limetech

This release includes some bug fixes and update of base packages. Notable changes: correct device status handling for single-slot pools collapse multiple underscores within nvme /dev/disk/by-id symlinks to single underscore WireGuard: fixed proper handling of ipv4 + ipv6 tunnels A few security related base package updates Added BPF support in the Linux kernel Please note: It would be extremely helpful to us to report issues by creating separate Reports here rather than creating a reply in this topic. 6.10.0 Summary of Changes and New Features As always, prior to updating, create a backup of your USB flash device: "Main/Flash/Flash Device Settings" - click "Flash Backup". [rc3] Plugin Authors: We patched the upgradepkg script to prevent it from replacing an installed package with an earlier version of the same package, i.e., no downgrading. If a plugin really needs to replace a package with a downgraded version it can include the '--reinstall' option. Also be sure to check out the Dynamix File Manager plugin available now through Community Apps! UPC and My Servers Plugin The most visible new feature is located in the upper right corner of the webGUI header. We call this the User Profile Component, or UPC. The UPC allows a user to better manage their registration keys and install the optional My Servers plugin. My Servers is what we call our set of cloud-based services and features that integrate with your Unraid server(s). After installing the My Servers plugin, you will be prompted to sign-in your server with an existing Unraid.net account, or create a new Unraid.net account. Once installed here are some of the features of My Servers: Real-time Status - with the plugin installed each server tile on the My Servers Dashboard will display real-time status such as whether the server is online or offline, storage utilization and other information. Local Access link - this is a direct link the the server webGUI on your LAN. Remote Access link - if enabled, a link is displayed on the My Servers Dashboard to bring up a server webGUI remotely and over the Internet. Automatic Flash Backup - every registered server is provided with a private git repo initially populated with the contents of your USB flash boot device (except for certain files which contain private information such as passwords). Thereafter, configuration changes are automatically committed. A link is provided to download a custom zip file that can be fed as input to the USB Flash Creator tool to move your configuration to a new USB flash device. Notification of critical security-related updates. In the event a serious security vulnerability has been discovered and patched, we will send out a notification to all email addresses associated with registered servers. Posting privilege in a new set of My Servers forum boards. Signed-in servers maintain a websocket connection to a cloud-based Lime Technology proxy server for the purpose of relaying real-time status. Refer to the Privacy section for more information. Security Changes It is now mandatory to define a root password. We also created a division in the Users page to distinguish root from other user names. The root UserEdit page includes a text box for pasting SSH authorized keys. For new configurations, the flash share default export setting is No. For all new user shares, the default export setting is No. For new configurations, SMBv1 is disabled by default. For new configurations, telnet, ssh, and ftp are disabled by default. We removed certain strings from Diagnostics such as passwords found in the 'go' file. [rc6] Changing root user password will log out all webGUI browser sessions. Virtualization Both libvirt and qemu have been updated. In addition, qemu has been compiled with OpenGL support, and [rc2] ARM emulation (experimental). [rc2] To support Windows 11 which requires TPM and Secure boot, we have added TPM emulation; and, added a "Windows 11" VM template which automatically selects TPM-aware OVMF bios. Also, here are instructions for upgrading a Windows 10 VM to Windows 11. Special thanks to @ich777 who researched and determined what changes and components were necessary to provide this functionality. The built-in Firefox browser available in GUI-mode boot is built as an AppImage and located in the bzfirmware compressed file system image. This saves approximately 60MB of RAM. The Wireguard plugin has been integrated into webGUI, that is, no need for the plugin. If you had the plugin installed previously, it will be uninstalled and moved to the "Plugins/Plugin File Install Errors" page. No action is needed unless you want to press the Delete button to remove it from that page. Your WireGuard tunnels and settings will be preserved. [rc5] Resident network guru @bonienl has added the capability to bind a Wireguard virtual network interface to a docker container. One use of this feature is to configure a Wireguard-enabled VPN which may then be exclusively used by that container, while you main server makes use of the normal LAN network interface. Please refer to this post for additional details. Simplified installation of the Community Apps plugin. The webGUI automatically includes the Apps menu item, and if CA is not already installed, the page offers an Install button. No need to hunt for the plugin link. [rc3] Moving to Let's Encrypt wildcard SSL certificates. Starting with this release, we no longer issue new single-host SSL certificates (which we're calling legacy certificates). Instead, all new Unraid.net SSL certificates are wildcard certificates (still provided by Let's Encrypt). The URL used to access your server making use of a wildcard certificate has this form: https://[lan-ip].[hash].myunraid.net where, [lan-ip] is your severs LAN IP address with dots changed to dashes [hash] is a 40-character hex string (160 bits) unique to this server (and different from similar [hash] in legacy certificates) example: https://192-168-100-1.af01305221921f93aabae93f13800dcea41dc681e.myunraid.net We added a new DDNS server which listens at "myunraid.net". This server extracts [lan-ip] from the domain name and returns the IP address where the dashes are changed back into dots. There are several benefits to this approach for both our users and for us: Eliminates DNS propagation delays when you first provision a certificate or when a server LAN IP address (or WAN IP address) changes. Since the domain name includes the IP address, any IP address change also changes the domain name, hence will not be contained in any intermediate DNS cache. We also changed the TTL from 1 hour to 7 days further reducing overhead and alleviating issues where someone's internet goes down for brief periods. There is no longer a requirement for the server to actively update a DDNS server. Improves privacy because your remote access WAN IP address can't be determined by simply prepending "www" to your local access URL. Moves DNS functionality off the 'unraid.net' domain and isolates it on 'myunraid.net' domain. In previous releases code that provisions (allocates and downloads) an Unraid.net SSL certificate would first test if DNS Rebinding Protection was enforced on the user's LAN; and, if so, would not provision the certificate. Since there are other uses for a LE certificate we changed the code so that provision would always proceed. Next, we changed the logic behind the Auto selection of "Use SSL/TLS" setting on the Management Access page. Now it is only possible to select Auto if both a LE certificate has been provisioned and DNS Rebinding Protection is not enforced. This is a subtle change but permits certain My Servers features such as Remote Access. Upon upgrading, you will need to modify any server bookmarks with the new the URL. Alternately, if you have installed the My Servers plugin, a local access link is included for each server on your Dashboard. If you have not installed My Servers plugin, since there is no DDNS update daemon, we recommend setting up either a static DHCP lease, or assign a static IP address for your server. Finally, we have set up nginx such that the URL's: http://<server-name>.