unRAID OS version 6.4.0 Stable Release Available


limetech


Download

 

If you are running a previous stable release, clicking 'Check for Updates' on the Plugins page is the preferred way to upgrade.

If you are running a 6.4.0-rc, click 'Check for Updates' on the Tools/Update OS page.

 

This release contains important security updates related to the recent Meltdown and Spectre vulnerabilities.  For this reason, all users are encouraged to update.  We expect additional updates in the near future as additional mitigations become available.

 

Aside from security patches, the primary goal of this release is to implement full device encryption utilizing LUKS.  Since LUKS permits the use of a passphrase as the encryption/decryption key, a secure method of entering the passphrase via the unRAID Management Utility, a.k.a., webGUI, is necessary; hence, we integrated nginx in order to provide SSL/TLS (https) support.  And since https requires SSL Certificates, we partnered with Let's Encrypt to provision free SSL certificates for all of our users right from within the webGUI.

 

Along the way several additional features and improvements have also been added, see below.

 

Finally, we want to express our sincere thanks and appreciation to all those who helped in the Prerelease 6.4 Support board.  And a special "thank you" to @bonienl who has made several amazing contributions, especially in the area of networking.

 

Following are the Release Notes:

Linux kernel

This release is running Linux kernel version 4.14.13 which contains patches to address the widely reported Meltdown and Spectre vulnerabilities. This kernel fully mitigates against Meltdown, but full mitigation for Spectre is not yet complete and has not been publicly released as of this date.

Management Utility

We now use the nginx webserver as the front-end to the unRAID OS Management Utility (aka, webGUI). Incorporating nginx provides several benefits, including:

  • Multi-threaded access results in much better response.
  • Websocket support.
  • SSL/TLS (https) support.

Moving forward, use of websockets will further improve webGUI functionality and responsiveness. At present only the CPU Load Statistics on the Dashboard and the web-based Terminal application make use of websockets.

Note: Unfortunately this functionality does not work with Safari.

There is now a Logout button for the webGUI which appears on the right side of the menu bar when you have defined a root password and are logged in. Clicking this will log you out from all tabs/windows in that browser.

Also new with this release are two new webGUI themes: Azure and Gray, along with numerous other bug fixes and improvements.

Secure Access

Secure webGUI access is now supported using the https protocol. We offer two methods for dealing with the SSL certificate:

  • Use of a self-signed certificate.
  • Use of a free SSL certificate provisioned by Let's Encrypt.

The selection of http/https and SSL certificate configuration is accomplished through the Settings/Identification page.

Note: The /usr/local/sbin/emhttp line in your /boot/config/go file is no longer used to specify the ports where the webGUI listens for connections. Instead you must configure these on the Identification page. Alternately if you need to set this up prior to server boot, you may add the port settings in /boot/config/ident.cfg. Please refer to /usr/local/sbin/emhttp script for more information if you care about this.

Let's Encrypt SSL Certificates

Lime Technology, Inc. has partnered with Let's Encrypt to provide free SSL certificates for all of our users. To obtain your certificate first go to Settings/Identification page, set Use SSL/TLS to Auto and click Apply.

Next, scroll to the bottom and click Provision. In one operation this will allocate your certificate, upload it to your server, and switch nginx to redirect all http to https. After clicking anywhere else in the webGUI you should see a nice green lock icon in your browser address bar!

You will also notice in your address bar a very funny looking URL consisting of a 40-hex-character subdomain of unraid.net. We have set up a LimeTech DNS server that will resolve that URL to your server's IP address on your local network. That FQDN is unique to your certificate. When your browser resolves that URL it is given your local IP address which it then uses to perform the https connection handshake.

Since Let's Encrypt SSL certificates expire every 90 days, we have included a background daemon that checks once per day if your certificate is within 30 days of expiration. If so, we automatically renew and upload a new certificate for you.

Finally, we have included another background daemon that checks every 10 minutes for a change in your server's IP address. If your IP address changes, then the DNS A-record for your server is updated.

Device Encryption

We have implemented full-device encryption as follows. In unRAID, encryption is selected as another type of file system. With array Stopped, click on a Device link and then click on File system type where you can select encrypted versions of supported file system types:

  • xfs – encrypted
  • btrfs – encrypted
  • reiserfs – encrypted

If you change any device file system type to encrypted, you will notice a section on the Main page appears where you must enter a passphrase or upload an encryption keyfile before you can Start the array.

