November 15, 20178 yr Upgrading: We have changed the way one checks for new unRAID OS releases. Please refer to Update OS below. Bugs: If you want to report an issue, please start a new topic in this board. This is a bug-fix/improvement release. Notable changes (-rc11i): Let's Encrypt SSL certificate renewal: if your certificate is within 30 days of expiration the Renew button on Settings/Identification/SSLCertificate Settings page will be enabled. LE certs have a lifetime of 90 days but it's free to renew. We are working on a configurable daemon to make this automatic. All encryption passphrase/keyfile handling is managed on the Main page. For now the Encryption Settings page is gone but will eventually return as a way of changing the default cipher settings. Also gone is the Restricted Start setting introduced in the last release (bad idea). Yet another attempt to reliably report NVMe temperatures. Notable changes (-rc10b): Finally looks like the AMD Ryzen GPU pass-through performance issue has been solved. We applied this patch and it does indeed appear to solve the problem. Fixed issue in the 'mover' where it wasn't handling split-levels correctly in moving files from cache to array. Further refinements in handling encryption keyfile. Added new config setting Settings/Disk Settings/Restricted Start [Yes/No]. When set to Yes, array will not Start if there are encrypted volumes and the encryption key is missing (this is the default). If set to No and encryption key is missing, array will Start but encrypted volumes will not be Mounted and also cannot be Formatted - any share data stored therein simply won't be available. After attempted array Start with missing/wrong keyfile, you can enter the passphrase/upload keyfile directly from Main page. If there are any encrypted volumes in your server, we recommend setting "Settings/Disk Settings/Enable auto start" to Yes. Following boot of course there will be no keyfile present so autostart will fail. But in this case s/w also now knows there are encrypted devices and you will see right on the Main page a place to enter the encryption passphrase or upload a keyfile. Numerous package updates, bug fixes and webGui enhancements. Notable changes (-rc9f): Improved handling of encryption passphrase/keyfile. When Starting array with encrypted volumes, you only need to enter the encryption passphrase once on the Encryption Settings page - no more confusing "passphrase confirmation". If no encrypted devices exist and you're trying to add some, then it will ask for passphrase confirmation. Introduce new Disk Setting called 'Restricted Start - Yes/No'. When set to 'Yes' then array will not Start if the encryption key is missing. If set to 'No' then array will Start (including autostart) but encrypted volumes will not be 'mounted', meaning shares and/or share data stored on them will not be accessible. The default (and normal) setting for this is 'Yes'. The Let's Encrypt SSL provisioning is only available when 'Use SSL/TLS' on Identification page is set to 'Auto'. Also, provisioning the cert no longer triggers complete restart of "services". If using 'https' all 'http' is redirected to 'https'. If not using 'https', all 'https' is redirected to 'http'. The result of this is you can always enter servername in browser address bar to get to webGui, for example "Tower/" or "Tower.local" should always get you to the webGui. In the case of SSL-enabled LE certificate, you will get redirected to the <hash>.unraid.net URL. Added an 'Update DNS' button on Identification page. If the IP address of your server changes and you're usng the LE certificate, you can click this button to tell unraid.net to update the DNS setting. We have set TTL to 60 seconds so it might take this long to see the update. Of course you have to already have the webGui open to do this. Finally fixed reporting of temperature for NVMe devices (hopefully). Updated OVMF firmware, tested with various OS types, seems to work. Other misc. fixes an improvements, refer to Changes below. We're at the end of life for linux kernel 4.12. Next release will move to 4.13 kernel. Secure Access (-rc8q): Probably some explanation is in order. The “major” feature we wanted to add into unRAID version 6.4 was block level device encryption. However to get there we realized there needs to exist a secure way of entering information such as passphrases. Hence phase 1 consisted of integrating nginx in order to leverage its support of SSL/TLS (https). Besides the benefit of https support, integration of nginx also lets us utilize websocket technology (which is an ongoing integration), and