Leaderboard

Popular Content

Showing content with the highest reputation on 05/20/19 in all areas

  1. UPDATE (010/11/2019) PLUGIN Updated for 6.8.0 RC1 +

     @Squid was awesome again in keeping with the newer kernel update, and the more simplified syntax now of "mitigations=off". If you already installed the plugin on a lower release and enabled it, nothing is needed prior to upgrading. Squid thought of and accounted for that and the plugin will handle it during boot.

     UPDATE (06/03/2019) PLUGIN AVAILABLE!!!

     @Squid was awesome enough to take this work and put it into a plugin, as many have asked for. It's a great start, and covers the basics out of the gate for everyone at the moment. Once the kernel starts rolling higher, we can change the current long string to a shorter variation, but I think that will be later in the future, post 6.8.0+.....

     Original Post:

     As many are aware, Intel has had some serious security vulnerabilities released over the past year. "Spectre", "Meltdown", and now one of the strongest dubbed "Zombieload" aka MDS. Intel seems to be having some skeletons coming out of the closet, which saw a CEO resign, and market share loss now to AMD.

     The mitigations to these vulnerabilities have all individually come with a performance cost, Spectre/Meltdown in the range of ~%15, and now MDS rumored to need Hyperthreading disabled altogether to mitigate, costing upwards of %30-%40 (sources are based on the internet, so take with a grain of salt). So add them all together, and that's a pretty hefty penalty for users who may not even be a target for this kind of attack.

     Personally, I have nothing that sensitive at my home running in individual dockers or VMs that I would worry enough about if someone from one area could read data from the other. As well, my local users are myself and my wife 🙂, so she could just TAKE the money from the bank in person 🙂 Not a threat to me. I don't care if someone is watching me play games on a vm, or is watching that I am encoding or decrypting a movie, big deal, not much going on at my house anyone would work hard enough to watch....... and if someone did make it that far to target me, I got bigger problems than speculative execution, like checking my firewall rules!!

     So, with that said, this is ALL AT YOUR OWN RISK, I or the community do not assume any responsibility of damage due to the disablement of these mitigations.

     As of 6.7.0, we have kernel level 4.19.41 which marks the last kernel to NOT mitigate against MDS. To disable Spectre/Meltdown for release 6.7.0, adjust your syslinux.cfg file as follows (and reboot):

         pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

     As of 6.7.1 RC1, we have kernel level 4.19.43 which marks the first kernel TO mitigate against Spectre/Meltdown AND MDS. To disable Spectre/Meltdown/MDS for release 6.7.1 RC1+, adjust your syslinux.cfg as follows (and reboot):

         pti=off spectre_v2=off l1tf=off mds=off nospec_store_bypass_disable no_stf_barrier

     You can validate the mitigations on the OS before/after by:

         cat /sys/devices/system/cpu/vulnerabilities/*

     BEFORE: Should look similar to (notice the Mitigations):

         Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
         Mitigation: Clear CPU buffers; SMT vulnerable
         Mitigation: PTI
         Mitigation: Speculative Store Bypass disabled via prctl and seccomp
         Mitigation: __user pointer sanitization
         Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

     AFTER: Should look similar to (notice the Vulnerable):

         Mitigation: PTE Inversion; VMX: vulnerable
         Vulnerable; SMT vulnerable
         Vulnerable
         Vulnerable
         Mitigation: __user pointer sanitization
         Vulnerable, IBPB: disabled, STIBP: disabled
    2 points
  2. Update: Was able to install 6.2.2-24922 DSM as a VM. This is what I did:
     - Used bootloader 1.03b.
     - Used DS3615
     - Installed DSM version 6.2.2-24922 (also tried DSM 6.2.1-23824 Update 6 and that worked too!)
     - Created VM as "CentOS". Used Seabios and highest version of machine (Q35-3.0)
     - After I configured the bootloader, I loaded the img as the first bootable primary vdisk first but set the type to "USB". (doing it this way, as "usb", DSM won't see the bootloader image file as a hard drive and will show only your other vdisks attached)
     - I created a vdisk, and used qcow (other type could be used, but I didn't try). Must be at least 5gb I found. (anything less it won't see and/or will fail during setup)
     - The main part!! -- manually go into the XML and change the nic to "e1000e".
     This worked for me on my Supermicro - X9SRH-7F E5-2690 v2. YMMV. Good luck.
    2 points
  3. Application Name: Musicbrainz
     Application Site: https://musicbrainz.org/
     Docker Hub: https://hub.docker.com/r/linuxserver/musicbrainz/
     Github: https://github.com/linuxserver/docker-musicbrainz
     Metabrainz Account Sign Up: https://metabrainz.org/supporters/account-type

     Please post any questions/issues relating to this docker you have in this thread. If you are not using Unraid (and you should be!) then please do not post here, instead head to linuxserver.io to see how to get support.