<local-tld>/ or https://<server-name>.<local-tld>/ will redirect to https://[lan-ip].[hash].myunraid.net More information including use cases may be found in Documentation here. Linux Kernel Upgrade to [rc4] Linux 5.15.x kernel which includes so-called Sequoia and Dirty Pipe vulnerability mitigations. In-tree GPU drivers are now loaded by default if corresponding hardware is detected: amdgpu ast i915 radeon These drivers are required mostly for motherboard on-board graphics used in GUI boot mode. Loading of a driver can be prohibited by creating the appropriate file named after the driver: echo "blacklist i915" > /boot/config/modprobe.d/i915.conf Alternately, the device can be isolated from Linux entirely via the System Devices page. Note that in Unraid OS 6.9 releases the in-tree GPU drivers are blacklisted by default and to enabling loading a driver you need to create an empty "conf" file. After upgrading to Unraid OS 6.10 you may delete those files, or leave them as-is. This change was made to greatly improve the Desktop GUI experience for new users. Added support for Intel GVT-g, which lets you split your Intel i915 iGPU into multiple virtual GPUs and pass them through to multiple VMs, using @ich777's Intel-GVT-g plugin. Added support for gnif/vendor-reset. This simplifies @ich777's AMD Vendor Reset plugin which permits users to get their AMD video cards to reset properly. [rc2] Added so-called "add-relaxable-rmrr-5_8_and_up.patch" modified for our kernel https://github.com/kiler129/relax-intel-rmrr/blob/master/patches/add-relaxable-rmrr-5_8_and_up.patch Thanks to @ich777 for pointing this out. [rc2] Enabled additional ACPI kernel options [rc2] Enabled TPM kernel modules (not utilized yet) - note this is for Unraid host utilizing physical TPM, not emulated TPM support for virtual machnes. [rc4] Updated out-of-tree drivers [rc5] Support Realtek RTL8152/RTL8153 Based USB Ethernet Adapters Base Packages Virtually the entire base package set has been updated. [rc2] For SMB: Samba version 4.15 SMB3 multi-channel is no longer marked "experimental", however is disabled by default. This may be enabled on the Settings/SMB Settings page. Some users have reported issues with SMB3 multi-channel in conjunction with certain network bond configurations. [rc2] Per request we added the mcelog package. With inclusion of this package, if you have an AMD processor you may see this error message in the system log: mcelog: ERROR: AMD Processor family 23: mcelog does not support this processor. Please use the edac_mce_amd module instead. We're not sure what to make of this. It appears mcelog is being deprecated in favor of rasdaemon. This is something we need to research further. Other improvements available in 6.10, which are maybe not so obvious to spot from the release notes and some of these improvements are internal and not really visible: Event driven model to obtain server information and update the webGUI in real-time The advantage of this model is its scalability. Multiple browsers can be opened simultaneously to the webGUI without much impact In addition stale browser sessions won't create any CSRF errors anymore People who keep their browser open 24/7 will find the webGUI stays responsive at all times [rc3] Consistent state information is maintained across all browser instances open to a particular server Docker labels Docker labels are added to allow people using Docker compose to make use of icons and GUI access Look at a Docker 'run' command output to see exactly what labels are used Docker custom networks A new setting for custom networks is available. Originally custom networks are created using the macvlan mode, and this mode is kept when upgrading to version 6.10 The new ipvlan mode is introduced to battle the crashes some people experience when using macvlan mode. If that is your case, change to ipvlan mode and test. Changing of mode does not require to reconfigure anything on Docker level, internally everything is being taken care off. Docker bridge network (docker0) docker0 now supports IPv6. This is implemented by assigning docker0 a private IPv6 subnet (fd17::/64), similar to what is done for IPv4 and use network translation to communicate with the outside world Containers connected to the bridge network now have both IPv4 and IPv6 connectivity (of course the system must have IPv6 configured in the network configuration) In addition several enhancements are made in the IPv6 implementation to better deal with the use (or no-use) of IPv6 Plugins page The plugins page now loads information in two steps. First the list of plugins is created and next the more time consuming plugin status field is retrieved in the background. The result is a faster loading plugins page, especially when you have a lot of plugins installed Dashboard graphs The dashboard has now two graphs available. The CPU graph is displayed by default, while the NETWORK graph is a new option under Interface (see the 'General Info' selection) The CPU graph may be hidden as well in case it is not desired Both graphs have a configurable time-line, which is by default 30 seconds and can be changed independently for each graph to see a longer or shorter history. Graphs are updated in real-time and are useful to observe the behavior of the server under different circumstances Scheduler Improvements [rc3] You can now split a parity check into smaller pieces and let it run over multiple days or weeks. For example a check can be performed in a time frame of 01:00am to 06:00am for several days in a row until it is completed. This way a long parity check won’t interfere with the normal day activities, like watching a movie. [rc3] Added ability to schedule pool 'balance' and 'scrub' operations and calculate whether a full balance is recommended. Other Changes We switched to a better-maintained version of the WSD server component called wsdd2 in an effort to eliminate instances where the wsd daemon would start consuming 100% of a CPU core. Fixed issue where you couldn't create a docker image on a share name