lets us greatly improve the overall responsiveness of the webGui. Phase 1 integration of nginx in unRAID only supports self-signed SSL certificates. While in general, this may be OK to provide encrypted connections between a browser and a server in a trusted LAN, relying on self-signed certs is not good practice and is theoretically vulnerable to MITM attacks. With this release we have completed Phase 2 of nginx https integration by providing the ability for our users to provision a free SSL Certficate from Let’s Encrypt. To obtain your certificate go to Settings/Identification, scroll to the bottom and click Provision. In one operation this will allocate your certificate, upload it to your server, and switch nginx to redirect all http to https. After clicking anywhere else in the webGui you should see a nice green lock icon in your browser address bar! The other thing you’ll notice in your address bar is a very funny looking URL consisting of a 40-hex-character subdomain of unraid.net. We have set up a LimeTech DNS server that will resolve that URL to your servers IP address on your local network. That FQDN is unique to your certificate. When your browser resolves that URL it is given your local IP address which it then uses to perform the https connection handshake. For this reason, we recommend that you give your server a static IP address because if the IP address changes, the browser will not be able to connect to your server. This is like locking your keys in the car! We plan on implementing a small daemon which wakes up upon such IP address change and tells the LimeTech DNS server to update its A-record, but this has not been done yet. NOTE: if you do lock your keys in the car, the coat-hanger fix to restore http access is to telnet/ssh into the server and type: rm /boot/config/ssl/certs/certificate_bundle.pem /etc/rc.d/rc.nginx reload (You might also have to clear your browser cache.) Following re-enable of http, you can again Provision a certificate which will update the DNS entry. Device block level encryption (-rc8q): We have implemented full-device encryption as follows. In unRAID, encryption is selected as another type of file system. For example, with array Stopped, click on a Device link and then click on File system type. Three new “types” are available: xfs – encrypted btrfs – encrypted reiserfs – encrypted [should we get rid of this one?] If you change the File system type to one of these and then Start the array you will notice the device appears Unmountable and the Format button is available. Formatting the device will result in creating an encrypted partition on that device with the specified file system type. ALL PREVIOUS DATA ON THAT DEVICE WILL BE DESTROYED. Hence it is not possible, in this release, to encrypt in-place. We plan to add a utility in a future release to accomplish this however. The other thing you’ll notice when you click Format is that it may fail because there is no encryption key. In this case, click on Settings/Encryption Settings and enter in a passphrase to be used to secure your encrypted devices. At present we let you enter either a passphrase or upload a file which contains your passphrase (or binary data). DO NOT FORGET YOUR PASSPHRASE OR LOSE YOUR KEYFILE. Once a partition is encrypted, if you forget your passphrase or lose your keyfile, your data is forever lost - unless you know someone very high up in the NSA Also note that array Autostart following server boot will not succeed if any devices are encrypted. This is because the keyfile (passphrase) is kept in RAM and thus lost upon reboot. This means that following system reboot you must log into the webGui, go to Tools/Encryption and enter your passphrase (or upload your keyfile). Yes this is a nuisance and we have a few ideas for automating this, but at least you now have secure https access! In the case of a btrfs cache pool, all devices comprising the pool will be encrypted. For this release, we highly recommend using encryption only on a test server with test data which has been backed up. We plan on many more refinements in future releases. 