Plex Media Server on Minimal Centos 7.0

  1. As default, PMS is installed as user plex, group plex, secondary membership to video, not login capable, no root priv
  2. When you setup the share permissions, there’s no need to get too fancy. I leave mine open because my home LAN is safe and I write to the share when I rip.
  3. The local NFS mount should be as clean (I enable and use NFSv4)

To put PMS back into its default configuration.

  1. Remove whatever you did to make it root. (/etc/systemd/system/plexmediaserver.service.d/override.conf ?)
  2. remove the package
  3. userdel plex
  4. groupdel plex

When you install again, it will likely not start because of permissions to the metadata in /var/lib/plexmediaserver

  1. Install PMS
  2. Stop PMS
  3. sudo chown -R plex:plex /var/lib/plexmediaserver
  4. Start PMS

NFS mount
vienna:/movies /vie/movies nfs intr,rw,vers=4,auto,async,nofail,bg 0 0

QNAP share export

Thanks, I appreciate you taking the time to answer!

@ChuckPA said:

  1. As default, PMS is installed as user plex, group plex, secondary membership to video, not login capable, no root priv

So, I created the plex user manually, and looking at his groups - he is part of the video group. His UID:GID is 1001:1001. He has /bin/bash for login and no entry in the sudoers file.

I’m really hoping that editing /etc/passwd to /sbin/nologin and removing his home and mail-spool directories will suffice. I really don’t want to uninstall and reinstall PMS. :frowning:

  2. When you setup the share permissions, there’s no need to get too fancy. I leave mine open because my home LAN is safe and I write to the share when I rip.

The problem is that all the files ripped by sabnzbd get owner:group sabnzbd and permission 644. So I either need to have sabnzbd set the permissions to 777 (or 776) or have all the services in the same group. Having them in the same group and tightening the permission seems to be best practice?

My home LAN is not safe. Yet. When I get all this up and running I’m going to set up nginx and certificates.

  3. The local NFS mount should be as clean (I enable and use NFSv4)

From the looks of it, we use the same settings (apart from IP lockdown) and I also use NFSv4.

On the client I use defaults. I’m not sure how that stands against the settings you have.

Thanks again!

Where did you place Plex’s home directory? When creating by hand, it gets placed in /home/plex.
We put it in /var/lib/plexmediaserver because it is then part of the root filesystem. This guarantees it has exec privilege for the codecs. /home is not guaranteed to have this privilege in the mount. Granted it can be moved (with an override) but it’s a step in the process to check when /home is a separate partition.

/sbin/nologin is all you need to set. Make sure you don’t leave /etc/passwd writable when done and all good on security

Regarding permissions, you need to look at the Linux sticky bit (inheritance). It can do all kinds of neat tricks.

https://forums.plex.tv/categories/linux-tips

Regarding defaults, do the man fstab and also look at the others. defaults is a little looser than what I did. I locked down how I wanted the connection made… It’s up to you there.

Since QNAP is also Linux, those same sticky bit functions exist in its kernel. Linux -> Linux via NFS and it’s flawless. All you need now is a little UID matching (edit /etc/passwd) and it’s all set. Personally, I would track UID between workstation and QNAP. Let GID float to be ‘everyone’ on QNAP (the default).

Ok, I need to break this down a little further, a lot of this is new to me. Trying to learn as I go along, thanks for your patience. :slight_smile:

@ChuckPa said:
Where did you place Plex’s home directory? When creating by hand, it gets placed in /home/plex.

Result from ls -l /home/plex:
drwxrwxr-x. 2 plex plex 60 Feb 5 13:33 Downloads

Downloads only contains the pms .rpm

This is the entry in /etc/passwd: plex:x:1001:1001:Plex Media Server User:/home/plex:/bin/bash

We put it in /var/lib/plexmediaserver because it is then part of the root filesystem.

Looking in /var/lib/, I find this drwxr-xr-x. 3 plex plex 21 Feb 10 21:29 plexmediaserver (see screenshot below)

While sabnzbd for instance has drwxr-xr-x 8 root root 97 Feb 12 22:34 sabnzbd

This guarantees it has exec privilege for the codecs.

From the screenshot above it looks correct?

/home is not guaranteed to have this privilege in the mount.

“in the mount” confuses me here. I only have one disk in the centos machine, no partitions (apart from efi, and recovery). The only thing that is placed on the QNAP via the NFS mount are the libraries “Movies” and “Series” (TV shows).

Granted it can be moved (with an override) but it’s a step in the process to check when /home is a separate partition.

usermod -m -d /var/lib/plexmediaserver plex ?

Will that fix the /etc/passwd-entry?

/sbin/nologin is all you need to set. Make sure you don’t leave /etc/passwd writable when done and all good on security

Cool. It has -rw-r--r-- 1 root root 1222 Feb 12 22:34 /etc/passwd

Which according to this is correct? If I edit it as root I don’t have to change permissions, right?

Regarding permissions, you need to look at the Linux sticky bit (inheritance). It can do all kinds of neat tricks.

Wow, that was a lot to take in. Need to read it a couple of times and let it sink in.

Since QNAP is also Linux, those same sticky bit functions exist in its kernel. Linux → Linux via NFS and it’s flawless. All you need now is a little UID matching (edit /etc/passwd) and it’s all set. Personally, I would track UID between workstation and QNAP. Let GID float to be ‘everyone’ on QNAP (the default).

This is what it looks like on the QNAP:

lrwxrwxrwx 1 admin administ 15 Feb 17 14:44 Movies -> HDB_DATA/Movies/
lrwxrwxrwx 1 admin administ 15 Feb 17 14:44 Series -> HDB_DATA/Series/
drwxrwxrwx 6 admin administ 4096 Feb 8 15:32 HDB_DATA/
drwxrwxrwx 30 admin administ 12288 Feb 18 00:16 Movies/ ← in HDB_DATA/
drwxrwxrwx 26 admin administ 4096 Feb 18 00:12 Series/ ← in HDB_DATA/

The content that was already there on the QNAP (I’ve gone from macOS to CentOS) has this:
drwxrwxrwx 3 plex everyone 4096 Feb 11 14:18 Krakel Spektakel (2014)/

While content added since the OS change, has this:
drwxr-xr-x 2 998 996 4096 Feb 18 00:45 The Usual Suspects (1995)/

That UID and GID comes from this guy on the workstation (centos):
sabnzbd:x:998:996:SABnzbd:/usr/share/sabnzbd:/bin/sh

This is the plex user on the QNAP:
plex:x:501:100:Linux User,,Plex Media Server user,:/share/homes/plex:/bin/sh

  1. You don’t need to move the contents of /home/plex. Abandon it in place. usermod -d /var/lib/plexmediaserver plex
  2. The shell (sh) needs $HOME to point to /var/lib/plexmediaserver
  3. Use the sticky bit on the target directories. e.g. /HDB_DATA/Movies not the symlink in /share
  4. Use the QNAP tools to create the user. You can then directly modify /etc/passwd to change it. Don’t forget to chown -R on /share/homes/sabnzbd

Remember, the QNAP is ultimately the slave in this configuration when sec=sys is used. It only looks for a numerical match, whatever it is.

Walk the chain from source -> destination and actually play with the sticky bit flags. It’s the best and quickest way to learn

Edit: When the Redhat package creates the Plex user, it looks like this:

[chuck@lizum ~.101]$ grep plex /etc/passwd
plex:x:888:100:RPM Created PlexUser:/var/lib/plexmediaserver:/sbin/nologin
[chuck@lizum ~.102]$ 
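
Added example, not part of any post in this thread: a shell sketch of the UID matching discussed above. Under sec=sys the NFS server compares only UID numbers, so it checks passwd entries from both machines against each other. The sample entries are the ones quoted in the thread, and the function names uid_audit and owner_as_seen_by are made up for illustration.

```shell
#!/bin/sh
# Added example: audit numeric UID agreement between an NFS client and server.
# With sec=sys the server trusts the UID number the client sends; account
# names are never compared.

# Sample passwd entries copied from the thread (workstation = CentOS, NAS = QNAP).
WORKSTATION_PASSWD='plex:x:1001:1001:Plex Media Server User:/home/plex:/bin/bash
sabnzbd:x:998:996:SABnzbd:/usr/share/sabnzbd:/bin/sh'
NAS_PASSWD='plex:x:501:100:Linux User,,Plex Media Server user,:/share/homes/plex:/bin/sh'

# uid_audit CLIENT_PASSWD_TEXT SERVER_PASSWD_TEXT
# Prints one line per client account: name client_uid server_uid verdict
uid_audit() {
    # Feed the server entries first, then a separator, then the client entries.
    printf '%s\n---\n%s\n' "$2" "$1" | awk -F: '
        $0 == "---" { client = 1; next }
        !client     { srv_uid[$1] = $3; next }
        {
            if (!($1 in srv_uid))        verdict = "MISSING_ON_SERVER"
            else if (srv_uid[$1] != $3)  verdict = "UID_MISMATCH"
            else                         verdict = "OK"
            seen = ($1 in srv_uid) ? srv_uid[$1] : "-"
            print $1, $3, seen, verdict
        }'
}

# owner_as_seen_by UID PASSWD_TEXT
# Prints the account name that owns UID on that machine, or the bare number
# when no account has it (which is why ls on the NAS shows "998 996").
owner_as_seen_by() {
    printf '%s\n' "$2" | awk -F: -v uid="$1" '
        $3 == uid { print $1; found = 1; exit }
        END       { if (!found) print uid }'
}

# Report for the sample data above.
uid_audit "$WORKSTATION_PASSWD" "$NAS_PASSWD"
```

To audit real machines, pass the contents of each host's /etc/passwd (for example `"$(cat /etc/passwd)"`) in place of the sample variables.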

I have followed these excellent steps but I think the instructions are missing something in the firewall file xml. I created the file using the steps.

<?xml version=“1.0” encoding=“utf-8”?> plexmediaserver Plex TV Media Server

But I’m sure there are supposed to be more in it than just this. When I try to add the service ‘plexmediaserver’ using the command ‘firewall-cmd --permanent --add-service=plexmediaserver’ it tells me
‘Error: INVALID_SERVICE: ‘plexmediaserver’ not among existing services’

updated:

I found some guides on firewalls and I tried this:

<?xml version="1.0" encoding="utf-8"?> plexmediaserver (Plex TV Media Server) Plex TV MEdia Server.

  1. If plexmediaserver.service is not valid, PMS isn’t installed.
  2. There is no reference to firewall above because everyone’s firewall is different and most don’t use a firewall inside their home LAN.

I followed these instructions and all was working, but I had a power outage and my PMS server went down and now when I boot CENTOS 7 I get prompted for a password for root@@///video with this message “Please enter password with the systemd-tty-ask-password-agent tool!”. I get this every time I reboot the PMS server and enter the password I am not able to access the share on my NAS. Does anyone know how to fix this issue? I have googled this issue with no luck at all. I checked my fstab file all looks good according to the article. I am not sure what is going on. Any information would be a great help. Thank you in advance.

Have you attempted to rerun mkconfig?