that contains a space. Fixed issue where 'mover' would not move to a pool name that contains a space. Fixed issue in User Share file system where permissions were not being honored. We increased the font size in Terminal and [rc2] fixed issue with macOS Monterey. Terminal font size is configurable via Settings/Display Settings page. [rc2] Fixed jumbo frames not working. [rc2] sysctl: handle net.netfilter.nf_conntrack_count max exceeded (increase setting to 131072) - hattip to Community Member @DieFalse [rc2] Mover will create '.partial' file and then rename upon completion. [rc2] Enabled NFSv4 support. [rc2] Check bz file sha256sums at boot time. [rc3] Fixed bug found by @thohell where md_sync_limit was not being honored to limit stripe_head cache usage when other I/O is active. The effect of this fix is to drastically slow down parity operations if other I/O is happening (such as streaming a video). Throttling of parity sync operations can be adjusted by changing the 'Settings/Disk Settings/Tunable (md_sync_limit)' value. [rc3] Fixed btrfs pool device replace corner cases. Important note: if you 'unassign' a device from a btrfs multiple-device pool, and that device is still physically present, upon array Start we will erase the LUKS header on the device if present, and delete the partition structure, thereby effectively erasing all the data contained on the device. This is necessary in order to convince btrfs to no longer use the device and to free it for assignment to another pool. [rc3] For cookies managed by webGUI, changed sameSite cookie attribute from 'strict' to 'lax'. This change was made to solve an issue with Terminal window not opening in Safari. [rc5] Fixed a bug where replacing a device in a multiple-device btrfs pool would still tag the old device as missing. [rc5] Fixed an issue where hot plugging a device in a server with spun-down SAS drive(s) could cause the SAS drive(s) to appear unassigned. [rc5] Fixed an issue where the server would disappear from Windows Network after docker and/or VM startup. [rc5] Fixed md/unraid driver regression which would confuse XFS, making it think an online shrink had occurred. [rc5] Fixed: Prevent Unraid from hanging when the array is stopped, while VMs are in paused or suspended state. [rc6] Added ServerChan and Pushplus notification agents, thanks to @ludoux Numerous other small bug fixes and improvements. Credits Special thanks to all our beta testers and especially: @bonienl for his continued refinement and updating of the Dynamix webGUI. @Squid for continued refinement of Community Apps and associated feed. @dlandon for continued refinement of Unassigned Devices plugin and patience as we change things under the hood. @ich777 for assistance and passing on knowledge of Linux kernel config changes to support third party drivers and other kernel-related functionality via plugins. @SimonF for refinements to System Devices page and other webGUI improvements. @thohell for an extra set of eyes looking at md/unraid driver and for work-in-progress of adding changes to support multiple Unraid arrays. @JorgeB for rigorous testing of storage subsystem Version 6.10.0-rc8 2022-05-10 (vs. 6.10.0-rc7) Base distro: libxml2: version 2.9.14 (CVE-2022-29824) openssl: version 1.1.1o (CVE-2022-1292) openssl-solibs: version 1.1.1o Linux kernel: Linux 5.15.38-Unraid enable BPF kernel options (user request): CONFIG_BPF_SYSCALL: Enable bpf() system call CONFIG_BPF_JIT: Enable BPF Just In Time compiler CONFIG_BPF_JIT_ALWAYS_ON: Permanently enable BPF JIT and remove BPF interpreter CONFIG_NET_CLS_BPF: BPF-based classifier CONFIG_NET_CLS_ACT: Actions CONFIG_NET_ACT_BPF: BPF based action CONFIG_IKHEADERS: Enable kernel headers through /sys/kernel/kheaders.tar.xz CONFIG_NET_SCH_SFQ: Stochastic Fairness Queueing (SFQ) CONFIG_NET_ACT_POLICE: Traffic Policing CONFIG_NET_ACT_GACT: Generic actions CONFIG_GACT_PROB: Probability support CONFIG_NET_SCH_INGRESS: Ingress/classifier-action Qdisc CONFIG_CGROUP_BPF: Support for eBPF programs attached to cgroups Management: emhttpd: correct device status handling for single-slot pools emhttpd: collapse multiple underscores within nvme /dev/disk/by-id symlinks to single underscore webgui: WireGuard: fixed proper handling of ipv4 + ipv6 tunnels webgui: Font files update clear-sans --> source sans pro bitstream --> source code pro webgui: Remove deprecated font extensions: eot, svg, ttf webgui: Cleanup styles folder webgui: Update css files to use woff and woff2 formats only webgui: Fixed balance/scrub schedule not saved when device name has "-" in it webgui: Fix side bar of themes azure/gray in firefox webgui: chore(upc): ENOKEYFILE2 message translation

This release corrects an issue in -rc6 where both the Intel out-of-tree ixgbe module (10Gbit Network driver) and the in-tree ixgbe module were included in the build. At system start time, the Intel driver was preferred. It was our intent to remove this driver and revert to the in-tree version, but a flaw in our build process permitted inclusion of both. This has been corrected in this release, and there are no other changes. If you have upgraded to -rc6 and you do not use Intel 10Gbit network driver there is no need to upgrade to this release. This release includes some bug fixes and update of base packages. Notable changes: Revert out-of-tree Intel ixgbe network driver back to in-tree version. Changing root user password will log out all webGUI browser sessions. Changed the row highlighting on Main and Shares page. WireGuard improvments Improved IPv6 support Please note: It would be extremely helpful to us to report issues by creating separate Reports here rather than creating a reply in this topic. 6.10.0 Summary of Changes and New Features As always, prior to updating, create a backup of your USB flash device: "Main/Flash/Flash Device Settings" - click "Flash Backup". [rc3] Plugin Authors: We patched the upgradepkg script to prevent it from replacing an installed package with an earlier version of the same package, i.e., no downgrading. If a plugin really needs to replace a package with a downgraded version it can include the '--reinstall' option. Also be sure to check out the Dynamix File Manager plugin available now through Community Apps! UPC and My Servers Plugin The most visible new feature is located in the upper right corner of the webGUI header. We call this the User Profile Component, or UPC. The UPC allows a user to better manage their registration keys and install the optional My Servers plugin. My Servers is what we call our set of cloud-based services and features that integrate with your Unraid server(s). After installing the My Servers plugin, you will be prompted to sign-in your server with an existing Unraid.net account, or create a new Unraid.net account. Once installed here are some of the features of My Servers: Real-time Status - with the plugin installed each server tile on the My Servers Dashboard will display real-time status such as whether the server is online or offline, storage utilization and other information. Local Access link - this is a