4Kn Device Support (-rc8q): Yeah should work now. Other notes (-rc8q): The /usr/local/sbin/emhttp line in your /boot/config/go file is no longer used to specify the ports where the webGui listens for connections. Instead you must configure these on the Identification page. Alternately if you need to set this up prior to server boot, you may add the port settings in /boot/config/ident.cfg. Please refer to /usr/local/sbin/emhttp script for more information if you care about this. It used to be that merely Starting the array would re-write a “unRAID standard partition layout”. This surprises some users because one would expect nothing to be written to a new device unless Format was invoked. This has been changed so that nothing is written to a device unless Format is invoked (except for Parity devices – those will still be written upon array Start if parity sync is indicated). Moving devices around between cache pool and array or unassigned is handled much better now. There are numerous webGui fixes and improvements. Upgraded linux kernel and several base packages. Where are releases -rc8a-rc8p you might ask? Those were non-public test releases. Credits (-rc8q): Thanks to @jonp for his work in securing us a Certifiate Authority (Let's Encrypt). Thanks to @eschultz for an incredible amount of work involved in setting up DNS servers and integrating with Let's Encrypt API, among other vital tasks in this release. Thanks to @bonienl for his continued dynamix amazing refinements and networking/IPv6 expertise. USB Flash boot device backup function (-rc7) Added "Flash backup" button on the flash device info page (Main/flash). Click this button to download a zip file with the entire contents of your USB Flash boot device. This zip file may be used to restore to a new unRAID USB Flash boot device either manually, or using our nifty new unRAID USB Creator tool. Linux 4.12 kernel (-rc7) - should provide better Ryzen support among other improvements. UEFI support (-rc5) It is now possible configure UEFI boot mode to boot unRAID OS. The make_bootable.bat (Windows), make_bootable_mac (MacOS) and make_bootable_linux (Linux) scripts will output a prompt: Permit UEFI boot mode [Y/N]: If answered with 'Y' a new directory is included on the USB flash boot device called 'EFI'. The presence of this directory along with its contents, and along with some additional linux kernel options permit UEFI boot. This is done in such a way that you could choose either BIOS (legacy) or UEFI to boot off your USB flash device (that is, even if you answer 'Y' here you can still configure your motherboard to use Legacy boot). If answered with 'N' the directory and contents are still created, but named 'EFI-' (a dash at the end). This will prevent UEFI firmware from considering this device. You can manually rename the 'EFI-' directory to 'EFI' and permit possible UEFI boot (and rename back to 'EFI-' to prevent it again). Note: Even if the 'EFI' directory exists, whether or not your motherboard actually uses UEFI to boot is determined by BIOS settings. In addition, some motherboards may present a strongly worded warning along the lines of "The system found unauthorized changes on the firmware, operating system or UEFI drivers." In this case look for a "Secure Boot" BIOS setting and change to "Other OS" or "Disable". If you update your server using Check for updates on the Plugin page, an 'EFI-' directory and files will be automatically created on your USB flash boot device. If you prepare a new USB flash using this release, the 'EFI-' directory and files will also be included. If you use the "manual" method of updating by copying the bz* files from the release zip, beware you will need to manually also copy over the 'EFI-' directory (and modify the first line of syslinux.cfg and copy it to 'EFI-/boot' directory). There is also a webGui setting to permit UEFI boot located on the 'flash' device information page in the 'Syslinux Configuration' section. Update OS (-rc5) Instead of bundling an "unRAID Server" plugin on the Plugins page, there is a new page on the Tools menu in the About section called 'Update OS'. Here you can check for a new unRAID OS release as well as switch between the latest release in the stable branch or the next branch. In addition there is a separate control on the Notification Settings page that configures whether or not to automatically check for updates. enabling https (-rc3) To enable https support it's necessary to edit your 'config/go' file on your USB flash boot device. Use the -p option to specify the port(s) and optionally include the -r option to redirect http request from your browser to using https. Here's the detailed usage: # Usage: # emhttp [-r] [-p port [,sslport]] [OPER] # OPER is start or stop. Default is start. # By default nginx will be setup to listen only at port 80 (http). # The -p option may be used to define different listening ports and/or setup nginx # to listen at a specified port for https. The -r option may be used to setup # nginx so that any http request is redirected to https (this requires that both # ports have been specified with -p