L0rdRaiden
-
Posts
568 -
Joined
-
Last visited
Content Type
Profiles
Forums
Downloads
Store
Gallery
Bug Reports
Documentation
Landing
Posts posted by L0rdRaiden
-
-
I have a problem with this compose, If I start the server and docker start automatically the proxy won't work, the dockers runs no apparent error appears but it will return a 404.
If I stop and start the compose it will work at any time, just after a reboot, just after an array stop, at any point in time it will return correctly the app behind traefik.
Any idea why is this and how to troubleshoot it?
############################################################### # Web Proxy DMZ ############################################################### # Common settings ############################################# x-default: &config restart: unless-stopped cpuset: 10,22,11,23,8,20,9,21 security_opt: - no-new-privileges:true x-dns: &dns dns: - 10.10.50.5 - 10.10.50.6 x-labels: &labels com.centurylinklabs.watchtower.enable: "true" net.unraid.docker.managed: "composeman" net.unraid.docker.shell: "sh" # Services #################################################### services: ## Traefik #################################################### traefik: container_name: ProxyDMZ-Traefik image: traefik:latest <<: [*config, *dns] depends_on: # - wpsocketproxy: # - modsecurity - crowdsec networks: # wp-netsocketproxy: # wp-netmodsecurity: wp-netredis: eth2: ipv4_address: ${ProxyDMZTraefik_ip} ports: - 80:80 - 443:443 - 8080:8080 # Dashboard port volumes: - /mnt/services/docker/WebProxyDMZ/Traefik:/etc/traefik/ environment: - TZ # - DOCKER_HOST=wpsocketproxy:2375 - CF_API_EMAIL_FILE - CF_DNS_API_TOKEN_FILE secrets: - CF_API_EMAIL - CF_DNS_API_TOKEN labels: <<: *labels net.unraid.docker.icon: "https://raw.githubusercontent.com/ibracorp/unraid-templates/master/icons/traefik.png" net.unraid.docker.webui: "https://traefik.domain.com/dashboard/#/" ## CrowdSec ################################################### crowdsec: image: crowdsecurity/crowdsec container_name: ProxyDMZ-CrowdSec <<: [*config, *dns] depends_on: - redis-cs networks: eth2: ipv4_address: ${ProxyDMZCrowdSec_ip} ports: - 8080:8080 #- 6060:6060 # PROMETEUS environment: TZ: COLLECTIONS: "crowdsecurity/traefik crowdsecurity/home-assistant crowdsecurity/http-cve crowdsecurity/whitelist-good-actors" # GID: "${GID-1000}" PGID: PUID: CUSTOM_HOSTNAME: CrowdSecDMZ DISABLE_LOCAL_API: "false" # True Only after successfully registering and validating remote agent below. volumes: - /mnt/services/docker/WebProxyDMZ/CrowdSec/data:/var/lib/crowdsec/data - /mnt/services/docker/WebProxyDMZ/CrowdSec:/etc/crowdsec - /mnt/services/docker/WebProxyDMZ/Traefik/logs:/var/log/traefik:ro - /mnt/services/docker/HomeAssistant:/var/log/homeassistant:ro labels: <<: *labels net.unraid.docker.icon: "https://raw.githubusercontent.com/ibracorp/app-logos/main/crowdsec/crowdsec.png" ## CrowdSec - Redis ########################################### redis-cs: image: redis:alpine container_name: ProxyDMZ-CrowdSec-Redis <<: *config command: [ "sh", "-c", "exec redis-server --requirepass $REDIS_PASSWORD" ] # redis-cli -a "password" --stat # select 1 # dbsize networks: wp-netredis: volumes: - /mnt/services/docker/WebProxyDMZ/Redis:/data environment: - TZ labels: <<: *labels net.unraid.docker.icon: "https://raw.githubusercontent.com/A75G/docker-templates/master/templates/icons/redis.png" # Networks #################################################### networks: eth2: name: eth2 external: true eth1: name: eth1 external: true # wp-netsocketproxy: # internal: true wp-netredis: internal: true # wp-netmodsecurity: # internal: true # Secrets ##################################################### secrets: # Traefik - CF_API_EMAIL CF_API_EMAIL: file: $SECRETSDIR/CF_API_EMAIL # Traefik - CF_API_EMAIL CF_DNS_API_TOKEN: file: $SECRETSDIR/CF_DNS_API_TOKEN -
2 minutes ago, ich777 said:
The necessary options in the Kernel should be included in 6.13.x so that community developers can build a plugin around it.