direct link the the server webGUI on your LAN. Remote Access link - if enabled, a link is displayed on the My Servers Dashboard to bring up a server webGUI remotely and over the Internet. Automatic Flash Backup - every registered server is provided with a private git repo initially populated with the contents of your USB flash boot device (except for certain files which contain private information such as passwords). Thereafter, configuration changes are automatically committed. A link is provided to download a custom zip file that can be fed as input to the USB Flash Creator tool to move your configuration to a new USB flash device. Notification of critical security-related updates. In the event a serious security vulnerability has been discovered and patched, we will send out a notification to all email addresses associated with registered servers. Posting privilege in a new set of My Servers forum boards. Signed-in servers maintain a websocket connection to a cloud-based Lime Technology proxy server for the purpose of relaying real-time status. Refer to the Privacy section for more information. Security Changes It is now mandatory to define a root password. We also created a division in the Users page to distinguish root from other user names. The root UserEdit page includes a text box for pasting SSH authorized keys. For new configurations, the flash share default export setting is No. For all new user shares, the default export setting is No. For new configurations, SMBv1 is disabled by default. For new configurations, telnet, ssh, and ftp are disabled by default. We removed certain strings from Diagnostics such as passwords found in the 'go' file. [rc6] Changing root user password will log out all webGUI browser sessions. Virtualization Both libvirt and qemu have been updated. In addition, qemu has been compiled with OpenGL support, and [rc2] ARM emulation (experimental). [rc2] To support Windows 11 which requires TPM and Secure boot, we have added TPM emulation; and, added a "Windows 11" VM template which automatically selects TPM-aware OVMF bios. Also, here are instructions for upgrading a Windows 10 VM to Windows 11. Special thanks to @ich777 who researched and determined what changes and components were necessary to provide this functionality. The built-in Firefox browser available in GUI-mode boot is built as an AppImage and located in the bzfirmware compressed file system image. This saves approximately 60MB of RAM. The Wireguard plugin has been integrated into webGUI, that is, no need for the plugin. If you had the plugin installed previously, it will be uninstalled and moved to the "Plugins/Plugin File Install Errors" page. No action is needed unless you want to press the Delete button to remove it from that page. Your WireGuard tunnels and settings will be preserved. [rc5] Resident network guru @bonienl has added the capability to bind a Wireguard virtual network interface to a docker container. One use of this feature is to configure a Wireguard-enabled VPN which may then be exclusively used by that container, while you main server makes use of the normal LAN network interface. Please refer to this post for additional details. Simplified installation of the Community Apps plugin. The webGUI automatically includes the Apps menu item, and if CA is not already installed, the page offers an Install button. No need to hunt for the plugin link. [rc3] Moving to Let's Encrypt wildcard SSL certificates. Starting with this release, we no longer issue new single-host SSL certificates (which we're calling legacy certificates). Instead, all new Unraid.net SSL certificates are wildcard certificates (still provided by Let's Encrypt). The URL used to access your server making use of a wildcard certificate has this form: https://[lan-ip].[hash].myunraid.net where, [lan-ip] is your severs LAN IP address with dots changed to dashes [hash] is a 40-character hex string (160 bits) unique to this server (and different from similar [hash] in legacy certificates) example: https://192-168-100-1.af01305221921f93aabae93f13800dcea41dc681e.myunraid.net We added a new DDNS server which listens at "myunraid.net". This server extracts [lan-ip] from the domain name and returns the IP address where the dashes are changed back into dots. There are several benefits to this approach for both our users and for us: Eliminates DNS propagation delays when you first provision a certificate or when a server LAN IP address (or WAN IP address) changes. Since the domain name includes the IP address, any IP address change also changes the domain name, hence will not be contained in any intermediate DNS cache. We also changed the TTL from 1 hour to 7 days further reducing overhead and alleviating issues where someone's internet goes down for brief periods. There is no longer a requirement for the server to actively update a DDNS server. Improves privacy because your remote access WAN IP address can't be determined by simply prepending "www" to your local access URL. Moves DNS functionality off the 'unraid.net' domain and isolates it on 'myunraid.net' domain. In previous releases code that provisions (allocates and downloads) an Unraid.net SSL certificate would first test if DNS Rebinding Protection was enforced on the user's LAN; and, if so, would not provision the certificate. Since there are other uses for a LE certificate we changed the code so that provision would always proceed. Next, we changed the logic behind the Auto selection of "Use SSL/TLS" setting on the Management Access page. Now it is only possible to select Auto if both a LE certificate has been provisioned and DNS Rebinding Protection is not enforced. This is a subtle change but permits certain My Servers features such as Remote Access. Upon upgrading, you will need to modify any server bookmarks with the new the URL. Alternately, if you have installed the My Servers plugin, a local access link is included for each server on your Dashboard. If you have not installed My Servers plugin, since there is no DDNS update daemon, we recommend setting up either a static DHCP lease, or assign a static IP address for your server. Finally, we have set up nginx such that the URL's: http://<server-name>.<local-tld>/ or https://<server-name>.<local-tld>/ will redirect to https://[lan-ip].