Posts by ptruman

    Hi all


    Portainer 2.0 (CE) is now out - released in the last 48 hours.

    https://github.com/portainer/portainer/releases


    Upgrade is easy enough, but it has to be installed manually as OMVExtras currently points to Portainer V1 (and they've changed tags to avoid breakages). Assuming you've installed portainer V1 via OMVExtras then all you need to do (via the CLI) is:

    • docker stop portainer
    • docker rm portainer
    • docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce

    Then reload your GUI.


    The App Templates changed format, so if you're using a template list (such as selfhostedpro) it will break the list (but not Portainer)

    You can upgrade the list yourself (https://github.com/SelfhostedP…hosted_templates/pull/178) until that's fixed.


    It's also now got Kubernetes support and a few other things. Nothing has (as yet) broken for me :)

    You either need to setup a macvlan to get your image on your local network, or run it in host mode and look at the port forwarding options.


    ip route (if you use it) would need to be set up two ways on your host box/router to get stuff from/to both networks.


    Have a look at the macvlan option on my blog post here - it might let you move your wireguard host to macvlan which would be on your own LAN :)


    https://site.gothtech.co.uk/ar…ainer-traefik-letsencrypt

    Why don't you put your certs on a volume and expose it to the container, then just restart the container nightly?

    I'm using Traefik for my certs and have a script to export them and put them in a shared location which is exposed to my containers that want copies locally (like OpenVPNAS)

    Hi all


    As I've mentioned on and off, I've recently migrated off my old HP N54L to an HP Gen8 Microserver - and upgraded to OpenMediaVault 5 (having used 3 & 4) at the same time.


    I wanted to leverage Docker a hell of a lot more - and when I found OMV5 came with Portainer, I went down a rabbit hole and pulled together this guide, as some of the other ones I found were missing some bits of useful info (Traefik config etc) or didn't pull it all together.


    It's not a short post, but I hope it's of use to some!


    https://site.gothtech.co.uk/ar…ainer-traefik-letsencrypt


    I'm migrating my V1 Google Site to V2, so articles will start coming across there shortly :)

    Stupid question, as my Google Fu is failing me - does "Hold Current Kernel" ensure it's not lost? Or prevent it from being used?

    (I presume the former?)


    I've got issues with 5.6.0 causing random NMIs, and 5.5.0 is rock solid so don't want to lose it. I've set 5.5.0 as default either way.

    Where have these configs moved to in OMV5? :)

    IRN : I'm moving to guacamole, behind traefik with oauth, but I still like ed25519, which (as yet) is only in libssh2, which needs 1.9, which isn't in debian buster by default (yet).

    Fun and games - have a read - is any of this related?


    Having installed OMV5 from ISO, I wasn't paying attention and ran "apt-get install ntp", which decided to uninstall openmediavault.

    I caught it just after I hit yes, but not before it took out the services and upset everything.

    Top/Obvious Tip - pay attention to what a package claims it will uninstall for you/don't install ntp (use an sntp docker image!)


    So, I've symlinked the services back to /lib/systemd and OMV started up again - and I re-ran the salt-setup/init system again as I had another problem - everything now looks fine, and reboots don't affect anything.


    I then got a prompt that kernel 5.6 was available. That installed, but I suffered two random restarts after a few hours, with my HP gen8 (microserver) iLO reporting two NMI events.


    I restarted and selected 5.5 in the boot menu, and it's continued being stable for a couple of days (with my various docker containers whirring away)


    Today, I've been informed by apt that "openmediavault" has an update available, but:


    The following packages have been kept back:

    salt-common salt-minion


    Now, is that related to my having 5.6 installed but not booted? The OMV update installed fine but given OMV uses salt....

    Clues/pointers?


    Should I apt-get install them anyway?

    Hi


    I've just had two NMI faults (reboots) after OMV apt installed 5.5.6


    I've just rebooted into 5.5.0 to see if that stops being stupid, but I'm aware that I saw linux-image-amd64 was 'held' when it went to 5.6. I nudged it and marked it as auto-installed - should I (or can I?) downgrade that as well as potentially uninstall 5.5.6?

    Hello :)

    I've just spun up a new HP Microserver with OMV 5 Usul, and hit this exact problem.

    I am using 5.5.2-1 from the website ISO, and SSH was broken nicely for me until I ran the chmod, so the fix may not be applying?


    Jun 11 11:47:37 openmediavault sshd[13466]: Authentication refused: bad ownership or modes for directory /


    uname -a reports


    Linux openmediavault.citadel 5.5.0-0.bpo.2-amd64 #1 SMP Debian 5.5.17-1~bpo10+1 (2020-04-23) x86_64 GNU/Linux

    Crashplan have just introduced a set of mandatory exclusions on both file extensions AND folder locations.
    Anything deemed as operating system related (i.e. /srv - where the OMV3 data drive gets mounted) is no longer backed up.


    Reddit /r/Crashplan has various posts of "Where are my backups?" from people, and I've now started the transition to Backblaze via Duplicati (install plugin, go...)


    I will add that on OMV4, the /sharedfolders folder is not excluded - so you can switch backup src location to that folder and it will work - but your file extensions might still be subjected to exclusion (i.e. any .vmdk files are now excluded and so forth).


    Hopefully this saves some of you a headache :)


    (Mods : depending on your view, this might want a sticky or post in a "higher?" announcement forum - I'm not sure who may be using Crashplan here - but one other guy on Reddit is clearly also an OMV user) :)

    Those are the pointers I was after, ta.


    Re: changing port, I have - but if you check out shodan.io you will find that your machine (if exposed) has probably been fingerprinted, so all a port change does is stop drive-by scripted attacks. Anyone running nmap/fingerprinting will find the ssh service and what protocols it's willing to deal with. Fail2ban does help, but as it's not saving to a DB it resets on any reboot, and some clustered hacks just rotate to another IP.


    Also, having had two passwords lost (and confirmed on haveibeenpwned.com) I don't want to leave any exposed service down to just user/pass - so Google/OTP helps there.


    I've got another layer on top of that which arguably makes it more secure, but that's away from the OMV box :)

    Basically this


    From the GUI - denying root login, enabling compression and enabling PubKeyAuthentication (which are all retained)


    Then:

    • Installing Google Authenticator (for OpenVPN AS also)
    • Generating an appropriate account Google Auth file
    • Removing/commenting out

      • HostKey /etc/ssh/ssh_host_rsa_key
      • HostKey /etc/ssh/ssh_host_dsa_key
      • HostKey /etc/ssh/ssh_host_ecdsa_key
    • Adding the lines:

      • HostKey /etc/ssh/ssh_host_ed25519_key
      • ChallengeResponseAuthentication yes
      • Banner /etc/issue.net
    • Amending the line:

      • LoginGraceTime (change from 120 to 60)
    • Editing issue.net appropriately with message of choice
    • Then running
    Code
    cp /etc/ssh/moduli /etc/ssh/moduli.orig
    # generate the ed25519 host key in /etc/ssh so the HostKey line above can find it
    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" < /dev/null
    # generate 4096-bit DH candidates, then screen them for safe primes (the -T step is slow)
    ssh-keygen -G /etc/ssh/moduli.all -b 4096
    ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
    # install only the screened primes of 3072 bits or more (field 5 is the size minus one)
    awk '$5 >= 3071' /etc/ssh/moduli.safe > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
    rm /etc/ssh/moduli.all /etc/ssh/moduli.safe
    systemctl restart sshd


    I've generated (and been using) an ed25519 key with PuttyGen.


    That basically gives me the best possible cipher set (removing legacy ones), 3 factor auth (public/private key with appropriate username in cert, Google Auth code, plus account password matching the underlying Debian account) and regenerates custom moduli files (removing unsafe/lower value ones) and regens the system keys.
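    Added example, not from the post above: a small POSIX sh audit that reads an sshd_config and reports whether the settings the post describes (root login denied, pubkey auth, challenge-response on, LoginGraceTime 60, a banner, and only the ed25519 host key active) are in effect. It models sshd's first-match rule (the first occurrence of a directive wins) and stops at any Match block, whose directives are conditional. The two sample configs are constructed here for illustration; the defaults used when a directive is absent are OpenSSH's documented defaults, and it only needs sh, awk and grep.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening steps above.
# Not the forum post's own script; sample configs below are constructed.

# effective_value FILE KEY -> first uncommented value for KEY (sshd uses the
# first occurrence; anything after a Match line is conditional, so stop there).
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# host_keys FILE -> every active HostKey path (commented ones are skipped)
host_keys() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "hostkey" { print $2 }' "$1"
}

# audit_sshd_config FILE -> one OK:/FAIL: line per check
audit_sshd_config() {
    f="$1"
    # check KEY EXPECTED DEFAULT: DEFAULT is what sshd assumes when KEY is absent
    check() {
        v=$(effective_value "$f" "$1")
        [ -n "$v" ] || v="$3"
        if [ "$v" = "$2" ]; then
            echo "OK: $1 $v"
        else
            echo "FAIL: $1 is $v, expected $2"
        fi
    }
    check PermitRootLogin no prohibit-password
    check PubkeyAuthentication yes yes
    check ChallengeResponseAuthentication yes yes
    check LoginGraceTime 60 120
    check Banner /etc/issue.net none
    # only the ed25519 host key should still be active
    for k in $(host_keys "$f"); do
        case "$k" in
            */ssh_host_ed25519_key) echo "OK: HostKey $k" ;;
            *) echo "FAIL: legacy HostKey $k still active" ;;
        esac
    done
}

# fail_count FILE -> number of FAIL: lines (0 when fully hardened)
fail_count() {
    audit_sshd_config "$1" | grep -c '^FAIL:' || true
}

# constructed sample: a stock Debian-style sshd_config
default_config() {
cat <<'EOF'
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
EOF
}

# constructed sample: the same file after the edits described in the post
hardened_config() {
cat <<'EOF'
Port 22
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
Banner /etc/issue.net
LoginGraceTime 60
UsePAM yes
EOF
}

# demo: audit both constructed samples
demo_file=$(mktemp)
default_config > "$demo_file"
echo "== stock-style config =="; audit_sshd_config "$demo_file"
hardened_config > "$demo_file"
echo "== hardened config =="; audit_sshd_config "$demo_file"
rm -f "$demo_file"
```

    To run it against a real box, replace the demo at the bottom with `audit_sshd_config /etc/ssh/sshd_config`. On OMV that is only half the story: OMV regenerates sshd_config from its own template, so run the audit again after every save from the GUI to confirm the removed HostKey lines have not come back.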

    Where does OMV hide its default sshd_config, or what script does it run on save config?
    I'm hardening my config manually, but if I touch anything in OMV, it resets it - and re-includes lines I've removed.
    Adding NEW lines via OMV is fine, but I can't "occlude" stuff from there. Ideally I'd like to use the GUI but so far have to avoid it - unless I can fudge its defaults :)