Posts posted by raidfish

  1. On 5/17/2019 at 7:42 AM, Eadword said:

    While the current system is great for the average home network as a media server storing non-critical and non-confidential information on a private network, with a few changes, it could be ready for so much more...

     

    Where I'm coming from: I'm new to unraid, and I am a long time Linux-user with Windows as a side OS I avoid as much as possible. Currently I've been setting up a VFIO system, and because I won't just be using it to store media but to actually be my daily driver, I have certain security concerns with the current default configurations.

     

    The following is a list of changes I've compiled, largely from http://kmwoley.com/blog/securing-a-new-unraid-installation/ and somewhat ordered by importance:

    - SMB 1 disabled by default

    - FTP and Telnet disabled by default

    - HTTPS enabled with a self-signed cert out of the gate (love the cert authority setup though!)

    - make it more clear how to encrypt new drives (can't choose to encrypt when adding the device, has to be changed in the default filesystem setting)

    - new shares not exported by default, and when exported, Private by default

    - Don't export the USB boot media!!! (At least not by default and add an are you sure if you try to enable it)

    - firewall such as UFW installed and enabled by default with only TCP port 80 and 443 set to LIMIT and whatever SMB uses opened. GUFW could be pulled from for the GUI. And providing quick check boxes for common ports would make it easy, possibly auto enabling when you enable a core service.

    - Docker Isolation through Linux namespaces / subuids

    - allow tagging more shares for direct Linux VM mounting to prevent the need to pass through /mnt/user

    - better multiple-user support, it's a server, right? So people other than root should be able to ssh in and access the UI; ideally root login would be disabled with use of a wheel group instead

    - don't use 777 permissions by default, ideally users + groups, but at a minimum there is no reason for most things to be read, write, and execute by default!

    - support for openvpn

    - support for multiple different encryption keys


    And add other lurking issues to this. Even if you're not exposing a system to the public internet, a lot of these things can still cause problems if the system is up 24/7. There is no such thing as a "friendly environment" outside air-gapped systems, and my daily driver will definitely not be air gapped.

     

    Anyway, if you've made it this far and feel like this is a list of complaints, I'm sorry. I do like unraid and I already feel excited for where it's going.

    Has any of this been resolved since May 2019? Asking for a friend considering a purchase and trying to get an idea as to how security focused unraid is.

  2. Hi,

     

    thanks for the response. But this is precisely what is not working for me (or I have a fundamental flaw of how mover is supposed to be working):

    Quote

    Cache: Prefer - keeps data mainly on the Cache drive or pool, but allows overflow to the array
    - This is similar to Cache:Only, typically used for smaller shares or shares you want faster access to.  But it has additional advantages over Cache:Only - data that won't fit on the Cache drive can overflow to the array drives.  Also, if the Cache drive fails, the same share folders on the data drives will still continue working.  It's also useful if you don't yet have a Cache drive, but are planning to get one.  Once it is installed, the Mover will automatically (on its schedule) move all it can to the Cache drive.  And if you need to do maintenance on the Cache drive or pool, you can move all the files to the array, and they will be moved back once you are done 'maintaining'.


    Cache Prefer:

    It does not overflow (keeps saying folder full) nor does it move files off of the cache to free up space so it's not full anymore if I run mover manually.

     

    Cache Yes / No:

    Even if I set the cache to "Yes" or "No" and run mover manually it still keeps the files on the cache drive. For example attached screenshot is the result of setting it to no and running mover.

    It does say:

    May 23 09:41:16 BAK root: mover: started
    May 23 09:41:16 BAK root: mover: finished

     

    Am I looking at this the wrong way? For example is it impossible to move cached files off of the cache with mover if you set the share to cache: no?

    cache_no.PNG

  3. Hi,

     

    so I am testing unraid on a clean install right now.  Nothing major changed in terms of settings and nothing that should mess with the workings of the mover.

    Base setup is a parity drive, 3 data drives and a cache.

    I set up a testing homeshare for myself and set the caching to preferred.

    Copying data to it works but the cache is now filled and not emptied as scheduled and when fired manually.

     

    Running mover only results in

    May 23 08:24:14 BAK root: mover: started
    May 23 08:24:14 BAK root: mover: finished

     

    No files are moved.

     

    I tried to add the Community Addon "Mover Tuning" but it does not help my cause either.

    I set mover logging to enabled but it appears to not prompt anything more in-depth or I am looking in the wrong spot.

     

    I checked the log for "mover" related items but didn't find anything suspicious aside from "started" / "finished" being instantaneous.

     

    Is there anything I overlooked or need to configure before mover can work?

    main.PNG

    scheduler_and_mover_tuning.PNG

    bak-diagnostics-20200523-1725.zip
