Thomas-Krenn-Wiki - New pages [en]

PCIe link lost

2026-05-21T11:16:45Z

Aranzinger: Created page with "On Linux systems, when using Intel I350 network chips, messages such as '''PCIe link lost''' may appear, followed by '''igb 0000:82:00.0 enp130s0f0: malformed Tx packet detected and dropped, LVMMC:0xffffffff'''. Therefore, the affected network interface does not work. As a solution, the Linux kernel parameter '''pcie_aspm.policy=performance''' or an updated BIOS with deactivated ASPM can be used. == Affected hardware and software == We have encountered this issue i..."

On [[Linux]] systems, when using Intel I350 network chips, messages such as '''PCIe link lost''' may appear, followed by '''igb 0000:82:00.0 enp130s0f0: malformed Tx packet detected and dropped, LVMMC:0xffffffff'''. Therefore, the affected network interface does not work. As a solution, the Linux kernel parameter '''pcie_aspm.policy=performance''' or an updated BIOS with deactivated ASPM can be used.

== Affected hardware and software ==
We have encountered this issue in isolated cases after several weeks of testing with the following components:
* ASUS RS500A-E11-RS12U with [[AMD EPYC 7003 Milan]] CPU (AMD EPYC 7543P) with Intel I350-AM2
** BIOS 0901
* [[Proxmox VE]] with kernel 5.15.35-1-pve

== Problem ==
Example 21.6.2022:
<pre>
Jun 21 00:53:43 PMX2 kernel: [568234.890225] igb 0000:82:00.0 enp130s0f0: PCIe link lost
Jun 21 00:53:43 PMX2 kernel: [568234.890714] ------------[ cut here ]------------
Jun 21 00:53:43 PMX2 kernel: [568234.891150] igb: Failed to read reg 0x40e8!
Jun 21 00:53:43 PMX2 kernel: [568234.891611] WARNING: CPU: 15 PID: 1607760 at drivers/net/ethernet/intel/igb/igb_main.c:747 igb_rd32.cold+0x3a/0x46 [igb]
Jun 21 00:53:43 PMX2 kernel: [568234.892059] Modules linked in: sch_ingress ebtable_filter ebtables ip_set ip6table_raw iptable_raw ip6table_filter ip6_tables iptable_filter bpfilter sctp ip6_udp_tunnel
udp_tunnel nf_tables bonding tls openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 softdog nfnetlink_log nfnetlink ipmi_ssif intel_rapl_msr intel_rapl_common amd64_edac edac_
mce_amd kvm_amd ast drm_vram_helper drm_ttm_helper kvm ttm drm_kms_helper cec irqbypass crct10dif_pclmul rc_core ghash_clmulni_intel aesni_intel fb_sys_fops crypto_simd cryptd rapl wmi_bmof efi_pstore pc
spkr acpi_ipmi syscopyarea cdc_ether sysfillrect usbnet sysimgblt joydev input_leds mii ipmi_si ccp ptdma k10temp ipmi_devintf ipmi_msghandler mac_hid vhost_net vhost vhost_iotlb tap ib_iser rdma_cm iw_c

Jun 21 00:53:43 PMX2 kernel: [568234.892098] zstd_compress hid_generic usbmouse usbkbd usbhid hid raid6_pq libcrc32c simplefb crc32_pclmul nvme nvme_core igb xhci_pci i2c_algo_bit ahci xhci_pci_renesas
dca libahci xhci_hcd i2c_piix4 bnxt_en wmi
Jun 21 00:53:43 PMX2 kernel: [568234.896894] CPU: 15 PID: 1607760 Comm: nload Tainted: P O 5.15.35-1-pve #1
Jun 21 00:53:43 PMX2 kernel: [568234.897392] Hardware name: ASUSTeK COMPUTER INC. RS500A-E11-RS12U/KMPA-U16 Series, BIOS 0901 12/03/2021
Jun 21 00:53:43 PMX2 kernel: [568234.897890] RIP: 0010:igb_rd32.cold+0x3a/0x46 [igb]
Jun 21 00:53:43 PMX2 kernel: [568234.898391] Code: c7 c6 94 23 3e c0 e8 ea e4 33 ed 48 8b bb 30 ff ff ff e8 5a 2c cc ec 84 c0 74 16 44 89 ee 48 c7 c7 60 30 3e c0 e8 b9 f2 2a ed <0f> 0b e9 b8 03 fe ff e9
cf 03 fe ff 0f b6 d0 be 00 00 04 00 48 c7
Jun 21 00:53:43 PMX2 kernel: [568234.899403] RSP: 0018:ffffbc9e812d3a98 EFLAGS: 00010282
Jun 21 00:53:43 PMX2 kernel: [568234.899906] RAX: 0000000000000000 RBX: ffff947b663fced0 RCX: ffff949a0e1e0588
Jun 21 00:53:43 PMX2 kernel: [568234.900414] RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff949a0e1e0580
Jun 21 00:53:43 PMX2 kernel: [568234.900915] RBP: ffffbc9e812d3ab0 R08: 0000000000000003 R09: 0000000000000001
Jun 21 00:53:43 PMX2 kernel: [568234.901411] R10: ffff947b7610c7c0 R11: ffffffffc0d410c0 R12: 00000000ffffffff
Jun 21 00:53:43 PMX2 kernel: [568234.901902] R13: 00000000000040e8 R14: 00000000000198e8 R15: 0000000003f1d080
Jun 21 00:53:43 PMX2 kernel: [568234.902389] FS: 00007f4cb056d740(0000) GS:ffff949a0e1c0000(0000) knlGS:0000000000000000
Jun 21 00:53:43 PMX2 kernel: [568234.902879] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 21 00:53:43 PMX2 kernel: [568234.903364] CR2: 00007f4f7bbf2670 CR3: 00000006414e8004 CR4: 0000000000770ee0
Jun 21 00:53:43 PMX2 kernel: [568234.903850] PKRU: 55555554
Jun 21 00:53:43 PMX2 kernel: [568234.904336] Call Trace:
Jun 21 00:53:43 PMX2 kernel: [568234.904808] <TASK>
Jun 21 00:53:43 PMX2 kernel: [568234.905275] igb_update_stats+0x4c0/0x880 [igb]
Jun 21 00:53:43 PMX2 kernel: [568234.905743] igb_get_stats64+0x30/0x80 [igb]
Jun 21 00:53:43 PMX2 kernel: [568234.906205] dev_get_stats+0x60/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.906663] netstat_show.constprop.0+0x57/0xb0
Jun 21 00:53:43 PMX2 kernel: [568234.907117] tx_dropped_show+0x16/0x20
Jun 21 00:53:43 PMX2 kernel: [568234.907564] dev_attr_show+0x1d/0x40
Jun 21 00:53:43 PMX2 kernel: [568234.908014] sysfs_kf_seq_show+0xa1/0x100
Jun 21 00:53:43 PMX2 kernel: [568234.908451] kernfs_seq_show+0x27/0x30
Jun 21 00:53:43 PMX2 kernel: [568234.908882] seq_read_iter+0x122/0x4b0
Jun 21 00:53:43 PMX2 kernel: [568234.909309] ? aa_file_perm+0x11e/0x570
Jun 21 00:53:43 PMX2 kernel: [568234.909732] kernfs_fop_read_iter+0x150/0x1b0
Jun 21 00:53:43 PMX2 kernel: [568234.910150] new_sync_read+0x110/0x1a0
Jun 21 00:53:43 PMX2 kernel: [568234.910564] vfs_read+0x100/0x1a0
Jun 21 00:53:43 PMX2 kernel: [568234.910970] ksys_read+0x67/0xe0
Jun 21 00:53:43 PMX2 kernel: [568234.911368] __x64_sys_read+0x1a/0x20
Jun 21 00:53:43 PMX2 kernel: [568234.911766] do_syscall_64+0x5c/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.912170] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.912560] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.912944] ? syscall_exit_to_user_mode+0x27/0x50
Jun 21 00:53:43 PMX2 kernel: [568234.913330] ? __x64_sys_read+0x1a/0x20
Jun 21 00:53:43 PMX2 kernel: [568234.913706] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.914073] ? syscall_exit_to_user_mode+0x27/0x50
Jun 21 00:53:43 PMX2 kernel: [568234.914431] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.914777] ? __x64_sys_close+0x12/0x40
Jun 21 00:53:43 PMX2 kernel: [568234.915112] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.915436] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.915745] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.916052] ? asm_sysvec_apic_timer_interrupt+0xa/0x20
Jun 21 00:53:43 PMX2 kernel: [568234.916342] entry_SYSCALL_64_after_hwframe+0x44/0xae
Jun 21 00:53:43 PMX2 kernel: [568234.916623] RIP: 0033:0x7f4cb0666e8e
Jun 21 00:53:43 PMX2 kernel: [568234.916890] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 6e 18 0a 00 e8 89 e8 01 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a
c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
Jun 21 00:53:43 PMX2 kernel: [568234.917444] RSP: 002b:00007ffe81260f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
Jun 21 00:53:43 PMX2 kernel: [568234.917719] RAX: ffffffffffffffda RBX: 0000000000001fff RCX: 00007f4cb0666e8e
Jun 21 00:53:43 PMX2 kernel: [568234.917988] RDX: 0000000000001fff RSI: 000055e09cb3adf0 RDI: 0000000000000003
Jun 21 00:53:43 PMX2 kernel: [568234.918250] RBP: 000055e09cb3adf0 R08: 0000000000000000 R09: 00007f4cb0736be0
Jun 21 00:53:43 PMX2 kernel: [568234.918508] R10: 0000000001000000 R11: 0000000000000246 R12: 0000000000001fff
Jun 21 00:53:43 PMX2 kernel: [568234.918764] R13: 00007ffe81261118 R14: 000055e09bc21398 R15: 000055e09bc21370
Jun 21 00:53:43 PMX2 kernel: [568234.919020] </TASK>
Jun 21 00:53:43 PMX2 kernel: [568234.919272] ---[ end trace e754faf722c4d59f ]---
Jun 21 00:53:43 PMX2 kernel: [568234.919529] igb 0000:82:00.0 enp130s0f0: malformed Tx packet detected and dropped, LVMMC:0xffffffff
Jun 21 00:53:43 PMX2 kernel: [568234.919586] igb 0000:82:00.1 enp130s0f1: PCIe link lost
Jun 21 00:53:43 PMX2 kernel: [568234.920381] ------------[ cut here ]------------
Jun 21 00:53:43 PMX2 kernel: [568234.920832] igb: Failed to read reg 0xc030!
Jun 21 00:53:43 PMX2 kernel: [568234.921292] WARNING: CPU: 47 PID: 1607760 at drivers/net/ethernet/intel/igb/igb_main.c:747 igb_rd32.cold+0x3a/0x46 [igb]
Jun 21 00:53:43 PMX2 kernel: [568234.921782] Modules linked in: sch_ingress ebtable_filter ebtables ip_set ip6table_raw iptable_raw ip6table_filter ip6_tables iptable_filter bpfilter sctp ip6_udp_tunnel
udp_tunnel nf_tables bonding tls openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 softdog nfnetlink_log nfnetlink ipmi_ssif intel_rapl_msr intel_rapl_common amd64_edac edac_
mce_amd kvm_amd ast drm_vram_helper drm_ttm_helper kvm ttm drm_kms_helper cec irqbypass crct10dif_pclmul rc_core ghash_clmulni_intel aesni_intel fb_sys_fops crypto_simd cryptd rapl wmi_bmof efi_pstore pc
spkr acpi_ipmi syscopyarea cdc_ether sysfillrect usbnet sysimgblt joydev input_leds mii ipmi_si ccp ptdma k10temp ipmi_devintf ipmi_msghandler mac_hid vhost_net vhost vhost_iotlb tap ib_iser rdma_cm iw_c
m ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi drm sunrpc ip_tables x_tables autofs4 zfs(PO) zunicode(PO) zzstd(O) zlua(O) zavl(PO) icp(PO) zcommon(PO) znvpair(PO) spl(O) btrfs blak
e2b_generic xor
</pre>

Beispiel 26.6.2022:
<pre>
[...]
Jun 26 18:46:36 PMX2 kernel: [1064607.600707] igb 0000:82:00.0 enp130s0f0: malformed Tx packet detected and dropped, LVMMC:0xffffffff
Jun 26 18:46:37 PMX2 kernel: [1064608.624690] igb 0000:82:00.1 enp130s0f1: malformed Tx packet detected and dropped, LVMMC:0xffffffff
[...]
</pre>

== Possible solutions ==

=== Updated BIOS ===
The new BIOS version 1301 (Milan, 2023/03/15) deactivates ASPM on all PCIe ports (<cite>Disable ASPM on all PCIe ports.</cite>) and resolves the problem.

=== Kernel parameter ===
Alternatively, as a workaround, the PCIe ASPM policy can be set to performance using the following kernel boot parameter:<pre>sed -i '$ s/$/ pcie_aspm.policy=performance/' /etc/kernel/cmdline</pre>
On systemd-boot-systems, this command adds the parameter to the /etc/kernel/cmdline file. On Proxmox systems, a refresh of the Proxmox boot tool must be performed after changing the file:
<pre>proxmox-boot-tool refresh</pre>After a reboot, it can be verified if the parameters are active using <pre>cat /proc/cmdline</pre>

== More information ==
* [https://access.redhat.com/solutions/2190691 igb "malformed Tx packet detected and dropped, LVMMC" message] (access.redhat.com, 05.03.2016)
* [https://access.redhat.com/solutions/6753701 Intel I350 NIC with igb logs "Refused to change power state" and "PCIe link lost"] (access.redhat.com, Updated February 23 2022)
* [https://patchwork.ozlabs.org/project/netdev/patch/1406207604-31653-6-git-send-email-jeffrey.t.kirsher@intel.com/ igb: Add message when malformed packets detected by hw] (patchwork.ozlabs.org, 24.07.2014)
* [https://community.zyxel.com/en/discussion/2574/degraded-gigabit-problem-with-gs1200-8 Degraded Gigabit problem with GS1200-8] (community.zyxel.com, April 2019)

== References ==
<references />

{{Wfischer}}
{{Jsterr}}
{{Aranzinger}}
[[Category:Linux]]
[[Category:Proxmox Troubleshooting]]
[[de:PCIe link lost]]

MegaRAID 9341-4i Debian 11 DMAR DRHD handling fault status reg 3

2026-05-21T07:09:47Z

Aranzinger: Created page with "After installing Debian 11 on a system with MegaRAID 9341-4i RAID controller, messages such as '''AVAGO EFI SAS Driver is Unhealthy''' may appear during the boot process and '''DMAR: DRHD: handling fault status reg 3''' in the system log. In this article, we explain how to solve this problem by using the kernel parameter '''intel_iommu=on iommu=pt'''. == Description of problem == After installing Debian 11, the following problems appear on a system with MegaRAI..."

After installing [[Debian]] 11 on a system with [[MegaRAID 9341-4i RAID controller]], messages such as '''AVAGO EFI SAS Driver is Unhealthy''' may appear during the boot process and '''DMAR: DRHD: handling fault status reg 3''' in the system log. In this article, we explain how to solve this problem by using the kernel parameter '''intel_iommu=on iommu=pt'''.

== Description of problem ==
After installing Debian 11, the following problems appear on a system with MegaRAID 9341-4i RAID controller:
* Message during boot process:
*: [[Avago EFI SAS Driver is Unhealthy]]
* Message in the BIOS:
*: '''L2/L3 Cache error was detected on the RAID controller. Please contact technical support to resolve this issue. Press 'X' to continue or else power off the system, replace the controller and reboot.'''
* Error message in Syslog:
*: '''DMAR: DRHD: handling fault status reg 3'''

Error message in Syslog explained in detail:
<pre>
[ 44.978734] megasas: 07.714.04.00-rc1
[ 44.979059] megaraid_sas 0000:02:00.0: BAR:0x1 BAR's base_addr(phys):0x0000000091300000 mapped virt_addr:0x00000000e2c49ffb
[ 44.979061] megaraid_sas 0000:02:00.0: FW now in Ready state
[ 44.979061] megaraid_sas 0000:02:00.0: 63 bit DMA mask and 32 bit consistent mask
[ 44.979181] megaraid_sas 0000:02:00.0: firmware supports msix : (96)
[ 44.979388] megaraid_sas 0000:02:00.0: requested/available msix 13/13
[ 44.979389] megaraid_sas 0000:02:00.0: current msix/online cpus : (13/12)
[ 44.979390] megaraid_sas 0000:02:00.0: RDPQ mode : (disabled)
[ 44.979391] megaraid_sas 0000:02:00.0: Current firmware supports maximum commands: 272 LDIO threshold: 237
[ 44.979425] megaraid_sas 0000:02:00.0: Configured max firmware commands: 271
[ 44.979686] megaraid_sas 0000:02:00.0: Performance mode :Latency
[ 44.979687] megaraid_sas 0000:02:00.0: FW supports sync cache : Yes
[ 44.979688] megaraid_sas 0000:02:00.0: megasas_disable_intr_fusion is called outbound_intr_mask:0x40000009
[ 45.235288] DMAR: DRHD: handling fault status reg 3
[ 45.235366] DMAR: [DMA Write] Request device [02:00.0] PASID ffffffff fault addr 3ffb0000 [fault reason 05] PTE Write access is not set
[ 45.236414] DMAR: DRHD: handling fault status reg 3
[ 45.236492] DMAR: [DMA Read] Request device [02:00.0] PASID ffffffff fault addr 3ffb0000 [fault reason 06] PTE Read access is not set
[ 46.289908] DMAR: DRHD: handling fault status reg 3
[ 46.289986] DMAR: [DMA Read] Request device [02:00.0] PASID ffffffff fault addr 3ffb0000 [fault reason 06] PTE Read access is not set
[ 47.353019] DMAR: DRHD: handling fault status reg 3
[ 50.542825] dmar_fault: 8 callbacks suppressed ...
[ 291.968323] dmar_fault: 5 callbacks suppressed
[ 291.968327] DMAR: DRHD: handling fault status reg 3
[ 291.973328] DMAR: [DMA Read] Request device [02:00.0] PASID ffffffff fault addr 3ffb0000 [fault reason 06] PTE Read access is not set
[ 293.031635] DMAR: DRHD: handling fault status reg 3
[ 293.034716] DMAR: [DMA Read] Request device [02:00.0] PASID ffffffff fault addr 3ffb0000 [fault reason 06] PTE Read access is not set
[ 294.094631] DMAR: DRHD: handling fault status reg 3
[ 294.098574] DMAR: [DMA Read] Request device [02:00.0] PASID ffffffff fault addr 3ffb0000 [fault reason 06] PTE Read access is not set
[ 295.157716] DMAR: DRHD: handling fault status reg 3
[ 296.988718] megaraid_sas 0000:02:00.0: Init cmd return status FAILED for SCSI host 9
[ 296.994525] megaraid_sas 0000:02:00.0: Failed from megasas_init_fw 6460
</pre>

== Affected systems ==
The problem appeared with the following hardware/software.

Hardware:
* Supermicro mainboard X11SCH-LN4F
* MegaRAID 9341-4i RAID controller

Software:
* Debian 11 with Linux kernel 5.10.0-11, megaraid_sas module version (via Debian) 07.714.04.00-r, even the latest Broadcom module (07.719.04.00) does not resolve the problem.

When using Debian 10 with Linux kernel 4.19.0-18, megaraid_sas module version 07.706.03.00-rc1, the poblem does not appear.

== Cause ==
The error message ''DMAR: DRHD: handling fault status reg 3'' indicates a problem in combination with the IOMMU. The terms have the following meanings:<ref>[https://www.intel.com/content/dam/develop/external/us/en/documents/intel-whitepaper-using-iommu-for-dma-protection-in-uefi-820238.pdf A Tour Beyond BIOS: Using IOMMU for DMA Protection in UEFI Firmware] (www.intel.com)</ref><ref>[https://www.kernel.org/doc/Documentation/Intel-IOMMU.txt Linux IOMMU Support] (www.kernel.org/doc)</ref>
* DMAR = DMA Remapping Reporting
* DRHD = DMA Remapping Hardware Unit Definition

== Solution ==
To solve the issue, the Intel IOMMU functions must be activated in the Linux kernel and the IOMMU must be set to pass-through mode.

For this, the following parameter (via /etc/default/grub) must be set:
* intel_iommu=on iommu=pt

== More information ==
* [https://bbs.archlinux.org/viewtopic.php?pid=1738979#p1738979 (SOLVED) "kernel: DMAR: DRHD: handling fault status reg 3"] (bbs.archlinux.org, 29.09.2017)
* [https://forum.proxmox.com/threads/raid-controller-9341-8i.88667/ raid controller 9341-8i] (forum.proxmox.com, 04.05.2021)

== References ==
<references />

{{Wfischer}}
{{Aranzinger}}
[[Category:Debian]][[Category:LSI]]
[[de:MegaRAID 9341-4i Debian 11 DMAR DRHD handling fault status reg 3]]

Debian 11 installation with DMAR DRHD handling fault status reg 3 error message

2026-05-21T05:56:09Z

Aranzinger: Created page with "When installing Debian 11 on systems with a MegaRAID 9341-4i RAID controller, it may come to error messages such as '''AVAGO EFI SAS Driver is Unhealthy''' during the starting process and '''DMAR: DRHD: handling fault status reg 3 '' when starting the operating system. In this article, we show how to install Debian 11 by using the kernel parameters '''intel_iommu=on''' and '''iommu=pt'''. == Error message in the BIOS, during boot process and installation == In this ca..."

When installing Debian 11 on systems with a MegaRAID 9341-4i RAID controller, it may come to error messages such as '''AVAGO EFI SAS Driver is Unhealthy''' during the starting process and '''DMAR: DRHD: handling fault status reg 3 '' when starting the operating system. In this article, we show how to install Debian 11 by using the kernel parameters '''intel_iommu=on''' and '''iommu=pt'''.

== Error message in the BIOS, during boot process and installation ==
In this case, the installation was performed on a Supermicro mainboard X11SCH-LN4F and on a MegaRAID 9341-4i RAID controller, as both of these components lead to this error message in combination.
This case is described in detail in the following article: [[MegaRAID 9341-4i Debian 11 DMAR DRHD handling fault status reg 3]]

'''Three types of errors that occur'''
<gallery>
file:BootPostUnhealty.png|Error message of the controller in the postscreen - '''AVAGO EFI SAS Driver is unhealthy'''
file:Fehler1.png|Error message encountered when booting from the boot medium '''DMAR: DRHD: handling fault status reg 3'''
file:Fehler2.png|Error in the Debian installer during hard drive selection: the RAID is not displayed
</gallery>

== Solution ==
To solve the problem, the Intel IOMMU functions must be set to pass-through in the Linux kernel.

The following kernel parameters must be set for this:intel_iommu=on iommu=pt

These parameters must be set three times
# in the Debian installer
# after booting in the GRUB
# in the OS under /etc/default/grub

=== 1) Changes made during installation using the Debian installer ===
'''For a UEFi installation'''
<gallery>
file:Install1.png| With "E" for Edit Selection, the boot entry can be changed
file:Install2.png| Here, the third line must be edited '''"linux /install.amd/vmlinuz vga=788 --- quiet"'''
file:Install3.png| '''"--- quiet"''' must be replaced by '''"intel_iommu=on iommu=pt"'''
</gallery>

'''For a LEGACY installation'''

<gallery>
file:Legacy1.png| In legacy mode, the boot entry can be edited via '''tab-key'''
file:Legacy2-tabdruecken.png|edit '''"linux /install.amd/vmlinuz vga=788 --- quiet"'''
file:Legacy3-dannenter.png| '''"--- quiet"''' must be replaced by '''"intel_iommu=on iommu=pt"'''
</gallery>

'''The Raid is now displayed'''
<gallery>
file:Install4.png| The Raid is now displayed and can be selected for the installation
</gallery>

=== 2) Changes after installation in the GRUB ===
<gallery>
file:Nachinstall1.png| After installation, edit the boot entry via "E"
file:Nachinstall2.png| The third-to-last line '''linux /boot/vmlinuz-5-10.0-17...... ro quiet''' must be edited.
file:Nachinstall3.png|'''"quiet"''' must be replaced by '''"intel_iommu=on iommu=pt"'''
</gallery>

=== 3) Changes in OS ===
<gallery>
file:Grub0.png| Navigate to the '''/etc/default''' directory
file:Grub1.png| Edit '''grub''' with, for example, nano
file:Grub2.png|'''GRUB_CMBLINE_LINUX_DEFAULT="intel_iommu=on iommu=pt"'''
file:Grubupdate2.png|Update GRUB using'''"su -"''' and '''"update-grub"'''
</gallery>

After the parameters have been set and the update-grub command has been performed, they will now be executed every time the system starts up, ensuring that the RAID controller and the RAID array are detected correctly.

== More information ==
* [https://bbs.archlinux.org/viewtopic.php?pid=1738979#p1738979 (SOLVED) "kernel: DMAR: DRHD: handling fault status reg 3"] (bbs.archlinux.org, 29.09.2017)
* [https://forum.proxmox.com/threads/raid-controller-9341-8i.88667/ raid controller 9341-8i] (forum.proxmox.com, 04.05.2021)
* [https://www.linux-kvm.org/page/How_to_assign_devices_with_VT-d_in_KVM How to assign devices with VT-d in KVM] (www.linux-kvm.org 25.6.2016)
* [https://gist.github.com/davesilva/445276f9157e7cb3a4f6ed2fe852b340 Setting up KVM with GPU passthrough in Debian Buster ] (gist.github.com 13.08.2020)

== References ==
# [https://www.intel.com/content/dam/develop/external/us/en/documents/intel-whitepaper-using-iommu-for-dma-protection-in-uefi-820238.pdf A Tour Beyond BIOS: Using IOMMU for DMA Protection in UEFI Firmware ] (www.intel.com)
# [https://www.kernel.org/doc/Documentation/Intel-IOMMU.txt Linux IOMMU Support ] (www.kernel.org/doc)

{{Ldirr}}
{{Aranzinger}}

{{Consultinglink|campaign=Thomas-Krenn Windows Admin Center (WAC) Extension}}
[[Category:Debian]][[Category:LSI]]
[[de:Debian 11 Installation bei Fehlermeldung DMAR DRHD handling fault status reg 3]]

Security advisories on Intel products 2026.2 IPU

2026-05-20T07:39:55Z

Aranzinger:

In '''2026''', Intel published new security advisories as part of the IPU 2026.2 on different Intel products. Some of these security advisories require '''firmware updates'''.

In this article, you will find an excerpt and hints on these security advisories as well as information on where to find updates for Thomas-Krenn products.

== Affected systems ==

* Intel Xeon processors
* Intel Core processors
* Intel Atom processors
* Intel Pentium processors
* Intel Celeron processors

== Security advisories ==
In the following, you will find security advisories on the firmware that has been published by Intel.

{| class="wikitable"
|- style="background-color: #EFEFEF; font-weight: bold;"
! align="center" |Intel security advisory
! align="center" |Title
! align="center" |Affected systems
|-
|align=center | [https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01393.html INTEL-SA-01393]
|align=center | 2026.1 IPU, UEFI Reference Firmware Advisory
| rowspan="35" align="left" | (see Intel-SA)
|-
|align=center | [https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01420.html INTEL-SA-01420]
|align=center | 2026.2 IPU - Intel® Processor Firmware Advisory
|-
|align=center | [https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01413.html INTEL-SA-01413]
|align=center | UEFI Reference Firmware Advisory
|-
|align=center | [https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01425.html INTEL-SA-01425]
|align=center | Intel® Slim Bootloader Advisory
|}

== Updates for Thomas-Krenn products ==
Updates on the corresponding system can be found in the <tklink type="sitex" id="440">download area of Thomas-Krenn</tklink>. The updates in the download area have been tested by us to guarantee the stability and compatibility of our systems.

If you require the latest version for your system and it is not yet available in our download area, you can get it at [https://www.asus.com/de/support/download-center/ Asus] , [https://www.supermicro.com/en/support/resources/downloadcenter/swdownload Supermicro] or [https://www.gigabyte.com/de/Support/Consumer/Download Gigabyte]

== More information ==
* [https://www.intel.com/content/www/us/en/security-center/default.html Security Center] (www.intel.com)
* [https://www.supermicro.com/en/support/security_Intel_IPU2026.2 Intel Platform Update (IPU) Update 2026.2 May 2026] (www.supermicro.com)
* [https://www.supermicro.com/en/support/security_Intel_IPU2026.1_part2 Intel Platform Update (IPU) Update 2026.1 Part 2, May 2026] (www.supermicro.com)
{{Thomas-Krenn.AG}}
{{Aranzinger}}
[[Category:Intel]]
[[de:Sicherheitshinweise zu Intel Produkten 2026.2 IPU]]

AMD Security Vulnerabilities - May 2026

2026-05-20T05:53:03Z

Aranzinger: Created page with "On '''May 12th, 2026''', AMD published the security bulletins '''AMD-SB-3030''' <ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3030.html AMD EPYC and AMD EPYC Embedded Series Processor Vulnerabilities – May 2026] (www.amd.com/en/resources/product-security)</ref>, '''AMD-SB-4017'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4017.html AMD Athlon, AMD Ryzen, and AMD Ryzen Embedded Series Processor Vulnerabilities – Ma..."

