aldengolab/truenas-jsonrpc-debug
skills/truenas-jsonrpc-debug/SKILL.md
Query TrueNAS using the JSON-RPC 2.0 WebSocket API (v25.10+) for storage and NVMe-oF debugging. Use this skill whenever you need to inspect TrueNAS state — NVMe subsystems, ZFS pool health, CSI-provisioned datasets, disk status, or service configuration. Replaces deprecated REST API calls. Trigger when: investigating NVMe-oF attach failures, checking pool/dataset health, verifying NVMe target port bindings, auditing democratic-csi provisioned volumes, or diagnosing any TrueNAS storage issue from within a Kubernetes debugging session.
development
Updated Apr 2, 2026
$ install --global
skillsauthnpx skillsauth add aldengolab/lorist truenas-jsonrpc-debugInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 2, 2026, 5:13 PM56.5s2 files scanned
SKILL.md
- name:
- truenas-jsonrpc-debug
- description:
- |
- Trigger when:
- investigating NVMe-oF attach failures, checking pool/dataset health, verifying
TrueNAS JSON-RPC 2.0 WebSocket Debugging
The TrueNAS REST API is deprecated as of v25.10. All queries now go through a JSON-RPC 2.0
WebSocket endpoint at ws://<host>/api/current (or wss:// for HTTPS).
Use the bundled script scripts/truenas_query.py for all TrueNAS queries.
Prerequisites
pip install websockets pyyaml
Step 1: Generate Credentials File
The credentials file is required for every session. Generate it at the start of each debugging session — it pulls the TrueNAS host and API key from the cluster secret each time:
python3 <skill-path>/scripts/truenas_query.py --get-creds --creds ~/.truenas-creds.json
This writes ~/.truenas-creds.json (persistent, survives reboots unlike /tmp). The file contains
the host IP, port, protocol, and API key extracted from the democratic-csi-driver-config secret.
One-Time Setup: API Key for JSON-RPC
The democratic-csi API key works for REST provisioning but is rejected by the JSON-RPC WebSocket
endpoint with AUTH_ERR. You need a separate key created in the TrueNAS UI:
- Open TrueNAS UI → Credentials → API Keys → Add
- Name it (e.g.,
claude-debug), create it under your admin account - Edit
~/.truenas-creds.json:- Set
"username"to the account that owns the key (e.g.,"truenas_admin") - Set
"api_key"to the new key value
- Set
After this one-time edit, --get-creds will refresh the host/port and API key from the cluster
secret on future runs but will preserve any username already in the file — so you only need to
set it once.
Auth method used:
- If
usernameis set in creds:auth.login_exwithAPI_KEY_PLAINmechanism - If
usernameis null:auth.login_with_api_key(legacy, may not work with v25.10+ keys)
Step 2: Run Diagnostics
NVMe-oF target state (subsystems, ports, namespaces)
python3 <skill-path>/scripts/truenas_query.py \
--creds ~/.truenas-creds.json --diag nvme --out /tmp/tn_nvme.json
Key fields to check in output:
nvmet_ports[*].addr_trsvcid— port number the target is listening on (default 4420)nvmet_ports[*].addr_traddr— IP address the target is bound to (if0.0.0.0, all interfaces)nvmet_subsystems— list of NQN subsystems (should match what democratic-csi provisioned)nvme_services— whether the NVMe service is running
ZFS pool and CSI dataset health
python3 <skill-path>/scripts/truenas_query.py \
--creds ~/.truenas-creds.json --diag storage --out /tmp/tn_storage.json
Key fields:
pools[*].status— should beONLINEcsi_datasets— all datasets matchingcsi-pvc-*(provisioned by democratic-csi)disks[*].devnameanddisks[*].status— physical disk health
System info
python3 <skill-path>/scripts/truenas_query.py \
--creds ~/.truenas-creds.json --diag system
Everything at once
python3 <skill-path>/scripts/truenas_query.py \
--creds ~/.truenas-creds.json --diag all --out /tmp/tn_full.json
Step 3: Call Any Method Directly
# List all services
python3 <skill-path>/scripts/truenas_query.py \
--creds ~/.truenas-creds.json --method service.query
# Query a specific dataset by name
python3 <skill-path>/scripts/truenas_query.py \
