• Unraid OS version 6.10.0-rc2 available


    limetech

    6.10.0 Summary of Changes and New Features

     

    As always, prior to updating, create a backup of your USB flash device:  "Main/Flash/Flash Device Settings" - click "Flash Backup".

     

    Note: In order to permit ongoing development, some changes/features are marked experimental.  This means underlying support is included in the release, but high level functionality or UI has not been included yet.

     

    UPC and My Servers Plugin - [rc2] reworded

    The most visible new feature is located in the upper right of the webGUI header.  We call this the User Profile Component, or UPC.  The UPC allows a user to associate their server(s) and license key(s) with their Unraid Community forum account, also known as an Unraid.net account.

     

    Starting with this release, it will be necessary for a new user to either sign-in with existing forum credentials or sign-up, creating a new account via the UPC in order to download a Trial key.  All key purchases and upgrades are also handled exclusively via the UPC.

     

    Signing-in provides these benefits:

    1. My Servers Dashboard - when logged into the forum a new My Servers menu item appears. Clicking this brings up a Dashboard which displays a set of tiles representing servers associated with this account.  Each tile includes a link to bring up the server's webGUI on your LAN.  Install the My Servers plugin to provide real-time status and other advanced features (see below).
    2. Notification of critical security-related updates.  In the event a serious security vulnerability has been discovered and patched, we will send out a notification to all email addresses associated with registered servers.
    3. Posting privilege in a new set of My Servers forum boards.
    4. No more reliance on email and having to copy/paste key file URLs in order to install a license key - keys are delivered and installed automatically to your server.

     

    Once a license key has been provisioned, it is not necessary to remain signed-in, though there is no particular reason to sign-out.

    [rc2]  Exception:  A server must be signed-in to Provision and Renew a Let's Encrypt SSL certificate.

     

    My Servers Plugin

    My Servers is what we call our set of cloud-based or cloud-enabled services and features that integrate with your Unraid server(s).  Once installed, these are some of the features of My Servers:

    • Real-time Status - with the plugin installed each server tile on the My Servers Dashboard will display real-time status such as whether the server is online or offline, storage utilization and other information. 
    • Remote Access link - if enabled, a link is displayed on the My Servers Dashboard to bring up a server webGUI remotely over the Internet.
    • Automatic Flash Backup - every registered server is provided with a private git repo initially populated with the contents of your USB flash boot device (except for certain files which contain private information such as passwords).  Thereafter, configuration changes are automatically committed.  A link is provided to download a custom zip file that can be fed as input to the USB Flash Creator tool to move your configuration to a new USB flash device.

     

    My Servers is an optional add-on, installed through Community Apps or via direct plugin URL.  Detailed instructions can be found here.

     

    If you have installed the My Servers plugin, signed-in servers will maintain a websocket connection to a cloud-based Lime Technology proxy server for the purpose of relaying real-time status.

     

    Security Changes

    • It is now mandatory to define a root password.  We also created a division in the Users page to distinguish root from other user names.  The root UserEdit page includes a text box for pasting SSH authorized keys.
    • For new configurations, the flash share default export setting is No.
    • For all new user shares, the default export setting is No.
    • For new configurations, SMBv1 is disabled by default.
    • For new configurations, telnet, ssh, and ftp are disabled by default.
    • We removed certain strings from Diagnostics such as passwords found in the 'go' file.

     

    Virtualization

    Both libvirt and qemu have been updated.  In addition qemu has been compiled with OpenGL support, and [rc2] ARM emulation (experimental).

     

    [rc2] To support Windows 11, which requires TPM and Secure Boot, we have added TPM emulation and a "Windows 11" VM template which automatically selects the TPM-aware OVMF BIOS.  Also, here are instructions for upgrading a Windows 10 VM to Windows 11.  Special thanks to @ich777 who researched and determined what changes and components were necessary to provide this functionality.

     

    The built-in FireFox browser available in GUI-mode boot is built as an AppImage and located in the bzfirmware compressed file system image.  This saves approximately 60MB of RAM.

     

    The Wireguard plugin has been integrated into webGUI, that is, no need for the plugin.  If you had the plugin installed previously, it will be uninstalled and moved to the "Plugins/Plugin File Install Errors" page. No action is needed unless you want to press the Delete button to remove it from that page. Your WireGuard tunnels and settings will be preserved.

     

    Simplified installation of the Community Apps plugin.  The webGUI automatically includes the Apps menu item, and if CA is not already installed, the page offers an Install button.  No need to hunt for the plugin link.

     

    Let's Encrypt SSL provisioning change.  In previous releases, the code that provisions (allocates and downloads) a LE SSL certificate would first test whether DNS Rebinding Protection was enforced on the user's LAN and, if so, would not provision the certificate.  Since there are other uses for a LE certificate, we changed the code so that provisioning always proceeds.  Next, we changed the logic behind the Auto selection of the "Use SSL/TLS" setting on the Management Access page.  Now it is only possible to select Auto if both a LE certificate has been provisioned and DNS Rebinding Protection is not enforced.  This is a subtle change, but it permits certain My Servers features such as Remote Access.
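    As an added illustration (not Unraid's own code), the Auto rule above and the rebinding-protection probe behind it can be expressed like this. The resolver is pluggable so the check runs offline against constructed answers; the probe name and the 192.168.1.2 LAN address are assumptions, not Unraid's real probe.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Resolver abstracts the LAN DNS lookup so the check can run offline against
// constructed answers; in production it would wrap net.LookupIP.
type Resolver func(name string) ([]net.IP, error)

// RebindingProtectionEnforced probes the LAN resolver with a name that is
// known to map to a private (RFC 1918) address, which is what a LE-style name
// pointing at the server's LAN IP looks like to the resolver. A resolver that
// enforces DNS rebinding protection drops such answers (NXDOMAIN or an empty
// answer), so the private address never comes back. It returns true when the
// resolver handed back no private address for the probe name.
func RebindingProtectionEnforced(r Resolver, probeName string) bool {
	ips, err := r(probeName)
	if err != nil || len(ips) == 0 {
		return true
	}
	for _, ip := range ips {
		if ip.IsPrivate() {
			return false
		}
	}
	return true
}

// AutoSSLSelectable mirrors the rc2 rule for "Use SSL/TLS = Auto": selectable
// only when a LE certificate has been provisioned AND the LAN does not enforce
// DNS rebinding protection.
func AutoSSLSelectable(leProvisioned, rebindingEnforced bool) bool {
	return leProvisioned && !rebindingEnforced
}

// ProbeName and lanIP are constructed values for this example.
const ProbeName = "probe.lan-check.invalid"

var lanIP = net.ParseIP("192.168.1.2")

// ConstructedResolver returns canned answers: with filtered=true it behaves
// like a resolver that strips private addresses, otherwise it returns lanIP.
func ConstructedResolver(filtered bool) Resolver {
	return func(name string) ([]net.IP, error) {
		if name != ProbeName {
			return nil, errors.New("NXDOMAIN")
		}
		if filtered {
			return nil, errors.New("NXDOMAIN: private answer dropped by rebinding protection")
		}
		return []net.IP{lanIP}, nil
	}
}

func main() {
	for _, filtered := range []bool{false, true} {
		enforced := RebindingProtectionEnforced(ConstructedResolver(filtered), ProbeName)
		fmt.Printf("resolver filters private answers=%v -> rebinding protection enforced=%v, Auto selectable with LE cert=%v\n",
			filtered, enforced, AutoSSLSelectable(true, enforced))
	}
}
```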

     

    Linux Kernel

    Upgrade to [rc2] Linux 5.14.15 kernel which includes so-called Sequoia vulnerability mitigation.

     

    In-tree GPU drivers are now loaded by default if corresponding hardware is detected:

    • amdgpu
    • ast
    • i915
    • radeon

     

    These drivers are required mostly for motherboard on-board graphics used in GUI boot mode.  Loading of a driver can be prohibited by creating the appropriate file named after the driver:

    echo "blacklist i915" > /boot/config/modprobe.d/i915.conf

    Alternatively, the device can be isolated from Linux entirely via the System Devices page.  Note that in Unraid OS 6.9 releases the in-tree GPU drivers are blacklisted by default and to enable loading a driver you need to create an empty "conf" file.  After upgrading to Unraid OS 6.10 you may delete those files, or leave them as-is.  This change was made to greatly improve the Desktop GUI experience for new users.

     

    Added support for Intel GVT-g, which lets you split your Intel i915 iGPU into multiple virtual GPUs and pass them through to multiple VMs, using @ich777's Intel-GVT-g plugin.

     

    Added support for gnif/vendor-reset.  This simplifies @ich777's AMD Vendor Reset plugin which permits users to get their AMD video cards to reset properly.

     

    [rc2] Added so-called "add-relaxable-rmrr-5_8_and_up.patch" modified for our kernel
      https://github.com/kiler129/relax-intel-rmrr/blob/master/patches/add-relaxable-rmrr-5_8_and_up.patch

    Thanks to @ich777 for pointing this out.

     

    [rc2] Enabled additional ACPI kernel options
    [rc2] Updated out-of-tree drivers

    [rc2] Enabled TPM kernel modules (not utilized yet) - note this is for an Unraid host utilizing a physical TPM, not emulated TPM support for virtual machines.

     

    Base Packages

    Virtually the entire base package set has been updated.

     

    [rc2] For SMB: with Samba version 4.15, SMB3 multi-channel is no longer marked "experimental" and is enabled by default.

     

    [rc2] Per request we added the mcelog package.  With inclusion of this package, if you have an AMD processor you may see this error message in the system log:

    mcelog: ERROR: AMD Processor family 23: mcelog does not support this processor. Please use the edac_mce_amd module instead.

    We're not sure what to make of this.  It appears mcelog is being deprecated in favor of rasdaemon.  This is something we need to research further.

     

    Other improvements in 6.10 which are perhaps not so obvious from the release notes; some of these are internal and not directly visible:

     

    Event driven model to obtain server information and update the webGUI in real-time

    • The advantage of this model is its scalability. Multiple browsers can be opened simultaneously to the webGUI without much impact
    • In addition stale browser sessions won't create any CSRF errors anymore
    • People who keep their browser open 24/7 will find the webGUI stays responsive at all times

     

    Docker labels

    • Docker labels are added to allow people using Docker compose to make use of icons and GUI access
    • Look at a Docker 'run' command output to see exactly what labels are used

     

    Docker custom networks

    • A new setting for custom networks is available. Originally custom networks are created using the macvlan mode, and this mode is kept when upgrading to version 6.10
    • The new ipvlan mode is introduced to address the crashes some people experience when using macvlan mode. If that is your case, change to ipvlan mode and test. Changing the mode does not require reconfiguring anything at the Docker level; internally everything is taken care of.

     

    Docker bridge network (docker0)

    • docker0 now supports IPv6. This is implemented by assigning docker0 a private IPv6 subnet (fd17::/64), similar to what is done for IPv4, and using network address translation to communicate with the outside world
    • Containers connected to the bridge network now have both IPv4 and IPv6 connectivity (of course the system must have IPv6 configured in the network configuration)
    • In addition several enhancements are made in the IPv6 implementation to better deal with the use (or no-use) of IPv6

     

    Plugins page

    • The plugins page now loads information in two steps. First the list of plugins is created and next the more time consuming plugin status field is retrieved in the background. The result is a faster loading plugins page, especially when you have a lot of plugins installed

     

    Dashboard graphs

    • The dashboard has now two graphs available. The CPU graph is displayed by default, while the NETWORK graph is a new option under Interface (see the 'General Info' selection)
    • The CPU graph may be hidden as well in case it is not desired
    • Both graphs have a configurable time-line, which is by default 30 seconds and can be changed independently for each graph to see a longer or shorter history.
    • Graphs are updated in real-time and are useful to observe the behavior of the server under different circumstances

     

    Other Changes

    • We switched to a better-maintained version of the WSD server component called wsdd2 in an effort to eliminate instances where the wsd daemon would start consuming 100% of a CPU core.  [rc2] Automatically restrict wsdd to listen only on the primary network interface (br0, bond0, or eth0, depending on config).
    • Fixed issue where you couldn't create a docker image on a share name that contains a space.
    • Fixed issue where 'mover' would not move to a pool name that contains a space.
    • Fixed issue in User Share file system where permissions were not being honored.
    • We increased the font size in Terminal and [rc2] fixed issue with macOS Monterey.
    • [rc2] Fixed jumbo frames not working.
    • [rc2] sysctl: handle net.netfilter.nf_conntrack_count max exceeded (increase setting to 131072) - hattip to Community Member @DieFalse

    • [rc2] Mover will create '.partial' file and then rename upon completion.

    • [rc2] Check bz file sha256sums at boot time.

     

    Credits

    Special thanks to all our beta testers and especially:

    @bonienl for his continued refinement and updating of the Dynamix webGUI.

    @Squid for continued refinement of Community Apps and associated feed.

    @dlandon for continued refinement of Unassigned Devices plugin and patience as we change things under the hood.

    @ich777 for assistance and passing on knowledge of Linux kernel config changes to support third party drivers and other kernel-related functionality via plugins.

    @SimonF for refinements to System Devices page and other webGUI improvements.  We intend to merge your mover progress changes during this RC series.

     


     

    Version 6.10.0-rc2 2021-11-01 (vs. 6.10.0-rc1)

     

    Base distro:

    • acpid: version 2.0.33
    • at-spi2-core: version 2.42.0
    • bind: version 9.16.22
    • btrfs-progs: version 5.14.2
    • ca-certificates: version 20211005
    • cifs-utils: version 6.14
    • coreutils: version 9.0
    • cryptsetup: version 2.4.1
    • curl: version 7.79.1
    • dhcpcd: version 9.4.1
    • dnsmasq: version 2.86
    • docker: version 20.10.9
    • e2fsprogs: version 1.46.4
    • ethtool: version 5.14
    • file: version 5.41
    • fribidi: version 1.0.11
    • fuse3: version 3.10.5
    • gd: version 2.3.3
    • gdbm: version 1.22
    • git: version 2.33.1
    • glib2: version 2.70.0
    • glibc-zoneinfo: version 2021e
    • gnutls: version 3.7.2
    • grep: version 3.7
    • gzip: version 1.11
    • harfbuzz: version 3.0.0
    • haveged: version 1.9.15
    • htop: version 3.1.1
    • iproute2: version 5.14.0
    • jansson: version 2.14
    • json-glib: version 1.6.6
    • libXi: version 1.8
    • libarchive: version 3.5.2
    • libedit: version 20210910_3.1
    • libepoxy: version 1.5.9
    • libgcrypt: version 1.9.4
    • libgudev: version 237
    • libjpeg-turbo: version 2.1.1
    • libssh: version 0.9.6
    • libssh2: version 1.10.0
    • libtpms: version 0.9.0
    • libvirt: version 7.8.0
    • libvirt-php: version 0.5.6a
    • libwebp: version 1.2.1
    • libxkbcommon: version 1.3.1
    • lvm2: version 2.03.13
    • mc: version 4.8.27
    • mcelog: version 179
    • nano: version 5.9
    • ncurses: version 6.3
    • nghttp2: version 1.46.0
    • nginx: version 1.19.10
    • ntfs-3g: version 2021.8.22
    • openssh: version 8.8p1
    • openssl: version 1.1.1l
    • openssl-solibs: version 1.1.1l
    • pam: version 1.5.2
    • pango: version 1.48.10
    • pcre2: version 10.38
    • php: version 7.4.24
    • qemu: version 6.1.0
    • samba: version 4.15.0
    • sudo: version 1.9.8p2
    • swtpm: version 0.6.1
    • ttyd: version 20211023
    • usbutils: version 014
    • util-linux: version 2.37.2
    • wget: version 1.21.2
    • wireguard-tools: version 1.0.20210914
    • wsdd2: version 1.8.6
    • xfsprogs: version 5.13.0
    • xkeyboard-config: version 2.34
    • xrdb: version 1.2.1
    • xterm: version 369

     

    Linux kernel:

    • version 5.14.15
    • restore CONFIG_X86_X32: x32 ABI for 64-bit mode
    • added so-called "add-relaxable-rmrr-5_8_and_up.patch" modified for this kernel
    • added several ACPI-related CONFIG settings
    • added CONFIG_TCG_TPM and associated TPM chip drivers
    • added CONFIG_NFSD_V4: NFS server support for NFS version 4
    • added CONFIG_USB_NET_AQC111: Aquantia AQtion USB to 5/2.5GbE Controllers support
    • added NFS_V4: NFS client support for NFS version 4
    • oot: md/unraid: version 2.9.19
    • oot: nvidia: version 470.63.01 [via plugin]
    • oot: r8125: version 9.006.04
    • oot: r8152: version 2.15.0

     

    Management:

    • emhttpd: fix regression: user shares should be enabled by default
    • emhttpd: minimize information transmitted by 'stock' UpdateDNS function
    • firefox: version 91.0.r20210823123856 (AppImage)
    • mover: append '.partial' suffix to filename when move in-progress
    • rc.mcelog: mcelog added to base distro
    • rc.nginx: support custom wildcard self-signed certs
    • rc.S: check bz file sha256 during initial boot
    • sysctl: handle net.netfilter.nf_conntrack_count max exceeded (increase setting to 131072)
    • wsdd2: listen only on active interface by default (br0, bond0, or eth0)
    • webgui: remove 'My Servers' skeleton page
    • webgui: present CA-signed certificate subject as a link
    • webgui: Relax update frequency a bit
    • webgui: Docker: Only save templates as v2
    • webgui: Fix pools display on Main page when empty pool exists
    • webgui: Escape double quotes in text input submit
    • webgui: Add 'root' folder protection to filetree
    • webgui: Support multi-language in filetree display
    • webgui: Use background checking for flash corruption
    • webgui: Proactive script security hardening
    • webgui: Diagnostics: add check for DNS Rebinding Protection
    • webgui: Diagnostics: privatize routable IPs
    • webgui: Diagnostics: add url details
    • webgui: Docker: Fix incorrect caching when deleting / recreating image
    • webgui: Silence PHP error on syslinux page if flash drive is missing
    • webgui: various Multi-language corrections
    • webgui: VM Manager: added Windows 11 template and OVMF TPM
    • webgui: VM Manager: add virtio-win-0.1.208.iso download link
    • webgui: Sign-in required to provision/renew Unraid LE SSL certificate



    User Feedback

    Recommended Comments



    4 hours ago, jademonkee said:

    I heard that the NAND chips run better hot, so you shouldn't add heatsinks (which is why they don't come with them in the first place).

    That's kind of true.  You don't want to chill the chips with liquid hydrogen or anything, but no air cooler is going to get them cool enough to hurt perf.  And some do come with heatsinks now, also most high end motherboards have small heatsinks that go on them as well.  The biggest thing with Samsung drives though is to cool the processor, they run notoriously hot.  My drives idle at 43C but when heavily used go well above 62c which causes the drive to throttle down to reduce heat.


    When my public IP changed by ISP, the unraid OS can't connect to internet before i change network settings in system and save.

    3 hours ago, tinyflag East said:

    When my public IP changed by ISP, the unraid OS can't connect to internet before i change network settings in system and save.

    Why not?  What settings were you changing?  Public IP addresses change all the time (usually a simple modem reset will get you a new one)

    On 1/22/2022 at 3:48 PM, jademonkee said:

    I heard that the NAND chips run better hot, so you shouldn't add heatsinks (which is why they don't come with them in the first place).

    Not sure where you heard that.  In silicon based semiconductors, leakage current increases with temperature.  Also transistor speed tends to reduce with temperature, slowing things down.  While flash memory cells (NAND or NOR) are designed to operate over a range of temperatures, there is no benefit in running them hot.  You will run the risk of slightly shortening their working life.  The best thing for semiconductors is always moderate temperatures with good long-term stability to prevent stresses caused by thermal cycling and differential expansion.  The latter is not a big issue, but is best minimised.

     

    These devices do not as a rule come with heatsinks because the manufacturers expect that appropriate cooling methods are already in place (adequate airflow, motherboard heat spreaders, etc.) and because it adds cost.  Where heatsinks are provided it's either because the devices run abnormally hot, or in many cases I suspect it's a marketing gimmick (based on the advertising that tends to accompany such devices).

    Edited by S80_UK

    Why RC3 is not "open" for so long that is available?
    In fact 6.10 should have probably been released already.

    Is there some serious issue pending?

     

    1 hour ago, NLS said:

    Why RC3 is not "open" for so long that is available?
    In fact 6.10 should have probably been released already.

    Is there some serious issue pending?

     

    Doubt there's any "serious" issues. But there are still bugs being worked on / stuff being tested to death.  I'm sure it'll be released whenever it's deemed ready to be released.


    Have the DEVS posted when an RC3 will be available?

     I’m only asking this question because RC2 was released 6 months ago. 

    3 minutes ago, Tequila&Lime said:

    Have the DEVS posted when an RC3 will be available?

    As far as I remember (over 10 years now) they never do.

     

    20 hours ago, Squid said:

    it'll be released whenever it's deemed ready to be released

      

    On 2/6/2022 at 7:07 AM, S80_UK said:

    Not sure where you heard that.  In silicon based semiconductors, leakage current increases with temperature.  Also transistor speed tends to reduce with temperature, slowing things down.  While flash memory cells (NAND or NOR) are designed to operate over a range of temperatures, there is no benefit in running them hot.  You will run the risk of slightly shortening their working life.  The best thing for semiconductors is always moderate temperatures with good long-term stability to prevent stresses caused by thermal cycling and differential expansion.  The latter is not a big issue, but is best minimised.

     

    These devices do not as a rule come with heatsinks because the manufacturers expect that appropriate cooling methods are already in place (adequate airflow, motherboard heat spreaders, etc.) and because it adds cost.  Where heatsinks are provided it's either because the devices run abnormally hot, or in many cases I suspect it's a marketing gimmick (based on the advertising that tends to accompany such devices).

     

    When I looked at this last year, it was a matter that people were cooling them with liquid nitrogen to see if they could get faster performance and instead were getting slower results... So the conclusion that you didn't want to cool them to that extent became a generalized "they run better without cooling".

     

    6 minutes ago, Arbadacarba said:

    The best thing for semiconductors is always moderate temperatures with good long-term stability to prevent stresses caused by thermal cycling and differential expansion.

    I know I'm quoting something you didn't say, but I wanted to expand on it.

     

    When you add a passive heatsink to a chip, you help moderate the thermal cycling by adding mass. The overall cooling effect may be minimal, but absorbing the peaks and valleys helps the chip cope.

     

    The huge spikes in temp when nvme drives are writing could be bad, it's good to add mass so the spike is spread out, reducing the thermal shock.

    1 hour ago, Tequila&Lime said:

    because RC2 was released 6 months ago.

    Not really, the proper date is probably Nov 1st.

    Tom prepared the first post super early but kept it hidden. ;) 

    2 hours ago, Noim said:

    For me there are two broken things:

    23 minutes ago, Dephcon said:

    Did you clear your browser cache?

    And whitelist your server on any adblocker or anything else that might interfere with your browsers?

     

    What browser are you using?

    17 hours ago, Dephcon said:

     

    Did you clear your browser cache?

    Yes, first thing I tried. 


    And it just breaks randomly sometimes. After some time it starts working again, and then randomly breaks again.

     

    Quote

    And whitelist your server on any adblocker or anything else that might interfere with your browsers?

     

    Version 1.34.81 Chromium: 97.0.4692.99 (Official Build) (x86_64) Brave

     

    And no request gets blocked if I look into dev tools. 

     

    And I also expect there should be some kind of ws message. I think this is why it shows nothing:


     

    Maybe I am dumb and did something wrong, but don't know what.


    So far it didn't break in Safari.

     

    On 2/6/2022 at 3:41 PM, Dephcon said:

    @limetech with slackware 15.0/kernel 5.15.x now out, are you looking to bump up this RC or will you be staying on 5.14?

    This. Will 6.10 final be utilizing Slackware 15?

    Edited by loukaniko85
    On 2/6/2022 at 1:24 PM, Squid said:

    Doubt there's any "serious" issues. But there are still bugs being worked on / stuff being tested to death.  I'm sure it'll be released whenever it's deemed ready to be released.

     

    They never do but RC3 in progress.

     

     

    As @binhex said, you don't rush art.


    Updating to 6.10.0-rc2 from 6.9.2 broke my SSL and SSH setup.

     

    My self signed certificate (for local SSL access) was overwritten by the new automatically generated certificate and I am now forced to use the hostname + (optional) local TLD while I wish to use IP address access. I am not turning off SSL so I can access my server with an IP address. At my first attempt to replace /boot/config/ssl/certs/Hostname_unraid_bundle.pem with my own bundle (signed by my own root CA so it is trusted) failed and it got overwritten again. Can I please just use my own stuff?

     

    Regarding SSH, prior to updating I did migrate to the new way of providing authorized_keys. The file /boot/config/ssh/root/authorized_keys does contain my public keys and I confirmed ~/.ssh/authorized_keys does as well. However when I try to connect as before I get "Server refused our key".

     

    Edit: Using this comment by @maxstevens2 I created and put the following into my /boot/config/go file to disable the SSL certificate bundle overwrite and I also added something to get IP address access with SSL back. If you copy this, don't forget to replace the IP with yours.

    # Patch certificate bundle overwrite.
    sed -i 's/\[\[ \$SUBJECT != \$LANFQDN ]]/# Patched out by go script/g' /etc/rc.d/rc.nginx
    
    # Patch hostname redirect.
    sed -i 's/server_name \$LANFQDN;/server_name \$LANFQDN 192.168.1.2;/g' /etc/rc.d/rc.nginx

     

    Edit 2: Updating my SSH client fixed the SSH issues.

    Edited by AeonLucid
    On 2/10/2022 at 7:13 PM, AeonLucid said:

    Edit 2: Updating my SSH client fixed the SSH issues.

    Glad to hear it!

     

    On 2/10/2022 at 7:13 PM, AeonLucid said:

    I created and put the following into my /boot/config/go file to disable the SSL certificate bundle overwrite

     

    It is very dangerous to tweak the nginx config, changes here have security implications and you are on your own if you do anything like this. Other parts of the system expect rc.nginx to behave a certain way so you may have unexpected issues by changing this file. I highly recommend that you do not do anything that exposes your webgui to the Internet after doing this, including our Remote Access solution.

    Please do not encourage other people to risk their systems with this type of change. 

     

    On 2/10/2022 at 7:13 PM, AeonLucid said:

    My self signed certificate (for local SSL access) was overwritten by the new automatically generated certificate and I am now forced to use the hostname + (optional) local TLD while I wish to use IP address access. I am not turning off SSL so I can access my server with an IP address. At my first attempt to replace /boot/config/ssl/certs/Hostname_unraid_bundle.pem with my own bundle (signed by my own root CA so it is trusted) failed and it got overwritten again. Can I please just use my own stuff?


    Security is a major focus for this release. Therefore if you have enabled SSL, the certificate must match your server's settings, and the server will only respond on urls that are configured in the certificate.  Responding to urls that are not configured undermines the security of the certificate.

     

    Even so, the system is quite flexible. You can provide your own self-signed or fully legit certificate. Or Unraid will generate a self-signed certificate for you, or you can provision a fully legit unraid.net certificate from Let's Encrypt. Or even a combination of the two, with one cert for local access and an unraid.net cert for remote access.

     

    As mentioned, the settings must match the certificate. Specifically, your hostname + Local TLD must match the certificate's subject. So if your certificate's subject is myunraid.mydomain.com, you just need to set your server's hostname to "myunraid" and your Local TLD to "mydomain.com". Then the certificate will not be overwritten. For more details see https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29

     

    6 hours ago, ljm42 said:

    It is very dangerous to tweak the nginx config, changes here have security implications and you are on your own if you do anything like this. Other parts of the system expect rc.nginx to behave a certain way so you may have unexpected issues by changing this file. I highly recommend that you do not do anything that exposes your webgui to the Internet after doing this, including our Remote Access solution.

     

    I understand, but I can easily comment them out, reboot and go back to stock. There is no intent to expose this to the internet or use the unraid remote access solution. I just want to use SSL with a local IP address, which is properly supported by SSL certificates.

     

    6 hours ago, ljm42 said:

    Security is a major focus for this release. Therefore if you have enabled SSL, the certificate must match your server's settings, and the server will only respond on urls that are configured in the certificate.  Responding to urls that are not configured undermines the security of the certificate.

     

    Yes I know that, which is why I am forcing the nginx configuration to use the IP address as server_name that I have configured inside my SNI certificate.

     

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    IP.1 = 192.168.1.2

     

    7 hours ago, ljm42 said:

    Even so, the system is quite flexible. You can provide your own self-signed or fully legit certificate. Or Unraid will generate a self-signed certificate for you, or you can provision a fully legit unraid.net certificate from Let's Encrypt. Or even a combination of the two, with one cert for local access and an unraid.net cert for remote access.

     

    There is no option to "provide your own self-signed" certificate. Which is why I had to patch the nginx script.

     

    7 hours ago, ljm42 said:

    As mentioned, the settings must match the certificate.

     

    It does, now.

     

    7 hours ago, ljm42 said:

    So if your certificate's subject is myunraid.mydomain.com, you just need to set your server's hostname to "myunraid" and your Local TLD to "mydomain.com".

     

    I want to use a local IP Address.

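    An added example (not Unraid's code and not the poster's) showing the point both sides are making above: a client only accepts the certificate for the host part of the URL it was given, so IP-address access needs an IP SAN such as the IP.1 entry in the config above. It builds two constructed self-signed certificates with Go's standard library, one naming only hostname + Local TLD and one also carrying the IP SAN, and checks which URLs a browser-style hostname check accepts; the names and 192.168.1.2 come from the thread, the key and validity are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSigned builds a constructed self-signed server certificate (test data
// only, not one produced by Unraid) with the given DNS and IP SANs.
func newSelfSigned(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Accepts reports whether a standards-conforming client would accept cert for
// the host part of the URL it typed (a DNS name or a literal IP). Matching is
// against the SAN extension only; the subject CN is ignored, as browsers do.
func Accepts(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// Demo compares the two certificates discussed in the thread: one whose only
// name is hostname + Local TLD, and one that also carries an IP SAN.
func Demo() (map[string]bool, error) {
	const name = "myunraid.mydomain.com" // hostname "myunraid" + Local TLD "mydomain.com"
	const lanIP = "192.168.1.2"
	nameOnly, err := newSelfSigned(name, []string{name}, nil)
	if err != nil {
		return nil, err
	}
	withIP, err := newSelfSigned(name, []string{name}, []net.IP{net.ParseIP(lanIP)})
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"name-only cert, https://" + name:  Accepts(nameOnly, name),
		"name-only cert, https://" + lanIP: Accepts(nameOnly, lanIP),
		"IP-SAN cert, https://" + name:     Accepts(withIP, name),
		"IP-SAN cert, https://" + lanIP:    Accepts(withIP, lanIP),
	}, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for k, v := range results {
		fmt.Printf("%-45s accepted=%v\n", k, v)
	}
}
```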

    @limetech@bonienl

    I would like to kindly ask for an official answer regarding my feature request:

    I really think Unraid would benefit from having its own icon font. Maybe it doesn't even need to replace Font Awesome, but could complement it.


    Ok, so I think I've found an issue. When I run mover with the following setting in the share:

     

    It then moves all the data to Disk 1 only as per:


     

    When I specifically exclude disk 1 and run the mover for just that share, it still pushes all data to disk 1 only.

     

    I have done a full server reboot, and still get the same behaviour. I am using the mover tuner plugin if that makes a difference.