option). For example, to have nginx listen # at both standard ports but redirect all http to https use: # emhttp -rp 80,443 # To listen at only port 443 use: # emhttp -p ,443 # Note: the stop operation is only "safe" if the array has already been stopped # (this will be fixed). Improved shfs/mover (-rc1) The LimeTech user share file system (shfs) has been improved in two areas. First, we now make use of FUSE read_buf/write_buf methods. This should result in significant throughput increases. Second, the mover script/move program no longer uses rsync to move files/directories between the cache pool and the parity array. Instead the move program invokes a new shfs ioctl() call. This should result in complete preservation of all metadata including atime and mtime. While this function has been fairly extensively tested, please keep an eye on mover activities - there shouldn't be any data loss, but it's a fairly significant code change. nginx http server (-rc1) We now use the nginx webserver as the front-end to the unRAID OS Management Utility (aka, webGui). The emhttp process has been changed to a daemon (emhttpd) listening at a unix socket. Incorporating nginx provides several features: Multi-threaded access, though emhttpd is still single-threaded. https (SSL) support. At present unRAID OS will generate a self-signed certificate. https works but you will get a scary warning from your browser about not being able to verify the certificate. No worries. nchan (websocket) support. We have only just begun the process of converting many of the browser javascript polling functions to an event-driven websocket paradigm. This opens the door for us to create something like a process manager where we can have several background operations in process, all monitored in real-time via webGui dashboard. IPv6 support (-rc1) We want to again, give a big "thank you" to bonienl who has greatly improved unRAID OS networking with the addition of IPv6 support. Give it a try and report any issues. Other (-rc1) Two new webGUI themes: Azure and Gray. Again, thanks to bonienl. Expanded driver support (QLogic) and more hardware monitoring support. Kernel modules and firmware are left on the Flash in a squashfs loopback and loaded into RAM on demand. Many more misc. improvements Version 6.4.0_rc11i 2017-11-14 Changes Base distro: docker: Fixed bug in IPv6 assignment when privacy extensions is enabled docker: fixed interfaces with IPv6 are only included if IPv6 assignment exists docker: added default IPv6 gateway ::1 networking: fixed VLAN interfaces were not correctly created when IPv4 + IPv6 assignment is used nginx: redirect https requests to the domain name in LE unraid cert php-fpm.d/www.conf - increase pm.max_children from 10 to 20 smartmontools: update drivedb and hwdata/{pci.ids,usb.ids,oui.txt,manuf.txt} Linux kernel: version 4.13.12 (with kvm_svm_obey_guest_pat.patch: https://patchwork.kernel.org/patch/10027525/) md/unraid: 2.9.2 (with 2 disks disabled, report recovery_action as simply "check", not "check P" or "check Q") Management: emhttp: yet another attempt to read nvme device temperature correctly webgui: Add ability to renew LE cert webgui: DeviceList code optimization webgui: Fix generating diagnostics zip for bug report feedback webgui: Make Format warning always present webgui: Add ceiling to temperature and utilization checks (ignore insane values) webgui: Minor text adjustments webgui: Show last parity history log when system is restarted webgui: Hide move button in schedule page when array is stopped webgui: Visual enhancements Array Operation page webgui: All encryption settings on Main page webgui: Improved SMART support (including NVMe) webgui: Support temperature readings+warnings in Dashboard array overview webgui: Monitor script: support temperature reading of NVMe devices webgui: Minor dashboard enhancement for themes white and black webgui: Use 'version_compare' for unRAID version testing webgui: Add missing network mask choices webgui: Enhancements in page forward/backward movement webgui: Hide empty assignments in VLANs webgui: Do not display device spin up/down icons for non-present devices. webgui: Other minor code updates Edited November 16, 20178 yr by limetech typo
November 15, 20178 yr Author 16 minutes ago, clowrym said: Mine is stuck at syncing - please wait... do I just reboot? How long did you wait? Depending on speed of your USB flash, could take a while (minutes) though typically less than a minute.
November 15, 20178 yr Author Just now, clowrym said: Its been at least 15 minutes.....still waiting Sounds like it's stuck, maybe you should reboot.