--creds ~/.truenas-creds.json \
--method pool.dataset.query \
--params '[["id", "=", "nvme-of-k8s/democratic-csi-provisioner"]]'
# Check NVMe target host port bindings
python3 <skill-path>/scripts/truenas_query.py \
--creds ~/.truenas-creds.json --method nvmet.port.query
Protocol Reference
Connection URL: ws://<host>:<port>/api/current
Request format:
{"jsonrpc": "2.0", "id": 1, "method": "pool.query", "params": []}
- Batch requests are not supported — send one at a time
- Server may send unsolicited
collection_updatenotifications (no"id") — ignore these - Auth must succeed before any other method call
Useful Methods for NVMe/Storage Debugging
| Method | Purpose |
|--------|---------|
| system.info | Version, uptime |
| nvmet.subsystem.query | NVMe subsystem list |
| nvmet.port.query | NVMe listener ports and bound IPs |
| nvmet.namespace.query | NVMe namespaces (backed by zvols) |
| service.query | All service states |
| pool.query | ZFS pool health |
| pool.dataset.query | All datasets (supports filter params) |
| disk.query | Physical disk inventory and health |
| interface.query | Network interfaces and IP addresses |
| network.configuration.config | Hostname, DNS, gateway |
Notes
- TrueNAS host and port come from
httpConnectionin the driver config secret — this is the HTTP/WS management interface, not the NVMe-oF data port (4420). They are different. - The
shareHost/sharePortin the driver config is the NVMe-oF data endpoint. Thehost/portinhttpConnectionis the management API endpoint. - If the cluster can't reach TrueNAS at the management IP, check CoreDNS and Tailscale routing.
From within the cluster:
kubectl run -it --rm dns-test --image=busybox --restart=Never -- nslookup <host>
References
- TrueNAS JSON-RPC 2.0 API docs
Related Skills
aldengolab/ubuntu-secureboot-pxe-netboot
development
VerifiedTrustedCommunity
Build a UEFI Secure Boot PXE netboot server for Ubuntu autoinstall. Use when: designing or implementing network boot infrastructure for automated Ubuntu provisioning with Secure Boot enabled. Covers the complete chain: signed shim+GRUB selection, TFTP layout, kernel parameters, autoinstall config requirements, and post-install bootstrapping scripts. Also applicable when debugging an existing PXE setup that uses the wrong GRUB binary or config paths.
SKILL.mdUpdated Apr 10, 2026
aldengolab/pxe-grub-persistent-server-pattern
development
VerifiedTrustedCommunity
Design pattern for running a persistent PXE/TFTP server that safely coexists with already-installed nodes. Use when: building PXE infrastructure that should stay always-on, designing automated bare-metal provisioning in GitOps/Kubernetes environments, or any PXE setup where UEFI boot order has network boot first. Eliminates boot loops without requiring UEFI firmware changes.
SKILL.mdUpdated Apr 10, 2026
aldengolab/orwell-clear-writing
development
VerifiedTrustedCommunity
This skill governs all prose output — Claude's own responses, documentation, PR descriptions, commit messages, README content, comments, and any text the user asks to draft or edit. It should also be used when the user asks to "review my writing", "edit this for clarity", "make this clearer", "simplify this text", "rewrite this", "check my prose", "tighten this up", or "make this more concise". Based on George Orwell's "Politics and the English Language" (1946).
SKILL.mdUpdated Apr 10, 2026
aldengolab/k8s-hostnetwork-port-conflict
development
VerifiedTrustedCommunity
Debug Kubernetes pods using hostNetwork: true that crash with "Address already in use" or "failed to create listening socket for port N". Use when: (1) a hostNetwork pod container is in CrashLoopBackOff and logs show a port bind failure, (2) the port works fine in non-hostNetwork pods but fails with hostNetwork, (3) you need to identify which host-level process holds a port from within Kubernetes (no SSH). Covers /proc/net/udp inspection and kubectl debug node with nsenter.
SKILL.mdUpdated Apr 10, 2026