On '''May 12th, 2026''', AMD published the security bulletins '''AMD-SB-3030''' <ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3030.html AMD EPYC and AMD EPYC Embedded Series Processor Vulnerabilities – May 2026] (www.amd.com/en/resources/product-security)</ref>, '''AMD-SB-4017'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4017.html AMD Athlon, AMD Ryzen, and AMD Ryzen Embedded Series Processor Vulnerabilities – May 2026] (www.amd.com/en/resources/product-security)</ref> and '''AMD-SB-7052'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html CPU OP Cache Corruption - May 2026] (www.amd.com/en/resources/product-security)</ref> with one security vulnerability each. This article includes tables listing measures to address the security vulnerabilities.

== Affected systems ==

'''AMD Threadripper systems:'''

* systems with AMD Ryzen Threadripper PRO 3000WX processors
* systems with AMD Ryzen Threadripper 7000 / PRO 7000WX processors
* systems with AMD Ryzen Threadripper 9000 / PRO 9000WX processors

'''AMD EPYC systems:'''

* systems with "Zen 4" [[AMD EPYC 4004 Raphael]] processors
* systems with "Zen 2" [[AMD EPYC 7002 Rome]] processors
* systems with "Zen 3" [[AMD EPYC 7003 Milan]] processors
* systems with "Zen 4" [[AMD EPYC 9004 Genoa and Bergamo]] & 8004 Siena processors
* systems with "Zen 5" [[AMD EPYC 9005 Turin]] processors

== Solution ==

Here is a table listing the relevant CVEs and corrective measures for the respective EPYC generation, if available.

'''AMD EPYC 4004 Raphael'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2024-36315 CVE-2024-36315]
| align="center" |5.7 (medium)
| align="center" |ComboAM5PI_1.0.0.a (2024-09-11)
ComboAM5PI_1.1.0.3c (2024-09-11)

ComboAM5PI_1.2.0.3 (2024-09-11)
|-
|}

'''AMD EPYC 7002 Rome'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''Correction'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54518 CVE-2025-54518]
| align="center" |7.3 (high)
| align="center" |OS update
|-
|}

'''AMD EPYC 7003 Milan:'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!TCB‑value for SNP-certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61971 CVE-2025-61971]
| align="center" |5.9 (medium)
| align="center" |MilanPI 1.0.0.J (2025-12-15)
| align="center" |TCB[SNP]>=0x1D
|-
|}

'''AMD EPYC 8004 Siena:'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!Microcode
!TCB‑value for SNP-certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2024-36315 CVE-2024-36315]
| align="center" |5.7 (medium)
| align="center" |GenoaPI 1.0.0.E (2024-12-18)
| align="center" |A2: 0AA00216
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61971 CVE-2025-61971]
| align="center" |5.9 (medium)
| align="center" |Genoa++_1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |TCB[BL]>=0xC
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61972 CVE-2025-61972]
| align="center" |8.5 (high)
| align="center" | Genoa++_1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |TCB[BL]>=0xC
|-
|}

'''AMD EPYC 9004 Genoa:'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!Microcode
!TCB‑value for SNP-certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2024-36315 CVE-2024-36315]
| align="center" |5.7 (medium)
| align="center" |GenoaPI 1.0.0.E (2024-12-18)
| align="center" |A2: 0x0AA00219
B1: 0x0A101154

B2: 0x0A10124F
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61971 CVE-2025-61971]
| align="center" |5.9 (medium)
| align="center" |Genoa++_1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |TCB[BL]>=0xC
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61972 CVE-2025-61972]
| align="center" |8.5 (high)
| align="center" | Genoa++_1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |TCB[BL]>=0xC
|-
|}

'''AMD EPYC 9005 Turin / Turin Dense'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!TCB‑value for SNP-certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61971 CVE-2025-61971]
| align="center" |5.9 (medium)
| align="center" |TurinPI_1.0.0.8 (2025-11-26)
| align="center" |TCB[TEE]>=0x2
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61972 CVE-2025-61972]
| align="center" |8.5 (high)
| align="center" |TurinPI_1.0.0.8 (2025-11-26)
| align="center" |TCB[TEE]>=0x2
|-
|}

'''AMD Ryzen Threadripper PRO 3000WX'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2021-46747 CVE-2021-46747]
| align="center" |7.1 (high)
| align="center" |CastlePeakWSPI-sWRX8 1.0.0.9 (2022-01-20)
ChagallWSPI-sWRX8 1.0.0.2 (2022-01-20)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-48516 CVE-2025-48516]
| align="center" |6.9 (medium)
| align="center" |no specific plans
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2021-26380 CVE-2021-26380]
| align="center" |1.8 (low)
| align="center" |ChagallWSPI-sWRX8 1.0.0.2 (2022-01-20)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54518 CVE-2025-54518]
| align="center" |7.3 (high)
| align="center" |ChagallWSPI-sWRX8-1.0.0.D (11-04-2025)
CastlePeakWSPI-sWRX8 1.0.0.I (10-17-2025)
|-
|}

'''AMD Ryzen Threadripper 7000 / PRO 7000WX'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2026-0438 CVE-2026-0438]
| align="center" |5.4 (medium)
| align="center" |ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21)
StormPeakPI-SP6 1.0.0.1m (2025-12-01)

StormPeakPI-SP6_1.1.0.0k (2025-12-01)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-48516 CVE-2025-48516]
| align="center" |6.9 (medium)
| align="center" |ShimadaPeakPI-SP6 1.0.0.1b (2025-08-04)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2024-36345 CVE-2024-36345]
| align="center" |4.6 (medium)
| align="center" |StormPeakPI-SP6 1.1.0.0k (2025-12-01)
StormPeakPI-SP6 1.0.0.1m (2025-12-01)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2024-36343 CVE-2024-36343]
| align="center" |4.6 (medium)
| align="center" |StormPeakPI-SP6 1.1.0.0k (2025-12-01)
StormPeakPI-SP6 1.0.0.1m (2025-12-01)
|-
|}

'''AMD Ryzen Threadripper 9000 / PRO 9000WX'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2026-0438 CVE-2026-0438]
| align="center" |5.4 (medium)
| align="center" |ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-48516 CVE-2025-48516]
| align="center" |6.9 (medium)
| align="center" |ShimadaPeakPI-SP6 1.0.0.1b (2025-08-04)
|-
|}

Supermicro security bulletins were published for security vulnerabilities. A list with BIOS-versions for the respective mainboards, to close the gaps, is also included. In the following, there is an excerpt from this table, in which all mainboards are listed that are offered by Thomas Krenn: <ref>[https://www.supermicro.com/en/support/security_center#!advisories Supermicro Security Center] (www.supermicro.com)</ref>

{| class="wikitable"
|+
!AMD motherboard
! align="center" |'''BIOS version'''
|-
| align="center" |H12SSW-iN/NT
| align="center" |3.6
|-
| align="center" |H12SSL-i/C/CT/NT
| align="center" |3.6
|-
| align="center" |H12DSi-N6/NT6
| align="center" |3.6
|-
| align="center" |H13SSW
| align="center" |3.8
|-
| align="center" |H13SSL-N/NC
| align="center" |3.8
|}

=== Updates for Thomas-Krenn products ===
Updates on the corresponding system can be found in the <tklink type="sitex" id="440">download area of Thomas-Krenn</tklink>. The versions in the download area have been tested to guarantee the stability and compatibility of our systems.

If you require the latest version for your system and it is not yet available in our download area, you can get it at [https://www.asus.com/de/support/download-center/ Asus] or [https://www.supermicro.com/en/support/resources/downloadcenter/swdownload Supermicro].

== References ==
<references/>

{{Thomas-Krenn.AG}}
{{Aranzinger}}
[[Category:AMD Safety Information]]
[[de:AMD Sicherheitslücken - Mai 2026]]

NIC bonding on Debian

2026-05-15T08:25:59Z

Aranzinger: Created page with "==Different kinds of bonding== * mode=0 (balance-rr) * mode=1 (active-backup) * mode=2 (balance-xor) * mode=3 (broadcast) * mode=4 (802.3ad) (see also Link Aggregation and LACP basics) * mode=5 (balance-tlb) * mode=6 (balance-alb) == Install packages == apt-get install ifenslave-2.6 == Configuration Debian 5.0 Lenny and newer == In this example, we explain a configuration with mode 4 (802.3ad). For the link aggregation, we use: * eth0 and * eth1 <code>/etc..."

==Different kinds of bonding==

* mode=0 (balance-rr)
* mode=1 (active-backup)
* mode=2 (balance-xor)
* mode=3 (broadcast)
* mode=4 (802.3ad) (see also [[Link Aggregation and LACP basics]])
* mode=5 (balance-tlb)
* mode=6 (balance-alb)

== Install packages ==
apt-get install ifenslave-2.6

== Configuration Debian 5.0 Lenny and newer ==
In this example, we explain a configuration with mode 4 (802.3ad).

For the link aggregation, we use:
* eth0 and
* eth1

<code>/etc/network/interfaces</code> contains the following configuration:
<pre>
auto lo bond0

iface bond0 inet static
address 10.10.10.174
netmask 255.255.255.0
network 10.10.10.0
gateway 10.10.10.1
slaves eth0 eth1
bond_mode 802.3ad
</pre>

As remote station, we use the switch of an Intel modular server. Eth0 and eth1 of the server are connected to the LAN-ports 1 and 2 on the modular server switch. Both LAN-ports are configured for the link aggregation. Details on this can be found in the articles [[Link Aggregation for the Modular Server]] and [[Link Aggregation Load Balancing Test Modular Server Switch]].

== Configuration Debian 4.0 Etch ==

=== Adjustment of /etc/network/interfaces ===
iface bond0 inet static
address 192.168.0.9
netmask 255.255.255.0
network 192.168.0.0
gateway 192.168.0.1
up /sbin/ifenslave bond0 eth0 eth1
down /sbin/ifenslave -d bond0 eth0 eth1

=== Editing of /etc/modprobe.d/arch/i386 file ===
Add the following line there:

alias bond0 bonding
options bonding mode=5 miimon=100 downdelay=200 updelay=200

=== Restart networking ===
/etc/init.d/networking restart

=== How does bonding work with mode=5 ===
The incoming traffic is received only from the active slave. Outgoing traffic is distributed across both slaves based on their respective loads.

== Further links ==
* http://wiki.debian.org/Bonding
* [http://www.dodgenet.de/Software/bonding.html Bonding Modi auf www.dodgenet.de]
* [http://www.linuxfoundation.org/en/Net:Bonding Ausführliche Anleitung zum Bonding auf www.linuxfoundation.org]

{{Aranzinger}}
[[Category:Debian]]
[[pl:NIC Bonding w Debianie]]
[[de:NIC Bonding unter Debian]]

Reset IPMI password

2026-05-15T05:42:40Z

Aranzinger: Created page with "This article describes how to reset the '''password''' of an '''IPMI module'''. Please note that on Supermicro systems, the maximum password length is effectively 19 characters when setting a new password (The array length is 20 characters and the string is NULL-terminated, leaving 19 characters available). <ref>[https://www.supermicro.com/support/faqs/faq.cfm?faq=16778 What is the maximum password length for IPMI?] (Supermicro FAQ 16778)</ref> ==Resetting the password..."

This article describes how to reset the '''password''' of an '''IPMI module'''. Please note that on Supermicro systems, the maximum password length is effectively 19 characters when setting a new password (The array length is 20 characters and the string is NULL-terminated, leaving 19 characters available). <ref>[https://www.supermicro.com/support/faqs/faq.cfm?faq=16778 What is the maximum password length for IPMI?] (Supermicro FAQ 16778)</ref>

==Resetting the password using the impicfg tool on Supermicro systems==

The IPMI password can be reset by restoring the IPMI to its factory defaults. Please note that with many IPMI versions, particularly older ones, the network settings are also reset! Therefore, it is recommended to note or save the network settings before the reset. All steps, that are required, can be performed with the command line tool ipmicfg. This tool is available for Windows as well as for Linux operating systems.

In the following, the recommended process is explained:

===Step 1: Reading out the current network configuration===

<pre>
root@(none):~# ipmicfg -m
IP=10.10.10.183 MAC=00:25:90:19:78:5A
root@(none):~# ipmicfg -k
Net Mask=255.255.255.0
root@(none):~# ipmicfg -g
IP=10.10.10.1
</pre>

===Step 2: Reset to factory defaults===

<pre>
root@(none):~# ipmicfg -fd
Reset to the factory default completed!
</pre>

===Step 3: Verify network settings and adjust as needed===

<pre>
root@(none):~# ipmicfg -m
IP=10.10.10.183 MAC=00:25:90:19:78:5A
root@(none):~# ipmicfg -k
Net Mask=255.255.255.0
root@(none):~# ipmicfg -g
IP=10.10.10.1
</pre>

If these network settings are not correct anymore, the settings must be reset to the original values.

<pre>
root@(none):~# ipmicfg -m 10.10.10.183
IP=10.10.10.183
root@(none):~# ipmicfg -k 255.255.255.0
Net Mask=255.255.255.0
root@(none):~# ipmicfg -g 10.10.10.1
Gateway IP=10.10.10.1
</pre>

===Default IPMI password===
'''Hint:''' Since the end of 2019, Supermicro creates an individual password per IPMI interface for X10- and X11-mainboards. Please follow the instructions on the stickers on the mainboards or system.

User: ADMIN

Password: ADMIN

===Download link for ipmicfg===
* [ftp://ftp.supermicro.com/utility/IPMICFG/ ipmicfg für DOS/Linux/Windows]

==Resetting password using ipmitool on a Linux server==

The IPMI password can be changed by using <code>ipmitool user set password <userid></code>. Here is the general syntax for <code>ipmitool user</code>:
<pre>
[root@sr2500 ~]# ipmitool user
User Commands: summary [<channel number>]
list [<channel number>]
set name <user id> <username>
set password <user id> [<password>]
disable <user id>
enable <user id>
priv <user id> <privilege level> [<channel number>]
test <user id> <16|20> [<password]>

[root@sr2500 ~]#
</pre>
In the article [[Configuring IPMI under Linux using ipmitool]], there is an example for the SR2500 server.

==Resetting the whole module using the DOS-tool for Supermicro IPMI modules==

Content of Readme.txt

Please boot from a bootable floppy disk then run A:\>defaultp.exe (bzw. erasedat20.exe)

Attention! IPNMAC must then be executed, as the IPMI module is reset to factory defaults!

=== Download link ===

* [https://www.thomas-krenn.com/redx_tools/mb_download.php/mid.070084079082053073121049051113056061/IPMI_config_tools.zip IPMI_config_tools.zip] (contains IPnMAC)

== References ==
<references />

{{Aranzinger}}
[[Category:IPMI]]
[[pl:Przywrócenie domyślnego hasła w IPMI]]
[[de:IPMI Passwort zurücksetzen]]

Reading the Fortron TwinsPro FSP900 DUAL power supply under Linux

2026-05-11T13:17:06Z

Aranzinger: Created page with "1st image: Fortron TwinsPro FSP 900 DUAL '''Fortron TwinsPro FSP900 Dual power supply''' does not provide a native way to read data from the power supply when used with Linux on a server motherboard. However, the data can still be analyzed using Linux's built-in tools. == Problem == Fortron provides only a Windows port as standard, allowing users to monitor the power supply using..."

[[File:TwinsPro900W.png|alt=Abb. 1: Forton TwinsPro FSP 900 DUAL|thumb|300x300px|1st image: Fortron TwinsPro FSP 900 DUAL ]]
'''Fortron TwinsPro FSP900 Dual power supply''' does not provide a native way to read data from the power supply when used with [[Linux]] on a server motherboard. However, the data can still be analyzed using Linux's built-in tools.

== Problem ==
Fortron provides only a Windows port as standard, allowing users to monitor the power supply using the company's proprietary software, FSP Guardian.

If you want to use the power supply on a server motherboard running a Linux server operating system, the manufacturer does not provide the means to read the data. A PMBus interface is also missing.

The following section will therefore explain how to retrieve the data using existing tools in modern Linux environments:
* Configuration with board resources
* Connecting and testing the power supply unit
* Making available the kernelspace for monitoring functions
* Error checking

== Configuration ==
In the following, we configure the data readout with the help of <code>i2c-tools</code> and <code>lm-sensors</code> from a power supply by connecting it to a '''USB 2.0 header'''.

=== Testing environment ===
For the configuration, a system with Linux operating system is required. We test with an Ubuntu image:<syntaxhighlight lang="bash">

Linux custom-hw-image 5.15.0-97-generic #107-Ubuntu SMP Wed Feb 7 13:26:48 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

</syntaxhighlight>

== Configuration ==

=== Package installation ===

Install <code>i2c-tools</code> and <code>lm-sensors</code>:<syntaxhighlight lang="shell-session">
root@custom-hw-image:~# apt install i2c-tools lm-sensors
</syntaxhighlight>

=== Hardware detection ===
So that the data can be read out, the device must be detected correctly and integrated. Verify first, if the power supply is connected via USB 2.0 header:<syntaxhighlight lang="shell-session">root@custom-hw-image:~# lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 10c4:ea90 Silicon Labs CP2112 HID I2C Bridge
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub</syntaxhighlight>The searched power supply unit '''device 003 on bus 001''' has been detected correctly. Now verify, on which bus the bridge is integrated via I2C:

<syntaxhighlight lang="shell-session">

root@custom-hw-image:~# i2cdetect -l
i2c-0 smbus SMBus I801 adapter at efa0 SMBus adapter
i2c-1 i2c Synopsys DesignWare I2C adapter I2C adapter
i2c-2 i2c Synopsys DesignWare I2C adapter I2C adapter
i2c-3 i2c Synopsys DesignWare I2C adapter I2C adapter
i2c-4 i2c Synopsys DesignWare I2C adapter I2C adapter
i2c-5 i2c Synopsys DesignWare I2C adapter I2C adapter
i2c-6 i2c CP2112 SMBus Bridge on hidraw2 I2C adapter
</syntaxhighlight>

Here, the '''SMBus bridge''' has been found on '''bus i2c-6'''.

=== Reading out bus ===

You can now read out the I2C-bus on this address:<syntaxhighlight lang="shell-session">

root@custom-hw-image:~# i2cdetect -y 6
Warning: Can't use SMBus Quick Write command, will skip some addresses
0 1 2 3 4 5 6 7 8 9 a b c d e f
00:
10:
20:
30: -- -- -- -- -- -- -- --
40:
50: 50 51 -- -- -- -- 56 -- 58 59 -- -- -- -- -- --
60:
70:

</syntaxhighlight>Here, both power supply units are detected on the addresses '''0x58''' and '''0x59'''. To check, if the manufacturer name is correct:<syntaxhighlight lang="shell-session">root@custom-hw-image:~# i2cget -y 6 0x58 0x99 i 8
0x09 0x46 0x53 0x50 0x2d 0x47 0x52 0x4f
root@custom-hw-image:~# printf "\x09\x46\x53\x50\x2d\x47\x52\x4f\n"
FSP-GRO</syntaxhighlight>The voltage can be read out for the verification. <syntaxhighlight lang="shell-session">
root@custom-hw-image:~# i2cget -y 6 0x58 0x8B w
0x1879

</syntaxhighlight>This value must be converted and expressed in volts. The manufacturer uses a '''direct scaling'''. The voltage can be therefore '''calculated linearly''':

<math>(1879)_{16} \widehat{=} (6265)_{10} \widehat{=} \frac{6265}{2^9} = \frac{6265}{512} \approx 12,236 V</math>

== Integration of ports in kernelspace ==
[[File:Fortron_SP900_readout_DUAL_Linux.png|alt=Abb. 2: Detailed evaluation of the power supplies|thumb|365x365px|2nd image: Detailed evaluation of the power supplies]]
With the following commands, you can add both power supply ports to the kernelspace:<syntaxhighlight lang="shell-session">
root@custom-hw-image:~# echo pmbus 0x58 | sudo tee /sys/bus/i2c/devices/i2c-6/new_device
pmbus 0x58
root@custom-hw-image:~# echo pmbus 0x59 | sudo tee /sys/bus/i2c/devices/i2c-6/new_device
pmbus 0x59
</syntaxhighlight>Verify the successful integration:

<syntaxhighlight lang="shell-session">

root@custom-hw-image:~# i2cdetect -y 6
Warning: Can't use SMBus Quick Write command, will skip some addresses
0 1 2 3 4 5 6 7 8 9 a b c d e f
00:
10:
20:
30: -- -- -- -- -- -- -- --
40:
50: 50 51 -- -- -- -- 56 -- UU UU -- -- -- -- -- --
60:
70:

</syntaxhighlight>

The two power supplies cannot be accessed directly via I2C because they are now fully integrated into the kernel-space "UU (Upper Unit)".

Both power supplies can be completely read out with <code>lm-sensors</code> (for the output, take a look at the ''second image''):<syntaxhighlight lang="shell-session">
root@custom-hw-image:~# sensors
</syntaxhighlight>

== Error checking ==

Finally, you can simulate an error scenario.
Here, the IEC power plug from '''power supply 1''' (3rd image):
[[File:Psu failure ps1.png|none|thumb|957x957px|3rd image: Error simulation]]
{{wseifert}}
{{Aranzinger}}
[[de:Fortron TwinsPro FSP900 DUAL Netzteil unter Linux auslesen]]

AIC backplane firmware- and MFG-update via serial console

2026-05-06T09:07:48Z

Aranzinger:

This article describes how to '''update''' the '''AIC backplane firmware''' and '''MFG''' using a '''serial console connection'''.

== Hardware requirements ==
[[file:4HE AIC Gehäuse XE1-4BT00-05 backsideMarked.jpg|alt=Back side of a 4U AIC chassis XE1-4BT00-05|thumb|353x353px|Backside of a 4U AIC chassis XE1-4BT00-05. AUX-ports are highlighted. The upper port is connected to the frontal 24-bay backplane.]]

The following two cables are needed:
<gallery widths="250" heights="250">
file:SerialCableAux.jpeg|alternativtext=Serial cable with 3,5-mm auxiliary connector (male)|1.: Serial cable with 3,5-mm auxiliary connector (male)
file:SerialCableAuxJEXP UART.JPG|2.: AUX to JEXP_UART adapter. This is included in the accessories for a Thomas Krenn server or is already pre-installed in the system.
</gallery>

A secondary system (for example a laptop or neighboring server) is recommended for the flashing procedure.

=== Connection between backplane and secondary system ===
The JEXP_UART-header on the backplane consists of six pins. However, only the upper three pins are needed for flashing.[[file:BackplaneMarkiert.JPG.jpg|alt=4HE AIC Backplane, JEXP_UART header highlighted|thumb|714x714px|Example of a backplane with highlighted JEXP_UART-header |none]]
[[file:JEXP UART Header pluggedIn.jpg|alt=Connected JEXP_UART-Header, top view|thumb|A connected JEXP_UART cable. (top view) Cable colors from left to right: red, black, yellow|none]]

The other end must be connected to the secondary system via serial port.

[[file:SerialCableConnected.jpg|alt=Serial cable connected to the second system|none|thumb|Serial cable connected to the secondary system]]

== Establishing a connection ==
Programs such as '''PuTTY''' or '''ExtraPutty''' are required to establish a connection. Due to its expanded data transfer options, '''ExtraPuTTY''' is highly recommended.

The following parameters need to be set:
{| class="wikitable"
! Parameter
! Value
|-
| Speed (baudrate)
| 38400
|-
| Data Bits
| 8
|-
| Stop Bits
| 1
|-
| Parity
| none
|-
| Flow Control
| none
|}

<gallery widths="250" heights="250">
file:PuttySettings.png|Settings for establishing a connection with the backplane in ExtraPuTTY
file:SessionOffen.png|Live session. After clicking the Enter-key, 'cmd >' should appear.
</gallery>

=== Checking active firmware / MFG ===
The commands '''rev''' and '''showmfg''' can be used to check the installed firmware and MFG versions.

<gallery widths="250" heights="250">
file:Rev.png|'''The rev command''' displays the current firmware version.
file:Showmfg.png|'''The showmfg command''' displays the currently installed MFG version.
</gallery>

== Flashing the backplane ==

=== Precautions ===
To ensure that the backplane is functioning properly and that there are no hardware defects or similar issues, you should run a few commands and check the results before actually flashing the device.<gallery widths="250" heights="250">
file:Sensor.png|The '''sensor''' command can be used to get information about temperature, connected fans or voltage.
file:Phyinfo.png|The '''phyinfo''' displays information about the connected storage devices (none are installed in the screenshot).
file:Counters.png|With the '''counters''' command, different error counter values are displayed. The values nvWrdCnt, DispErrCnt, LossSyncCnt and RstSeqFailCnt need to be 0. If this is not the case, '''counters reset''' can be used to reset all values. Then execute the '''counters''' command again. If the values are not zero, it is likely that there is a defect. <ref name=":0">[https://www.aicipc.com/image/images/psg/EOB%20Backplane%20Check-up%20via%20Serial%20console.pdf EOB Backplane Check-up via Serial console]</ref>
</gallery>

=== Firmware update<ref name=":0" /> ===
<gallery widths="250" heights="250">
file:Fdl 0 0.png|'''The fdl 0 0''' command sets the backplane into update mode. It now expects a firmware file.
file:FileTransfer.png|alternativtext=Xmodem Transfer|The Xmodem protocol is to be used for file transfer. In ExtraPuTTY, this can be done via 'File Transfer → Xmodem → Send'
file:FirmweareFile.png|alternativtext=select firmware file|Afterwards, select the desired firmware file.
file:Datenuebertragung.png|Upload and flash procedure starts automatically.
file:Transferdone.png|Once the process is complete, the message "Upload successful" appears.
</gallery>

=== MFG-update<ref name=":0" /> ===
Updating the MFG works similar to the firmware.

<gallery widths="250" heights="250">
file:Fdl 83 0.png|The update is started with the '''fdl 83 0''' command.
file:Mfg file.png|Select the correct mfg-file.
file:Mfg transfer.png|Data transfer begins.
</gallery>

=== After the updates ===
If no storage devices are connected to any backplane, the update can be completed by executing the '''reset''' command.[[file:Reset.png|alt=Reset command|thumb|'''The reset command''' reboots the backplane.|none]]'''Attention!''' If the '''reset''' command is executed while data storage devices with an active RAID array are connected to the backplane, this may cause the RAID to degrade or fail completely.

[[file:NeueFW.png|alt=new firmware active|thumb|The new firmware and MFG is now active on the backplane. |none]]
== References ==
<references />

{{Swolf}}
[[Category:Server-Hardware]]
[[de:AIC Backplane Firmware- und MFG-Update via serielle Konsole]]

Internet-Speed-Test with LibreSpeed

2026-04-29T09:17:03Z

Aranzinger: Created page with "There are websites for testing the own '''internet speed''' offered by a lot of providers. The most services of this kind collect '''multiple local data''' in such tests, which is why they are '''not without risk from a data protection perspective'''. The open source alternative '''LibreSpeed''' offers a data-efficient alternative. == Data collection of conventional speedtest-alternatives == Traditional providers of internet speed testing services collect a large amoun..."

There are websites for testing the own '''internet speed''' offered by a lot of providers. The most services of this kind collect '''multiple local data''' in such tests, which is why they are '''not without risk from a data protection perspective'''. The open source alternative '''LibreSpeed''' offers a data-efficient alternative.

== Data collection of conventional speedtest-alternatives ==
Traditional providers of internet speed testing services collect a large amount of data from their own networks, own devices and from the applications on it. In connection with the aquisition of Ookla (operator of Speedtest and Downdetector), the international consulting firm, Accenture, announced that '''more than 1,000 attributes''' are queried per test in March 2026.<ref name=accenture>[https://newsroom.accenture.com/news/2026/accenture-to-acquire-ookla-to-strengthen-network-intelligence-and-experience-with-data-and-ai-for-enterprises Accenture to Acquire Ookla to Strengthen Network Intelligence and Experience with Data and AI For Enterprises] (newsroom.accenture.com, 03.03.2026) <cite>As AI scales, the insights captured at the '''network, device, and application layers''' are essential to enhance fraud prevention in banking, smart home analytics in utilities, and traffic optimization in retail. Ookla’s platform, which captures '''more than 1,000 attributes per test''', provides the foundation for these insights.</cite></ref>

<gallery>
File:Accenture-Newsroom-2026-03-03.png|When it acquired Ookla, Accenture announced that more than 1,000 attributes are collected from the user by Speedtest or Downdetecor.
File:Speedtest.png|Always active at speedtest.net: more than 500 partners can, for example, use the cookie information to identify end devices.
</gallery>

== LibreSpeed ==
LibreSpeed works data-efficient. on [https://librespeed.org/ LibreSpeed.org], no data is collected:
<gallery>
File:LibreSpeed-Website.png|Example of a test from a fiber-optic connection in Austria.
File:LibreSpeed-Anbieter.png|Selection of LibreSpeed servers.
</gallery>

Optionally, LibreSpeed servers can, if they are operated by the company itself, store the following data:<ref>[https://github.com/librespeed/speedtest/blob/master/results/stats.php#L103 stats.php Quellcode] (github.com/librespeed/speedtest)</ref>
* Test ID
* Date and time
* IP and ISP Info
* Download speed
* Upload speed
* Ping
* Jitter
* Log
* Extra info

[https://librespeed.org/ LibreSpeed.org] had not enabled this feature as of April 29, 2026, however.

== LibreSpeed App for Android ==
The LibreSpeed app for Android is available in the F-Droid store (Autor Federico Dossenda).<ref>[https://f-droid.org/en/packages/com.dosse.speedtest/ LibreSpeed F-Droid] (f-droid.org/en/packages)</ref> Attention: Only use this app; there are others in the Google Play Store that have intentionally built in numerous trackers.

