
Leaderboard


Popular Content

Showing content with the highest reputation since 01/19/20 in Posts

  1. 22 points
    tldr: If you are running Unraid OS 6 version 6.8.1 or later, the following does not apply (mitigations are in place). If you are running any earlier Unraid OS 6 release, i.e., 6.8.0 and earlier, please read on.

    On Jan 5, 2020 we were informed by a representative from sysdream.com of security vulnerabilities they discovered in Unraid OS. Their report is attached to this post. At the time, version 6.8.0 was the stable release.

    The most serious issue concerns version 6.8.0. Here they discovered a way to bypass our forms-based authentication and look at the contents of various webGUI pages (that is, without having to log in first). Then using another exploit, they were further able to demonstrate the ability to inject "arbitrary code execution". Someone clever enough could use this latter exploit to execute arbitrary code on a server. (That person would have to have access to the same LAN as the server, or know the IP address:port of the server if accessible via the Internet.)

    Even in versions prior to 6.8.0, the "arbitrary code execution" vulnerability exists if an attacker can get you to visit a webpage using a browser that is already logged into an Unraid server (and they know or can guess the host name of the server). In this case, clicking the link could cause injection of code to the server. This is similar to the CSRF vulnerability we fixed a few years ago.

    In summary, sysdream.com recognizes 3 vulnerabilities:
      1. That it's possible to bypass username/password authentication and access pages directly in v6.8.0.
      2. That once authentication is bypassed, it's possible to inject and have server execute arbitrary code.
      3. That even if bug #1 is fixed, #2 is still possible if attacker can get you to click a link using browser already authenticated to your Unraid server (6.8.0 and all earlier versions of Unraid 6).

    Mitigations are as follows:
      - First, if you are running version 6.8.0, either upgrade to latest stable release, or downgrade to an earlier release and install the sysdream mitigation plugin. We are not going to provide a mitigation plugin for 6.8.0.
      - If you are running any 6.6 or 6.7 Unraid release, the best course of action is to upgrade to the latest stable release; otherwise, please install this mitigation plugin: https://raw.githubusercontent.com/limetech/sysdream/master/sysdream.plg
        This plugin will make a small patch to the webGUI template.php file in order to prevent arbitrary code execution. This plugin will work with all 6.6.x and 6.7.x releases and should also be available via Community Apps within a couple hours.
      - We are not going to provide a mitigation for Unraid releases 6.5.x and earlier. If you are running an earlier release and cannot upgrade for some reason, please send us an email: support@lime-technology.com.

    I want to thank sysdream.com for bringing this to our attention, @eschultz for initial testing and fixes, and @bonienl for creation of the sysdream mitigation plugin.

    I also want to remind everyone: please set a strong root password, and carefully consider the implications and security measures necessary if your server is accessible via the Internet. Finally, try and keep your server up-to-date.

    Attachment: VULNERABILITY_DISCLOSURE.pdf
  2. 18 points
    Something else I wanted to add, as long as we're talking about security measures in the pipe: we are looking at integrating various 2-Factor solutions directly in Unraid OS, such as google authenticator.
  3. 16 points
    v6.8.2 uploaded. Delayed for a few reasons, had problems (and still do) with the nvidia container runtime, worked around it in the end, but not a long term solution looking forward, I'm working like a dog at the moment as my current real life job finishes in 2 days and I'm having to put a ton of extra hours in, wife a bit ungainly at the moment as very heavily pregnant so I'm having to do a bit more for our existing beast, and to add to that bass_rock has been away for work, so kind of a perfect storm of not having much time to sit down with this, although I have been trying to get it working every chance I've had. Anyways, I've tested this version, think everything is working, and I believe all the out of tree drivers are squared away. Last version (v6.8.1) might have been missing the Intel 1gb driver as I hadn't realised that it was different to the 10gb driver.
  4. 12 points
    I haven't "danced" around anything, sorry if it appears like that. How does this apply in an Unraid server environment? Yes this is something we're looking at. why? why? There is only one user: root. You can set file permissions however you want using standard linux command line tools. Again, what are you trying to accomplish? We do have plans to introduce the idea of multiple admin users with various roles they can take on within the Management Utility. For example, maybe you create a user named "Larry" who only has access to the Shares page with ability to browse shares only they have access to. However this functionality is not high on the list of features we want/need to implement. Earlier you were confused by my term "appliance". What this means is the server has a single user that can manage the box. If you don't have the root user password, all you can do is access shares on the network that you have permission for, and access Docker webUIs - but most of these have their own login mechanism. Things like the flash share exported by default, new shares public by default, telnet enabled by default, SMBv1 enabled by default, etc. are all simplifications to reduce frustration by new users. Nothing more frustrating than creating a share and then getting "You do not have permission..." when trying to browse your new share. We are trying to reduce the swearing and kicking of dogs by new users just trying to use the server. Eventually everyone needs to be more security conscious - and in that spirit we are working on "wizards" that will guide a user to setting up the correct settings for their needs. I hope this starts to answer some questions and sorry if I came across flippant to your concerns, but trust me, security is a foremost concern and to have someone imply otherwise ticks me off to be honest.
  5. 10 points
    Due to a security vulnerability discovered in forms-based authentication: ALL USERS ARE STRONGLY ENCOURAGED TO UPGRADE

    To upgrade: If you are running any 6.4 or later release, click 'Check for Updates' on the Tools/Update OS page. If you are running a pre-6.4 release, click 'Check for Updates' on the Plugins page. If the above doesn't work, navigate to Plugins/Install Plugin, select/copy/paste this plugin URL and click Install: https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer.plg

    Refer also to @ljm42 excellent 6.4 Update Notes which are helpful especially if you are upgrading from a pre-6.4 release.

    Bugs: If you discover a bug or other issue in this release, please open a Stable Releases Bug Report.

    Overview

    This is a bug fix and security update release.
      - Some users are reporting problems booting due to a crash in the in-tree Intel IGB ethernet driver. We replaced the in-tree driver with latest out-of-tree driver.
      - We fixed a longstanding issue where LibreELEC/Kodi could not browse NFS shares. The fix was to rebuild the rpcbind program, including a new option: --enable-rmtcalls
      - Version 6.8.1 included a new docker option "Host access to custom networks" (thanks @bonienl) but I left out a critical change in the rc.docker script, sorry about that, now fixed.
      - Fixed an encryption issue: if you first tried 'keyfile' method to specify encryption key, and that fails, any attempt to enter a passphrase would also fail, since a keyfile still exists, emhttpd used that as encryption key. This is fixed in webGUI by detecting presence of an encryption keyfile and offering only to re-download a new keyfile or delete the current one. Once deleted, you can then enter a passphrase.
      - Small change to properly support custom SSL wildcard certs (thanks @ljm42)
      - Updated kernel, wireguard, other base packages
      - Numerous webGUI fixes and refinements (thanks @bonienl, @Squid, @gfjardim)

    A note regarding encryption passphrases: There is a warning in the Help text for passphrase which reads:

    Prior to this release (6.8.2) we did not enforce this restriction, but now we are. Unfortunately this means for those who have previously used a passphrase including other characters, you will need to use the "keyfile" method. We will add a feature in a future release that will let you change your passphrase/keyfile.

    Version 6.8.2 2020-01-26

    Changes vs. 6.8.1

    Base distro:
      - fuse3: version 3.9.0
      - php: version 7.3.14 (CVE-2020-7060, CVE-2020-7059)
      - rpcbind: version 1.2.5 (rebuilt with --enable-rmtcalls option)
      - ttyd: version 20200120
      - wireguard-tools: version 1.0.20200121

    Linux kernel:
      - version 4.19.98 (CVE-2019-14615)
      - CONFIG_ENIC: Cisco VIC Ethernet NIC Support
      - removed: CONFIG_IGB: Intel(R) 82575/82576 PCI-Express Gigabit Ethernet support
      - removed: CONFIG_IGBVF: Intel(R) 82576 Virtual Function Ethernet support
      - kernel-firmware: version 20200122_1eb2408
      - oot: Intel igb: version 5.3.5.42
      - oot: wireguard: version 0.0.20200121

    Management:
      - rc.docker: include missing changes to support new setting "Host access to custom networks"
      - rc.nginx: support custom wildcard SSL certs
      - webgui: User password: hide base64 conversion
      - webgui: Select username field when login page is loaded
      - webgui: login: autocapitalize="none"
      - webgui: Passphrase printable characters only
      - webgui: Encryption: enforced keyfile selection/deletion when file exists
      - webgui: Use php json_encode to properly encode notifications
      - webgui: Changed Delete keyfile button placement
      - webgui: Detect missing key when keyfile is deleted
      - webgui: Add Network:VPN as an application category
      - webgui: further hardening in auth_request.php
      - webgui: Style adjustment: buttons min-width
      - webgui: login page favicon now matches the green/yellow/red icon from the other webgui pages
      - webgui: VM Manager: add 'virtio-win-0.1.173-2' to VirtIO-ISOs list
      - webgui: Network settings: updated help text
      - webgui: Fix link for Password Recovery on login screen

    Version 6.8.1 2020-01-10

    Changes vs. 6.8.0

    Base distro:
      - libuv: version 1.34.0
      - libvirt: version 5.10.0
      - mozilla-firefox: version 72.0.1 (CVE-2019-17026, CVE-2019-17015, CVE-2019-17016, CVE-2019-17017, CVE-2019-17018, CVE-2019-17019, CVE-2019-17020, CVE-2019-17021, CVE-2019-17022, CVE-2019-17023, CVE-2019-17024, CVE-2019-17025)
      - php: version 7.3.13 (CVE-2019-11044 CVE-2019-11045 CVE-2019-11046 CVE-2019-11047 CVE-2019-11049 CVE-2019-11050)
      - qemu: version 4.2.0
      - samba: version 4.11.4
      - ttyd: version 20200102
      - wireguard-tools: version 1.0.20200102

    Linux kernel:
      - version 4.19.94
      - kernel_firmware: version 20191218_c4586ff (with additional Intel BT firmware)
      - CONFIG_THUNDERBOLT: Thunderbolt support
      - CONFIG_INTEL_WMI_THUNDERBOLT: Intel WMI thunderbolt force power driver
      - CONFIG_THUNDERBOLT_NET: Networking over Thunderbolt cable
      - oot: Highpoint rr3740a: version v1.19.0_19_04_04
      - oot: Highpoint r750: version v1.2.11-18_06_26 [restored]
      - oot: wireguard: version 0.0.20200105

    Management:
      - add cache-busting params for noVNC url assets
      - emhttpd: fix cryptsetup passphrase input
      - network: disable IPv6 for an interface when its setting is "IPv4 only".
      - webgui: Management page: fixed typos in help text
      - webgui: VM settings: fixed Apply button sometimes not working
      - webgui: Dashboard: display CPU load full width when no HT
      - webgui: Docker: show 'up-to-date' when status is unknown
      - webgui: Fixed: handle race condition when updating share access rights in Edit User
      - webgui: Docker: allow to set container port for custom bridge networks
      - webgui: Better support for custom themes (not perfect yet)
      - webgui: Dashboard: adjusted table positioning
      - webgui: Add user name and user description verification
      - webgui: Edit User: fix share access assignments
      - webgui: Management page: remove UPnP conditional setting
      - webgui: Escape shell arg when logging csrf mismatch
      - webgui: Terminal button: give unsupported warning when Edge/MSIE is used
      - webgui: Patched vulnerability in auth_request
      - webgui: Docker: added new setting "Host access to custom networks"
      - webgui: Patched vulnerability in template.php
  6. 9 points
    Also, either tonight or tomorrow an update to Fix Common Problems will be issued which will flag an error on affected systems if you do not have this plugin installed. See here
  7. 8 points
    Hey everyone! Stoked to have officially joined the team 🙌
  8. 8 points
    He's right, we don't need to be told, the rate limiting step isn't when we notice a new Unraid build, it's when I get a chance to build it, trust me, I'm an Unraid user, I get the same notifications as everyone else, I know when there's a new release.
  9. 8 points
    My co-workers wondered why I was taking off my shirt. They are still baffled why I have to show my belly button to a squid. 😁
  10. 7 points
    This is a load of B.S. While I appreciate the sentiment of your post (wanting to improve security), it is not helpful to simply complain. What is helpful is to point out specific attack vectors that we can address. Unraid is rapidly evolving from a simple NAS mainly used by tech-savvy home users to a more general platform with a wider range of users. It used to be the introduction of some bug that causes customer data loss that kept me up at night. These days, having a bug that presents a security risk is far more worrisome. So don't tell me we don't take security seriously. That said, there is a trade-off between making the server easily accessible for a first-time user vs. locking it down so tight no one can figure out how to even get in. I'll give you an example. By default we export the 'flash' share as a public share. Some people's hair catches on fire because of this. But the reason it's done this way is that after a user creates a bootable USB flash a very simple test is to see if the 'flash' share shows up in network explorer. There are other reasons it's handy to have this public for at least some amount of time. These days we have an icon next to the flash share if it's public, where rollover warns about this. Moving forward we are developing an initial configuration wizard that will guide a user in setting up the level of security appropriate for them.
  11. 6 points
    All of us at Lime Technology Inc. are excited to announce the hiring of Zack Spear as a full-time web developer. Please help us give @zspearmint a warm welcome to the Unraid forums! Zack has a diverse skill set and is an all around great guy. Learn more about Zack from his website bio: Please feel free to ask Zack all about his digital nomad travels, Borussia Dortmund banter, love of old school analog film photography, or just drop in below to say "Hey". Welcome aboard Zack!
  12. 6 points
    This is why I trust unraid, accountability to the people that use your software. Thank you unraid team and developers for all your hard work and dedication! Regards, Shane (new unraid builder) Sent from my iPhone using Tapatalk
  13. 6 points
    My wife wants to watch the Notebook with me.... Please fix
  14. 5 points
    Please make 2FA an optional feature. My server is not exposed to the Internet so there's really no need for extra security. It would be a massive pain in the backside having to grab my phone just to check if a docker has crashed.
  15. 5 points
    Unraid 6.8.2 is now available! Along with the new release, we've published a blog on some general security tips and best practices to follow to keep your Unraid server safe and secure. What else do you do to keep your Unraid server safe? Let us know in the comments here!
  16. 5 points
    @limetech Not to be that guy but are we expecting a 6.9 RC soonish? I cannot use 6.8 due to BTRFS issues on 4.19 kernel. I am currently on 6.8RC7 due to kernel 5.3. Thanks again.
  17. 5 points
    Available within CA. Either go to the new apps section or search for sysdream or limetech. If it doesn't appear, then you're not running a version of unraid which the plugin will work on (or isn't needed - 6.8.1 / 6.8.2)
  18. 4 points
```bash
#!/bin/bash
# Set your Unraid version here in the form 6-7-3
UNRAID_VERSION="6-8-2"
# Set the type of build you want here - nvidia or stock
BUILD_TYPE="nvidia"
# Set the download location here
DOWNLOAD_LOCATION="/mnt/cache/downloads/nvidia"

BASE_URL="https://lsio.ams3.digitaloceanspaces.com/unraid-nvidia/${UNRAID_VERSION}/${BUILD_TYPE}"
FILES=(bzimage bzroot bzroot-gui bzfirmware bzmodules)

echo "Downloading v${UNRAID_VERSION} of the ${BUILD_TYPE} build to the ${DOWNLOAD_LOCATION} folder"

# Make target directory
[[ ! -d "${DOWNLOAD_LOCATION}" ]] && mkdir -p "${DOWNLOAD_LOCATION}"

# Download each file and its .sha256 companion
for f in "${FILES[@]}"; do
  wget "${BASE_URL}/${f}" -O "${DOWNLOAD_LOCATION}/${f}"
  wget "${BASE_URL}/${f}.sha256" -O "${DOWNLOAD_LOCATION}/${f}.sha256"
done

# Compare the expected sha256 (first 64 chars of the .sha256 file) with the
# actual sha256 of the downloaded file. Only report "passed" when the test
# itself succeeds, and exit non-zero if any file fails.
FAILED=0
for f in "${FILES[@]}"; do
  EXPECTED=$(cut -c1-64 "${DOWNLOAD_LOCATION}/${f}.sha256")
  ACTUAL=$(sha256sum "${DOWNLOAD_LOCATION}/${f}" | cut -c1-64)
  if [[ "${EXPECTED}" == "${ACTUAL}" ]]; then
    echo "${f} passed sha256 verification"
  else
    echo "${f} FAILED sha256 verification (expected ${EXPECTED}, got ${ACTUAL})" >&2
    FAILED=1
  fi
done

exit "${FAILED}"
```

    That script will do it. Need to change the 3 parameters to suit. chmod +x it to make it executable, if all the SHA256 sums match copy it across to your flash disk.
  19. 4 points
    @bonienl The VM GUI editor is hard coded to set the thread count to 1 if it detects an AMD processor in libvirt.php

```php
// detect if the processor is AMD, and if so, force single threaded
$strCPUInfo = file_get_contents('/proc/cpuinfo');
if (strpos($strCPUInfo, 'AuthenticAMD') !== false) {
    $intCPUThreadsPerCore = 1;
}
```

    This was due to AMD reporting no support for hyperthreading in a VM. With UNRAID 6.8.1 RC1, hyperthreading is supported with CPU passthrough as is (and CPU cache) if the CPU feature topoext is enabled. Previously, the CPU had to be forced to report as an EPYC to get it to support hyperthreading.

```xml
<cpu mode='host-passthrough' check='none'>
  <topology sockets='1' cores='6' threads='2'/>
  <cache mode='passthrough'/>
  <feature policy='require' name='topoext'/>
</cpu>
```

    Microsoft's CoreInfo returns

```
Coreinfo v3.31 - Dump information on system CPU and memory topology
Copyright (C) 2008-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

Logical to Physical Processor Map:
**----------  Physical Processor 0 (Hyperthreaded)
--**--------  Physical Processor 1 (Hyperthreaded)
----**------  Physical Processor 2 (Hyperthreaded)
------**----  Physical Processor 3 (Hyperthreaded)
--------**--  Physical Processor 4 (Hyperthreaded)
----------**  Physical Processor 5 (Hyperthreaded)
```

    Note that changes to the CPU layout may not be detected in the VM until the VM is rebooted from inside the VM itself (for example: Start > Power > Restart)

    Prior to 6.8.1 RC1, I could not get CPU-Z to run, it would always hang at the 10%/Processors on load. It still takes a bit but does return now.
  20. 4 points
    I’ve seen a lot of people asking questions and having problems getting graphics cards and onboard usb controllers passed through on Ryzen X570 systems. I had some issues myself that thanks to a couple of people here on the forums I was able to get resolved. This guide is about setting up a Windows 10 vm using a single graphics card with onboard usb passed through. Because I have managed to get it working, I thought it might be a good idea to write a little guide based on my setup in case it can help some other people. While this was specific to my motherboard and hardware, there are parts that should be applicable for other hardware combinations.

    Let’s start with my hardware. I’m using a Ryzen 7 3800X with the AsRock X570 Taichi. The graphics card is a Geforce GTX 1070.

    BIOS

    First step is to make sure the bios is up to date. At the time I am writing this the newest bios for my motherboard is 2.70 dated 12-9-2019. This is the AGESA version: Update AMD AGESA Combo-AM4 1.0.0.4 Patch B. Once updated, boot into the bios once then restore default settings, save, reboot and go back into the bios.

    To enable IOMMU I found this at level1techs: https://forum.level1techs.com/t/x570-taichi-iommu-groups/145762/2

    After some trial and error, I found that in order to passthrough the motherboard usb controllers, I had to change some usb options from Auto to Enabled. Because there is one controller that can’t be passed through, not all of these probably need to be changed, but I’m not sure which ones are for which controllers. Doesn’t seem to be causing me any issues at the moment.
      - Go to Advanced>AMD CBS>FCH Common Options>USB Configuration Options and change XHCI Controller to Enabled. While there go to MCM USB enable and set XHCI2 enable and XHCI3 enable to Enabled.
      - Next is Advanced>AMD CBS>Chipset Common Options>Chipset USB Configuration Options. Change XHCI Controller0 enable and XHCI Controller1 enable to Enabled.

    The last thing is to set the boot device to the Unraid usb non uefi. (Supposedly booting the usb using uefi can cause problems, but I have not experienced those myself so I can’t comment on that. This is the better safe than sorry approach.) Save settings and reboot.

    Isolating Cores

    This next step may be considered optional, but it’s about making sure the vm has the best chance of performing as best it can. In Unraid go to Settings>CPU Pinning. At the bottom you can choose which CPU cores you would like to isolate. Unraid likes to use core 0, so I stay away from that one and usually start at the other end. Keep in mind to match the hyperthreads together. In my case I went with cores 4-7 and the matching hyperthreads 12-15.

    Syslinux

    Next, in Unraid, go to the Main tab and click on Flash then scroll down to Syslinux Configuration. To edit these click on Menu View and it will change to Raw View. I like to have a separate menu option for hardware passthrough so I just copy everything for ‘label Unraid OS’, delete ‘menu default’ under ‘label Unraid OS’, then paste in the new menu item with the other menu items. Make sure to rename it and that it says ‘menu default’ so that’s the one that Unraid will boot into automatically. The only other change is to add ‘video=efifb:off’ after ‘initrd=/bzroot’. I admit that I am not sure on the details of why this is necessary, but I believe it has to do with passing through the only graphics card in the system.

```
label Unraid OS HWPT
  menu default
  kernel /bzimage
  append isolcpus=4-7,12-15 initrd=/bzroot video=efifb:off
```

    vfio-pci.cfg

    To stub the graphics card and usb controller I highly recommend using the VFIO-PCI CFG plugin. So far it works really well and makes things much easier. Plus, it gives useful information like if your device can be reset and also which devices are attached to which usb controllers (very useful for figuring out which usb ports belong to which usb controllers). The plugin can be found in Community Apps. Once installed you can find it in the Settings tab. Go there and it’s a good time to double check that the IOMMU groups are looking like they should. Then it’s as easy as selecting which devices you want to stub. Check the graphics card and its audio controller.

    For the onboard usb controllers, it’s tempting to try using the one that is off in its own group. In my case that was this one:

```
Group 33
  10:00.3 [RESET] 1022:149c USB controller: Advanced Micro Devices, Inc. [AMD] Matisse USB 3.0 Host Controller
```

    However, that one will not work and was one of the problems I ran into, but thanks to an explanation by @Skitals it makes sense why that one would not work. The address is Bus:Device:Function. Notice that the Function for that usb controller is 3. That means that despite being in its own IOMMU group, it belongs to another device and therefore, can’t be passed through. Good thing there are two other usb controllers on this motherboard in this group:

```
Group 20
  03:08.0 [RESET] 1022:57a4 PCI bridge: Advanced Micro Devices, Inc. [AMD] Device 57a4
  0a:00.0 [RESET] 1022:1485 Non-Essential Instrumentation [1300]: Advanced Micro Devices, Inc. [AMD] Starship/Matisse Reserved SPP
  0a:00.1 1022:149c USB controller: Advanced Micro Devices, Inc. [AMD] Matisse USB 3.0 Host Controller
  0a:00.3 [RESET] 1022:149c USB controller: Advanced Micro Devices, Inc. [AMD] Matisse USB 3.0 Host Controller
```

    Select the three 0a:00 devices. Make sure the usb drive that Unraid uses is not in one of the usb ports for those two controllers and then reboot.

    For reference, here’s a picture that shows the back panel of the X570 Taichi. The ports colored in red belong to the usb controller that’s off in its own group. The yellow and green colored ports belong to the two other usb controllers. I have not yet tried to figure out which controllers the motherboard usb headers belong to.

    vm xml – graphics card

    Before creating the vm, we’ll need a dump of the vbios. While it is possible to download from techpowerup, that may or may not be the right vbios for your exact card. I found it was easiest to put Hiren’s BootCD on a usb drive and swap that with the unraid usb drive, boot into that, dump the vbios with GPUZ and save that to the usb drive. Take that usb drive to another computer and edit the vbios with a hex editor to remove the header as seen in this Spaceinvader One video: https://www.youtube.com/watch?v=1IP-h9IKof0&t=438s

    Put the Unraid usb drive back in the server and start it up. (Now is a good time to make sure it’s still booting into Legacy mode and not uefi as I noticed mine had switched at this point.) Put the vbios file somewhere on your Unraid server so that the vm will be able to access it. (Maybe a vbios folder in with your ISO folders.)

    Time to create a Windows 10 vm. Go to the VMS tab, Add VM, Windows 10. I’ll just mention the things that I actually change and the rest of the settings will stay at defaults.
      - Logical CPUs - change this to match the cores you isolated earlier
      - Initial and Max Memory – change these to the desired amount of RAM for the vm, I’m using 8192 MB for both
      - Machine – Q35
      - OS Install ISO – point this to your Windows 10 install ISO
      - VirtIO Drivers ISO – might want to make sure you have the latest version (virtio-win-0.1.171.iso as of the time I am writing this). They can be found here under Direct downloads virtio-win iso: https://docs.fedoraproject.org/en-US/quick-docs/creating-windows-virtual-machines-using-virtio-drivers/index.html Note: You can set your default virtio iso in Settings>VM Manager.
      - Graphics Card – set to your graphics card
      - Graphics ROM BIOS – point this to the vbios file you got from your graphics card earlier
      - Sound Card – set to the graphics card audio controller
      - Other PCI Devices – I had some issues with this but so far I have found two ways that seem to work. The first is to just select the usb controller that ends in .3. (In the reference photo above, I believe it’s the usb ports colored in yellow.) The other way is to select the 2 usb controllers and the non-essential instrumentation. Then the xml also needs to be edited which will be explained below.
      - Uncheck Start VM after creation

    Click Create

    Now the xml of the vm needs to be edited, so go in to edit it and click on Form View to change it to XML View. Now we need to follow this video by Spaceinvader One. There is one thing I noticed that was different for my setup and that was that it was the Bus that was different and not the Slot, so I went ahead and changed the Bus to match. https://www.youtube.com/watch?v=QlTVANDndpM&t=601s

    Usb Controller

    If both usb controllers were selected, then the xml needs to be edited in a similar fashion as to the way the graphics card xml was edited. Here’s mine for an example:

```xml
<hostdev mode='subsystem' type='pci' managed='yes'>
  <driver name='vfio'/>
  <source>
    <address domain='0x0000' bus='0x0a' slot='0x00' function='0x0'/>
  </source>
  <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0' multifunction='on'/>
</hostdev>
<hostdev mode='subsystem' type='pci' managed='yes'>
  <driver name='vfio'/>
  <source>
    <address domain='0x0000' bus='0x0a' slot='0x00' function='0x1'/>
  </source>
  <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x1'/>
</hostdev>
<hostdev mode='subsystem' type='pci' managed='yes'>
  <driver name='vfio'/>
  <source>
    <address domain='0x0000' bus='0x0a' slot='0x00' function='0x3'/>
  </source>
  <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x2'/>
</hostdev>
```

    I should also mention that I changed the Bus since before, it was: audio was 5, non-essentials device was 6, usb controller was 7 and usb controller was 8. With the audio moved to Bus 4 with the graphics card, I changed the other 3 devices to the now vacated Bus 5.

    That should about cover it. If you are trying to use a previous vm and it doesn’t start and no error comes up and it’s just nothing on the screen, try removing the vm and recreating it. (Thanks to @testdasi for that one.)
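    The two mechanical steps in the guide above, spotting a USB controller that is a non-zero function of a device whose function 0 sits elsewhere, and renumbering the selected functions onto one guest slot with multifunction='on' on the first, can be scripted. The following Python is an added example, not code from the post, the VFIO-PCI CFG plugin or Unraid; the group listing it parses is constructed from the addresses quoted in the post, the line format is assumed to match the plugin's output, and the "orphan function" rule it applies is the one @Skitals is credited with in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the "Group N  BB:DD.F [RESET] vvvv:dddd description"
# shape used in the guide above. Assumption: copied from the post, not a live host.
SAMPLE = """\
Group 20 03:08.0 [RESET] 1022:57a4 PCI bridge: Advanced Micro Devices, Inc. [AMD] Device 57a4
Group 20 0a:00.0 [RESET] 1022:1485 Non-Essential Instrumentation [1300]: Advanced Micro Devices, Inc. [AMD] Starship/Matisse Reserved SPP
Group 20 0a:00.1 1022:149c USB controller: Advanced Micro Devices, Inc. [AMD] Matisse USB 3.0 Host Controller
Group 20 0a:00.3 [RESET] 1022:149c USB controller: Advanced Micro Devices, Inc. [AMD] Matisse USB 3.0 Host Controller
Group 33 10:00.3 [RESET] 1022:149c USB controller: Advanced Micro Devices, Inc. [AMD] Matisse USB 3.0 Host Controller
"""

LINE_RE = re.compile(
    r"^Group\s+(?P<group>\d+)\s+(?P<bus>[0-9a-f]{2}):(?P<slot>[0-9a-f]{2})\.(?P<func>[0-7])"
    r"\s+(?P<reset>\[RESET\]\s+)?(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})\s+(?P<desc>.*)$"
)


def parse_groups(text):
    """Return {group_number: [device dict, ...]} from listing lines; unknown lines are skipped."""
    groups = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["group"] = int(d["group"])
        d["func"] = int(d["func"])
        d["reset"] = d["reset"] is not None
        groups.setdefault(d["group"], []).append(d)
    return groups


def orphan_functions(groups):
    """BDFs with a non-zero function whose function-0 sibling is not in the same group.
    Per the rule in the post, such a device is one function of a multi-function
    device that lives elsewhere and cannot be passed through on its own."""
    out = []
    for devs in groups.values():
        present = {(d["bus"], d["slot"], d["func"]) for d in devs}
        for d in devs:
            if d["func"] != 0 and (d["bus"], d["slot"], 0) not in present:
                out.append(f"{d['bus']}:{d['slot']}.{d['func']}")
    return out


def hostdev_xml(host_bdfs, guest_bus):
    """Emit libvirt <hostdev> elements that place the given host functions on one guest
    slot, renumbering guest functions 0,1,2,... and marking the first multifunction='on',
    as the hand-edited XML in the post does."""
    parts = []
    for i, bdf in enumerate(host_bdfs):
        bus, rest = bdf.split(":")
        slot, func = rest.split(".")
        hd = ET.Element("hostdev", mode="subsystem", type="pci", managed="yes")
        ET.SubElement(hd, "driver", name="vfio")
        src = ET.SubElement(hd, "source")
        ET.SubElement(src, "address", domain="0x0000", bus=f"0x{bus}",
                      slot=f"0x{slot}", function=f"0x{func}")
        attrs = dict(type="pci", domain="0x0000", bus=f"0x{guest_bus:02x}",
                     slot="0x00", function=f"0x{i:x}")
        if i == 0:
            attrs["multifunction"] = "on"
        ET.SubElement(hd, "address", **attrs)
        parts.append(ET.tostring(hd, encoding="unicode"))
    return "\n".join(parts)


if __name__ == "__main__":
    g = parse_groups(SAMPLE)
    print("cannot pass through alone:", orphan_functions(g))
    print(hostdev_xml(["0a:00.0", "0a:00.1", "0a:00.3"], guest_bus=5))
```

    On the sample, the only orphan is 10:00.3, which is exactly the controller the post says would not work, and the three 0a:00 functions come out on guest bus 0x05 as functions 0x0, 0x1 and 0x2 with multifunction='on' on the first.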
  21. 4 points
  22. 4 points
    I run a virtualized instance of an enterprise-grade firewall on my box. This keeps viruses and other nasties from penetrating my network and infecting my hardware. But at the same time, my friends with benefits can still gain access to my 9TB worth of Hard Disks for their pleasure. It may be hard to swallow, but taking the time to carefully setup your sever will pay dividends later with all that data going in and out, and in, and out.
  23. 4 points
    My apologies for long delay since the last release, for those that care about why, I'll leave it in the postscript. In this version there are some major changes in addition to the usual bug fixes. A big bug fix is that the plugin should now be able to handle parentheses in your VM names (thanks to squid for suggesting a solution to that). New features include the ability to have multiple configs so that you can run backups on different schedules, as well as the ability to run pre and post scripts with those configs. Compression now uses pigz for multi-threaded compression (though a faster inline compression using zstandard is still coming). Full change-log below.

    v0.2.0 - 2020/01/21 The Resistance
      - fixed new config options not always getting added to user config.
      - fixed parentheses in vm names.
      - added ability to run pre and post scripts.
      - added option to run backup without array started.
      - added confirmation dialogs to destructive or dangerous buttons.
      - added support for multiple configs/schedules.
      - added option to allow multiple configs to run simultaneously.
      - added option to set compression level.
      - added option to set the number of threads used during compression.
      - changed compression program from gzip to pigz to support multi-threading.
      - changed alert dialogs to use sweet alerts.
      - updated help for custom cron.

    https://github.com/JTok/unraid.vmbackup/tree/v0.2.0

    -JTok

    The delay in this release was caused by me overhauling some of the code to prevent the pages from needing to be refreshed to update content, and I wound up needing to implement my own version of unRAID's markdown and inline-help to make that work the way I wanted.
  24. 4 points
    Back up. We updated the Search feature a few days ago to use "Elasticsearch", not sure if anyone noticed. Searches should be better and faster. However, what happened was it crashed with "java.lang.OutOfMemoryError: Java heap space". We'll keep an eye on it and might have to adjust some settings on Elasticsearch if it happens again.
  25. 3 points
    While that is the easy path mapping to make, it's not what I would call best practice from a security point of view. Plex really doesn't need access to your banking info, or your documents, or those "special" pictures everyone hides from their wife.
  26. 3 points
    Plugin Name: Unraid Nvidia Github: https://github.com/linuxserver/Unraid-Nvidia-Plugin This plugin from LinuxServer.io allows you to easily install a modified Unraid version with Nvidia drivers compiled and the docker system modified to use an nvidia container runtime, meaning you can use your GPU in any container you wish. Any posts discussing circumvention of any Nvidia restrictions we will be asking mods to remove. We have worked hard to bring this work to you, and we don't want to upset Nvidia. If they were to threaten us with any legal action, all our source code and this plugin will be removed. Remember we are all volunteers, with regular jobs and families to support. Please, if you see anyone else mentioning anything that contravenes this rule, flag it up to the mods. People that discuss this here could potentially ruin it for all of you. EDIT: 25/5/19 OK everyone, the Plex script seems to be causing more issues than the Unraid Nvidia build as far as I can tell. From this point on, to reduce the unnecessary noise and confusion on this thread, I'm going to request whoever is looking after, documenting or willing to support the Plex scripts spins off their own thread. We will only be answering support questions from people not using the script. If your post is regarding Plex and you do not EXPLICITLY state that you are not using the Plex script then it will be ignored. I know some of you may think this is unreasonable but it's creating a lot of additional work/time commitments for something I never intended to support and something I don't use (not being a Plex user). May I suggest respectfully that one of you steps forward to create a thread, document it, and support it in its own support place. I think we need to decouple issues with the work we've done versus issues with a currently unsupported script. Thanks.
  27. 3 points
    I think you are a bit short-sighted too. In the past years several updates were done to improve security and today's level certainly has improved a lot. Here is a list off the top of my head, and likely I am forgetting some ...
    - Regular package upgrades to address reported CVEs
    - Address CSRF attacks
    - Address XSS attacks
    - Added SSL/TLS support
    - Added SSH support
    - Added disk encryption
    - Verify path validity when executing scripts
    - Disallow direct script execution from the USB device
    - Improved user input checks throughout the GUI
  28. 3 points
    lol You guys got hit in the 10 minute window where that mistake of mine was there. It's fixed now. If it doesn't install, a reboot and a reinstall will work
  29. 3 points
    Update: Thanks to inspiration from @senpaibox I've made a major revision this evening to the scripts on github:
    - They are now much easier to set up through the use of configurable variables
    - Much better messaging
    - Upload script has better --bwlimit options allowing daily schedules, faster or slower uploads without worrying about daily quotas (rclone 1.5.1 upwards needed) e.g. you can now do a 30MB/s upload job overnight for 7 hours to use up your quota, rather than a slow 10MB/s trickle over the day. Or, schedule a slow trickle over the day and a max speed upload overnight
    - Option to bind individual rclone mounts and uploads to different IPs. I use this to put my mount traffic in a high-priority queue on pfsense, and my uploads in a low
    If you haven't switched from unionfs to mergerfs I really recommend that you do now, and the layout of the new scripts should make it easier to do so. These are now the scripts (except for my upload script, which is modified to rotate remotes so it can upload more than 750GB/day) I'm using myself, so it'll be easier for me to maintain. I've also updated the first two posts in this thread to align with the new scripts. Any teething problems, please let me know.
  30. 3 points
    A template repository from a group of Unraid users who want to bring more awesome containers into this community. We already have 40 containers in Community Applications, including Bitwarden_rs, Huginn, Paperless and Tdarr. Templates with their own support thread: Paperless, Bitwarden_rs. The way we work is by taking suggestions, or Pull Requests, about potential applications to include in our repository through GitHub. This is our support thread for most of the containers; however, some might get their own dedicated thread based on feedback. We won't necessarily provide app support, but we will, to the best of our abilities, point you towards the right channels for that. We also have a Discord server.
  31. 3 points
    When dealing with multi-function devices (e.g. GPU with GPU + HDMI audio), the Unraid GUI will assign a new bus for each additional device by default. This can cause compatibility / performance issues in some cases, most notably, but not exclusively, MacOS VMs. The workaround is adding multifunction='on' and changing the bus + function values in the xml. If any edit is done via the GUI, it will revert the bus + function back to the default method, requiring additional edits. New users are also unlikely to be able to make these manual xml edits. It would be a good idea to enhance the VM GUI to detect and make the appropriate edits in the xml automatically for these devices. E.g. group devices by bus + function and create the bus + function in the xml accordingly (adding multifunction='on' for the first device of a multi-function group). At least, I would imagine it would not be too complicated to apply it as a priority to GPU and HDMI audio devices since they have their own dedicated GUI boxes, so matching them is rather simple.
  32. 3 points
    I agree with the previous post by Ellis34771: I think at the moment ZFS would just introduce unwanted complexity for the majority of home users of Unraid, and think the Lime team would be better adding features such as Server to Server native backup/sync. I realize I might be in the minority here holding this view! 😎
  33. 3 points
    I’m in a very similar place with my upcoming build. I believe I’ve done a lot of research and can probably help. 1. TDP is really a limit to what the processor will operate at under load. Also, AMD and Intel calculate TDP differently so it’s harder to do a direct comparison. Idle power is usually considerably lower with Intel CPUs, while Ryzen processors tend to only idle a little lower than their TDP (but also have a lower ceiling in terms of power consumption). That 80W Intel processor will idle about 20-30W below that Ryzen processor. It’s important to consider this because if you’re primarily using your server as a Plex/Emby server, it will be at idle most of the time. The P2000 is limited to 75W max but if it’s just transcoding and nothing else, it will consume very little power. **Ideally, the P2000 when it’s sitting idle should be below 10W but due to a bug somewhere in Plex and the P2000, it will stay in an active state even after transcoding is done which will cause it to consume somewhere closer to 20W. Plex is looking into it but who knows when that will be fixed. 2. I’m not saying that UnRAID with Ryzen is unstable or not adequate, but there are some known quirks that are still in the process of being worked out (especially with the X470D4U and X470D4U2-2T). You will most likely need to set the power state to Typical Idle Power or something similar and you’ll be without some temperature sensors that are nice to have but won’t be in until UnRAID updates their Linux kernel. You also might run into issues with the PSU you are using causing your processor to run at very low speeds. This seems to be correctable but it’s something you need to be aware of. UnRAID updates for Ryzen also tend to cause a few more issues on average than Intel. 3. With the Intel CPU and QuickSync, you should be able to easily do 15+ 1080p transcodes with little effort except for a few changes in your BIOS and in your go file.
Otherwise, you can run it with any form of UnRAID as long as it has a newer kernel where your iGPU is supported (generally anything 6.8.0rc-1 and above). With Ryzen and the P2000, you’ll need to install the Nvidia version of UnRAID which isn’t updated as fast as the regular UnRAID version (it’s still relatively fast but if you want to update when a newer version of UnRAID comes out you’ll need to wait for the Nvidia guys to bake in their drivers). Granted, with the P2000, you’ll be able to do 20+ 1080p transcodes with ease. I’m personally leaning toward an E-2288G and Supermicro X11SCH-F (I don’t need 10g and I have a Supermicro chassis). It will cost more, have more security patches in the future that will lower performance, and the CPU won’t be upgradeable. With all that said though, QuickSync is incredibly efficient, the CPU will idle below 40W, I’ll get 2 full speed NVME slots, it will be powerful enough to last me about 5 years, and I can always add a P2000 down the road if I need more transcoding power. Ryzen is a very powerful CPU at a very affordable price and if the newer Linux kernels bring forward some much needed improvements and ASRock keeps updating their BIOS to be better, I might end up going that route. We’ll see what the next few months bring.
  34. 3 points
    There is a hidden character that gets copied over from the forums. It is a known issue. Get notepad++ and do 'show all symbols' to see.
  35. 3 points
    Remotely connected using WireGuard from my phone, upgraded 6.8.1 to 6.8.2 without error. Thank you Unraid team!
  36. 3 points
    And the response is, since people are already not happy with the perceived slowness of fixes and new features in the core product, adding a whole new layer of problems and complexities for limetech to deal with will slow releases down even more, causing even more complaining about things not being kept up to date. If limetech was responsible for the nvidia build as well as the core product, you would see less timely progress, not more. Limetech is absorbing more and more of the community pioneered features as time goes on, at some point they may very well decide to start doing nvidia drivers if they feel it's a good use of their limited resources. That time is not soon™.
  37. 3 points
  38. 3 points
    You're welcome. Make sure this area of your config.php looks like this.
    'trusted_domains' =>
      array (
        0 => 'unRAIDIP:NextcloudPort',
        1 => 'nextcloud.server.com',
      ),
    'trusted_proxies' => array('unRAIDIP'),
    'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
    'dbtype' => 'mysql',
    'version' => '18.0.0.10',
    'overwrite.cli.url' => 'https://nextcloud.server.com',
    'overwritehost' => 'nextcloud.server.com',
    'overwriteprotocol' => 'https',
  39. 3 points
    I had issues with the same and was eventually able to figure it out. You need to console into the Nextcloud docker and run the below command, changing the end of it, which perhaps you already did to get the BigINT conversion done. So "db:add-missing-indices" after the "occ" instead of what I have here. For the HSTS, add the line
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    in the "default" file in the "\nextcloud\nginx\site-confs" folder. I put it above the line that has "SAMEORIGIN" in it, not all that far from the top of the file.
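What the two Nextcloud settings from the previous post (trusted_proxies and forwarded_for_headers) and the HSTS header from this post actually control, as an added Python model; this is not Nextcloud's or nginx's code, and it simplifies Nextcloud's real header handling. The proxy address 192.168.1.10 stands in for the post's 'unRAIDIP', and the request samples are constructed. The first function shows why trusted_proxies matters: X-Forwarded-For is honoured only when the TCP peer is the listed proxy, so a client connecting directly cannot spoof the address Nextcloud logs and rate-limits on. The second parses the posted Strict-Transport-Security value, including its trailing semicolon, which RFC 6797 permits as an empty directive.

```python
import ipaddress

# Stand-ins for the config.php values in the earlier post (constructed addresses).
TRUSTED_PROXIES = ["192.168.1.10"]            # the post's 'unRAIDIP'
FORWARDED_FOR_HEADERS = ["HTTP_X_FORWARDED_FOR"]


def is_trusted_proxy(ip, trusted=TRUSTED_PROXIES):
    """True if ip is one of the configured proxies (single addresses or CIDR ranges)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in trusted)


def resolve_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return the address that should be treated as the client.

    peer_ip: the TCP peer (what the web server sees without any proxy).
    headers: CGI-style header names (HTTP_X_FORWARDED_FOR) mapped to values.
    """
    # Untrusted peer: the forwarded header could have been written by the client itself.
    if not is_trusted_proxy(peer_ip, trusted):
        return peer_ip
    for name in FORWARDED_FOR_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        # X-Forwarded-For is "client, proxy1, proxy2": take the right-most hop
        # that is not one of our own proxies, which is the last address we can trust.
        hops = [h.strip() for h in value.split(",") if h.strip()]
        for hop in reversed(hops):
            if not is_trusted_proxy(hop, trusted):
                return hop
        if hops:
            return hops[0]
    return peer_ip


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # empty directive, e.g. from a trailing ';'
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            result["max_age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


if __name__ == "__main__":
    # Request arriving through the reverse proxy: header is honoured.
    print(resolve_client_ip("192.168.1.10", {"HTTP_X_FORWARDED_FOR": "203.0.113.5"}))
    # Direct request carrying a forged header: header is ignored.
    print(resolve_client_ip("203.0.113.9", {"HTTP_X_FORWARDED_FOR": "10.0.0.1"}))
    print(parse_hsts("max-age=15768000; includeSubDomains; preload;"))
```

Note that the posted max-age of 15768000 seconds is about six months; the preload list operated by the browser vendors requires a longer max-age and includeSubDomains, so check the current submission requirements before adding preload to a domain you intend to submit.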
  40. 3 points
    FYI: We've released a security tips and best practices blog alongside this release. TIA for reading!
  41. 3 points
    Thanks but we don't need to be told.
  42. 3 points
    A client asked me to build this frame, which can hold 12x 5.25-inch drives.
  43. 3 points
    A true emergency! We're on it! Could be worse, could be Notting Hill ...
  44. 2 points
    Upload Script 0.95.2 Thanks to @watchmeexplode5 helping me fix me being stupid and not using my own script properly, which led to him adding another nice simplification. --drive-service-account-file added to upload remote, removing the need to add a remote that isn't 'used' for the upload job. Before if using an encrypted remote e.g. gdrive_vfs: the service account was added to gdrive: . Now, via --drive-service-account-file the rotating of SAs is done in gdrive_vfs: https://github.com/BinsonBuzz/unraid_rclone_mount/blob/latest---mergerfs-support/rclone_upload
  45. 2 points
    Unraid is an appliance. There is only one user: root. We can rename to "admin" but it's still root. There are no traditional user logins. Users are only used to validate SMB connections. Running as non-root would not have prevented this vulnerability which btw, was a couple 1-line bugs. re: the request: we have a blog post that talks about this: https://unraid.net/blog/unraid-os-6-8-2-and-general-security-tips Sure I can go reply in there...
  46. 2 points
    For the record, I highly recommend no one surfs the internet using the unRaid GUI boot mode and included web browser and no one exposes their server to the internet. In my opinion, those two issues are more dangerous than disabling these mitigations.
  47. 2 points
  48. 2 points
    I don't know if this post is appropriate for a support topic. I couldn't find a gratitude topic. I wanted to thank you for this amazing plugin. It has saved me from a lot of headaches more than I care to admit. I appreciate your hard work and what you do for this community.
  49. 2 points
    Not simply a matter of drive failure during rebuild. Bad disks can also give bad data that makes the rebuild no good.
  50. 2 points
    These instructions should be stickied! THANK YOU!