[hash].myunraid.net More information including use cases may be found in Documentation here. Linux Kernel Upgrade to [rc4] Linux 5.15.x kernel which includes so-called Sequoia and Dirty Pipe vulnerability mitigations. In-tree GPU drivers are now loaded by default if corresponding hardware is detected: amdgpu ast i915 radeon These drivers are required mostly for motherboard on-board graphics used in GUI boot mode. Loading of a driver can be prohibited by creating the appropriate file named after the driver: echo "blacklist i915" > /boot/config/modprobe.d/i915.conf Alternately, the device can be isolated from Linux entirely via the System Devices page. Note that in Unraid OS 6.9 releases the in-tree GPU drivers are blacklisted by default and to enabling loading a driver you need to create an empty "conf" file. After upgrading to Unraid OS 6.10 you may delete those files, or leave them as-is. This change was made to greatly improve the Desktop GUI experience for new users. Added support for Intel GVT-g, which lets you split your Intel i915 iGPU into multiple virtual GPUs and pass them through to multiple VMs, using @ich777's Intel-GVT-g plugin. Added support for gnif/vendor-reset. This simplifies @ich777's AMD Vendor Reset plugin which permits users to get their AMD video cards to reset properly. [rc2] Added so-called "add-relaxable-rmrr-5_8_and_up.patch" modified for our kernel https://github.com/kiler129/relax-intel-rmrr/blob/master/patches/add-relaxable-rmrr-5_8_and_up.patch Thanks to @ich777 for pointing this out. [rc2] Enabled additional ACPI kernel options [rc2] Enabled TPM kernel modules (not utilized yet) - note this is for Unraid host utilizing physical TPM, not emulated TPM support for virtual machnes. [rc4] Updated out-of-tree drivers [rc5] Support Realtek RTL8152/RTL8153 Based USB Ethernet Adapters Base Packages Virtually the entire base package set has been updated. [rc2] For SMB: Samba version 4.15 SMB3 multi-channel is no longer marked "experimental", however is disabled by default. This may be enabled on the Settings/SMB Settings page. Some users have reported issues with SMB3 multi-channel in conjunction with certain network bond configurations. [rc2] Per request we added the mcelog package. With inclusion of this package, if you have an AMD processor you may see this error message in the system log: mcelog: ERROR: AMD Processor family 23: mcelog does not support this processor. Please use the edac_mce_amd module instead. We're not sure what to make of this. It appears mcelog is being deprecated in favor of rasdaemon. This is something we need to research further. Other improvements available in 6.10, which are maybe not so obvious to spot from the release notes and some of these improvements are internal and not really visible: Event driven model to obtain server information and update the webGUI in real-time The advantage of this model is its scalability. Multiple browsers can be opened simultaneously to the webGUI without much impact In addition stale browser sessions won't create any CSRF errors anymore People who keep their browser open 24/7 will find the webGUI stays responsive at all times [rc3] Consistent state information is maintained across all browser instances open to a particular server Docker labels Docker labels are added to allow people using Docker compose to make use of icons and GUI access Look at a Docker 'run' command output to see exactly what labels are used Docker custom networks A new setting for custom networks is available. Originally custom networks are created using the macvlan mode, and this mode is kept when upgrading to version 6.10 The new ipvlan mode is introduced to battle the crashes some people experience when using macvlan mode. If that is your case, change to ipvlan mode and test. Changing of mode does not require to reconfigure anything on Docker level, internally everything is being taken care off. Docker bridge network (docker0) docker0 now supports IPv6. This is implemented by assigning docker0 a private IPv6 subnet (fd17::/64), similar to what is done for IPv4 and use network translation to communicate with the outside world Containers connected to the bridge network now have both IPv4 and IPv6 connectivity (of course the system must have IPv6 configured in the network configuration) In addition several enhancements are made in the IPv6 implementation to better deal with the use (or no-use) of IPv6 Plugins page The plugins page now loads information in two steps. First the list of plugins is created and next the more time consuming plugin status field is retrieved in the background. The result is a faster loading plugins page, especially when you have a lot of plugins installed Dashboard graphs The dashboard has now two graphs available. The CPU graph is displayed by default, while the NETWORK graph is a new option under Interface (see the 'General Info' selection) The CPU graph may be hidden as well in case it is not desired Both graphs have a configurable time-line, which is by default 30 seconds and can be changed independently for each graph to see a longer or shorter history. Graphs are updated in real-time and are useful to observe the behavior of the server under different circumstances Scheduler Improvements [rc3] You can now split a parity check into smaller pieces and let it run over multiple days or weeks. For example a check can be performed in a time frame of 01:00am to 06:00am for several days in a row until it is completed. This way a long parity check won’t interfere with the normal day activities, like watching a movie. [rc3] Added ability to schedule pool 'balance' and 'scrub' operations and calculate whether a full balance is recommended. Other Changes We switched to a better-maintained version of the WSD server component called wsdd2 in an effort to eliminate instances where the wsd daemon would start consuming 100% of a CPU core. Fixed issue where you couldn't create a docker image on a share name that contains a space. Fixed issue where 'mover' would not move to a pool name that contains a space. Fixed issue in User Share file system where permissions were not being honored. We increased the font size in Terminal and [rc2] fixed issue with macOS Monterey. Terminal font size is configurable via Settings/Display Settings page. [rc2] Fixed jumbo frames not working. [rc2] sysctl: handle net.netfilter.nf_conntrack_count max exceeded (increase setting to 131072) - hattip to Community Member @DieFalse [rc2] Mover will create '.partial' file and then rename upon completion. [rc2] Enabled NFSv4 support. [rc2] Check bz file sha256sums at boot time. [rc3] Fixed bug found by @thohell where md_sync_limit was not being honored to limit stripe_head cache usage when other I/O is active. The effect of this fix is to drastically slow down parity operations if other I/O is happening (such as streaming a video). Throttling of parity sync operations can be adjusted by changing the 'Settings/Disk Settings/Tunable (md_sync_limit)' value. [rc3] Fixed btrfs pool device replace corner cases. Important note: if you 'unassign' a device from a btrfs multiple-device pool, and that device is still physically present, upon array Start we will erase the LUKS header on the device if present, and delete the partition structure, thereby effectively erasing all the data contained on the device. This is necessary in order to convince btrfs to no longer use the device and to free it for assignment to another pool. [rc3] For cookies managed by webGUI, changed sameSite cookie attribute from 'strict' to 'lax'. This change was made to solve an issue with Terminal window not opening in Safari. [rc5] Fixed a bug where replacing a device in a multiple-device btrfs pool would still tag the old device as missing. [rc5] Fixed an issue where hot plugging a device in a server with spun-down SAS drive(s) could cause the SAS