November 15, 20178 yr 4 minutes ago, limetech said: Sounds like it's stuck, maybe you should reboot. Now I'm stuck at Stopping services.... Nov 15 09:54:29 Test emhttpd: req (14): startState=STARTED&file=&optionCorrect=correct&csrf_token=****************&cmdStop=Stop Nov 15 09:54:29 Test emhttpd: Spinning up all drives... Nov 15 09:54:29 Test emhttpd: shcmd (86): /usr/sbin/hdparm -S0 /dev/sde Nov 15 09:54:29 Test kernel: mdcmd (41): nocheck Nov 15 09:54:29 Test kernel: md: nocheck_array: check not active Nov 15 09:54:29 Test kernel: mdcmd (42): spinup 0 Nov 15 09:54:29 Test kernel: mdcmd (43): spinup 1 Nov 15 09:54:29 Test kernel: mdcmd (44): spinup 2 Nov 15 09:54:29 Test kernel: mdcmd (45): spinup 3 Nov 15 09:54:29 Test root: SG_IO: bad/missing sense data, sb[]: 70 00 05 00 00 00 00 0a 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Nov 15 09:54:29 Test root: Nov 15 09:54:29 Test root: /dev/sde: Nov 15 09:54:29 Test root: setting standby to 0 (off) Nov 15 09:54:30 Test emhttpd: Stopping services... Nov 15 09:54:30 Test emhttpd: shcmd (89): /etc/rc.d/rc.docker stop Nov 15 09:54:30 Test root: stopping dockerd ... Nov 15 09:54:31 Test kernel: docker0: port 2(veth7d5c8ad) entered disabled state Nov 15 09:54:31 Test kernel: veth4a00c6c: renamed from eth0 Nov 15 09:54:31 Test avahi-daemon[13238]: Interface veth7d5c8ad.IPv6 no longer relevant for mDNS. Nov 15 09:54:31 Test avahi-daemon[13238]: Leaving mDNS multicast group on interface veth7d5c8ad.IPv6 with address fe80::5cf1:fcff:feb2:49e7. Nov 15 09:54:31 Test kernel: docker0: port 2(veth7d5c8ad) entered disabled state Nov 15 09:54:31 Test kernel: device veth7d5c8ad left promiscuous mode Nov 15 09:54:31 Test kernel: docker0: port 2(veth7d5c8ad) entered disabled state Nov 15 09:54:31 Test avahi-daemon[13238]: Withdrawing address record for fe80::5cf1:fcff:feb2:49e7 on veth7d5c8ad. Nov 15 09:57:29 Test nginx: 2017/11/15 09:57:29 [error] 13288#13288: *561022 upstream timed out (110: Connection timed out) while reading upstream, client: 10.1.0.10, server: , request: "POST /update.htm HTTP/1.1", upstream: "http://unix:/var/run/emhttpd.socket:/update.htm", host: "192.168.0.11", referrer: "http://192.168.0.11/Main"
November 15, 20178 yr 1 hour ago, limetech said: nginx: redirect https requests to the domain name in LE unraid cert I need a way to prevent this, or to make it smarter. I have the unraid webui behind a reverse proxy as described here: https://forums.lime-technology.com/topic/42003-requestdone-lets-encrypt-container/?page=7#comment-461739 This worked fine until 6.4.0-rc11i, now when I try to access: https://unraid.mydomain.com/ it gets forcibly redirected to: https://<hash>.unraid.net/ which is not accessible outside of my network. I do have the reverse proxy pointing to the proper https url: proxy_pass https://<hash>.unraid.net/; so the problems the redirect is trying to solve are not really problems in this case. One solution would be to have unRAID behave differently if a particular http header exists. For instance if the proxy setup includes: proxy_set_header X-unRAID-redirect "no"; then unRAID would know not to redirect at all. Or, if for some reason unRAID needs the domain it could look for something like this to redirect to: proxy_set_header X-unRAID-domain "unraid.mydomain.com"; The benefit of solving this using http headers set by the proxy is that when accessed directly (not through the proxy) all of the standard redirect functionality can still apply. (I realize that a lot of people will say "use VPN instead", but that isn't realistic for me. I need remote access without VPN. And don't worry, I use client certificates for authentication and not just passwords, so it has about the same level of security as VPN anyway.)
