Ok, so I tried to update to Plex Media Server v1-0-3 with ‘yum localinstall’ and was unable to start the service. I jinxed myself with my ‘extremely solid’ comment above 
.
This turns out to be a know issue - the details and solution to get you back up and running can be found in this post forums.plex.tv/discussion/225366/cant-start-plexmediaserver-after-yum-localupdate-plex-rpm.
Cheers,
Iso
hi
you need to add UDP 137 to the firewall configuration to allow the discovery of rasplex devices - thank you for a great guide.
@jamesmacwhite said:
@DigitalArtifexI echo similar points you’ve made when I originally followed this.
Firstly, thank you to OP for writing this guide. I used it to help migrate my Plex install from Windows Server 2012 R2 to CentOS 7. There were some areas I did differently based on my own views/security.
Plex doesn’t need to be root
The Plex user does not need to have root elevation or even have the ability to login. In newer versions of PMS the rpm package will automatically created a Plex user account. By default it has its shell set to
/bin/false, meaning you can’t login into the user via SSH or console. You should really consider keeping it this way. Unless you are running some really bespoke setup and understand the risks, the Plex user does not need to be elevated to root or have a shell for login abilities at any point.If you want SSH access, create a separate user account for general management/maintenance that isn’t
root.Additionally, as Plex Media Server runs as a proper service (unlike Windows), the permissions and elevation will be handled by systemd. No
jacketsudo required. The only thing to ensure is all Plex related directories are assigned to the plex userplex:plex. You can use:chown plex:plex <directory> # Directory only chown -R plex:plex <directory> # RecursiveNote: You do not need to use
chownon CIFS shares, as the UID and GID controls the ownership.You can modify the default paths after Plex Media Server is installed such as the Plex home directory (default
/var/lib/plexmediaserver) which is totally fine. Changes to these paths and other configs values can be done in/etc/sysconfig/PlexMediaServer.Samba shares
Regarding samba shares part, the special user and group created is not necessary. You can directly mount CIFS shares via the UID and GID of the plex user without any issues and in fact I would recommend doing so.
As the user is auto created by the rpm you can simply run the following and use numeric values reported back in
/etc/fstabid -u plex # Get UID id -g plex # Get GIDI actually had problems using the mentioned samba groups with the Optimised Versions feature. I got various permission and write errors every time I tried to use it, turns out its because of permissions on the CIFS mounts, despite adding the plex user assigned the group. Mounting with the plex user directly resolves the issue.
Additional firewall issues with firewalld
In addition to the well documented Plex ports required to be opened, firewalld didn’t play nice with RasPlex and blocked the ability to connect to Plex HT for remote control. This is likely due to multicast filtering and its a pain in the butt to add a rule for these data packets. In the end I gave up and essentially whitelisted my RasPlex device outright.
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="xx.xx.xx.xx" accept'Hope this helps in addition to excellent guide written.
If I want to add one more layer by adding deluge-daemon as another service. How should I configure the permissions?
My current thought is that I would keep the default deluge:deluge user and group and have it write files using 775 permission so that plex:plex can have access. I would configure Samba using the forceuser/forcegroup option to have it save files as deluge:deluge. I would then add my normal user account to the deluge group so I can modify the files through SSH if I want. Do you think this would be a nice configuration for the permissions or any other better options?
@wildkeny said:
@jamesmacwhite said:
@DigitalArtifexI echo similar points you’ve made when I originally followed this.
Firstly, thank you to OP for writing this guide. I used it to help migrate my Plex install from Windows Server 2012 R2 to CentOS 7. There were some areas I did differently based on my own views/security.
Plex doesn’t need to be root
The Plex user does not need to have root elevation or even have the ability to login. In newer versions of PMS the rpm package will automatically created a Plex user account. By default it has its shell set to
/bin/false, meaning you can’t login into the user via SSH or console. You should really consider keeping it this way. Unless you are running some really bespoke setup and understand the risks, the Plex user does not need to be elevated to root or have a shell for login abilities at any point.If you want SSH access, create a separate user account for general management/maintenance that isn’t
root.Additionally, as Plex Media Server runs as a proper service (unlike Windows), the permissions and elevation will be handled by systemd. No
jacketsudo required. The only thing to ensure is all Plex related directories are assigned to the plex userplex:plex. You can use:chown plex:plex <directory> # Directory only chown -R plex:plex <directory> # RecursiveNote: You do not need to use
chownon CIFS shares, as the UID and GID controls the ownership.You can modify the default paths after Plex Media Server is installed such as the Plex home directory (default
/var/lib/plexmediaserver) which is totally fine. Changes to these paths and other configs values can be done in/etc/sysconfig/PlexMediaServer.Samba shares
Regarding samba shares part, the special user and group created is not necessary. You can directly mount CIFS shares via the UID and GID of the plex user without any issues and in fact I would recommend doing so.