DO NOT FORGET YOUR PASSPHRASE OR LOSE YOUR KEYFILE. Once a device is encrypted, if you forget your passphrase or lose your keyfile, your data is lost forever!

Once you have Started the array, newly encrypted devices appear Unmountable and the Format button is available. Formatting will result in creating an encrypted partition on those devices with the specified file system type.

ALL PREVIOUS DATA ON THAT DEVICE WILL BE DESTROYED. Hence it is not possible, in this release, to encrypt in-place. We plan to add a utility in a future release to accomplish this however.

Also note that array Autostart following server boot will not succeed if any devices are encrypted. This is because the passphrase or keyfile is kept in RAM and thus lost upon reboot. This means that following system reboot you must log into the webGUI, enter your passphrase (or upload your encryption keyfile), and then click the Start button.

In the case of a btrfs cache pool, all devices comprising the pool will be encrypted.

UEFI support

It is now possible to configure UEFI boot mode to boot unRAID OS. This may be enabled by clicking on the Flash device link from the Main page where you will find a checkbox to select UEFI boot mode.

In addition, UEFI boot mode may be selected when a new USB Flash device is provisioned using the USB Creator tool.

When using the manual method of preparing a USB Flash device, the make_bootable scripts will output a UEFI boot mode selection prompt.

Web-based Terminal

We now have a web-based Terminal application available by clicking the Terminal button on the Menu bar. You may also open the Terminal in a new tab by right-clicking the button. This application makes use of websockets and appears to be quite fast, give it a try!

NOTE: Unfortunately the web-based Terminal app does not work with Safari.

Update OS

Instead of bundling an unRAID Server plugin on the Plugins page, there is a new page on the Tools menu in the About section called Update OS.

Here you can check for a new unRAID OS release as well as switch between the latest release in the stable branch or the latest release in the next (development) branch.

In addition there is a separate control on the Notification Settings page that configures whether or not to automatically check for updates.

Improved shfs/mover

The unRAID user share file system (shfs) has been improved in two areas.

First, we now make use of FUSE readbuf/writebuf methods. This should result in significant throughput increases.

Second, the mover script/move program no longer uses rsync to move files/directories between the cache pool and the parity array. Instead the move program invokes a new shfs ioctl() call. This should result in complete preservation of all metadata including atime and mtime.

Other

  • IPv6 support. Entirely designed, coded, and tested by user bonienl who has greatly improved unRAID OS networking.

  • We now fully support 4Kn devices, that is, devices with both 4096-byte physical and 4096-byte logical block sizes.

  • It used to be that merely Starting the array would re-write an unRAID standard partition layout on all devices assigned to the array. This has been changed so that nothing is written to a device unless Format is invoked (except for Parity devices – those will still be written upon array Start if parity sync is indicated).

  • Moving devices around between cache pool and array or unassigned is handled much better now.

  • Added Flash backup button on the Flash device info page (Main/Flash). Click this button to download a zip file with the entire contents of your USB Flash boot device. This zip file may be used to restore to a new unRAID USB Flash boot device either manually, or using the USB Creator tool.

  • We ported a simplified version of the zenstates.py utility to C (to avoid including python in bzroot) which may be used to disable Ryzen C6 states (as workaround for Ryzen idle freeze issue). We have found that sometimes bios option to disable C6 does not exist or does not do the right thing. If you want to use this utility, we suggest that you edit the config/go file on your USB flash device. Add this line just before emhttp is invoked:

    /usr/local/sbin/zenstates --c6-disable

  • Expanded driver support and more hardware monitoring support.

  • Kernel modules and firmware are now left on the Flash in a squashfs loopback and loaded into RAM on demand.

  • Many more misc. improvements

Known Issues

  • Certain motherboards with on-board Aspeed IPMI graphics adaptors may lose video or switch to different colored text during the boot process. To prevent this, add the nomodeset kernel option to your syslinux append line.

  • Some users report vmwrite syslog errors as a result of VM startup. This is a harmless message and can be ignored; however, please report if you see this.

  • AMD Ryzen CPU is known to freeze on linux-based distros and unRAID OS is no exception. Disabling C6 state either in your bios or using our zenstates program seems to be the most reliable mitigation for this issue. Maybe some day AMD will fix this.

  • AMD Threadripper GPU passthrough to VM's does not work reliably. This is an AMD bug, maybe some day they'll fix it.

