nearcatch

  1. Restrict unbalanced LAN Access

     I haven't liked that unbalanced is available to anyone in my LAN once it's started, but I have figured out a solution for myself. Sharing the steps here for anyone else who is curious and uses a reverse proxy for other things, like I was.

     How-to

     1. Set up your reverse proxy to have an authenticated subdomain for unbalanced. I use Traefik and Authelia. You will have to do something specific to your setup, but this is what I added to my Traefik config file:

     ```yaml
     http:
       routers:
         unbalanced-rtr:
           rule: "Host(`unbalanced.unraid.lan`)"
           entryPoints:
             - websecure
           middlewares:
             - chain-authelia-lan
             - error-pages@docker
           service: unbalanced-svc
       services:
         unbalanced-svc:
           loadBalancer:
             servers:
               - url: "http://192.168.1.10:7090" # substitute your unraid server's IP address and unbalanced port
     ```

     2. Run these iptables rules in a console session so that any request to unbalanced's port gets rejected, unless it is from Unraid's IP or the IP range of your reverse proxy's network. Substitute the correct IP addresses and ports for your network. You can also add these to your go file to have them activated every time Unraid is rebooted.

     ```bash
     iptables -A INPUT -p tcp --dport 7090 -s 10.10.1.0/24 -j ACCEPT # substitute the subnet your reverse proxy uses. you can also limit this to the exact IP of your reverse proxy docker container if you want
     iptables -A INPUT -p tcp --dport 7090 -s 192.168.1.10 -j ACCEPT
     iptables -A INPUT -p tcp --dport 7090 -j REJECT --reject-with tcp-reset
     ```

     Result

     After these two steps, unbalanced cannot be accessed by the ip:port of my Unraid server. It can only be accessed using https://unbalanced.unraid.lan, and because I add Authelia using a Traefik middleware, it requires authentication instead of being freely accessible.

     No reverse proxy?

     If you don't use a reverse proxy, you can still do step 2 and edit the 1st iptables rule to reject any request to unbalanced's port except from one specific computer on your LAN, which should still help limit access.

     EDIT: Also for those who don't know, you can remove the iptables rules by running them again with "-D" instead of "-A". Restarting your Unraid server will also reset your iptables if you haven't modified your go file with these rules.
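Because `-A` appends, the order of the three rules in step 2 decides whether the port is actually closed. A checker for that ordering, as an added example that is not part of the original post: `audit_port_rules` is a hypothetical helper, and the sample rules are constructed in the format `iptables -S INPUT` prints.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the post above).
# audit_port_rules PORT  -- reads `iptables -S INPUT` text on stdin.
# Assumption: only rules that name PORT via --dport are judged; a broader rule
# earlier in the chain (for example a blanket ACCEPT) is out of scope.
audit_port_rules() {
    awk -v port="$1" '
        # Value that follows a flag such as -s or -j, or "" if the flag is absent.
        function arg(flag,   i) {
            for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
            return ""
        }
        function append(list, item) { return (list == "") ? item : (list "," item) }

        $1 != "-A" || $2 != "INPUT" || arg("--dport") != port { next }
        {
            target = arg("-j"); src = arg("-s")
            if (sealed) {
                # -A appends, so an ACCEPT added after the catch-all never matches.
                if (target == "ACCEPT") dead = append(dead, (src == "" ? "any" : src))
                next
            }
            if (target == "ACCEPT" && src == "") { wide = 1; exit }
            if (target == "ACCEPT") { allow = append(allow, src) }
            else if ((target == "REJECT" || target == "DROP") && src == "") { sealed = 1 }
        }
        END {
            if (wide)         print "open: ACCEPT without source restriction"
            else if (!sealed) print "open: no catch-all REJECT/DROP for port " port
            else print "restricted allow=" allow " dead=" (dead == "" ? "none" : dead)
        }
    '
}

# Constructed sample: the three rules from the post, plus a fourth appended later with -A.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 10.10.1.0/24 -p tcp -m tcp --dport 7090 -j ACCEPT
-A INPUT -s 192.168.1.10/32 -p tcp -m tcp --dport 7090 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7090 -j REJECT --reject-with tcp-reset
-A INPUT -s 192.168.1.50/32 -p tcp -m tcp --dport 7090 -j ACCEPT'
printf '%s\n' "$SAMPLE_RULES" | audit_port_rules 7090
# On the server itself: iptables -S INPUT | audit_port_rules 7090
```

An address reported under `dead=` was added after the catch-all and is never reached; inserting it with `-I` instead of `-A` places it ahead of the REJECT.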
  2. I was able to fix this on my unRAID server. IIRC the fix was to not use external networks, and instead let docker-compose create the networks my stack needed. My networks block:

     ```yaml
     ########################### NETWORKS
     networks:
       default:
         driver: bridge
       reverse_proxy:
         external: false
         name: reverse_proxy
         ipam:
           config:
             - subnet: ${REVERSE_PROXY_SUBNET}
               gateway: ${REVERSE_PROXY_GATEWAY}
       socket_proxy:
         external: false
         name: socket_proxy
         ipam:
           config:
             - subnet: ${SOCKET_PROXY_SUBNET}
               gateway: ${SOCKET_PROXY_GATEWAY}
       lan_ipvlan:
         external: false
         name: lan_ipvlan
         driver: ipvlan
         driver_opts:
           parent: br0
         ipam:
           config:
             - subnet: ${LAN_IPVLAN_SUBNET}
               gateway: ${LAN_IPVLAN_GATEWAY}
               ip_range: ${LAN_IPVLAN_IP_RANGE}
     ```
  3. For anyone interested, the below is the minimum required to run this container using docker-compose, based off the example docker command from the repo. You can modify it easily to use traefik or another reverse proxy instead of accessing directly by port. Change $CONTDIR to wherever you want to store the logs.

     ```yaml
     preclear:
       container_name: preclear
       image: ghcr.io/binhex/arch-preclear:latest
       restart: unless-stopped
       privileged: true
       ports:
         - 5900:5900
         - 6080:6080
       environment:
         - WEBPAGE_TITLE=Preclear
         - VNC_PASSWORD=mypassword
         - ENABLE_STARTUP_SCRIPTS=yes
         - UMASK=000
         - PUID=0
         - PGID=0
       volumes:
         - $CONTDIR/preclear/config:/config
         - /boot/config/disk.cfg:/unraid/config/disk.cfg:ro
         - /boot/config/super.dat:/unraid/config/super.dat:ro
         - /var/local/emhttp/disks.ini:/unraid/emhttp/disks.ini:ro
         - /usr/local/sbin/mdcmd:/unraid/mdcmd:ro
         - /dev/disk/by-id:/unraid/disk/by-id:ro
         - /boot/config/plugins/dynamix/dynamix.cfg:/unraid/config/plugins/dynamix/dynamix.cfg:ro
         - /etc/ssmtp/ssmtp.conf:/unraid/ssmtp/ssmtp.conf:ro
         - /etc/localtime:/etc/localtime:ro
     ```
  4. Ah sorry, I misunderstood. I thought the other person was asking for the cli analogue, not the plugin analogue.
  5. I modified my docker compose update script to create a script to install docker scout on unraid. Save the script somewhere, source it in your profile.sh with `source /YOURPATHTOSCRIPT/dsupdate.source`, and then run with `dsupdate` or `dsupdate check`. This works for me on a linux x86 system. If your system is different then you may need to edit line 12 to pull the proper filename from the release page.

     ```bash
     #!/bin/bash
     alias notify='/usr/local/emhttp/webGui/scripts/notify'
     dsupdate() {
       SCOUT_LOCAL=$(docker scout version 2>/dev/null | grep version | cut -d " " -f2)
       SCOUT_LOCAL=${SCOUT_LOCAL:-"none"}
       echo Current: ${SCOUT_LOCAL}
       SCOUT_REPO=$(curl -s https://api.github.com/repos/docker/scout-cli/releases/latest | grep 'tag_name' | cut -d '"' -f4)
       if [ ${SCOUT_LOCAL} != ${SCOUT_REPO} ]; then
         dsdownload() {
           echo Repo: ${SCOUT_REPO}
           # curl -L "https://github.com/docker/scout-cli/releases/download/${SCOUT_REPO}/docker-scout_${SCOUT_REPO/v/}_$(uname -s)_$(uname -m).tar.gz" --create-dirs -o /tmp/docker-scout/docker-scout.tar.gz
           curl -L "https://github.com/docker/scout-cli/releases/download/${SCOUT_REPO}/docker-scout_${SCOUT_REPO/v/}_linux_amd64.tar.gz" --create-dirs -o /tmp/docker-scout/docker-scout.tar.gz
           tar -xf "${_}" -C /tmp/docker-scout/ --no-same-owner
           mkdir -p /usr/local/lib/docker/scout
           mv -T /tmp/docker-scout/docker-scout /usr/local/lib/docker/scout/docker-scout && chmod +x "${_}"
           rm -r /tmp/docker-scout
           cat "$HOME/.docker/config.json" | jq '.cliPluginsExtraDirs[]' 2>/dev/null | grep -qs /usr/local/lib/docker/scout 2>/dev/null
           if [ $? -eq 1 ]; then
             echo "Scout entry not found in .docker/config.json. Creating a backup and adding the scout entry."
             cp -vnT "$HOME/.docker/config.json" "$HOME/.docker/config.json.bak"
             cat "$HOME/.docker/config.json" | jq '.cliPluginsExtraDirs[.cliPluginsExtraDirs| length] |= . + "/usr/local/lib/docker/scout"' >"$HOME/.docker/config.json.tmp"
             mv -vT "$HOME/.docker/config.json.tmp" "$HOME/.docker/config.json"
           fi
           echo "Installed: $(docker scout version | grep version | cut -d " " -f2)"
           notify -e "docker-scout updater" -s "Update Complete" -d "New version: $(docker scout version | grep version | cut -d " " -f2)<br>Previous version: ${SCOUT_LOCAL}" -i "normal"
         }
         if [ -n "${1}" ]; then
           if [ "${1}" = "check" ]; then
             echo "Update available: ${SCOUT_REPO}"
             notify -e "docker-scout updater" -s "Update Available" -d "Repo version: ${SCOUT_REPO}<br>Local version: ${SCOUT_LOCAL}" -i "normal"
           else
             dsdownload
           fi
         else
           dsdownload
         fi
       else
         echo Repo: ${SCOUT_REPO}
         echo "Versions match, no update needed"
       fi
       unset SCOUT_LOCAL
       unset SCOUT_REPO
     }
     ```
  6. Wouldn't the equivalent be `docker compose pull SERVICENAME`? I always get extraction progress when pulling via docker compose.
  7. @jbrodriguez If you take PRs, I sent one on GitHub that losslessly compresses the png images.
  8. If you don't want to wait for the plugin to update, you can update docker-compose with this function I wrote and shared earlier in this topic. You can add it to your profile.sh.
  9. 1. The scripts work fine if I click "Run Script" in the UserScripts plugin options. For now, I have just been clicking "Run Script" on all these scripts manually when the server restarts. These are old scripts that I have not changed. Something in the plugin is not working. The graphics driver is unrelated. I just mentioned it because it was the reason I had to restart.

     2. Only "Run Script" button works. I don't believe they're successfully running when in the background, like it does when the server restarts. The "Run in Background" button from UserScripts plugin options produces the log I shared: the script logline followed by several atd[3975] loglines.
  10. I restarted today to install a gfx driver. The backgrounding scripts during server restart redirect to /dev/null so no logs, but I found these when I tried to manually background a script:

      ```
      Nov 1 14:49:10 unRAID emhttpd: cmd: /usr/local/emhttp/plugins/user.scripts/backgroundScript.sh /tmp/user.scripts/tmpScripts/jellyfin_mergerfs/script
      Nov 1 14:49:10 unRAID atd[3975]: PAM unable to dlopen(/lib64/security/pam_unix.so): /lib64/libc.so.6: version `GLIBC_2.38' not found (required by /lib64/libcrypt.so.1)
      Nov 1 14:49:10 unRAID atd[3975]: PAM adding faulty module: /lib64/security/pam_unix.so
      Nov 1 14:49:10 unRAID atd[3975]: Module is unknown
      Nov 1 14:49:16 unRAID emhttpd: cmd: /usr/local/emhttp/plugins/user.scripts/backgroundScript.sh /tmp/user.scripts/tmpScripts/zsh/script
      Nov 1 14:49:16 unRAID atd[4052]: PAM unable to dlopen(/lib64/security/pam_unix.so): /lib64/libc.so.6: version `GLIBC_2.38' not found (required by /lib64/libcrypt.so.1)
      Nov 1 14:49:16 unRAID atd[4052]: PAM adding faulty module: /lib64/security/pam_unix.so
      Nov 1 14:49:16 unRAID atd[4052]: Module is unknown
      ```
  11. Did you ever find a fix for this? I'm finding today that "on array start" scripts aren't running for me either. I'm not sure when the issue started since I don't often reboot my server, but I'm also on 6.12.4.
  12. New version of this function. Now it checks your local version and only downloads a new one if the github repo version is different or if docker-compose is missing entirely. It also sends an unRAID notification when a download happens, so you can run this function daily using cron or a userscript and get notified when an update happens.

      EDIT: new-new version. Now if you pass "check" when calling the function, it only notifies of new versions instead of downloading. Passing anything else or nothing will download a new version if available.

      HELP: If anyone knows how to print newlines into an unraid notification without using <br>, please let me know. <br> works fine for dashboard notifications but they look weird in discord notifications using a slack webhook.

      ```bash
      # notify [-e "event"] [-s "subject"] [-d "description"] [-i "normal|warning|alert"] [-m "message"] [-x] [-t] [-b] [add]
      alias notify='/usr/local/emhttp/webGui/scripts/notify'

      # dc update
      dcupdate() {
        COMPOSE_LOCAL=$(docker compose version 2>/dev/null | cut -d " " -f4)
        COMPOSE_LOCAL=${COMPOSE_LOCAL:-"none"}
        COMPOSE_REPO=$(curl -s https://api.github.com/repos/docker/compose/releases/latest | grep 'tag_name' | cut -d '"' -f4)
        echo Current: ${COMPOSE_LOCAL}
        if [ ${COMPOSE_LOCAL} != ${COMPOSE_REPO} ]; then
          dcdownload() {
            echo Repo: ${COMPOSE_REPO}
            curl -L "https://github.com/docker/compose/releases/download/${COMPOSE_REPO}/docker-compose-$(uname -s)-$(uname -m)" --create-dirs -o /usr/local/lib/docker/cli-plugins/docker-compose && chmod +x "${_}"
            echo "Installed: $(docker compose version | cut -d ' ' -f4)"
            notify -e "docker-compose updater" -s "Update Complete" -d "New version: $(docker compose version | cut -d ' ' -f4)<br>Previous version: ${COMPOSE_LOCAL}" -i "normal"
          }
          if [ -n "${1}" ]; then
            if [ "${1}" = "check" ]; then
              echo "Update available: ${COMPOSE_REPO}"
              notify -e "docker-compose updater" -s "Update Available" -d "Repo version: ${COMPOSE_REPO}<br>Local version: ${COMPOSE_LOCAL}" -i "normal"
            else
              dcdownload
            fi
          else
            dcdownload
          fi
        else
          echo Repo: ${COMPOSE_REPO}
          echo "Versions match, no update needed"
        fi
        unset COMPOSE_LOCAL
        unset COMPOSE_REPO
      }
      ```

      First run passes "check" as an argument to check for updates without downloading. Second is passing a non "check" argument. Third is no argument:

      Notification for check only:

      Notification for completed update:
  13. See this post for an updated version of this function.

      I have this function in my profile.sh to update docker-compose without waiting for the plugin to be updated. This function works even if the plugin isn't installed, so if you only use docker-compose from the command-line, this is all you need.

      You'll need to re-run the command on a reboot. If you have the plugin installed, then a reboot will reset docker-compose to the plugin's docker-compose version. If you don't have the plugin, a reboot will remove docker-compose entirely. Probably you could add the function to the go file to install docker-compose on every reboot but I haven't tried.

      EDIT: I tried it in my go file and it worked on reboot to install on server start.

      ```bash
      dcupdate() {
        echo Current: $(docker compose version)
        COMPOSE_VERSION=$(curl -s https://api.github.com/repos/docker/compose/releases/latest | grep 'tag_name' | cut -d\" -f4)
        curl -L "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" --create-dirs -o /usr/local/lib/docker/cli-plugins/docker-compose && sudo chmod +x "${_}"
        unset COMPOSE_VERSION
        echo Updated: $(docker compose version)
      }
      ```

      Looks like this when you run it:
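The update functions in posts 5, 12 and 13 write the downloaded release straight to its install path and mark it executable. A checksum gate that could run between download and install, as an added example that is not part of the original posts: `install_if_verified` and its arguments are hypothetical names, and it assumes a checksum file in `sha256sum` format was downloaded alongside the binary.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the posts above).
# install_if_verified FILE SUMS ASSET DEST
#   FILE  downloaded binary, e.g. a temp file written by curl -o
#   SUMS  checksum file in sha256sum format ("<hex>  <name>" or "<hex> *<name>")
#   ASSET file name as it is listed inside SUMS
#   DEST  final install path
install_if_verified() {
    file=$1 sums=$2 asset=$3 dest=$4
    have=$(sha256sum "$file" | cut -d ' ' -f1)
    [ -n "$have" ] || return 2
    # Accept only a line that pairs this exact hash with this asset name, so an
    # HTML error page or the checksum of another platform's build does not pass.
    if awk -v h="$have" -v n="$asset" '
            { name = $2; sub(/^\*/, "", name) }
            tolower($1) == h && name == n { ok = 1 }
            END { exit !ok }' "$sums"
    then
        # Copy into place only after the check; DEST never holds an unverified file.
        mkdir -p "$(dirname "$dest")" && cp "$file" "$dest" && chmod 0755 "$dest"
    else
        echo "checksum mismatch for $asset, not installing" >&2
        return 1
    fi
}

# Constructed demo: a stand-in "binary" and its checksum file in a temp dir.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for a release binary\n' > "$demo_dir/docker-compose-linux-x86_64"
(cd "$demo_dir" && sha256sum docker-compose-linux-x86_64 > sums.txt)
install_if_verified "$demo_dir/docker-compose-linux-x86_64" "$demo_dir/sums.txt" \
    docker-compose-linux-x86_64 "$demo_dir/cli-plugins/docker-compose" && echo "installed"
rm -rf "$demo_dir"
```

A checksum fetched from the same release page catches truncated or corrupted downloads; it does not help if the release itself has been replaced.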
  14. Just following up to finish this thread: the second parity check just finished and 0 errors corrected. Hopefully helps someone in the future who searches for this issue.
  15. I precleared the parity drives to stress test them before doing the swaps, so I thought they would've been zeroed anyway. But I'll run a second parity check and see how it goes.