Eadword

Posts posted by Eadword

  1. I have been meaning to fix this for a while, and I just finally decided now was the time. A while ago my server got moved to a new network and as a result has a new IP address (locally and externally). I had already set up an SSL certificate using the awesome Let's Encrypt support; however, now I find that any time I go to the page after moving the server, the certificate is categorized as invalid because the address does not match the cert.

    What is the correct way to basically start from scratch here? I don't think the "Update DNS" button works at all, but I might just not understand what it is for.

  2. Currently when you create a new Docker image, you are allowed to set the network to one of `bridge`, `host`, `none`, or a custom bridge. I would like to be able to specify another container such as `--net=container:networkmonitor` for instance. Ultimately docker-compose support would be ideal as hand-constructing container networks can be problematic, but this would be a simple add that makes it much easier in the short term.

  3. Hello everyone!

    Got a Linux VM (Antergos) up and running smoothly on my hardware, so I am a little surprised how many issues Windows has been giving me...

    I installed the virtio drivers and passed through my NVIDIA Asus GTX 1070 Strix OC 8GB. Before the NVIDIA drivers, the display was simply 800x600; after, it correctly recognized my 3 displays and resolutions. However, when I open Task Manager to track down why the entire system feels laggy (with the exception of the cursor, which moves as expected) and gets about 5 FPS in the Superposition benchmark on medium 1080p, it seems to be linked to the video card running at 100% as soon as I move a window or open/do just about anything.

    I went ahead and followed the spaceinvaderone video on NVIDIA passthrough without needing a second video card and can boot with the modified rom file (worked before too). Currently I have the exact same issue with/without the rom file, so I am not sure what else I may be missing. I did try switching from Q35 to i440fx without any changes. (techpowerup search) (chosen rom)

    Below are my configs/system details. Please let me know if you have any ideas and/or further questions. I feel so close!


    <?xml version='1.0' encoding='UTF-8'?>
    <domain type='kvm'>
      <name>Windows 10</name>
      <uuid>b1561c71-9755-eb1c-3fe2-84f420f54d8a</uuid>
      <metadata>
        <vmtemplate xmlns="unraid" name="Windows 10" icon="windows.png" os="windows10"/>
      </metadata>
      <memory unit='KiB'>22544384</memory>
      <currentMemory unit='KiB'>2097152</currentMemory>
      <memoryBacking>
        <nosharepages/>
      </memoryBacking>
      <vcpu placement='static'>6</vcpu>
      <cputune>
        <vcpupin vcpu='0' cpuset='1'/>
        <vcpupin vcpu='1' cpuset='5'/>
        <vcpupin vcpu='2' cpuset='2'/>
        <vcpupin vcpu='3' cpuset='6'/>
        <vcpupin vcpu='4' cpuset='3'/>
        <vcpupin vcpu='5' cpuset='7'/>
      </cputune>
      <os>
        <type arch='x86_64' machine='pc-i440fx-3.1'>hvm</type>
        <loader readonly='yes' type='pflash'>/usr/share/qemu/ovmf-x64/OVMF_CODE-pure-efi.fd</loader>
        <nvram>/etc/libvirt/qemu/nvram/b1561c71-9755-eb1c-3fe2-84f420f54d8a_VARS-pure-efi.fd</nvram>
      </os>
      <features>
        <acpi/>
        <apic/>
        <hyperv>
          <relaxed state='on'/>
          <vapic state='on'/>
          <spinlocks state='on' retries='8191'/>
          <vendor_id state='on' value='none'/>
        </hyperv>
      </features>
      <cpu mode='host-passthrough' check='none'>
        <topology sockets='1' cores='3' threads='2'/>
      </cpu>
      <clock offset='localtime'>
        <timer name='hypervclock' present='yes'/>
        <timer name='hpet' present='no'/>
      </clock>
      <on_poweroff>destroy</on_poweroff>
      <on_reboot>restart</on_reboot>
      <on_crash>restart</on_crash>
      <devices>
        <emulator>/usr/local/sbin/qemu</emulator>
        <disk type='file' device='disk'>
          <driver name='qemu' type='raw' cache='writeback'/>
          <source file='/mnt/user/domains/Windows 10/vdisk1.img'/>
          <target dev='hdc' bus='virtio'/>
          <boot order='1'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
        </disk>
        <controller type='virtio-serial' index='0'>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
        </controller>
        <controller type='pci' index='0' model='pci-root'/>
        <controller type='sata' index='0'>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
        </controller>
        <controller type='usb' index='0' model='qemu-xhci' ports='15'>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
        </controller>
        <interface type='bridge'>
          <mac address='52:54:00:6f:92:0b'/>
          <source bridge='br0'/>
          <model type='virtio'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
        </interface>
        <serial type='pty'>
          <target type='isa-serial' port='0'>
            <model name='isa-serial'/>
          </target>
        </serial>
        <console type='pty'>
          <target type='serial' port='0'/>
        </console>
        <channel type='unix'>
          <target type='virtio' name='org.qemu.guest_agent.0'/>
          <address type='virtio-serial' controller='0' bus='0' port='1'/>
        </channel>
        <input type='mouse' bus='ps2'/>
        <input type='keyboard' bus='ps2'/>
        <hostdev mode='subsystem' type='pci' managed='yes'>
          <driver name='vfio'/>
          <source>
            <address domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
          </source>
          <rom file='/mnt/user/isos/Asus.GTX1070.8192.161026.headerless.rom'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
        </hostdev>
        <hostdev mode='subsystem' type='pci' managed='yes'>
          <driver name='vfio'/>
          <source>
            <address domain='0x0000' bus='0x01' slot='0x00' function='0x1'/>
          </source>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
        </hostdev>
        <hostdev mode='subsystem' type='usb' managed='no'>
          <source>
            <vendor id='0x046d'/>
            <product id='0xc085'/>
          </source>
          <address type='usb' bus='0' port='1'/>
        </hostdev>
        <hostdev mode='subsystem' type='usb' managed='no'>
          <source>
            <vendor id='0x2516'/>
            <product id='0x0004'/>
          </source>
          <address type='usb' bus='0' port='2'/>
        </hostdev>
        <memballoon model='none'/>
      </devices>
    </domain>


    IOMMU group 0:	[8086:591f] 00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers (rev 05)
    IOMMU group 1:	[8086:1901] 00:01.0 PCI bridge: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor PCIe Controller (x16) (rev 05)
    IOMMU group 2:	[8086:5912] 00:02.0 VGA compatible controller: Intel Corporation HD Graphics 630 (rev 04)
    IOMMU group 3:	[8086:1911] 00:08.0 System peripheral: Intel Corporation Xeon E3-1200 v5/v6 / E3-1500 v5 / 6th/7th Gen Core Processor Gaussian Mixture Model
    IOMMU group 4:	[8086:a2af] 00:14.0 USB controller: Intel Corporation 200 Series/Z370 Chipset Family USB 3.0 xHCI Controller
    [8086:a2b1] 00:14.2 Signal processing controller: Intel Corporation 200 Series PCH Thermal Subsystem
    IOMMU group 5:	[8086:a2e0] 00:15.0 Signal processing controller: Intel Corporation 200 Series PCH Serial IO I2C Controller #0
    [8086:a2e1] 00:15.1 Signal processing controller: Intel Corporation 200 Series PCH Serial IO I2C Controller #1
    IOMMU group 6:	[8086:a2ba] 00:16.0 Communication controller: Intel Corporation 200 Series PCH CSME HECI #1
    IOMMU group 7:	[8086:a282] 00:17.0 SATA controller: Intel Corporation 200 Series PCH SATA controller [AHCI mode]
    IOMMU group 8:	[8086:a2e7] 00:1b.0 PCI bridge: Intel Corporation 200 Series PCH PCI Express Root Port #17 (rev f0)
    IOMMU group 9:	[8086:a2eb] 00:1b.4 PCI bridge: Intel Corporation 200 Series PCH PCI Express Root Port #21 (rev f0)
    IOMMU group 10:	[8086:a290] 00:1c.0 PCI bridge: Intel Corporation 200 Series PCH PCI Express Root Port #1 (rev f0)
    IOMMU group 11:	[8086:a294] 00:1c.4 PCI bridge: Intel Corporation 200 Series PCH PCI Express Root Port #5 (rev f0)
    IOMMU group 12:	[8086:a297] 00:1c.7 PCI bridge: Intel Corporation 200 Series PCH PCI Express Root Port #8 (rev f0)
    IOMMU group 13:	[8086:a2a7] 00:1e.0 Signal processing controller: Intel Corporation 200 Series/Z370 Chipset Family Serial IO UART Controller #0
    IOMMU group 14:	[8086:a2c5] 00:1f.0 ISA bridge: Intel Corporation 200 Series PCH LPC Controller (Z270)
    [8086:a2a1] 00:1f.2 Memory controller: Intel Corporation 200 Series/Z370 Chipset Family Power Management Controller
    [8086:a2f0] 00:1f.3 Audio device: Intel Corporation 200 Series PCH HD Audio
    [8086:a2a3] 00:1f.4 SMBus: Intel Corporation 200 Series/Z370 Chipset Family SMBus Controller
    IOMMU group 15:	[8086:15b8] 00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection (2) I219-V
    IOMMU group 16:	[10de:1b81] 01:00.0 VGA compatible controller: NVIDIA Corporation GP104 [GeForce GTX 1070] (rev a1)
    [10de:10f0] 01:00.1 Audio device: NVIDIA Corporation GP104 High Definition Audio Controller (rev a1)
    IOMMU group 17:	[144d:a804] 02:00.0 Non-Volatile memory controller: Samsung Electronics Co Ltd NVMe SSD Controller SM961/PM961
    IOMMU group 18:	[10b5:8609] 03:00.0 PCI bridge: PLX Technology, Inc. PEX 8609 8-lane, 8-Port PCI Express Gen 2 (5.0 GT/s) Switch with DMA (rev ba)
    [10b5:8609] 03:00.1 System peripheral: PLX Technology, Inc. PEX 8609 8-lane, 8-Port PCI Express Gen 2 (5.0 GT/s) Switch with DMA (rev ba)
    [10b5:8609] 04:01.0 PCI bridge: PLX Technology, Inc. PEX 8609 8-lane, 8-Port PCI Express Gen 2 (5.0 GT/s) Switch with DMA (rev ba)
    [10b5:8609] 04:05.0 PCI bridge: PLX Technology, Inc. PEX 8609 8-lane, 8-Port PCI Express Gen 2 (5.0 GT/s) Switch with DMA (rev ba)
    [10b5:8609] 04:07.0 PCI bridge: PLX Technology, Inc. PEX 8609 8-lane, 8-Port PCI Express Gen 2 (5.0 GT/s) Switch with DMA (rev ba)
    [10b5:8609] 04:09.0 PCI bridge: PLX Technology, Inc. PEX 8609 8-lane, 8-Port PCI Express Gen 2 (5.0 GT/s) Switch with DMA (rev ba)
    [1b21:1142] 05:00.0 USB controller: ASMedia Technology Inc. ASM1042A USB 3.0 Host Controller
    [1b21:1142] 06:00.0 USB controller: ASMedia Technology Inc. ASM1042A USB 3.0 Host Controller
    [1b21:1142] 07:00.0 USB controller: ASMedia Technology Inc. ASM1042A USB 3.0 Host Controller
    [1b21:1142] 08:00.0 USB controller: ASMedia Technology Inc. ASM1042A USB 3.0 Host Controller
    IOMMU group 19:	[1b21:2142] 0a:00.0 USB controller: ASMedia Technology Inc. ASM2142 USB 3.1 Host Controller
    IOMMU group 20:	[168c:002e] 0b:00.0 Network controller: Qualcomm Atheros AR9287 Wireless Network Adapter (PCI-Express) (rev 01)


  4. While the current system is great for the average home network as a media server storing non-critical and non-confidential information on a private network, with a few changes, it could be ready for so much more...

    Where I'm coming from: I'm new to unraid, and I am a long-time Linux user with Windows as a side OS I avoid as much as possible. Currently I've been setting up a VFIO system, and because I won't just be using it to store media but to actually be my daily driver, I have certain security concerns with the current default configurations.


    The following is a list of changes I've compiled, largely from http://kmwoley.com/blog/securing-a-new-unraid-installation/ and somewhat ordered by importance:

    - SMB 1 disabled by default

    - FTP and Telnet disabled by default

    - HTTPS enabled with a self-signed cert out of the gate (love the cert authority setup though!)

    - make it more clear how to encrypt new drives (can't choose to encrypt when adding the device, has to be changed in the default filesystem setting)

    - new shares not exported by default, and when exported, Private by default

    - Don't export the USB boot media!!! (At least not by default and add an are you sure if you try to enable it)

    - firewall such as UFW installed and enabled by default with only TCP ports 80 and 443 set to LIMIT and whatever SMB uses opened. GUFW could be pulled from for the GUI. Providing quick check boxes for common ports would make it easy, possibly auto-enabling when you enable a core service.

    - Docker Isolation through Linux namespaces / subuids

    - allow tagging more shares for direct Linux VM mounting to prevent the need to pass through /mnt/user

    - better multiple-user support, it's a server, right? So people other than root should be able to ssh in and access the UI; ideally root login would be disabled with use of a wheel group instead

    - don't use 777 permissions by default, ideally users + groups, but at a minimum there is no reason for most things to be read, write, and execute by default!

    - support for OpenVPN

    - support for multiple different encryption keys


    And add other lurking issues to this. Even if you're not exposing a system to the public internet, a lot of these things can still cause problems if the system is up 24/7. There is no such thing as a "friendly environment" outside air-gapped systems, and my daily driver will definitely not be air gapped.


    Anyway, if you've made it this far and feel like this is a list of complaints, I'm sorry. I do like unraid and I already feel excited for where it's going.

  5. 6 hours ago, trurl said:

    Did you actually read the linked thread? The whole point was explaining that the keyfile isn't actually in persistent storage.

    Yes, the link was illuminating to see that it is actually using a tmpfs mount or something; however, rephrasing my point to be "it's still in the filesystem" would be more accurate, and any user could read it given the permissions. At least, that is where my mind went based on normal unix logic. Since apparently unraid doesn't really support users other than root according to itimpi, this point is moot.

  6. 5 minutes ago, itimpi said:

    The /root location will not be visible across the network so not easily accessible. If you can log in as root then the permissions are irrelevant.

    Trying to set up different user accounts, they still would be able to access it with the default permissions, if I am not mistaken.

  7. Hello everyone!

    Just set up a fully encrypted array and I noticed that by default the keyfile `/root/keyfile` is readable by all users. Wanted to see if maybe I am missing a security setting somewhere or if this is actually the default... I did write a quick user script to run at array startup which simply performs `chmod -R og-rwx /root`.
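The keyfile-permission check behind that startup script, as an added example that is not code from Eadword's posts or from Unraid: a POSIX shell function that reports whether a file grants any permission to group or other, and a second one that strips those bits and verifies the result. It runs against a constructed temporary file standing in for `/root/keyfile` and assumes GNU/BusyBox `stat -c '%a'`.

```shell
#!/bin/sh
# Added example, not from the original posts or from Unraid.
# Detect a keyfile that is readable by anyone but its owner, then tighten it.
# Assumes `stat -c '%a'` prints the octal mode (GNU coreutils / BusyBox).

# Return 0 (true) if the mode grants any permission to group or other.
keyfile_exposed() {
    mode=$(stat -c '%a' "$1") || return 2
    # Mask the low six octal bits (group rwx, other rwx); leading 0 forces octal.
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Remove group/other bits; succeed only when the file is owner-only afterwards.
lock_keyfile() {
    chmod og-rwx "$1" || return 1
    if keyfile_exposed "$1"; then return 1; fi
    return 0
}

# Demo on a constructed temporary file in place of /root/keyfile.
demo() {
    tmp=$(mktemp) || return 1
    chmod 644 "$tmp"   # reproduce the world-readable default the post describes
    if keyfile_exposed "$tmp"; then
        echo "exposed: $tmp has mode $(stat -c '%a' "$tmp")"
    fi
    lock_keyfile "$tmp" && echo "locked:  $tmp now has mode $(stat -c '%a' "$tmp")"
    rm -f "$tmp"
}

demo
```

Pointing `keyfile_exposed` at the real keyfile path from a user script gives a one-line audit that can run before the array starts rather than relying on a blanket recursive chmod.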