  • Like 7
Link to post

Great news - been a RC tester since the start so I know how much work has gone into this.

 

I have two questions I should have asked before.  What are the advantages of UEFI boot as I haven't made that switch yet? Also, with the crazy unraid URL that is created, does this mean I can access my server remotely?

Link to post
4 minutes ago, DZMM said:

What are the advantages of UEFI boot as I haven't made that switch yet?

Mainly this was added because there are motherboards that only support UEFI boot.  Also, certain h/w is initialized differently which may make it easier to pass through to virtual machines.  Jon may have more to say about that later.

 

7 minutes ago, DZMM said:

Also, with the crazy unraid URL that is created, does this mean I can access my server remotely?

Yes this is going to be possible, but don't tell anyone about it yet :)

  • Like 2
Link to post

I just updated my system to 6.4.0 without any issues, it took approx 10-15 minutes

 

Brief description of my system:

- Gigabyte H270N-WIFI motherboard, 16GB DDR4 and an Intel Pentium G4560 (3,5 GHz)

- array consists of 5x 3TB WD Red HDD's and a 120GB SSD for caching

- use Docker containers for MySQL, Apache webservers, Plex and Duplicati (all work fine)

- VM are not in use (currently)

 

Update:--> Docker LetsEncrypt raises some issues, which I need to investigate. The log of this docker now reports 
 

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
sed: /etc/php7/php.ini: No such file or directory
sed: /etc/php7/php-fpm.conf: No such file or directory
sed: /etc/php7/php-fpm.d/www.conf: No such file or directory
sed: /etc/php7/php-fpm.d/www.conf: No such file or directory
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.<<removed by me before posting log>>
E-mail address entered: <<my email>>
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

Found some information here, but I will need to investigate some more.

https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983

 

Thank you very much  

Edited by Richard Aarnink
  • Like 2
Link to post

This is some fine work, currently upgrading it now. 

One thing has caught my eye though:
 

12 hours ago, limetech said:

You will also notice in your address bar a very funny looking URL consisting of a 40-hex-character subdomain of unraid.net. We have set up a LimeTech DNS server that will resolve that URL to your server's IP address on your local network. That FQDN is unique to your certificate. When your browser resolves that URL it is given your local IP address which it then uses to perform the https connection handshake.

 

This will rely on contacting a server, well at least two, outside of the network unRAID lives in. This means it'll have to be on an internet capable network to achieve this.
What happens on a secure network where unRAID has been completely blocked from access from the internet? And is there the potential for users to one day manage the certificates themselves?

Edited by Ryonez
Link to post
6 minutes ago, Ryonez said:

This is some fine work, currently upgrading it now. 

One thing has caught my eye though:
 

 

This will rely on contacting a server, well at least two, outside of the network unRAID lives in. This means it'll have to be on an internet capable network to achieve this.
What happens on a secure network where unRAID has been completely blocked from access from the internet? And is there the potential for users to one day manage the certificates themselves?

 

Using self-signed certificate may be configured already, and you can upload your own SSL certificate if you have a local CA running on your network.  Check out the Help for the Identification page where there are details re: the implementation.

Link to post

Ignore this post. Found it in DEV pack.

 

Upgrade on my machines went smooth. Running Perl and upgrading packages from NERD pack did throw a new error. Never seen this with the previous version:

 

/usr/bin/make: error while loading shared libraries: libunistring.so.0: cannot open shared object file: No such file or directory

Where do I get that beast?

 

Thanks in advance.

 

Edited by hawihoney
Link to post

Right, I am having no luck with being provisioned a Let's Encrypt Cert.
I added "unraid.net" to the "DNS Rebind Protection" exception list for my router. I also changed the DNS used to openDNS. Despite multiple reboots and attempts, I get the error shown in the image consistently. As far as I know openDNS doesn't have DNS Rebind Protection on, so I have no clue at this stage where to go.

2018-01-13_23-32-39_AtlantisIdentification.png

Link to post

@limetech you should add the virtio upgrade:

 

  • webgui: VM Manager: add 'virtio-win-0.1.141-1' to VirtIO-ISOs list

From the 21b notes to the 6.4 release notes.  I just upgraded my W10 drivers and it fixed my logitech camera not getting passed through - very happy!

 

Edit: realised it might not be the drivers but something else in 6.4 as I didn't try passing through until I updated the drivers.  Still happy though!