     *Please make sure you use /mnt/cache/ or /mnt/diskx/ for your mappings, /mnt/user/ or /mnt/user0/ will not work.*

     EDIT: 04/03/2017 AFTER initialisation is complete you will need to edit the line

         sub WEB_SERVER { "localhost:5000" }

     in file /config/DBDefs.pm changing localhost to the ip of your host, this is to allow css to display properly.

     EDIT: 18/05/2017 With the update to schema24, please remove the contents of your /config and /data folders, pull the latest image and reinitialise the database.
    1 point
  4. In this inaugural blog in the New Users Blog Series, we talk about:
     - Unraid and the USB flash drive
     - Using the USB Flash Creator tool
     - How drives are counted towards the license limit
     - How to reset your root password
     - How to rename your server (Tower)
     - How to change banner images and themes
     Check it out and let us know what you think! Have ideas/questions about Unraid that you'd like to see a blog written about? Post them here or send me a DM. Cheers!
     https://unraid.net/blog/unraid-new-users-blog-series
    1 point
  5. Upgraded this morning. Completely flawless and took all of 5 minutes. My compliments!
    1 point
  6. For the USB creator tool, please enable UEFI by default, it took a bit of head scratching to figure out why the BIOS shows UEFI as a boot option for USB device, but it does not boot. Once I recreated the USB drive and selected the UEFI option under advanced settings, it showed UEFI and booted UEFI. From what I understand about the boot format, adding the UEFI option will still allow legacy booting, but not having the UEFI option will break UEFI booting.
    1 point
  7. You can check the log, for example on the diags you posted the array started at around 00:45 and the IRQ got disabled at around 01:05:

         May 20 01:04:56 Tower kernel: irq 16: nobody cared (try booting with the "irqpoll" option)

     So if the VMs are stuttering before this happens again it's not the IRQ.
    1 point
  8. Similarly, I have a 50Mbit/s connection (in Philippines), and I'm seeing download hovering around 5MBytes/sec (up to 5.3) on the Ubuntu image. What environment are you running in, itractus? I'm on unRAID with my incomplete files written to the cache drive and copied to a protected share on completion.
    1 point
  9. Upgraded two servers from V6.6.7, went very smoothly, especially compared to 6.5 -> 6.6 in my case. Really like the new dashboard, looks great! Zero issues so far, been running stable for a few days. I still have the following error message in the syslog, but as it doesn't seem to cause problems, I have given up trying to look for a fix:

         kernel: i40e 0000:b5:00.0: Error I40E_AQ_RC_EINVAL adding RX filters on PF, promiscuous mode forced on
    1 point
  10. Seems that we will be getting a newer, more simplified, flag we can set to disable mitigations called:

          mitigations=off

      Other options would be:
      - mitigations=off: Disable all mitigations.
      - mitigations=auto: [default] Enable all the default mitigations, but leave SMT enabled, even if it's vulnerable.
      - mitigations=auto,nosmt: Enable all the default mitigations, disabling SMT if needed by a mitigation.

      In the meantime, we can continue to use the options above until I can test the new options out on unraid with a newer kernel (future releases once unraid upgrades kernel). There seems to be validation of it working in 5.0.16 Kernel. However seems to be a release intended for Kernel 5.2.
      https://www.phoronix.com/scan.php?page=news_item&px=Spectre-Meltdown-Easy-Switch-52
      https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.19.43&id=8cb932aca5d6728661a24eaecead9a34329903ff
    1 point
  11. I got it to work! In the serverconfig.xml I changed <property name="ServerDisabledNetworkProtocols" value="SteamNetworking"/> to <property name="ServerDisabledNetworkProtocols" value=""/> (I removed SteamNetworking) I'm not sure why this works exactly but it might have something to do with some settings in my router (Asus RT-68U).
    1 point
  12. There is no "event" for a power down. And, since your script (presumably) requires the share system to be up and running, then running in the background isn't an option either.
    1 point
  13. Correct on all points. Setting a schedule like that means that the shutdown (or startup) procedure is on hold until the script is finished. Unless you start another script via the first one that launches in the background:

          echo "the/real/script" | at NOW -m
    1 point
  14. I'm curious to hear an update on this. Perhaps there's an entertaining story to be told from behind the scenes where our heroes @OmgImAlexis & @limetech ventured forward to enhance this feature but ran into some unforeseen challenges along the way.... 🤺
    1 point
  15. 6.7 Update, no issues updating from 6.6.7. Great Work everyone! Storinator AV 15 Here is my diagnostic, if anyone is interested tower-diagnostics-20190519-1349.zip
    1 point
  16. You need to edit the auth file in appdata folder and create a user/pass to access deluge by adding a line like so:

          username:userpassword:10

      These are the credentials you use to access via the thin client. More info here: https://dev.deluge-torrent.org/wiki/UserGuide/ThinClient
    1 point
  17. @limetech Okay, so I did a bit of googling, and to build up, this is what I found based on Kernel level and availability (Leaving zombieload off the table for now since latest release does not yet mitigate it, that will be next):