drive(s) to appear unassigned. [rc5] Fixed an issue where the server would disappear from Windows Network after docker and/or VM startup. [rc5] Fixed md/unraid driver regression which would confuse XFS, making it think an online shrink had occurred. [rc5] Fixed: Prevent Unraid from hanging when the array is stopped, while VMs are in paused or suspended state. [rc6] Added ServerChan and Pushplus notification agents, thanks to @ludoux Numerous other small bug fixes and improvements. Credits Special thanks to all our beta testers and especially: @bonienl for his continued refinement and updating of the Dynamix webGUI. @Squid for continued refinement of Community Apps and associated feed. @dlandon for continued refinement of Unassigned Devices plugin and patience as we change things under the hood. @ich777 for assistance and passing on knowledge of Linux kernel config changes to support third party drivers and other kernel-related functionality via plugins. @SimonF for refinements to System Devices page and other webGUI improvements. @thohell for an extra set of eyes looking at md/unraid driver and for work-in-progress of adding changes to support multiple Unraid arrays. Version 6.10.0-rc7 2022-05-05 (vs. 6.10.0-rc5) Base distro: curl: version 7.83.0 (CVE-2022-22576 CVE-2022-27774 CVE-2022-27775 CVE-2022-27776) docker: version 20.10.14 (CVE-2022-24769) intel-microcode: version 20220419 kernel-firmware: version 20220425_ac21ab5 libvirt: 8.2.0 nginx: verstion 1.21.6 php: version 7.4.29 samba: version 4.15.7 (CVE-2021-44141 CVE-2021-441412 CVE-2022-0336) swtpm:version 0.7.3 (CVE-2022-23645) Linux kernel: Linux 5.15.37-Unraid GIGABYTE_WMI: Gigabyte WMI temperature driver patch: "drm/i915/gen11: Moving WAs to icl_gt_workarounds_init()" oot: ixgbe: revert back to in-tree driver [-rc7] Management: better IPv6 suport emhttpd: delete all PHP sessions when root password is changed (logs everyone out) rc.libvirt: test the existence of a VM before adding it to the NAMES list webgui: Adjusted row highlighting on main and shares page to better suit people with color impairment webgui: Shares: fix wrong size computation webgui: Wireguard: fix import function to accept all keys webgui: Parity check: allow spinup/spindown when operation is paused webgui: fix: remove reauthentication msg from email notifications webgui: Docker: Ignore icon references to default question mark webgui: Docker: translation optimization webgui: Translations: fix creation of empty sessions webgui: Add notification agent for ServerChan webgui: Add notification agent for Pushplus webgui: fix(upc): postmessage interference v1.0.1

This release includes some bug fixes and update of base packages. Notable changes: Revert out-of-tree Intel ixgbe network driver back to in-tree version. Changing root user password will log out all webGUI browser sessions. Changed the row highlighting on Main and Shares page. WireGuard improvments Improved IPv6 support Please note: It would be extremely helpful to us to report issues by creating separate Reports here rather than creating a reply in this topic. 6.10.0 Summary of Changes and New Features As always, prior to updating, create a backup of your USB flash device: "Main/Flash/Flash Device Settings" - click "Flash Backup". [rc3] Plugin Authors: We patched the upgradepkg script to prevent it from replacing an installed package with an earlier version of the same package, i.e., no downgrading. If a plugin really needs to replace a package with a downgraded version it can include the '--reinstall' option. Also be sure to check out the Dynamix File Manager plugin available now through Community Apps! UPC and My Servers Plugin The most visible new feature is located in the upper right corner of the webGUI header. We call this the User Profile Component, or UPC. The UPC allows a user to better manage their registration keys and install the optional My Servers plugin. My Servers is what we call our set of cloud-based services and features that integrate with your Unraid server(s). After installing the My Servers plugin, you will be prompted to sign-in your server with an existing Unraid.net account, or create a new Unraid.net account. Once installed here are some of the features of My Servers: Real-time Status - with the plugin installed each server tile on the My Servers Dashboard will display real-time status such as whether the server is online or offline, storage utilization and other information. Local Access link - this is a direct link the the server webGUI on your LAN. Remote Access link - if enabled, a link is displayed on the My Servers Dashboard to bring up a server webGUI remotely and over the Internet. Automatic Flash Backup - every registered server is provided with a private git repo initially populated with the contents of your USB flash boot device (except for certain files which contain private information such as passwords). Thereafter, configuration changes are automatically committed. A link is provided to download a custom zip file that can be fed as input to the USB Flash Creator tool to move your configuration to a new USB flash device. Notification of critical security-related updates. In the event a serious security vulnerability has been discovered and patched, we will send out a notification to all email addresses associated with registered servers. Posting privilege in a new set of My Servers forum boards. Signed-in servers maintain a websocket connection to a cloud-based Lime Technology proxy server for the purpose of relaying real-time status. Refer to the Privacy section for more information. Security Changes It is now mandatory to define a root password. We also created a division in the Users page to distinguish root from other user names. The root UserEdit page includes a text box for pasting SSH authorized keys. For new configurations, the flash share default export setting is No. For all new user shares, the default export setting is No. For new configurations, SMBv1 is disabled by default. For new configurations, telnet, ssh, and ftp are disabled by default. We removed certain strings from Diagnostics such as passwords found in the 'go' file. [rc6] Changing root user password will log out all webGUI browser sessions. Virtualization Both libvirt and qemu have been updated. In addition, qemu has been compiled with OpenGL support, and [rc2] ARM emulation (experimental). [rc2] To support Windows 11 which requires TPM and Secure boot, we have added TPM emulation; and, added a "Windows 11" VM template which automatically selects TPM-aware OVMF bios. Also, here are instructions for upgrading a Windows 10 VM to Windows 11. Special thanks to @ich777 who researched and determined what changes and components were necessary to provide this functionality. The built-in Firefox browser available in GUI-mode boot is built as an AppImage and located in the bzfirmware compressed file system image. This saves approximately 60MB of RAM. The Wireguard plugin has been integrated into webGUI, that is, no need for the plugin. If you had the plugin installed previously, it will be uninstalled