Why it would need a plugin? To configure it via webui?
-
9 hours ago, bland328 said:
@bobbintb, did you happen to use any particular guide to accomplish this? Or have one in mind that you recommend? I'm also in need of auditd support, and though I have many years of Linux experience, I have yet to build a custom kernel. Thanks for any advice!
Someone told me that they might add auditd in 6.13. So I am waiting for it
-
Could you please include docker scout cli binaries as part of compose manager?
-
2 hours ago, jcbshw said:
Thanks @mtongnz for the fixes! I am new to Unraid and my biggest annoyances was the docker gui when using compose.
Everything is mostly working as expected. Only my gluetun container keeps showing an update after doing "update stack". All other updates have disappeared.
It's a general issue, the integration between compose and docker is not native. I guess unRAID should do some changes to accommodate better docker compose while using compose manager
-
On 11/27/2023 at 11:46 AM, yolo said:
is this differ from bridge and host? --dns for bridge, another for host?
With that settings the docker will use both DNS, it is something "normal" in case 1 fails to add 2 DNS, you can add 1 only and will work as well
-
any chance someone can add this packages via plugin?
-
6 hours ago, hrv231 said:
Hello,
I just want to check if this is normal in this plugin?
I'm running a normal docker compose to test the plugin.Each of my services are running like this, example:
graylog: networks: eth0: ipv4_address: 10.10.10.20 networks: eth0: external: true name: eth0The Docker tab doesn't show the name of my network, instead it shows the id of it.
I'm using macvlan, "no bridge" and "no bonding"
root@Tower:~# docker network inspect eth0 [ { "Name": "eth0", "Id": "a38b1ae9bf3865b59f1c58c33308a3885528d2d57241ed44fe812caa63aae6d3", "Created": "2023-11-18T17:02:18.576907217-08:00", "Scope": "local", "Driver": "macvlan", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": {}, "Config": [ {
I have the same config with the same result. Everything is fine the problem is unRAID compatibility with docker compose to represent the config in the webui
-
8 minutes ago, Ademar said:
To make it easy for myself, I set up a dedicated Debian VM where I follow the official "Docker install" procedure.
https://support.sandflysecurity.com/support/solutions/articles/72000078453-docker-image-installhttps://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html
Wazuh AGENT as a docker container sounds like a terrible idea.But I understand that wazuh is useless if you can't install wazuh agent directly on unRAID OS, right?
I will try with sandy first and the once auditd is ready I will integrate the logs in security onion
-
On 12/3/2023 at 10:26 PM, Ademar said:
@InfInIty I've tried Sandfly, and that is able to scan Unraid over SSH. Some of the checks it's trying to do can't be completed, possibly due to Docker being used. But it does pass a lot of checks, and fail some. I also see there is an agentless mode to Wazuh, I haven't tried that yet.
Where you have installed sandfly? in a VM? have you encountered any issue during installation or it works fine just by following the documentation?
Wazuh agent over docker is not officially supported, although there are some unofficial images on github.
I have been told in private that soon there will be official support for auditd in Unraid, I think this will be the best option to monitor the security, anyway I plan to try sandfly.
-
unRAID should open source some of the basic components like VM and docker, and leave everything else close source.
-
1
-
-
If I add my the "compose manager" labels to my docker compose file, should I delete the docker-compose.override.yml? is there a way to override this file and use exclusively whatever I set in the compose label?
I see in some cases inconsistencies where the content of this file does not match the labels defined for it in docker compose.
I am using labels like this
lables:
- "com.centurylinklabs.watchtower.enable=true"
- "net.unraid.docker.managed=composeman"
- "net.unraid.docker.shell=sh"
- "net.unraid.docker.icon=https://raw.githubusercontent.com/ibracorp/unraid-templates/master/icons/traefik.png"
- "net.unraid.docker.webui=https://traefik.dsaasddsa.com.es/dashboard/#/"
-
3 hours ago, mans_ said:
I don't understand why the developers force us on having reliance on other software. Unraid devs simply force us users to using proxmox because there is no native VM backup and snapshot. Multiple unraid array pools is kind of a luxury to have with present options already available but native VM backup and snapshot is a necessity. There is complete lack of ignorance and no proper support for VMs by not giving us native VM backup and snapshot. This is the only reason why people virtulize unraid with proxmox. I love unraid and the thank the devs for their work but I'm deeply disappointed in this aspect. I hope this constructive feedback finds y'all well.