          Kernel 4.15
            Spectre v2 (CVE-2017-5715) - "nospectre_v2"
          Kernel 4.17
            Spectre v4 (CVE-2018-3639) - "nospec_store_bypass_disable"
          Kernel 4.19
            PR_SPEC_DISABLE_NOEXEC - During compilation
            Spectre v1 (CVE-2017-5753) - "nospectre_v1"
            Spectre v2 (CVE-2017-5715) - "nospectre_v2"
            Spectre v4 (CVE-2018-3639) - "nospec_store_bypass_disable"

      So checking uname on the latest 6.7.0 (non RC1), I can see we are at 4.19.41, so all three should be available nospectre_v1,v2, and store_bypass_disable. Of course seems there is a flag that can be set during compile, but that's not even worth getting into since that will never happen understandably.

      Then I found a phoronix forum thread that went back and forth, and I ultimately came out with this:

          pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

      Where would be the best place to do this in Unraid during boot? Would it simply be an append in the syslinux file?

          append pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

      EDIT: Seems zombieload (aka MDS) will be mds=off

      EDIT2: I am testing adding this to my unraid backup servers syslinux.cfg files boot section, like this:

          default menu.c32
          menu title Lime Technology, Inc.
          prompt 0
          timeout 50
          label Unraid OS
            menu default
            kernel /bzimage
            append initrd=/bzroot pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier
          label Unraid OS GUI Mode
            kernel /bzimage
            append initrd=/bzroot,/bzroot-gui
          label Unraid OS Safe Mode (no plugins, no GUI)
            kernel /bzimage
            append initrd=/bzroot unraidsafemode
          label Unraid OS GUI Safe Mode (no plugins)
            kernel /bzimage
            append initrd=/bzroot,/bzroot-gui unraidsafemode
          label Memtest86+
            kernel /memtest

      So far I have rebooted with the change, and boot was successful. I am working now to validate these are actually disabled.

      EDIT3: Okay, it worked. Here is my before and after:

      BEFORE:

          cat /sys/devices/system/cpu/vulnerabilities/*
          Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
          Mitigation: PTI
          Mitigation: Speculative Store Bypass disabled via prctl and seccomp
          Mitigation: __user pointer sanitization
          Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

      AFTER:

          cat /sys/devices/system/cpu/vulnerabilities/*
          Mitigation: PTE Inversion; VMX: vulnerable
          Vulnerable
          Vulnerable
          Mitigation: __user pointer sanitization
          Vulnerable, IBPB: disabled, STIBP: disabled

      You will notice "conditional cache flushes", "SMT vulnerable", "PTI", "Speculative Store Bypass disabled via prctl and seccomp", "Full generic retpoline" are all disabled now.

      I don't know about you, but I don't care if someone is watching me play games on a vm, or is watching that I am encoding or decrypting a movie, big deal, not much going on at my house anyone would work hard enough to watch....... and if someone did make it that far to target me, I got bigger problems than speculative execution, like checking my firewall rules!!

      I will post this in another thread for better visibility if you all agree?
    1 point
  18. This makes me think it's still related to the UUID issue, you can try changing it again, but even if it works probably best to backup and reformat the disk. If the UUID change doesn't help and you want to try and recover any data before formatting try the btrfs recovery options on the FAQ.
    1 point
  19. Ok, I used to be able to connect to Host network with this before the update....that allowed me to be assigned an IP on my WiFi subnet, which then allowed me to access the UnRAID GUI interface. NOW, instructions make us connect to Bridge network......so how do we access the UnRAID GUI interface if we are on the bridge network? OpenVPN dished me out a 172.27.xxx.xxx address (docker subnet). Update: Figured out how to access UnRAID GUI. Did NOT figure out how to be assigned a local address on my primary WiFi subnet though. In Admin Page ----> VPN Settings go to Routing section and add a line for the subnet you want your clients to have access to (for example, I added 192.168.1.0/24 which is my primary WiFi subnet and where I can access my UnRAID GUI locally)
    1 point
  20. Yes, it doesn't spin down but it enters a lower power state, though it won't make much difference on power with SSDs.
    1 point
  21. That SSD is dropping offline:

          Apr 30 12:18:33 Tower kernel: sd 1:0:8:0: Power-on or device reset occurred
          Apr 30 12:18:33 Tower kernel: sd 1:0:8:0: Device offlined - not ready after error recovery
          Apr 30 12:18:33 Tower kernel: sd 1:0:8:0: [sdj] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x00 driverbyte=0x08
          Apr 30 12:18:33 Tower kernel: sd 1:0:8:0: [sdj] tag#0 Sense Key : 0x2 [current]
          Apr 30 12:18:33 Tower kernel: sd 1:0:8:0: [sdj] tag#0 ASC=0x4 ASCQ=0x2
          Apr 30 12:18:33 Tower kernel: sd 1:0:8:0: [sdj] tag#0 CDB: opcode=0x28 28 00 15 d5 43 38 00 00 08 00
          Apr 30 12:18:33 Tower kernel: print_req_error: I/O error, dev sdj, sector 366297912
          Apr 30 12:18:33 Tower kernel: sd 1:0:8:0: rejecting I/O to offline device
          Apr 30 12:18:33 Tower kernel: sd 1:0:8:0: [sdj] killing request
          Apr 30 12:18:33 Tower kernel: sd 1:0:8:0: [sdj] UNKNOWN(0x2003) Result: hostbyte=0x01 driverbyte=0x00
          Apr 30 12:18:33 Tower kernel: sd 1:0:8:0: [sdj] CDB: opcode=0x35 35 00 00 00 00 00 00 00 00 00
          Apr 30 12:18:33 Tower kernel: print_req_error: I/O error, dev sdj, sector 244198784

      You can try replacing cables, though you should connect the SSDs to the onboard SATA controller (and set to AHCI) to be able to trim them.
    1 point
  22. This docker requires a code from musicbrainz so that the database can be updated from their servers.

      BEFORE ADDING THIS DOCKER

      Go to the metabrainz site and click non-commercial. Then create an account like so. Go through the pages, filling in as appropriate.. Then generate your access token like so... Select, and copy this access token, you'll need it for the next bit.

      NOW ADD THE DOCKER

      You'll need to click the advanced tab and paste your access token into the BRAINZCODE section under Environmental Variables like so. Map your two folders to appropriate locations as normal and then click create. The docker will then generate a blank postgres data structure, download the latest data dump from musicbrainz and then import the data.

      THE DOWNLOAD MAY BE UP TO 5GB AND THE PROCESS OF DOWNLOADING AND SUBSEQUENT IMPORT CAN TAKE A LONG TIME.

      The docker may appear unresponsive and the logs can look stuck on

          BEGINNING INITIAL DATABASE IMPORT ROUTINE, THIS COULD TAKE SEVERAL HOURS AND THE DOCKER MAY LOOK UNRESPONSIVE
          DO NOT STOP DOCKER UNTIL IT IS COMPLETED

      This is normal, just go off and start another civilisation on a small uninhabited island, or drink a metric ton of coffee and be patient. Every hour or so check the log and eventually it should show something like this

          IMPORT IS COMPLETE, MOVING TO NEXT PHASE
          *** Running /etc/my_init.d/004-import-databases--and-or-run-everything.sh...
          *** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
          *** Running /etc/rc.local...
          *** Booting runit daemon...
          *** Runit started as PID 609
          May 23 12:34:49 1cd29f5762de syslog-ng[614]: syslog-ng starting up; version='3.5.3'
          May 23 12:59:01 1cd29f5762de /USR/SBIN/CRON[695]: (root) CMD (/bin/bash /root/update-script.sh)
          May 23 13:00:01 1cd29f5762de /USR/SBIN/CRON[718]: (root) CMD (/bin/bash /root/update-script.sh)
          May 23 13:17:01 1cd29f5762de /USR/SBIN/CRON[873]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
          May 23 13:59:01 1cd29f5762de /USR/SBIN/CRON[1266]: (root) CMD (/bin/bash /root/update-script.sh)
          May 23 14:00:01 1cd29f5762de /USR/SBIN/CRON[1283]: (root) CMD (/bin/bash /root/update-script.sh)
          May 23 14:17:01 1cd29f5762de /USR/SBIN/CRON[1444]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
          May 23 14:59:01 1cd29f5762de /USR/SBIN/CRON[1622]: (root) CMD (/bin/bash /root/update-script.sh)
          May 23 15:00:01 1cd29f5762de /USR/SBIN/CRON[1634]: (root) CMD (/bin/bash /root/update-script.sh)
          May 23 15:17:01 1cd29f5762de /USR/SBIN/CRON[1694]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)

      It's done...
    1 point