and moved to the "Plugins/Plugin File Install Errors" page. No action is needed unless you want to press the Delete button to remove it from that page. Your WireGuard tunnels and settings will be preserved. [rc5] Resident network guru @bonienl has added the capability to bind a Wireguard virtual network interface to a docker container. One use of this feature is to configure a Wireguard-enabled VPN which may then be exclusively used by that container, while you main server makes use of the normal LAN network interface. Please refer to this post for additional details. Simplified installation of the Community Apps plugin. The webGUI automatically includes the Apps menu item, and if CA is not already installed, the page offers an Install button. No need to hunt for the plugin link. [rc3] Moving to Let's Encrypt wildcard SSL certificates. Starting with this release, we no longer issue new single-host SSL certificates (which we're calling legacy certificates). Instead, all new Unraid.net SSL certificates are wildcard certificates (still provided by Let's Encrypt). The URL used to access your server making use of a wildcard certificate has this form: https://[lan-ip].[hash].myunraid.net where, [lan-ip] is your severs LAN IP address with dots changed to dashes [hash] is a 40-character hex string (160 bits) unique to this server (and different from similar [hash] in legacy certificates) example: https://192-168-100-1.af01305221921f93aabae93f13800dcea41dc681e.myunraid.net We added a new DDNS server which listens at "myunraid.net". This server extracts [lan-ip] from the domain name and returns the IP address where the dashes are changed back into dots. There are several benefits to this approach for both our users and for us: Eliminates DNS propagation delays when you first provision a certificate or when a server LAN IP address (or WAN IP address) changes. Since the domain name includes the IP address, any IP address change also changes the domain name, hence will not be contained in any intermediate DNS cache. We also changed the TTL from 1 hour to 7 days further reducing overhead and alleviating issues where someone's internet goes down for brief periods. There is no longer a requirement for the server to actively update a DDNS server. Improves privacy because your remote access WAN IP address can't be determined by simply prepending "www" to your local access URL. Moves DNS functionality off the 'unraid.net' domain and isolates it on 'myunraid.net' domain. In previous releases code that provisions (allocates and downloads) an Unraid.net SSL certificate would first test if DNS Rebinding Protection was enforced on the user's LAN; and, if so, would not provision the certificate. Since there are other uses for a LE certificate we changed the code so that provision would always proceed. Next, we changed the logic behind the Auto selection of "Use SSL/TLS" setting on the Management Access page. Now it is only possible to select Auto if both a LE certificate has been provisioned and DNS Rebinding Protection is not enforced. This is a subtle change but permits certain My Servers features such as Remote Access. Upon upgrading, you will need to modify any server bookmarks with the new the URL. Alternately, if you have installed the My Servers plugin, a local access link is included for each server on your Dashboard. If you have not installed My Servers plugin, since there is no DDNS update daemon, we recommend setting up either a static DHCP lease, or assign a static IP address for your server. Finally, we have set up nginx such that the URL's: http://<server-name>.<local-tld>/ or https://<server-name>.<local-tld>/ will redirect to https://[lan-ip].[hash].myunraid.net More information including use cases may be found in Documentation here. Linux Kernel Upgrade to [rc4] Linux 5.15.x kernel which includes so-called Sequoia and Dirty Pipe vulnerability mitigations. In-tree GPU drivers are now loaded by default if corresponding hardware is detected: amdgpu ast i915 radeon These drivers are required mostly for motherboard on-board graphics used in GUI boot mode. Loading of a driver can be prohibited by creating the appropriate file named after the driver: echo "blacklist i915" > /boot/config/modprobe.d/i915.conf Alternately, the device can be isolated from Linux entirely via the System Devices page. Note that in Unraid OS 6.9 releases the in-tree GPU drivers are blacklisted by default and to enabling loading a driver you need to create an empty "conf" file. After upgrading to Unraid OS 6.10 you may delete those files, or leave them as-is. This change was made to greatly improve the Desktop GUI experience for new users. Added support for Intel GVT-g, which lets you split your Intel i915 iGPU into multiple virtual GPUs and pass them through to multiple VMs, using @ich777's Intel-GVT-g plugin. Added support for gnif/vendor-reset. This simplifies @ich777's AMD Vendor Reset plugin which permits users to get their AMD video cards to reset properly. [rc2] Added so-called "add-relaxable-rmrr-5_8_and_up.patch" modified for our kernel https://github.com/kiler129/relax-intel-rmrr/blob/master/patches/add-relaxable-rmrr-5_8_and_up.patch Thanks to @ich777 for pointing this out. [rc2] Enabled additional ACPI kernel options [rc2] Enabled TPM kernel modules (not utilized yet) - note this is for Unraid host utilizing physical TPM, not emulated TPM support for virtual machnes. [rc4] Updated out-of-tree drivers [rc5] Support Realtek RTL8152/RTL8153 Based USB Ethernet Adapters Base Packages Virtually the entire base package set has been updated. [rc2] For SMB: Samba version 4.15 SMB3 multi-channel is no longer marked "experimental", however is disabled by default. This may be enabled on the Settings/SMB Settings page. Some users have reported issues with SMB3 multi-channel in conjunction with certain network bond configurations. [rc2] Per request we added the mcelog package. With inclusion of this package, if you have an AMD processor you may see this error message in the system log: mcelog: ERROR: AMD Processor family 23: mcelog does not support this processor. Please use the edac_mce_amd module instead. We're not sure what to make of this. It appears mcelog is being deprecated in favor of rasdaemon. This is something we need to research further. Other improvements available in 6.10, which are maybe not so obvious to spot from the release notes and some of these improvements are internal and not really visible: Event driven model to obtain server information and update the webGUI in real-time The advantage of this model is its scalability. Multiple browsers can be opened simultaneously to the webGUI without much impact In addition stale browser sessions won't create any CSRF errors anymore People who keep their browser open 24/7 will find the webGUI stays responsive at all times [rc3] Consistent state information is maintained across all browser instances open to a particular server Docker labels Docker labels are added to allow people using Docker compose to make use of icons and GUI access Look at a Docker 'run' command