Leaderboard


Popular Content

Showing content with the highest reputation since 01/22/20 in all areas

  1. 24 points
    tldr: If you are running Unraid OS 6 version 6.8.1 or later, the following does not apply (mitigations are in place). If you are running any earlier Unraid OS 6 release, i.e., 6.8.0 and earlier, please read on.

    On Jan 5, 2020 we were informed by a representative from sysdream.com of security vulnerabilities they discovered in Unraid OS. Their report is attached to this post. At the time, version 6.8.0 was the stable release.

    The most serious issue concerns version 6.8.0. Here they discovered a way to bypass our forms-based authentication and look at the contents of various webGUI pages (that is, without having to log in first). Then using another exploit, they were further able to demonstrate the ability to inject "arbitrary code execution". Someone clever enough could use this latter exploit to execute arbitrary code on a server. (That person would have to have access to the same LAN as the server, or know the IP address:port of the server if accessible via the Internet.)

    Even in versions prior to 6.8.0, the "arbitrary code execution" vulnerability exists if an attacker can get you to visit a webpage using a browser that is already logged into an Unraid server (and they know or can guess the host name of the server). In this case, clicking the link could cause injection of code to the server. This is similar to the CSRF vulnerability we fixed a few years ago.

    In summary, sysdream.com recognizes 3 vulnerabilities:

    1. That it's possible to bypass username/password authentication and access pages directly in v6.8.0.
    2. That once authentication is bypassed, it's possible to inject and have server execute arbitrary code.
    3. That even if bug #1 is fixed, #2 is still possible if attacker can get you to click a link using browser already authenticated to your Unraid server (6.8.0 and all earlier versions of Unraid 6).

    Mitigations are as follows:

    First, if you are running version 6.8.0, either upgrade to latest stable release, or downgrade to an earlier release and install the sysdream mitigation plugin. We are not going to provide a mitigation plugin for 6.8.0.

    If you are running any 6.6 or 6.7 Unraid release, the best course of action is to upgrade to the latest stable release; otherwise, please install this mitigation plugin: https://raw.githubusercontent.com/limetech/sysdream/master/sysdream.plg

    This plugin will make a small patch to the webGUI template.php file in order to prevent arbitrary code execution. This plugin will work with all 6.6.x and 6.7.x releases and should also be available via Community Apps within a couple hours.

    We are not going to provide a mitigation for Unraid releases 6.5.x and earlier. If you are running an earlier release and cannot upgrade for some reason, please send us an email: support@lime-technology.com.

    I want to thank sysdream.com for bringing this to our attention, @eschultz for initial testing and fixes, and @bonienl for creation of the sysdream mitigation plugin.

    I also want to remind everyone: please set a strong root password, and carefully consider the implications and security measures necessary if your server is accessible via the Internet. Finally, try and keep your server up-to-date.

    VULNERABILITY_DISCLOSURE.pdf
  2. 20 points
    Something else I wanted to add, as long as we're talking about security measures in the pipe: we are looking at integrating various 2-Factor solutions directly in Unraid OS, such as google authenticator.
  3. 16 points
    v6.8.2 uploaded. Delayed for a few reasons, had problems (and still do) with the nvidia container runtime, worked around it in the end, but not a long term solution looking forward, I'm working like a dog at the moment as my current real life job finishes in 2 days and I'm having to put a ton of extra hours in, wife a bit ungainly at the moment as very heavily pregnant so I'm having to do a bit more for our existing beast, and to add to that bass_rock has been away for work, so kind of a perfect storm of not having much time to sit down with this, although I have been trying to get it working every chance I've had. Anyways, I've tested this version, think everything is working, and I believe all the out of tree drivers are squared away. Last version (v6.8.1) might have been missing the Intel 1gb driver as I hadn't realised that it was different to the 10gb driver.
  4. 13 points
    I haven't "danced" around anything, sorry if it appears like that. How does this apply in an Unraid server environment? Yes this is something we're looking at. why? why? There is only one user: root You can set file permissions however you want using standard linux command line tools. Again, what are you trying to accomplish? We do have plans to introduce the idea of multiple admin users with various roles they can take on within the Management Utility. For example, maybe you create a user named "Larry" who only has access to the Shares page with ability to browse shares only they have access to. However this functionality is not high on the list of features we want/need to implement. Earlier you were confused by my term "appliance". What this means is the server has a single user that can manage the box. If you don't have the root user password, all you can do is access shares on the network that you have permission for, and access Docker webUI's - but most of these have their own login mechanism. Things like the flash share exported by default, new shares public by default, telnet enabled by default, SMBv1 enabled by default, etc. are all simplifications to reduce frustration by new users. Nothing more frustrating than creating a share and then getting "You do not have permission..." when trying to browse your new share. We are trying to reduce the swearing and kicking of dogs by new users just trying to use the server. Eventually everyone needs to be more security conscious - and in that spirit we are working on "wizards" that will guide a user to setting up the correct settings for their needs. I hope this starts to answer some questions and sorry if I came across flippant to your concerns, but trust me, security is a foremost concern and to have someone imply otherwise ticks me off to be honest.
  5. 10 points
    Due to a security vulnerability discovered in forms-based authentication: ALL USERS ARE STRONGLY ENCOURAGED TO UPGRADE

    To upgrade:

    - If you are running any 6.4 or later release, click 'Check for Updates' on the Tools/Update OS page.
    - If you are running a pre-6.4 release, click 'Check for Updates' on the Plugins page.
    - If the above doesn't work, navigate to Plugins/Install Plugin, select/copy/paste this plugin URL and click Install: https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer.plg

    Refer also to @ljm42 excellent 6.4 Update Notes which are helpful especially if you are upgrading from a pre-6.4 release.

    Bugs: If you discover a bug or other issue in this release, please open a Stable Releases Bug Report.

    Overview

    This is a bug fix and security update release.

    - Some users are reporting problems booting due to a crash in the in-tree Intel IGB ethernet driver. We replaced the in-tree driver with latest out-of-tree driver.
    - We fixed a longstanding issue where LibreELEC/Kodi could not browse NFS shares. The fix was to rebuild the rpcbind program, including a new option: --enable-rmtcalls
    - Version 6.8.1 included a new docker option "Host access to custom networks" (thanks @bonienl) but I left out a critical change in the rc.docker script, sorry about that, now fixed.
    - Fixed an encryption issue: if you first tried 'keyfile' method to specify encryption key, and that fails, any attempt to enter a passphrase would also fail, since a keyfile still exists, emhttpd used that as encryption key. This is fixed in webGUI by detecting presence of an encryption keyfile and offering only to re-download a new keyfile or delete the current one. Once deleted, you can then enter a passphrase.
    - Small change to properly support custom SSL wildcard certs (thanks @ljm42)
    - Updated kernel, wireguard, other base packages
    - Numerous webGUI fixes and refinements (thanks @bonienl, @Squid, @gfjardim)

    A note regarding encryption passphrases: There is a warning in the Help text for passphrase which reads: Prior to this release (6.8.2) we did not enforce this restriction, but now we are. Unfortunately this means for those who have previously used a passphrase including other characters, you will need to use the "keyfile" method. We will add a feature in a future release that will let you change your passphrase/keyfile.

    Version 6.8.2 2020-01-26

    Changes vs. 6.8.1

    Base distro:

    - fuse3: version 3.9.0
    - php: version 7.3.14 (CVE-2020-7060, CVE-2020-7059)
    - rpcbind: version 1.2.5 (rebuilt with --enable-rmtcalls option)
    - ttyd: version 20200120
    - wireguard-tools: version 1.0.20200121

    Linux kernel:

    - version 4.19.98 (CVE-2019-14615)
    - CONFIG_ENIC: Cisco VIC Ethernet NIC Support
    - removed: CONFIG_IGB: Intel(R) 82575/82576 PCI-Express Gigabit Ethernet support
    - removed: CONFIG_IGBVF: Intel(R) 82576 Virtual Function Ethernet support
    - kernel-firmware: version 20200122_1eb2408
    - oot: Intel igb: version 5.3.5.42
    - oot: wireguard: version 0.0.20200121

    Management:

    - rc.docker: include missing changes to support new setting "Host access to custom networks"
    - rc.nginx: support custom wildcard SSL certs
    - webgui: User password: hide base64 conversion
    - webgui: Select username field when login page is loaded
    - webgui: login: autocapitalize="none"
    - webgui: Passphrase printable characters only
    - webgui: Encryption: enforced keyfile selection/deletion when file exists
    - webgui: Use php json_encode to properly encode notifications
    - webgui: Changed Delete keyfile button placement
    - webgui: Detect missing key when keyfile is deleted
    - webgui: Add Network:VPN as an application category
    - webgui: further hardening in auth_request.php
    - webgui: Style adjustment: buttons min-width
    - webgui: login page favicon now matches the green/yellow/red icon from the other webgui pages
    - webgui: VM Manager: add 'virtio-win-0.1.173-2' to VirtIO-ISOs list
    - webgui: Add Network:VPN as an application category
    - webgui: Network settings: updated help text
    - webgui: Fix link for Password Recovery on login screen

    Version 6.8.1 2020-01-10

    Changes vs. 6.8.0

    Base distro:

    - libuv: version 1.34.0
    - libvirt: version 5.10.0
    - mozilla-firefox: version 72.0.1 (CVE-2019-17026, CVE-2019-17015, CVE-2019-17016, CVE-2019-17017, CVE-2019-17018, CVE-2019-17019, CVE-2019-17020, CVE-2019-17021, CVE-2019-17022, CVE-2019-17023, CVE-2019-17024, CVE-2019-17025)
    - php: version 7.3.13 (CVE-2019-11044 CVE-2019-11045 CVE-2019-11046 CVE-2019-11047 CVE-2019-11049 CVE-2019-11050)
    - qemu: version 4.2.0
    - samba: version 4.11.4
    - ttyd: version 20200102
    - wireguard-tools: version 1.0.20200102

    Linux kernel:

    - version 4.19.94
    - kernel_firmware: version 20191218_c4586ff (with additional Intel BT firmware)
    - CONFIG_THUNDERBOLT: Thunderbolt support
    - CONFIG_INTEL_WMI_THUNDERBOLT: Intel WMI thunderbolt force power driver
    - CONFIG_THUNDERBOLT_NET: Networking over Thunderbolt cable
    - oot: Highpoint rr3740a: version v1.19.0_19_04_04
    - oot: Highpoint r750: version v1.2.11-18_06_26 [restored]
    - oot: wireguard: version 0.0.20200105

    Management:

    - add cache-busting params for noVNC url assets
    - emhttpd: fix cryptsetup passphrase input
    - network: disable IPv6 for an interface when its settings is "IPv4 only".
    - webgui: Management page: fixed typos in help text
    - webgui: VM settings: fixed Apply button sometimes not working
    - webgui: Dashboard: display CPU load full width when no HT
    - webgui: Docker: show 'up-to-date' when status is unknown
    - webgui: Fixed: handle race condition when updating share access rights in Edit User
    - webgui: Docker: allow to set container port for custom bridge networks
    - webgui: Better support for custom themes (not perfect yet)
    - webgui: Dashboard: adjusted table positioning
    - webgui: Add user name and user description verification
    - webgui: Edit User: fix share access assignments
    - webgui: Management page: remove UPnP conditional setting
    - webgui: Escape shell arg when logging csrf mismatch
    - webgui: Terminal button: give unsupported warning when Edge/MSIE is used
    - webgui: Patched vulnerability in auth_request
    - webgui: Docker: added new setting "Host access to custom networks"
    - webgui: Patched vulnerability in template.php
  6. 9 points
    Also, either tonight or tomorrow an update to Fix Common Problems will be issued which will flag an error on affected systems if you do not have this plugin installed. See here
  7. 8 points
    This is a load of B.S. While I appreciate the sentiment of your post (wanting to improve security), it is not helpful to simply complain. What is helpful is to point out specific attack vectors that we can address. Unraid is rapidly evolving from a simple NAS mainly used by tech-savvy home users to a more general platform with a wider range of users. It used to be the introduction of some bug that causes customer data loss that kept me up at night. These days, having a bug that presents a security risk is far more worrisome. So don't tell me we don't take security seriously. That said, there is a trade-off between making the server easily accessible for a first-time user vs. locking it down so tight no one can figure out how to even get in. I'll give you an example. By default we export the 'flash' share as a public share. Some people's hair catches on fire because of this. But the reason it's done this way is that after a user creates a bootable USB flash a very simple test is to see if the 'flash' share shows up in network explorer. There are other reasons it's handy to have this public for at least some amount of time. These days we have an icon next to the flash share if it's public, where rollover warns about this. Moving forward we are developing an initial configuration wizard that will guide a user in setting up the level of security appropriate for them.
  8. 8 points
    Hey everyone! Stoked to have officially joined the team 🙌
  9. 8 points
    He's right, we don't need to be told, the rate limiting step isn't when we notice a new Unraid build, it's when I get a chance to build it, trust me, I'm an Unraid user, I get the same notifications as everyone else, I know when there's a new release.
  10. 8 points
    My co-workers wondered why I was taking off my shirt. They are still baffled why I have to show my belly button to a squid. 😁
  11. 6 points
    Please make 2FA an optional feature. My server is not exposed to the Internet so there's really no need for extra security. It would be a massive pain in the backside having to grab my phone just to check if a docker has crashed.
  12. 6 points
    All of us at Lime Technology Inc. are excited to announce the hiring of Zack Spear as a full-time web developer. Please help us give @zspearmint a warm welcome to the Unraid forums! Zack has a diverse skill set and is an all around great guy. Learn more about Zack from his website bio: Please feel free to ask Zack all about his digital nomad travels, Borussia Dortmund banter, love of old school analog film photography, or just drop in below to say "Hey". Welcome aboard Zack!
  13. 6 points
    This is why I trust unraid, accountability to the people that use your software. Thank you unraid team and developers for all your hard work and dedication! Regards, Shane (new unraid builder) Sent from my iPhone using Tapatalk
  14. 6 points
    My wife wants to watch the Notebook with me.... Please fix
  15. 5 points
    The main roadblock to adding Nvidia and AMD gpu drivers has been that Linux will grab those devices upon boot - which is what you want for them to be used by docker containers but makes it a real PITA for those wanting to passthrough the cards to VM's instead. Traditionally you had to find out vendor id and stub the drivers via syslinux kernel command line. To help with this we added vfio-pci.cfg method to select by PCI ID, but still no slick user interface for easily selecting the devices to stub - but lately I've seen a plugin called "VFIO-PCI Config" - maybe the author would help us integrate this natively into Unraid OS 😎 This would open door for us to add gpu drivers without adding a huge burden to VM users.....
  16. 5 points
    Unraid 6.8.2 is now available! Along with the new release, we've published a blog on some general security tips and best practices to follow to keep your Unraid server safe and secure. What else do you do to keep your Unraid server safe? Let us know in the comments here!
  17. 5 points
    @limetech Not to be that guy but are we expecting a 6.9 RC soonish? I cannot use 6.8 due to BTRFS issues on 4.19 kernel. I am currently on 6.8RC7 due to kernel 5.3. Thanks again.
  18. 5 points
    Available within CA. Either go to the new apps section or search for sysdream or limetech. If it doesn't appear, then you're not running a version of unraid which the plugin will work on (or isn't needed - 6.8.1 / 6.8.2)
  19. 4 points
    ```bash
    #!/bin/bash
    #Set your Unraid version here in the form 6-7-3
    UNRAID_VERSION="6-8-2"
    # Set the type of build you want here - nvidia or stock
    BUILD_TYPE="nvidia"
    #Set the download location here
    DOWNLOAD_LOCATION="/mnt/cache/downloads/nvidia"

    echo "Downloading v$UNRAID_VERSION of the $BUILD_TYPE build to the $DOWNLOAD_LOCATION folder"

    #Make target directory
    [[ ! -d ${DOWNLOAD_LOCATION} ]] && \
      mkdir -p "${DOWNLOAD_LOCATION}"

    #download files
    wget https://lsio.ams3.digitaloceanspaces.com/unraid-nvidia/${UNRAID_VERSION}/${BUILD_TYPE}/bzimage -O "${DOWNLOAD_LOCATION}/bzimage"
    wget https://lsio.ams3.digitaloceanspaces.com/unraid-nvidia/${UNRAID_VERSION}/${BUILD_TYPE}/bzroot -O "${DOWNLOAD_LOCATION}/bzroot"
    wget https://lsio.ams3.digitaloceanspaces.com/unraid-nvidia/${UNRAID_VERSION}/${BUILD_TYPE}/bzroot-gui -O "${DOWNLOAD_LOCATION}/bzroot-gui"
    wget https://lsio.ams3.digitaloceanspaces.com/unraid-nvidia/${UNRAID_VERSION}/${BUILD_TYPE}/bzfirmware -O "${DOWNLOAD_LOCATION}/bzfirmware"
    wget https://lsio.ams3.digitaloceanspaces.com/unraid-nvidia/${UNRAID_VERSION}/${BUILD_TYPE}/bzmodules -O "${DOWNLOAD_LOCATION}/bzmodules"

    #download sha256 files
    wget https://lsio.ams3.digitaloceanspaces.com/unraid-nvidia/${UNRAID_VERSION}/${BUILD_TYPE}/bzimage.sha256 -O "${DOWNLOAD_LOCATION}/bzimage.sha256"
    wget https://lsio.ams3.digitaloceanspaces.com/unraid-nvidia/${UNRAID_VERSION}/${BUILD_TYPE}/bzroot.sha256 -O "${DOWNLOAD_LOCATION}/bzroot.sha256"
    wget https://lsio.ams3.digitaloceanspaces.com/unraid-nvidia/${UNRAID_VERSION}/${BUILD_TYPE}/bzroot-gui.sha256 -O "${DOWNLOAD_LOCATION}/bzroot-gui.sha256"
    wget https://lsio.ams3.digitaloceanspaces.com/unraid-nvidia/${UNRAID_VERSION}/${BUILD_TYPE}/bzfirmware.sha256 -O "${DOWNLOAD_LOCATION}/bzfirmware.sha256"
    wget https://lsio.ams3.digitaloceanspaces.com/unraid-nvidia/${UNRAID_VERSION}/${BUILD_TYPE}/bzmodules.sha256 -O "${DOWNLOAD_LOCATION}/bzmodules.sha256"

    #check sha256 files
    BZIMAGESHA256=$(cat "${DOWNLOAD_LOCATION}/bzimage.sha256" | cut -c1-64)
    BZROOTSHA256=$(cat "${DOWNLOAD_LOCATION}/bzroot.sha256" | cut -c1-64)
    BZROOTGUISHA256=$(cat "${DOWNLOAD_LOCATION}/bzroot-gui.sha256" | cut -c1-64)
    BZFIRMWARESHA256=$(cat "${DOWNLOAD_LOCATION}/bzfirmware.sha256" | cut -c1-64)
    BZMODULESSHA256=$(cat "${DOWNLOAD_LOCATION}/bzmodules.sha256" | cut -c1-64)

    #calculate sha256 on downloaded files
    BZIMAGE=$(sha256sum "$DOWNLOAD_LOCATION/bzimage" | cut -c1-64)
    BZROOT=$(sha256sum "$DOWNLOAD_LOCATION/bzroot" | cut -c1-64)
    BZROOTGUI=$(sha256sum "$DOWNLOAD_LOCATION/bzroot-gui" | cut -c1-64)
    BZFIRMWARE=$(sha256sum "$DOWNLOAD_LOCATION/bzfirmware" | cut -c1-64)
    BZMODULES=$(sha256sum "$DOWNLOAD_LOCATION/bzmodules" | cut -c1-64)

    #Compare expected with actual downloaded files
    #(the message now depends on the comparison, so a mismatch is reported as a failure)
    [[ "$BZIMAGESHA256" == "$BZIMAGE" ]] && echo "bzimage passed sha256 verification" || echo "bzimage FAILED sha256 verification"
    [[ "$BZROOTSHA256" == "$BZROOT" ]] && echo "bzroot passed sha256 verification" || echo "bzroot FAILED sha256 verification"
    [[ "$BZROOTGUISHA256" == "$BZROOTGUI" ]] && echo "bzroot-gui passed sha256 verification" || echo "bzroot-gui FAILED sha256 verification"
    [[ "$BZFIRMWARESHA256" == "$BZFIRMWARE" ]] && echo "bzfirmware passed sha256 verification" || echo "bzfirmware FAILED sha256 verification"
    [[ "$BZMODULESSHA256" == "$BZMODULES" ]] && echo "bzmodules passed sha256 verification" || echo "bzmodules FAILED sha256 verification"
    ```

    That script will do it. Need to change the 3 parameters to suit. chmod +x it to make it executable, if all the SHA256 sums match copy it across to your flash disk.
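An added example, not part of the post above: a fail-closed form of the same bz* checksum check, where `verify_all` returns non-zero if any file is missing, its `.sha256` sibling is empty or not a hex digest (for instance an error page saved by `wget -O`), or the digests differ. The function names and the constructed sample files are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: fail-closed SHA-256 verification of downloaded bz* files.
# Assumption: every FILE has a sibling FILE.sha256 whose first 64 characters
# are the expected hex digest (the layout the script in the post relies on).

# verify_one FILE
#   returns 0 when the digest matches,
#           1 when it does not match,
#           2 when the file or its .sha256 is missing, empty or malformed.
verify_one() {
  file=$1
  sumfile=$1.sha256

  [ -s "$file" ]    || { echo "$file: missing or empty" >&2; return 2; }
  [ -s "$sumfile" ] || { echo "$sumfile: missing or empty" >&2; return 2; }

  # First 64 characters of the first line, lower-cased for comparison.
  expected=$(cut -c1-64 "$sumfile" | head -n 1 | tr 'A-F' 'a-f')

  # Anything that is not exactly 64 hex digits is not a SHA-256 digest.
  case $expected in
    *[!0-9a-f]*) echo "$sumfile: not a hex digest" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "$sumfile: wrong digest length" >&2; return 2; }

  actual=$(sha256sum "$file" | cut -c1-64)
  [ "$expected" = "$actual" ] || { echo "$file: digest mismatch" >&2; return 1; }
}

# verify_all DIR
#   checks the five boot files and returns non-zero if any one of them fails,
#   so the caller can refuse to copy anything to the flash disk.
verify_all() {
  dir=$1
  failed=0
  for name in bzimage bzroot bzroot-gui bzfirmware bzmodules; do
    if verify_one "$dir/$name"; then
      echo "$name passed sha256 verification"
    else
      echo "$name FAILED sha256 verification" >&2
      failed=1
    fi
  done
  return $failed
}

# make_sample DIR
#   writes small constructed stand-ins for the five files with matching
#   .sha256 siblings, so the functions can be exercised offline.
make_sample() {
  for name in bzimage bzroot bzroot-gui bzfirmware bzmodules; do
    printf 'constructed %s payload\n' "$name" > "$1/$name"
    sha256sum "$1/$name" > "$1/$name.sha256"
  done
}

# Usage: verify_all /mnt/cache/downloads/nvidia && echo "safe to copy to flash"
```

Because the `.sha256` files are fetched from the same location as the images, a match shows the download arrived intact; it says nothing about whether that location itself served the intended files.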
  20. 4 points
  21. 4 points
    I run a virtualized instance of an enterprise-grade firewall on my box. This keeps viruses and other nasties from penetrating my network and infecting my hardware. But at the same time, my friends with benefits can still gain access to my 9TB worth of Hard Disks for their pleasure. It may be hard to swallow, but taking the time to carefully set up your server will pay dividends later with all that data going in and out, and in, and out.
  22. 3 points
    Plugin Name: Unraid Nvidia Github: https://github.com/linuxserver/Unraid-Nvidia-Plugin This plugin from LinuxServer.io allows you to easily install a modified Unraid version with Nvidia drivers compiled and the docker system modified to use an nvidia container runtime, meaning you can use your GPU in any container you wish. Any posts discussing circumvention of any Nvidia restrictions we will be asking mods to remove. We have worked hard to bring this work to you, and we don't want to upset Nvidia. If they were to threaten us with any legal action, all our source code and this plugin will be removed. Remember we are all volunteers, with regular jobs and families to support. Please if you see anyone else mentioning anything that contravenes this rule, flag it up to the mods. People that discuss this here could potentially ruin it for all of you. EDIT: 25/5/19 OK everyone, the Plex script seems to be causing more issues than the Unraid Nvidia build as far as I can tell. From this point on, to reduce the unnecessary noise and confusion on this thread, I'm going to request whoever is looking after, documenting or willing to support the Plex scripts spins off their own thread. We will only be answering any support questions on people not using the script. If your post is regarding Plex and you do not EXPLICITLY state that you are not using the Plex script then it will be ignored. I know some of you may think this is unreasonable but it's creating a lot of additional work/time commitments for something I never intended to support and something I don't use (Not being a Plex user) May I suggest respectfully, that one of you steps forward to create a thread, document it, and support it in its own support place. I think we need to decouple issues with the work we've done versus issues with a currently unsupported script. Thanks.
  23. 3 points
    is hugepages related to thata hugebitch...... I guess I missed that Linus video.
  24. 3 points
  25. 3 points
    While that is the easy path mapping to make, it's not what I would call best practice from a security point of view. Plex really doesn't need access to your banking info, or your documents, or those "special" pictures everyone hides from their wife.
  26. 3 points
    Upload Script 0.95.2 Thanks to @watchmeexplode5 helping me fix me being stupid and not using my own script properly, which led to him adding another nice simplification. --drive-service-account-file added to upload remote, removing the need to add a remote that isn't 'used' for the upload job. Before if using an encrypted remote e.g. gdrive_vfs: the service account was added to gdrive: . Now, via --drive-service-account-file the rotating of SAs is done in gdrive_vfs: https://github.com/BinsonBuzz/unraid_rclone_mount/blob/latest---mergerfs-support/rclone_upload
  27. 3 points
    I think you are a bit short sighted too. In the past years several updates were done to improve security and today's level certainly has improved a lot. Here is a list top of my head, and likely I am forgetting some ...

    - Regular package upgrades to address reported CVEs
    - Address CSRF attacks
    - Address XSS attacks
    - Added SSL/TLS support
    - Added SSH support
    - Added disk encryption
    - Verify path validity when executing scripts
    - Disallow direct script execution from the USB device
    - Improved user input checks throughout the GUI
  28. 3 points
    Unraid is an appliance. There is only one user: root. We can rename to "admin" but it's still root. There are not traditional user logins. Users are only used to validate SMB connections. Running as non-root would not have prevented this vulnerability which btw, was a couple 1-line bugs. re: the request: we have a blog post that talks about this: https://unraid.net/blog/unraid-os-6-8-2-and-general-security-tips Sure I can go reply in there...
  29. 3 points
    @bonienl The VM GUI editor is hard coded to set the thread count to 1 if it detects an AMD processor in libvirt.php

    ```php
    // detect if the processor is AMD, and if so, force single threaded
    $strCPUInfo = file_get_contents('/proc/cpuinfo');
    if (strpos($strCPUInfo, 'AuthenticAMD') !== false) {
        $intCPUThreadsPerCore = 1;
    }
    ```

    This was due to AMD reporting no support for hyperthreading in a VM. With UNRAID 6.8.1 RC1, hyperthreading is supported with CPU passthrough as is (and CPU cache) if the CPU feature topoext is enabled. Previously, the CPU had to be forced to report as an EPYC to get it to support hyperthreading.

    ```xml
    <cpu mode='host-passthrough' check='none'>
      <topology sockets='1' cores='6' threads='2'/>
      <cache mode='passthrough'/>
      <feature policy='require' name='topoext'/>
    </cpu>
    ```

    Microsoft's CoreInfo returns

    ```
    Coreinfo v3.31 - Dump information on system CPU and memory topology
    Copyright (C) 2008-2014 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Logical to Physical Processor Map:
    **----------  Physical Processor 0 (Hyperthreaded)
    --**--------  Physical Processor 1 (Hyperthreaded)
    ----**------  Physical Processor 2 (Hyperthreaded)
    ------**----  Physical Processor 3 (Hyperthreaded)
    --------**--  Physical Processor 4 (Hyperthreaded)
    ----------**  Physical Processor 5 (Hyperthreaded)
    ```

    Note that changes to the CPU layout may not be detected in the VM until the VM is rebooted from inside the VM itself (for example: Start > Power > Restart)

    Prior to 6.8.1 RC1, I could not get CPU-Z to run, it would always hang at the 10%/Processors on load. It still takes a bit but does return now.
  30. 3 points
    lol You guys got hit in the 10 minute window where that mistake of mine was there. It's fixed now. If it doesn't install, a reboot and a reinstall will work
  31. 3 points
    Update: Thanks to inspiration from @senpaibox I've made a major revision this evening to the scripts on github:

    - They are now much easier to setup through the use of configurable variables
    - Much better messaging
    - Upload script has better --bwlimit options allowing daily schedules, faster or slower uploads without worrying about daily quotas (rclone 1.5.1 upwards needed) e.g. you can now do a 30MB/s upload job overnight for 7 hours to use up your quota, rather than a slow 10MB/s trickle over the day. Or, schedule a slow trickle over the day and a max speed upload overnight
    - option to bind individual rclone mounts and uploads to different IPs. I use this to put my mount traffic in a high-priority queue on pfsense, and my uploads in a low

    If you haven't switched from unionfs to mergerfs I really recommend that you do now and the layout of the new scripts should make it easier to do so. These are now the scripts (except for my upload script which is modified which rotates remotes to upload more than 750GB/day) I'm using myself, so it'll be easier for me to maintain. I've also updated the first two posts in this thread to align with the new scripts. Any teething problems, please let me know.
  32. 3 points
    A template repository from a group of Unraid users that wants to bring more awesome containers into this community. We already have 40 containers in Community applications, Including; Bitwarden_rs, Huginn, Paperless and Tdarr. Templates with their own support thread: Paperless Bitwarden_rs The way we work is by taking suggestions, or Pull Request about potential applications to include into our repository through GitHub. This is our support thread for most of the containers, however some might get its own dedicated thread in based on feedback. We won't necessarily provide app-support but we will for the best of our abilities point you towards the right channels for such. We also have discord server.
  33. 3 points
    When dealing with multi-function devices (e.g. GPU with GPU + HDMI audio), Unraid GUI will assign a new bus for each additional device by default. This can cause compatibility / performance issues in some cases, most notably but not exclusive to MacOS VM. The workaround is adding multifunction='on' and change the bus + function values in the xml. If any edit is done via the GUI, it will revert the bus + function back to the default method, requiring additional edits. New users are also unlikely to be able to make these manual xml edits. It would be a good idea to enhance the VM GUI to detect and make the appropriate edits in the xml automatically for these devices. E.g. group devices by bus + function and create the bus + function in the xml accordingly (adding multifunction='on' for the first device of a multi-function group). At least, I would imagine it would not be too complicated to apply it as a priority to GPU and HDMI audio devices since they have their own dedicated GUI boxes so matching them is rather simple.
  34. 3 points
    I agree with the previous post by Ellis34771: I think at the moment ZFS would just introduce unwanted complexity for the majority of home users of Unraid, and think the Lime team would be better adding features such as Server to Server native backup/sync. I realize I might be in the minority here holding this view! 😎
  35. 3 points
    I’m in a very similar place with my upcoming build. I believe I’ve done a lot of research and can probably help.

    1. TDP is really a limit to what the processor will operate at under load. Also, AMD and Intel calculate TDP differently so it’s harder to do a direct comparison. Idle power is usually considerably lower with Intel CPU’s while Ryzen processors tend to only idle a little lower than their TDP (but also have a lower ceiling in terms of power consumption). That 80W Intel processor will idle about 20-30W below that Ryzen processor. It’s important to consider this because if you’re primarily using your server as a Plex/Emby server, it will be at idle most of the time. The P2000 is limited to 75W max but if it’s just transcoding and nothing else, it will consume very little power. **Ideally, the P2000 when it’s sitting idle should be below 10W but due to a bug somewhere in Plex and the P2000, it will stay in an active state even after transcoding is done which will cause it to consume somewhere closer to 20W. Plex is looking into it but who knows when that will be fixed.

    2. I’m not saying that UnRAID with Ryzen is unstable or not adequate, but there are some known quirks that are still in the process of being worked out (especially with the X470D4U and X470D4U2-2T). You will most likely need to set the power state to Typical Idle Power or something similar and you’ll be without some temperature sensors that are nice to have but won’t be in until UnRAID updates their Linux kernel. You also might run into issues with your PSU you are using causing your processor to run at very low speeds. This seems to be correctable but it’s something you need to be aware of. UnRAID updates for Ryzen also tend to cause a few more issues on average than Intel.

    3. With the Intel CPU and QuickSync, you should be able to easily do 15+ 1080p transcodes with little effort except for a few changes in your BIOS and in your go file. Otherwise, you can run it with any form of UnRAID as long as it has a newer kernel where your iGPU is supported (generally anything 6.8.0rc-1 and above). With Ryzen and the P2000, you’ll need to install the Nvidia version of UnRAID which isn’t updated as fast as the regular UnRAID version (it’s still relatively fast but if you want to update when a newer version of UnRAID comes out you’ll need to wait for the Nvidia guys to bake in their drivers). Granted, with the P2000, you’ll be able to do 20+ 1080p transcodes with ease.

    I’m personally leaning toward an E-2288G and Supermicro X11SCH-F (I don’t need 10g and I have a Supermicro chassis). It will cost more, have more security patches in the future that will lower performance, and the CPU won’t be upgradeable. With all that said though, QuickSync is incredibly efficient, the CPU will idle below 40W, I’ll get 2 full speed NVME slots, it will be powerful enough to last me about 5 years, and I can always add a P2000 down the road if I need more transcoding power. Ryzen is a very powerful CPU at a very affordable price and if the newer Linux kernels bring forward some much needed improvements and ASRock keeps updating their BIOS to be better, I might end up going that route. We’ll see what the next few months brings.
  36. 3 points
    There is a hidden character that gets copied over from the forums. It is a known issue. Get notepad++ and do 'show all symbols' to see.
  37. 3 points
  38. 3 points
    remotely connected using wireguard, from my phone upgraded 6.8.1 to 6.8.2 without error. thank you unraid team!
  39. 3 points
    And the response is, since people are already not happy with the perceived slowness of fixes and new features in the core product, adding a whole new layer of problems and complexities for limetech to deal with will slow releases down even more, causing even more complaining about things not being kept up to date. If limetech was responsible for the nvidia build as well as the core product, you would see less timely progress, not more. Limetech is absorbing more and more of the community pioneered features as time goes on, at some point they may very well decide to start doing nvidia drivers if they feel it's a good use of their limited resources. That time is not soon™.
  40. 3 points
  41. 3 points
    You're welcome. Make sure this area of your config.php looks like this.

        'trusted_domains' =>
        array (
          0 => 'unRAIDIP:NextcloudPort',
          1 => 'nextcloud.server.com',
        ),
        'trusted_proxies' => array('unRAIDIP'),
        'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
        'dbtype' => 'mysql',
        'version' => '18.0.0.10',
        'overwrite.cli.url' => 'https://nextcloud.server.com',
        'overwritehost' => 'nextcloud.server.com',
        'overwriteprotocol' => 'https',
  42. 3 points
    I had issues with the same and was able to eventually figure it out. You need to console into the Nextcloud docker and run the below command, changing the end of it, which perhaps you already did to get the BigINT conversion done. So "db:add-missing-indices" after the "occ" instead of what I have here. For the HSTS, add the line "add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";" in the "default" file in the "\nextcloud\nginx\site-confs" folder. I put it above the line that has "SAMEORIGIN" in it, not all that far from the top of the file.
  43. 3 points
    FYI: We've released a security tips and best practices blog alongside this release. TIA for reading!
  44. 3 points
    Thanks but we don't need to be told.
  45. 3 points
    A client asked me to build this frame, which can hold 12x 5.25-inch drives.
  46. 3 points
    Has to do with how POSIX-compliant we want to be. Here are the issues:

    If 2 dirents (directory entries) refer to the same file, then if you 'stat' either dirent it should return:
    a) 'st_nlink' will be set to 2 in this case, and
    b) the same inode number in 'st_ino'.

    Prior to 6.8 release a) was correct, but b) was not (it returns an internal FUSE inode number associated with dirents). This is incorrect behavior and can confuse programs such as 'rsync', but fixes NFS stale file handle issue.

    To fix this, you can tell FUSE to pass along the actual st_ino of the underlying file instead of its own FUSE inode number. This works except for 2 problems:

    1. If the file is physically moved to a different file system, the st_ino field changes. This causes NFS stale file handles.

    2. There is still a FUSE delay because it caches stat data (default for 1 second). For example, if kernel asks for stat data for a file (or directory), FUSE will ask user-space filesystem to provide it. Then if kernel asks for stat data again for same object, if time hasn't expired FUSE will just return the value it read last time. If timeout expired, then FUSE will again ask user-space filesystem to provide it. Hence in our example above, one could remove one of the dirents for a file and then immediately 'stat' the other dirent, and that stat data will not reflect fact that 'st_nlink' is now 1 - it will still say 2. Obviously whether this is an issue depends entirely on timing (the worst kind of bugs).

    In the FUSE example code there is this comment in regards to hard link support:

        static void *xmp_init(struct fuse_conn_info *conn,
                              struct fuse_config *cfg)
        {
            (void) conn;
            cfg->use_ino = 1;
            cfg->nullpath_ok = 1;

            /* Pick up changes from lower filesystem right away. This is
               also necessary for better hardlink support. When the kernel
               calls the unlink() handler, it does not know the inode of
               the to-be-removed entry and can therefore not invalidate
               the cache of the associated inode - resulting in an
               incorrect st_nlink value being reported for any remaining
               hardlinks to this inode. */
            cfg->entry_timeout = 0;
            cfg->attr_timeout = 0;
            cfg->negative_timeout = 0;

            return NULL;
        }

    But the problem is the kernel is very "chatty" when it comes to directory listings. Basically it re-'stat's the entire parent directory tree each time it wants to 'stat' a file returned by READDIR. If we have the 'attr_timeout' set to 0, then each one of those 'stat's results in a round trip from kernel space to user space (and processing done by user-space filesystem). I have set it up so that if you enable hard link support, those timeouts are as above and hence you see huge slowdown because of all the overhead. I could remove that code that sets the timeouts to 0, but as I mentioned, not sure what "bugs" this might cause for other users - our policy is, better to be slow than to be wrong. So this is kinda where it stands. We have ideas for fixing but will involve modifying FUSE which is not a small project.
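A way to observe the two behaviours described in the post above on a given mount, as an added example that is not part of the original post or of the Unraid or FUSE code. The function name `check_hardlinks`, the result flags and the scratch file names are assumptions made for this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result bits from check_hardlinks(); 0 means every check passed. */
enum {
    HL_SETUP_FAILED = 1, /* could not create, link, unlink or stat the test files */
    HL_INO_MISMATCH = 2, /* the two dirents report different st_ino */
    HL_NLINK_NOT_2  = 4, /* st_nlink was not 2 while both dirents existed */
    HL_NLINK_STALE  = 8  /* st_nlink was not 1 immediately after unlink */
};

int check_hardlinks(const char *dir)
{
    char a[4096], b[4096];
    struct stat sa, sb;
    int fd, result = 0;
    /* Constructed scratch names; the pid keeps concurrent runs apart. */
    snprintf(a, sizeof a, "%s/.hlcheck_a.%ld", dir, (long)getpid());
    snprintf(b, sizeof b, "%s/.hlcheck_b.%ld", dir, (long)getpid());
    fd = open(a, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0)
        return HL_SETUP_FAILED;
    close(fd);
    if (link(a, b) != 0 || stat(a, &sa) != 0 || stat(b, &sb) != 0) {
        result = HL_SETUP_FAILED;
    } else {
        if (sa.st_ino != sb.st_ino)
            result |= HL_INO_MISMATCH;
        if (sa.st_nlink != 2 || sb.st_nlink != 2)
            result |= HL_NLINK_NOT_2;
        /* Remove one dirent, then stat the survivor with no delay: a cached
           attribute (attr_timeout > 0) can still report st_nlink == 2 here. */
        if (unlink(a) != 0 || stat(b, &sb) != 0)
            result |= HL_SETUP_FAILED;
        else if (sb.st_nlink != 1)
            result |= HL_NLINK_STALE;
    }
    unlink(a); /* best-effort cleanup; either call may fail harmlessly */
    unlink(b);
    return result;
}

int main(int argc, char **argv)
{
    int r = check_hardlinks(argc > 1 ? argv[1] : ".");
    printf("result=%d (0 means consistent)\n", r);
    return r;
}
```

Pass the directory to probe as the first argument; the exit status is the OR of the flags above.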
  47. 3 points
    A true emergency! We're on it! Could be worse, could be Notting Hill ...
  48. 2 points
    Ok, Updates finished https://github.com/BinsonBuzz/unraid_rclone_mount. Tidy ups to mount and cleanup script. Upload script has some good changes:

    1. configurable --min-age as part of the config section
    2. configurable --exclusion as part of the config section. I've added 8 which should be plenty
    3. Service account counters work 100% now (I think!)
    4. Added ability to do backup jobs

    For 99% of users this should mean the main script doesn't need touching. I added #4 to reduce the amount of edits I have to do to support my own jobs, including my backup job. Now that the main body supports my backup job, future updates will be much faster and there'll be fewer errors.
  49. 2 points
    @DZMM New script looks good but doesn't work if you use encryption because you need to edit the service account remote but then upload to the crypt for the service account. To edit the service account but upload via crypt I made these changes (added ServiceAccountRemote variable):

        # REQUIRED SETTINGS
        RcloneUploadRemoteName="service_account_vfs" # If you have a second remote created for uploads put it here. Otherwise use the same remote as RcloneRemoteName.

        # Use Service Accounts. Instructions: https://github.com/xyou365/AutoRclone
        ServiceAccountRemote="service_account" # Name of Remote which authenticates via service_account.json files

        # Adjusting service_account_file if using Service Accounts
        if [[ $UseServiceAccountUpload == 'Y' ]]; then
            ServiceAccountFile+=$CounterNumber.json
            # Quoted so a remote name or path containing spaces is passed as one argument
            rclone config update "$ServiceAccountRemote" service_account_file "$ServiceAccountDirectory/$ServiceAccountFile"
            echo "$(date "+%d.%m.%Y %T") INFO: Adjusted service_account_file for upload remote ${ServiceAccountRemote} to ${ServiceAccountFile} based on counter ${CounterNumber}."
        else
            echo "$(date "+%d.%m.%Y %T") INFO: Uploading using upload remote ${RcloneUploadRemoteName}"
        fi

    This way rclone updates the ServiceAccountRemote instead of the RcloneUploadRemoteName.
  50. 2 points
    Thank you all for playing! Winners have been drawn, contacted and prizes have been mailed out! The following list of members won case badges: hotio juan11perez wreave Scorpionhl Mr.Meeseeks Fiala06 BrettS HonkyTonk Rob- sausuke deepthought JKY 2FA Trembler ManlyJack jrdnlc dtctechs cgi2099 joshstrange mattgob86 Exa Coolamasta lemus89 Moussekateer revilo951 Splatter21 Ectropian nas_nerd Kasper56 Mmr8cmh Em poh ping dgriff yendi mikekim4x Morphed ghost82 korotkov VTX1800Rider what? Joey0live TRAVMO justinwebb egut125 Konijntjes Bespin iurab normtodd sikedsyko glennv TRaSH Bjorn1902 klipp01 none_really madelectron nuhll niko7 ikkuranus vektor unrateable bigsing Sander0542 nacat78 Fuoman eggman9713 twistedsanity thomas Raad ElectricBadger couscous_anonym0us RecycledBits FranciumF jj9987 eXtremeSHOK Dave-M JKChapman PigNib macattack erax0r Twinsen sharpfork intertet unabletoconnect DJ Callyman julianhj makesh86 mlapaglia busa1 FMG O_M_R snazz The following list of members won case badges and gift cards to the Unraid merch store: willk danman Notsure cyndor1 tr3bjockey jpowell8672 braydencw1 MarkRMonaco ilmadrya The following member won case badges a gift card to the Unraid merch store AND an Unraid Pro License: vagrantprodigy Congratulations to all of the winners and a big thanks to you all for being a part of our 100,000+ strong online community!