<gallery>
File:LibreSpeed-App-01-App-Lounge.png|LibreSpeed Privacy Rating in App Lounge by /e/OS.
File:LibreSpeed-App-02-Trackers.png|Tracker-Report (0 Tracker)<ref>[https://reports.exodus-privacy.eu.org/de/reports/com.dosse.speedtest/latest/ Report for LibreSpeed] (reports.exodus-privacy.eu.org)</ref> for LibreSpeed from Exodus-Privacy<ref>[https://exodus-privacy.eu.org/en/page/who/ Exodus Privacy - Who we are] (exodus-privacy.eu.org)</ref> (French non-Profit).
File:LibreSpeed-App-03-Test.png|LibreSpeed App Home.
File:LibreSpeed-App-04-Privacy-Policy.png|LibreSpeed App Privacy Policy.
File:LibreSpeed-App-05-Test-Result.png|LibreSpeed sample result for an LTE connection in Austria.
</gallery>

== Alternatives ==
The Federal Network Agency's broadband measurement is equally data-efficient:
* https://www.breitbandmessung.de/

== More information ==
* [https://www.theregister.com/2026/03/03/accenture_buys_ookla_downdetector_ziff_davis/ Accenture down to buy Downdetector as part of $1.2 billion deal] (theregister.com, 03.03.2026)
* [https://arstechnica.com/information-technology/2026/03/downdetector-speedtest-sold-to-it-service-provider-accenture-in-1-2b-deal/ Downdetector, Speedtest sold to IT service-provider Accenture in $1.2B deal] (arstechnica.com, 03.03.2026)
* [https://www.reddit.com/r/xprivo/comments/1rmalpy/news_librespeed_opensource_alternative_made_in/ (News) Librespeed - Open-Source Alternative Made in Europe: Downdetector and Speedtest sold to Accenture for $1.2 billion] (www.reddit.com, 2026)

== References ==
<references />

{{Wfischer}}
{{Aranzinger}}
[[Category: Data Protection]]
[[de:Internet-Speed-Test mit LibreSpeed]]

TKMI Settings

2026-04-29T07:28:32Z

Aranzinger: Created page with "== Menu == {| class="wikitable" style="width:100%;" | style="width:240px; text-align:center;" | overview | '''Overview''' Overview of the settings available in the TKMI. |} == System and basic configuration == {| class="wikitable" style="width:100%;" | style="width:240px; text-align:center;" | configure date and time | '''Date & Time''' The '''date, time and time synchronizat..."

== Menu ==
{| class="wikitable" style="width:100%;"
| style="width:240px; text-align:center;" | [[file:TKMI-Settings_overview.png|220px|overview]]
| '''Overview''' 
Overview of the settings available in the TKMI.
|}

== System and basic configuration ==

{| class="wikitable" style="width:100%;"
| style="width:240px; text-align:center;" | [[file:TKMI-Settings_date_time.png|220px|configure date and time]]
| '''Date & Time''' 
The '''date, time and time synchronization''' of the BMC is configured including NTP.
|-
| style="text-align:center;" | [[file:TKMI-Settings_network_settings.png|220px|network configuration]]
| '''Network settings''' 
The '''BMC''' '''network settings''' are determined, for example IP-address, gateway, VLAN and DNS.
|-
| style="text-align:center;" | [[file:TKMI-Settings_services.png|220px|service settings]]
| '''Services''' 
'''BMC-services''' such as Web, SSH, KVM or SNMP are activated or deactivated.
|-
| style="text-align:center;" | [[file:TKMI-Settings_ipmi_interfaces.png|220px|IPMI interfaces]]
| '''IPMI interfaces''' 
The '''IPMI-interfaces''' are configured here.
|-
| style="text-align:center;" | [[file:TKMI-Settings_identify_led.png|220px|Identify LED]]
| '''Identify LED''' 
The '''Identify-LED''' of the system can be controlled here.
|-
| style="text-align:center;" | [[file:TKMI-Settings_fan_control.png|220px|fan control]]
| '''Fan control''' 
The '''fan control''' can be configured here.
|}

== User, registration and safety ==

{| class="wikitable" style="width:100%;"
| style="width:240px; text-align:center;" | [[file:TKMI-Settings_user_management.png|220px|Benutzerverwaltung]]
| '''User Management''' User accounts and permissions are managed in '''the User Management.'''
|-
| style="text-align:center;" | [[file:TKMI-Settings_external_user_services.png|220px|Externe Authentifizierung]]
| '''External User Services''' 
This section is used to integrate external '''authentication services''' such as LDAP or Active Directory.
|-
| style="text-align:center;" | [[file:TKMI-Settings_pam_order.png|220px|Authentifizierungsreihenfolge]]
| '''PAM order settings''' 
This is where the '''order of the authentication methods''' is defined.
|-
| style="text-align:center;" | [[file:TKMI-Settings_ssl_settings.png|220px|SSL Zertifikate]]
| '''SSL settings''' 
This section covers '''SSL- and certificate management'''.
|-
| style="text-align:center;" | [[file:TKMI-Settings_system_firewall.png|220px|Firewall Einstellungen]]
| '''System firewall''' 
The access on the BMC can be restricted via '''integrated firewall'''.
|}

== Logging, notification and events ==

{| class="wikitable" style="width:100%;"
| style="width:240px; text-align:center;" | [[file:TKMI-Settings_log_settings.png|220px|Log Einstellungen]]
| '''Log settings''' 
This section is where you configure settings for '''system and audit logs'''.
|-
| style="text-align:center;" | [[file:TKMI-Settings_platform_event_filters.png|220px|Platform Event Filter]]
| '''Platform Event Filter''' 
The '''Platform Event Filter''' enables automated actions in response to hardware events, such as sending SNMP traps.
|-
| style="text-align:center;" | [[file:TKMI-Settings_smtp_settings.png|220px|SMTP Konfiguration]]
| '''SMTP settings'''
 This is where the settings '''for sending emails''' are configured.
|-
| style="text-align:center;" | [[file:TKMI-Settings_bsod.png|220px|Captured BSOD Übersicht]]
| '''Captured BSOD''' 
This section displays any '''blue screen errors''' in a Windows system that have been detected and logged by the BMC.
|}

== Remote-console and media ==

{| class="wikitable" style="width:100%;"
| style="width:240px; text-align:center;" | [[file:TKMI-Settings_kvm_mouse_settings.png|220px|KVM Maus Einstellungen]]
| '''KVM mouse settings''' 
Here, the settings for the '''mouse control''' can be configured in the '''remote KVM console'''.
|-
| style="text-align:center;" | [[file:TKMI-Settings_media_redirection.png|220px|Virtuelle Medien]]
| '''Media redirection settings''' 
This section provides options on '''virtual media redirection''', for example, for mounting ISO files via the KVM console.
|-
| style="text-align:center;" | [[file:TKMI-Settings_video_recording.png|220px|KVM Aufzeichnung]]
| '''Video recording''' 
This section provides functions for '''recording remote KVM sessions'''.
|}

== Storage and administration ==

{| class="wikitable" style="width:100%;"
| style="width:240px; text-align:center;" | [[file:TKMI-Settings_raid_management.png|220px|RAID Verwaltung]]
| '''RAID Management''' 
This is where supported '''RAID-functions''' are administrated.
|}

== More articles ==
* [[TKMI overview]]
* [[How to activate and configure SNMP in TKMI]]

{{Azillner}}
{{Aranzinger}}
[[Category:Thomas-Krenn Management Interface]]
[[de:TKMI Settings]]

TKMI Remote Control

2026-04-29T05:39:13Z

Aranzinger:

The [[TKMI overview|TKMI]] provides '''remote control''' functions for remote operation '''and direct interaction with the system.''' These include, in particular, the remote KVM console as well as additional control and management options.

In the following, the individual sections are explained.

== Overview ==
[[File:TKMI-Remote-Control_overview.png|alt=Remote Control Menu|thumb|220x220px|Remote Control Menu ]]

This section provides '''access to the remote KVM console (H5Viewer)''' as well as '''Serial over LAN (SOL)''' for direct system integration.

== Remote KVM console ==
[[File:TKMI-Remote-Control_console.png|alt=Remote KVM console|thumb|220x220px|Remote KVM console]]

The system can be '''completely controlled remotely''' via H5Viewer including BIOS/UEFI-access and operating system interaction.

'''Functions within the remote console:'''
* '''Video''' – Control '''video output''' functions such as pause, refresh or turning the display on/off
* '''Mouse''' – Configuring '''mouse control''', for example between absolute and relative mode
* '''Options''' – Adjustment of '''display quality, zoom level and colour depth''' of the remote session
* '''Keyboard''' – Selecting the '''keyboard layout''' for the remote session
* '''Send Keys''' – Allows to '''send shortcuts''' such as <code>Ctrl+Alt+Del</code> to the system
* '''Video Record''' – function for recording the '''remote KVM session'''
* '''Power -''' Direct '''control of system''' (Restart, Shutdown, Power Cycle)
* '''Active Users''' – Display of active users currently accessing the remote console

== Serial Over LAN (SOL) ==
[[File:TKMI-Remote-Control-Serialconsole.png|alt=Serial over LAN|thumb|220x220px|Serial over LAN ]]
This allows the access on the '''serial console of the system via network''', particularly for diagnostic and troubleshooting purposes.

{{Azillner}}
{{Aranzinger}}
[[de:TKMI Remote Control]]

How to activate and configure SNMP in TKMI

2026-04-21T05:06:13Z

Aranzinger: Created page with "This article describes how to activate and configure the ''' SNMP-access''' for an user in the TKMI (Thomas-Krenn Management Interface) == Prerequisites == * A compatible TKMI or Thomas-Krenn server * Access to the TKMI/IPMI-websurface * Valid user login data with administrative rights == User administration == So that SNMP can be used, the access must be activated for a user in the TKMI..."

This article describes how to activate and configure the '''[[SNMP_basics | SNMP-access]]''' for an user in the [[TKMI overview | TKMI (Thomas-Krenn Management Interface)]]

== Prerequisites ==
* A compatible TKMI or Thomas-Krenn server
* Access to the TKMI/IPMI-websurface
* Valid user login data with administrative rights

== User administration ==

So that [[SNMP_Grundlagen | SNMP]] can be used, the access must be activated for a user in the [[Übersicht_TKMI | TKMI]].

<gallery mode="nolines" widths="300" heights="300">
TKMI-SNMP-User_Login.png|Log in to the TKMI web interface with a valid username (for example ''admin'').
TKMI-SNMP-Dashboard.png|After logging in, go to '''Settings''' in the left-hand menu.
TKMI-SNMP-Settings.png|In the '''Settings''' section, open the '''User Management''' option.
TKMI-SNMP-User_Management.png|Select the user for whom you want to enable SNMP.
TKMI-SNMP-User_Logged_In_Password.png|Enter your current password in the '''Logged-In Password''' field to confirm.
TKMI-SNMP-User_SNMP_Activate.png|In the lower section, enable '''SNMP Access''' and configure the desired SNMP parameters.
</gallery>

After the configuration, the changes must be saved with '''Save'''.

== MIB browser ==

For the verification of the SNMP-availability and to read out values, a MIB browser can be used.

In this example, the iReasoning MIB browser is used.

<gallery mode="nolines" widths="100" heights="100">
Download.png| iReasoning MIB browser [https://www.ireasoning.com/mibbrowser.shtml download]
</gallery>

== Establish connection to TKMI ==

After activation of the SNMP in TKMI, the connection can be tested as follows:

<gallery mode="nolines" widths="300" heights="300">
TKMI-SNMP_MIB_Browser.png|Enter the TKMI's IP address in the '''Address''' field. Click '''Advanced...''' to access the advanced SNMP settings.
TKMI-SNMP-MIB_Browser_Settings.png|In the advanced settings, select '''SNMP Version 3''' and enter the login access data.
TKMI-SNMP-MIB_Browser_Test.png|Once configured, you can run a query by clicking '''Go'''. Successful results are displayed in the '''Result Table'''.
</gallery>

== Important settings (SNMPv3) ==

For a successful connection, the following parameters must comply with the set values in TKMI:

* '''Address:''' IP-address of TKMI
* '''Port:''' 161
* '''SNMP Version:''' 3
* '''User:''' Corresponds to the user configured in the TKMI
* '''Security Level:''' authPriv
* '''Auth Algorithm:''' for example SHA256
* '''Auth Password:''' set authentication password
* '''Privacy Algorithm:''' for example DES
* '''Privacy Password:''' set encryption password

'''Hint:'''
If there are discrepancies in the username, password, or algorithms, no SNMP responses will be returned.

== Test query ==

For a simple function test, the following OID can be used:

* '''1.3.6.1.2.1.1.1.0''' (sysDescr)

If the connection is successful, a system description of the TKMI is displayed in the '''Result Table'''.

== Troubleshooting ==

If the SNMP-access does not function:

* '''SNMP Access not activated'''
* '''Wrong access data / community'''
* '''Firewall blocks SNMP (Port 161/UDP)'''
* '''Incorrect OID specified'''
* '''SNMP-version does not comply'''

{{Azillner}}
{{Aranzinger}}
[[Category:IPMI]]
[[de:SNMP im TKMI aktivieren und konfigurieren]]

AMD Security Vulnerabilities - April 2026

2026-04-20T09:14:47Z

Aranzinger: Created page with "On '''April 14th''', '''2026''', AMD published '''AMD-SB-7054''' Security Bulletins <ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7054.html Incorrect use of LocateProtocol Service of the EFI_BOOT_Services table in SMI Handler – April 2026] (www.amd.com/en/resources/product-security)</ref>, '''AMD-SB-3034'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3034.html SEV-SNP Routing Misconfiguration – April 2026] (www.amd..."

On '''April 14th''', '''2026''', AMD published '''AMD-SB-7054''' Security Bulletins <ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7054.html Incorrect use of LocateProtocol Service of the EFI_BOOT_Services table in SMI Handler – April 2026] (www.amd.com/en/resources/product-security)</ref>, '''AMD-SB-3034'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3034.html SEV-SNP Routing Misconfiguration – April 2026] (www.amd.com/en/resources/product-security)</ref> and '''AMD-SB-3016'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3016.html IOMMU Write Buffer Vulnerability – April 2026] (www.amd.com/en/resources/product-security)</ref> containing a security vulnerability each. This article contains tables listing measures to address the security vulnerabilities.

== Affected systems ==

'''AMD Threadripper systems:'''

* systems with AMD Ryzen Threadripper PRO 3000WX processors
* systems with AMD Ryzen Threadripper PRO 5000WX processors
* systems with AMD Ryzen Threadripper 7000 / PRO 7000WX processors
* systems with AMD Ryzen Threadripper 9000 / PRO 9000WX processors

'''AMD EPYC systems:'''

* systems with "Zen 4" [[AMD EPYC 4004 Raphael]] processors
* systems with "Zen 2" [[AMD EPYC 7002 Rome]] processors
* systems with "Zen 3" [[AMD EPYC 7003 Milan]] processors
* systems with "Zen 4" [[AMD EPYC 9004 Genoa und Bergamo]] & 8004 Siena processors
* systems with "Zen 5" [[AMD EPYC 9005 Turin]] processors

== Solution for the problem ==

Here is a table listing the relevant CVEs and corrective measures for each EPYC generation, where available.

'''AMD EPYC 4004 Raphael'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502]
| align="center" |7.1 (high)
| align="center" |ComboAM5PI 1.0.0.d (2025-11-12)
|-
|}

'''AMD EPYC 7002 Rome'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502]
| align="center" |7.1 (high)
| align="center" |RomePI 1.0.0.P (2025-11-04)
|-
|}

'''AMD EPYC 7003 Milan:'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!SEV FW
!TCB‑Wert for SEV‑certification
!TCB‑Wert for SNP‑certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502]
| align="center" |7.1 (high)
| align="center" |MilanPI 1.0.0.J (2025-12-15)
| align="center" |N/A
| align="center" |N/A
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54510 CVE-2025-54510]
| align="center" |5.9 (medium)
| align="center" |MilanPI 1.0.0.J (2025-12-15)
| align="center" |N/A
| align="center" |TCB[SNP]>=0x1D
mitigation bit = 4
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2023-20585 CVE-2023-20585]
| align="center" |5.6 (medium)
| align="center" | MilanPI 1.0.0.H (2025-09-04) + OS update
| align="center" | SEV FW 1.37.23 + OS update
| align="center" |N/A
| align="center" |TCB[SNP]>=0x1B
|-
|}

'''AMD EPYC 8004 Siena:'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!SEV FW
!TCB‑Wert for SEV‑certification
!TCB‑Wert for SNP‑certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502]
| align="center" |7.1 (high)
| align="center" |GenoaPI 1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |N/A
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54510 CVE-2025-54510]
| align="center" |5.9 (medium)
| align="center" |GenoaPI 1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |TCB[SNP]>=0x1C
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2023-20585 CVE-2023-20585]
| align="center" |5.6 (Mittel)
| align="center" | GenoaPI_1.0.0.G (2025-06-27) + OS update
| align="center" | SEV FW 1.37.31 + OS update
| align="center" |N/A
| align="center" |TCB[SNP]>=0x1B
|-
|}

'''AMD EPYC 9004 Genoa:'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!SEV FW
!TCB‑Wert für die SEV‑certification
!TCB‑Wert für die SNP‑certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502]
| align="center" |7.1 (high)
| align="center" |GenoaPI 1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |N/A
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54510 CVE-2025-54510]
| align="center" |5.9 (medium)
| align="center" |GenoaPI 1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |TCB[SNP]>=0x1C
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2023-20585 CVE-2023-20585]
| align="center" |5.6 (medium)
| align="center" | GenoaPI_1.0.0.G (2025-06-27) + OS update
| align="center" | SEV FW 1.37.31 + OS update
| align="center" |N/A
| align="center" |TCB[SNP]>=0x1B
|-
|}

'''AMD EPYC 9005 Turin / Turin Dense'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!SEV FW
!TCB‑Wert für die SEV‑certification
!TCB‑Wert für die SNP‑certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502]
| align="center" |7.1 (high)
| align="center" |TurinPI 1.0.0.9 (2025-12-31)
| align="center" |N/A
| align="center" |N/A
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54510 CVE-2025-54510]
| align="center" |5.9 (medium)
| align="center" |TurinPI 1.0.0.8 (2025-11-26)
| align="center" |N/A
| align="center" |TCB[SNP]>=0x5
| align="center" |N/A
|-
|}

'''Table from [https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502] affected Threadripper processors:'''

{| class="wikitable"
|+
!CPU
! align="center" |'''AGESA version'''
|-
| align="center" |AMD Ryzen Threadripper PRO 3000WX
| align="center" |ChagallWSPI-sWRX8 1.0.0.D (2025-11-04)
CastlePeakWSPI-sWRX8 1.0.0.I (2025-10-17)
|-
| align="center" |AMD Ryzen Threadripper PRO 5000WX
| align="center" |ChagallWSPI-sWRX8 1.0.0.D (2025-11-04)
|-
| align="center" |AMD Ryzen Threadripper 7000
| align="center" |ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21)
|-
| align="center" |AMD Ryzen Threadripper PRO 7000WX
| align="center" |ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21)
StormPeakPI-SP6 1.0.0.1m (2025-12-01)

StormPeakPI-SP6_1.1.0.0k (2025-12-01)
|-
| align="center" |AMD Ryzen Threadripper 9000
| align="center" |ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21)
|-
| align="center" |AMD Ryzen Threadripper PRO 9000WX
| align="center" |ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21)
|-
|}

Supermicro Security Bulletins were published on security vulnerabilities. A list with BIOS-versions of the respective mainboards, to close the gaps, is also included. Below is an extract from this table, which lists all the motherboards available from Thomas-Krenn: <ref>[https://www.supermicro.com/en/support/security_center#!advisories Supermicro Security Center] (www.supermicro.com)</ref>

{| class="wikitable"
|+
!AMD motherboard
! align="center" |'''BIOS version'''
|-
| align="center" |H12SSW-iN/NT
| align="center" |3.6
|-
| align="center" |H12SSL-i/C/CT/NT
| align="center" |3.6
|-
| align="center" |H12DSi-N6/NT6
| align="center" |3.6
|-
| align="center" |H13SSW
| align="center" |3.9
|-
| align="center" |H13SSL-N/NC
| align="center" |3.9
|}

=== Updates on Thomas-Krenn products ===
Updates on the respective system can be found in the <tklink type="sitex" id="440"> Thomas-Krenn download area</tklink>.
The versions in the download area have been tested by us to guarantee the stability and compatibility of our systems.

If you require the latest version for your system and it is not yet available in our download area, you can get it at [https://www.asus.com/de/support/download-center/ Asus] or [https://www.supermicro.com/en/support/resources/downloadcenter/swdownload Supermicro].

== References ==
<references/>

{{Thomas-Krenn.AG}}
{{Aranzinger}}
[[Category:AMD Safety Information]]
[[de:AMD Sicherheitslücken - April 2026]]

Windows Secure Boot certificate expiry

2026-04-17T08:13:04Z

Aranzinger: /* Which certificates are affected? */

In this article, we explain how to read out the secure boot certificate.

The previous certificates have been issued in 2011 which expire this year.

== Which certificates are affected? ==
Definitions:

* '''KEK:''' Key Enrollment Key
* '''CA:''' Certificate Authority
* '''DB:''' Secure Boot Signature Database
* '''DBX:''' Secure Boot Revoked Signature Database

{| class="wikitable"
|+Summary table
!Expiring certificates
!Expiry date
!New certificate
!Location
!Purpose
|-
|'''Microsoft Corporation KEK CA 2011'''
|June 2026
|Microsoft Corporation KEK 2K CA 2023
|Stored in KEK
|Signes updates for DB and DBX.
|-
|'''Microsoft Windows Production PCA 2011'''
|October 2026
|Windows UEFI CA 2023
|Stored in data base
|Used for signing of the Windows boot loader.
|-
|'''Microsoft UEFI CA 2011''*'''''
|June 2026
|Microsoft UEFI CA 2023
|Stored in data base
|Signs boot loaders from third-party providers and EFI applications.
|-
|'''Microsoft UEFI CA 2011''*'''''
|June 2026
|Microsoft Option ROM UEFI CA 2023
|Stored in data base
|Signs third-party Option ROMs
|}
<nowiki>*</nowiki>During the renewal of the Microsoft Corporation UEFI CA 2011 certificate, two certificates separate the bootloader signature from the Option ROM signature.

This enables precise control over the system trust. Systems, that trust Option-ROMs, can, for example, add the Microsoft option ROM UEFI CA 2023 without granting a trusted status to third-party bootloaders.

== What happens if my certificate expires? ==

Windows starts and functions as usual. Updates can still be downloaded and installed.

However, updates cannot be installed for the early boot process. This concerns the Windows Boot Manager, Secure Boot data base and Revocation lists or fixes for new discovered boot level vulnerabilities.

These effects reduce the protection of the devices against impending dangers, which rely on Secure Boot, such as BitLocker Hardening or third-party bootloaders.

== How do I verify my certificates ==

The validity of the installed certificates can be checked using the Windows Security app.

'''Windows-Security> Equipment Safety > Safe Start'''

There are three possible scenarios.

=== Scenario 1: Everything is completely updated (green tick) ===
All certificate updates were applied.

=== Scenario 2: No update has been installed yet (yellow warning symbol) ===
Automatic updates are not available. The hardware manufacturer must be contacted.

=== Scenario 3: Action is required (Red X) ===
The device cannot receive required updates.

If a Windows Update is missing, this menu option may not display any information about the certificates.

In this case, the certificate can be read out manually with a workaround.

With the following powershell command, the certificates can be stored as .bin in any location.<syntaxhighlight lang="powershell">
$var = Get-SecureBootUEFI -Name db; [System.IO.File]::WriteAllBytes("C:\Users\Administrator\Documents\db.bin", $var.Bytes)
</syntaxhighlight>This path can be customized as required.

After this, the db.bin file must be divided on a Linux system (for example WSL) with the efitools.<syntaxhighlight lang="bash">
sudo apt update && apt install efitools
sudo sig-list-to-certs db.bin cert
</syntaxhighlight>

Now, 5 certificates have been created in the current directory: cert-0.der cert-1.der cert-2.der cert-3.der cert-4.der

The content of these certificates can be read out with Openssl.<syntaxhighlight lang="bash">
openssl x509 -in cert-0.der -inform DER -text -noout
</syntaxhighlight>
The file name "cert-0.der" must be adapted to the respective certificate.

The line Validity is important. If this line displays the following value, the certificate expires in June 2026:

Validity

Not Before: Jun 27 21:22:45 2011 GMT

Not After : Jun 27 21:32:45 2026 GMT

==How do I update my certificates? ==

There are multiple ways to update the certificate. The simplest and best method is to update the BIOS, as the hardware manufacturer has already incorporated the new certificates.

== References ==

* [https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e Windows Secure Boot certificate expiration and CA updates] (support.microsoft.com)
* [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11#14-signature-databases-db-and-dbx Windows Secure Boot Key Creation and Management Guidance] (learn.microsoft.com)
* [https://support.microsoft.com/en-us/topic/it-admin-guide-secure-boot-certificate-update-status-in-the-windows-security-app-fb8e2121-4402-433b-af8b-623760951fdb IT admin guide: Secure Boot certificate update status in the Windows Security app] (support.microsoft.com)

{{Bstockinger}}
{{Aranzinger}}
[[Category:Windows]]
[[de:Windows Secure Boot Zertifikat Ende der Gültigkeit]]

Activation of Q-Feeds webinterface and licenses

2026-04-16T08:54:06Z

Aranzinger: Created page with "Q-Feeds, the cybersecurity plugin, provides a Cloud platform with a variety of information. With this, licenses can be added to the own account and tokens can be created for devices such as OPNsense-firewalls. This article shows how to '''add a license''' and '''create a token for your firewall''' in the '''Q-Feeds Threat Intelligence Platform v2.3'''. {{#widget:Imagebox-left|link={{#tklink:type=sitex|id=21563|linkonly=1}}|image=/de/wikiDE/images/8/84/Q-Feeds-Sh..."

[[Q-Feeds]], the cybersecurity plugin, provides a Cloud platform with a variety of information. With this, licenses can be added to the own account and tokens can be created for devices such as [[OPNsense]]-firewalls. This article shows how to '''add a license''' and '''create a token for your firewall''' in the '''Q-Feeds Threat Intelligence Platform v2.3'''.

{{#widget:Imagebox-left|link={{#tklink:type=sitex|id=21563|linkonly=1}}|image=/de/wikiDE/images/8/84/Q-Feeds-Shopbanner.png|text=Click here for our Q-Feeds licenses in the Thomas-Krenn online shop|campaign=Activate Q-Feeds webinterface and license}}
{{#widget:SitexBox|link={{#tklink:type=sitex|id=21563|linkonly=1}}|text=Click here for our Q-Feeds licenses in the Thomas-Krenn online shop|campaign=Activate Q-Feeds webinterface and license}}

== Cloud platform login ==
Log in to tip.qfeeds.com, or create a new account.

:[[File:Q-Feeds-Webinterface-001.png|300px]]

== Q-Feeds dashboard ==
Now, the dashboard is displayed after the login.

:[[File:Q-Feeds-Webinterface-002.png|300px]]

== Add and administrate license ==
This paragraph shows how to activate a license and add it to your account.

<gallery>
File:Q-Feeds-Webinterface-003.png|Click on your ''account name'' in the top right-hand corner, then select ''Licenses''.
File:Q-Feeds-Webinterface-004.png|Then click on the ''Activate License'' button in the top-right corner. A menu will then appear; enter the licence key and click on ''Activate License''.
File:Q-Feeds-Webinterface-005.png|The license has been added and is now active.
</gallery>

== Create API key for terminal devices such as OPNsense firewalls ==
This paragraph shows how to create API keys for your OPNsense firewalls. Such a key is required for the Q-Feeds plugin on the OPNsense firewall.

<gallery>
File:Q-Feeds-Webinterface-006.png|In the dashboard, click on ''Account Settings'' in the bottom-left corner, then click on the ''API KEYS'' tab. You can now add a key using the ''Add API Key'' button. Enter a description and select a valid licence in the ''Assign License'' field. Click on ''Save Key''.
File:Q-Feeds-Webinterface-007.png|The API token appears. Copy it and paste it into the OPNsense firewall using the Q-Feeds plugin.
</gallery>

{{Tniedermeier}}
{{Aranzinger}}
[[Category:Q-Feeds]]
[[de:Q-Feeds Webinterface und Lizenz aktivieren]]

Q-Feeds Connect Installation under OPNsense 26.1

2026-04-09T08:35:20Z

Aranzinger: Created page with "The Open Source Firewall OPNsense can be enhanced by integrating Q-Feeds firewall blocklists and DNS filter rules with the latest threat intelligence. This article shows how to install '''Q-Feeds Connect plugin and how to create firewall rules''' and '''Unbound DNS filter rules''' under '''OPNsense 26.1'''. {{#widget:Imagebox-left|link={{#tklink:type=sitex|id=21563|linkonly=1}}|image=/de/wikiDE/images/8/84/Q-Feeds-Shopbanner.png|text=Click here for our Q-Feeds Conne..."

The Open Source Firewall [[OPNsense]] can be enhanced by integrating Q-Feeds firewall blocklists and DNS filter rules with the latest threat intelligence. This article shows how to install '''Q-Feeds Connect plugin and how to create firewall rules''' and '''Unbound DNS filter rules''' under '''OPNsense 26.1'''.

