I was banging my head against the wall with SMB authentication errors logging into a fresh install of OMV7 from MacOS.
It seems for some reason the user password hadn't been synchronised between the linux and SMB user.
sudo smbpasswd -a usernameThis fixed my problem.
I want to restrict access to the ports to a specific set of IPs. It seems the only way I could probably do this with OMV webui is to set up the container to use host networking.
ZitatUncomplicated Firewall (ufw) is a frontend that ships with Debian and Ubuntu, and it lets you manage firewall rules. Docker and ufw use iptables in ways that make them incompatible with each other.
When you publish a container’s ports using Docker, traffic to and from that container gets diverted before it goes through the ufw firewall settings. Docker routes container traffic in the
nattable, which means that packets are diverted before it reaches theINPUTandOUTPUTchains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
Packet filtering and firewalls
Seems this is a Docker limitation that OMV can't get around (at least insofar as only the INPUT and OUTPUT chains can be manipulated through the WebUI).
I've been trying to set up the firewall inside OMV, and I've been mostly successful at restricting access as I want.
BUT I can't seem to restrict access to Docker containers running on the server using the rules in the OMV6 user interface.
My iptables are below, and my guess is that Docker's rules are taking precedence over OMV's rules. Specifically, I wanted to restrict access to port 3000 and 3001, and even if I drop all the traffic in the OMV UI, the port remains open.
The rules below should block all traffic to ports 3000/3001, according to the first block (which is what I'd configured in OMV), but then later you can see that docker allows those ports.
Have I hit a limitation of the OMV webui, or am I missing something here? Or is there a way I can configure the docker containers differently?
sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:853
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088
ACCEPT tcp -- 10.0.0.10 0.0.0.0/0 tcp dpt:2049
ACCEPT udp -- 10.0.0.10 0.0.0.0/0 udp dpt:2049
ACCEPT tcp -- 10.0.0.10 0.0.0.0/0 tcp dpt:111
ACCEPT udp -- 10.0.0.10 0.0.0.0/0 udp dpt:111
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
ts-forward all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (6 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.20.0.2 tcp dpt:3000
ACCEPT tcp -- 0.0.0.0/0 172.20.0.2 tcp dpt:853
ACCEPT tcp -- 0.0.0.0/0 172.20.0.2 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 172.20.0.2 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 172.22.0.2 tcp dpt:3001
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (6 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain ts-forward (1 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x40000/0xff0000
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x40000/0xff0000
DROP all -- 100.64.0.0/10 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain ts-input (0 references)
target prot opt source destination
ACCEPT all -- 100.74.72.50 0.0.0.0/0
RETURN all -- 100.115.92.0/23 0.0.0.0/0
DROP all -- 100.64.0.0/10 0.0.0.0/0 I had to do this to get it working:
If I tried to modify the NFS versions without disabling / rebooting, I continued to get errors.
apt-mark hold armbian-firmware is what you should have done. Selecting packages has caused more problems because it will list all packages with an update. If you select a package that is replaced by another and the package replacing it, the update will break.
If I was using the CLI, I assume?
The simplest solution then may just be to reword the dialog?
"All packages will be upgraded. Are you sure you want to proceed?"
If that's correct, then you shouldn't be able to select the items in the list.
If you select them, it says at the bottom of the list "X of Y items selected", which gives the impression the button will act only on the selected items (per normal UX standards).
I'd suggest disabling the ability to select items in the list. As I said, this bricked my OS, which wasn't ideal.
Gabe
When I go to System -> Update Management -> Updates it shows me a list of packages that can be upgraded.
The items in the list can be selected / highlighted.
I selected the 3 (of 4) packages I wanted to upgrade, and clicked the upgrade button (the down arrow with a line below). All 4 of the packages were upgraded, one of which was a firmware that bricked my installation (which is why I didn't want to install it in the first place).