Edited by DZMM
Link to post
2 hours ago, Ryonez said:

Right, I am having no luck with being provisioned a Let's Encrypt Cert.
I added "unraid.net" to the "DNS Rebind Protection" exception list for my router. I also changed the DNS used to openDNS. Despite multiple reboots and attempts, I get the error shown in the image consistently. As far as I know openDNS doesn't have DNS Rebind Protection on, so I have no clue at this stage where to go.

2018-01-13_23-32-39_AtlantisIdentification.png

 

Try Google's public dns server. Worked for me

Edited by Woodpusherghd
Link to post

I seem to be having problems with this release. After the update was applied through the GUI my server is not booting up. I get the boot selection screen and unRAID OS is selected. I get two lines of text pertaining to bzimage and bzroot and then the server reboots. I attempted to boot to unRAID OS GUI Mode and that was successful. However, my network settings did not seem to be applied. Thinking that there might have been an issue with the files from the GUI update I downloaded the 6.4 zip and applied it to my unRaid USB drive and I got the same results. Is there a way to get additional information to see what might be happening in the boot sequence?

 

Link to post
27 minutes ago, cyberrad said:

I seem to be having problems with this release. After the update was applied through the GUI my server is not booting up. I get the boot selection screen and unRAID OS is selected. I get two lines of text pertaining to bzimage and bzroot and then the server reboots. I attempted to boot to unRAID OS GUI Mode and that was successful. However, my network settings did not seem to be applied. Thinking that there might have been an issue with the files from the GUI update I downloaded the 6.4 zip and applied it to my unRaid USB drive and I got the same results. Is there a way to get additional information to see what might be happening in the boot sequence?

 

Put flash in PC and checkdisk.

Link to post
9 minutes ago, trurl said:

Put flash in PC and checkdisk.

Could you elaborate on what you are recommending? Do you mean to run a checkdisk utility or should I physically check the contents of the flash drive? Checkdisk shows no errors and the contents of the drive appear to be what is expected. 

Link to post

People who get the 403 error and you have a USG Gateway,  SSH into the gateway and enter this command:

    configure
    set service dns forwarding options rebind-domain-ok=/unraid.net/

Whoever added all the useful 'Help' information, you're amazing!

Edited by Zero
  • Like 1
Link to post
3 minutes ago, J_Hizzal said:

Is there a preferred way to update? This will be my first rodeo going through the update process. Should I stop all my Apps? Backup the configuration files? Modify any settings? 

 

You could stop the array and make a complete copy of your flash drive to another PC before starting the upgrade.  This way you can quickly return to the earlier version in a few seconds-- even after you have made some changes in the new 6.4.0 configuration.  

 

EDIT: If you have configuration files on your cache drive, you could copy them also.  

Edited by Frank1940
Link to post
17 minutes ago, cyberrad said:

Could you elaborate on what you are recommending? Do you mean to run a checkdisk utility or should I physically check the contents of the flash drive? Checkdisk shows no errors and the contents of the drive appear to be what is expected. 

Try booting from a USB2 port.

Link to post
17 hours ago, limetech said:

Moving devices around between cache pool and array or unassigned is handled much better now.

 

Adding and removing cache pool disks is definitely much better but there's an operation that still needs improvement, cache pool disk replacement/upgrade, how to reproduce:

 

-start with a two disk pool

-replace one of the cache disks with a new one (replacement disk was completely wiped)

-start the array, I see a device delete for the replaced drive on the log:

 

Jan 13 13:53:32 Test emhttpd: shcmd (354): /sbin/btrfs device delete /dev/sdf1 /mnt/cache && /sbin/btrfs balance start /mnt/cache &

-the main page shows the pool with the new disk (sdb) looking all normal:

 

5a5a114d211ee_Screenshot2018-01-1313_59_10.thumb.png.5ce81e209695fde91b3451ff68b64338.png

 

-but the device wasn't actually replaced and the pool is still both original devices, sdg and the now unassigned sdf:

 

btrfs fi show /mnt/cache
Label: none  uuid: 07e28824-181c-4d05-b599-da7f58770ec1
        Total devices 2 FS bytes used 640.00KiB
        devid    1 size 29.82GiB used 2.03GiB path /dev/sdf1
        devid    2 size 29.82GiB used 2.03GiB path /dev/sdg1

sdb isn't being used at all, I can reproduce this behavior every time, this can lead to confusion and data loss on the pool.

 

 

Link to post
  • limetech unpinned and locked this topic
This topic is now closed to further replies.