{{#widget:Imagebox-left|link={{#tklink:type=sitex|id=21563|linkonly=1}}|image=/de/wikiDE/images/8/84/Q-Feeds-Shopbanner.png|text=Click here for our Q-Feeds Connect licenses in the Thomas-Krenn online shop|campaign=Q-Feeds Connect installation under OPNsense 26.1 }}
{{#widget:SitexBox|link={{#tklink:type=sitex|id=21563|linkonly=1}}|text=Click here for our Q-Feeds Connect licenses in the Thomas-Krenn online shop|campaign=Q-Feeds Connect Einrichtung unter OPNsense 26.1}}

== Q-Feeds Connect plugin ==
The Q-Feeds Connect plugin can be installed as Plugin at OPNsense.

=== Installation of plugin ===
<gallery>
File:OPNsense-Q-Feeds-001.png|Go to ''System → Firmware → Plugins''.
File:OPNsense-Q-Feeds-002.png|The "os-q-feeds-connector" plugin is maintained in the OPNsense repository and can be installed directly. To install it, click on the '''+'''.
File:OPNsense-Q-Feeds-003.png|Q-Feeds Connect has been installed.
File:OPNsense-Q-Feeds-004.png|Click on the button to reload the browser.
</gallery>

=== Configuration of plugin ===
The plugin has been installed and the configuration can now be made.
<gallery>
File:OPNsense-Q-Feeds-005.png|Click on the new menu option ''Security''.
File:OPNsense-Q-Feeds-006.png|After this, go to ''Q-Feeds Connect''.
File:OPNsense-Q-Feeds-007.png|The settings are configured in the Settings tab.
File:OPNsense-Q-Feeds-008.png|State you API-key. Set the box next to '''Register domain feeds''', to activate the Unbound DNS blocklists from Q-Feeds. After this, click on ''Apply''.
File:OPNsense-Q-Feeds-009.png|In the '''Feeds''' tab, the loaded IP-addresses and domain names are listed.
File:OPNsense-Q-Feeds-010.png|Events tab.
</gallery>

=== Firewall Maximum Table Entries adjustments ===
The maximum number of Firewall Maximum Table Entries can be adjusted optionally.

<gallery>
File:OPNsense-Q-Feeds-011.png|Switch to the menu ''Firewall → Settings → Advanced'' and scroll to '''Firewall Maximum Table Entries'''. Adjust the default value if necessary.
File:OPNsense-Q-Feeds-012.png|The current number of entries can be considered in the menu ''Firewall → Aliases''.
File:OPNsense-Q-Feeds-013.png|A Q-Feeds Alias has been created.
</gallery>

== Q-Feeds firewall rule configuration ==
After installation and configuration of the plugin, the firewall rules can be set. In this example, the Q-Feeds blocklist is activated on the LAN and WAN interface.

=== Block rule for outbound traffic on the LAN interface ===
For a LAN interface, a suitable rule would be one that blocks all incoming LAN traffic destined for addresses included in the block list.

<gallery>
File:OPNsense-Q-Feeds-029.png|Go to the menu Firewall → Rules [new] and click on the '''+'''.
File:OPNsense-Q-Feeds-030.png|State a description and assign the '''LAN''' interface to the rule.
File:OPNsense-Q-Feeds-031.png|Select ''Block on Action.''
File:OPNsense-Q-Feeds-032.png|Destination is the Alias '''__qfeeds_malware_ip'''.
File:OPNsense-Q-Feeds-033.png|Click on ''Save''.
File:OPNsense-Q-Feeds-034.png|Activate the checkbox before the new rule and click on the arrow at Allow from LAN rule. Therefore, the block rule is processed before the allow rule.
File:OPNsense-Q-Feeds-035.png|Click on '''Apply'''.
</gallery>

=== Block rule for incoming traffic on the WAN interface ===
For a WAN interface, a suitable rule would be one that blocks all incoming WAN traffic from source IP addresses included in the Q-Feeds blocklist.

<gallery>
File:OPNsense-Q-Feeds-036.png|Go to the menu Firewall → Rules [new] and click on the '''+'''.
File:OPNsense-Q-Feeds-037.png|State a description and assign the '''WAN''' interface to the rule.
File:OPNsense-Q-Feeds-038.png|On Action, select ''Block''.
File:OPNsense-Q-Feeds-039.png|Alias is the source '''__qfeeds_malware_ip'''.
File:OPNsense-Q-Feeds-040.png|Click on ''Save''.
File:OPNsense-Q-Feeds-041.png|Tick the box next to the new rule and click the arrow next to the Allow from WAN net rule. Therefore, the block rule is processed before the allow rule.
File:OPNsense-Q-Feeds-042.png|Click on '''Apply'''.
</gallery>

== More settings on Unbound DNS ==
With Q-Feeds Plus (only OSINT) and Premium (OSINT and Paid), DNS requests can be filtered with the Unbound DNS. The DNS filter rule are activated automatically.
<gallery>
File:OPNsense-Q-Feeds-027.png|You can activate the Unbound DNS reporting. Click on ''Reporting → Settings'' and allow the local collection of statistics on Unbound. Click on ''Save''.
File:OPNsense-Q-Feeds-028.png|The size of the blocklist is now displayed.
</gallery>

{{Tniedermeier}}
{{Aranzinger}}
[[Category:Q-Feeds]]
[[de:Q-Feeds Connect Einrichtung unter OPNsense 26.1]]

Q-Feeds Versions: Feature Comparison

2026-04-08T08:12:15Z

Aranzinger: Created page with "Next-Generation-Firewalls (NGFWs) are important tools to protect networks. You can filter DNS and web traffic using external dynamic lists of threat indicators, known as Indicators of Compromise (IoCs). Q-Feeds provides dynamic and updated lists of these IoCs that were specifically designed for use with security controls such as NGFWs. By adding Q-Feeds as a plugin to OPNsense firewalls, you can enhance protection against new and emerging threats. This means that OPN..."

Next-Generation-Firewalls (NGFWs) are important tools to protect networks. You can filter DNS and web traffic using external dynamic lists of threat indicators, known as Indicators of Compromise (IoCs). Q-Feeds provides dynamic and updated lists of these IoCs that were specifically designed for use with security controls such as NGFWs. By adding Q-Feeds as a plugin to [[OPNsense]] firewalls, you can enhance protection against new and emerging threats. This means that OPNsense can stay up to date with the latest threat intelligence to filter out malicious traffic. This article shows '''different Q-Feeds licenses''' with its features '''presented in a table for comparison'''.

{{#widget:Imagebox-left|link={{#tklink:type=sitex|id=21563|linkonly=1}}|image=/de/wikiDE/images/8/84/Q-Feeds-Shopbanner.png|text=Click here to view Q-Feeds Connect licenses in the Thomas-Krenn online shop|campaign=Q-Feeds Versions: Feature Comparison}}
{{#widget:SitexBox|link={{#tklink:type=sitex|id=21563|linkonly=1}}|text=Click here to view Q-Feeds Connect licenses in the Thomas-Krenn online shop|campaign=Q-Feeds Versions: Feature Comparison}}

== Q-Feeds versions ==
This table shows three Q-Feeds licenses with its features and differences.

{| class="wikitable"
|+Q-Feeds Versionen Eigenschaften und Unterschiede
!
!Feature
!Community Edition
!Plus
!Premium
|-
| rowspan="8" |Services
|Active Support
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|Easy Integration
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|Curated data
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|Update frequency
|delayed by 7 days
|delayed by 4 hours
|every 20 minutes
|-
|IoC (indicators of compromise) lookup
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|[https://qfeeds.com/external-attack-surface-management-easm/?srsltid=AfmBOooV-Qo_q4fAO0jWsdbrFjMqRpUGMmKDZnZBOSFYMCfDXFBnFI5U EASM (External Attack Service Management)]
!style="background-color:#FFCCCC;" align="center"|-
|1 scan per week
|1 scan per day
|-
|[https://qfeeds.com/darkweb-monitoring/?srsltid=AfmBOoo6ZXk6TLFtXnFutk_4XD-mwwPRO-pHzSWMI2N9L7yr8Fqd66dz Dark web monitoring]
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|[https://qfeeds.com/brand-protection-phishing-detection/?srsltid=AfmBOoqTwqgD2DpEVUpBH_8nQ6JstPjBqgQjxcaOqeHBh0uPE07wC1Ed Brand Protection]
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#CCFFCC;" align="center"|✔
|-
| rowspan="2" |OSINT (Open-Source Intelligence)
|IP
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|DNS
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
| rowspan="2" |Paid
|IP
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|DNS
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#CCFFCC;" align="center"|✔
|}

{{Tniedermeier}}
{{Aranzinger}}
[[Category:Q-Feeds]]
[[de:Q-Feeds Versionen Featurevergleich]]

Cloud Computing Concepts

2026-04-02T08:24:19Z

Aranzinger: Created page with "The term '''Cloud'''—actually cloud computing—is a term for various concepts related to the delivery of IT services. These can be broadly divided into three categories and classified using the cloud computing stack. This article provides an overview of these concepts. == Cloud Computing Stack == file:Cloud Computing Stack.jpg|250px|thumb|right|Cloud Computing Stack.<ref>[http://oracle-help.com/oracle-cloud/..."

The term '''Cloud'''—actually [[:Category:Cloud Computing|cloud computing]]—is a term for various concepts related to the delivery of IT services. These can be broadly divided into three categories and classified using the [[#Cloud Computing Stack|cloud computing stack]]. This article provides an overview of these concepts.

== Cloud Computing Stack ==
[[file:Cloud Computing Stack.jpg|250px|thumb|right|Cloud Computing Stack.<ref>[http://oracle-help.com/oracle-cloud/cloud-computing-stack-saas-paas-iaas/ WHAT IS CLOUD COMPUTING STACK (SAAS, PAAS, IAAS)] (oracle-help.com)</ref>]]
This section describes the various cloud concepts using the cloud computing stack. The cloud computing stack illustrates these concepts through the components of externally managed services that are hosted services.

=== Infrastructure as a Service (IaaS) ===
In this concept, the server infrastructure is managed by the cloud service provider (CSP). All components (CPU, [[RAM Basics|RAM]], storage, network) are already virtualized and can be freely allocated by the user. The user has full control over resource usage, meaning that CPU cores, RAM, and storage can be adjusted at any time as needed. Since the infrastructure is a virtualized environment and is typically designed to be redundant, it is impossible to determine on which hardware within a data center the infrastructure is currently running (exceptions are [[Virtual Location|Virtual Locations]]—not to be confused with [[Virtual Private Cloud|VPCs]]).

The user is solely responsible for the maintenance and support of all software, including the operating system (this also includes proper licensing).

Many service providers operate multiple data centers, giving users the ability to choose the geographic location of their data.

==== Benefits ====
Since IaaS allows for the rapid migration of virtual machines and applications without refactoring<ref>[https://de.wikipedia.org/wiki/Refactoring Refactoring] (de.wikipedia.org) </ref> (see also [[Lift and Shift Migration|Lift & Shift]]), it is a particularly good option for time-critical IT migrations to the cloud (for example, when discontinuing colocation in a data center). Using an IaaS platform can also be worthwhile for purpose-specific applications that do not require 24-hour operation.

=== Platform as a Service (PaaS) ===
In addition to the infrastructure, this cloud concept also provides the operating system and runtime environment. As a user, you are only responsible for managing the data within the applications. Specifically, this means that a database pre-installed by the service provider (MySQL, Oracle, Postgres, etc.) is used to develop and deploy your own applications. One advantage for developers is that performance can be scaled dynamically.

Unlike IaaS, there is no longer a need to create a virtual environment.

==== Benefits ====

This approach is particularly beneficial for web developers—such as those in the e-commerce sector or other service providers—as it allows them to focus on application development.

=== Software as a Service (SaaS) ===
SaaS is arguably the best-known model for online services. This is because it has also found its way into the consumer market and is used on a regular basis.

With SaaS, the entire stack—from the hardware to the finished application—is provided as a ready-made solution.

==== Benefits ====
SaaS offerings are a resource-efficient alternative, as they eliminate the need for personnel and time to manage hardware and software.

== More information ==
* [https://www.isbn-suchen.de/search.php?q=978-3-446-46184-0 IT-Management Guide: Concepts, Methods, Solutions and Resources for practical use] (ISBN 978-3-446-46184-0, 7. revised edition (9. März 2020)), Chapter 7: Cloud Computing
* [https://www.linkedin.com/pulse/20140730172610-9679881-pizza-as-a-service/ Pizza as a Service] (linkedin.com/pulse, Albert Barron, 30.07.2014)

== References ==
<references />

{{Sbohn}}
{{Aranzinger}}
[[Category:Cloud Computing]]
[[de:Cloud Computing Konzepte]]

Boot-Device Replacement - Change of Proxmox ZFS Mirror Disk

2026-03-26T12:45:09Z

Aranzinger: Created page with "These instructions describe the '''change of a boot device''' in a '''Proxmox VE (PVE) host system''' '''with ZFS-mirror'''. This change is necessary, when a disk is damaged or has failed in the compound. In this article, it is explained what to do after a system hard drive failure. Options for different boot-loaders ("GRUB" or "systemd-boot") are explained. Furthermore, it is explained how to change a hard drive within a PVE so that the used mirror is completely ''o..."

These instructions describe the '''change of a boot device''' in a '''[[Proxmox VE]] (PVE) host system''' '''with ZFS-mirror'''. This change is necessary, when a disk is damaged or has failed in the compound. In this article, it is explained what to do after a system hard drive failure. Options for different boot-loaders ("GRUB" or "systemd-boot") are explained. Furthermore, it is explained how to change a hard drive within a PVE so that the used mirror is completely ''online,'' and ''healthy'' and that the redundancy of the operating system is recreated.

{{#widget:Imagebox-left|link={{#tklink:type=sitex|id=19702|linkonly=1}}|image=/de/wikiDE/images/d/d5/Ceph-hci-proxmox-3.png|text=Buy Proxmox optimized servers|campaign=Buy Proxmox Servers}}
{{#widget:SitexBox|link={{#tklink:type=sitex|id=19702|linkonly=1}}|text=Buy Proxmox optimized servers|campaign=campaign=Buy Proxmox Servers}}

== Recommendation - Test environment ==
All described steps can be previously performed in a test environment. For this, create a '''virtual machine in Proxmox VE''' and install PVE on a ZFS RAID-1.

Therefore, you gain experience in this process and lower the risk for your productive system.

== Instructions ==
This paragraph summarizes the commands that are necessary for changing your data carrier and its influence on your system in brief.

'''Attention: It is highly recommended to read the detailed instructions if it is your first time performing this process or are still inexperienced in administering Proxmox VE systems!'''

#Identify the faulty storage device and change it.
#Copy partition layout of the ''healthy'' disk on the ''exchange'' disk (and randomize the GUID)
#Find the ZFS partition using the volume ID (<code>Solaris /usr & Apple ZFS</code>)
#Copy partition of the ''new'' disk into the ''zpool''
#Finalize exchange with <code>proxmox-boot-tool</code>
Once you have completed all the steps correctly, your ZFS will be "online", "healthy", and "boot-safe" again.

== Identify failed data carrier ==
First, you need to identify the failed disk and its name in your PVE system. This can be made, for example, with the <code>lsblk</code> command.

=== Before failure ===
After installation, two boot disks are available (''sda'' and ''sdb''):
<pre>
root@pve-virtual-01:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 100G 0 disk
├─sda1 8:1 0 1007K 0 part
├─sda2 8:2 0 512M 0 part
└─sda3 8:3 0 99.5G 0 part
sdb 8:16 0 100G 0 disk
├─sdb1 8:17 0 1007K 0 part
├─sdb2 8:18 0 512M 0 part
└─sdb3 8:19 0 99.5G 0 part
</pre>

=== After failure ===
In this test scenario, the ''sda'' hard drive has failed. It is missing in the <code>lsblk</code> output after the failure:
<pre>
root@pve-virtual-01:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sdb 8:16 0 100G 0 disk
├─sdb1 8:17 0 1007K 0 part
├─sdb2 8:18 0 512M 0 part
└─sdb3 8:19 0 99.5G 0 part
</pre>

'''Important''': When replacing a data storage device, the descriptions may change. '''Always verify the exact name immediately after replacing the damaged storage device with a new one!''' A faulty specification of the name could irreparably damage your system in the next steps.

== Copy partition layout ==
This information can be always found in the current Proxmox VE documentation. <ref>[https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_zfs ZFS on Linux] (pve.proxmox.com) Abschnitt ''Changing a failed device'' im Unterkapitel 3.8.5.</ref>
<pre>
# sgdisk <healthy bootable device> -R <new device>
# sgdisk -G <new device>
# zpool replace -f <pool> <old zfs partition> <new zfs partition>
</pre>

The new data carrier is in the system and does not have a partition layout yet. However, we require the partitions so that the system can boot properly and that we can provide two technically identic data carriers for the ZFS:
<pre>
root@pve-virtual-01:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 100G 0 disk
sdb 8:16 0 100G 0 disk
├─sdb1 8:17 0 1007K 0 part
├─sdb2 8:18 0 512M 0 part
└─sdb3 8:19 0 99.5G 0 part
</pre>

We now copy the partition layout from the ''healthy'' data carrier to the ''new'' data carrier.
{| {{Prettytable}} cellspacing="0" style="margin: 1em 1em 1em 0; background: #f9f9f9; border: 1px #a0a0a0 solid; border-collapse: collapse; " rules="all"
| Please note once again that you MUST first identify the correct device name (''device-name'') using (''Device-Name'') with <code>lsblk</code>. Otherwise, you risk ending up with a broken Proxmox VE system, as the partition layout of the "new" disk might be accidentally replicated to the "healthy" disk. This would result in the system being unable to boot at all, forcing you to perform a clean install.
|-
|}
<pre>
root@pve-virtual-01:~# sgdisk /dev/sdb -R /dev/sda
The operation has completed successfully.

root@pve-virtual-01:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 100G 0 disk
├─sda1 8:1 0 1007K 0 part
├─sda2 8:2 0 512M 0 part
└─sda3 8:3 0 99.5G 0 part
sdb 8:16 0 100G 0 disk
├─sdb1 8:17 0 1007K 0 part
├─sdb2 8:18 0 512M 0 part
└─sdb3 8:19 0 99.5G 0 part
</pre>

Since we copied the layout to the new disk, the disk and partitions now have the same GUIDs. That is why we still need to randomize them:
<pre>
root@pve-virtual-01:~# sgdisk -G /dev/sda
The operation has completed successfully.
</pre>

== Find out disk ID (by-id) ==
To replace the volume correctly in ZFS, we need to determine the ID of the new volume. In this case, we are looking for the volume associated with the device name sda.
<pre>
root@pve:~# ls -l /dev/disk/by-id/*

lrwxrwxrwx 1 root root 9 Mar 16 15:11 /dev/disk/by-id/ata-QEMU_DVD-ROM_QM00003 -> ../../sr0
lrwxrwxrwx 1 root root 9 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0 -> ../../sda
lrwxrwxrwx 1 root root 10 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2 -> ../../sda2
lrwxrwxrwx 1 root root 10 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3 -> ../../sda3
lrwxrwxrwx 1 root root 9 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1 -> ../../sdb
lrwxrwxrwx 1 root root 10 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part2 -> ../../sdb2
lrwxrwxrwx 1 root root 10 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part3 -> ../../sdb3
</pre>

PVE always creates dedicated partitions for ''boot, EFI,'' and ''ZFS'' on storage devices:
<pre>
root@pve:~# fdisk -l /dev/sda

Disk /dev/sda: 32 GiB, 34359738368 bytes, 67108864 sectors
Disk model: QEMU HARDDISK
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 7D6423DE-2A9C-4B8D-A272-C7B28E1452D9

Device Start End Sectors Size Type
/dev/sda1 34 2047 2014 1007K BIOS boot
/dev/sda2 2048 1050623 1048576 512M EFI System
/dev/sda3 1050624 67108830 66058207 31.5G Solaris /usr & Apple ZFS
</pre>

In this case, we require the device-ID (''by-id'') from the ''/dev/sda3.'' partition, which is as follows:
/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3

== Switch ZFS data carrier ==
First, we verify the ZFS pool status. Here, we see that the failed hard drive is not available anymore in the system and previously had the ID ''/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3.''
<pre>
root@pve-virtual-01:~# zpool status -v
pool: rpool
state: DEGRADED
status: One or more devices could not be used because the label is missing or
invalid. Sufficient replicas exist for the pool to continue
functioning in a degraded state.
action: Replace the device using 'zpool replace'.
see: http://zfsonlinux.org/msg/ZFS-8000-4J
scan: none requested
config:

NAME STATE READ WRITE CKSUM
rpool DEGRADED 0 0 0
mirror-0 DEGRADED 0 0 0
15467202543801207082 UNAVAIL 0 0 0 was /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3
scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part3 ONLINE 0 0 0
</pre>

Now, we change the data carriers.

'''Important:''' In this example, our new hard drive has the same ID as the old one. This will not be the case in your actual scenario. Please follow the syntax:

<pre>root@pve-virtual-01:~# zpool replace -f rpool /dev/disk/by-id/ID-ALTE-FESTPLATTE /dev/disk/by-id/ID-NEUE-FESTPLATTE
</pre>
In our example:
<pre>
root@pve-virtual-01:~# zpool replace -f rpool /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3
</pre>

The exchange is now complete. Now, you can verify if the RAID-1 (''ZFS-Mirror'') is '''online''' and '''healthy''' again:
<pre>
root@pve-virtual-01:~# zpool status -v
pool: rpool
state: ONLINE
scan: resilvered 998M in 0 days 00:00:08 with 0 errors on Tue Mar 16 12:16:34 2021
config:

NAME STATE READ WRITE CKSUM
rpool ONLINE 0 0 0
mirror-0 ONLINE 0 0 0
scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3 ONLINE 0 0 0
scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part3 ONLINE 0 0 0
</pre>

== Finalize disk exchange ==
Finally, there are a few steps left to ensure that the system is stable after a reboot and fully functional.

Now, you have to perform the following steps with the ''proxmox-boot-tool'':

* First, you need to find out the disk ID as described in the step [[Boot-Device Replacement - Replacing a Proxmox ZFS Mirror Disk#Find out disk ID (by-id)|Find out disk ID (by-id)]]—but this time, you need to find the '''ID of the second partition''', since this is always used for the '''EFI system'''.
* When you have found out the ID (in this case ''/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2),'', you can execute the following commands:
<pre>root@pve:~# proxmox-boot-tool format /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2

UUID="" SIZE="536870912" FSTYPE="" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" PKNAME="sdb" MOUNTPOINT=""
Formatting '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2' as vfat..
mkfs.fat 4.2 (2021-01-31)
Done.

root@pve:~# proxmox-boot-tool init /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2

Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..
UUID="FD52-5CAE" SIZE="536870912" FSTYPE="vfat" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" PKNAME="sdb" MOUNTPOINT=""
Mounting '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2' on '/var/tmp/espmounts/FD52-5CAE'.
Installing systemd-boot..
Created "/var/tmp/espmounts/FD52-5CAE/EFI/systemd".
Created "/var/tmp/espmounts/FD52-5CAE/EFI/BOOT".
Created "/var/tmp/espmounts/FD52-5CAE/loader".
Created "/var/tmp/espmounts/FD52-5CAE/loader/entries".
Created "/var/tmp/espmounts/FD52-5CAE/EFI/Linux".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/var/tmp/espmounts/FD52-5CAE/EFI/systemd/systemd-bootx64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/var/tmp/espmounts/FD52-5CAE/EFI/BOOT/BOOTX64.EFI".
Random seed file /var/tmp/espmounts/FD52-5CAE/loader/random-seed successfully written (512 bytes).
Not installing system token, since we are running in a virtualized environment.
Created EFI boot entry "Linux Boot Manager".
Configuring systemd-boot..
Unmounting '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2'.
Adding '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2' to list of synced ESPs..
Refreshing kernels and initrds..
Running hook script 'proxmox-auto-removal'..
Running hook script 'zz-proxmox-boot'..
Copying and configuring kernels on /dev/disk/by-uuid/5D2E-4BFB
Copying kernel and creating boot-entry for 5.15.30-2-pve
WARN: /dev/disk/by-uuid/5D2F-103F does not exist - clean '/etc/kernel/proxmox-boot-uuids'! - skipping
Copying and configuring kernels on /dev/disk/by-uuid/FD52-5CAE
Copying kernel and creating boot-entry for 5.15.30-2-pve

root@pve:~# proxmox-boot-tool status

Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..
System currently booted with uefi
5D2E-4BFB is configured with: uefi (versions: 5.15.30-2-pve)
WARN: /dev/disk/by-uuid/5D2F-103F does not exist - clean '/etc/kernel/proxmox-boot-uuids'! - skipping
FD52-5CAE is configured with: uefi (versions: 5.15.30-2-pve)

root@pve:~# proxmox-boot-tool refresh

Running hook script 'proxmox-auto-removal'..
Running hook script 'zz-proxmox-boot'..
Re-executing '/etc/kernel/postinst.d/zz-proxmox-boot' in new private mount namespace..
Copying and configuring kernels on /dev/disk/by-uuid/5D2E-4BFB
Copying kernel and creating boot-entry for 5.15.30-2-pve
WARN: /dev/disk/by-uuid/5D2F-103F does not exist - clean '/etc/kernel/proxmox-boot-uuids'! - skipping
Copying and configuring kernels on /dev/disk/by-uuid/FD52-5CAE
Copying kernel and creating boot-entry for 5.15.30-2-pve

root@pve:~# proxmox-boot-tool clean

Checking whether ESP '5D2E-4BFB' exists.. Found!
Checking whether ESP '5D2F-103F' exists.. Not found!
Checking whether ESP 'FD52-5CAE' exists.. Found!
Sorting and removing duplicate ESPs..

root@pve:~# proxmox-boot-tool status

Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..
System currently booted with uefi
5D2E-4BFB is configured with: uefi (versions: 5.15.30-2-pve)
FD52-5CAE is configured with: uefi (versions: 5.15.30-2-pve)</pre>

After that, the system has been successfully rebooted and is now fully redundant and secure again.

== References ==
<references />

{{Jsterr}}
{{Aranzinger}}
[[Category:Proxmox Administration]]
[[de:Boot-Device Replacement - Proxmox ZFS Mirror Disk austauschen]]

Backup and restore under Debian 13 with Proxmox Backup Client

2026-03-25T12:55:01Z

Pstreifinger:

This article describes how to back up a '''Debian 13''' system with the help of '''Proxmox Backup Clients''' on a Proxmox Backup server.

== Initial situation ==
For the performance, a '''Proxmox Backup Server''' and a '''Debian 13''' system, that you want to back up, is required.

If you '''did not install a PBS yet''', you will find the instructions for the installation here: [[Proxmox Backup Server Installation]].

== Proxmox Backup Client ==
In this paragraph, the '''Proxmox Backup Client''' is installed and configured on a Debian 13 system.

The whole installation is performed as '''root user'''. With the following command, you can log in as root-user: <pre>su</pre>

=== Add repository ===
First, the '''repository''' must be configured for the ''Proxmox Backup Client''. For this, the ''proxmox-backup-client.list'' file must be created with the following command:
<pre>sudo nano /etc/apt/sources.list.d/proxmox-backup-client.list</pre>
The following content must be added to this file:
<pre>deb http://download.proxmox.com/debian/pbs-client trixie main</pre>
Next, the '''Repository-GPG-Key''' must be imported. Proxmox uses for every Debian version another GPG-key. For Debian version 13, the GPG-key for Trixie is required:
<pre>wget -qO - https://enterprise.proxmox.com/debian/proxmox-release-trixie.gpg | sudo tee /etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg >/dev/null</pre>

=== Installation ===
After installing the ''Proxmox Backup Client'' repository, all package lists must be updated:<pre>
sudo apt update</pre>
Now, you can install ''Proxmox Backup Client'':
<pre>sudo apt install proxmox-backup-client</pre>

=== Connect to PBS ===
After successful installation of the client, you can connect to the Proxmox Backup server with the following command:
<pre>proxmox-backup-client login --repository <user>@<pam>@<ipadresse>:<datastore></pre>
The following adjustments must be made:
* <code><user></code>: Enter the PBS username; we recommend using an alternative account with the necessary permissions rather than the root account
* <code><pam></code>: Enter the realm required when logging in to PBS here (usually this is '''pam''')
* <code><ipaddress></code>: Enter the IP address of the Proxmox Backup server here
* <code><datastore></code>: Specify the name of the datastore where the backups should be stored
* '''The entry could look like this: "backup@pam@10.26.33.11:zfs-pool".'''
Accept the fingerprint and enter the password in the PBS.

Now, the Backup Client is installed on your Debian system.

== Perform backup ==

=== Type of security ===
To back up a file or a path, run the following command:
<pre>proxmox-backup-client backup etc.pxar:/(directory or file that should be secured) --repository <user>@<pam>@<ipadresse>:<datastore></pre>
If you want to back up the whole system, you require this command:
<pre>proxmox-backup-client backup etc.pxar:/ --repository <user>@<pam>@<ipadresse>:<datastore></pre>
After you have performed one of these commands, the backup should now be displayed in the datastore of the Proxmox Backup server.