As the user is auto created by the rpm you can simply run the following and use numeric values reported back in
/etc/fstabid -u plex # Get UID id -g plex # Get GIDI actually had problems using the mentioned samba groups with the Optimised Versions feature. I got various permission and write errors every time I tried to use it, turns out its because of permissions on the CIFS mounts, despite adding the plex user assigned the group. Mounting with the plex user directly resolves the issue.
Additional firewall issues with firewalld
In addition to the well documented Plex ports required to be opened, firewalld didn’t play nice with RasPlex and blocked the ability to connect to Plex HT for remote control. This is likely due to multicast filtering and its a pain in the butt to add a rule for these data packets. In the end I gave up and essentially whitelisted my RasPlex device outright.
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="xx.xx.xx.xx" accept'Hope this helps in addition to excellent guide written.
If I want to add one more layer by adding deluge-daemon as another service. How should I configure the permissions?
My current thought is that I would keep the default deluge:deluge user and group and have it write files using 775 permission so that plex:plex can have access. I would configure Samba using the forceuser/forcegroup option to have it save files as deluge:deluge. I would then add my normal user account to the deluge group so I can modify the files through SSH if I want. Do you think this would be a nice configuration for the permissions or any other better options?
Perhaps in your case, Samba groups may be more suitable to you. Group the plex and deluge user under the same Samba group with rw permissions, that way you wouldn’t have to worry about one being plex:plex deluge:deluge. I did experience issues with Samba groups in regards to Plex Versions not being able to write to a CIFS mountpoint, so your mileage may vary but should be the best solution. I did have a bit more complexity in my setup where by my Plex Versions pointed to a separate file server (Windows) where as my PMS install is a Linux VM on ESXi. I had a Plex Versions folder mounted via CIFS and Samba groups didn’t work well, fortunately, I only need to mount my file server libraries via CIFS with a single user, as I don’t do anything else exotic on the PMS instance itself.
@jonnip said:
hiyou need to add UDP 137 to the firewall configuration to allow the discovery of rasplex devices - thank you for a great guide.
Ah, so Rasplex uses NETBIOS? I’ll have to test this out at some point, maybe I can remove the IPv4 whitelist rule.
If I want to add one more layer by adding deluge-daemon as another service. How should I configure the permissions?
My current thought is that I would keep the default deluge:deluge user and group and have it write files using 775 permission so that plex:plex can have access. I would configure Samba using the forceuser/forcegroup option to have it save files as deluge:deluge. I would then add my normal user account to the deluge group so I can modify the files through SSH if I want. Do you think this would be a nice configuration for the permissions or any other better options?
Perhaps in your case, Samba groups may be more suitable to you. Group the plex and deluge user under the same Samba group with rw permissions, that way you wouldn’t have to worry about one being
plex:plexdeluge:deluge. I did experience issues with Samba groups in regards to Plex Versions not being able to write to a CIFS mountpoint, so your mileage may vary but should be the best solution. I did have a bit more complexity in my setup where by my Plex Versions pointed to a separate file server (Windows) where as my PMS install is a Linux VM on ESXi. I had a Plex Versions folder mounted via CIFS and Samba groups didn’t work well, fortunately, I only need to mount my file server libraries via CIFS with a single user, as I don’t do anything else exotic on the PMS instance itself.
I am a bit confused - Why does Plex need write permission?
I think I have also misunderstood the original article. What I want is not to mount a CIFS on my NAS so that Plex can serve. I want to set up a Samba daemon on my NAS so that my other computers can access the NAS easily in case I need to manually add files to NAS (for example, to add posters for the movies). By far, everything seems to work. I am adding my 4 x 3TB NTFS drives to the NAS and reformatting them to EXT4 with an extra 6TB spare drive to switch files to. The only drawback I have experienced is that each time I log into through SSH to rsync large movie files between hard drives on my NAS (faster than copying between Samba drives), I have to change permissions of those files to deluge:deluge manually.