Or proxmox is forcing me to use unRAID because they don't have native docker support. Although unRAID doesn't support docker compose either
-
After a cold boot is working again, I did a scrub and ended ok just in case.
But what is the meeaning of CKSUM at 3? do I have to do something else? do I have to be worried about this?
-
I have 2 samsung 990 pro nvme that are a few weeks old in a mirror zfs pool.
Now one of them is degraded
The problem started with this log
Unraid kernel: nvme nvme2: I/O 249 (I/O Cmd) QID 1 timeout, aborting
You can see everything in the diagnostics.
Is really the HW broken? is there a way to recover it if it's not a hw problem?
In scrutiny both drives seems ok
-
On 11/8/2023 at 9:42 PM, primeval_god said:
Right but the things it reports arent things that the user can do anything about (unless they are willing to build there own docker images that is). Its primary audience would be the developers who build the images. The majority of unRAID users aren't building their own images, or even getting them from Docker hub i would wager, they are using what is available in CA.
Unraid apps catalog contains many dead projects, abandoned images, etc. mainly because you are force to use docker run instead compose so people in the community in many cases have done custom images to overcome unraid's limitations, like when needs more than 1 image to work, any project like this requires a custom unofficial image to be an app in Unraid's catalog.
The reports are useful to understand the vulnerabilities of the images and act about it, you can do a lot, like using another image or not using it at all because is a service that you have published on internet and is vulnerable to a remote attack.
-
3 hours ago, primeval_god said:
This looks like a tool for docker images developers. I am not sure of how much utility it would be for unRAID users.
It's a tool that can give you all the vulnerabilities and misconfigurations of the local images.
Is meant for devs in an enterprise environment because enterprises don't use docker CLI in production or preprod environments but since unRAID does we can use it to have this information about the security vulnerabilities of the images used by the containers.
-
Docker recently release Docker Scout.
I think it would be interesting at least to have the scout-cli already included in Unraid by default. An step further would be an additional page in unraid to see a report of the vulnerabilities found, the command line is pretty simple and the output could be easily formated for a web internface.
https://docs.docker.com/scout/
https://github.com/docker/scout-cli
https://docs.docker.com/scout/dashboard (this is only docker hub, doesn't apply just interesting)
@primeval_god I think it might be of your interest since you are already adding the compose packages via plugin, although official support would be ideal
-
9 minutes ago, JorgeB said:
Still the same as what I wrote before.
But is there any logic behind why this error appears for the first time after years of using the same processor with unRAID? It's a 3900x
-
On 8/16/2022 at 1:14 PM, JorgeB said:
Unraid will still boot, just mcelog won't load, the unsupported CPU message is just about that, LT already mentioned that in the future mcelog will be replaced wit rasdemon, that one also supports newer AMD CPUs.
Is this still a problem?
Nov 5 07:37:19 Unraid root: mcelog: ERROR: AMD Processor family 23: mcelog does not support this processor. Please use the edac_mce_amd module instead.