November 15, 20178 yr Author 9 minutes ago, ljm42 said: I need a way to prevent this, or to make it smarter. I have the unraid webui behind a reverse proxy as described here: https://forums.lime-technology.com/topic/42003-requestdone-lets-encrypt-container/?page=7#comment-461739 This worked fine until 6.4.0-rc11i, now when I try to access: https://unraid.mydomain.com/ it gets forcibly redirected to: https://<hash>.unraid.net/ which is not accessible outside of my network. I do have the reverse proxy pointing to the proper https url: proxy_pass https://<hash>.unraid.net/; so the problems the redirect is trying to solve are not really problems in this case. One solution would be to have unRAID behave differently if a particular http header exists. For instance if the proxy setup includes: proxy_set_header X-unRAID-redirect "no"; then unRAID would know not to redirect at all. Or, if for some reason unRAID needs the domain it could look for something like this to redirect to: proxy_set_header X-unRAID-domain "unraid.mydomain.com"; The benefit of solving this using http headers set by the proxy is that when accessed directly (not through the proxy) all of the standard redirect functionality can still apply. (I realize that a lot of people will say "use VPN instead", but that isn't realistic for me. I need remote access without VPN. And don't worry, I use client certificates for authentication and not just passwords, so it has about the same level of security as VPN anyway.) I'll have Eric look at this, but if you have your own "mydomain.com", maybe you should not be using LE certificates that we generate. Instead get your own certificate and upload to file 'config/ssl/certs/certificate_bundle.pem'.
November 15, 20178 yr 2 hours ago, limetech said: All encryption passphrase/keyfile handling is managed on the Main page. For now the Encryption Settings page is gone but will eventually return as a way of changing the default cipher settings. Also gone is the Restricted Start setting introduced in the last release (bad idea). Will anything replace Restricted Start (the no option)? I was planning on using it...
November 15, 20178 yr 13 minutes ago, limetech said: I'll have Eric look at this, but if you have your own "mydomain.com", maybe you should not be using LE certificates that we generate. Instead get your own certificate and upload to file 'config/ssl/certs/certificate_bundle.pem'. That would have the same problem, because if https://unraid.mydomain.com is the reverse proxy url, I still need a different FQDN to access unRAID directly. And rc11i will redirect to unRAID's FQDN. Which brings up a second issue... unRAID seems to be redirecting to the first "DNS Name" listed in the cert. If I used my own LE cert, it would need to redirect to the 4th or 5th "DNS Name". So probably easiest to use yours
November 15, 20178 yr Author 35 minutes ago, doron said: Will anything replace Restricted Start (the no option)? I was planning on using it... Please describe your use case.
November 15, 20178 yr Do ryzen users still have to use the rcu_nocbs=0-# line in the syslinux config?
November 15, 20178 yr 1 hour ago, ljm42 said: That would have the same problem, because if https://unraid.mydomain.com is the reverse proxy url, I still need a different FQDN to access unRAID directly. And rc11i will redirect to unRAID's FQDN. Which brings up a second issue... unRAID seems to be redirecting to the first "DNS Name" listed in the cert. If I used my own LE cert, it would need to redirect to the 4th or 5th "DNS Name". So probably easiest to use yours You just need a local DNS record pointing unraid.mydomain.com to the local address and you'd be good to go. That's how I access my servers locally that are behind my reverse proxy. Edited November 15, 20178 yr by IamSpartacus
November 15, 20178 yr Author 1 hour ago, david279 said: Do ryzen users still have to use the rcu_nocbs=0-# line in the syslinux config? Yes. Best thing to do is monitor this topic: https://bugzilla.kernel.org/show_bug.cgi?id=196683 We are doing the same. Eventually the correct solution will show up there, but sadly, imho, it appears AMD does not care much about linux support.
November 15, 20178 yr 2 hours ago, limetech said: Please describe your use case. If the server starts while the encryption key is not around, due to either the passphrase holder being away on business travel or the server being "relocated"(...) to a place distant from the keyfile, some parts of the data (the less sensitive part) would still be mounted and made available on the network. Was that not the initial intention? Curious why it is seen as a bad idea. What am I missing?
November 15, 20178 yr Author 2 hours ago, doron said: If the server starts while the encryption key is not around, due to either the passphrase holder being away on business travel or the server being "relocated"(...) to a place distant from the keyfile, some parts of the data (the less sensitive part) would still be mounted and made available on the network. Was that not the initial intention? Curious why it is seen as a bad idea. What am I missing? The main problem is that an encrypted device could normally hold one of the 'system' shares and if that device does not mount following boot, quite a bit of functionality could be lost or not work correctly, or possibly the share could be auto-created on another device. We need to think this out some more. The design/coding for this is quite involved because we can't get into a situation where "keys are locked in the car". Not sure what you mean by being "relocated".