Suggestions:
- Do not allow users to select items in the list of packages if that selection has no effect
- OR, upgrade only the items the user has selected
Thanks
Gabe
I reinstalled from the script and the problem went away. Thanks!
Ha! I can forgive the pixelation for retro charm.
I get the following pixelation happening when I login. I have changed the settings on MacOS to use magnified pointers FWIW.
I suspect there's a graceful way to handle this with different pointer sizes (though I'm not sure why use a custom progress pointer?)...
Sidenote: the device is running Armbian 21.08.3 Bullseye with Linux 5.10.60-meson64
Since I updated to 6.0-34 (Shaitan) I've been getting the following error:
/etc/cron.daily/openmediavault-cron-apt:
cat: write error: No space left on device
cat: write error: No space left on device
cat: write error: No space left on device
cat: write error: No space left on device
cat: write error: No space left on device
cat: write error: No space left on deviceWhen I check the drive status I can see there is no space issue (/dev/mmcblk0p1 is my OS / boot drive):
df -H
Filesystem Size Used Avail Use% Mounted on
udev 1.6G 0 1.6G 0% /dev
tmpfs 401M 15M 386M 4% /run
/dev/mmcblk0p1 16G 8.4G 7.0G 55% /
tmpfs 2.1G 0 2.1G 0% /dev/shm
tmpfs 5.3M 4.1k 5.3M 1% /run/lock
/dev/md0 6.0T 2.2T 3.9T 36% /srv/dev-disk-by-uuid-42e5e537-02b1-42d3-98d3-602339b07afe
tmpfs 2.1G 0 2.1G 0% /tmp
/dev/zram1 51M 50M 0 100% /var/logIf I reboot the device and run apt upgrade I don't get any error.
I've been using OMV6 for about 6 weeks now, through several upgrades.
Thoughts?
Thanks geaves, does that mean the installation guide in the OMV 6 documentation is incorrect? It doesn't mention using the install script.
Hi,
I'm installing OMV6 on Armbian Bullseye on an OrangePi One Plus.
I followed these command line instructions here:
https://openmediavault.readthe…stallation/on_debian.html
I was able to install succesfully on an Odroid HC4, but the OrangePi is generating an error on this command:
apt-get --yes --auto-remove --show-upgraded \
--allow-downgrades --allow-change-held-packages \
--no-install-recommends \
--option DPkg::Options::="--force-confdef" \
--option DPkg::Options::="--force-confold" \
install openmediavault-keyring openmediavaultResults in the following error:
The following packages have unmet dependencies:
php-pam : Depends: phpapi-20180731 but it is not installable
E: Unable to correct problems, you have held broken packages.I've looked through the forums and on Github and can't find anything to help me here.
It seems the missing package is a Debian Buster package, but isn't available in Bullseye.
Any suggestions?
I want to try to move away from email notifications, and I've just realised that there's no way to set up alternative notification systems WITHOUT email notifications.
I'd like to suggest that the notification system be re-imagined to allow the adding of a set of "profiles" which could be redirected to any service based on specific criteria (e.g. integrate something like https://github.com/caronc/apprise).
For example:
I want all messages to be sent to Slack on #channel1
I want WARN messages to be sent to Signal and Email (as well as Slack on #channel1)
I want DISK FULL messages to be sent to Slack on #channel2
I know there's the facility for adding scripts in /usr/share/openmediavault/notification/sink.d/ but this is somewhat technical.
Thanks!
Gabe
Ok thanks.
votdev - I hope you consider this for v6.0 - as it's an ongoing (though admittedly small) annoyance.
ryecoaaron Thanks for the reply.
Why does it ask me to confirm to close the tab only on some pages?
If I have made no configuration changes (i.e. logged in and clicked only on the left-hand navigation):
- I get (unpredictably) a pop-up when I close the browser tab on the Dashboard
- I always get a pop-up when I close the browser tab on the Users
- I never get a pop-up when I close the browser tab on Disks
Can you explain the intent a bit more?