Nov 5 07:37:19 Unraid root: CPU is unsupportedI got this today on 6.12.4
-
more elegant now with the labels in the compose
###############################################################
# Adguard Home 6
###############################################################
# Common settings #############################################
x-default: &config
restart: unless-stopped
cpuset: 12,13,14,15
security_opt:
- no-new-privileges:true
#dns:
# - 10.10.50.5
# - 10.10.50.6
x-labels: &labels
com.centurylinklabs.watchtower.enable: "true"
net.unraid.docker.managed: "composeman"
net.unraid.docker.shell: "sh"
net.unraid.docker.icon: "https://raw.githubusercontent.com/SiwatINC/unraid-ca-repository/master/icons/adguard.png"
# Services ####################################################
services:
# Adguard Home 6 Internal ######################################
adguardhomeint6:
container_name: AdGuardHomeINT6
image: adguard/adguardhome
<<: *config
networks:
eth1:
ipv4_address: 10.10.40.6
ports:
- "53:53/tcp" # Plain DNS
- "53:53/udp" # Plain DNS
# - "67:67/udp" # DHCP
# - "68:68/tcp" # DHCP
# - "68:68/udp" # DHCP
- "80:80/tcp" # HTTPS/DNS-over-HTTPS server & admin panel
- "443:443/tcp" # HTTPS/DNS-over-HTTPS server & admin panel
- "443:443/udp" # HTTPS/DNS-over-HTTPS server & admin panel
- "3000:3000/tcp" # admin panel
# - "853:853/tcp" # DNS-over-TLS server
# - "5443:5443/tcp" # DNSCrypt server
# - "5443:5443/udp" # DNSCrypt server
volumes:
- /mnt/services/docker/AdguardINT6/config:/opt/adguardhome/conf
- /mnt/services/docker/AdguardINT6/workingdir:/opt/adguardhome/work
labels:
<<: *labels
net.unraid.docker.webui: "http://10.10.40.6:80/"
# Adguard Home 6 DMZ ###########################################
adguardhomedmz6:
container_name: AdGuardHomeDMZ6
image: adguard/adguardhome
<<: *config
networks:
eth2:
ipv4_address: 10.10.50.6
ports:
- "53:53/tcp" # Plain DNS
- "53:53/udp" # Plain DNS
# - "67:67/udp" # DHCP
# - "68:68/tcp" # DHCP
# - "68:68/udp" # DHCP
- "80:80/tcp" # HTTPS/DNS-over-HTTPS server & admin panel
- "443:443/tcp" # HTTPS/DNS-over-HTTPS server & admin panel
- "443:443/udp" # HTTPS/DNS-over-HTTPS server & admin panel
- "3000:3000/tcp" # admin panel
# - "853:853/tcp" # DNS-over-TLS server
# - "5443:5443/tcp" # DNSCrypt server
# - "5443:5443/udp" # DNSCrypt server
volumes:
- /mnt/services/docker/AdguardDMZ6/config:/opt/adguardhome/conf
- /mnt/services/docker/AdguardDMZ6/workingdir:/opt/adguardhome/work
labels:
<<: *labels
net.unraid.docker.webui: "http://10.10.50.6:80/"
# Networks ####################################################
networks:
eth1:
name: eth1
external: true
eth2:
name: eth2
external: true
-
1
-
-
I have this error constantly hitting my log, any idea what it could be or how to troubleshoot it?
-
On 6/10/2023 at 7:24 PM, L0rdRaiden said:
can we get support for auditd?
https://unix.stackexchange.com/questions/502878/slackware-14-2-turn-on-the-auditd-daemon
https://slackbuilds.org/repository/14.2/system/audit/ a newer version would be better.
https://slackbuilds.org/repository/15.0/system/audit/
https://github.com/linux-audit
I think is crucial to be able to monitor Unraid security
Or wazuh agent? not sure if it's compatible but this is the only reference to slackware I have found
https://github.com/wazuh/wazuh/blob/master/src/init/init.sh
Hi @EUGENI_CAT could you please consider this? right now Unraid lacks of any security monitor capabilities and this will open the door to any SIEM or recurity tool to be used to monitor Unraid host.
-
2 hours ago, tjb_altf4 said:
There are SKUs of the mellonox cards that are infiniband only, but don't think there are any in the MCX353A line up.
You can confirm support in the product manual
https://network.nvidia.com/pdf/user_manuals/ConnectX-3_VPI_Single_and_Dual_QSFP_Port_Adapter_Card_User_Manual.pdf
MCX353A working in Jerod's video below (after some troubleshooting)So any melanox card based on QSFP+ will be compatible with Unraid but if it's based on infinitiband I could have problems?
like these would be compatible?
Mellanox CX314A MCX314A-BCCT ConnectX-3 Pro 40GbE Dual-Port QSFP PCIe Card | eBay
Mellanox ConnectX-3 MCX354A-FCBT CX354A VPI 40/56GbE Dual-Port QSFP Adapter 789398906032 | eBay
[Plugin] Docker Compose Manager
in Plugin Support
Posted
that is exactly the problem, if you use the autostart built in docker compose manager, with some stacks it won't work correctly, don't ask me why.
I'm going to try the script and report back