output to see exactly what labels are used Docker custom networks A new setting for custom networks is available. Originally custom networks are created using the macvlan mode, and this mode is kept when upgrading to version 6.10 The new ipvlan mode is introduced to battle the crashes some people experience when using macvlan mode. If that is your case, change to ipvlan mode and test. Changing of mode does not require to reconfigure anything on Docker level, internally everything is being taken care off. Docker bridge network (docker0) docker0 now supports IPv6. This is implemented by assigning docker0 a private IPv6 subnet (fd17::/64), similar to what is done for IPv4 and use network translation to communicate with the outside world Containers connected to the bridge network now have both IPv4 and IPv6 connectivity (of course the system must have IPv6 configured in the network configuration) In addition several enhancements are made in the IPv6 implementation to better deal with the use (or no-use) of IPv6 Plugins page The plugins page now loads information in two steps. First the list of plugins is created and next the more time consuming plugin status field is retrieved in the background. The result is a faster loading plugins page, especially when you have a lot of plugins installed Dashboard graphs The dashboard has now two graphs available. The CPU graph is displayed by default, while the NETWORK graph is a new option under Interface (see the 'General Info' selection) The CPU graph may be hidden as well in case it is not desired Both graphs have a configurable time-line, which is by default 30 seconds and can be changed independently for each graph to see a longer or shorter history. Graphs are updated in real-time and are useful to observe the behavior of the server under different circumstances Scheduler Improvements [rc3] You can now split a parity check into smaller pieces and let it run over multiple days or weeks. For example a check can be performed in a time frame of 01:00am to 06:00am for several days in a row until it is completed. This way a long parity check won’t interfere with the normal day activities, like watching a movie. [rc3] Added ability to schedule pool 'balance' and 'scrub' operations and calculate whether a full balance is recommended. Other Changes We switched to a better-maintained version of the WSD server component called wsdd2 in an effort to eliminate instances where the wsd daemon would start consuming 100% of a CPU core. Fixed issue where you couldn't create a docker image on a share name that contains a space. Fixed issue where 'mover' would not move to a pool name that contains a space. Fixed issue in User Share file system where permissions were not being honored. We increased the font size in Terminal and [rc2] fixed issue with macOS Monterey. Terminal font size is configurable via Settings/Display Settings page. [rc2] Fixed jumbo frames not working. [rc2] sysctl: handle net.netfilter.nf_conntrack_count max exceeded (increase setting to 131072) - hattip to Community Member @DieFalse [rc2] Mover will create '.partial' file and then rename upon completion. [rc2] Enabled NFSv4 support. [rc2] Check bz file sha256sums at boot time. [rc3] Fixed bug found by @thohell where md_sync_limit was not being honored to limit stripe_head cache usage when other I/O is active. The effect of this fix is to drastically slow down parity operations if other I/O is happening (such as streaming a video). Throttling of parity sync operations can be adjusted by changing the 'Settings/Disk Settings/Tunable (md_sync_limit)' value. [rc3] Fixed btrfs pool device replace corner cases. Important note: if you 'unassign' a device from a btrfs multiple-device pool, and that device is still physically present, upon array Start we will erase the LUKS header on the device if present, and delete the partition structure, thereby effectively erasing all the data contained on the device. This is necessary in order to convince btrfs to no longer use the device and to free it for assignment to another pool. [rc3] For cookies managed by webGUI, changed sameSite cookie attribute from 'strict' to 'lax'. This change was made to solve an issue with Terminal window not opening in Safari. [rc5] Fixed a bug where replacing a device in a multiple-device btrfs pool would still tag the old device as missing. [rc5] Fixed an issue where hot plugging a device in a server with spun-down SAS drive(s) could cause the SAS drive(s) to appear unassigned. [rc5] Fixed an issue where the server would disappear from Windows Network after docker and/or VM startup. [rc5] Fixed md/unraid driver regression which would confuse XFS, making it think an online shrink had occurred. [rc5] Fixed: Prevent Unraid from hanging when the array is stopped, while VMs are in paused or suspended state. [rc6] Added ServerChan and Pushplus notification agents, thanks to @ludoux Numerous other small bug fixes and improvements. Credits Special thanks to all our beta testers and especially: @bonienl for his continued refinement and updating of the Dynamix webGUI. @Squid for continued refinement of Community Apps and associated feed. @dlandon for continued refinement of Unassigned Devices plugin and patience as we change things under the hood. @ich777 for assistance and passing on knowledge of Linux kernel config changes to support third party drivers and other kernel-related functionality via plugins. @SimonF for refinements to System Devices page and other webGUI improvements. @thohell for an extra set of eyes looking at md/unraid driver and for work-in-progress of adding changes to support multiple Unraid arrays. Version 6.10.0-rc6 2022-05-04 (vs. 6.10.0-rc5) Base distro: curl: version 7.83.0 (CVE-2022-22576 CVE-2022-27774 CVE-2022-27775 CVE-2022-27776) docker: version 20.10.14 (CVE-2022-24769) intel-microcode: version 20220419 kernel-firmware: version 20220425_ac21ab5 libvirt: 8.2.0 nginx: verstion 1.21.6 php: version 7.4.29 samba: version 4.15.7 (CVE-2021-44141 CVE-2021-441412 CVE-2022-0336) swtpm:version 0.7.3 (CVE-2022-23645) Linux kernel: Linux 5.15.37-Unraid GIGABYTE_WMI: Gigabyte WMI temperature driver patch: "drm/i915/gen11: Moving WAs to icl_gt_workarounds_init()" oot: ixgbe: revert back to in-tree driver Management: better IPv6 suport emhttpd: delete all PHP sessions when root password is changed (logs everyone out) rc.libvirt: test the existence of a VM before adding it to the NAMES list webgui: Adjusted row highlighting on main and shares page to better suit people with color impairment webgui: Shares: fix wrong size computation webgui: Wireguard: fix import function to accept all keys webgui: Parity check: allow spinup/spindown when operation is paused webgui: fix: remove reauthentication msg from email notifications webgui: Docker: Ignore icon references to default question mark webgui: Docker: translation optimization webgui: Translations: fix creation of empty sessions webgui: Add notification agent for ServerChan webgui: Add notification agent for Pushplus webgui: fix(upc): postmessage interference v1.0.1