=== Display in the shell ===
You can display the backups in the Debian shell:<pre>proxmox-backup-client snapshots --repository <user>@<pam>@<ipadresse>:<datastore></pre>
Sample output:<pre>
┌──────────────────────────────────┬───────┬───────────────────────────────────┐
│ snapshot │ size │ files │
╞══════════════════════════════════╪═══════╪═══════════════════════════════════╡
│ host/debian/2026-03-11T11:33:16Z │ 728 B │ catalog.pcat1 etc.pxar index.json │
└──────────────────────────────────┴───────┴───────────────────────────────────┘
</pre>

== Restore ==
For the recreation of your data, perform the following command:<pre>proxmox-backup-client restore <Backup Name> etc.pxar <destination directory> --repository <user>@<pam>@<ipaddress>:<datastore></pre>
* <code><Backup Name></code>: Enter the complete name of the backup
* <code><Destination Directory></code>: Enter the destination directory for the restore here
* <code><user>, <pam>, <ipaddress>, <datastore></code>: These should be selected as specified for connection to PBS

=== Example ===
The following values are used for the example:

* '''Backup name''': <code>host/debian/2026-03-11T11:33:16Z</code>
* '''Destination directory''': <code>/home</code>
* '''user''': <code>backup</code>
* '''pam''': <code>pam</code>
* '''ip-address''': <code>10.21.0.50</code>
* '''datastore''': <code>backup_ssd</code>

This results in the following command:<pre>proxmox-backup-client restore host/debian/2026-03-11T11:33:16Z etc.pxar /home --repository backup@pam@10.21.0.50:backup_ssd</pre>

== Cron job ==
You can also automate your backups using a '''cron job'''.

=== Create script ===
First, you have to create the file <code>/usr/local/sbin/debian-backup.sh</code>:
<pre>nano /usr/local/sbin/debian-backup.sh</pre>
Create the following script (select the values enclosed in <code><></code> according to your settings):
<pre>#!/bin/bash
set -euo pipefail

export PBS_REPOSITORY="<user>@<pam>@<IPaddress>:<Datastore>"
export PBS_PASSWORD="<Password>"

proxmox-backup-client backup \
home.pxar:/<directory></pre>
Then make the script executable:
<pre>chmod +x debian-backup.sh</pre>

=== Installation and configuration of Cron ===
Next, '''Cron''' must be installed with the following commands:
<pre>sudo apt update

sudo apt install cron
</pre>
Create '''Cron''' file:
<pre>
sudo crontab -e
</pre>
If you want to back up your data every day at 3:30 a.m., add the following text to the file:
<pre>
30 3 * * * /usr/local/sbin/debian-backup.sh
</pre>
The exact instructions for creating or changing Cron jobs can be found in the article https://wiki.ubuntuusers.de/Cron/ .

{{Pstreifinger}}
{{Aranzinger}}
[[de:Backup und Restore unter Debian 13 mit Proxmox Backup Client]]

VirtualBox

2026-03-25T05:43:31Z

Aranzinger: Created page with "'''VirtualBox''' is a virtualization solution from Oracle. VirtualBox was originally developed by Innotek, which was later acquired by Sun Microsystems. In 2010, Oracle acquired Sun, including VirtualBox. VirtualBox runs on Windows, Linux, Mac OS and Solaris. == General information == * Documentation: http://www.virtualbox.org/manual/UserManual.html == Versions == === VirtualBox 6.1 === * Most important new features (excerpt) in version 6.1: ** Now supports importi..."

'''VirtualBox''' is a virtualization solution from Oracle. VirtualBox was originally developed by Innotek, which was later acquired by Sun Microsystems. In 2010, Oracle acquired Sun, including VirtualBox.

VirtualBox runs on Windows, Linux, Mac OS and Solaris.

== General information ==
* Documentation: http://www.virtualbox.org/manual/UserManual.html

== Versions ==
=== VirtualBox 6.1 ===
* Most important new features (excerpt) in version 6.1:
** Now supports importing a VM from Oracle Cloud Infrastructure
** Enhanced support for exporting a VM to Oracle Cloud Infrastructure
** Supports nested hardware virtualization for Intel CPUs
** Supports Linux kernel 5.4 for Linux based guests
* Complete changelogs: https://www.virtualbox.org/wiki/Changelog

=== VirtualBox 6.0 ===
* Most important renewals (excerpt) in version 6.0:
** Support of export for virtual machines in the Oracle Cloud Infrastructure
** Improved user interface
** Improved support of HiDPI monitors
** New file manager supports copying files between host and guest
** Large update of 3D graphic support for Windows guests
** Hyper-V as fallback option for Windows hosts
** Support for Linux kernel 4.20 for Linux-based guests
* Complete changelogs: https://www.virtualbox.org/wiki/Changelog
* More information:
** [https://www.heise.de/ix/meldung/VirtualBox-6-0-mit-vielen-punktuellen-Verbesserungen-4255869.html VirtualBox 6.0 with lots of selective improvements] (heise.de, 19.12.2018)

=== VirtualBox 5.2 ===
* Most important renewals (excerpt) in version 5.2:
** VM export to Oracle Cloud (OPC)
** Unattended operating system installation in the guest system
** Revised graphical user interface
* Complete changelogs:https://www.virtualbox.org/wiki/Changelog
* More information:
** [https://www.heise.de/ix/meldung/Inklusive-Upload-in-die-Oracle-Cloud-VirtualBox-5-2-freigegeben-3866366.html Includes upload to the Oracle-Cloud: VirtualBox 5.2 released] (heise.de, 20.10.2017)

=== VirtualBox 5.1 ===
* Most important renewals (excerpt) in version 5.1:
** Improved performance through a new implementation for APIC and I/O-APIC
** Debugging Windows guests using Hyper-V paravirtualization
** Graphical user interface fully migrated to Qt5
** Higher performance and faster access times through passive API event listener
** Better support for Python 3
** NVMHCI-compatible storage-controller enables the emulation of NVMe devices
* Complete changelogs: https://www.virtualbox.org/wiki/Changelog
* More information:
** [http://www.heise.de/ix/meldung/Virtualization-software-VirtualBox-5-1-relies-on-Qt5-3265361.html Virtualization software: VirtualBox 5.1 relies on Qt5] (heise.de, 13.07.2016)

=== VirtualBox 5.0 ===
* Most important renewals (excerpt) in version 5.0:
** USB 3.0 support
** Improved Drag&Drop
** Disk-Image encryption
* Complete changelogs: https://www.virtualbox.org/wiki/Changelog
* More information: ** [http://www.heise.de/newsticker/meldung/Virtualisierungssoftware-VirtualBox-5-0-vorgestellt-USB-3-0-Support-und-bessere-Performance-2747850.html Virtualization software VirtualBox 5.0 presented: USB-3.0-support and better performance] (heise.de, 10.07.2015)

=== VirtualBox 4.3 ===
* Important renewals (excerpt) from in 4.3:
** New NAT network mode ([[Netzwerkkonfiguration in VirtualBox#NAT Service|NAT Service]]) that allows guest systems to communicate with one another
** Support of Windows 8.1, Windows Server 2012 R2 and OS X 10.9 "Mavericks"
** Windows 8.1 Touch Device input assistance
** Faster 3D effects on Ubuntu or Fedora Linux guest systems
** IPv6 is available in bridged, host, internal, and new NAT modes
* Complete changelogs: https://www.virtualbox.org/wiki/Changelog
* More information:
** [http://www.admin-magazin.de/News/Virtualbox-4.3-verbessert-Netzwerk-Funktionalitaet VirtualBox 4.3 improves network functionality] (ADMIN Magazine, 16.10.2013)
** [http://www.heise.de/open/meldung/VirtualBox-4-3-unterstuetzt-Multitouch-1979845.html VirtualBox 4.3 supports Multitouch] (heise open, 15.10.2013)

=== VirtualBox 4.2 ===
* Most important renewals (excerpt) in version 4.2:
** Support for Windows 8 and OS X 10.8 "Mountain Lion"
* Complete changelogs: http://www.virtualbox.org/wiki/Changelog-4.2
* More information:
** [http://www.heise.de/open/meldung/VirtualBox-4-2-unterstuetzt-Windows-8-und-Mountain-Lion-1707785.html VirtualBox 4.2 supports Windows 8 and Mountain Lion] (heise open, 13.09.2012)

=== VirtualBox 4.1 ===
* Most important renewals (in part) in version 4.1:
** Cloning support: vull clones can be created via GUI and VBoxManage, linked clones via VBoxManage
** GUI: new/extended wizards for creating new virtual disks or for copying virtual disks
** Memory limit on 64-bit hosts now 1 TB
** Experimental support for PCI passthrough on Linux hosts
** Windows guest systems: experimental WDDM graphic driver with Windows Aero and Direct3D support
** Network: new connection mode ''Generic Driver''
** New network mode ''UDP tunnel'': allows the connection of VMs that run on different hosts
** Experimental support for SATA HDD Hotplugging with VBoxManage
* Complete changelogs: http://www.virtualbox.org/wiki/Changelog-4.1
* More information:
** [http://www.heise.de/open/meldung/Oracle-veroeffentlicht-VirtualBox-4-1-1281936.html Oracle publishes VirtualBox 4.1] (heise open, 19.07.2011)
** [http://virtualization.info/en/news/2011/07/release-oracle-virtualbox-4-1-0.html Release: Oracle VirtualBox 4.1.0] (virtualization.info)

=== VirtualBox 4.0 ===
* Current maintenance release: [http://blogs.oracle.com/virtualization/entry/oracle_vm_virtualbox_4_02 4.0.12 (2011-07-15)]
* Most important renewals (in part) from version 4.0:
** Extension packs for expansions
** New settings and disk file format
** New GUI (VirtualBox Manager)
** Improved OVF support
* Possible limitation of CPU time and I/O bandwidth of a VM
* Support for asynchronem I/O für iSCSI, VMDK, VHD and Parallels Image files
** Support for multiple screens in Linux and Solaris guests with X.Org servers from version 1.3
* Complete changelogs: http://www.virtualbox.org/wiki/Changelog-4.0
* More information:
** [http://virtualization.info/en/news/2010/12/release-oracle-vm-virtualbox-4-0.html Release: Oracle VM VirtualBox 4.0] (virtualization.info)

=== VirtualBox 3.2 ===
* Most important renewals (in part):
** [http://www.virtualbox.org/manual/ch04.html#guestadd-balloon Memory Ballooning] (only on 64-Bit hosts)
** CPU hot-plug for Linux (hot-add and hot-remove) and some Windows guests (only hot-add)
** LsiLogic SAS controller emulation
* Complete changelogs: http://www.virtualbox.org/wiki/Changelog-3.2
* More information:
** [http://virtualization.info/en/news/2010/12/release-oracle-vm-virtualbox-version-3-2-12.html Release: Oracle VM VirtualBox 3.2.12] (virtualization.info)
** [http://virtualization.info/en/news/2010/10/release-oracle-vm-virtualbox-3-2-10.html Release: Oracle VM VirtualBox 3.2.10] (virtualization.info)
** [http://virtualization.info/en/news/2010/08/release-oracle-virtualbox-3-2-8.html Release: Oracle VM VirtualBox 3.2.8] (virtualization.info)
** [http://virtualization.info/en/news/2010/06/release-oracle-vm-virtualbox-3-2-6.html Release: Oracle VM VirtualBox 3.2.6] (virtualization.info)
** [http://virtualization.info/en/news/2010/06/release-oracle-vm-virtualbox-3-2-4.html Release: Oracle VM VirtualBox 3.2.4] (virtualization.info)
** [http://virtualization.info/en/news/2010/06/release-oracle-vm-virtualbox-3-2-2.html Release: Oracle VM VirtualBox 3.2.2] (virtualization.info)
** [http://virtualization.info/en/news/2010/05/release-oracle-vm-virtualbox-3-2.html Release: Oracle VM VirtualBox 3.2] (virtualization.info)

=== VirtualBox 3.1 ===
* Complete changelogs: http://www.virtualbox.org/wiki/Changelog-3.1

=== VirtualBox 3.0 ===
* Complete changelogs: http://www.virtualbox.org/wiki/Changelog-3.0

== More information ==
* http://de.wikipedia.org/wiki/VirtualBox

{{Wfischer}}
{{Aranzinger}}
[[de:VirtualBox]]
[[Category:VirtualBox]]
[[Category:Review 2023 Q3]]

Advantech Industry Firewall server

2026-03-24T12:03:04Z

Aranzinger:

For the operation of an open source firewall such as [[OPNsense]], a multiple number of different server systems is suitable. In this article, we present Advantech Industry Firewall systems that were tested with OPNsense at Thomas-Krenn.

{{#widget:Imagebox-left|link={{#tklink:type=sitex|id=20777|linkonly=1}}|image=/de/wikiDE/images/0/0f/OPNsense-Shopbanner.png|text=Click here for our OPNsense Industry Firewalls in the Thomas-Krenn online shop|campaign=Advantech Industry Firewall Server }}
{{#widget:SitexBox|link={{#tklink:type=sitex|id=20777|linkonly=1}}|text=Click here for our OPNsense Industry Firewalls in the Thomas-Krenn online shop|campaign=Advantech Industrie Firewall Server }}

== Firewall optimized Advantech systems ==
The following chart shows Advantech systems that were tested with OPNsense at Thomas-Krenn:

{| class="wikitable"
|- style="background-color: #EFEFEF;text-align:center;"
! Server
! <tklink type="sitex" id="20756">UNO-2271G V2</tklink> 
[[File:UNO-2271G V2.png|100px]]
! <tklink type="sitex" id="20804">FWA-1012VC-4CA1S</tklink> 
[[File:FWA-1012VC.png|100px]]
! <tklink type="sitex" id="20803">FWA-1012VC-8CA1S</tklink> 
[[File:FWA-1012VC.png|100px]]
! <tklink type="sitex" id="20805">FWA-1112VC-4CA1S</tklink> 
[[File:FWA-1112VC-4CA1S.jpg|100px]]
! <tklink type="sitex" id="20802">FWA-2012-16A1S</tklink> 
[[File:FWA-2012-16A1S.png|100px]]
! <tklink type="sitex" id="21233">FWA-1214LRI-4CA1R</tklink> 
[[File:FWA-1214.png|100px]]
! <tklink type="sitex" id="21233">FWA-1214FRI-8CA1R</tklink> 
[[File:FWA-1214.png|100px]]
! <tklink type="sitex" id="21123">FWA-3034</tklink> 
[[File:FWA-3034.jpg|100px]]
! <tklink type="sitex" id="21073">FWA-5072-00A1R</tklink> 
[[File:FWA-5072-00A1R.png|100px]]
|-
| Special features
| valign=top |
* fanless
* 2 NICs
* optional 2 additional NICs (2x i350)
| valign=top |
* 4 NICs
* 2 SFP
* Intel QAT
| valign=top |
* 6 NICs
* 2 SFP
* Intel QAT
| valign=top |
* 6 NICs
* 2 SFP+
* 10 Gbit
* Intel QAT
* high temperature range
| valign=top |
* 6 NICs
* Intel QAT
* 1x NMC
| valign=top |
* 4 cores (Atom x7433RE)
* 4 NICs
| valign=top |
*8 cores (Atom x7835RE)
*4 NICs
* 2 SFP (FWA-1214FRI-8CA1R)
| valign="top" |
* Front I/O
* 8x 2,5 Gbit onboard
* 2x 10 Gbit onboard
* 1x NMC
* red. NT
| valign=top |
* Front I/O
* 4x NMC
* red. NT
|-
| Mainboard
| align="center" | UNO-2271G-N221AE
| align="center" | FWA-1012VC 4-Core
| align="center" | FWA-1012VC 8-Core
| align="center" | Advantech Mainboard FWA-1112VC
| align="center" | Advantech Mainboard FWA-2012
| align="center" | Advantech Mainboard FWA-1214
| align="center" | Advantech Mainboard FWA-1214
| align="center" | Advantech Mainboard FWA-3034
| align="center" | Advantech Mainboard FWA-5072-00A1R
|-
| CPU 
: Taktfrequenz
: Cores / Threads
: AES-NI Instructions
| align="center" | [https://ark.intel.com/content/www/de/de/ark/products/214754/intel-celeron-processor-n6210-1-5m-cache-up-to-2-60-ghz.html Celeron N6210] 
: 1,2 GHz
: 2 / 2
: yes
| align="center" | [https://www.intel.de/content/www/de/de/products/sku/97937/intel-atom-processor-c3558-8m-cache-up-to-2-20-ghz/specifications.html Atom C3558] 
: 2,2 GHz
: 4 / 4
: yes
| align="center" | [https://www.intel.de/content/www/de/de/products/sku/97926/intel-atom-processor-c3758-16m-cache-up-to-2-20-ghz/specifications.html Atom C3758] 
: 2,2 GHz
: 8 / 8
: yes
| align="center" | [https://www.intel.de/content/www/de/de/products/sku/97937/intel-atom-processor-c3558-8m-cache-up-to-2-20-ghz/specifications.html Atom C3558] 
: 2,2 GHz
: 4 / 4
: yes
| align="center" | [https://www.intel.de/content/www/de/de/products/sku/97927/intel-atom-processor-c3958-16m-cache-up-to-2-0-ghz/specifications.html Atom C3958] 
: 2,0 GHz
: 16 /16
: yes
| align="center" | [https://www.intel.de/content/www/de/de/products/sku/236967/intel-atom-x7433re-processor-6m-cache-up-to-3-40-ghz/specifications.html Atom x7433RE] 
: 3,4 GHz
: 4 / 4
: yes
| align="center" | [https://www.intel.de/content/www/de/de/products/sku/236968/intel-atom-x7835re-processor-6m-cache-up-to-3-60-ghz/specifications.html Atom x7835RE] 
: 3,6 GHz
: 8 / 8
: yes
| align="center" | [https://www.intel.de/content/www/de/de/products/sku/232105/intel-core-i313100te-processor-12m-cache-up-to-4-10-ghz/specifications.html Core i3-13100TE] - [https://www.intel.de/content/www/de/de/products/sku/132219/intel-core-i712700e-processor-25m-cache-up-to-4-80-ghz/specifications.html Core i7-12700E] 
: 4,1 - 5,1 GHz
: 8 / 8 - 12 / 20
: yes
| align="center" | [https://www.intel.de/content/www/de/de/products/sku/236636/intel-xeon-silver-4509y-processor-22-5m-cache-2-60-ghz/specifications.html Xeon Silver 4509Y] - [https://www.intel.de/content/www/de/de/products/sku/237250/intel-xeon-platinum-8580-processor-300m-cache-2-00-ghz/specifications.html Xeon Platinum 8580] 
: 2,0 - 3,9 GHz
: 8 / 16 - 60 / 120
: yes
|-
| RAM
| align="center" | 2 - 8 GB
| align="center" | 8 - 32 GB
| align="center" | 8 - 32 GB
| align="center" | 8 - 32 GB
| align="center" | 8 - 32 GB
| align="center" | 8 GB
| align="center" | 8 GB
| align="center" | 8 - 64 GB
| align="center" | 16 - 1024 GB
|-
| Disk (SATA)
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | 2
| align="center" | 2
|-
| Disk (NVMe and other)
|
* 32 GB eMMC onboard
* 1 mSATA
|
* 1 SATA M.2 2280
|
* 1 SATA M.2 2242/2280
| align="center" |
* 1 SATA M.2 2280
| align="center" |
* 1 SATA M.2 2280
| align="center" |
* 64GB M.2 SATA SSD 2242 onboard
| align="center" |
* 64GB M.2 SATA SSD 2242 onboard
| align="center" | 1 SATA/NVMe M.2 2280
| align="center" | 2 SATA/NVMe M.2 2280
|-
| NICs 1 Gbit (contained)
| align="center" | 2
(2x i211)
| align="center" | 6
(4x RJ45, 2x SFP)
| align="center" | 8
(6x RJ45, 2x SFP)
| align="center" | 4
(2x i211, 2x X553 L)
| align="center" | 6
(6x RJ45)
| align="center" | 4
(4x RJ45)
| align="center" | 6
(4x RJ45 und 2x SFP)
| align="center" | 2
(2x SFP)
| align="center" | 2
(2x RJ45)
|-
|NICs 2,5 Gbit (contained)
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | 8
(8x i226-LM)
| align="center" | -
|-
| NICs 10 Gbit (contained)
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | 2
(2x X553 N)
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | 2
(2x X710)
| align="center" | -
|-
| NICs 25 Gbit (contained)
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
| align="center" | -
|}

{{Tniedermeier}}
{{Aranzinger}}
[[de:Advantech Industrie Firewall Server]]

Overview of virtualization technologies

2026-03-24T11:24:55Z

Aranzinger: Created page with "== Technologies == === Hardware emulation === In hardware emulation, all hardware components (CPU, chipset, I/O cards, etc.) are emulated. The CPU emulation translates hardware instructions from the emulated to the native CPU (for example emulation of PowerPC, ARM, SPARC, MIPS, ... on x86). This results in significant overhead and, consequently, a loss of performance. Guest operation systems can be operated without adjustments. Examples for hardware emulation: * [ht..."

== Technologies ==

=== Hardware emulation ===
In hardware emulation, all hardware components (CPU, chipset, I/O cards, etc.) are emulated. The CPU emulation translates hardware instructions from the emulated to the native CPU (for example emulation of PowerPC, ARM, SPARC, MIPS, ... on x86). This results in significant overhead and, consequently, a loss of performance.

Guest operation systems can be operated without adjustments.

Examples for hardware emulation:
* [http://bochs.sourceforge.net/ Bochs]
* [http://fabrice.bellard.free.fr/qemu/ QEMU]
* [http://pearpc.sourceforge.net/ PearPC]
* [http://de.wikipedia.org/wiki/Windows_Virtual_PC#Virtual_PC_f.C3.BCr_Mac Windows Virtual PC for Mac (PPC)] (no longer supported)

=== Hardware virtualization ===
Similar to hardware emulation, numerous hardware components are emulated (chipset, I/O cards,...) However, the CPU is not emulated, but some CPU instructions are intercepted and adjusted. Therefore, only the CPU architecture can be used in the guest systems, which is also available physically in the host systems. However, performance is significantly higher than with hardware emulation.

Guest operating systems can be operated without adjustments.

Examples for hardware virtualization:
* [[VMware vSphere 5.5]], [http://www.vmware.com/products/workstation VMware Workstation]
* [[Microsoft Hyper-V]]
* [[VirtualBox]]
* [http://www.xenproject.org/ XEN] starting with version 3 and using Hardware Virtual Machine (HVM), requires an Intel VT/AMD-V CPU

=== Paravirtualization ===
In paravirtualization, no hardware emulation takes place. The host offers instead a special API for hardware access. In the guest systems, only the CPU architecture can be used that is also available in the host system physically.

Guest systems (kernel) must be adapted, but the ABI (Application Binary Interface) remains unchanged.

Example:
* XEN
* VMware vSphere (paravirtualized device drivers, and previously also paravirtualized CPUs with VMI)<ref>[http://blogs.vmware.com/guestosguide/2009/09/vmi-retirement.html Update: Support for guest OS paravirtualization using VMware VMI to be retired from new products in 2010-2011] (blogs.vmware.com, 22.09.2009)</ref>

=== Operating system virtualization / container ===
There is also no emulation. There is only one kernel for host and guest system. Therefore, the guest operating system can only be the same operating system as the one running on the host (for example Linux on Linux, different distributions are possible). This technology has a low overhead, as no emulation takes place and syscalls pass through only one kernel, not two. Guest systems can be started within seconds.

Examples:
* [[Linux Containers LXC]]
* [http://openvz.org/ OpenVZ]
* [http://linux-vserver.org/ Linux-VServer]
* [http://www.oracle.com/technetwork/server-storage/solaris/containers-169727.html Solaris Containers]
* [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html FreeBSD Jails]

== More information ==
* [http://de.wikipedia.org/wiki/Virtualisierung_(Informatik) Virtualisierung (Informatik)] (de.wikipedia.org)
* [http://www.tecchannel.de/server/virtualisierung/2076934/ab_wann_lohnt_sich_virtualisierung_fuer_kmus/ Wann lohnt sich Virtualisierung für kleine und mittelständische Unternehmen?] (tecchannel.de, 13.01.2015)

== References ==
<references />

{{Fhettenbach}}
{{Aranzinger}}
[[Category:Virtualization]]
[[pl:Przegląd technologii wirtualizacji]]
[[de:Virtualisierungstechnologien im Überblick]]

OPNsense FAQ

2026-03-23T11:47:11Z

Aranzinger: Created page with "In this article, you will find answers on frequently asked questions about the Open Source firewall OPNsense. {{#widget:Imagebox-left|link={{#tklink:type=sitex|id=19293|linkonly=1}}|image=/de/wikiDE/images/0/0f/OPNsense-Shopbanner.png|text=Click here for our OPNsense firewalls in the Thomas-Krenn online shop|campaign=OPNsense FAQs }} {{#widget:SitexBox|link={{#tklink:type=sitex|id=19293|linkonly=1}}|text=Click here for our OPNsense firewalls in the Thomas-Krenn onli..."

In this article, you will find answers on frequently asked questions about the Open Source firewall [[OPNsense]].

{{#widget:Imagebox-left|link={{#tklink:type=sitex|id=19293|linkonly=1}}|image=/de/wikiDE/images/0/0f/OPNsense-Shopbanner.png|text=Click here for our OPNsense firewalls in the Thomas-Krenn online shop|campaign=OPNsense FAQs }}
{{#widget:SitexBox|link={{#tklink:type=sitex|id=19293|linkonly=1}}|text=Click here for our OPNsense firewalls in the Thomas-Krenn online shop|campaign=OPNsense FAQs}}

== FAQ ==
This paragraph lists answers on different questions about OPNsense.

# Which servers are suitable for OPNsense?
#* You will find compatible and tested servers in the Thomas-Krenn online shop in the area <tklink type="sitex" id="19293">OPNsense Firewalls.</tklink>
# Where can I find an overview about the most important data of Thomas-Krenn devices that are compatible with OPNsense?
#* [[Low Energy Systems (LES) Firewall Server]]
#* [[Intel based Thomas-Krenn Firewall Server]]
#* [[AMD based Thomas-Krenn Firewall Server]]
# Where can I find performance data on different Thomas-Krenn firewall servers?
#* The article [[Thomas-Krenn OPNsense Firewall Performance]] shows the systems tested on performance.
#* Additional systems are being added on an ongoing basis.
# The category [[:Category:OPNsense|OPNsense]] can be found in the Thomas-Krenn-Wiki.
#* Webinars on the OPNsense topic can be found on our Thomas-Krenn Youtube channel: [https://www.youtube.com/user/ThomasKrenn/videos ThomasKrenn]
#* In our company blog TKmag, there is also a lot of information on OPNsense: [https://www.thomas-krenn.com/de/tkmag/ TKmag | The expert magazine covering servers, storage, virtualization, and more.]
# How are network cables properly connected? Standard WAN and LAN port assignments
#* The article [[Thomas-Krenn OPNsense Firewalls network interfaces]] shows the correct cabling.
# How can additional interfaces be configured in the OPNsense web interface?
#* The article [[OPNsense add interface]] shows the required steps.
# How to install OPNsense?
#* Information can be found in the article [[Install OPNsense]].
# How to perform the basic configuration?
#* [[Install OPNsense#Configuration|Basic configuration after installation]]
# How to secure the configuration?
#* The configuration can be secured as[[OPNsense_installieren#Konfiguration_sichern| XML file]].
#* The XML-file can be encrypted, too.
# How to recreate the configuration.
#* Option 1: Via the web interface under System -> Configuration -> Backups, under the "Restore" heading.
#* Option 2: Via the [[OPNsense Konfiguration wiederherstellen|console of the OPNsense firewall]].
# Which OPNsense version ist the current version?
#* Information on the releases with the most important renewals can be found in the article [[OPNsense]].
# What options does OPNsense offer for VPN connections?
#* With an OPNsense firewall, you can set up VPNs using [[OpenVPN]], IPsec, and [[WireGuard]] (via plugin), among others; additional VPN technologies can also be added as plugins, just like WireGuard.
#* The VPN-techniques can be used for site-to-site and also for Roadwarrior.
#* [[OPNsense OpenVPN für Road Warrior einrichten|Setup for OPNsense OpenVPN for Road Warrior]]
#* [[Installation of OPNsense OpenVPN instances site-to-site]]
#* [[OPNsense_OpenVPN_Performance_Tests#OpenVPN_Einstellungen|OpenVPN Site-to-Site settings]] between two OPNsense firewalls
#* [[OPNsense WireGuard VPN for Road Warrior configuration]]
#* [[OPNsense OpenVPN performance tests and results]]
#* [[OPNsense_IPsec_Performance_Tests#IPsec_Einstellungen|IPsec Site-to-Site settings]] between two OPNsense firewalls
#* A concrete configuration recommendation for a IPsec Roadwarrior configuration does not exist. It is important to always take the end device into account. A Windows 10 client requires different settings than an Android or iOS device.
# Are Chelsio, Mellanox, and Broadcom network cards supported by OPNsense?
#* Yes, but the driver must be activated manually: [[OPNsense Chelsio Mellanox Broadcom Netzwerkkarten-Treiber aktivieren|Activation of OPNsense Chelsio Mellanox Broadcom network cards driver]]
#* '''Hint:''' Broadcom cards are activated automatically with the release of the OPNsense 24.7 version.
# Is it possible to connect two OPNsense firewalls to form a cluster?
#* Yes, you will also find an article on how to [[OPNsense HA Cluster configuration]].
#* [[OPNsense_HA_Cluster_einrichten#Anforderungen|Requirements for hardware]]
# The dashboard of the OPNsense firewall shows no CPU temperatures.
#* There is an article on how to [[CPU Temperaturen in OPNsense anzeigen|Display CPU temperatures in OPNsense]]

== Selection of suitable hardware ==
When making your selection, please keep the following points in mind:
* Location (fanless system for office or 19" rack server)
* Front-IO system or classic rack server
* One or two power supplies
* Number of required 1 GBit, 10 GBit or >25 Gbit network interfaces
* Required CPU performance
** OpenVPN: high-clock-speed CPU, for example Xeon-E or Xeon Silver: <tklink type="sitex" id="20460">RI1101-SMXEFH</tklink>
** IPsec VPN Tunnel: If you need a throughput of 1 Gbps or more, choose a Xeon-E CPU or Xeon Silver: <tklink type="sitex" id="20460">RI1101-SMXEFH</tklink>
** Proxy: Number of cores is more important than clock speed
* Required size of RAM
** Operation of firewall with basic funtions and VPN services: 4GB RAM (50 or more users: 8 GB RAM)
** In addition with Intrusion Detection (IDS), Intrusion Prevention (IPS) or Proxy: 8GB RAM (50 or more users: 16GB RAM)
** When operating Zenarmor: 16GB RAM (250 or more users: 32GB RAM)
* Hardware compatibility with the firewall solution's operating system ([[FreeBSD]] for OPNsense or pfSense, [[Linux]] for ipFire)
* Recommendation of manufacturer, see for example [[Hardwareanforderungen OPNsense|Hardware requirements for OPNsense]]

== Commissioning of Pre-Installed OPNsense firewalls ==
You can also purchase pre-installed OPNsense firewalls from Thomas-Krenn.
In the article [[Inbetriebnahme vorinstallierter Thomas-Krenn OPNsense Firewalls|Commissioning of pre-installed Thomas-Krenn OPNsense firewalls]], you will find information how to properly set up and further configure pre-installed systems.

