Unraid, SSH and custom linux services


Before I take the dive into buying Unraid. I've read and heard a lot of good things about it. I'm building my own NAS. I'm a server-admin and CISSP by trade, and this will mostly be the machine at home to fiddle with and make backups of videos, photos and other data, and it shall run nextcloud, since that is what I serve to my homeys and some friends. Currently I do this from a plain debian machine, but I'm out of storage space on that, and needed faster/newer hardware and more storage options. What I really like about unraid, what attracts me to it, is the way it stores data on drives. I strongly dislike RAID arrays. Have had horrible experiences with either controllers or recoveries over the 30 years I've been using RAID types here and there. On my desktop I run StableBit DrivePool, which I'm extremely happy with, since it's transparent to the user. I can access all storage media separately whenever I would want to, it doesn't stripe files over several media, which, honestly, is a PITA.

OK, that's for a short background. Now my questions:


- Is a USB stick really needed? I don't really like that, to be perfectly honest. Can't I run the OS from a much faster M.2 SSD drive in my NAS, and have the rest of the space on that M.2 drive used for other purposes? Maybe even partition it so that Unraid is just one small partition?


- I currently log in to all my servers everywhere using Public key SSH crypto, with the Ed25519 public-key signature system, and for some devices I have a GUI of course, but I always have the SSH as a backup. Can I create one on my unraid OS as well, so as to always have terminal access when needed? Can I install Midnight Commander for the shell?


- How far do you allow users to dive into the underlying OS?

Can I have it run dnsmasq natively, for example? I will have to run dnsmasq on this NAS anyway, so either that's going to be a plugin/docker, or on a VM started by Unraid, but to be honest, running it natively from the Unraid OS seems much smarter. That way I can have it cache all DNS requests made by everything under the unraid system/hardware, and thereby use blocklists and such.

And can I run my own firewall on the Unraid OS? Like, for example, my favorite, CSF/LFD (ConfigServer Security & Firewall) as an iptables/ipset wrapper?


That's it for now. I will peruse the forums some more in the meantime. Some of my questions may get answered that way. Thus far none got answered, but I've only been reading for about half a day, mostly about the way it handles data storage, which I really like about unraid.

Thanks in advance!

15 minutes ago, fluisterben said:

Is a USB stick really needed? I don't really like that, to be perfectly honest. Can't I run the OS from a much faster M.2 SSD drive in my NAS, and have the rest of the space on that M.2 drive used for other purposes? Maybe even partition it so that Unraid is just one small partition?

The OS doesn't run from that flash drive. At boot time, the OS is unpacked fresh from the archives on flash into RAM, and it runs completely in RAM. All the usual linux OS folders are in RAM. The flash drive is actually accessed very little, mostly just for saving configuration changes from the webUI.


And since it isn't used much, you need little capacity or speed from the flash. USB2 is actually preferred because USB3 can sometimes have more problems.

1 hour ago, fluisterben said:

- I currently log in to all my servers everywhere using Public key SSH crypto, with the Ed25519 public-key signature system, and for some devices I have a GUI of course, but I always have the SSH as a backup. Can I create one on my unraid OS as well, so as to always have terminal access when needed? Can I install Midnight Commander for the shell?

You can SSH into the command line, and Midnight Commander is built in.

10 minutes ago, fluisterben said:

How far do you allow users to dive into the underlying OS?

There is nothing preventing you from diving in. Unraid is running on a very lean version of slackware, with some customizations for the Unraid functionality. If you get in too deep you may be on your own. ;)


You just have to remember that if you do dive into the OS, which is located in RAM, then any changes you make will have to be reloaded every reboot or you'll lose those changes every reboot. There are some tricks you can use, like putting some command lines into the go script, and depending on how big your changes are it might simply make the boot-up each time a little slower, but it's expected.


I would also mention that you should probably get a good handle on how Unraid works before "diving in". It isn't really intended to be a general purpose linux OS and many things you may be used to with a general purpose linux may be somewhat different or altogether missing. Only root has access to the command line or webUI, for example, and the users you create in the Unraid webUI only have network access to the data.


There is a lot of additional functionality already provided by the user community through plugins and dockers, nearly 400 dockers currently and more being added all the time.


And of course, you can host VMs on Unraid if you do want a general purpose linux OS, for example.

On 3/7/2019 at 4:18 PM, trurl said:

I would also mention that you should probably get a good handle on how Unraid works before "diving in". It isn't really intended to be a general purpose linux OS and many things you may be used to with a general purpose linux may be somewhat different or altogether missing. Only root has access to the command line or webUI, for example, and the users you create in the Unraid webUI only have network access to the data.


There is a lot of additional functionality already provided by the user community through plugins and dockers, nearly 400 dockers currently and more being added all the time.


And of course, you can host VMs on Unraid if you do want a general purpose linux OS, for example.

Yes, I see where you're coming from, but my question here comes from latency and speed related issues.

Let's just say I'd like to run dnsmasq as a dns-server proxy and dhcp server for my LAN here, running that in dockers or a vm is adding points of failure and another virtual network-hop. I'm not so sure doing that inside a vm would be detrimental to speed or latency, what do you think?

On 3/7/2019 at 10:18 AM, trurl said:

It isn't really intended to be a general purpose linux OS and many things you may be used to with a general purpose linux may be somewhat different or altogether missing.

In my opinion this is the key answer. Diving deeply into the underlying linux system is neither the recommended nor supported way of doing things in unRAID. The way I have always understood it is applications and additional services belong in dockers (where possible), extension to the unRAID system (particularly the webUI) should be done with plugins (and should be used sparingly), all else can be handled by a VM if needed. Can you do what you want directly on the unRAID system? Maybe but probably not without frustration, and unless you are following in the footsteps of someone else on the forums you may end up in uncharted waters with questions that no-one else here knows how to answer. Though I have no knowledge of the services you are talking about specifically, my experience has been that the performance of dockerized applications, both large and small, is surprisingly good, not bare metal but good. 


On 3/7/2019 at 8:15 AM, fluisterben said:

- I currently log in to all my servers everywhere using Public key SSH crypto, with the Ed25519 public-key signature system, and for some devices I have a GUI of course, but I always have the SSH as a backup. Can I create one on my unraid OS as well, so as to always have terminal access when needed?

I also want to jump in on this question, but I admit I am not the most knowledgeable on the topic, so maybe we should both defer to the wisdom of @trurl on this one. Yes, unRAID has SSH, which I use regularly locally. However, the common consensus is that no surface of the unRAID OS itself should be exposed directly to (made accessible directly from) the internet (containers and VMs being a different story). UnRAID is by no means a hardened or security focused OS. The OS and its components are updated relatively slowly, though it has gotten a lot better in recent times, particularly in regards to security related patches. unRAID is designed to be safely sequestered in a local network, and the recommended way to access it remotely is through a VPN into your home network (then on to the WebGUI or terminal).


I hope that helps somewhat.

3 hours ago, primeval_god said:

I also want to jump in on this question, but I admit I am not the most knowledgeable on the topic, so maybe we should both defer to the wisdom of @trurl on this one. Yes, unRAID has SSH, which I use regularly locally. However, the common consensus is that no surface of the unRAID OS itself should be exposed directly to (made accessible directly from) the internet (containers and VMs being a different story). UnRAID is by no means a hardened or security focused OS. The OS and its components are updated relatively slowly, though it has gotten a lot better in recent times, particularly in regards to security related patches. unRAID is designed to be safely sequestered in a local network, and the recommended way to access it remotely is through a VPN into your home network (then on to the WebGUI or terminal).

Yes, while I fully understand that premise, even then, CSF/LFD is fairly simple (and free) to implement into the core of Unraid. It could, for example, track login failures and their sources, it can use blocklists which are actually very good and always up to date, and it can be configured so as to not interfere with LAN traffic at all, or use a segment of the LAN that would be safe/allowed in. I'm a CISSP and CFHI and the fact remains that with containers and VMs that *are* accessible from the web, the step up from an exploit in any of them is fairly easy; once you're in, you pretty much can do everything from unraid. The fact that its entire GUI and terminal are fully rooted makes that kind of worrying. Really, implementing CSF/LFD into Unraid would not be so hard, and it could for example allow its LAN-IP to be accessible from the world without much danger, or from dockers and VMs. I currently use OpenVPN for LAN-level access, but with proper TLS/SSL implemented in the GUI, having direct access isn't such a big security hurdle to overcome. Just sayin'.


I've just changed the ssh config of the Unraid slackware core into something more useful to me using much of this advice. I'll open a non-standard port from the WAN to this ssh key-based login; I've disabled password access entirely that way, and it's a lot quicker than first having to set up a VPN.
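An added example, not from the thread or from Unraid's own files: a small POSIX sh audit of an OpenSSH sshd_config that checks the "key-based login, password access disabled" setup described above before the port is opened. It assumes only a path to the config file; since Unraid runs from RAM, the file worth auditing is the copy you restore at boot (e.g. via the go script mentioned earlier in the thread).

```shell
#!/bin/sh
# Added example: audit an OpenSSH sshd_config for the key-only, no-password setup
# described above. sshd uses the FIRST value it reads for each keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes". Keywords are
# case-insensitive and may use "Keyword value" or "Keyword=value"; lines inside a
# Match block are conditional, so they are skipped when computing the global value.

# Print the effective global value of keyword $1 in file $2 (empty if unset).
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/=/, " "); $0 = $0 }                 # normalise Keyword=value
        /^[[:space:]]*#/ || NF == 0 { next }       # comments and blank lines
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# Return 0 if the config is safe to expose as key-only, 1 otherwise; findings on stdout.
audit_sshd_config() {
    cfg="$1"; rc=0
    v=$(sshd_effective PasswordAuthentication "$cfg")
    [ "$v" = "no" ] || { echo "PasswordAuthentication=${v:-<default yes>}, expected no"; rc=1; }
    v=$(sshd_effective PubkeyAuthentication "$cfg")
    [ "${v:-yes}" = "yes" ] || { echo "PubkeyAuthentication=$v, expected yes"; rc=1; }
    # Keyboard-interactive (PAM) is another password path; newer OpenSSH renamed the keyword.
    v=$(sshd_effective KbdInteractiveAuthentication "$cfg")
    [ -n "$v" ] || v=$(sshd_effective ChallengeResponseAuthentication "$cfg")
    [ "$v" = "no" ] || { echo "ChallengeResponseAuthentication=${v:-<default yes>}, expected no"; rc=1; }
    # Unraid logs in as root, so root login stays enabled but must be key-only.
    v=$(sshd_effective PermitRootLogin "$cfg")
    [ "$v" != "yes" ] || { echo "PermitRootLogin=yes, expected prohibit-password"; rc=1; }
    return $rc
}

# Constructed sample (not an Unraid file): looks hardened, but the first value wins.
write_weak_sample() {
    cat > "$1" <<'EOF'
Port 2222
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PasswordAuthentication no
Match Address 192.168.1.0/24
    PasswordAuthentication no
EOF
}
```

Run it as `audit_sshd_config /path/to/sshd_config` after sourcing the file; a non-zero exit means a password path is still open.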
