Leaderboard


Popular Content

Showing content with the highest reputation since 04/01/19 in all areas

  1. 24 points
    tldr: If you are running Unraid OS 6 version 6.8.1 or later, the following does not apply (mitigations are in place). If you are running any earlier Unraid OS 6 release, i.e., 6.8.0 and earlier, please read on.

    On Jan 5, 2020 we were informed by a representative from sysdream.com of security vulnerabilities they discovered in Unraid OS. Their report is attached to this post. At the time, version 6.8.0 was the stable release.

    The most serious issue concerns version 6.8.0. Here they discovered a way to bypass our forms-based authentication and look at the contents of various webGUI pages (that is, without having to log in first). Then using another exploit, they were further able to demonstrate the ability to inject "arbitrary code execution". Someone clever enough could use this latter exploit to execute arbitrary code on a server. (That person would have to have access to the same LAN as the server, or know the IP address:port of the server if accessible via the Internet.)

    Even in versions prior to 6.8.0, the "arbitrary code execution" vulnerability exists if an attacker can get you to visit a webpage using a browser that is already logged into an Unraid server (and they know or can guess the host name of the server). In this case, clicking the link could cause injection of code to the server. This is similar to the CSRF vulnerability we fixed a few years ago.

    In summary, sysdream.com recognizes 3 vulnerabilities:

      1. That it's possible to bypass username/password authentication and access pages directly in v6.8.0.
      2. That once authentication is bypassed, it's possible to inject and have server execute arbitrary code.
      3. That even if bug #1 is fixed, #2 is still possible if attacker can get you to click a link using browser already authenticated to your Unraid server (6.8.0 and all earlier versions of Unraid 6).

    Mitigations are as follows:

    First, if you are running version 6.8.0, either upgrade to latest stable release, or downgrade to an earlier release and install the sysdream mitigation plugin. We are not going to provide a mitigation plugin for 6.8.0.

    If you are running any 6.6 or 6.7 Unraid release, the best course of action is to upgrade to the latest stable release; otherwise, please install this mitigation plugin:

    https://raw.githubusercontent.com/limetech/sysdream/master/sysdream.plg

    This plugin will make a small patch to the webGUI template.php file in order to prevent arbitrary code execution. This plugin will work with all 6.6.x and 6.7.x releases and should also be available via Community Apps within a couple hours.

    We are not going to provide a mitigation for Unraid releases 6.5.x and earlier. If you are running an earlier release and cannot upgrade for some reason, please send us an email: support@lime-technology.com.

    I want to thank sysdream.com for bringing this to our attention, @eschultz for initial testing and fixes, and @bonienl for creation of the sysdream mitigation plugin.

    I also want to remind everyone: please set a strong root password, and carefully consider the implications and security measures necessary if your server is accessible via the Internet. Finally, try and keep your server up-to-date.

    VULNERABILITY_DISCLOSURE.pdf
  2. 23 points
    Note: this community guide is offered in the hope that it is helpful, but comes with no warranty/guarantee/etc. Follow at your own risk.

    What can you do with WireGuard?

    Let's walk through each of the connection types:

      - Remote access to server: Use your phone or computer to remotely access your Unraid server, including:
          - Unraid administration via the webgui
          - Access dockers, VMs, and network shares as though you were physically connected to the network
      - Remote access to LAN: Builds on "Remote access to server", allowing you to access your entire LAN as well.
      - Server to server access: Allows two Unraid servers to connect to each other.
      - LAN to LAN access: Builds on "Server to server access", allowing two entire networks to communicate. (see this guide)
      - Server hub & spoke access: Builds on "Remote access to server", except that all of the VPN clients can connect to each other as well. Note that all traffic passes through the server.
      - LAN hub & spoke access: Builds on "Server hub & spoke access", allowing you to access your entire LAN as well.
      - VPN tunneled access: Route traffic for specific Dockers and VMs through a commercial WireGuard VPN provider (see this guide)
      - Remote tunneled access: Securely access the Internet from untrusted networks by routing all of your traffic through the VPN and out Unraid's Internet connection

    In this guide we will walk through how to setup WireGuard so that your trusted devices can VPN into your home network to access Unraid and the other systems on your network.

    Prerequisites

      - You must be running Unraid 6.8 with the Dynamix WireGuard plugin from Community Apps
      - Be aware that WireGuard is technically classified as experimental. It has not gone through a full security audit yet and has not reached 1.0 status. But it is the first open source VPN solution that is extremely simple to install, fast, and designed from the ground up to be secure.
      - Understand that giving someone VPN access to your LAN is just like giving them physical access to your LAN, except they have it 24x7 when you aren't around to supervise. Only give access to people and devices that you trust, and make certain that the configuration details (particularly the private keys) are not passed around insecurely. Regardless of the "connection type" you choose, assume that anyone who gets access to this configuration information will be able to get full access to your network.
      - This guide works great for simple networks. But if you have Dockers with custom IPs or VMs with strict networking requirements, please see the "Complex Networks" section below.
      - Unraid will automatically configure your WireGuard clients to connect to Unraid using your current public IP address, which will work until that IP address changes. To future-proof the setup, you can use Dynamic DNS instead. There are many ways to do this, probably the easiest is described in this 2 minute video from SpaceInvaderOne
      - If your router has UPnP enabled, Unraid will be able to automatically forward the port for you. If not, you will need to know how to configure your router to forward a port.
      - You will need to install WireGuard on a client system. It is available for many operating systems: https://www.wireguard.com/install/ Android or iOS make good first systems, because you can get all the details via QR code.

    Setting up the Unraid side of the VPN tunnel

      - First, go to Settings -> Network Settings -> Interface eth0. If "Enable bridging" is "Yes", then WireGuard will work as described below. If bridging is disabled, then none of the "Peer type of connections" that involve the local LAN will work properly. As a general rule, bridging should be enabled in Unraid.
      - If UPnP is enabled on your router and you want to use it in Unraid, go to Settings -> Management Access and confirm "Use UPnP" is set to Yes
      - On Unraid 6.8, go to Settings -> VPN Manager
      - Give the VPN Tunnel a name, such as "MyHome VPN"
      - Press "Generate Keypair". This will generate a set of public and private keys for Unraid. Take care not to inadvertently share the private key with anyone (such as in a screenshot like this)
      - By default the local endpoint will be configured with your current public IP address. If you chose to setup DDNS earlier, change the IP address to the DDNS address.
      - Unraid will recommend a port to use. You typically won't need to change this unless you already have WireGuard running elsewhere on your network.
      - Hit Apply
      - If Unraid detects that your router supports UPnP, it will automatically setup port forwarding for you:
      - If you see a note that says "configure your router for port forwarding..." you will need to login to your router and setup the port forward as directed by the note:
      - Some tips for setting up the port forward in your router:
          - Both the external (source) and internal (target/local) ports should be set to the value Unraid provides. If your router interface asks you to put in a range, use the same port for both the starting and ending values. Be sure to specify that it is a UDP port and not a TCP port.
          - For the internal (target/local) address, use the IP address of your Unraid system shown in the note.
          - Google can help you find instructions for your specific router, i.e. "how to port forward Asus RT-AC68U"
      - Note that after hitting Apply, the public and private keys are removed from view. If you ever need to access them, click the "key" icon on the right hand side.
      - Similarly, you can access other advanced setting by pressing the "down chevron" on the right hand side. They are beyond the scope of this guide, but you can turn on help to see what they do.
      - In the upper right corner of the page, change the Inactive slider to Active to start WireGuard. You can optionally set the tunnel to Autostart when Unraid boots.

    Defining a Peer (client)

      - Click "Add Peer"
      - Give it a name, such as "MyAndroid"
      - For the initial connection type, choose "Remote access to LAN". This will give your device access to Unraid and other items on your network.
      - Click "Generate Keypair" to generate public and private keys for the client. The private key will be given to the client / peer, but take care not to share it with anyone else (such as in a screenshot like this)
      - For an additional layer of security, click "Generate Key" to generate a preshared key. Again, this should only be shared with this client / peer.
      - Click Apply.

    Note: Technically, the peer should generate these keys and not give the private key to Unraid. You are welcome to do that, but it is less convenient as the config files Unraid generates will not be complete and you will have to finish configuring the client manually.

    Configuring a Peer (client)

      - Click the "eye" icon to view the peer configuration. If the button is not clickable, you need to apply or reset your unsaved changes first.
      - If you are setting up a mobile device, choose the "Create from QR code" option in the mobile app and take a picture of the QR code. Give it a name and make the connection. The VPN tunnel starts almost instantaneously, once it is up you can open a browser and connect to Unraid or another system on your network. Be careful not to share screenshots of the QR code with anyone, or they will be able to use it to access your VPN.
      - If you are setting up another type of device, download the file and transfer it to the remote computer via trusted email or dropbox, etc. Then unzip it and load the configuration into the client. Protect this file, anyone who has access to it will be able to access your VPN.

    About DNS

    The 2019.10.20 release of the Dynamix Wireguard plugin includes a "Peer DNS Server" option (thanks @bonienl!)

    If you are having trouble with DNS resolution on the WireGuard client, return to the VPN Manager page in Unraid and switch from Basic to Advanced mode, add the IP address of your desired DNS server into the "Peer DNS Server" field, then install the updated config file on the client. You may want to use the IP address of the router on the LAN you are connecting to, or you could use a globally available IP like 8.8.8.8

    This is required for "Remote tunneled access" mode, if the client's original DNS server is no longer accessible after all traffic is routed through the tunnel.

    If you are using any of the split tunneling modes, adding a DNS server may provide name resolution on the remote network, although you will lose name resolution on the client's local network in the process. The simplest solution is to add a hosts file on the client that provides name resolution for both networks.

    Complex Networks (updated Feb 20, 2020)

    The instructions above should work out of the box for simple networks. With "Use NAT" defaulted to Yes, all network traffic on Unraid uses Unraid's IP, and that works fine if you have a simple setup.

    However, if you have Dockers with custom IPs or VMs with strict networking requirements, things may not work right (I know, kind of vague, but feel free to read the two WireGuard threads for examples)

    To resolve:

      - In the WireGuard config, set "Use NAT" to No
      - In your router, add a static route that lets your network access the WireGuard "Local tunnel network pool" through the IP address of your Unraid system. For instance, for the default pool of 10.253.0.0/24 you should add this static route:
          - Network: 10.253.0.0/24 (aka 10.253.0.0 with subnet 255.255.255.0)
          - Gateway: <IP address of your Unraid system>
      - On the Docker settings page, set "Host access to custom networks" to "Enabled".
see this: https://forums.unraid.net/topic/84229-dynamix-wireguard-vpn/page/8/?tab=comments#comment-808801
  3. 22 points
    Since I can remember Unraid has never been great at simultaneous array disk performance, but it was pretty acceptable, since v6.7 there have been various users complaining for example of very poor performance when running the mover and trying to stream a movie.

    I noticed this myself yesterday when I couldn't even start watching an SD video using Kodi just because there were writes going on to a different array disk, and this server doesn't even have a parity drive, so did a quick test on my test server and the problem is easily reproducible and started with the first v6.7 release candidate, rc1.

    How to reproduce:

    -Server just needs 2 assigned array data devices (no parity needed, but same happens with parity) and one cache device, no encryption, all devices are btrfs formatted
    -Used cp to copy a few video files from cache to disk2
    -While cp is going on tried to stream a movie from disk1, took a long time to start and would keep stalling/buffering

    Tried to copy one file from disk1 (still while cp is going on on disk2), with V6.6.7:

    with v6.7rc1:

    A few times transfer will go higher for a couple of seconds but most times it's at a few KB/s or completely stalled.

    Also tried with all unencrypted xfs formatted devices and it was the same:

    Server where problem was detected and test server have no hardware in common, one is based on X11 Supermicro board, test server is X9 series, server using HDDs, test server using SSDs so very unlikely to be hardware related.
  4. 21 points
    Something else I wanted to add, as long as we're talking about security measures in the pipe: we are looking at integrating various 2-Factor solutions directly in Unraid OS, such as google authenticator.
  5. 21 points
    It appears that the docker images --digests --no-trunc command is showing, for whatever reason, the digest of the manifest list rather than the manifest itself for containers pushed as part of a manifest list (https://docs.docker.com/engine/reference/commandline/manifest/#create-and-push-a-manifest-list). I'm not sure if that's always been the case, or is the result of some recent change on the Docker hub API. Also not sure if it's intentional or a bug.

    This causes an issue since in DockerClient.php (/usr/local/emhttp/plugins/dynamix.docker.manager/include), the request made to get the comparison digest is

        /**
         * Step 4: Get Docker-Content-Digest header from manifest file
         */
        $ch = getCurlHandle($manifestURL, 'HEAD');
        curl_setopt( $ch, CURLOPT_HTTPHEADER, [
            'Accept: application/vnd.docker.distribution.manifest.v2+json',
            'Authorization: Bearer ' . $token
        ]);

    which retrieves information about the manifest itself, not the manifest list. So it ends up comparing the list digest as reported by the local docker commands to the individual manifest digests as retrieved from docker hub, which of course do not match.

    Changing the Accept header to the list mime type: 'application/vnd.docker.distribution.manifest.list.v2+json' causes it to no longer consistently report updates available for these containers. Doing this however reports updates for all containers that do not use manifest lists, since the call now falls back to a v1 manifest if the list is not available and the digest for the v1 manifest doesn't match the digest for the v2 manifest.

    If the Accept header is instead changed to 'application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json' docker hub will fall back correctly to the v2 manifest, and the digests now match the local output for both containers using straight manifests and those using manifest lists. Until docker hub inevitably makes another change.

        /**
         * Step 4: Get Docker-Content-Digest header from manifest file
         */
        $ch = getCurlHandle($manifestURL, 'HEAD');
        curl_setopt( $ch, CURLOPT_HTTPHEADER, [
            'Accept: application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json',
            'Authorization: Bearer ' . $token
        ]);
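The three Accept-header cases from the post above, reproduced offline as an added Python example (it is not Unraid's DockerClient.php and not the poster's code). The in-memory registry, the manifests and every function name are constructed for illustration, and the negotiation rule is a simplified model of the behaviour the post reports, not the registry's actual implementation.

```python
import hashlib
import json

MT_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
MT_V2 = "application/vnd.docker.distribution.manifest.v2+json"
MT_V1 = "application/vnd.docker.distribution.manifest.v1+json"

# The three Accept header values the post compares.
ACCEPT_V2_ONLY = MT_V2
ACCEPT_LIST_ONLY = MT_LIST
ACCEPT_BOTH = MT_LIST + "," + MT_V2


def digest(body):
    """A manifest digest is the SHA-256 of the exact manifest bytes."""
    return "sha256:" + hashlib.sha256(body).hexdigest()


def make_repo(multi_arch):
    """Build a constructed repository tag (sample data, not a real image)."""
    v2 = json.dumps({
        "schemaVersion": 2,
        "mediaType": MT_V2,
        "config": {"digest": "sha256:" + "0" * 64},
        "layers": [],
    }, sort_keys=True).encode()
    v1 = json.dumps({"schemaVersion": 1, "name": "example/app",
                     "tag": "latest"}, sort_keys=True).encode()
    repo = {"native": MT_V2, MT_V2: v2, MT_V1: v1}
    if multi_arch:
        # A manifest list points at per-platform manifests by digest.
        repo[MT_LIST] = json.dumps({
            "schemaVersion": 2,
            "mediaType": MT_LIST,
            "manifests": [{
                "mediaType": MT_V2,
                "digest": digest(v2),
                "platform": {"architecture": "amd64", "os": "linux"},
            }],
        }, sort_keys=True).encode()
        repo["native"] = MT_LIST
    return repo


def head_manifest(repo, accept_header):
    """Model of the HEAD request: return (media type, Docker-Content-Digest).

    Assumed negotiation, following the post: serve the tag's native type if
    the client accepts it; serve the platform manifest for a list when only
    v2 is accepted; otherwise fall back to a v1 manifest.
    """
    accepted = [t.strip() for t in accept_header.split(",")]
    native = repo["native"]
    if native in accepted:
        chosen = native
    elif native == MT_LIST and MT_V2 in accepted:
        chosen = MT_V2
    else:
        chosen = MT_V1
    return chosen, digest(repo[chosen])


def local_digest(repo):
    """What the post says `docker images --digests` shows after a pull:
    the list digest for list-pushed images, else the manifest digest."""
    return digest(repo[repo["native"]])


def update_reported(repo, accept_header):
    """True when the update check would flag the image as out of date,
    although local and remote content are identical in this model."""
    return head_manifest(repo, accept_header)[1] != local_digest(repo)


def report():
    """False-positive matrix for each Accept header and image kind."""
    repos = {"manifest list": make_repo(True), "plain v2": make_repo(False)}
    headers = {"v2 only": ACCEPT_V2_ONLY, "list only": ACCEPT_LIST_ONLY,
               "list,v2": ACCEPT_BOTH}
    return {(h, r): update_reported(repo, accept)
            for h, accept in headers.items()
            for r, repo in repos.items()}


if __name__ == "__main__":
    for (header, kind), flagged in report().items():
        print(f"Accept {header:9} | {kind:13} | false update: {flagged}")
```

Only the combined header yields no false "update available" for either kind of image, which matches the fix proposed in the post.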
  6. 19 points
    This is a bug fix and security update release. Due to a security vulnerability discovered in forms-based authentication: ALL USERS ARE STRONGLY ENCOURAGED TO UPGRADE To upgrade: If you are running any 6.4 or later release, click 'Check for Updates' on the Tools/Update OS page. If you are running a pre-6.4 release, click 'Check for Updates' on the Plugins page. If the above doesn't work, navigate to Plugins/Install Plugin, select/copy/paste this plugin URL and click Install: https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer.plg Refer also to @ljm42 excellent 6.4 Update Notes which are helpful especially if you are upgrading from a pre-6.4 release. Bugs: If you discover a bug or other issue in this release, please open a Stable Releases Bug Report. Version 6.8.1 2020-01-10 Changes vs. 6.8.0 Base distro: libuv: version 1.34.0 libvirt: version 5.10.0 mozilla-firefox: version 72.0.1 (CVE-2019-17026, CVE-2019-17015, CVE-2019-17016, CVE-2019-17017, CVE-2019-17018, CVE-2019-17019, CVE-2019-17020, CVE-2019-17021, CVE-2019-17022, CVE-2019-17023, CVE-2019-17024, CVE-2019-17025) php: version 7.3.13 (CVE-2019-11044 CVE-2019-11045 CVE-2019-11046 CVE-2019-11047 CVE-2019-11049 CVE-2019-11050) qemu: version 4.2.0 samba: version 4.11.4 ttyd: version 20200102 wireguard-tools: version 1.0.20200102 Linux kernel: version 4.19.94 kernel_firmware: version 20191218_c4586ff (with additional Intel BT firmware) CONFIG_THUNDERBOLT: Thunderbolt support CONFIG_INTEL_WMI_THUNDERBOLT: Intel WMI thunderbolt force power driver CONFIG_THUNDERBOLT_NET: Networking over Thunderbolt cable oot: Highpoint rr3740a: version v1.19.0_19_04_04 oot: Highpoint r750: version v1.2.11-18_06_26 [restored] oot: wireguard: version 0.0.20200105 Management: add cache-busting params for noVNC url assets emhttpd: fix cryptsetup passphrase input network: disable IPv6 for an interface when its settings is "IPv4 only". 
webgui: Management page: fixed typos in help text webgui: VM settings: fixed Apply button sometimes not working webgui: Dashboard: display CPU load full width when no HT webgui: Docker: show 'up-to-date' when status is unknown webgui: Fixed: handle race condition when updating share access rights in Edit User webgui: Docker: allow to set container port for custom bridge networks webgui: Better support for custom themes (not perfect yet) webgui: Dashboard: adjusted table positioning webgui: Add user name and user description verification webgui: Edit User: fix share access assignments webgui: Management page: remove UPnP conditional setting webgui: Escape shell arg when logging csrf mismatch webgui: Terminal button: give unsupported warning when Edge/MSIE is used webgui: Patched vulnerability in auth_request webgui: Docker: added new setting "Host access to custom networks" webgui: Patched vulnerability in template.php
  7. 18 points
    tldr: If you require hardware support offered by the Linux 5.x kernel then I suggest you remain on 6.8.0-rc7 and wait until 6.9.0-rc1 is published before upgrading. The "unexpected GSO type" bug is looking to be a show stopper for Unraid 6.8 using Linux kernel 5.3 or 5.4 kernel. We can get it to happen easily and quickly simply by having any VM running and then also start a docker App where Network Type has been set to "Custom : br0" (in my case) and I've set a static IP for the container or toggle between setting static IP and letting docker dhcp assign one. There are probably a lot of users waiting for a stable release who will see this issue, and therefore, I don't think we can publish with this bug. The bug does not occur with any 4.19.x or 4.20.x Linux kernel; but does occur with all kernels starting with 5.0. This implies the bug was introduced with some code change in the initial 5.0 kernel. The problem is that we are not certain where to report the bug; it could be a kernel issue or a docker issue. Of course, it could also be something we are doing wrong, since this issue is not reported in any other distro AFAIK. We are continuing investigation and putting together a report to submit either to kernel mailing list or as a docker issue. In any case, an actual fix will probably take quite a bit more time, especially since we are heading into the holidays. Therefore this is what we plan to do: For 6.8: revert kernel to 4.19.87 and publish 6.8.0-rc8. Those currently running stable (6.7.2) will see no loss of functionality because that release is also on 4.19 kernel. Hopefully this will be last or next to last -rc and then we can publish 6.8 stable. Note: we cannot revert to 4.20 kernel because that kernel is EOL and has not had any updates in months. For 6.9: as soon as 6.8 stable is published we'll release 6.9.0-rc1 on next release branch. 
This will be exactly the same as 6.8 except that we'll update to latest 5.4 kernel (and "unexpected GSO type" bug will be back). We will use the next branch to try and solve this bug. New features, such as multiple pools, will be integrated into 6.10 release, which is current work-in-progress. We'll wait a day or two to publish 6.8-rc8 with reverted kernel in hopes those affected will see this post first.
  8. 18 points
    To upgrade: If you are running any 6.4 or later release, click 'Check for Updates' on the Tools/Update OS page. If you are running a pre-6.4 release, click 'Check for Updates' on the Plugins page. If the above doesn't work, navigate to Plugins/Install Plugin, select/copy/paste this plugin URL and click Install: https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer.plg Refer also to @ljm42 excellent 6.4 Update Notes which are helpful especially if you are upgrading from a pre-6.4 release. Bugs: If you discover a bug or other issue in this release, please open a Stable Releases Bug Report. New in Unraid OS 6.8 release: The Update OS tool still downloads the new release zip file to RAM but then extracts directly to USB flash boot device. You will probably notice a slight difference in speed of extract messages. Also the 'sync' command at the end has been replaced with 'sync -f /boot' to prevent spin-up of all devices before the operation is considered complete. Forms based authentication If you have set a root password for your server, when accessing webGUI you'll now see a nice login form. There still is only one user for Unraid so for username enter root. This form should be compatible with all major password managers out there. We always recommend using a strong password. There is no auto-logout implemented yet, please click Logout on menu bar or completely close your browser to logout. Linux kernel We started 6.8 development and initial testing using Linux 5.x kernel. However there remains an issue when VM's and Docker containers using static IP addresses are both running on the same host network interface. This issue does not occur with the 4.19 kernel. We are still studying this issue and plan to address it in the Unraid 6.9 release. Changes to the kernel include: Update to 4.19.88 Include latest Intel microcode for yet another hardware vulnerability mitigation. 
Default scheduler now 'mq-deadline', but this can be changed via new Settings/Disk Settings/Scheduler setting. Enabled Huge Page support, though no UI control yet. binfmt_misc support. Fix chelsio missing firmware. Added oot: Realtek r8125: version 9.002.02 Removed Highpoint r750 driver [does not work] md/unraid driver Introduced "multi-stream" support: Reads on devices which are not being written should run at full speed. In addition, if you have set the md_write_method tunable to "reconstruct write", then while writing, if any read streams are detected, the write method is switched to "read/modify/write". Parity sync/check should run at full speed by default. Parity sync/check is throttled back in presence of other active streams. The "stripe pool" resource is automatically shared evenly between all active streams. As a result got rid of some Tunables: md_sync_window md_sync_thresh and added some tunables: md_queue_limit md_sync_limit [-rc2] md_scheduler Please refer to Settings/Disk Settings help text for description of these settings. WireGuard® support - available as a plugin via Community Apps. Our WireGuard implementation and UI is still a work-in-process; for this reason we have made this available as a plugin, though the latest WireGuard module is included in our Linux kernel. I want to give special thanks to @bonienl who wrote the plugin with lots of guidance from @ljm42 - thank you! I also should give a shout out to @NAS who got us rolling on this. If you don't know about WireGuard it's something to look into! Note: WireGuard is a registered trademark of Jason A. Donenfeld. Guide here: WS-Discovery support - Finally you can get rid of SMBv1 and get reliable Windows network discovery. This feature is configured on the Settings/SMB Settings page and enabled by default. Also on same settings page is Enable NetBIOS setting. This is enabled by default, however if you no longer have need for NetBIOS discovery you can turn it off.
When turned off, Samba is configured to accept only SMBv2 protocol and higher. Added mDNS client support in Unraid OS. This means, for example, from an Unraid OS terminal session to ping another Unraid OS server on your network you can use (e.g., 'tower'): ping tower.local instead of ping tower Note the latter will still work if you have NetBIOS enabled. User Share File System (shfs) changes: Integrated FUSE-3 - This should increase performance of User Share File System. Fixed bug with hard link support. Previously a 'stat' on two directory entries referring to same file would return different i-node numbers, thus making it look like two independent files. This has been fixed however there is a config setting on Settings/Global Share Settings called "Tunable (support hard links)". The default is Yes, but with certain very old media and DVD players which access shares via NFS, you may need to set this to No. Note: if you have custom config/extra.cfg file, get rid of any lines specifying additional FUSE options unless you know they are compatible with FUSE-3. Other improvements/bug fixes: Fixed SQLite DB Corruption bug. Format - during Format any running parity sync/check is automatically Paused and then resumed upon Format completion. Encryption - an entered passphrase is not saved to any file. Fixed bug where multi-device btrfs pool was leaving metadata set to dup instead of raid1. Fixed bug where quotes were not handled properly in passwords. Numerous base package updates including updating PHP to version 7.3.x, Samba to version 4.11.x. Several other small bug fixes and improvements. Known Issues and Other Errata Some users have reported slower parity sync/check rates for very wide arrays (20+ devices) vs. 6.7 and earlier releases - we are still studying this problem. 
In another step toward better security, the USB flash boot device is configured so that programs and scripts residing there cannot be directly executed (this is because the 'x' bit is set now only for directories). Commands placed in the 'go' file still execute because during startup, that file is copied to /tmp first and then executed from there. If you have created custom scripts you may need to take a similar approach. AFP is now deprecated and we plan to remove support. A note on password strings Password strings can contain any character however white space (space and tab characters) is handled specially: all leading and trailing white space is discarded multiple embedded white space is collapsed to a single space character. By contrast, encryption passphrase is used exactly as-is. Version 6.8.0 2019-12-10 Base distro: aaa_elflibs: version 15.0 build 16 acpid: version 2.0.32 adwaita-icon-theme: version 3.34.3 at-spi2-atk: version 2.34.1 at-spi2-core: version 2.34.0 at: version 3.2.1 atk: version 2.34.1 bash: version 5.0.011 binutils: version 2.33.1 btrfs-progs: version 5.4 bzip2: version 1.0.8 ca-certificates: version 20191130 cifs-utils: version 6.9 cpio: version 2.13 cryptsetup: version 2.2.2 curl: version 7.67.0 dbus-glib: version 0.110 dbus: version 1.12.16 dhcpcd: version 8.1.2 docker: version 19.03.5 e2fsprogs: version 1.45.4 ebtables: version 2.0.11 encodings: version 1.0.5 etc: version 15.0 ethtool: version 5.3 expat: version 2.2.9 file: version 5.37 findutils: version 4.7.0 freetype: version 2.10.1 fuse3: version 3.6.2 gdbm: version 1.18.1 gdk-pixbuf2: version 2.40.0 git: version 2.24.0 glib2: version 2.62.3 glibc-solibs: version 2.30 glibc-zoneinfo: version 2019c glibc: version 2.30 glu: version 9.0.1 gnutls: version 3.6.11.1 gtk+3: version 3.24.13 harfbuzz: version 2.6.4 haveged: version 1.9.8 hostname: version 3.23 hwloc: version 1.11.13 icu4c: version 65.1 intel-microcode: version 20191115 iproute2: version 5.4.0 iptables: version 1.8.4 iputils: 
version 20190709 irqbalance: version 1.6.0 kernel-firmware: version 20191118_e8a0f4c keyutils: version 1.6 less: version 551 libICE: version 1.0.10 libX11: version 1.6.9 libXi: version 1.7.10 libXt: version 1.2.0 libarchive: version 3.4.0 libcap-ng: version 0.7.10 libcroco: version 0.6.13 libdrm: version 2.4.99 libedit: version 20191025_3.1 libepoxy: version 1.5.4 libevdev: version 1.7.0 libevent: version 2.1.11 libgcrypt: version 1.8.5 libgudev: version 233 libidn2: version 2.3.0 libjpeg-turbo: version 2.0.3 libnftnl: version 1.1.5 libnl3: version 3.5.0 libpcap: version 1.9.1 libpciaccess: version 0.16 libpng: version 1.6.37 libpsl: version 0.21.0 librsvg: version 2.46.4 libseccomp: version 2.4.1 libssh2: version 1.9.0 libtasn1: version 4.15.0 libusb: version 1.0.23 libvirt-php: version 20190803 libvirt: version 5.8.0 (CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168) libwebp: version 1.0.3 libxml2: version 2.9.10 libxslt: version 1.1.34 libzip: version 1.5.2 lm_sensors: version 3.6.0 logrotate: version 3.15.1 lsof: version 4.93.2 lsscsi: version 0.30 lvm2: version 2.03.07 lz4: version 1.9.1 mkfontscale: version 1.2.1 mozilla-firefox: version 71.0 (CVE-2019-11751, CVE-2019-11746, CVE-2019-11744, CVE-2019-11742, CVE-2019-11736, CVE-2019-11753, CVE-2019-11752, CVE-2019-9812, CVE-2019-11741, CVE-2019-11743, CVE-2019-11748, CVE-2019-11749, CVE-2019-5849, CVE-2019-11750, CVE-2019-11737, CVE-2019-11738, CVE-2019-11747, CVE-2019-11734, CVE-2019-11735, CVE-2019-11740, CVE-2019-11754, CVE-2019-9811, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11714, CVE-2019-11729, CVE-2019-11715, CVE-2019-11716, CVE-2019-11717, CVE-2019-11718, CVE-2019-11719, CVE-2019-11720, CVE-2019-11721, CVE-2019-11730, CVE-2019-11723, CVE-2019-11724, CVE-2019-11725, CVE-2019-11727, CVE-2019-11728, CVE-2019-11710, CVE-2019-11709) (CVE-2018-6156, CVE-2019-15903, CVE-2019-11757, CVE-2019-11759, CVE-2019-11760, CVE-2019-11761, CVE-2019-11762, CVE-2019-11763, CVE-2019-11765,
CVE-2019-17000, CVE-2019-17001, CVE-2019-17002, CVE-2019-11764) (CVE-2019-11756, CVE-2019-17008, CVE-2019-13722, CVE-2019-11745, CVE-2019-17014, CVE-2019-17009, CVE-2019-17010, CVE-2019-17005, CVE-2019-17011, CVE-2019-17012, CVE-2019-17013)
    nano: version 4.6
    ncurses: version 6.1_20191026
    net-tools: version 20181103_0eebece
    nettle: version 3.5.1
    network-scripts: version 15.0
    nghttp2: version 1.40.0
    nginx: version 1.16.1 (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516)
    nodejs: version 10.16.3
    nss-mdns: version 0.14.1
    ntp: version 4.2.8p13
    openldap-client: version 2.4.48
    openssh: version 8.1p1
    openssl-solibs: version 1.1.1d
    openssl: version 1.1.1d
    p11-kit: version 0.23.18.1
    pcre2: version 10.34
    php: version 7.3.12 (CVE-2019-11042, CVE-2019-11041) (CVE-2019-11043)
    pixman: version 0.38.4
    pkgtools: version 15.0 build 28
    procps-ng: version 3.3.15
    qemu: version 4.1.1 (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) (CVE-2019-14378, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-12068, CVE-2019-11091)
    qrencode: version 4.0.2
    rpcbind: version 1.2.5
    rsyslog: version 8.1908.0
    samba: version 4.11.3 (CVE-2019-10197) (CVE-2019-10218, CVE-2019-14833, CVE-2019-14847) (CVE-2019-14861, CVE-2019-14870)
    sdparm: version 1.10
    sessreg: version 1.1.2
    setxkbmap: version 1.3.2
    sg3_utils: version 1.44
    shadow: version 4.7
    shared-mime-info: version 1.15
    sqlite: version 3.30.1
    sudo: version 1.8.29
    sysvinit-scripts: version 2.1
    sysvinit: version 2.96
    talloc: version 2.3.0
    tdb: version 1.4.2
    tevent: version 0.10.1
    ttyd: version 20191025
    usbutils: version 012
    util-linux: version 2.34
    wget: version 1.20.3
    wireguard: version 0.0.20191206
    wsdd: version 20180618 build 2
    xauth: version 1.1
    xclock: version 1.0.9
    xfsprogs: version 5.3.0
    xkeyboard-config: version 2.28
    xorg-server: version 1.20.6
    xrandr: version 1.5.1
    xterm: version 351
    xwininfo: version 1.1.5
    zstd: version 1.4.4

    Linux kernel: version 4.19.88
    CONFIG_BINFMT_MISC: Kernel support for MISC binaries
    CONFIG_CGROUP_NET_PRIO: Network priority cgroup
    CONFIG_DEBUG_FS: Debug Filesystem
    CONFIG_DUMMY: Dummy net driver support
    CONFIG_HUGETLBFS: HugeTLB file system support
    CONFIG_ICE: Intel(R) Ethernet Connection E800 Series Support
    CONFIG_IGC: Intel(R) Ethernet Controller I225-LM/I225-V support
    CONFIG_IPVLAN: IP-VLAN support
    CONFIG_IPVTAP: IP-VLAN based tap driver
    CONFIG_IP_VS: IP virtual server support
    CONFIG_IP_VS_NFCT: Netfilter connection tracking
    CONFIG_IP_VS_PROTO_TCP: TCP load balancing support
    CONFIG_IP_VS_PROTO_UDP: UDP load balancing support
    CONFIG_IP_VS_RR: round-robin scheduling
    CONFIG_MLX5_CORE_IPOIB: Mellanox 5th generation network adapters (connectX series) IPoIB offloads support
    CONFIG_NETFILTER_XT_MATCH_IPVS: "ipvs" match support
    CONFIG_NET_CLS_CGROUP: Control Group Classifier
    CONFIG_SCSI_MQ_DEFAULT: SCSI: use blk-mq I/O path by default
    CONFIG_SCSI_SMARTPQI: Microsemi PQI Driver
    CONFIG_WIREGUARD: IP: WireGuard secure network tunnel
    chelsio: add missing firmware
    change schedulers from modules to built-ins
    default scheduler now mq-deadline
    md/unraid: version 2.9.13 (multi-stream support, do not fail read-ahead, more tunables)
    increase BLK_MAX_REQUEST_COUNT from 16 to 32
    oot: Highpoint rr3740a: version: v1.17.0_18_06_15
    oot: Highpoint rsnvme: version v1.2.16_19_05_06
    oot: Highpoint r750 removed (does not work)
    oot: Intel ixgbe: version 5.6.5
    oot: Realtek r8125: version 9.002.02
    oot: Tehuti tn40xx: version 0.3.6.17.2
    oot: Tehuti tn40xx: add x3310fw_0_3_4_0_9445.hdr firmware

    Management:
    add 'scheduler' tunable for array devices
    auto-mount hugetlbfs to support kernel huge pages
    emhttpd: fix improper handling of embedded quote characters in a password
    emhttpd: correct footer notifications
    emhttpd: do not write /root/keyfile if encryption passphrase provided via webGUI
    emhttpd: properly handle encoded passwords
    emhttpd: solve deadlock issue with 'emcmd' called from a plugin
    extract OS upgrade directly to USB flash
    fix btrfs bug where converting from single to multiple pool did not balance metadata to raid1, and converting from multiple to single did not balance metadata back to single.
    fix shfs hard link initially reported as enabled but not actually enabled
    fstab: mount USB flash boot device with root-only access
    nginx.conf: configure all nginx worker threads to run as 'root'.
    nginx: disable php session expiration
    php: set very long session timeout
    samba: if netbios enabled, set 'server min protocol = NT1'
    shfs: fix bug not accounting for device(s) not mounted yet
    shfs: support FUSE3 API changes; hard links report same st_ino; hard link support configurable
    start/stop WireGuard upon server start/shutdown
    support WS-Discovery method
    support disabling NetBIOS, and set Samba 'min server protocol' and 'min client protocol' to SMB2 if disabled
    support forms-based authentication
    support mDNS local name resolution via avahi
    unRAIDServer.plg (update OS) now executes 'sync -f /boot' instead of full sync at end of update
    webgui: Add share access to user edit
    webgui: Add shares: slashes are not allowed in share name
    webgui: Add support for the self-hosted Gotify notification agent.
    webgui: Added 'F1' key to toggle help text
    webgui: Added AFP deprecated notice
    webgui: Added UPnP to access script (to support WireGuard plugin)
    webgui: Added VM XML files to diagnostics
    webgui: Added cache and disk type to shares page
    webgui: Added conditional UPnP setting on Management page
    webgui: Aligned management page layout
    webgui: Allow Safari to use websockets
    webgui: Allow outside click to close popups
    webgui: Change PluginHelpers download to be PHP Curl
    webgui: Change dashboard link for mb/mem
    webgui: Changed config folder of TELEGRAM
    webgui: Dashboard: WG tunnel handshake in days when longer than 24 hours
    webgui: Dashboard: add up/down arrows to VPN tunnel traffic
    webgui: Dashboard: adjust column width for themes azure/gray
    webgui: Dashboard: fix WG direction arrows
    webgui: Dashboard: fixed user write + read counts
    webgui: Dashboard: show titles without text-transform
    webgui: Diagnostics: Adjust for timezone from webGUI
    webgui: Diagnostics: Remove OSK info from VM xml
    webgui: Do not display error if docker log files manually deleted
    webgui: Docker and VM settings: validate path and name input
    webgui: Docker: fixed multi container updates display oddity
    webgui: Enable notifications by default
    webgui: Enhanced display of network settings
    webgui: Ensure spinner always on top
    webgui: Expanded help for Use Cache setting
    webgui: Fix custom case png not surviving reboot
    webgui: Fixed diagnostics errors when array was never started
    webgui: Fixed docker container update state
    webgui: Fixed misalignment of absent disk on Main page
    webgui: Fixed popup window in foreground
    webgui: Fixed typo in help text
    webgui: Fixed typo in shares settings
    webgui: Fixed: footer always on foreground
    webgui: Fixed: undo cleanup of disk.png
    webgui: Font, Icon and image cleanup
    webgui: If a page is loaded via https, prevent it from loading resources via http (ie, block mixed content)
    webgui: Improve Use Cache option
    webgui: Integrate CAs Plugin Helper
    webgui: Made notify script compatible with 6.8 new security scheme
    webgui: Main page: consolidate spin up/down action and device status into one
    webgui: Modified notify script to allow overriding email recipients in notification settings
    webgui: Only create session when user successfully logs in; also enable session.use_strict_mode to prevent session fixation attacks
    webgui: Open banner system to 3rd party apps
    webgui: Plugin Helpers: Follow redirects on downloads
    webgui: Rename docker repositories tab to template repositories
    webgui: Revamp Banner Warning System
    webgui: Select case correction + replace MD1510 for AVS-10/4
    webgui: Standardize on lang="en"
    webgui: Submit passphrases and passwords in base64 format
    webgui: Support wireguard plugin in download.php
    webgui: Switch download routine to be PHP Curl
    webgui: Syslog: allow up to 5 digits port numbers
    webgui: Telegram notification agent: enable group chat IDs, update helper description
    webgui: Unraid fonts and cases update
    webgui: Update ArrayDevices.page help text
    webgui: Upgrade noVNC to git commit 9f557f5
    webgui: Use complete HTML documents in popups
    webgui: Warning alert for Format operations
    webgui: dockerMan - Deprecate TemplateURL
    webgui: dockerMan: Redownload Icon if URL changes
    webgui: other minor text corrections
    webgui: show warning on login page when browser cookies are disabled
    webgui: support changed tunables on Disk Settings page
  9. 18 points
    Sneak peek, Unraid 6.8. The image is a custom "case image" I uploaded.
  10. 17 points
    Summary: Support Thread for ich777 Gameserver Dockers (CounterStrike: Source & CounterStrike: GO, TeamFortress 2, ArmA III,... - complete list in the second post)
    Application: SteamCMD
    DockerHub: https://hub.docker.com/r/ich777/steamcmd
    DonationLink: https://www.paypal.me/chips777
    All dockers are easy to set up and are highly customizable, all dockers are tested with the standard configuration (port forwarding,...) if they are reachable and show up in the server list from the "outside".
    The default password for the gameservers if enabled is: Docker
    If there is an admin password the default password is: adminDocker
    Please read the description of each docker and the variables that you install (some dockers need special variables to run). If you like my work please consider Donating for further requests of game server where I don't own the game.
    Created a Steam Group: https://steamcommunity.com/groups/dockersforunraid
  11. 17 points
    v6.8.2 uploaded. Delayed for a few reasons, had problems (and still do) with the nvidia container runtime, worked around it in the end, but not a long term solution looking forward, I'm working like a dog at the moment as my current real life job finishes in 2 days and I'm having to put a ton of extra hours in, wife a bit ungainly at the moment as very heavily pregnant so I'm having to do a bit more for our existing beast, and to add to that bass_rock has been away for work, so kind of a perfect storm of not having much time to sit down with this, although I have been trying to get it working every chance I've had. Anyways, I've tested this version, think everything is working, and I believe all the out of tree drivers are squared away. Last version (v6.8.1) might have been missing the Intel 1gb driver as I hadn't realised that it was different to the 10gb driver.
  12. 17 points
    We have this implemented for 6.8 release.
  13. 16 points
    PLEASE - PLEASE - PLEASE EVERYONE POSTING IN THIS THREAD IF YOU POST YOUR XML FOR THE VM HERE PLEASE REMOVE/OBSCURE THE OSK KEY AT THE BOTTOM. IT IS AGAINST THE RULES OF THE FORUM FOR OSK KEY TO BE POSTED....THANK YOU
    Here is a guide which explains how to use the container.
  14. 16 points
    ***Update***: Apologies, it seems like there was an update to the Unraid forums which removed the carriage returns in my code blocks. This was causing people to get errors when typing commands verbatim. I've fixed the code blocks below and all should be Plexing perfectly now.

    Granted this has been covered in a few other posts but I just wanted to have it with a little bit of layout and structure. Special thanks to @Hoopster whose post(s) I took this from.

    What is Plex Hardware Acceleration?

    When streaming media from Plex, a few things are happening. Plex will check against the device trying to play the media:
    - Media is stored in a compatible file container
    - Media is encoded in a compatible bitrate
    - Media is encoded with compatible codecs
    - Media is a compatible resolution
    - Bandwidth is sufficient
    If all of the above is met, Plex will Direct Play or send the media directly to the client without being changed. This is great in most cases as there will be very little if any overhead on your CPU.

    This should be okay in most cases, but you may be accessing Plex remotely or on a device that is having difficulty with the source media. You could either manually convert each file or get Plex to transcode the file on the fly into another format to be played.

    A simple example: Your source file is stored in 1080p. You're away from home and you have a crappy internet connection. Playing the file in 1080p is taking up too much bandwidth so to get a better experience you can watch your media in glorious 240p without stuttering / buffering on your little mobile device by getting Plex to transcode the file first. This is because a 240p file will require considerably less bandwidth compared to a 1080p file.

    The issue is that depending on which format you're transcoding from and to, this can absolutely pin all your CPU cores at 100% which means you're gonna have a bad time. Fortunately Intel CPUs have a little thing called Quick Sync which is their native hardware encoding and decoding core. This can dramatically reduce the CPU overhead required for transcoding and Plex can leverage this using their Hardware Acceleration feature.

    How Do I Know If I'm Transcoding?

    You're able to see how media is being served by first playing something on a device. Log into Plex and go to Settings > Status > Now Playing

    As you can see this file is being direct played, so there's no transcoding happening. If you see (throttled) it's a good sign. It just means that your Plex Media Server is able to perform the transcode faster than is necessary.

    To initiate some transcoding, go to where your media is playing. Click on Settings > Quality > Show All > Choose a Quality that isn't the Default one

    If you head back to the Now Playing section in Plex you will see that the stream is now being Transcoded. I have Quick Sync enabled hence the "(hw)" which stands for, you guessed it, Hardware. "(hw)" will not be shown if Quick Sync isn't being used in transcoding.

    Prerequisites

    1. A Plex Pass - If you require Plex Hardware Acceleration. Test to see if your system is capable before buying a Plex Pass.
    2. Intel CPU that has Quick Sync Capability - Search for your CPU using Intel ARK
    3. Compatible Motherboard

    You will need to enable iGPU on your motherboard BIOS. In some cases this may require you to have the HDMI output plugged in and connected to a monitor in order for it to be active. If you find that this is the case on your setup you can buy a dummy HDMI doo-dad that tricks your unRAID box into thinking that something is plugged in.

    Some machines like the HP MicroServer Gen8 have iLO / IPMI which allows the server to be monitored / managed remotely. Unfortunately this means that the server has 2 GPUs and ALL GPU output from the server passed through the ancient Matrox GPU. So as far as any OS is concerned even though the Intel CPU supports Quick Sync, the Matrox one doesn't. =/ You'd have better luck using the new unRAID Nvidia Plugin.

    Check Your Setup

    If your config meets all of the above requirements, give these commands a shot, you should know straight away if you can use Hardware Acceleration. Login to your unRAID box using the GUI and open a terminal window. Or SSH into your box if that's your thing. Type:

        cd /dev/dri
        ls

    If you see an output like the one above your unRAID box has its Quick Sync enabled. The two items we're interested in specifically are card0 and renderD128. If you can't see it not to worry, type this:

        modprobe i915

    There should be no return or errors in the output. Now again run:

        cd /dev/dri
        ls

    You should see the expected items, i.e. card0 and renderD128

    Give your Container Access

    Lastly we need to give our container access to the Quick Sync device. I am going to passively aggressively mention that they are indeed called containers and not dockers. Dockers are manufacturers of boots and pants company and have nothing to do with virtualization or software development, yet. Okay rant over.

    We need to do this because the Docker host and its underlying containers don't have access to anything on unRAID unless you give it to them. This is done via Paths, Ports, Variables, Labels or in this case Devices. We want to provide our Plex container with access to one of the devices on our unRAID box. We need to change the relevant permissions on our Quick Sync Device which we do by typing into the terminal window:

        chmod -R 777 /dev/dri

    Once that's done head over to the Docker Tab, click on your Plex container.
    Scroll to the bottom, click on Add another Path, Port, Variable
    Select Device from the drop down
    Enter the following:
        Name: /dev/dri
        Value: /dev/dri
    Click Save followed by Apply.

    Log back into Plex and navigate to Settings > Transcoder. Click on the button to SHOW ADVANCED. Enable "Use hardware acceleration where available".

    You can now do the same test we did above by playing a stream, changing its Quality to something that isn't its original format and checking the Now Playing section to see if Hardware Acceleration is enabled. If you see "(hw)" congrats! You're using Quick Sync and Hardware acceleration.

    Persist your config

    On Reboot unRAID will not run those commands again unless we put it in our go file. So when ready type into terminal:

        nano /boot/config/go

    Add the following lines to the bottom of the go file:

        modprobe i915
        chmod -R 777 /dev/dri

    Press Ctrl X, followed by Y to save your go file. And you should be golden!
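    Added example, not part of the original post: a POSIX shell check to run after the steps above (or after a reboot) that confirms the two nodes the guide names exist and reports the resulting modes, including how many entries under /dev/dri are writable by every local user once the chmod has run. The function names and the optional directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the optional
# directory argument are illustrative; the directory defaults to /dev/dri.

# Succeeds only if both nodes the guide looks for are present.
has_expected_nodes() {
    dir=${1:-/dev/dri}
    [ -e "$dir/card0" ] && [ -e "$dir/renderD128" ]
}

# Prints the number of entries (the directory itself included) that any local
# user can write to. Symlinks are skipped: their own mode bits carry no meaning.
count_world_writable() {
    dir=${1:-/dev/dri}
    [ -d "$dir" ] || { echo 0; return 2; }
    find "$dir" ! -type l -perm -0002 | wc -l | tr -d ' '
}

# Prints "mode owner:group path" for every entry, so the effect of the chmod
# step can be compared before and after it runs, or across a reboot.
list_modes() {
    dir=${1:-/dev/dri}
    [ -d "$dir" ] || return 2
    find "$dir" ! -type l -exec ls -ld {} + | awk '{print $1, $3 ":" $4, $NF}'
}

# One-shot report combining the checks above.
audit_dri() {
    dir=${1:-/dev/dri}
    if ! has_expected_nodes "$dir"; then
        echo "card0/renderD128 not found under $dir (is the i915 module loaded?)"
        return 1
    fi
    list_modes "$dir"
    echo "world-writable entries: $(count_world_writable "$dir")"
}

# Run against the real device directory only when it exists on this machine.
if [ -d /dev/dri ]; then
    audit_dri /dev/dri || true
fi
```

    Running it once before and once after the go-file lines shows exactly which nodes changed mode and who can now open them.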
  15. 15 points
    When my job, wife, daughter and sleep allow me to fit it in. For crying out loud, stop asking people. It's ready when it's ready. Now if you'll excuse me I have a game of hide and seek to play with my daughter.
  16. 14 points
    You've obviously got some ideas, why not do it? Problem is I see time and time again, is people keep telling us what we should be doing and how quick we should be doing it, now, don't be offended because this is a general observation, rather than personal. It's ten to one in the morning, I've just got back from work, I have a toddler that is going to get up in about five hours, my wife is heavily pregnant, Unraid Nvidia and beta testing just isn't up there in my list of priorities at this point. I've already looked at it and I need to look at compiling the newly added WireGuard out of tree driver. I will get around to it, but when I can. And if that means some Unraid users have to stick on v6.8.0 for a week or two then so be it, or, alternatively, forfeit GPU transcoding for a week or two, then so be it. I've tried every way I could when I was developing this to avoid completely repacking Unraid, I really did, nobody wanted to do that less than me. But, if we didn't do it this way, then we just saw loads of seg faults. I get a bit annoyed by criticism of turnaround time, because, as this forum approaches 100,000 users, how many actually give anything back? And of all the people who tell us how we should be quicker, how many step up and do it themselves? TL:DR It'll be ready when it's ready, not a moment sooner, and if my wife goes into labour, well, probably going to get delayed. My life priority order: 1. Wife/kids 2. Family 3. Work (Pays the mortgage and puts food on the table) @Marshalleq The one big criticism I have is comparing this to ZFS plugin, no disrespect, that's like comparing apples to oranges. Until you understand, and my last lengthy post on this thread might give you some insight. Please refrain from complaining. ZFS installs a package at boot, we replace every single file that makes up Unraid other than bzroot-gui. I've said it before, I'll say it again. WE ARE VOLUNTEERS Want enterprise level turnaround times, pay my wages.
  17. 14 points
    This was an interesting one, builds completed and looked fine, but wouldn't boot, which was where the fun began. Initially I thought it was just because we were still using GCC v8 and LT had moved to GCC v9, alas that wasn't the case. After examining all the bits and watching the builds I tried to boot with all the Nvidia files but using a stock bzroot, which worked. So then tried to unpack and repack a stock bzroot, which also reproduced the error. And interestingly the repackaged stock bzroot was about 15mb bigger. Asked LT if anything had changed, as we were still using the same commands as we were when I started this back in ~June 2018. Tom denied anything had changed their end recently. Just told us they were using xz --check=crc32 --x86 --lzma2=preset=9 to pack bzroot with. So changed the packaging to use that for compression, still wouldn't work. At one point I had a repack that worked, but when I tried a build again, I couldn't reproduce it, which induced a lot of head scratching and I assumed my version control of the changes I was making must have been messed up, but damned if I could reproduce a working build, both @bass_rock and me were trying to get something working with no luck. Ended up going down a rabbit hole of analysing bzroot with binwalk, and became fairly confident that the microcode prepended to the bzroot file was good, and it must be the actual packaging of the root filesystem that was the error. We focused in on the two lines relevant the problem being LT had given us the parameter to pack with, but that is receiving an input from cpio so can't be fully presumed to be good, and we still couldn't ascertain that the actual unpack was valid, although it looked to give us a complete root filesystem. Yesterday @bass_rock and I were both running "repack" tests on a stock bzroot to try and get that working, confident that if we could do that the issue would be solved. Him on one side of the pond and me on the other..... 
changing a parameter at a time and discussing it over Discord. Once again managed to generate a working bzroot file, but tested the same script again and it failed. Got to admit that confused the hell out of me..... Had to go to the shops to pick up some stuff, which gave me a good hour in the car to think about things and I had a thought, I did a lot of initial repacking on my laptop rather than via an ssh connection to an Unraid VM, and I wondered if that may have been the reason I couldn't reproduce the working repack. Reason being, tab completion on my Ubuntu based laptop means I have to prepend any script with ./ whereas on Unraid I can just enter the first two letters of the script name and tab complete will work, obviously I will always take the easiest option. I asked myself if the working build I'd got earlier was failing because it was dependent on being run using ./ and perhaps I'd run it like that on the occasions it had worked. Chatted to bass_rock about it and he kicked off a repackaging of stock bzroot build with --no-absolute-filenames removed from the cpio bit and it worked, we can only assume something must have changed LT side at some point. To put it into context this cpio snippet we've been using since at least 2014/5 or whenever I started with the DVB builds. The scripts to create a Nvidia build are over 800 lines long (not including the scripts we pull in from Slackbuilds) and we had to change 2 of them........ There are 89 core dependencies, which occasionally change with an extra one added or a version update of one of these breaks things. I got a working Nvidia build last night and was testing it for 24 hours then woke up to find FML Slackbuilds have updated the driver since. Have run a build again, and it boots in my VM. Need to test transcoding on bare metal but I can't do that as my daughter is watching a movie, so it'll have to wait until either she goes for a nap or the movie finishes. 
    Just thought I'd give some background for context, please remember all the plugin and docker container authors on here do this in our free time, people like us, Squid, dlandon, bonienl et al put a huge amount of work in, and we do the best we can. Comments like this are not helpful, nor appreciated, so please read the above to find out, and get some insight into why you had to endure the "exhaustion" of constant reminders to upgrade to RC7. Comments like this are welcome and make me happy..... EDIT: Tested and working, uploading soon.
  18. 13 points
    I haven't "danced" around anything, sorry if it appears like that. How does this apply in an Unraid server environment? Yes this is something we're looking at. why? why? There is only one user: root. You can set file permissions however you want using standard linux command line tools. Again, what are you trying to accomplish? We do have plans to introduce the idea of multiple admin users with various roles they can take on within the Management Utility. For example, maybe you create a user named "Larry" who only has access to the Shares page with ability to browse shares only they have access to. However this functionality is not high on the list of features we want/need to implement. Earlier you were confused by my term "appliance". What this means is the server has a single user that can manage the box. If you don't have the root user password, all you can do is access shares on the network that you have permission for, and access Docker webUI's - but most of these have their own login mechanism. Things like the flash share exported by default, new shares public by default, telnet enabled by default, SMBv1 enabled by default, etc. are all simplifications to reduce frustration by new users. Nothing more frustrating than creating a share and then getting "You do not have permission..." when trying to browse your new share. We are trying to reduce the swearing and kicking of dogs by new users just trying to use the server. Eventually everyone needs to be more security conscious - and in that spirit we are working on "wizards" that will guide a user to setting up the correct settings for their needs. I hope this starts to answer some questions and sorry if I came across flippant to your concerns, but trust me, security is a foremost concern and to have someone imply otherwise ticks me off to be honest.
  19. 13 points
  20. 13 points
    The corruption occurred as a result of failing a read-ahead I/O operation with "BLK_STS_IOERR" status. In the Linux block layer each READ or WRITE can have various modifier bits set. In the case of a read-ahead you get READ|REQ_RAHEAD which tells I/O driver this is a read-ahead. In this case, if there are insufficient resources at the time this request is received, the driver is permitted to terminate the operation with BLK_STS_IOERR status. Here is an example in Linux md/raid5 driver. In case of Unraid it can definitely happen under heavy load that a read-ahead comes along and there are no 'stripe buffers' immediately available. In this case, instead of making calling process wait, it terminated the I/O. This has worked this way for years.

    When this problem first happened there were conflicting reports of the config in which it happened. My first thought was an issue in user share file system. Eventually ruled that out and next thought was cache vs. array. Some reports seemed to indicate it happened with all databases on cache - but I think those reports were mistaken for various reasons. Ultimately decided issue had to be with md/unraid driver. Our big problem was that we could not reproduce the issue but others seemed to be able to reproduce with ease. Honestly, thinking failing read-aheads could be the issue was a "hunch" - it was either that or some logic in scheduler that merged I/O's incorrectly (there were kernel bugs related to this with some pretty extensive patches and I thought maybe developer missed a corner case - this is why I added config setting for which scheduler to use). This resulted in release with those 'md_restrict' flags to determine if one of those was the culprit, and what-do-you-know, not failing read-aheads makes the issue go away.

    What I suspect is that this is a bug in SQLite - I think SQLite is using direct-I/O (bypassing page cache) and issuing its own read-aheads and their logic to handle failing read-ahead is broken. But I did not follow that rabbit hole - too many other problems to work on.
  21. 13 points
    Overview of what Macinabox does. This is a container that is designed to help make installing a macOS KVM Virtual Machine very easy. The VM doesn't run in a docker container but runs as a full fat Unraid KVM VM selectable in the VM tab of the webUI. However your server's hardware must be 'fairly' modern to run a macOS VM. You are going to need a CPU that supports SSE 4.2 & AVX2 for macOS Mojave and above to work. Both Intel and AMD processors are fine to use. To use just select the OS type, vdisk type and size. (I suggest you use raw disk type.) Then let Macinabox make a vdisk for the install, download the recovery media, clover boot-loader and create a vm xml file that is preconfigured to work. (The xml files created will have unique uuids and network mac addresses.) Sit back and let the container do its stuff - note - To see the progress of the container, you do this by looking at the log whilst it runs. You will know when it has finished as you will see a message saying to stop then start the array. This container doesn't have a webUI (but clicking on the webUI button of this container will just take you to a video of how to use this container).

    So after the container has done its stuff. Stop the array then start it again and the VM will become visible in the Unraid VM manager. (You will not see it if you don't do this.) Click start to start the VM and you will boot into a clover boot-loader. Then press enter to continue to load the recovery media. Go to disk utility and format the vdisk. Close disk utility. Select re-install macOS then sit back and wait until done. Please be patient when installing as the install speed will depend on your internet connection and how busy the Apple servers are. After installing the VM don't run the container again or else it will overwrite the vdisk with the install on. (I will change this so it can't happen soon.) Probably best after installing to remove the container for now just to be safe.

    edit - I have now added checks to stop the container re-downloading install media if run again. It will also check for an existing vdisk and if found not create another and therefore not overwrite it. Same goes for the xml file. However if the container is run again it will download another clover and ovmf files. I have done this so people can easily update clover and ovmf files if needed.
  22. 13 points
    To upgrade: If you are running any 6.4 or later release, click 'Check for Updates' on the Tools/Update OS page. If you are running a pre-6.4 release, click 'Check for Updates' on the Plugins page. If the above doesn't work, navigate to Plugins/Install Plugin, select/copy/paste this plugin URL and click Install: https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer.plg Refer also to @ljm42 excellent 6.4 Update Notes which are helpful especially if you are upgrading from a pre-6.4 release. Bugs: If you discover a bug or other issue in this release, please open a Stable Releases Bug Report. This is a bug fix and security update release. Due to another set of processor vulnerabilities called Zombieland, and a set of TCP denial-of-service vulnerabilities called SACK panic, all users are encouraged to update. We are also still trying to track down the source of SQLite Database corruption. It will also be very helpful for those affected by this issue to also upgrade to this release. 
    Version 6.7.1 2019-06-22

    Base distro:
    btrfs-progs: version 5.1.1
    curl: version 7.65.1 (CVE-2019-5435, CVE-2019-5436)
    dhcpcd: version 7.2.2
    docker: version 18.09.6
    kernel-firmware: version 20190607_1884732
    mozilla-firefox: version 66.0.5
    openssl: version 1.1.1c
    openssl-solibs: version 1.1.1c
    php: version 7.2.19 (removed sqlite support)
    samba: version 4.9.8 (CVE-2018-16860)
    xfsprogs: version 5.0.0

    Linux kernel: version: 4.19.55 (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-11833, CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)
    intel-microcode: version 20190618

    Management:
    shfs: support FUSE use_ino option
    Dashboard: added draggable fields in table
    Dashboard: added custom case image selection
    Dashboard: enhanced sorting
    Docker + VM: enhanced sorting
    Docker: disable button "Update All" instead of hiding it when no updates are available
    Fix OS update banner overhanging in Azure / Gray themes
    Do not allow plugin updates to same version
    misc style corrections
  23. 12 points
    Welcome to 6.9 beta release development! This initial -beta1 release is exactly the same code set of 6.8.3 except that the Linux kernel has been updated to 5.5.8 (latest stable as of this date). We have only done basic testing on this release; normally we would not release 'beta' code but some users require the hardware support offered by the latest kernel along with security updates added into 6.8. Important: Beta code is not fully tested and not feature-complete. We recommend running on test servers only! Unfortunately none of our out-of-tree drivers will build with this kernel. Some were reverted back to in-tree version, some were omitted. We anticipate that by the time 6.9 enters 'rc' phase, we'll be on the 5.6 kernel and hopefully some of these out-of-tree drivers will be restored. We will be phasing in some new features, improvements, and changes to address certain bugs over the coming weeks - these will all be -beta releases. Don't be surprised if you see a jump in the beta number, some releases will be private.

    Version 6.9.0-beta1 2020-03-06

    Linux kernel: version 5.5.8
    igb: in-tree
    ixgbe: in-tree
    r8125: in-tree
    r750: (removed)
    rr3740a: (removed)
    tn40xx: (removed)
  24. 12 points
    This is a bug fix and security update release.

    To upgrade:
    - If you are running any 6.4 or later release, click 'Check for Updates' on the Tools/Update OS page.
    - If you are running a pre-6.4 release, click 'Check for Updates' on the Plugins page.
    - If the above doesn't work, navigate to Plugins/Install Plugin, select/copy/paste this plugin URL and click Install: https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer.plg

    Bugs: If you discover a bug or other issue in this release, please open a Stable Releases Bug Report.

    Overview:
    - Added ability to rebalance a btrfs cache pool to different btrfs-raid levels.
    - Support a nifty password strength checker (requires the "Dynamix Password Validator" plugin).
    - Fixed issue where vdisk paths on /mnt/user were not being de-referenced due to qemu change.
    - Added ability to specify whether share file and directory names should be case sensitive or not via SMB.
    - Add docker container VPN network support.
    - Updated kernel, several base packages.
    - Several other small bug fixes.

    Version 6.8.3 2020-03-05

    Changes vs. 6.8.2

    Base distro:
    btrfs-progs: version 5.4.1
    cryptsetup: version 2.3.0
    mozilla-firefox: version 73.0.1 (CVE-2020-6796, CVE-2020-6797, CVE-2020-6798, CVE-2020-6799, CVE-2020-6800, CVE-2020-6801)
    libarchive: version 3.4.2
    libwebsockets: version 3.2.2
    smartmontools: version 7.1
    ttyd: version 20200211
    wireguard-tools: version 1.0.20200206 (build 2)
    xfsprogs: version 5.4.0

    Linux kernel:
    version 4.19.108 (CVE-2020-2732)
    kernel-firmware: version 20200207_6f89735
    oot: wireguard: version 0.0.20200215

    Management:
    rc.docker: Allow host access to containers on IPv6 subnets other than /64
    rc.inet1: add delay to allow bond initialization
    smb: add case-sensitivity config setting per share
    webgui: removed obsolete 'Notify My Android' notification agent
    webgui: Docker settings: updated help text
    webgui: Added "Reboot Now" in banner when OS upgrade is available
    webgui: dockerMan: Add Security as a category
    webgui: Docker: added container vpn network support:
    - allow extra parameters using --net= to overrule default network assignment
    - add vpn containers are referenced by name in network assignment
    - add update containers reference when vpn container is updated
    webgui: Updated: animated spinner logic
    webgui: Fixed VM settings: allow to stop service when no hardware support
    webgui: Fixed plugin manager - show correct version for "next" branch
    webgui: remove 'nl-be' from VM keyboard types
    webgui: Don't force single threaded VMs for AMD
    webgui: VMs: enable cpu cache passthrough; AMD + multithreaded
    webgui: Other miscellaneous updates and css style corrections
    webgui: Array button renaming
    webgui: Docker: curl connection time to 15s
    webgui: Fixed cloning of share attributes
    webgui: Updated VMs table styling
    webgui: Updated icon fonts
    webgui: dockerMan: Add Security as a category
    webgui: Block referrals to 3rd Party Sites
    webgui: Fix: /mnt/user path transpose for VM disks
    webgui: Preserve Reboot Required Notifications across pages
    webgui: dockerMan: Preserve \n on overview in basic mode
    webgui: diagnostics: Remove plain-text VNC password
    webgui: Device Info: added automatic status updating
    webgui: Added BTRFS balance mode dropdown options
    webgui: Disallow characters incompatible with FAT32 in share names
    webgui: Support dropbox/zxcvbn password strength meter (requires plugin)
    webgui: dockerMan: Security enhancements
    webgui: Notifications: Add switch to not send a browser notification:
    - Will be utilized by CA to send a notification, but not have the notification appear on the browser but rather as a banner warning

    Version 6.8.2 2020-01-26

    Changes vs. 6.8.1

    Base distro:
    fuse3: version 3.9.0
    php: version 7.3.14 (CVE-2020-7060, CVE-2020-7059)
    rpcbind: version 1.2.5 (rebuilt with --enable-rmtcalls option)
    ttyd: version 20200120
    wireguard-tools: version 1.0.20200121

    Linux kernel:
    version 4.19.98 (CVE-2019-14615)
    CONFIG_ENIC: Cisco VIC Ethernet NIC Support
    removed: CONFIG_IGB: Intel(R) 82575/82576 PCI-Express Gigabit Ethernet support
    removed: CONFIG_IGBVF: Intel(R) 82576 Virtual Function Ethernet support
    kernel-firmware: version 20200122_1eb2408
    oot: Intel igb: version 5.3.5.42
    oot: wireguard: version 0.0.20200121

    Management:
    rc.docker: include missing changes to support new setting "Host access to custom networks"
    rc.nginx: support custom wildcard SSL certs
    webgui: User password: hide base64 conversion
    webgui: Select username field when login page is loaded
    webgui: login: autocapitalize="none"
    webgui: Passphrase printable characters only
    webgui: Encryption: enforced keyfile selection/deletion when file exists
    webgui: Use php json_encode to properly encode notifications
    webgui: Changed Delete keyfile button placement
    webgui: Detect missing key when keyfile is deleted
    webgui: Add Network:VPN as an application category
    webgui: further hardening in auth_request.php
    webgui: Style adjustment: buttons min-width
    webgui: login page favicon now matches the green/yellow/red icon from the other webgui pages
    webgui: VM Manager: add 'virtio-win-0.1.173-2' to VirtIO-ISOs list
    webgui: Add Network:VPN as an application category
    webgui: Network settings: updated help text
    webgui: Fix link for Password Recovery on login screen

    Version 6.8.1 2020-01-10

    Changes vs. 6.8.0

    Base distro:
    libuv: version 1.34.0
    libvirt: version 5.10.0
    mozilla-firefox: version 72.0.1 (CVE-2019-17026, CVE-2019-17015, CVE-2019-17016, CVE-2019-17017, CVE-2019-17018, CVE-2019-17019, CVE-2019-17020, CVE-2019-17021, CVE-2019-17022, CVE-2019-17023, CVE-2019-17024, CVE-2019-17025)
    php: version 7.3.13 (CVE-2019-11044 CVE-2019-11045 CVE-2019-11046 CVE-2019-11047 CVE-2019-11049 CVE-2019-11050)
    qemu: version 4.2.0
    samba: version 4.11.4
    ttyd: version 20200102
    wireguard-tools: version 1.0.20200102

    Linux kernel:
    version 4.19.94
    kernel_firmware: version 20191218_c4586ff (with additional Intel BT firmware)
    CONFIG_THUNDERBOLT: Thunderbolt support
    CONFIG_INTEL_WMI_THUNDERBOLT: Intel WMI thunderbolt force power driver
    CONFIG_THUNDERBOLT_NET: Networking over Thunderbolt cable
    oot: Highpoint rr3740a: version v1.19.0_19_04_04
    oot: Highpoint r750: version v1.2.11-18_06_26 [restored]
    oot: wireguard: version 0.0.20200105

    Management:
    add cache-busting params for noVNC url assets
    emhttpd: fix cryptsetup passphrase input
    network: disable IPv6 for an interface when its settings is "IPv4 only".
    webgui: Management page: fixed typos in help text
    webgui: VM settings: fixed Apply button sometimes not working
    webgui: Dashboard: display CPU load full width when no HT
    webgui: Docker: show 'up-to-date' when status is unknown
    webgui: Fixed: handle race condition when updating share access rights in Edit User
    webgui: Docker: allow to set container port for custom bridge networks
    webgui: Better support for custom themes (not perfect yet)
    webgui: Dashboard: adjusted table positioning
    webgui: Add user name and user description verification
    webgui: Edit User: fix share access assignments
    webgui: Management page: remove UPnP conditional setting
    webgui: Escape shell arg when logging csrf mismatch
    webgui: Terminal button: give unsupported warning when Edge/MSIE is used
    webgui: Patched vulnerability in auth_request
    webgui: Docker: added new setting "Host access to custom networks"
    webgui: Patched vulnerability in template.php
  25. 12 points
    Can you promote SpaceInvaderOne? He's the only reason I use Unraid.
  26. 11 points
    Hi everyone: I am Squid's wife. I just wanted everyone to know he will be 50 on Sunday March 22nd. If you all can wish him a happy birthday that would be great. Due to Covid 19 - no party. Thanks Tracey
  27. 11 points
    Yes we are preparing a 6.9 beta release with 5.5.8 kernel, and then move to 5.6 kernel ultimately.
  28. 11 points
    Currently unRAID uses basic auth to enter credentials for the web gui, but many password managers don't support this. Would be great if we could get a proper login page. Examples This kind of login page always works with password managers. This does not
  29. 11 points
    I've been doing this for a long time now via command line with my important VMs. First, my VM vdisks are in the domains share, where I have created the individual VM directory as a btrfs subvolume instead of a normal directory, ie:

        btrfs subv create /mnt/cache/domains/my-vm

    results in:

        /mnt/cache/domains/my-vm <--- a btrfs subvolume

    Then let vm-manager create vdisks in here normally and create your VM. Next, when I want to take a snapshot I hibernate the VM (win10) or shut it down. Then from host:

        btrfs subv snapshot -r /mnt/cache/domains/my-vm /mnt/cache/domains/my-vm/backup

    Of course you can name the snapshot anything, perhaps include a timestamp. In my case, after taking this initial backup snapshot, a subsequent backup will do something like this:

        btrfs subv snapshot -r /mnt/cache/domains/my-vm /mnt/cache/domains/my-vm/backup-new

    Then I send the block differences to a backup directory on /mnt/disk1

        btrfs send -p /mnt/cache/domains/my-vm/backup /mnt/cache/domains/my-vm/backup-new | pv | btrfs receive /mnt/disk1/Backup/domains/my-vm

    and then delete backup and rename backup-new to backup.

    What we want to do is add option in VM manager that says, "Create snapshot upon shut-down or hibernation" and then add a nice GUI to handle snapshots and backups. I have found btrfs send/recv somewhat fragile which is one reason we haven't tackled this yet. Maybe there's some interest in a blog post describing the process along with the script I use?
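    The snapshot rotation described in the post above, as an added example; it is not the poster's script. It assumes the backup directory is on a btrfs filesystem, rotates the received snapshot on the backup side the same way as on the source, and adds a full send for the very first run; `run`, `send_stream`, `backup_vm` and `DRY_RUN` are names made up here.

```shell
#!/bin/sh
# Added example (not the poster's script): incremental backup of one VM
# subvolume with read-only snapshots and btrfs send/receive.
# Assumptions: DEST is a directory on a btrfs filesystem, and the received
# snapshot is rotated on the backup side the same way as on the source.
# Usage: sh vm-backup.sh /mnt/cache/domains/my-vm /mnt/disk1/Backup/domains/my-vm
# Set DRY_RUN=1 to print the commands instead of running them.

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# send_stream DEST ARGS...: "btrfs send ARGS | btrfs receive DEST", failing if
# either side fails (plain sh reports only the last command of a pipeline).
send_stream() {
    dest=$1; shift
    if [ -n "${DRY_RUN:-}" ]; then
        echo "btrfs send $* | btrfs receive $dest"
        return 0
    fi
    rcfile=$(mktemp) || return 1
    { btrfs send "$@"; echo "$?" > "$rcfile"; } | btrfs receive "$dest"
    recv_rc=$?
    send_rc=$(cat "$rcfile"); rm -f "$rcfile"
    [ "$recv_rc" -eq 0 ] && [ "${send_rc:-1}" -eq 0 ]
}

# backup_vm SUBVOL DEST: take a snapshot with the VM shut down or hibernated,
# ship it, and rotate the snapshots only if the transfer succeeded.
backup_vm() {
    subvol=$1; dest=$2
    old="$subvol/backup"; new="$subvol/backup-new"

    if [ ! -d "$old" ]; then
        # First run: no parent snapshot exists yet, so send the whole snapshot.
        run btrfs subvolume snapshot -r "$subvol" "$old" || return 1
        send_stream "$dest" "$old" || return 1
        return 0
    fi

    if [ -e "$new" ] || [ -e "$dest/backup-new" ]; then
        echo "leftover backup-new from a failed run; inspect before retrying" >&2
        return 2
    fi

    run btrfs subvolume snapshot -r "$subvol" "$new" || return 1
    # Send only the blocks that differ from the previous snapshot.
    if ! send_stream "$dest" -p "$old" "$new"; then
        echo "send/receive failed; keeping $old as the parent" >&2
        return 1
    fi
    # Rotate only after the stream arrived intact, on both sides.
    run btrfs subvolume delete "$old" &&
    run mv "$new" "$old" &&
    run btrfs subvolume delete "$dest/backup" &&
    run mv "$dest/backup-new" "$dest/backup"
}

if [ "$#" -eq 2 ]; then
    backup_vm "$1" "$2"
fi
```

    Run it once with DRY_RUN=1 to review the exact commands before letting it touch a real subvolume.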
  30. 11 points
    Thanks for the fix @bluemonster ! Here is a bash file that will automatically implement the fix in 6.7.2 (and probably earlier, although I'm not sure how much earlier): https://gist.github.com/ljm42/74800562e59639f0fe1b8d9c317e07ab

    It is meant to be run using the User Scripts plugin, although that isn't required. Note that you need to re-run the script after every reboot. Remember to uninstall the script after you upgrade to Unraid 6.8. More details in the script comments.
  31. 10 points
    Just caught onto this today (Thx @SpaceInvaderOne !), saw we're "only" #2, which just won't do --- Just "remembered" I have a Threadripper 2950x new in box - was going to sell the old dual Xeon E5 V2s and upgrade, but now going to bring this out & join the fray with the I9-9900 Hackintosh [AMD 580] and Ryzen 3700x. The threadripper will have to go "benchtop bare" for now, but that's OK. Should probably just use the office for a sauna now 🥵. Think the UPS is sweating a tad....

    I am regional medical director for a company that does home medical visits on the sickest of the (US Medicare) population, IE top tier risk for COVID, avg. patient age 80+. We have offices in all the top affected cities in US so far. We're working nonstop to try to keep our patients safe at home. We've had to retreat temporarily to mostly telephonic visits due to shortage of PPE (protective gear) til our supply improves so we don't spread it to them - very frustrating. Now I can feel better about being stuck at home, still helping on the compute side as well til we get to get back safely in their homes.

    I wanted to thank everyone here for being so eager to take part / take action and with such impressive results. It means a lot in the medical world to see folks being resourceful and doing their part. Please stay home, stay safe, and round up some more CPUs for this !
  32. 10 points
  33. 10 points
    Due to a security vulnerability discovered in forms-based authentication: ALL USERS ARE STRONGLY ENCOURAGED TO UPGRADE

    To upgrade:
    - If you are running any 6.4 or later release, click 'Check for Updates' on the Tools/Update OS page.
    - If you are running a pre-6.4 release, click 'Check for Updates' on the Plugins page.
    - If the above doesn't work, navigate to Plugins/Install Plugin, select/copy/paste this plugin URL and click Install: https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer.plg

    Refer also to @ljm42's excellent 6.4 Update Notes which are helpful especially if you are upgrading from a pre-6.4 release.

    Bugs: If you discover a bug or other issue in this release, please open a Stable Releases Bug Report.

    Overview

    This is a bug fix and security update release.
    - Some users are reporting problems booting due to a crash in the in-tree Intel IGB ethernet driver. We replaced the in-tree driver with latest out-of-tree driver.
    - We fixed a longstanding issue where LibreELEC/Kodi could not browse NFS shares. The fix was to rebuild the rpcbind program, including a new option: --enable-rmtcalls
    - Version 6.8.1 included a new docker option "Host access to custom networks" (thanks @bonienl) but I left out a critical change in the rc.docker script, sorry about that, now fixed.
    - Fixed an encryption issue: if you first tried 'keyfile' method to specify encryption key, and that fails, any attempt to enter a passphrase would also fail, since a keyfile still exists, emhttpd used that as encryption key. This is fixed in webGUI by detecting presence of an encryption keyfile and offering only to re-download a new keyfile or delete the current one. Once deleted, you can then enter a passphrase.
    - Small change to properly support custom SSL wildcard certs (thanks @ljm42)
    - Updated kernel, wireguard, other base packages
    - Numerous webGUI fixes and refinements (thanks @bonienl, @Squid, @gfjardim)

    A note regarding encryption passphrases: There is a warning in the Help text for passphrase which reads: Prior to this release (6.8.2) we did not enforce this restriction, but now we are. Unfortunately this means for those who have previously used a passphrase including other characters, you will need to use the "keyfile" method. We will add a feature in a future release that will let you change your passphrase/keyfile.

    Version 6.8.2 2020-01-26

    Changes vs. 6.8.1

    Base distro:
    fuse3: version 3.9.0
    php: version 7.3.14 (CVE-2020-7060, CVE-2020-7059)
    rpcbind: version 1.2.5 (rebuilt with --enable-rmtcalls option)
    ttyd: version 20200120
    wireguard-tools: version 1.0.20200121

    Linux kernel:
    version 4.19.98 (CVE-2019-14615)
    CONFIG_ENIC: Cisco VIC Ethernet NIC Support
    removed: CONFIG_IGB: Intel(R) 82575/82576 PCI-Express Gigabit Ethernet support
    removed: CONFIG_IGBVF: Intel(R) 82576 Virtual Function Ethernet support
    kernel-firmware: version 20200122_1eb2408
    oot: Intel igb: version 5.3.5.42
    oot: wireguard: version 0.0.20200121

    Management:
    rc.docker: include missing changes to support new setting "Host access to custom networks"
    rc.nginx: support custom wildcard SSL certs
    webgui: User password: hide base64 conversion
    webgui: Select username field when login page is loaded
    webgui: login: autocapitalize="none"
    webgui: Passphrase printable characters only
    webgui: Encryption: enforced keyfile selection/deletion when file exists
    webgui: Use php json_encode to properly encode notifications
    webgui: Changed Delete keyfile button placement
    webgui: Detect missing key when keyfile is deleted
    webgui: Add Network:VPN as an application category
    webgui: further hardening in auth_request.php
    webgui: Style adjustment: buttons min-width
    webgui: login page favicon now matches the green/yellow/red icon from the other webgui pages
    webgui: VM Manager: add 'virtio-win-0.1.173-2' to VirtIO-ISOs list
    webgui: Add Network:VPN as an application category
    webgui: Network settings: updated help text
    webgui: Fix link for Password Recovery on login screen

    Version 6.8.1 2020-01-10

    Changes vs. 6.8.0

    Base distro:
    libuv: version 1.34.0
    libvirt: version 5.10.0
    mozilla-firefox: version 72.0.1 (CVE-2019-17026, CVE-2019-17015, CVE-2019-17016, CVE-2019-17017, CVE-2019-17018, CVE-2019-17019, CVE-2019-17020, CVE-2019-17021, CVE-2019-17022, CVE-2019-17023, CVE-2019-17024, CVE-2019-17025)
    php: version 7.3.13 (CVE-2019-11044 CVE-2019-11045 CVE-2019-11046 CVE-2019-11047 CVE-2019-11049 CVE-2019-11050)
    qemu: version 4.2.0
    samba: version 4.11.4
    ttyd: version 20200102
    wireguard-tools: version 1.0.20200102

    Linux kernel:
    version 4.19.94
    kernel_firmware: version 20191218_c4586ff (with additional Intel BT firmware)
    CONFIG_THUNDERBOLT: Thunderbolt support
    CONFIG_INTEL_WMI_THUNDERBOLT: Intel WMI thunderbolt force power driver
    CONFIG_THUNDERBOLT_NET: Networking over Thunderbolt cable
    oot: Highpoint rr3740a: version v1.19.0_19_04_04
    oot: Highpoint r750: version v1.2.11-18_06_26 [restored]
    oot: wireguard: version 0.0.20200105

    Management:
    add cache-busting params for noVNC url assets
    emhttpd: fix cryptsetup passphrase input
    network: disable IPv6 for an interface when its settings is "IPv4 only".
    webgui: Management page: fixed typos in help text
    webgui: VM settings: fixed Apply button sometimes not working
    webgui: Dashboard: display CPU load full width when no HT
    webgui: Docker: show 'up-to-date' when status is unknown
    webgui: Fixed: handle race condition when updating share access rights in Edit User
    webgui: Docker: allow to set container port for custom bridge networks
    webgui: Better support for custom themes (not perfect yet)
    webgui: Dashboard: adjusted table positioning
    webgui: Add user name and user description verification
    webgui: Edit User: fix share access assignments
    webgui: Management page: remove UPnP conditional setting
    webgui: Escape shell arg when logging csrf mismatch
    webgui: Terminal button: give unsupported warning when Edge/MSIE is used
    webgui: Patched vulnerability in auth_request
    webgui: Docker: added new setting "Host access to custom networks"
    webgui: Patched vulnerability in template.php
  34. 10 points
    Disable Security Mitigations

    Thanks to @cybrnook's research (https://forums.unraid.net/topic/80235-disabling-spectremeltdownzombieload-mitigations/), this plugin will disable the OS mitigations for Spectre, Meltdown, and Zombieload (MDS) to possibly give you better CPU performance.

    Note that these mitigations are valid security concerns, and depending upon your workload you may want them mitigated. Myself, I'm not running a bank out of my house, and I don't think that the odds are too great that Plex would ever implement a Meltdown hack on my server to try and figure out my passwords (which don't exist anywhere on the server in the first place), so I'd just as soon have my CPU power back. That, and Spectre et al. are all proof of concept hacks.

    But disabling these mitigations is definitely one of the "Use at your own risk" type of thing. If your lawyer gets hauled before a FISA court, and can't tell you why, and you've wound up being transported off to another country where all sorts of things can be done to you simply because it's not on American soil all without due process, then don't blame me.

    Find it in the Apps tab by searching for Disable Security Mitigations, and then go to the Settings Tab (User Preferences), Mitigation Settings (6.7.0+ only).

    Note that the plugin will only disable the mitigations for your default boot mode. All other boot modes are left untouched (ie: Safe Mode will have all mitigations enabled). Also, while the plugin isn't required per se to be installed once the mitigations are disabled, uninstalling the plugin will automatically re-enable all of the mitigations.
  35. 10 points
    New in Unraid OS 6.8 release:

    The unRAIDServer.plg file (update OS) still downloads the new release zip file to RAM but then extracts directly to USB flash boot device. You will probably notice a slight difference in speed of extract messages. There is still a 'sync' command at the end, which causes each device to spin up serially as Linux kernel syncs each device (why does kernel do this serially? I have no idea). I am tempted to remove this because a Reboot of course spins everything up in parallel, but I'm concerned about users out there who might just hit Reset button and USB flash write data is not fully written.

    Forms based authentication
    If you have set a root password for your server, upon boot you'll now see a nice login form. There still is only one user for Unraid so for username enter root. This form should be compatible with all major password managers out there. We always recommend using a strong password. We have auto-logout set to 1 hour.

    Linux kernel 5.3
    - default scheduler now 'mq-deadline'
    - enabled Huge Page support, though no UI control yet
    - binfmt_misc support
    - added "Vega 10 Reset bug" patch
    - more device drivers

    Some out-of-tree (oot) drivers are currently omitted either because the source code doesn't compile or driver doesn't work with the 5.3 kernel:
    - Intel ixgbe [does not build] (using in-tree driver)
    - Highpoint r750 [does not work]
    - Highpoint rr3740a [does not build]
    This is always the risk with including vendor-supplied drivers. Until the vendor fixes their code we must omit their driver.

    md/unraid driver
    Introduced "multi-stream" support:
    - Reads on devices which are not being written should run at full speed. In addition, if you have set the md_write_method tunable to "reconstruct write", then while writing, if any read streams are detected, the write method is switched to "read/modify/write".
    - Parity sync/check should run at full speed by default.
    - Parity sync/check can be throttled back in presence of other active streams.
    - The "stripe pool" resource is automatically shared evenly between all active streams.
    As a result got rid of some Tunables:
    - md_sync_window
    - md_sync_thresh
    and added some tunables:
    - md_queue_limit
    - md_sync_limit
    Please refer to Settings/Disk Settings help text for description of these settings.

    Remaining issue: some users have reported slower parity sync/check rates for very wide arrays (20+ devices) vs. 6.7 and earlier releases - we are still studying this problem.

    WireGuard support - available as a plugin via Community Apps. Our WireGuard implementation and UI is still a work-in-process; for this reason we have made this available as a plugin, though the latest WireGuard module is included in our Linux kernel. Full WireGuard implementation will be merged into Unraid OS itself in a future release. I want to give special thanks to @bonienl who wrote the plugin with lots of guidance from @ljm42 - thank you! I also should give a shout out to @NAS who got us rolling on this. If you don't know about WireGuard it's something to look into! Guide here:

    WS-Discovery support - Finally you can get rid of SMBv1 and get reliable Windows network discovery. This feature is configured on the Settings/SMB Settings page and enabled by default. Also on same settings page is Enable NetBIOS setting. This is enabled by default, however if you no longer have need for NetBIOS discovery you can turn it off. When turned off, Samba is configured to accept only SMBv2 protocol and higher.

    Added mDNS client support in Unraid OS. This means, for example, from an Unraid OS terminal session to ping another Unraid OS server on your network you can use (e.g., 'tower'):

        ping tower.local

    instead of

        ping tower

    Note the latter will still work if you have NetBIOS enabled.

    User Share File System (shfs) changes:
    - Integrated FUSE-3 - This should increase performance of User Share File System somewhat.
    - Fixed bug with hard link support. Previously a 'stat' on two directory entries referring to same file would return different i-node numbers, thus making it look like two independent files. This has been fixed however there is a config setting on Settings/Global Share Settings called "Tunable (support hard links)". The default is Yes, but with certain very old media and DVD players which access shares via NFS, you may need to set this to No.
    Note: if you have custom config/extra.cfg file, get rid of it.

    Other improvements/bug fixes:
    - Format - during Format any running parity sync/check is automatically Paused and then resumed upon Format completion.
    - Encryption - an entered passphrase is not saved to any file. Also included an API for Unassigned devices plugin to open encrypted volumes.
    - Fixed bug where multi-device btrfs pool was leaving metadata set to dup instead of raid1.
    - Several other small bug fixes and improvements.
    - Numerous base package updates.

    Finally - please note that AFP is now deprecated and we plan to remove in Unraid 6.9 release.
Version 6.8.0-rc1 2019-10-11 Base distro: aaa_elflibs: version 15.0 build 11 acpid: version 2.0.32 at-spi2-atk: version 2.34.0 at-spi2-core: version 2.34.0 atk: version 2.34.1 bash: version 5.0.011 btrfs-progs: version 5.2.2 bzip2: version 1.0.8 ca-certificates: version 20190826 cifs-utils: version 6.9 cryptsetup: version 2.2.1 curl: version 7.66.0 dbus: version 1.12.16 dbus-glib: version 0.110 dhcpcd: version 8.0.6 docker: version 19.03.3 e2fsprogs: version 1.45.4 encodings: version 1.0.5 etc: version 15.0 ethtool: version 5.3 expat: version 2.2.9 file: version 5.37 findutils: version 4.7.0 freetype: version 2.10.1 fuse3: version 3.6.2 gdbm: version 1.18.1 gdk-pixbuf2: version 2.38.2 git: version 2.23.0 glib2: version 2.62.0 glibc-solibs: version 2.30 glibc-zoneinfo: version 2019c glibc: version 2.30 glu: version 9.0.1 gnutls: version 3.6.10 gtk+3: version 3.24.10 harfbuzz: version 2.6.0 haveged: version 1.9.8 hostname: version 3.22 hwloc: version 1.11.13 icu4c: version 64.2 intel-microcode: version 20190918 iproute2: version 5.3.0 iptables: version 1.8.3 iputils: version 20190709 irqbalance: version 1.6.0 less: version 551 libICE: version 1.0.10 libX11: version 1.6.8 libXi: version 1.7.10 libXt: version 1.2.0 libarchive: version 3.4.0 libcap-ng: version 0.7.10 libcroco: version 0.6.13 libdrm: version 2.4.99 libedit: version 20190324_3.1 libevdev: version 1.7.0 libevent: version 2.1.11 libgcrypt: version 1.8.5 libgudev: version 233 libjpeg-turbo: version 2.0.3 libnftnl: version 1.1.4 libnl3: version 3.5.0 libpcap: version 1.9.1 libpciaccess: version 0.16 libpng: version 1.6.37 libpsl: version 0.21.0 librsvg: version 2.44.14 libseccomp: version 2.4.1 libssh2: version 1.9.0 libtasn1: version 4.14 libusb: version 1.0.23 libvirt-php: version 0.5.5 libvirt: version 5.7.0 (CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168) libwebp: version 1.0.3 libzip: version 1.5.2 logrotate: version 3.15.1 lsof: version 4.93.2 lsscsi: version 0.30 lvm2: version 2.03.05 
lz4: version 1.9.1 mkfontscale: version 1.2.1 mozilla-firefox: version 68.0.2 (CVE-2019-11751, CVE-2019-11746, CVE-2019-11744, CVE-2019-11742, CVE-2019-11736, CVE-2019-11753, CVE-2019-11752, CVE-2019-9812, CVE-2019-11741, CVE-2019-11743, CVE-2019-11748, CVE-2019-11749, CVE-2019-5849, CVE-2019-11750, CVE-2019-11737, CVE-2019-11738, CVE-2019-11747, CVE-2019-11734, CVE-2019-11735, CVE-2019-11740, CVE-2019-11754, CVE-2019-9811, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11714, CVE-2019-11729, CVE-2019-11715, CVE-2019-11716, CVE-2019-11717, CVE-2019-11718, CVE-2019-11719, CVE-2019-11720, CVE-2019-11721, CVE-2019-11730, CVE-2019-11723, CVE-2019-11724, CVE-2019-11725, CVE-2019-11727, CVE-2019-11728, CVE-2019-11710, CVE-2019-11709) nano: version 4.5 ncurses: version 6.1_20190720 net-tools: version 20181103_0eebece nettle: version 3.5.1 nghttp2: version 1.39.2 nginx: version 1.16.1 (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516) nodejs: version 10.16.3 nss-mdns: version 0.14.1 ntp: version 4.2.8p13 openldap-client: version 2.4.48 openssh: version 8.0p1 openssl-solibs: version 1.1.1d openssl: version 1.1.1d p11-kit: version 0.23.18.1 pcre2: version 10.33 php: version 7.2.23 (CVE-2019-11042, CVE-2019-11041) pixman: version 0.38.4 pkgtools: version 15.0 procps-ng: version 3.3.15 qemu: version 4.1.0 (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) qrencode: version 4.0.2 rpcbind: version 1.2.5 rsyslog: version 8.1908.0 samba: version 4.10.8 (CVE-2019-10197) sdparm: version 1.10 sessreg: version 1.1.2 setxkbmap: version 1.3.2 sg3_utils: version 1.44 shadow: version 4.7 shared-mime-info: version 1.12 sqlite: version 3.29.0 sysvinit-scripts: version 2.1 sysvinit: version 2.96 talloc: version 2.3.0 tdb: version 1.4.2 tevent: version 0.10.1 ttyd: version 1.5.2 usbutils: version 012 util-linux: version 2.34 wget: version 1.20.3 wireguard: version 0.0.20190913 wsdd: version 20180618 build 2 xauth: version 1.1 xclock: version 1.0.9 xfsprogs: version 5.2.1 
xkeyboard-config: version 2.27 xorg-server: version 1.20.5 xrandr: version 1.5.1 xterm: version 348 xwininfo: version 1.1.5 zstd: version 1.4.3 Linux kernel: version 5.3.6 default scheduler now mq-deadline CONFIG_BINFMT_MISC: Kernel support for MISC binaries CONFIG_DEBUG_FS: Debug Filesystem CONFIG_HUGETLBFS: HugeTLB file system support CONFIG_ICE: Intel(R) Ethernet Connection E800 Series Support CONFIG_IGC: Intel(R) Ethernet Controller I225-LM/I225-V support CONFIG_MLX5_CORE_IPOIB: Mellanox 5th generation network adapters (connectX series) IPoIB offloads support CONFIG_SCSI_SMARTPQI: Microsemi PQI Driver CONFIG_WIREGUARD: IP: WireGuard secure network tunnel patch: fix_vega_reset (user request) patch: increase BLK_MAX_REQUEST_COUNT from 16 to 32 oot: LimeTech md/unraid: version 2.9.10 (multi-stream support) oot: Highpoint rsnvme: version v1.2.16_19_05_06 oot: Tehuti tn40xx: version 0.3.6.17.2 oot: omitted: Intel ixgbe [does not build] (using in-tree driver) oot: omitted: Highpoint r750 [does not work] oot: omitted: Highpoint rr3740a [does not build] Management: fix btrfs bug where converting from single to multiple pool did not balance metadata to raid1, and converting from multiple to single did not balance metadata back to single. auto-mount hugetlbfs to support kernel huge pages emhttpd: do not write /root/keyfile if encryption passphrase provided via webGUI fstab: mount USB flash boot device with root-only access nginx.conf: configure all nginx worker threads to run as 'root'. 
    start/stop WireGuard upon server start/shutdown
    support forms-based authentication
    shfs: support FUSE3 API changes; hard links report same st_ino; hard link support configurable
    support disabling NetBIOS, and set Samba 'min server protocol' and 'min client protocol' to SMB2 if disabled
    support WS-Discovery method
    support mDNS local name resolution via avahi
    extract OS upgrade directly to USB flash
    webgui: Revamp Banner Warning System
    webgui: Fix custom case png not surviving reboot
    webgui: Enhanced display of network settings
    webgui: Open banner system to 3rd party apps
    webgui: Modified notify script to allow overriding email recipients in notification settings
    webgui: Allow Safari to use websockets
    webgui: Select case correction + replace MD1510 for AVS-10/4
    webgui: Font, Icon and image cleanup
    webgui: Added AFP deprecated notice
    webgui: Changed config folder of TELEGRAM
    webgui: Add share access to user edit
    webgui: Added cache and disk type to shares page
    webgui: Aligned management page layout
    webgui: Added conditional UPnP setting on Management page
    webgui: Support wireguard plugin in download.php
    webgui: Added UPnP to access script (to support WireGuard plugin)
    webgui: Made notify script compatible with 6.8 new security scheme
    webgui: Fixed misalignment of absent disk on Main page
    webgui: Update ArrayDevices.page help text
    webgui: show warning on login page when browser cookies are disabled
    webgui: Fixed docker container update state
    webgui: Added VM XML files to diagnostics
    webgui: Telegram notification agent: enable group chat IDs, update helper description
    webgui: Integrate CAs Plugin Helper
    webgui: Switch download routine to be PHP Curl
    webgui: Change PluginHelpers download to be PHP Curl
    webgui: dockerMan - Deprecate TemplateURL
    webgui: Fixed: footer always on foreground
    webgui: Plugin Helpers: Follow redirects on downloads
    webgui: dockerMan: Redownload Icon if URL changes
    webgui: If a page is loaded via https, prevent it from loading resources via http (ie, block mixed content)
    webgui: Ensure spinner always on top
    webgui: Allow outside click to close popups
    webgui: Use complete HTML documents in popups
    webgui: Standardize on lang="en"
    webgui: Added 'F1' key to toggle help text
    webgui: Main page: consolidate spin up/down action and device status into one
    webgui: support changed tunables on Disk Settings page
  36. 10 points
    To upgrade:

    - If you are running any 6.4 or later release, click 'Check for Updates' on the Tools/Update OS page.
    - If you are running a pre-6.4 release, click 'Check for Updates' on the Plugins page.
    - If the above doesn't work, navigate to Plugins/Install Plugin, select/copy/paste this plugin URL and click Install: https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer.plg

    Refer also to @ljm42's excellent 6.4 Update Notes, which are helpful especially if you are upgrading from a pre-6.4 release.

    Bugs: If you discover a bug or other issue in this release, please open a Stable Releases Bug Report.

    New in Unraid OS 6.7 release:

    New Dashboard layout, along with new Settings and Tools icons. Designed by user @Mex and implemented in collaboration with @bonienl. We think you will find this is a big step forward.

    Time Machine support via SMB. To enable this feature it is necessary to first turn on "Enhanced OS X interoperability" on the Settings/SMB page. Next, select a share to Export for Time Machine in the share SMB Security Settings section. Note: AFP is now deprecated and macOS users are encouraged to use SMB only.

    Enhanced syslog handling. On Settings/Network Services page click on Syslog Server. Here you can designate this server to receive system logs from other Unraid OS servers, or forward this server's syslog to another local or remote server.

    Parity sync/Data rebuild/Check pause/resume capability. Main functionality in place. Pause/resume not preserved across system restarts yet however.

    Linux kernel 4.19. This is the latest Long Term Support kernel. Here are some other kernel-related updates:

    - Added TCP "BBR Congestion control" and made it the default. This should improve network throughput but probably not too many users will notice anything different.
    - Added Bluetooth support in the Linux kernel. We did not add the user-space tools so this will be mostly useful to support Bluetooth in docker containers.
    - AMD firmware update for Threadripper.

    Ignore case in validating user share names. If there are multiple top-level directories which differ only in case, then we use the first such share name encountered, checking in order: cache, disk1, disk2, ..., diskN. Additional top-level directories encountered will be ignored. For example, suppose we have:

        /mnt/cache/ashare
        /mnt/disk1/Ashare
        /mnt/disk2/ashare

    The name of the exported share will be 'ashare' and will consist of a union of /mnt/cache/ashare and /mnt/disk2/ashare. The contents of /mnt/disk1/Ashare will not appear in /mnt/user/ashare. If you then delete the contents of /mnt/user/ashare followed by deleting the 'ashare' share itself, this will result in share 'Ashare' becoming visible. Similarly, if you delete the contents of /mnt/cache/ashare (or it gets moved), then you will now see share 'Ashare' appear, and it will look like the contents of 'ashare' are missing! Thankfully very few (if any) users should be affected by this, but this handles a corner case in both the presentation of shares in Windows networking and storage of share config data on the USB flash boot device.

    New vfio-bind method. Since it appears that the xen-pciback/pciback kernel options no longer work, we introduced an alternate method of binding, by ID, selected PCI devices to the vfio-pci driver. This is accomplished by specifying the PCI ID(s) of devices to bind to vfio-pci in the file 'config/vfio-pci.cfg' on the USB flash boot device. This file should contain a single line that defines the devices:

        BIND=<device> <device> ...

    Where <device> is a Domain:Bus:Device.Function string, for example,

        BIND=02:00.0

    Multiple devices should be separated with spaces.

    The script /usr/local/sbin/vfio-pci is called very early in system start-up, right after the USB flash boot device is mounted but before any kernel modules (drivers) have been loaded. The function of the script is to bind each specified device to the vfio-pci driver, which makes them available for assignment to a virtual machine, and also prevents the Linux kernel from automatically binding them to any present host driver.

    In addition, and importantly, this script will bind not only the specified device(s), but all other devices in the same IOMMU group as well. For example, suppose there is an NVIDIA GPU which defines both a VGA device at 02:00.0 and an audio device at 02:00.1. Specifying a single device (either one) on the BIND line is sufficient to bind both devices to vfio-pci. The implication is that either all devices of an IOMMU group are bound to vfio-pci or none of them are.

    Other highlights:

    - Added the '--allow-discards' option to LUKS open. This should only have any effect when using encrypted Cache device/pool with SSD devices. It allows a file system to notice if underlying device supports TRIM and if so, passes TRIM commands down.
    - Added 'telegram' notification agent support - thank you @realies
    - Updated several base packages, including move to Samba 4.9 and docker 18.09.
    - Fixed a number of minor bugs.

    Finally: as always, a big "Thank You!" to everyone who contributed and helped with testing.

Version 6.7.0 2019-05-08 Base distro: aaa_elflibs: version 15.0 (rev 3) acpid: version 2.0.31 adwaita-icon-theme: version 3.32.0 at-spi2-atk: version 2.32.0 at-spi2-core: version 2.32.1 at: version 3.1.23 atk: version 2.32.0 bash: version 5.0.007 bin: version 11.1 (rev 3) bluez: version 4.101 bridge-utils: version 1.6 btrfs-progs: version v4.19.1 ca-certificates: version 20190308 cairo: version 1.16.0 cifs-utils: version 6.9 coreutils: version 8.31 curl: version 7.64.1 (CVE-2019-8907, CVE-2019-3822, CVE-2019-3823) cyrus-sasl: version 2.1.27 dbus: version 1.12.12 dhcpcd: version 7.2.0 diffutils: version 3.7 dmidecode: version 3.2 dnsmasq: version 2.80 docker: version 18.09.5 (CVE-2019-5736) e2fsprogs: version 1.45.0 etc: version 15.0 (rev 9) ethtool: version 5.0 file: version 5.36 (CVE-2019-8906, CVE-2019-8907) findutils: version 4.6.0 freetype: version 2.10.0 fribidi: version 1.0.5 gdbm: version 1.18.1 gdk-pixbuf2: version 2.38.0 git: version 2.21.0 glib2: version 2.60.1 glibc-solibs: version 2.29 glibc-zoneinfo: version 2019a glibc: version 2.29 gnutls: version 3.6.7 (CVE-2018-16868) gptfdisk: version 1.0.4 graphite2: version 1.3.13 grep: version 3.3 gtk+3: version 3.24.8 gzip: version 1.10 harfbuzz: version 2.4.0 haveged: version 1.9.4 hdparm: version 9.58 hostname: version 3.21 hwloc: version 1.11.11 icu4c: version 64.2 infozip: version 6.0 (CVE-2014-8139, CVE-2014-8140, CVE-2014-8141, CVE-2016-9844, CVE-2018-18384, CVE-2018-1000035) inotify-tools: version 3.20.1 intel-microcode: version 20180807a iproute2: version 5.0.0 iptables: version 1.8.2 iputils: version 20190324 irqbalance: version 1.5.0 jansson: version 2.12 jemalloc: version 4.5.0 jq: version 1.6 (rev2) kernel-firmware: version 20190424_4b6cf2b keyutils: version 1.6 kmod: version 26 libSM: version 1.2.3 libX11: version 1.6.7 libXcomposite: version 0.4.5 libXcursor: version 1.2.0 libXdamage: version 1.1.5 libXdmcp: version 1.1.3 libXext: version 1.3.4 libXft: version 2.3.3 libXmu: version 1.1.3 
libXrandr: version 1.5.2 libXxf86dga: version 1.1.5 libaio: version 0.3.112 libarchive: version 3.3.3 libcap-ng: version 0.7.9 libcap: version 2.27 libcroco: version 0.6.13 libdrm: version 2.4.98 libedit: version 20190324_3.1 libepoxy: version 1.5.3 libestr: version 0.1.11 libevdev: version 1.6.0 libgcrypt: version 1.8.4 libgpg-error: version 1.36 libjpeg-turbo: version 2.0.2 libnftnl: version 1.1.2 libpcap: version 1.9.0 libpng: version 1.6.37 (CVE-2018-14048 CVE-2018-14550 CVE-2019-7317) libpsl: version 0.21.0 libpthread-stubs: version 0.4 (rev 3) librsvg: version 2.44.11 libssh2: version 1.8.2 (CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861, CVE-2019-3862, CVE-2019-3863) libtirpc: version 1.1.4 libvirt: version 5.1.0 libwebp: version 1.0.2 libwebsockets: version 3.1.0 libxcb: version 1.13.1 libxkbfile: version 1.1.0 libxml2: version 2.9.9 libxslt: version 1.1.33 libzip: version 1.5.2 lm_sensors: version 3.5.0 logrotate: version 3.15.0 lsscsi: version 0.30 lvm2: version 2.03.02 lz4: version 1.8.3 lzip: version 1.21 mc: version 4.8.22 mcelog: version 162 mesa: version 18.3.0 miniupnpc version: 2.1 mkfontscale: version 1.2.1 mozilla-firefox: version 66.0 (CVE-2018-18500, CVE-2018-18504, CVE-2018-18505, CVE-2018-18503, CVE-2018-18506, CVE-2018-18502, CVE-2018-18501, CVE-2018-18356, CVE-2019-5785, CVE-2018-18511, CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9793, CVE-2019-9794, CVE-2019-9795, CVE-2019-9796, CVE-2019-9797, CVE-2019-9798, CVE-2019-9799, CVE-2019-9801, CVE-2019-9802, CVE-2019-9803, CVE-2019-9804, CVE-2019-9805, CVE-2019-9806, CVE-2019-9807, CVE-2019-9809, CVE-2019-9808, CVE-2019-9789, CVE-2019-9788) mpfr: version 4.0.2 nano: version 4.2 ncompress: version 4.2.4.5 ncurses: version 6.1_20190420 netatalk: version 3.1.12 (CVE-2018-1160) nettle: version 3.4.1 (CVE-2018-16869) nghttp2: version 1.38.0 nginx: version 1.14.2 (+ nchan 1.2.3) (CVE-2018-16843, CVE-2018-16844, CVE-2018-16845) ntp: 
version 4.2.8p13 (CVE-2019-8936) oniguruma: version 6.9.1 (CVE-2017-9224, CVE-2017-9225, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229) openldap-client: version 2.4.47 openssh: version 8.0p1 openssl-solibs: version 1.1.1b (CVE-2019-1559) openssl: version 1.1.1b (CVE-2019-1559) p11-kit: version 0.23.15 pciutils: version 3.6.2 pcre2: version 10.33 pcre: version 8.43 php: version 7.2.18 (CVE-2019-11034, CVE-2019-11035, CVE-2019-11036) pixman: version 0.38.4 pkgtools: version 15.0 (rev 23) pv: version 1.6.6 qemu: version 3.1.0 (rev 2) patched pcie link speed and width support rpcbind: version 1.2.5 rsyslog: version 8.40.0 samba: version 4.9.7 (CVE-2018-14629, CVE-2018-16841, CVE-2018-16851, CVE-2018-16852, CVE-2018-16853, CVE-2018-16857) sdparm: version 1.10 sed: version 4.7 sg3_utils: version 1.44 shadow: version 4.6 shared-mime-info: version 1.12 smartmontools: version 7.0 spice-protocol: version 0.12.14 spice: version 0.14.1 sqlite: version 3.28.0 sudo: version 1.8.27 sysvinit-scripts: version 2.1 (rev 26) sysvinit: version 2.94 talloc: version 2.2.0 tar: version 1.32 tdb: version 1.4.0 tevent: version 0.10.0 tree: version 1.8.0 ttyd: version 1.4.2 ttyd: version 20190223 util-linux: version 2.33.2 wget: version 1.20.3 (CVE-2019-5953) xauth: version 1.0.10 (rev 3) xfsprogs: version 4.20.0 xkeyboard-config: version 2.25 xprop: version 1.2.4 xterm: version 341 xtrans: version 1.4.0 zstd: version 1.4.0 Linux kernel: version: 4.19.41 added drivers: CONFIG_USB_SERIAL_CH341: USB Winchiphead CH341 Single Port Serial Driver CONFIG_X86_MCELOG_LEGACY: Support for deprecated /dev/mcelog character device added TCP BBR congestion control kernel support and set as default: CONFIG_NET_KEY: PF_KEY sockets CONFIG_TCP_CONG_BBR: BBR TCP CONFIG_NET_SCH_FQ: Fair Queue CONFIG_NET_SCH_FQ_CODEL: Fair Queue Controlled Delay AQM (FQ_CODEL) added Bluetooth kernel support: CONFIG_BT: Bluetooth subsystem support CONFIG_BT_BREDR: Bluetooth Classic (BR/EDR) features CONFIG_BT_RFCOMM: 
RFCOMM protocol support CONFIG_BT_RFCOMM_TTY: RFCOMM TTY support CONFIG_BT_BNEP: BNEP protocol support CONFIG_BT_BNEP_MC_FILTER: Multicast filter support CONFIG_BT_BNEP_PROTO_FILTER: Protocol filter support CONFIG_BT_HIDP: HIDP protocol support CONFIG_BT_HS: Bluetooth High Speed (HS) features CONFIG_BT_LE: Bluetooth Low Energy (LE) features CONFIG_BT_HCIBTUSB: HCI USB driver CONFIG_BT_HCIBTUSB_AUTOSUSPEND: Enable USB autosuspend for Bluetooth USB devices by default CONFIG_BT_HCIBTUSB_BCM: Broadcom protocol support CONFIG_BT_HCIBTUSB_RTL: Realtek protocol support CONFIG_BT_HCIUART: HCI UART driver CONFIG_BT_HCIUART_H4: UART (H4) protocol support CONFIG_BT_HCIUART_BCSP: BCSP protocol support CONFIG_BT_HCIUART_ATH3K: Atheros AR300x serial support CONFIG_BT_HCIUART_AG6XX: Intel AG6XX protocol support CONFIG_BT_HCIUART_MRVL: Marvell protocol support CONFIG_BT_HCIBCM203X: HCI BCM203x USB driver CONFIG_BT_HCIBPA10X: HCI BPA10x USB driver CONFIG_BT_HCIVHCI: HCI VHCI (Virtual HCI device) driver CONFIG_BT_MRVL: Marvell Bluetooth driver support CONFIG_BT_ATH3K: Atheros firmware download driver firmware: added BCM20702A0-0a5c-21e8.hcd added BCM20702A1-0a5c-21e8.hcd md/unraid: version 2.9.7: setup queue properties correctly support sync pause/resume fix: kernel BUG if read phase of read/modify/write with FUA flag set fails on stripe with multiple read failures OOT Intel 10Gbps network driver: ixgbe: version 5.5.5 OOT Tehuti 10Gbps network driver: tn40xx: version 0.3.6.17 patch: support Mozart 395S chip patch: hpsa: change scsi_host_template.max_sectors from 2048 to 1024 per request Management: add early vfio-bind utility restore PHP E_WARNING in /etc/php/php.ini support Apple Time Machine via SMB acpi: silence undefined ACPI event logging docker: preserve container fixed IPv4 and IPv6 addresses across reboot/docker restart emhttp: bug fix: cache-only/cache-prefer share not initially created on cache emhttp: ignore *.key files that begin with "._" emhttp: properly dismiss 
"Restarting services" message emhttp: use mkfs.btrfs defaults for metadata and SSD support emhttpd: Add --allow-discard luksOpen option emhttpd: Increase number of queued inotify IN_MOVED_TO events from 16 to 1024 for /var/local/emhttp directory. fix: docker log rotation fix: inconsistent share name case fix: terminal instances limited to 8 (now lifted) fstab: mount USB flash boot device with 'flush' keyword networking: pass user-specified MAC address through to bridge rc.nginx: eliminate unnecessary 10 sec delays rc.nginx: implement better status wait loop - thanks ljm42 rc.sshd: only copy new key files to USB flash boot device smartmontools: update drivedb and hwdata/{pci.ids,usb.ids,oui.txt,manuf.txt} smb: when Enhanced OS X interoperability set, include "fruit:nfs_aces = no" to be compatible with Unraid security model smb: disable samba auto-register with avahi for now webgui: Add GameServers to category for docker containers webgui: Add log-size and log-file options to docker run command webgui: Added new font icons webgui: Added parity pause/resume button webgui: Added syslog server functionality webgui: Allow optional notifications on background docker update checks webgui: Allow plugins to use font awesome for icon webgui: Dashboard: add settings shortcuts webgui: Dashboard: added control buttons webgui: Dashboard: create more space for Dokcer/VM names (3 columns) webgui: Dashboard: cut off long container and VM names webgui: Dashboard: fix color consistency webgui: Dashboard: fix incorrect memory type webgui: Dashboard: fixed display of Wattage in UPS load webgui: Dashboard: fixed hanging when no share exports are defined webgui: Dashboard: fixed wrapping of long lines webgui: Dashboard: fixed wrong display of memory size webgui: Dashboard: include links to settings webgui: Dashboard: replace inline style statements for style section webgui: Dashboard: table adjustment in three columns view webgui: Dashboard: table right adjustment in two columns view 
webgui: Dashboard: use disk thresholds for utilization bars webgui: Dashboard: wrap long descriptions webgui: Diagnostics: dynamic file name creation webgui: Do not capitalize path names in title of themes Azure and Gray webgui: Docker: single column for CPU/Memory load webgui: Docker: Add More Info link (docker registry) to context menus webgui: Docker: textual update webgui: Docker: usage memory usage in advanced view webgui: Escape quotes on a containers template webgui: File browser: force download of files webgui: Fix Background color when installing container webgui: Fixed share/disk size calculation when names include space webgui: Fixed version display in system information webgui: Fixed: slots selection always disabled after "New Config" webgui: Keep status visible for paused array operations webgui: Main: make disk identification mono-spaced font webgui: Minor textual changes webgui: Move "Management Access" directly under Settings webgui: New icon reference webgui: OS update: style correction webgui: Open link under Unraid logo in new window webgui: Per Device Font Size Setting webgui: Permit configuration of parity device(s) spinup group. 
webgui: Plugin manager: add .png option to Icon tag webgui: Plugin manager: align icon size with rest of the GUI webgui: Plugin manager: enlarge readmore height webgui: Plugin manager: table style update webgui: Position context menu always left + below icon webgui: Prevent update notification if plugin is not compatible webgui: Replace string "OS X" with "macOS" webgui: Replaced orb png icons by font-awesome webgui: Revamped dashboard page webgui: Share settings: fixed exclude "All" from write function webgui: Suppress PHP warnings from corrupted XML files webgui: Switch button: use blue color in ON state webgui: Switch plugins to a compressed download webgui: Syslinux config: replace checkbox with radio button webgui: Syslog: add '' entry in local folder selection webgui: Syslog: added log rotation settings webgui: Syslog: added viewer webgui: Syslog: included rsyslog.d conf files and chmod 0666 webgui: Syslog: sort logs webgui: Updated Unraid icons webgui: Updated icons and cases webgui: Updated jquery cookie script from 1.3.1 to 1.4.1 webgui: Use cookie for display setting font size webgui: VM manager: remove and rebuild USB controllers webgui: VM page: allow long VM names webgui: added new case icons webgui: other GUI enhancements webgui: prevent dashboard bar animations from queuing up on inactive browser tab webgui: sort notification agents alphabetically, add telegram notifications webgui: syslog icon update webgui: telegram notification agent bug fixes
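Because the 6.7 release notes above say the whole IOMMU group follows any device named on the BIND line, a one-entry line can hand more functions to vfio-pci than it names. The read-only preview below is an added example, not part of the original post and not Unraid's /usr/local/sbin/vfio-pci script; the function names, the SYSFS_PCI override and the rule that an address written without a domain belongs to domain 0000 are assumptions.

```shell
#!/bin/sh
# Added example (not Unraid's own vfio-pci script): read-only preview of which PCI
# functions a vfio-pci.cfg BIND line would hand to vfio-pci. Nothing is bound.

# Sysfs PCI root; overridable so the logic can run against a constructed tree.
SYSFS_PCI="${SYSFS_PCI:-/sys/bus/pci/devices}"

# normalize_bdf ADDR: print Domain:Bus:Device.Function in lower case, or fail.
# Assumption: an address written without a domain (02:00.0) is in domain 0000.
normalize_bdf() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    h='[0-9a-f]'
    case "$addr" in
        $h$h$h$h:$h$h:$h$h.[0-7]) printf '%s\n' "$addr" ;;
        $h$h:$h$h.[0-7])          printf '0000:%s\n' "$addr" ;;
        *) return 1 ;;
    esac
}

# read_bind_devices FILE: print the value of the single BIND= line.
# Fails unless there is exactly one such line. CR from CRLF files is stripped.
read_bind_devices() {
    [ -r "$1" ] || return 1
    n=$(tr -d '\r' < "$1" | grep -c '^BIND=' || true)
    [ "$n" -eq 1 ] || return 1
    tr -d '\r' < "$1" | sed -n 's/^BIND=//p'
}

# group_members BDF: list every function that shares BDF's IOMMU group.
# Fails if the device is absent or has no iommu_group link (IOMMU not enabled).
group_members() {
    [ -d "$SYSFS_PCI/$1/iommu_group/devices" ] || return 1
    ls "$SYSFS_PCI/$1/iommu_group/devices"
}

# group_id BDF: print the IOMMU group number by resolving the iommu_group symlink.
group_id() {
    ( cd -P "$SYSFS_PCI/$1/iommu_group" && basename "$PWD" )
}

# preview_bind FILE: print "function group=N requested-via=ENTRY" once for every
# function that would end up on vfio-pci. Exit status: 0 ok, 1 some entry was
# unusable, 2 no usable BIND line. The body is a subshell, so "exit" and "set -f"
# stay local to this function.
preview_bind() (
    set -f   # no glob expansion while splitting the BIND value
    devices=$(read_bind_devices "$1") || { echo "need exactly one BIND= line: $1" >&2; exit 2; }
    rc=0
    seen=" "
    for entry in $devices; do
        bdf=$(normalize_bdf "$entry") || { echo "malformed address: $entry" >&2; rc=1; continue; }
        members=$(group_members "$bdf") || { echo "no IOMMU group for $bdf" >&2; rc=1; continue; }
        gid=$(group_id "$bdf")
        for m in $members; do
            case "$seen" in *" $m "*) continue ;; esac   # already reported
            seen="$seen$m "
            echo "$m group=$gid requested-via=$entry"
        done
    done
    exit "$rc"
)

# Usage: sh preview.sh <path to vfio-pci.cfg>
if [ "$#" -gt 0 ]; then
    preview_bind "$1"
fi
```

Any function in the output that was not named on the BIND line is one the host will lose along with the requested device, so check the list before rebooting.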
  37. 9 points
    Use extra Unraid CPU or GPU computing power to help take the fight to COVID-19 with BOINC or Folding@Home! https://unraid.net/blog/help-take-the-fight-to-covid-19-with-boinc-or-folding-home Stay safe everyone. -Spencer
  38. 9 points
    Plugin Name: Unraid Nvidia
    Github: https://github.com/linuxserver/Unraid-Nvidia-Plugin

    This plugin from LinuxServer.io allows you to easily install a modified Unraid version with Nvidia drivers compiled and the docker system modified to use an nvidia container runtime, meaning you can use your GPU in any container you wish.

    Any posts discussing circumvention of any Nvidia restrictions we will be asking mods to remove. We have worked hard to bring this work to you, and we don't want to upset Nvidia. If they were to threaten us with any legal action, all our source code and this plugin will be removed. Remember we are all volunteers, with regular jobs and families to support. Please if you see anyone else mentioning anything that contravenes this rule, flag it up to the mods. People that discuss this here could potentially ruin it for all of you.

    EDIT: 25/5/19

    OK everyone, the Plex script seems to be causing more issues than the Unraid Nvidia build as far as I can tell. From this point on, to reduce the unnecessary noise and confusion on this thread, I'm going to request whoever is looking after, documenting or willing to support the Plex scripts spins off their own thread. We will only be answering any support questions on people not using the script. If your post is regarding Plex and you do not EXPLICITLY state that you are not using the Plex script then it will be ignored.

    I know some of you may think this is unreasonable but it's creating a lot of additional work/time commitments for something I never intended to support and something I don't use (not being a Plex user). May I suggest respectfully, that one of you steps forward to create a thread, document it, and support it in its own support place. I think we need to decouple issues with the work we've done versus issues with a currently unsupported script. Thanks.
  39. 9 points
    Also, either tonight or tomorrow an update to Fix Common Problems will be issued which will flag an error on affected systems if you do not have this plugin installed. See here
  40. 9 points
    I'll try and take a look at this tomorrow. Main issue at the moment is I need to sort out the Wireguard OOT drivers. Any new OOT driver is a PITA
  41. 9 points
    A fairly large kernel update was published yesterday as was a new WireGuard release and I thought it important to update and sanity-check. We'll let this bake over the weekend and if no new big issue shows up we'll publish to stable. Then we can move on to the 5.4 kernel in Unraid 6.9.

    -rc9 summary:

    - Update kernel to 4.19.88.
    - Update to latest WireGuard release
    - Other package updates.

    Specific changes in [-rcN] are indicated in bold below.

    New in Unraid OS 6.8 release:

    The unRAIDServer.plg file (update OS) still downloads the new release zip file to RAM but then extracts directly to USB flash boot device. You will probably notice a slight difference in speed of extract messages. [-rc2] The 'sync' command at the end has been replaced with 'sync -f /boot'.

    Forms based authentication

    If you have set a root password for your server, when accessing webGUI you'll now see a nice login form. There still is only one user for Unraid so for username enter root. This form should be compatible with all major password managers out there. We always recommend using a strong password. [-rc2] There is no auto-logout implemented yet, please click Logout on menu bar or completely close your browser to logout.

    Linux kernel

    - [-rc8] Remains on 4.19
    - [-rc6/-rc7] include latest Intel microcode for yet another hardware vulnerability mitigation.
    - default scheduler now 'mq-deadline' [-rc2] but this can be changed via Settings/Disk Settings/Scheduler setting.
    - enabled Huge Page support, though no UI control yet
    - binfmt_misc support
    - added "Vega 10 Reset bug" [-rc2] and 'navi-reset' patches removed [-rc5]
    - [-rc2] added oot: Realtek r8125: version 9.002.02
    - [-rc3] additional md/unraid changes and instrumentation
    - [-rc6] fix chelsio missing firmware
    - [-rc8] removed Highpoint r750 driver [does not work]

    md/unraid driver

    Introduced "multi-stream" support:

    - Reads on devices which are not being written should run at full speed. In addition, if you have set the md_write_method tunable to "reconstruct write", then while writing, if any read streams are detected, the write method is switched to "read/modify/write".
    - Parity sync/check should run at full speed by default.
    - Parity sync/check is throttled back in presence of other active streams.
    - The "stripe pool" resource is automatically shared evenly between all active streams.

    As a result got rid of some Tunables: md_sync_window, md_sync_thresh; and added some tunables: md_queue_limit, md_sync_limit, [-rc2] md_scheduler. Please refer to Settings/Disk Settings help text for description of these settings.

    WireGuard support - available as a plugin via Community Apps. Our WireGuard implementation and UI is still a work-in-process; for this reason we have made this available as a plugin, though the latest WireGuard module is included in our Linux kernel. Full WireGuard implementation will be merged into Unraid OS itself in a future release. I want to give special thanks to @bonienl who wrote the plugin with lots of guidance from @ljm42 - thank you! I also should give a shout out to @NAS who got us rolling on this. If you don't know about WireGuard it's something to look into! Guide here:

    WS-Discovery support - Finally you can get rid of SMBv1 and get reliable Windows network discovery. This feature is configured on the Settings/SMB Settings page and enabled by default. Also on same settings page is Enable NetBIOS setting. This is enabled by default, however if you no longer have need for NetBIOS discovery you can turn it off. When turned off, Samba is configured to accept only SMBv2 protocol and higher.

    Added mDNS client support in Unraid OS. This means, for example, from an Unraid OS terminal session to ping another Unraid OS server on your network you can use (e.g., 'tower'):

        ping tower.local

    instead of

        ping tower

    Note the latter will still work if you have NetBIOS enabled.

    User Share File System (shfs) changes:

    - Integrated FUSE-3 - This should increase performance of User Share File System.
    - Fixed bug with hard link support. Previously a 'stat' on two directory entries referring to same file would return different i-node numbers, thus making it look like two independent files. This has been fixed however there is a config setting on Settings/Global Share Settings called "Tunable (support hard links)". [-rc2] Fixed the default value Yes, but with certain very old media and DVD players which access shares via NFS, you may need to set this to No.
    - [-rc5] Fixed not accounting for devices not mounted yet.

    Note: if you have custom config/extra.cfg file, get rid of it.

    Other improvements/bug fixes:

    - Format - during Format any running parity sync/check is automatically Paused and then resumed upon Format completion.
    - Encryption - an entered passphrase is not saved to any file.
    - Fixed bug where multi-device btrfs pool was leaving metadata set to dup instead of raid1.
    - Several other small bug fixes and improvements.
    - [-rc5] Fixed bug where quotes were not handled properly in passwords.
    - Numerous base package updates [-rc2] including updating PHP to version 7.3.x, Samba to version 4.11.x.

    Known Issues and Other Errata

    Some users have reported slower parity sync/check rates for very wide arrays (20+ devices) vs. 6.7 and earlier releases - we are still studying this problem.

    [-rc6] this is fixed: If you are using Unassigned Devices plugin with encrypted volumes, you must use the file method of specifying the encryption passphrase. Note that a file containing your passphrase must consist of a single null-terminated string with no other line ending characters such as LF or CR/LF.

    In another step toward better security, the USB flash boot device is configured so that programs and scripts residing there cannot be directly executed (this is because the 'x' bit is set now only for directories). Commands placed in the 'go' file still execute because during startup, that file is copied to /tmp first and then executed from there. If you have created custom scripts you may need to take a similar approach.

    AFP is now deprecated and we plan to remove support in Unraid 6.9 release.

    A note on password strings

    Password strings can contain any character however white space (space and tab characters) is handled specially:

    - all leading and trailing white space is discarded
    - multiple embedded white space is collapsed to a single space character.

    By contrast, encryption passphrase is used exactly as-is.

    Version 6.8.0-rc9 2019-12-06

    Base distro:

    - btrfs-progs: version 5.4
    - ca-certificates: version 20191130
    - ebtables: version 2.0.11
    - gnutls: version 3.6.11.1
    - gtk+3: version 3.24.13
    - iproute2: version 5.4.0
    - iptables: version 1.8.4
    - keyutils: version 1.6
    - libepoxy: version 1.5.4
    - libnftnl: version 1.1.5
    - librsvg: version 2.46.4
    - libtasn1: version 4.15.0
    - lvm2: version 2.03.07
    - nano: version 4.6
    - pcre2: version 10.34
    - pkgtools: version 15.0 build 28
    - wireguard: version 0.0.20191205
    - xorg-server: version 1.20.6

    Linux kernel:

    - version 4.19.88
  42. 9 points
    You should let limetech know about your issues and concerns. After all, it's really limetech who should be providing you with a solution, not a third party like us. We do what we can (chbmb and bassrock put a lot of work into it) but there is only so much an outsider can do when they only have partial info and have to reverse engineer everything. As an example, qnap worked directly with plex employees to make sure their OS included the necessary drivers and packages to make sure transcoding worked with plex on their devices. We are neither the OS provider (limetech) nor the client (plex/emby). We're just folks trying to give back to the community.
  43. 9 points
    Preparing another release. Mondays are always very busy but will try to get it out asap.
  44. 9 points
    The next release has wireguard included. The GUI component to manage wireguard will be available as a plugin.
  45. 9 points
    Not sure if I'm disappointed or not. I had it in my head (based upon the avatar) that Tom wore Hawaiian shirts all the time.
  46. 8 points
    All of us at Lime Technology Inc. are excited to announce the hiring of Zack Spear as a full-time developer. Please help us give @zspearmint a warm welcome to the Unraid forums! Zack has a diverse skill set and is an all around great guy. Learn more about Zack from his website bio: Please feel free to ask Zack all about his digital nomad travels, Borussia Dortmund banter, love of old school analog film photography, or just drop in below to say "Hey". Welcome aboard Zack!
  47. 8 points
    Hey everyone! Stoked to have officially joined the team 🙌
  48. 8 points
    UPDATE (010/11/2019) PLUGIN Updated for 6.8.0 RC1 +

    @Squid was awesome again in keeping with the newer kernel update, and the more simplified syntax now of "mitigations=off". If you already installed the plugin on a lower release and enabled it, nothing is needed prior to upgrading. Squid thought of and accounted for that and the plugin will handle it during boot.

    UPDATE (06/03/2019) PLUGIN AVAILABLE!!!

    @Squid was awesome enough to take this work and put it into a plugin, as many have asked for. It's a great start, and covers the basics out of the gate for everyone at the moment. Once the kernel starts rolling higher, we can change the current long string to a shorter variation, but I think that will be later in the future, post 6.8.0+.....

    Original Post:

    As many are aware, Intel has had some serious security vulnerabilities released over the past year. "Spectre", "Meltdown", and now one of the strongest dubbed "Zombieload" aka MDS. Intel seems to be having some skeletons coming out of the closet, which saw a CEO resign, and market share loss now to AMD.

    The mitigations to these vulnerabilities have all individually come with a performance cost, Spectre/Meltdown in the range of ~15%, and now MDS rumored to need Hyperthreading disabled altogether to mitigate, costing upwards of 30%-40% (sources are based on the internet, so take with a grain of salt). So add them all together, and that's a pretty hefty penalty for users who may not even be a target for this kind of attack.

    Personally, I have nothing that sensitive at my home running in individual dockers or VMs that I would worry enough about if someone from one area could read data from the other. As well, my local users are myself and my wife 🙂 , so she could just TAKE the money from the bank in person 🙂 Not a threat to me. I don't care if someone is watching me play games on a vm, or is watching that I am encoding or decrypting a movie, big deal, not much going on at my house anyone would work hard enough to watch....... and if someone did make it that far to target me, I got bigger problems than speculative execution, like checking my firewall rules!!

    So, with that said, this is ALL AT YOUR OWN RISK, I or the community do not assume any responsibility of damage due to the disablement of these mitigations.

    As of 6.7.0, we have kernel level 4.19.41 which marks the last kernel to NOT mitigate against MDS. To disable Spectre/Meltdown for release 6.7.0, adjust your syslinux.cfg file as follows (and reboot):

        pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

    As of 6.7.1 RC1, we have kernel level 4.19.43 which marks the first kernel TO mitigate against Spectre/Meltdown AND MDS. To disable Spectre/Meltdown/MDS for release 6.7.1 RC1+, adjust your syslinux.cfg as follows (and reboot):

        pti=off spectre_v2=off l1tf=off mds=off nospec_store_bypass_disable no_stf_barrier

    You can validate the mitigations on the OS before/after by:

        cat /sys/devices/system/cpu/vulnerabilities/*

    BEFORE: Should look similar to (notice the Mitigations):

        Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
        Mitigation: Clear CPU buffers; SMT vulnerable
        Mitigation: PTI
        Mitigation: Speculative Store Bypass disabled via prctl and seccomp
        Mitigation: __user pointer sanitization
        Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

    AFTER: Should look similar to (notice the Vulnerable):

        Mitigation: PTE Inversion; VMX: vulnerable
        Vulnerable; SMT vulnerable
        Vulnerable
        Vulnerable
        Mitigation: __user pointer sanitization
        Vulnerable, IBPB: disabled, STIBP: disabled
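The cat command in the post above prints the status lines without their file names, so the output does not say which issue each line belongs to. The audit below is an added example, not part of the original post or of the plugin: it keeps the file names, grades each line, and lists the boot parameters named in the post when they appear on a kernel command line. Function names are hypothetical, and the fixture pairs the post's AFTER lines with sysfs file names in alphabetical order, which is an assumption.

```shell
#!/bin/sh
# Added example: report speculative-execution mitigation state per sysfs file and
# list boot parameters that switch mitigations off. Read-only.

# Parameters named in the post that disable mitigations.
OVERRIDES="pti=off spectre_v2=off l1tf=off mds=off nospec_store_bypass_disable no_stf_barrier mitigations=off"

# cmdline_overrides "CMDLINE": print each override present, in command-line order.
# Whole-word comparison, so "mds=offx" is not reported as "mds=off".
cmdline_overrides() (
    set -f   # do not glob-expand words of the command line; scoped to this subshell
    for word in $1; do
        for o in $OVERRIDES; do
            if [ "$word" = "$o" ]; then echo "$o"; fi
        done
    done
)

# classify "TEXT": map one status line to a state. A line that starts with
# "Mitigation" but still contains "vulnerable" (e.g. "SMT vulnerable") is PARTIAL.
classify() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        "not affected"*)        echo NOT_AFFECTED ;;
        vulnerable*)            echo VULNERABLE ;;
        mitigation*vulnerable*) echo PARTIAL ;;
        mitigation*)            echo MITIGATED ;;
        *)                      echo UNKNOWN ;;
    esac
}

# vulnerability_report DIR: print "STATE<TAB>file<TAB>text" for every file in DIR.
vulnerability_report() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        text=$(head -n 1 "$f")
        printf '%s\t%s\t%s\n' "$(classify "$text")" "$(basename "$f")" "$text"
    done
}

# count_state DIR STATE: number of files in DIR whose state is STATE.
count_state() {
    vulnerability_report "$1" | awk -F '\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# sample_after DIR: constructed fixture built from the post's AFTER output.
# File names are assumed from the alphabetical order in which "cat *" reads them.
sample_after() {
    mkdir -p "$1" || return 1
    echo 'Mitigation: PTE Inversion; VMX: vulnerable'  > "$1/l1tf"
    echo 'Vulnerable; SMT vulnerable'                  > "$1/mds"
    echo 'Vulnerable'                                  > "$1/meltdown"
    echo 'Vulnerable'                                  > "$1/spec_store_bypass"
    echo 'Mitigation: __user pointer sanitization'     > "$1/spectre_v1"
    echo 'Vulnerable, IBPB: disabled, STIBP: disabled' > "$1/spectre_v2"
}

# Usage: sh audit.sh /sys/devices/system/cpu/vulnerabilities
if [ "$#" -gt 0 ]; then
    vulnerability_report "$1"
    cmdline_overrides "$(cat /proc/cmdline)"
fi
```

Run across a fleet, a non-zero VULNERABLE count together with any reported override identifies hosts where the mitigations were switched off on purpose rather than missing from an old kernel.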
  49. 8 points
    He's right, we don't need to be told, the rate limiting step isn't when we notice a new Unraid build, it's when I get a chance to build it, trust me, I'm an Unraid user, I get the same notifications as everyone else, I know when there's a new release.
  50. 8 points
    The issue is that writes originating from a fast source (as opposed to a slow source such as 1Gbit network) completely consume all available internal "stripe buffers" used by md/unraid to implement array writes. When reads come in they get starved for resources to efficiently execute. The method used to limit the number of I/O's directed to a specific md device in the Linux kernel no longer works in newer kernels, hence I've had to implement a different throttling mechanism. Changes to md/unraid driver require exhaustive testing. All functional tests pass; however, driver bugs are notorious for only showing up under specific workloads due to different timing. As I write this I'm 95% confident there are no new bugs. Since this will be a stable 'patch' release, I need to finish my testing.