== OPNsense Business Edition ==
In this paragraph, you will find important information on OPNsense Business edition.

# Which additional functions are offered by the OPNsense business edition?
#* Information on [[OPNsense Business Edition]]
# Where can I buy the OPNsense Business Edition subscription?
#* You can add the Business Edition subscription to your order when purchasing an OPNsense-compatible server.
#* You can also buy Business Edition subscriptions separately via <tklink type="configurator" detail="configurator" id=27314 />
# How can I activate OPNsense Business Edition?
#* The Business Edition can be easily activated using the activation key after purchasing a subscription: [[Activate OPNsense Business Edition license]]
# Is there a specific timeline for when the new OPNsense Business Edition will be released?
#* Yes, on April 12, 2021, a time table has been defined that is valid for all future business edition releases. It is now published every April and October as a separate issue.<ref>[https://forum.opnsense.org/index.php?
topic=22602.msg OPNsense business edition 21.4 released] (forum.opnsense.org)</ref>
#* Be sure to check the OPNsense interface regularly for available updates.
# Is there a notification when the business edition subscription expires or is there a function to extend it automatically.
#* No, this fuction is not available. The subscriptions expire automatically.
#* In the OPNsense dashboard, you will find an entry called ''Licensed until DATE'' in the '''System Information''' widget in the '''Version''' line.
# What happens, when you forget to extend the Business Edition? Will updates still work?
#* Of course, you can always switch back to the regular OPNsense update mirror and continue to receive updates through it.
# Is there a separate extension of the subscription and if so, how are they different?
#* No, there are no separate extensions of the subscription.
# Are two OPNsense Business Edition subscriptions required when using an HA cluster?
#* Yes, one subscription is required per machine.

== Questions from the Webinar Q&A: Open Source Firewall OPNsense (with m.a.x. it) (as of June 5, 2024) ==
Here, you will find all questions from the Q&A that have not been answered yet: Open Source Firewall OPNsense (mit m.a.x. it) listed with the answers:

# Are there experiences with updates of the community version?
#* Wait for the release upgrade to the .4 or .5 point release
#* There have been a lot of hotfix updates for the Community Edition lately, as issues have kept cropping up.
#* In a corporate environment, it’s best to use the OPNsense Business Edition, as this provides three major update packages per release instead of about 10.
# If not solved in the current version: Problems with DHCP-Relay over a site-to-site VPN-connection?
#* This should be possible with the Kea-DHCP.
# How suitable is the OPNsense firewall for the use of, for example, Sophos UTM solutions?
#* In general, a lot of functions can be represented with OPNsense and plugins.
#* It depends on the use application case, an additional software (for example Zenarmor) is required for some functions.
#* WLAN, SD-RED, Userportal and email quarantine is not available for OPNsense
# What are the general costs associated with purchase and operation?
#* The hardware costs depend on the size of the network, the desired throughput, and the required features (IDS/IPS or VPNs).
#** The cost of an OPNsense appliance starts at under 400 euros for a LES device; robust rack servers cost around 1,500 euros, but prices for a high-end HA cluster with two devices can exceed 10,000 euros. For a suitable sizing, it is best to directly contact our experts.
#** The price depends on a lot of factors, for example performant CPUs or additional network cards.
#* Software costs either free of charge with the Community Edition or 149 per year with the business edition.
#* Other ongoing costs include maintenance or support contracts; these costs vary depending on your needs.
# What resources are available for those new to the subject?
#* Webinars on the OPNsense topic, for example: [https://www.thomas-krenn.com/de/tkmag/webinare/opnsense-fuer-anwender-wie-sie-die-firewall-richtig-nutzen-und-absichern/ OPNsense for applicators – How to use and secure the firewall correctly]
#* [https://forum.opnsense.org/index.php OPNsense Forum]
#* [https://docs.opnsense.org/index.html OPNsense Documentation]
#* [https://www.zenarmor.com/docs/ Zenarmor User Guide]
#* Thomas-Krenn-Wiki category [[:Kategorie:OPNsense|OPNsense]]

== Questions from the OPNsense Q&A webinar - with m.a.x. it (as of March 25, 2021) ==
Here, you will find all questions that have not been answered yet from [https://www.thomas-krenn.com/de/tkmag/webinare/opnsense-qa-webinar/ Large OPNsense Q&A webinar – with m.a.x. it] listed with answers:

'''Questions about VPN topics'''

# Which setup is recommended if you want to connect '''10 sites with the same IP subnet''' per VPN? In the past, this was resolved in pfSense using a '''Transfer NAT''' network with OpenVPN certificates.
#* 10 locations on the same subnet—you shouldn't do that; alternatively, renumber them. Otherwise, it is also possible with NAT, but quite complicated. Our recommendation is to renew the subnets.
# What is the best practice when setting up a default gateway and multiple gateways for specific networks? Should you select the default gateway as the “IPv4 Upstream Gateway” for the interface? Or is it better to use auto-detect and then check the box for "Upstream Gateway" (or, depending on the version: "Default Gateway") under ''System -> Gateways -> Single''? What if you have multiple uplinks (System/Gateways/Group)? Do you then select the upstream gateway for all interfaces? And how do you specify which gateway OpnSense’s own services (WireGuard, OpenVPN, etc.) should use?
#* Allowing the upstream gateway on the interface enables true multi-WAN. PF rules are set so that a package so that a packet that comes in on Line B also goes out on that line. Upstream gateway checkbox in gateways simply means that this gateway can also be used as the default gateway if ''Default GW Switching'' is active in ''System -> Settings -> General''. For more details, feel free to ask about this on the OPNsense forum.
# How suitable is '''OPNsense as a central server for VPN road warriors''' for installations? Is there any way to automate the deployment of the client configuration here?
#* The OPNsense export feature can be accessed via the API, so you could write a script for it; there isn't anything off-the-shelf available at the moment.
# How to set a WireGuard connection as interface?
#* Once you have configured and enabled the WireGuard service, you can assign an interface to wg0, for example, in the Interfaces -> Assign Interfaces section.
# Is it possible to '''NAT for IPSec connections'''? For IPsec, no corresponding interface is available when selecting NAT rules.
#* Yes, you have to look for BINAT in the documentation. The company m.a.x. it has also sponsored the development for more P2 with NAT together with OPNsense 21.1.
# Is there the opportunity in '''IPsec''', to allocate SPD policies to several phase 2 tunnels? (source NAT, multiple internal nets)
#* Yes, this has been sponsored by m.a.x. it with OPNsense 21.1.
#* Is it known that '''WireGuard''' occasionally stops the traffic. Turning the service off and then back on will restore everything to normal.
#* Which '''plugins''' are a must have? Which client-VPN is advantageous for OPNsense? IPsec (Cisco-NCP-bintec-lancom), Wireguard or OpenVPN?
#* The fewer plugins, the better. OpenVPN is best for ClientVPN.

'''Questions on firewall topics'''

# Is there the option "were used" in the Firewall -> Alias section to find out, which rules are used by the '''Alias'''?
#* No, as soon as the firewall rules and NAT are migrated on API, it would be worth a feature request for OPNsense. This function is known by Cisco ASA and Sophos systems.
# Does an OPNsense-firewall help with a recent exchange attack?
#* No, that would be too late. The Nginx plugin has a WAF ( Web Application Firewall). In our opinion, however, that would not have worked here.
# How is an '''additional filter in the firewall live log''' activated?
#* In the firewall live log, an additional filter gets active, when it is created and added with +.
#'''Blocker for malicious hosts in the Internet''' can be set up on different levels. When and where should you use a blocker: DNS, pf-Rule, Suricata?
#* DNS blacklisting and the FireHOL is sufficient.
#'''Use OPNsense as a gateway''' to the Internet for specific applications and monitor data traffic: Create FW-rules with, for example, *.teamviewer.com? Evaluate data traffic and generate alerts?
#* *. DNS Alias does not work. For this, the proxy is needed.

'''Performance questions'''

# A '''performance comparison''' between pfSense and OPNsense (Internal firewalling without IPS to isolate/protect services yielded the following results: 3Gbit/s were reached with pfSense and 900Mbit with OPNsense. The tests have been performed on the identical hardware, each as a VMware VM. Have there been any improvements to OPNsense in the meantime?
#* Yes and no, pfSense uses better default settings. So, the settings in OPNsense need to be adjusted accordingly. However, one customer is achieving throughput speeds of 6 Gbps using a VMware VM (OPNsense 20.1)—could the problem actually be with the VM?

'''General questions'''

# Is it possible to rebuild the '''webfilter reporting''' of a Sophos UTM with OPNsense?
#* Yes, but it would take a lot of effort; you're better off checking out the Sensei plugin.
# Is there a '''graphic mail log''' as with Sophos UTM?
#* Yes, Rspamd has a web console that can be accessed via port forwarding to localhost on port 11334.
# Is it possible to setup a watchdog function for OPNsense services via '''Monit'''? Is there a documentation on all relevant services?
#* Yes, but only manually. In the comprehensive OPNsense documentation covering all relevant services, you will also find a section on [https://docs.opnsense.org/manual/monit.html Monit].
# Is there something like a '''Packet Tracer Policy Lookup''' in OPNsense?
#* No, this is not available.
# When will '''ZFS as a file system option''' finally be available during installation?
#* Eventually with OPNsense 22.1.

'''Questions on high availability cluster'''

# In a '''HA-compound (currently 2 cores)''', Squid should always appear to the outside world with the same source IP, regardless of the node (VIP from a /27 net). How can this be configured?
#* This should function with outbound NAT.
# In a test setup, I set up two OPNsense firewalls in a VMware environment and created a high-availability cluster following the Thomas-Krenn instructions. "Disable preempt" has been activated. However, in the event of a failover (when a NIC is disconnected), only that one IP address is moved to Firewall 2, not all IP addresses. Is this the desired behaviour?
#* Never click on disable preempt! HA in VMware requires adjustments on ESX via CLI.

'''Hardware and hypervisor-related questions'''

# How can you determine whether a '''NIC is suitable for Suricata in IPS mode with VLANs''' (keyword: netmap)? The driver groups listed by FreeBSD are not really helpful (em, re, etc.). In practice, many NICs prove to be unstable.
#*This was explained in the webinar.
# Which procedure (also with regard to performance) would be more recommendable: VLANs on fewer NICs or for every VLAN an individual dedicated NIC?
#* This was explained in the webinar.
# Is OPNsense compatible with '''AMD Ryzen CPUs'''?
#* Yes, take a look at our AMD-based servers in the Thomas-Krenn online shop.
# Are there any experiences with '''OPNsense and VXLAN'''?
#* It's possible, but unfortunately we don't have any experience with it. It's usually done at the hypervisor level.
# How can I add '''multiple LAN interfaces in a virtual OPNsense environment?
#* Once they're added via the hypervisor, they'll also appear in the system. Attention: This messes up all existing interfaces, and they must be corrected via the console.

'''Questions on OPNsense Business Edition'''

# We operate a OPNsense-HA-cluster (V. 20.7.8) on a dedicated Thomas-Krenn hardware including an activated '''Business Edition'''. Should we already upgrade to version 21.x?
#* OPNsense 21.1 is not yet available for business edition users.
# What is next for '''centralized management of multiple OPNsense firewalls'''? As far as we know, this feature is only available in the Business Edition; I haven't used it yet. Is it useful, and what can you tell us about central management?
#* Only the LITE features, such as upgrades and the WebUI, are available. Policy rollouts are not supported.

{{Tniedermeier}}
{{Aranzinger}}
[[Category:OPNsense]]
[[de:OPNsense FAQs]]

Update Intel Microcode under VMware

2026-03-20T10:44:37Z

Aranzinger: Created page with "VMware regularly releases microcode updates for Intel CPUs for ESXi. After installing such updates, new Intel Microcode versions are installed during the starting process. In this article, we show how to '''verify the Microcode version''' on a server with VMware ESXi 6.7 and '''install newer microcode versions as needed'''. == Example of setup == In this example, we use the following setup: * Server with ASUS P10S-M Mainboard with BIOS version 4401 (notifica..."

VMware regularly releases microcode updates for Intel CPUs for ESXi. After installing such updates, new [[Intel Microcode]] versions are installed during the starting process. In this article, we show how to '''verify the Microcode version''' on a server with [[VMware ESXi 6.7]] and '''install newer microcode versions as needed'''.

== Example of setup ==
In this example, we use the following setup:
* Server with [[ASUS P10S-M Mainboard]] with BIOS version 4401 (notification: This example is not on the VMware HCL)
* VMware ESXi 6.7 (directly after installation, for now, without applying any patches)

The test was conducted on August 27, 2018, using the latest available BIOS, microcode, and software versions at that time. This clearly demonstrates how the latest security updates—both microcode and software updates—can be applied in security-critical environments.

== Read out BIOS version ==
First, verify the BIOS version:
<pre>
[root@localhost:~] esxcfg-info | grep -i bios
|----BIOS UUID................................................0x50 0xaa 0xab 0xc 0x5d 0x93 0x17 0x2c 0x39 0x7b 0x2c 0x4d 0x54 0x47 0xd 0xc1
|----BIOS Vendor..............................................American Megatrends Inc.
|----BIOS Version.............................................4401
|----BIOS ReleaseDate.........................................2018-03-05T00:00:00
|----BIOS Asset Tag...........................................To Be Filled By O.E.M.
|----Name............................................HardwareSMBIOSHeap
|----Group Name..........................HardwareSMBIOS
|----World Command Line.................................grep -i bios
|----Option Name........................................ignoreHwSMBIOSInfo
[root@localhost:~]
</pre>

If it is a Thomas-Krenn system, the latest BIOS version for the mainboard can be found in the [[BIOS security updates]] article. In this example, the latest BIOS-version available is already existing.

== Read out current Microcode version ==
[[File:Microcode-Update-Guidance-20180808-Page-12.png|thumb|right|In the Microcode Update Guidance dated August 8, 2018 (see [[Intel Microcode#Microcode Versions|Intel Microcode - Microcode Versions]]), Intel lists the new microcode version 0x8E is listed for the Xeon E3-1220 v6 processor used in this example.]]

The currently available Microcode version can be read out on the SSH shell with the '''vsish''' command:
<pre>
[root@localhost:~] vsish -e cat /hardware/cpu/cpuModelName
Intel(R) Xeon(R) CPU E3-1220 v6 @ 3.00GHz
[root@localhost:~] vsish -e cat /hardware/cpu/cpuList/0 | grep -i -E 'family|model|stepping|microcode|revision'
Family:6
Model:158
Stepping:9
Number of microcode updates:0
Original Revision:0x00000084
Current Revision:0x00000084
[root@localhost:~]
</pre>

In this example, the current Microcode version 0x84 is available.

Intel provides information on available Microcode versions in the ''Microcode Update Guidance'' document (see [[Intel Microcode#Microcode Versionen|Intel Microcode - Microcode versions]]). In this document, CPUs are listed by their [[CPUID]] (not by family/model/stepping). In the full output of the vsish cpuList command, the CPUID can be found in the "1:CPUID leaf" section under "EAX" (in this example, 0x906e9):
<pre>
[root@localhost:~] vsish -e cat /hardware/cpu/cpuList/0
CPU information {
Family:6
Model:158
Type:0
Stepping:9
[...]
CPUID:CPUID content {
0:CPUID leaf {
EAX:0x00000016
EBX:0x756e6547
ECX:0x6c65746e
EDX:0x49656e69
}
1:CPUID leaf {
EAX:0x000906e9
[...]
Number of microcode updates:0
Original Revision:0x00000084
Current Revision:0x00000084
[...]
</pre>

Alternatively, the CPUID can be determined in the following way based on Familiy/Model/Stepping:
# Note Family/Model/Stepping in Hex format. The /proc/cpuinfo file outputs the values in decimal format:
#* Family: 6 -> 0x6
#* Model: 158 -> 0x9e
#* Stepping: 9 -> 0x9
# The CPUID has the setup '''0FFM0FMS'''. Now work your way from the back to the front to determine the CPUID based on Family/Model/Stepping:
# S (Stepping) = 9
# M (last digit of the model number) before: e9
# F (Family) before = 6e9
# The digit 0 before = 06e9
# Model (penultimate digit of the model number) before that = '''906e9'''

When searching for "906e9" in the "Microcode Update Guidance" document dated August 8, 2018, the "New Production MCU Rev" column lists microcode version "0x8E". In this case, Intel is providing a newer microcode version than the one currently installed on the system.

=== Install patch ===
VMware provides Microcode updates together with other patches for download.

Install all available updates (as described in the article [[Update VMware ESXi]]). In this example, the ESXi670-201808402-BG update is contained, which contains the new Microcode.<ref>[https://kb.vmware.com/s/article/56538 VMware ESXi 6.7, Patch Release ESXi670-201808402-BG - Updates cpu-microcode VIB] (VMware aknowledge base article 56538)</ref>

=== Query microcode ===
Checking the microcode version after applying the patches and restarting the host shows the new microcode version 0x8E:
<pre>
[root@localhost:~] vsish -e cat /hardware/cpu/cpuList/0 | grep -i -E 'family|model|stepping|microcode|revision'
Family:6
Model:158
Stepping:9
Number of microcode updates:1
Original Revision:0x00000084
Current Revision:0x0000008e
</pre>

== References ==
<references />

== More information ==
* [https://blogs.vmware.com/vsphere/2015/05/using-esxi-6-0-cpu-microcode-loading-feature.html Using the ESXi 6.0 CPU Microcode Loading Feature] (blogs.vmware.com, 08.05.2015)

{{Wfischer}}
{{Aranzinger}}
[[Category:Intel]][[Category:VMware]]
[[pl:Aktualizacja mikrokodu firmy Intel w VMware]]
[[de:Intel Microcode unter VMware aktualisieren]]

Linkspeed configuration of Broadcom network cards

2026-03-17T13:17:10Z

Aranzinger:

When integrating Broadcom network cards in Linux distributions, the linkspeed may differ from the expected value. This value can be configured later with the help of '''firmware utility bnxtnvm'''.

This article describes the verification and configuration of the linkspeeds with the help of bnxtnvm/NICCLI.

Before you start, follow this article for the [[Activation of maintenance mode in Proxmox VE|Activation of maintenance mode in Proxmox VE]].
==Verification of linkspeed==
Due to the mixed operation of different linkspeeds, individual ports may be out of service. In a production environment, this manifests itself as missing connections and/or reduced network speeds, for example, when operating a server cluster with mesh cabling. All transceivers of the configured network card must be also removed.

'''Hint:''' Please note the [[Broadcom network cards|Compatibility of linkspeeds]]. Certain Broadcom cards support only certain or no mixed operations.

Here is an example for a defective issue: root@PMX1:~# ethtool enp67s0f0np0
Settings for enp67s0f0np0:
Supported ports: [ FIBRE ]
Supported link modes: 10000baseT/Full
25000baseCR/Full
Supported pause frame use: Symmetric Receive-only
Supports auto-negotiation: Yes
Supported FEC modes: RS BASER
'''Advertised link modes: 10000baseT/Full'''
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Advertised FEC modes: RS BASER
Speed: 10000Mb/s
Duplex: Full
Auto-negotiation: on
Port: Direct Attach Copper
PHYAD: 0
Transceiver: internal
Supports Wake-on: g
Wake-on: d
Current message level: 0x00002081 (8321)
drv tx_err hw
Link detected: yes
Under "Advertised link modes", only the speed is displayed (10 Gb/s), although the network card could run on 25 Gb/s.
== Linkspeed configuration with bnxtnvm==
'''Hint:''' If you are using a mesh network, you may need to disconnect the direct cabling of the systems to be configured before beginning the configuration process. The other systems can remain connected to each other.

To reach the desired and full functionality of the network cards, you must force the network cards to use the desired speed using bnxtnvm.

bnxtnvm can be downloaded in the [https://www.thomas-krenn.com/redx/tools/mb_download.php/ct.YuuHGw/mid.y9b3b4ba2bf7ab3b8/bnxtnvm.zip?utm_source=thomas-krenn.com&utm_medium=RSS-Feed&utm_content=Broadcom%20bnxtnvm%20Firmware%20Update%20Utility&utm_campaign=Downloads Thomas-Krenn download area] for your Windows systems or use the following commands on your Linux systems:<pre lang="bash" start="1">
wget https://www.thomaskrenn.com/redx/tools/mb_download.php/ct.YuuHGw/mid.y9b3b4ba2bf7ab3b8/bnxtnvm.zip &&
unzip bnxtnvm.zip &&
chmod +x bnxtnvm
</pre>Next, you'll need to enter a series of commands to adjust your system to the desired speed:
=== Reading configurable speeds ===
In the first step, the driver linkspeed IDs of the network card are required:
./bnxtnvm -dev=enp67s0f0np0 optionhelp=drv_link_speed
Issue:<pre lang="bash">d
Name : drv_link_speed
Description : Driver Link speed
Option Type : Multi Instance Type
Max Instance Indexes : 0 to 15
Valid values :
0 (Autoneg)
1 (1G)
2 (10G)
3 (25G)
4 (40G)
5 (50G)
6 (100G)
7 (200G_PAM4)
8 (50G_PAM4)
9 (100G_PAM4)
14 (5G)
15 (100M)
</pre>The linkspeed ID is required for the enforcement of the desired linkspeed.
===Configuration of linkspeed===
The linkspeed is now set with the help of the linkspeed ID:<pre lang="bash">
./bnxtnvm -dev=enp67s0f0np0 setoption=drv_link_speed:0#3

./bnxtnvm -dev=enp67s0f0np0 setoption=firmware_link_speed_d0:0#3

./bnxtnvm -dev=enp67s0f0np0 setoption=firmware_link_speed_d3:0#3
</pre>Explanation of the commands:
{| class="wikitable"
!Interface-ID||Option||Port|| Linkspeed-ID
|-
|enp67s0f0np0||drv_link_speed||0||3
|-
|enp67s0f0np0||firmware_link_speed_d0||0||3
|-
|enp67s0f0np0||firmware_link_speed_d3||0|| 3
|}The drv_link_speed, firmware_link_speed_d0 & firmware_link_speed_d3 have to be set for all ports.

The values correspond to the number of ports of the used network cards (for example 0, 1, 2 and 3 for a network card with 4 network ports).

With the linkspeed ID "3", a speed of 25 Gb/s is forced.

You will receive the following issue after performing the command:<pre lang="bash">
root@PMX1:~# ./bnxtnvm -dev=enp67s0f0np0 setoption=drv_link_speed:0#3
drv_link_speed is set successfully
Please reboot the system to apply the configuration
</pre>After entering the commands for all ports, a reboot of the system is necessary.

===Verification of changes===
Perform the following command to verify the state:<pre lang="bash">
./bnxtnvm -dev=enp67s0f0np0 device_info
</pre>The configuration has been performed correctly, when the '''FW image status''' outputs the value '''Operational''':
root@PMX1:~# ./bnxtnvm -dev=enp67s0f0np0 device_info

Device Interface Name : enp67s0f0np0
MACAddress : bc:97:e1:da:92:a0
Base MACAddress : BC:97:E1:DA:92:A0
Device Serial Number : P425G214400143FV
Chip Number : BCM57504
Part Number : BCM957504-P425G
Description : Broadcom NetXtreme-E Quad-port 25Gb Ethernet PCIe Adapter
PCI Vendor Id : 14e4
PCI Device Id : 1750
PCI Subsys Vendor Id : 14e4
PCI Subsys Device Id : 2100
PCI Device Name : 0000:01:00.0
Adapter Rev : 11
Active Package version : 224.1.102.0
Package version on NVM : 224.1.102.0
Firmware version : 224.0.159.0
Active NVM config version : 0.0.34
NVM config version : 0.0.34
Firmware Reset Counter : 0
Error Recovery Counter : 0
Crash Dump Timestamp : N/A
Reboot Required : No
Secure Boot : Enabled
Secure Firmware Update : Enabled
'''FW Image Status : Operational'''
Crash Dump Available in DDR : False
If this is not the case, the firmware of the network card must be synchronized additionally.
===Firmware sync===
Synchronizing the firmware will apply the entered link speed:<pre lang="bash">
./bnxtnvm -dev=enp67s0f0np0 fw_sync
</pre>

===Control with the help of ethtool===
The successful configuration can now be verified with the ethtool:root@PMX1:~# ethtool enp67f0np0
Settings for enp67f0np0:
Supported ports: [ FIBRE ]
Supported link modes: 10000baseT/Full
25000baseCR/Full
Supported pause frame use: Symmetric Receive-only
Supports auto-negotiation: Yes
Supported FEC modes: RS BASER
'''Advertised link modes: 25000baseCR/Full'''
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Advertised FEC modes: RS BASER
'''Speed: 25000Mb/s'''
Duplex: Full
Auto-negotiation: on
Port: Direct Attach Copper
PHYAD: 0
Transceiver: internal
Supports Wake-on: g
Wake-on: d
Current message level: 0x00002081 (8321)
drv tx_err hw
Link detected: yes

Finally, you can disable maintenance mode again and, if necessary, repeat this procedure for the remaining nodes.

==Linkspeed configuration with NICCLI==
'''Hint:''' In case of a mesh cabling, it may be necessary that you disconnect the direct cabling of the systems to be configured before beginning the configuration. The other systems can remain wired to each other. You also have to remove all transceivers of the configured network card.

To ensure that the network cards function as intended and at full capacity, you must use NICCLI to force them to operate at the desired speed.

===NICCLI installation===
To install NICCLI, follow these instructions: [[Installation NICCLI under Proxmox VE|Installation NICCLI]]

First, perform the following command to find out the assignment of the interface names and PCI-IDs:
root@PMX2:~# lshw -c network -businfo
Bus info Device Class Description
pci@0000:01:00.0 enp1s0f0np0 network BCM57508 NetXtreme-E 10Gb/25Gb/40Gb/50Gb/100Gb/200Gb Ethernet
pci@0000:01:00.1 enp1s0f1np1 network BCM57508 NetXtreme-E 10Gb/25Gb/40Gb/50Gb/100Gb/200Gb Ethernet
pci@0000:06:00.0 enp6s0f0 network I350 Gigabit Network Connection
pci@0000:06:00.1 enp6s0f1 network I350 Gigabit Network Connection
pci@0000:41:00.0 enp65s0f0np0 network BCM57416 NetXtreme-E Dual-Media 10G RDMA Ethernet Controller
pci@0000:41:00.1 enp65s0f1np1 network BCM57416 NetXtreme-E Dual-Media 10G RDMA Ethernet Controller
'''pci@0000:81:00.0 ens17f0np0 network BCM57504 NetXtreme-E 10Gb/25Gb/40Gb/50Gb/100Gb/200Gb Ethernet'''
pci@0000:81:00.1 ens17f1np1 network BCM57504 NetXtreme-E 10Gb/25Gb/40Gb/50Gb/100Gb/200Gb Ethernet
pci@0000:81:00.2 ens17f2np2 network BCM57504 NetXtreme-E 10Gb/25Gb/40Gb/50Gb/100Gb/200Gb Ethernet
pci@0000:81:00.3 ens17f3np3 network BCM57504 NetXtreme-E 10Gb/25Gb/40Gb/50Gb/100Gb/200Gb Ethernet
usb@1:1.3 enx42a65ce855c5 network Ethernet interface

Next, enter "niccli" in the CLI. After this, you have to select a port index. Select the index here that has the same PCI ID as the one selected above:
root@PMX2:~# niccli
/opt/niccli/niccli.x86_64: /lib/x86_64-linux-gnu/libnl-3.so.200: no version information available (required by /opt/niccli/niccli.x86_64)

-------------------------------------------------------------------------------
Scrutiny NIC CLI v229.0.150.0 - Broadcom Inc. (c) 2024 (Bld-79.52.33.102.16.0)
-------------------------------------------------------------------------------

BoardId MAC Address FwVersion PCIAddr Type Mode
1) BCM57508 84:16:0C:6F:16:90 226.0.145.1 0000:01:00.0 NIC PCI
2) BCM57508 84:16:0C:6F:16:90 226.0.145.1 0000:01:00.1 NIC PCI
3) BCM57416 00:62:0B:31:4A:F0 226.0.145.0 0000:41:00.0 NIC PCI
4) BCM57416 00:62:0B:31:4A:F1 226.0.145.0 0000:41:00.1 NIC PCI
'''5) BCM57504 00:62:0B:6F:00:8C 226.0.145.1 0000:81:00.0 NIC PCI'''
6) BCM57504 00:62:0B:6F:00:8C 226.0.145.1 0000:81:00.1 NIC PCI
7) BCM57504 00:62:0B:6F:00:8E 226.0.145.1 0000:81:00.2 NIC PCI
8) BCM57504 00:62:0B:6F:00:8E 226.0.145.1 0000:81:00.3 NIC PCI

Enter the target index to connect with : 5

=== Reading out configurable speeds ===

Now, you can read out the linkspeed ID for the desired port speed:<pre>
BCM57504> setoption -name firmware_link_speed_d0 -value ? -scope 0
ERROR: Invalid syntax.
Name : firmware_link_speed_d0
Description : This per-port option configures the speed setting when the device is in D0 mode.
The default speed is set to Autoneg. A 10GBaseT board only allows Autoneg.
Option Type : Multi Instance Type
Instance Indexes : 0 to 15
Valid values :
0 (Autoneg)
1 (1G)
2 (10G)
3 (25G)
4 (40G)
5 (50G)
6 (100G)
7 (200G_PAM4)
8 (50G_PAM4)
9 (100G_PAM4)
14 (2_5G)
15 (100M)
BCM57504>

</pre>
The linkspeed ID is required for the enforcement of the desired linkspeed.