November 15, 20178 yr 3 minutes ago, limetech said: The main problem is that an encrypted device could normally hold one of the 'system' shares and if that device does not mount following boot, quite a bit of functionality could be lost or not work correctly, or possibly the share could be auto-created on another device. We need to think this out some more. The design/coding for this is quite involved because we can't get into a situation where "keys are locked in the car". Good point. Understood. Clearly a lot of functionality is lost/twisted in that partial start mode. Perhaps this can be an "advanced" or hidden option, make-sure-you-know-what-you're-doin kind of thing. 3 minutes ago, limetech said: Not sure what you mean by being "relocated". Stolen.
November 15, 20178 yr Author 10 minutes ago, doron said: Perhaps this can be an "advanced" or hidden option, make-sure-you-know-what-you're-doin kind of thing. That's why the 'Restricted Start' was kinda buried in the Disk Settings page. Honestly, I think this feature will come back, but a large majority of users won't use it, and would probably be confused by it, and making it work properly in the code is going to take more time that we don't want to spend now because we need to publish 6.4.0 release. 10 minutes ago, doron said: Stolen Gotcha. If your server is at risk of theft, wouldn't this be precisely the reason you would want everything encrypted?
November 16, 20178 yr 24 minutes ago, limetech said: That's why the 'Restricted Start' was kinda buried in the Disk Settings page. Honestly, I think this feature will come back, but a large majority of users won't use it, and would probably be confused by it, and making it work properly in the code is going to take more time that we don't want to spend now because we need to publish 6.4.0 release. Got it. Appreciate the effort. 24 minutes ago, limetech said: Gotcha. If your server is at risk of theft, wouldn't this be precisely the reason you would want everything encrypted? Ah. Great question. This can now quickly "deteriorate" into a threat model discussion :-) Basically it depends on who grabs the server. For some thiefs, who are after your data (not just your mobo/hdds), it would be good if they'd believe they did get the file server to load and mount. Which is what's likely to happen if some shares would become available.
November 16, 20178 yr 40 minutes ago, limetech said: That's why the 'Restricted Start' was kinda buried in the Disk Settings page. Honestly, I think this feature will come back, but a large majority of users won't use it, and would probably be confused by it, and making it work properly in the code is going to take more time that we don't want to spend now because we need to publish 6.4.0 release. Gotcha. If your server is at risk of theft, wouldn't this be precisely the reason you would want everything encrypted? In some cases, not really. I like the idea of just having specific shares/drives encrypted. I can backup other systems, important files, etc. to the encrypted share. Without the overhead or complication of encryption for my media files. The vast majority of my data (movies, music, games, etc.) is perfectly acceptable for a thief to obtain, but there are specific slices that warrant much better protection. I do hope the restricted start comes back. Allowing most of my media, VMs, and Dockers that handle utility functions or media sharing to startup, unattended would be ideal. The fact that some protected files, VMs, or Dockers will remain down until human intervention is reasonable.
November 16, 20178 yr 14 hours ago, limetech said: All encryption passphrase/keyfile handling is managed on the Main page This works great! Very intuitive way to add a passphrase after booting.
November 16, 20178 yr 15 hours ago, limetech said: Fixed issue in the 'mover' where it wasn't handling slit-levels correctly in moving files from cache to array. I do believe there is a small typo, that should state 'split-levels'. Edited November 16, 20178 yr by zoggy
November 16, 20178 yr 15 hours ago, limetech said: Yet another attempt to reliably report NVMe temperatures. It's not a surprise since@bonienlwas kind enough to work with me to get it working on the previous release with a modification, still happy to report that it's finally working
November 16, 20178 yr 11 minutes ago, johnnie.black said: still happy to report that it's finally working Good to hear This release allows correct monitoring of NVMe device temperature too. You can set warning and critical thresholds as needed.
Archived
This topic is now archived and is closed to further replies.