Good Job!!
Excellent tutorial! The fstab entry should only use forward slashes though, not Windows-style backslashes… otherwise the share won’t mount on boot, but will after running “mount -a”
Is there an way to uninstall Plex complete from CentOS? With all Settings etc.?
Having Problems to access the server and restarts don´t helping…
Okay, after some new install´s my PMS works fine…
Anybody use PlexPy with an CentOS VPS Server? With my VPS PlexPy runs fine… but the step to run PlexPy as service… i don´t know who to set up this…
@wildkeny said:
The only drawback I have experienced is that each time I log into through SSH to rsync large movie files between hard drives on my NAS (faster than copying between Samba drives), I have to change permissions of those files to deluge:deluge manually.
If you’re using rsync to move your movies between hard drives, you can easily eliminate your “Only Drawback” by using the rsync “–chown” flag (and create a bash/zsh alias with it that saves you the extra typing for extra credit 
)
$ /bin/ls -l my_cool_movie.mkv
-rw-r--r--. 1 murph peeps 0 Mar 8 01:53 my_cool_movie.mkv
$ sudo rsync -a --chown=deluge:deluge my_cool_movie.mkv plex/
$ /bin/ls -l plex/my_cool_movie.mkv
-rw-r--r--. 1 deluge deluge 0 Mar 8 01:53 plex/my_cool_movie.mkv
Chris
Fantastic Guide. As a newbie to CentOS this was excellent for me and I had a great time setting this up. Thanks also to all who commented as these help too. Great job!
Thank you very much for this guide ! I just have to find another guide as good as your to migrate my existing plex database on it !
Ive installed this a couple of times and for some reason I can not get any channel playback on Windows machines from the Centos server. Ive tried edge,IE11 and Firefox. I can get into the plexweb and I can see channels but I cant play anything from them
I can get video play from an ipad running Safari.
I’m unsure if its a centos build issue or something else Ive done? Any ideas?
I must say that this guide is awesome. Many thanks for writing this up. since installing PMS on my CentOS minimal machine, it has been rock solid. I may have to copy this write to a Word document and hold on to it in case I need to do this again (god forbid lol). Thanks @isomorphic!
Theres something not right here. Ive have tried installing plex on two separate hyperv hosts, 5 times over and I can not get any browser based clients on a Windows 10 machine to stream anything from external channels. Today I installed server 2012 straight over the centos install, stuck Bit Torrant channel on and was streaming a movie within 30 seconds. Something must have changed with centos. I’m using the CentOS-7-x86_64-DVD-1611 dvd. I did try doing a workstation installation of centos but I couldn’t get any bundles into the plugin folder to work, hence I gave up and used server 2012. I would really love to get this going on centos. Anyone selling these errors?
Amazing. Thanks for sharing; very much appreciated.
Thanks for this most excellent guide! @isomorphic
@DigitalArtifex
I followed the guide to the T, but did the mistake of not reading the comments. 
How do I change the plex user to be secure w/o hurting the installation?
Since Centos 7 uses systemd, might I suggest this guide I put together?
In the comments above, I saw mention of PMS as root. You can but it’s not wise and definitely not needed. Running as root will also subject you to ROOT_SQUASH when accessing media over NFS unless expressly handled.
@ChuckPa said:
In the comments above, I saw mention of PMS as
root. You can but it’s not wise and definitely not needed. Running asrootwill also subject you toROOT_SQUASHwhen accessing media over NFS unless expressly handled.
I unfortunately didn’t read the comments before installing plex, so I would now like to change the user I created to be a system/service user (no root, no login etc).
What’s the best approach to doing this?
/etc/passwd? What else do I need to do? rm home and mail-spool?usermod?I’m going to create a “usenet” group of which I intend to add plex, sabnzbd, sonarr, and radarr users to.
Next, I’ll make sure the different services get started using that group (but with it’s own user).
^^ is that the correct approach?
Regarding NFS, I have a QNAP that I store my library on, and I’m using NFS (controlled by Autofs). There are two mountpoints
On the server side I have it locked down so that the only IP that can connect is the centos-machine running the usenet services. Looking at the client side the permissions are set to 777 and the owner is root:root. Should I lock this down further? How?
These are the settings (it’s the same for Series):