=== Configuration of the linkspeed ===
This linkspeed ID must be entered in the following command under "-value ":<pre>
BCM57504> setoption -name firmware_link_speed_d0 -value 3 -scope 0
BCM57504> setoption -name firmware_link_speed_d0 -value 3 -scope 1
BCM57504> setoption -name firmware_link_speed_d0 -value 3 -scope 2
BCM57504> setoption -name firmware_link_speed_d0 -value 3 -scope 3
firmware_link_speed_d0 is set successfully
Please reboot the system to apply the configuration
</pre>
The same must be repeated for "firmware_link_speed_d3": <pre>
BCM57504> setoption -name firmware_link_speed_d3 -value 3 -scope 0
BCM57504> setoption -name firmware_link_speed_d3 -value 3 -scope 1
BCM57504> setoption -name firmware_link_speed_d3 -value 3 -scope 2
BCM57504> setoption -name firmware_link_speed_d3 -value 3 -scope 3
</pre>

Explanation of command:
{| class="wikitable"
! Option || Linkspeed-ID (value)|| Port (scope)
|-
| firmware_link_speed_d0|| 3|| 0-3
|-
| firmware_link_speed_d3|| 3|| 0-3
|}
The firmware_link_speed_d0 & firmware_link_speed_d3 options must be set for all ports.

The values correspond to the number of ports of the used network card (for example 0, 1, 2 and 3 for a network card with 4 network ports).

With the linkspeed ID "3", a speed of 25 Gb/s is forced.

After entering the commands for all ports, a reboot of the system is necessary.

=== Verification of changes ===
Enter "niccli" again in the CLI after the reboot and perform the following command:
BCM57504> device_info
Interface Name : ens17f0np0
MAC Address : 00:62:0B:6F:00:8C
Base MAC Address : 00:62:0B:6F:00:8C
Serial Number : N425G224200E5NFG
Part Number : BCM957504-N425G
PCI Address : 0000:81:00.0
Chip Number : BCM57504
Chip Name : THOR
Description : Broadcom NetXtreme E-Series Quad-port 25Gb SFP28 OCP 3.0 Ethernet Adapter
Active Package Name : 226.1.107.1
Firmware Name : PRIMATE_FW
Firmware Version : 226.0.145.1
RoCE Firmware Version : 226.0.145.0
HWRM Interface Spec : 1.10.2
Kong mailbox channel : Not Applicable
Active Package Version : 226.1.107.1
Package Version on NVM : 226.1.107.1
PCI Device ID : 0x1751
PCI Vendor ID : 0x14E4
PCI Revision ID : 0x11
PCI Component ID : 0x1751
PCI Subsys Device ID : 0x5425
PCI Subsys Vendor ID : 0x14E4
Active NVM config version : 0.0.37
NVM config version : 0.0.37
Reboot Required : No
Firmware Reset Counter : 0
Error Recovery Counter : 0
Crash Dump Timestamp : Not Available
Secure Boot : Enabled
Secure Firmware Update : Enabled
'''FW Image Status : Operational'''
Crash Dump Available in DDR : No
Verify, whether the value is set to "Operational". If this is not the case, you have to perform a firmware sync. Otherwise, the configuration has been successful.

=== Firmware sync ===
Synchronizing the firmware will apply the entered link speed:<pre>
BCM57504> fw_sync
</pre>

=== Control with the help of ethtool ===
Now, you can verify the configuration of the network card with ethtool:
root@PMX2:~# ethtool ens17f0np0
Settings for ens17f0np0:
Supported ports: [ FIBRE ]
Supported link modes: 10000baseT/Full
10000baseKX4/Full
10000baseKR/Full
25000baseCR/Full
25000baseKR/Full
25000baseSR/Full
10000baseCR/Full
10000baseSR/Full
10000baseLR/Full
Supported pause frame use: Symmetric Receive-only
Supports auto-negotiation: Yes
Supported FEC modes: RS BASER
'''Advertised link modes: 25000baseCR/Full'''
Advertised pause frame use: No
Advertised auto-negotiation: No
Advertised FEC modes: Not reported
'''Speed: 25000Mb/s'''
Duplex: Full
Auto-negotiation: off
Port: FIBRE
PHYAD: 0
Transceiver: internal
Supports Wake-on: g
Wake-on: d
Current message level: 0x00002081 (8321)
drv tx_err hw
Link detected: no

Finally, you can disable maintenance mode again and, if necessary, repeat this procedure for the remaining nodes.

{{Npauli}}
{{Aranzinger}}
[[Category:Network cards]]
[[Category:Proxmox Administration]]
[[de:Linkspeed-Konfiguration von Broadcom Netzwerkkarten]]

KeePassXC password manager

2026-03-16T12:13:56Z

Aranzinger: Created page with "'''KeePassXC''' is an open source password manager for Windows, Linux, BSD and Mac OS that uses the KeePass 2.x (.kdbx) data file format for safing passwords. Such a data file format can also be used with other systems, for example with KeePassDX (open source password manager for Android) when the file is copied there. == Safety == KeePassXC '''does not perform a synchronisation''' about cloud providers. '''All passwords remain on your own computer''' (unless..."

'''KeePassXC''' is an open source password manager for [[Windows]], [[Linux]], BSD and Mac OS that uses the KeePass 2.x (.kdbx) data file format for safing passwords. Such a data file format can also be used with other systems, for example with KeePassDX (open source password manager for Android) when the file is copied there.

== Safety ==
KeePassXC '''does not perform a synchronisation''' about cloud providers. '''All passwords remain on your own computer''' (unless you manually copy or sync the .kdbx database file, for example, to your smartphone).

Cloud-specific security vulnerabilities in cloud-based password managers, such as those published by ETH Zurich in February 2026 for three cloud solutions,<ref>[https://ethz.ch/de/news-und-veranstaltungen/eth-news/ news/2026/02/passwortmanager-offer-less-protection-than-promised.html Password managers offer less protection than promised] (ethz.ch, February 16, 2026)</ref> cannot occur due to the architecture.

Furthermore, the BSI also provides more information on the safety of passwort managers.<ref>[https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Accountschutz/Sichere-Passwoerter-erstellen/Passwort-Manager/passwort-manager_node.html Administrate passwords with a password manager] (www.bsi.bund.de)</ref>

== Installation ==
KeePassXC is available for download on the KeePassXC website.<ref>[https://keepassxc.org/download/ Download KeePassXC] (keepassxc.org)</ref> The installation is recommended via Flatpak package under Linux.

Under [[Linux Mint]], KeePassXC can be installed via software manager (select Flatpak (Flathub) as source):
:[[File:KeePassXC-Installation.png|300px]]

== Setup ==
The following screenshots show the setup of KeePassXC:
<gallery>
File:KeePassXC-01-Welcome-to-KeePassXC.png|Click on "Create Database".
File:KeePassXC-02-Create-new-database.png|Enter the database name and, optionally, a description.
File:KeePassXC-03-Encryption-settings.png|Leave the default database format as KDBX 4.
File:KeePassXC-04-Encryption-settings-advanced.png|Under "Advanced", you can change the encryption settings.
File:KeePassXC-05-Database-credentials.png|Set master password.
File:KeePassXC-05-Database-credentials-additional-protection.png|After clicking “Add additional protection...”, you can optionally configure a key file and a challenge-response mechanism.
File:KeePassXC-07-Save-database-as.png|Specify the file name and folder for the database file.
File:KeePassXC-08.png|The database has been created.
File:KeePassXC-09-Add-new-entry.png|Click the "+" button to create a new password entry.
File:KeePassXC-10-Entry.png|Entry
File:KeePassXC-11-Advanced.png|Advanced
File:KeePassXC-12-Icon.png|Icon
File:KeePassXC-13-Auto-Type.png|Auto-Type
File:KeePassXC-14-Properties.png|Properties
File:KeePassXC-15-Entry-OK.png|After setting all parameters, click "OK".
File:KeePassXC-16.png|The entry (for Mastodon in this example) has now been created.
File:KeePassXC-17-right-click.png|Right-clicking on the entry displays available actions
File:KeePassXC-18-unlock.png|When KeePassXC is closed and restarted, you must enter the master password.
File:KeePassXC-19.png|Once you enter the master password, the entries you created will be visible again.
</gallery>

== More information ==
* [https://keepassxc.org/ KeePassXC Password Manager] (keepassxc.org)
* [https://www.freiburg.linux.de/vortraege/FLUG-2025-Passkeys-With-KeePassXC.pdf Passkeys With KeePassXC - An Introduction] (www.freiburg.linux.de, 17.09.2025) Lecture by Janek Bevendorff (KeePassXC Maintainer) at the Freiburger Linux User Group.

== References ==
<references />

{{Wfischer}}
{{Aranzinger}}
[[Category:Linux]]
[[de:KeePassXC Passwortmanager]]

Supplement to safety instructions for Intel products 2026.1 IPU

2026-03-13T08:09:07Z

Aranzinger: Created page with "In March '''2026''', Intel published new security advisories for different Intel products with regard to IPU 2026. Some of these safety instructions require '''firmware updates'''. In this article, you will find an excerpt and hints on these security advisories as well as information on where to find updates for products from Thomas-Krenn. == Security advisories == In the following, you will find safety instructions on the firmware published by Intel. {| class="wiki..."

In March '''2026''', Intel published new security advisories for different Intel products with regard to IPU 2026. Some of these safety instructions require '''firmware updates'''.

In this article, you will find an excerpt and hints on these security advisories as well as information on where to find updates for products from Thomas-Krenn.

== Security advisories ==
In the following, you will find safety instructions on the firmware published by Intel.

{| class="wikitable"
|- style="background-color: #EFEFEF; font-weight: bold;"
! align="center" |Intel security advisory
! align="center" |title
! align="center" |affected systems
|-
|align=center | [https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01393.html INTEL-SA-01393]
|align=center | 2026.1 IPU, UEFI Reference Firmware Advisory
| rowspan="35" align="left" | (see Intel-SA)
|-
|align=center | [https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01234.html INTEL-SA-01234]
|align=center | 2025.3 IPU, UEFI Reference Firmware Advisory
|}

== Updates for Thomas-Krenn products ==
Updates on the corresponding system can be found in the <tklink type="sitex" id="440"> download area from Thomas-Krenn</tklink>.
The updates in the download area have been tested by us to guarantee the stability and compatibility of our systems.

If you require the latest version for your system and it is not yet available in our download area, you can get it at [https://www.asus.com/de/support/download-center/ Asus] , [https://www.supermicro.com/en/support/resources/downloadcenter/swdownload Supermicro] or [https://www.gigabyte.com/de/Support/Consumer/Download Gigabyte].

== More information ==
* [https://www.intel.com/content/www/us/en/security-center/default.html Security Center] (www.intel.com)

{{Thomas-Krenn.AG}}
{{Aranzinger}}
[[Category:Intel Safety Information]]
[[de:Ergänzung zu Sicherheitshinweise Intel Produkten 2026.1 IPU]]

Monitoring of a Proxmox cluster with checkmk

2026-03-12T08:57:44Z

Aranzinger: Created page with "This article explains how to monitor a Proxmox Ceph HCI cluster (3 nodes) and how to make the configuration. For the configuration of the Ceph-checks, please see the following article: Monitoring of a Proxmox VE Ceph Hosts with checkmk. '''Attention''': These instructions only function if you have a valid SSL-certificate and if the Proxmox nodes are soluble via DNS. For all other setups, there is the point "Monitoring without DNS and SSL". == Requirements ==..."

This article explains how to monitor a Proxmox Ceph HCI cluster (3 nodes) and how to make the configuration. For the configuration of the Ceph-checks, please see the following article: [[Monitoring of a Proxmox VE Ceph Hosts with checkmk]].

'''Attention''': These instructions only function if you have a valid SSL-certificate and if the Proxmox nodes are soluble via DNS. For all other setups, there is the point "Monitoring without DNS and SSL".

== Requirements ==
To monitor a Proxmox VE cluster, the following components are needed with checkmk:

* an installed Linux server (Debian 12 preferred)
* a complete installation of the docker
* an operation-ready, functional checkMD-RAW container (free of charge)
* Proxmox nodes must be soluble via DNS
* Proxmox nodes need a valid SSL-certificate

== Proxmox configuration ==
So that checkmk can call up the data from Proxmox VE, a group and an associated user must be created and justified on <code>Datacenter</code>-level.

<gallery>
file:04 Permissions definieren checkmk.png|Create read-only group
file:04 Permissions definieren checkmk.png|Set group rights
file:03 checkmk user anlage.png|Create and assign user
</gallery>

== checkmk agent installation ==
This step must be performed for every host. So that the agent can registrate in checkmk, you first have to create the host in checkmk. Log in to the Web-UI in checkmk under <code>Setup -> Agents -> Linux</code>. You need the packaged-agent:<code>check-mk-agent_2.2.0p8-1_all.deb</code>. On the Proxmox host, you can install it as follows:<pre>

root@PMX4:~# wget http://10.2.1.180:8006/cmk/check_mk/agents/check-mk-agent_2.2.0p8-1_all.deb
root@PMX4:~# dpkg -i check-mk-agent_2.2.0p8-1_all.deb

</pre>

== Configuration in checkmk ==

=== Create Proxmox hosts ===
This step must be made for every host. In order for the agent to register in checkmk, we first need to create the host in checkmk. Log in to the Web-UI and you can add the Proxmox host under <code>Setup -> Hosts -> Add Host</code>. The following must be filled out:

* Basic settings -> Hostname: name or IP of the Proxmox host
* Monitoring agents -> Checkmk agent / API integrations: (API integrations if configured, else Checkmk agent)
* After saving with "Save & view folder", we configure the API integration using the special agent for Proxmox VE.

=== Deposit Proxmox user ===
Under setup, you can type in "Proxmox" and select "VM, Cloud, Container" with the sub-item Proxmox VE. With Add-Rule, you can create a rule. Here, it is important, that the following data is deposited:

* Username: deposit checkmk@pve
* Password: deposit relation
* Conditions -> select Explicit Conditions
* Explicit Hosts: All Proxmox nodes of the cluster created in checkmk must be selected here.

=== Deposit Proxmox cluster ===
* Setup -> Host -> Hosts > Add cluster
* Basic settings: host name: pve-cluster-01 (name of cluster) and node: add host to cluster
* Network address: IP address family: No IP
* Monitoring agents: Checkmk agent / API integrations: API integrations if configured, else Checkmk agent
* Safe

=== Configure clustered services ===
* Setup -> search for clustered -> Clusterd services
* Add Rule
* Conditions -> Explicit Hosts -> select nodes of PVE-cluster
* Services: Enter Interface fw in the first field and Interface tap in the second field.

== Registrate host at checkmk ==
If the agent is installed on the Proxmox core, you have to registrate the host in checkmk first. This must be performed for every server.
Please adapt the following parameters on the environment. Attention: We have changed the default port of the agent-receivers from 8000 to 8007.

* -- hostname <Name or IP of Proxmox Hosts>
* -- server <Name or IP + Port of checkmk-server>
<pre>
root@PMX4:/etc/check_mk# cmk-agent-ctl register --trust-cert --hostname hostname --server checkmkserver:8007 --site cmk --user cmkadmin

Please enter password for 'cmkadmin'
Registration complete.
</pre>

== Monitoring without DNS and SSL ==
[[File:01_Proxmox_Checks_(Without_Ceph).png|alt=Proxmox Cluster Checks without Ceph|thumb|Proxmox cluster checks without Ceph]]
These instructions only function if all hosts are reachable via DNS and if the SSL-certificates are valid! If you only want to have the checks with IP and without valid SSL-certificate, you have to do the following:

* create host in checkmk
* checkmk agent on Proxmox host
* registrate hosts with cmk-agent-ctl on checkmk-server
* service discovery in checkmk

If this is done, the basic checks are available.

 

== Source ==
* https://checkmk.com/de/blog/proxmox-monitoring

{{jsterr}}
{{Aranzinger}}
[[Category:Monitoring]]
[[Category:Monitoring (PVE)]]
[[de:Monitoring eines Proxmox Clusters mit checkmk]]

Windows installation on a RAID-compound

2026-03-09T12:07:58Z

Aranzinger: Created page with "In this article, you will find information on what to note when '''installing''' '''Windows desktop versions''' and '''Windows Server''' on a '''RAID''' to guarantee a smooth installation. ==Hardware and software== The following hardware and software is used as test environment: *Operating system: Windows Server 2022 Standard (desktop version) *Mainboard: Supermicro X12DPi-NT6 *CPU: Dual Intel Xeon Silver 4316 *RAM: 2x..."

In this article, you will find information on what to note when '''installing''' '''Windows desktop versions''' and '''Windows Server''' on a '''[[RAID]]''' to guarantee a smooth installation.

==Hardware and software==
The following hardware and software is used as test environment:

*Operating system: [[Windows Server 2022 Editionsunterschiede|Windows Server 2022 Standard]] (desktop version)
*Mainboard: Supermicro X12DPi-NT6
*CPU: Dual Intel Xeon Silver 4316
*RAM: 2x 64 GB ECC Registered (RDIMM) DDR4 2666 RAM 4 Rank
*[[RAID Controller]]
**[[MegaRAID 9500 Series Tri-Mode Storage Adapters|Broadcom MegaRAID 9560-8i SAS-SATA-NVMe]]
**[[Adaptec SmartRAID 3100 Controller|Microchip SmartRAID 3102-8i SAS-SATA]]
**[[Intel VROC (VMD NVMe RAID)]] Key (Raid 0,1,5,10)

==Installation preparation==
In the following, the preparations for the installation of a Windows operating system on a RAID compound are described.

===RAID creation and initialization===
First, a properly configured RAID is important. When creating the RAID, it should also be initialized.

Initializing a RAID overwrites several sectors of the virtual hard disk with zeros. If no initialization is performed, among other things, background tasks such as the consistency check, which checks the parities in RAID 5, 6, 50, and 60, cannot be performed later. For RAID 0, 1 and 10, a ''Fast Initialization'' is enough, where only the first and last sectors are overwritten. For RAID 5, 6, 50 and 60 is, however, a ''Full Initialization'' recommended, which overwrites all sectors with zeros and can therefore take several hours to days on larger hard drives (see also:[[MegaRAID Glossar|MegaRAID glossary]]).

In the following screenshots, the process for deleting, creating and initializing of a RAID for Broadcom, Adaptec and Intel VROC in UEFI-controller-BIOS is explained. If the RAID controller is not displayed in the BIOS, it is operated via [[#Legacy RAID|Legacy]]. Before you create a new RAID, you can delete the hard drive. This also deletes the existing RAID metadata on the hard disks and ensures smooth RAID creation.

====Broadcom MegaRAID====
In the following, the process for deleting, creating and initializing a Broadcom RAID under UEFI is explained.

<gallery widths="200" heights="180">
file:MegaRAID delete.jpg|Deleting a Broadcom RAID: In the mainboard BIOS under Advanced, you will find the controller BIOS. In this window, you must select the appropriate RAID under Virtual Drive Management in the Main Menu. The RAID can then be deleted under Operation in ''Delete Virtual Drive''.
file:MegaRAID Default Initialisierung.jpg|Creating a Broadcom RAID: In the ''Configuration Management'', which is also reachable under ''Main Menu, a new RAID can be created under'' ''Create Virtual Drive.'' After this, you have to select the hard drives, determine a RAID level and assign a name. With Broadcom controllers, you also have the option of performing a fast (almost) or complete (''full'') initialization under Default Initialization.
</gallery>

====Adaptec====
In the following gallery, it is explained how an Adaptec RAID is deleted and recreated under UEFI.

<gallery widths="200" heights="180">
file:Delete Logical Drives.jpg|Deleting an Adaptec RAIDS: First, open the controller BIOS in the mainboard BIOS under Advanced. Then delete the RAID by following these steps: Array Configuration --> Manage Arrays --> Array X --> List Logical Drives --> Logical Drive X --> Delete Logical Drive
file:Adaptec Array Config.jpg|Creating an Adaptec RAID: Array Configuration --> Create RAID --> Select hard drives --> RAID Level --> assign names and create RAID
</gallery>

====VROC====
In this gallery, the same process of deleting and recreating a VROC-RAID is explained.

<gallery widths="200" heights="180">
file:VROC Delete.jpg|Delete VROC RAID: To delete your RAID, you have to select the VROC-Controller under ''Advanced'' in the BIOS. After this, the RAID can be selected and deleted via ''Delete.''
file:VROC RAID erstellen.jpg|Creating a VROC RAID: You can create a VROC-RAID via ''Create RAID'' in the Controller BIOS. After this, the hard disk must be selected, a name and the RAID-level must be assigned.
</gallery>

===Boot mode===
Before the installation of the operating system can be started, the correct booting mode for the installation medium must be determined. There are two booting modes: '''UEFI''' and '''Legacy'''. The installation medium must be started in the same booting mode as for the RAID, as there may be complications with the installations.

The following table describes how to determine the mode of the controller:
{| class="wikitable"
|+
!UEFI
!Legacy
|-
|If the controller is operated with UEFI firmware, the controller BIOS can be found in the motherboard BIOS under ''Advanced''.
This is the case for both hardware RAIDs and onboard RAIDs (VROC). If the RAID has been configured here, it is a UEFI RAID.
|If the controller is addressed via legacy, the controller BIOS is not displayed in the mainboard BIOS.
The controller BIOS is now displayed when the server boots up and can be opened with a key combination. If the RAID was configured here, it is a legacy RAID.
|}

The following table shows the Legacy BIOS key combination:

{| class="wikitable"
!
!Broadcom
!Adaptec
!VROC/RST
|-
!'''Shortcut'''
|CTRL + R
|CTRL +A
|CTRL + I
|}

====Change of Legacy/UEFI====
The BIOS options specify whether each PCI slot on the motherboard is operated in legacy or UEFI mode. The mode can also be changed there.

In the case of Supermicro motherboards, this can be changed under the ''Advanced'' tab in the ''PCIe/PCI/PnP Configuration'' menu. All PCI slots are listed here in the format ''CPU SLOTX PCI-E ...'' and can be set individually to Legacy or EFI.

====Installationmedium Legace/UEFI====
If you have determined, in which mode the RAID has been created, the installation medium must be started in the same mode. If you get a notification after starting the installation medium, that it was started in the wrong mode, you have to recreate the medium with the right partition scheme ('''MBR for Legacy''' or '''GPT for UEFI'''): [[#Installationsmedium_mit_Rufus_erstellen|Create installation medium with Rufus.]]

In the BIOS under ''Save & Exit'', all possible boot media are displayed under ''Boot Override''.

[[file:BIOS Boot Override.jpg|frameless|400x400px]]

You can tell by the intention if the installation medium now starts via UEFI or Legacy.

'''UEFI:''' USB, Partition 2 (USB) - medium is started via UEFI.

'''No intention''': medium is started via Legacy.

If no UEFI or Legacy boot media is displayed, the ''Boot Mode'' can be changed to ''Legacy'', ''UEFI'' or ''Dual'' in the BIOS under ''Boot''.

===Use different ISO and medium===
Please make sure that an intact Windows ISO is used on an intact medium to guarantee a proper installation. It may come to installation cancellation or that the installation routine does not start when using corrupt Windows ISO-files.

If the installation does not start or if there are cancellations, the ISO should be downloaded or another ISO-file should be started. If problems still occur, the medium must be verified or changed.

===Create installation medium with Rufus===
Another source of errors during installation is the application used to create the installation medium. We recommend Rufus<ref>[https://rufus.ie/de/ Offizielle Homepage zum Programm Rufus]</ref>, as it is a small program and easy to understand. Currently, Rufus can only be used to create installation media for Windows, but according to the manufacturer, support for other operating systems is planned for the future.

You can download Rufus here: [https://rufus.ie/de/]

If you have started Rufus, select your USB stick under ''drive''. After this, you can add the desired ISO under ''choice''. Now, you have to select the ''partition scheme''. For a Legacy installation, you need MBR.

In this [[Windows UEFI Boot-Stick unter Windows erstellen|Wiki article]], it is explained, how to create an UEFI boot stick for Windows.

==Include driver during installation==
The respective drivers are needed for the installation of Windows for the used RAID controllers. If the created RAID is not displayed as a free drive in Windows Installer or if an error message is generated when attempting to install on it, these drivers may still be missing.

In this case, the respective drivers must be downloaded and included for the RAID controller. You will find the driver on our [https://www.thomas-krenn.com/de/download.html download page] or you can download it on the page of the manufacturer. After downloading, the archive, in which the driver is located, must be unpacked, copied to a USB stick and plugged into the server.

The following screenshots explain how to include the driver.

<gallery widths="200" heights="180">
file:Windowsinstaller Festplattenauswahl .jpg|First, open the window for selecting the driver via Load Driver.
file:Windowsinstaller Treiber suchen.jpg|In this window, you can open Explorer via Explorer. In Explorer, select the subfolder containing the driver on the USB stick and confirm.
file:Windows Treiber auswählen.jpg|Finally, the subfolder is searched for suitable drivers. When the driver is displayed, simply select it and confirm.
</gallery>

The RAID can then be selected as the installation location and the installation can be started then.

==References==
<references />

{{Slankl}}
{{Aranzinger}}
[[Category:Windows]]
[[de:Windows Installation auf einem RAID-Verbund]]

Qemu drive cache option

2026-03-06T08:06:46Z

Aranzinger:

'''Quick Emulator''' ('''QEMU''') is an Open Source emulator that emulates virtual hardware. QEMU can be used in combination with KVM and is used in this way in Proxmox. In this article, the QEMU drive option "cache" will be explained. The configuration of a QEMU drive contains the generation of a block driver node (backend) as well as a guest device.

== cache option ==
The option "cache" controls how the host cache is used for the access on block data.

The "cache" connection is a connection that determines the three options '''cache.direct''', '''cache.no-flush''' (both as in -blockdev) as well as '''cache.writeback''' (-device). The five cache modes writeback, none, writethrough, directsync and unsafe correspond to the following settings:<ref>[https://www.qemu.org/docs/master/system/qemu-manpage.html#hxtool-1 QEMU User Documentation (Manpage) - Block device options] (www.qemu.org/docs) <cite>cache is “none”, “writeback”, “unsafe”, “directsync” or “writethrough” and controls how the host cache is used to access block data. This is a shortcut that sets the cache.direct and cache.no-flush options (as in -blockdev), and additionally cache.writeback, which provides a default for the write-cache option of block guest devices (as in -device).</cite></ref>

{| class="wikitable"
|+
! colspan="2" |Cache
!-device options
! colspan="2" |-blockdev options
! colspan="3" |Notes<ref>[https://opendev.org/openstack/nova/commit/b9dc86d8d646472195070022ff7ae4c372bef4ca libvirt: Use 'writeback' QEMU cache mode when 'none' is not viable] (opendev.org/openstack/nova, 04.05.2019) <cite>The thing that makes 'writethrough' so safe against host crashes is that it never keeps data in a "write cache", but it calls fsync() after _every_ write. This is also what makes it horribly slow. But 'cache=none' doesn't do this and therefore doesn't provide this kind of safety. The guest OS must explicitly flush the cache in the right places to make sure data is safe on the disk. And OSes do that. 

So if 'cache=none' is safe enough for you, then 'cache=writeback' should be safe enough for you, too -- because both of them have the boolean 'cache.writeback=on'. The difference is only in 'cache.direct', but 'cache.direct=on' only bypasses the host kernel page cache and data could still sit in other caches that could be present between QEMU and the disk (such as commonly a volatile write cache on the disk itself).</cite></ref>
|-
!Name QEMU
!Name Proxmox VE GUI
!cache.writeback
!cache.direct
!cache.no-flush
! colspan="2" |Ensuring data integrity after a sudden host failure
!Writing performance
|-
|writeback
|Write back
! style="background-color:#CCFFCC;" align="center" |✔ (on)
! style="background-color:#FFCCCC;" align="center" |-
! style="background-color:#FFCCCC;" align="center" |-
| rowspan="2" |High, if the guest operating system/file system writes regularly the cache-content on the disk (flush). This is normally performed automatically by modern file systems. See also [[Ext4 Write Barriers]].
|Pagecache of host is used.
| rowspan="2" |high
|-
|none
|No cache
! style="background-color:#CCFFCC;" align="center" |✔ (on)
! style="background-color:#CCFFCC;" align="center" |✔ (on)
! style="background-color:#FFCCCC;" align="center" |-
|Pagecache of host is not used. However, data may still be stored in other caches (e.g., HDD cache). Therefore, the guest operating system must still perform regular flushes.
|-
|writethrough
|Write through
! style="background-color:#FFCCCC;" align="center" |-
! style="background-color:#FFCCCC;" align="center" |-
! style="background-color:#FFCCCC;" align="center" |-
| rowspan="2" |Very high, since QEMU with "writethrough" cache mode never stores data in a "write cache", but '''calls the fsync() function after each write operation'''.
|Pagecache of the host is used.
| rowspan="2" |low, as the fsync() function is called up after every writing process.
|-
|directsync
|Direct sync
! style="background-color:#FFCCCC;" align="center" |-
! style="background-color:#CCFFCC;" align="center" |✔ (on)
! style="background-color:#FFCCCC;" align="center" |-
|Pagecache des Hosts wird nicht verwendet.
|-
|unsafe
|Write back (unsafe)
! style="background-color:#CCFFCC;" align="center" |✔ (on)
! style="background-color:#FFCCCC;" align="center" |-
! style="background-color:#CCFFCC;" align="center" |✔ (on)
| style="background-color:#FFCCCC;" |No guarantee of data integrity! High risk of data loss!

This caching mode should only be used for temporary data, where data loss is not a problem. This mode can only be helpful for accelerating the guest installation. However, it should be absolutely switched to another caching mode in production environments.<ref>https://opendev.org/openstack/nova/src/commit/18a7dcb6e816e26e405259e981498f6a7bc71608/nova/conf/libvirt.py#L724</ref>
|Pagecache of host is used.
|highest
|}

The standard mode in QEMU is cache=writeback. In Proxmox VE, none (no cache) is used as standard.

=== cache.writeback ===
The mode '''cache.writeback=on''' is used by default. Data write operations are reported as completed as soon as the data is available in host pagecache. This is safe as long as your guest operating system ensures that the hard disk caches are emptied correctly if necessary. If your guest operating system does not proceed volatile hard disk writing caches correctly, your host or the power supply fails, it may come to data damages in your guest operating system.

For such guests, the use of cache.writeback=off should be taken into consideration. This means that the host pagecache is used for reading and writing data, but the writing notification is only then sent to the guest after QEMU made sure that every writing process has been emptied on the hard disk. Please note that this has a significant impact on the performance.<ref>[https://www.qemu.org/docs/master/system/qemu-manpage.html#hxtool-1 QEMU User Documentation (Manpage) - Block device options] (www.qemu.org/docs) <cite>By default, the cache.writeback=on mode is used. It will report data writes as completed as soon as the data is present in the host page cache. This is safe as long as your guest OS makes sure to correctly flush disk caches where needed. If your guest OS does not handle volatile disk write caches correctly and your host crashes or loses power, then the guest may experience data corruption. 
For such guests, you should consider using cache.writeback=off. This means that the host page cache will be used to read and write data, but write notification will be sent to the guest only after QEMU has made sure to flush each write to the disk. Be aware that this has a major impact on performance.</cite></ref>

{| class="wikitable"
|+
!Disk (settings Proxmox VE GUI)
!Request cache via
!Result at cache.writeback=on
!Result at cache.writeback=off
!Notes
|-
|IDE
| rowspan="2" |<nowiki>hdparm -I /dev/sdc | grep "Write cache"</nowiki>
| rowspan="2" |* Write cache
| rowspan="2" |Write cache (no asterisk in front of it)
| rowspan="2" |hdparm executes a ATA IDENTIFY DEVICE command, to request settings.
|-
|SATA
|-
|VirtIO Block
|cat /sys/block/vda/queue/write_cache
|write back
|write through
|The VirtIO block driver provides the information via sysfs.
|-
|SCSI
|sdparm --get=WCE /dev/sda
|WCE = 1
|WCE = 0
|sdparm performs a SCSI MODE SENSE command, to request settings. WCE stands for "Writeback Cache Enable".
|}

=== chache.direct ===
'''cache.direct=on''' bypasses the host pagecache. This is an attempt to execute the disk-I/O directly in the memory of the guest. QEMU may continue to perform a internal copy of the data.

=== cache.no-flush ===
QEMU announces that '''cache.no-flush''' ('''Attention - risk of data loss! - only use when data integrity is not important, for example in pure tests) never has to write data on the hard disk, but to safe everything in the cache. If something goes wrong, for example if your host does not have any power, the hard disk was accidentally disconnected or else, your image is likely to get useless.

== Tests ==
The following tests have been performed on a lvmthin volume. These only support raw (no qcow2).<ref>https://forum.proxmox.com/threads/proxmox-disks-changed-from-qcow-to-raw-after-migration.96007/#post-417101</ref> For background information on cache=none with qcow2, please refer to the article "Understanding QCOW2 Risks with QEMU cache=none in Proxmox".<ref>[https://kb.blockbridge.com/technote/proxmox-qemu-cache-none-qcow2/ Understanding QCOW2 Risks with QEMU cache=none in Proxmox] (kb.blockbridge.com)</ref>

With the [https://gist.github.com/3172656 diskchecker.pl Perl Skript], we have tested, if data gets lost during a power outage. You will find information on this script here:
http://brad.livejournal.com/2116715.html
{| class="wikitable"
|+Debian 13 VM with raw
!Cache settings
!diskchecker.pl results
|-
|Default (no cache)
|Total errors: 0
|-
|Write back (unsafe)
|Total errors: 2786
|-
|Write through
|Total errors: 0
|-
|Write back
|Total errors: 0
|-
|Direct sync
|Total errors: 0
|}

=== Default (No cache) ===
<pre>
tk@debian13-1:~$ ./diskchecker.pl -s 172.16.0.112 create test_file 1000
diskchecker: running 1 sec, 0.46% coverage of 1000 MB (293 writes; 293/s)
diskchecker: running 2 sec, 1.06% coverage of 1000 MB (684 writes; 342/s)
diskchecker: running 3 sec, 1.70% coverage of 1000 MB (1099 writes; 366/s)
diskchecker: running 4 sec, 2.33% coverage of 1000 MB (1507 writes; 376/s)
diskchecker: running 5 sec, 2.93% coverage of 1000 MB (1907 writes; 381/s)
diskchecker: running 6 sec, 3.58% coverage of 1000 MB (2326 writes; 387/s)
diskchecker: running 7 sec, 4.20% coverage of 1000 MB (2739 writes; 391/s)
diskchecker: running 8 sec, 4.81% coverage of 1000 MB (3152 writes; 394/s)
diskchecker: running 9 sec, 5.40% coverage of 1000 MB (3553 writes; 394/s)
diskchecker: running 10 sec, 6.03% coverage of 1000 MB (3976 writes; 397/s)
[...]
tk@debian13-1:~$ ./diskchecker.pl -s 172.16.0.112 verify test_file
verifying: 0.03%
verifying: 46.22%
verifying: 100.00%
Total errors: 0
tk@debian13-1:~$
</pre>

=== Write back (unsafe) ===
<pre>
tk@debian13-1:~$ ./diskchecker.pl -s 172.16.0.112 create test_file_unsafe 1000
diskchecker: running 1 sec, 0.45% coverage of 1000 MB (286 writes; 286/s)
diskchecker: running 2 sec, 1.22% coverage of 1000 MB (782 writes; 391/s)
diskchecker: running 3 sec, 2.06% coverage of 1000 MB (1328 writes; 442/s)
diskchecker: running 4 sec, 2.81% coverage of 1000 MB (1820 writes; 455/s)
diskchecker: running 5 sec, 3.55% coverage of 1000 MB (2306 writes; 461/s)
diskchecker: running 6 sec, 4.25% coverage of 1000 MB (2778 writes; 463/s)
diskchecker: running 7 sec, 5.04% coverage of 1000 MB (3302 writes; 471/s)
diskchecker: running 8 sec, 5.85% coverage of 1000 MB (3863 writes; 482/s)
diskchecker: running 9 sec, 6.73% coverage of 1000 MB (4466 writes; 496/s)
diskchecker: running 10 sec, 7.50% coverage of 1000 MB (4984 writes; 498/s)
[...]
tk@debian13-1:~$ ./diskchecker.pl -s 172.16.0.112 verify test_file_unsafe
verifying: 0.02%
Error at page 26, 4 seconds before end.
Error at page 34, 6 seconds before end.
Error at page 49, 3 seconds before end.
Error at page 123, 0 seconds before end.
Error at page 166, 0 seconds before end.
Error at page 167, 6 seconds before end.
Error at page 169, 1 seconds before end.
Error at page 199, 1 seconds before end.
Error at page 200, 2 seconds before end.
Error at page 214, 4 seconds before end.
[...]
verifying: 100.00%
Total errors: 2786
Histogram of seconds before end:
0 420
1 478
2 339
3 285
4 303
5 351
6 354
7 256
tk@debian13-1:~$
</pre>

=== Write through ===
<pre>
tk@debian13-1:~$ ./diskchecker.pl -s 172.16.0.112 create test_file_writethrough 1000
diskchecker: running 1 sec, 0.36% coverage of 1000 MB (234 writes; 234/s)
diskchecker: running 2 sec, 0.92% coverage of 1000 MB (587 writes; 293/s)
diskchecker: running 3 sec, 1.45% coverage of 1000 MB (929 writes; 309/s)
diskchecker: running 4 sec, 1.97% coverage of 1000 MB (1268 writes; 317/s)
diskchecker: running 5 sec, 2.49% coverage of 1000 MB (1612 writes; 322/s)
diskchecker: running 6 sec, 3.02% coverage of 1000 MB (1957 writes; 326/s)
diskchecker: running 7 sec, 3.53% coverage of 1000 MB (2295 writes; 327/s)
diskchecker: running 8 sec, 4.07% coverage of 1000 MB (2650 writes; 331/s)
diskchecker: running 9 sec, 4.57% coverage of 1000 MB (2989 writes; 332/s)
diskchecker: running 10 sec, 5.07% coverage of 1000 MB (3327 writes; 332/s)
[...]
tk@debian13-1:~$ ./diskchecker.pl -s 172.16.0.112 verify test_file_writethrough
verifying: 0.02%
verifying: 56.67%
verifying: 100.00%
Total errors: 0
tk@debian13-1:~$
</pre>

=== Write back ===
<pre>
tk@debian13-1:~$ ./diskchecker.pl -s 172.16.0.112 create test_file_writeback 1000
diskchecker: running 1 sec, 0.45% coverage of 1000 MB (289 writes; 289/s)
diskchecker: running 2 sec, 1.03% coverage of 1000 MB (671 writes; 335/s)
diskchecker: running 3 sec, 1.62% coverage of 1000 MB (1051 writes; 350/s)
diskchecker: running 4 sec, 2.21% coverage of 1000 MB (1438 writes; 359/s)
diskchecker: running 5 sec, 2.82% coverage of 1000 MB (1831 writes; 366/s)
diskchecker: running 6 sec, 3.40% coverage of 1000 MB (2224 writes; 370/s)
diskchecker: running 7 sec, 3.98% coverage of 1000 MB (2611 writes; 373/s)
diskchecker: running 8 sec, 4.56% coverage of 1000 MB (3005 writes; 375/s)
diskchecker: running 9 sec, 5.15% coverage of 1000 MB (3397 writes; 377/s)
diskchecker: running 10 sec, 5.73% coverage of 1000 MB (3788 writes; 378/s)
[...]
tk@debian13-1:~$ ./diskchecker.pl -s 172.16.0.112 verify test_file_writeback
verifying: 0.03%
verifying: 47.70%
verifying: 100.00%
Total errors: 0
tk@debian13-1:~$
</pre>

=== Direct sync ===
<pre>
tk@debian13-1:~$ ./diskchecker.pl -s 172.16.0.112 create test_file_directsync 1000
diskchecker: running 1 sec, 0.38% coverage of 1000 MB (246 writes; 246/s)
diskchecker: running 2 sec, 0.90% coverage of 1000 MB (579 writes; 289/s)
diskchecker: running 3 sec, 1.49% coverage of 1000 MB (960 writes; 320/s)
diskchecker: running 4 sec, 2.01% coverage of 1000 MB (1302 writes; 325/s)
diskchecker: running 5 sec, 2.53% coverage of 1000 MB (1643 writes; 328/s)
diskchecker: running 6 sec, 3.08% coverage of 1000 MB (2006 writes; 334/s)
diskchecker: running 7 sec, 3.61% coverage of 1000 MB (2363 writes; 337/s)
diskchecker: running 8 sec, 4.16% coverage of 1000 MB (2721 writes; 340/s)
diskchecker: running 9 sec, 4.74% coverage of 1000 MB (3108 writes; 345/s)
diskchecker: running 10 sec, 5.26% coverage of 1000 MB (3463 writes; 346/s)
[...]
tk@debian13-1:~$ ./diskchecker.pl -s 172.16.0.112 verify test_file_directsync
verifying: 0.01%
verifying: 57.56%
verifying: 100.00%
Total errors: 0
tk@debian13-1:~$
</pre>

== More information ==
* [https://events19.lfasiallc.com/wp-content/uploads/2017/11/Storage-Performance-Tuning-for-FAST-Virtual-Machines_Fam-Zheng.pdf Storage Performance Tuning for FAST! Virtual Machines]
* [https://documentation.suse.com/de-de/sles/12-SP5/html/SLES-all/cha-cachemodes.html Disk Cache Modes] (documentation.suse.com)

== References ==
<references />

{{Wfischer}}
{{Aranzinger}}
[[Category:Proxmox]]
[[de:Qemu drive cache Option]]

Ext4 Write Barriers

2026-03-05T13:18:38Z

Aranzinger: Created page with "''' Write barriers '''are used in the Linux kernel to ensure that data that has been written is actually written to a data carrier '''permanently '''before further new data is written. The use of write barriers ensures that even in the event of a sudden power failure,''' no data written via fsync() is lost. '''Write barriers force the''' correct sequence of journal-commits''' of the file system on the data carrier which allows volatile write caches to be used safely..."

''' Write barriers '''are used in the [[Linux]] kernel to ensure that data that has been written is actually written to a data carrier '''permanently '''before further new data is written. The use of write barriers ensures that even in the event of a sudden power failure,''' no data written via fsync() is lost. '''Write barriers force the''' correct sequence of journal-commits''' of the file system on the data carrier which allows volatile write caches to be used safely (but with some loss of performance).

== Function of write barriers ==
Write barriers are implemented via flushing the storage writing case '''before''' and '''after''' I/O operation. After '''writing a transaction''', the '''storage-cache is flushed''', the '''commit-block of the file system is written''' and the '''cache is emptied again'''. Therefore, it is ensured that:
* the data carrier (hard disk or SSD) contains all data
* no re-ordering of individual accesses has taken place

If barriers are activated, a fsync() call also triggers a storage-cache-flush. This guarantees that the file data is stored permanently on the hard disk even if a power failure occurs shortly after the return of fsync().

== Ext4 file system as example ==
The [[Ext4]] file system has been using write barriers since May 2008.<ref>[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=571640cad3fda6475da45d91cf86076f1f86bd9b ext4: enable barriers by default] (git.kernel.org, 26.05.2008)</ref> This ensures that even with data carriers with volatile caches—e.g., hard disks with RAM caches—no data written using fsync() is lost, even in the event of a sudden power failure.

The activation of write barriers can lead to significant performance losses in some applications. In particular, applications that use fsync() intensively or that create or delete a lot of small files sometimes run significantly slower. <ref>[https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/storage_administration_guide/ch-writebarriers Chapter 22. Write Barriers] (docs.redhat.com, Storage Administration Guide RHEL 7) <cite>Enabling write barriers incurs a substantial performance penalty for some applications. Specifically, applications that use fsync() heavily or create and delete many small files will likely run much slower.</cite></ref> IF RAID-controllers with battery-backed cache or for example SSDs with [[SSD Power Loss Protection]] are used, the performance can be increased by deactivating write barriers without increasing the risk of data loss. <ref>[https://kb.techtaco.org/linux/postgresql/postgresql_file_system_tuning/#write-barrier-tuning PostgreSQL File System Tuning - Write Barrier Tuning] (kb.techtaco.org)</ref>However, this only applies if effective power loss protection is actually in place.
{| class="wikitable"
|+
!Test case
!HDD Western Digital WD5003ABYX
!Intel SSD with PLP
!Samsung SSD without PLP
|-
|barriers=1 (activated)
!style="background-color:#CCFFCC;" align="center"|no data loss
!style="background-color:#CCFFCC;" align="center"|no data loss
!style="background-color:#CCFFCC;" align="center"|no data loss
|-
|barriers=0 (deactivated)
!style="background-color:#FFCCCC;" align="center"|data loss
!style="background-color:#CCFFCC;" align="center"|no data loss
|no data loss (Attention: data loss still possible!)
|}

== Ext4 file system tests with diskchecker.pl ==
The following test has been performed with the [https://gist.github.com/3172656 diskchecker.pl Perl Script]. The test script uses two computers to check whether data can be lost in the event of a power failure. To do this, the script runs on two computers:
# On a logging computer: The script is in server mode.
# On the system to be tested: After the script has been started, the power supply is interrupted

The system to be tested is then infected again and restarted. The script is now executed again for verification purposes. Further background information on this script can be found here: http://brad.livejournal.com/2116715.html

=== Test with WD 500 GByte HDD ===
[[File:Western-Digital-WD5003ABYX-500GB-SATA-64MB-Cache.jpg|300px|thumb|right|Western Digital WD5003ABYX 500GB SATA HDD with 64MB Cache]]In this test, a Western Digital WD5003ABYX 500GB SATA HDD with 64MB cache is used.

==== barrier=1 (default) ====
<pre>root@pve:~# mount | grep sdc
/dev/sdc1 on /mnt/sdc-hdd type ext4 (rw,relatime)
root@pve:~# uname -a
Linux pve 6.17.2-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.2-1 (2025-10-21T11:55Z) x86_64 GNU/Linux
root@pve:/mnt/sdc-hdd# ./diskchecker.pl -s 172.16.0.112 create test-hdd-ext4-default 1000
diskchecker: running 1 sec, 0.02% coverage of 1000 MB (11 writes; 11/s)
diskchecker: running 2 sec, 0.05% coverage of 1000 MB (35 writes; 17/s)
diskchecker: running 3 sec, 0.09% coverage of 1000 MB (59 writes; 19/s)
diskchecker: running 4 sec, 0.13% coverage of 1000 MB (83 writes; 20/s)
diskchecker: running 5 sec, 0.17% coverage of 1000 MB (107 writes; 21/s)
diskchecker: running 6 sec, 0.20% coverage of 1000 MB (132 writes; 22/s)
diskchecker: running 7 sec, 0.24% coverage of 1000 MB (155 writes; 22/s)
diskchecker: running 8 sec, 0.28% coverage of 1000 MB (180 writes; 22/s)
diskchecker: running 9 sec, 0.32% coverage of 1000 MB (204 writes; 22/s)
diskchecker: running 10 sec, 0.36% coverage of 1000 MB (229 writes; 22/s)
diskchecker: running 11 sec, 0.39% coverage of 1000 MB (252 writes; 22/s)
diskchecker: running 12 sec, 0.43% coverage of 1000 MB (276 writes; 23/s)
diskchecker: running 13 sec, 0.47% coverage of 1000 MB (300 writes; 23/s)
diskchecker: running 14 sec, 0.50% coverage of 1000 MB (323 writes; 23/s)
diskchecker: running 15 sec, 0.54% coverage of 1000 MB (347 writes; 23/s)
diskchecker: running 16 sec, 0.58% coverage of 1000 MB (371 writes; 23/s)
diskchecker: running 17 sec, 0.62% coverage of 1000 MB (396 writes; 23/s)
diskchecker: running 18 sec, 0.66% coverage of 1000 MB (421 writes; 23/s)
diskchecker: running 19 sec, 0.69% coverage of 1000 MB (445 writes; 23/s)
client_loop: send disconnect: Broken pipe
werner@x390:~/bin$
werner@x390:~/bin$ ssh root@172.16.10.1
root@172.16.10.1's password:
Linux pve 6.17.2-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.2-1 (2025-10-21T11:55Z) x86_64
[...]
root@pve:~# mount /dev/sdc1 /mnt/sdc-hdd
root@pve:~# dmesg | tail -4
[ 38.545085] vmbr0: port 1(nic1) entered blocking state
[ 38.545091] vmbr0: port 1(nic1) entered forwarding state
[ 207.082732] EXT4-fs (sdc1): recovery complete
[ 207.101678] EXT4-fs (sdc1): mounted filesystem 8ac821f6-c372-415c-addd-855c3161ded9 r/w with ordered data mode. Quota mode: none.
root@pve:~# cd /mnt/sdc-hdd/
root@pve:/mnt/sdc-hdd# ./diskchecker.pl -s 172.16.0.112 verify test-hdd-ext4-default
verifying: 0.36%
verifying: 19.26%
verifying: 59.26%
verifying: 94.18%
verifying: 100.00%
Total errors: 0
root@pve:/mnt/sdc-hdd#</pre>

==== barrier=0 ====
<pre>
root@pve:~# mount -t ext4 -o barrier=0 /dev/sdc1 /mnt/sdc-hdd
root@pve:~# mount | grep sdc
/dev/sdc1 on /mnt/sdc-hdd type ext4 (rw,relatime,nobarrier)
root@pve:~# cd /mnt/sdc-hdd
root@pve:/mnt/sdc-hdd# ./diskchecker.pl -s 172.16.0.112 create test-hdd-ext4-nobarrier 1000
diskchecker: running 1 sec, 0.20% coverage of 1000 MB (129 writes; 129/s)
diskchecker: running 2 sec, 0.62% coverage of 1000 MB (394 writes; 197/s)
diskchecker: running 3 sec, 0.95% coverage of 1000 MB (608 writes; 202/s)
diskchecker: running 4 sec, 1.22% coverage of 1000 MB (782 writes; 195/s)
diskchecker: running 5 sec, 1.55% coverage of 1000 MB (998 writes; 199/s)
diskchecker: running 6 sec, 1.89% coverage of 1000 MB (1213 writes; 202/s)
diskchecker: running 7 sec, 2.13% coverage of 1000 MB (1377 writes; 196/s)
diskchecker: running 8 sec, 2.41% coverage of 1000 MB (1556 writes; 194/s)
diskchecker: running 9 sec, 2.74% coverage of 1000 MB (1774 writes; 197/s)
diskchecker: running 10 sec, 3.00% coverage of 1000 MB (1945 writes; 194/s)
diskchecker: running 11 sec, 3.31% coverage of 1000 MB (2146 writes; 195/s)
diskchecker: running 12 sec, 3.61% coverage of 1000 MB (2347 writes; 195/s)
diskchecker: running 13 sec, 3.90% coverage of 1000 MB (2542 writes; 195/s)
diskchecker: running 14 sec, 4.21% coverage of 1000 MB (2750 writes; 196/s)
diskchecker: running 15 sec, 4.54% coverage of 1000 MB (2967 writes; 197/s)
diskchecker: running 16 sec, 4.80% coverage of 1000 MB (3142 writes; 196/s)
diskchecker: running 17 sec, 5.09% coverage of 1000 MB (3336 writes; 196/s)
diskchecker: running 18 sec, 5.35% coverage of 1000 MB (3513 writes; 195/s)
diskchecker: running 19 sec, 5.65% coverage of 1000 MB (3713 writes; 195/s)
diskchecker: running 20 sec, 5.91% coverage of 1000 MB (3890 writes; 194/s)
diskchecker: running 21 sec, 6.21% coverage of 1000 MB (4091 writes; 194/s)
diskchecker: running 22 sec, 6.48% coverage of 1000 MB (4281 writes; 194/s)
diskchecker: running 23 sec, 6.72% coverage of 1000 MB (4449 writes; 193/s)
diskchecker: running 24 sec, 7.01% coverage of 1000 MB (4645 writes; 193/s)

</pre>

<pre>
client_loop: send disconnect: Broken pipe
werner@x390:~/bin$ ssh root@172.16.10.1
root@172.16.10.1's password:
Linux pve 6.17.2-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.2-1 (2025-10-21T11:55Z) x86_64
[...]
root@pve:~# mount -t ext4 -o barrier=0 /dev/sdc1 /mnt/sdc-hdd
root@pve:~# dmesg | tail -n 4
[ 38.535100] vmbr0: port 1(nic1) entered forwarding state
[ 324.430790] EXT4-fs (sdc1): barriers disabled
[ 327.063895] EXT4-fs (sdc1): recovery complete
[ 327.064076] EXT4-fs (sdc1): mounted filesystem 8ac821f6-c372-415c-addd-855c3161ded9 r/w with ordered data mode. Quota mode: none.
root@pve:~# cd /mnt/sdc-hdd
root@pve:/mnt/sdc-hdd# ./diskchecker.pl -s 172.16.0.112 verify test-hdd-ext4-nobarrier
verifying: 0.02%
Error at page 19, 2 seconds before end.
Error at page 303, 1 seconds before end.
Error at page 339, 0 seconds before end.
Error at page 511, 1 seconds before end.
Error at page 544, 0 seconds before end.
Error at page 681, 0 seconds before end.
Error at page 708, 2 seconds before end.
Error at page 1108, 1 seconds before end.
Error at page 1337, 0 seconds before end.
Error at page 1388, 0 seconds before end.
verifying: 2.22%
Error at page 1487, 0 seconds before end.
Error at page 1492, 0 seconds before end.
[...]
Error at page 63758, 0 seconds before end.
Error at page 63990, 1 seconds before end.
verifying: 100.00%
Total errors: 545
Histogram of seconds before end:
0 178
1 187
2 142
3 1
4 1
6 2
7 3
8 3
9 2
10 5
11 1
14 4
15 1
16 2
17 1
18 1
19 2
20 3
22 3
23 2
24 1
root@pve:/mnt/sdc-hdd#
</pre>

=== Test with SSD with PLP ===
In this example, a 80 GByte [[Intel DC S3500 Series SSD]] with [[SSD Power Loss Protection]] is used.

==== barrier=1 (default) ====
<pre>
root@pve:/mnt/sdc-ssd-with-plp# mount | grep sdc
/dev/sdc1 on /mnt/sdc-ssd-with-plp type ext4 (rw,relatime)
root@pve:/mnt/sdc-ssd-with-plp# ./diskchecker.pl -s 172.16.0.112 create test-ssd-ext4 1000
diskchecker: running 1 sec, 0.04% coverage of 1000 MB (28 writes; 28/s)
diskchecker: running 2 sec, 0.67% coverage of 1000 MB (427 writes; 213/s)
diskchecker: running 3 sec, 1.34% coverage of 1000 MB (859 writes; 286/s)
diskchecker: running 4 sec, 2.05% coverage of 1000 MB (1324 writes; 331/s)
diskchecker: running 5 sec, 2.71% coverage of 1000 MB (1758 writes; 351/s)
diskchecker: running 6 sec, 3.48% coverage of 1000 MB (2266 writes; 377/s)
diskchecker: running 7 sec, 4.24% coverage of 1000 MB (2775 writes; 396/s)
diskchecker: running 8 sec, 4.88% coverage of 1000 MB (3207 writes; 400/s)
diskchecker: running 9 sec, 5.53% coverage of 1000 MB (3652 writes; 405/s)
diskchecker: running 10 sec, 6.14% coverage of 1000 MB (4073 writes; 407/s)
diskchecker: running 11 sec, 6.76% coverage of 1000 MB (4492 writes; 408/s)
diskchecker: running 12 sec, 7.38% coverage of 1000 MB (4922 writes; 410/s)
diskchecker: running 13 sec, 7.98% coverage of 1000 MB (5344 writes; 411/s)
diskchecker: running 14 sec, 8.65% coverage of 1000 MB (5799 writes; 414/s)
diskchecker: running 15 sec, 9.25% coverage of 1000 MB (6229 writes; 415/s)
diskchecker: running 16 sec, 9.84% coverage of 1000 MB (6652 writes; 415/s)
diskchecker: running 17 sec, 10.47% coverage of 1000 MB (7103 writes; 417/s)
diskchecker: running 18 sec, 11.11% coverage of 1000 MB (7556 writes; 419/s)
diskchecker: running 19 sec, 11.71% coverage of 1000 MB (7974 writes; 419/s)
diskchecker: running 20 sec, 12.31% coverage of 1000 MB (8405 writes; 420/s)
diskchecker: running 21 sec, 12.91% coverage of 1000 MB (8847 writes; 421/s)
diskchecker: running 22 sec, 13.57% coverage of 1000 MB (9328 writes; 424/s)
diskchecker: running 23 sec, 14.18% coverage of 1000 MB (9767 writes; 424/s)
</pre>
<pre>
werner@x390:~/bin$ ssh root@172.16.10.1
root@172.16.10.1's password:
Linux pve 6.17.2-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.2-1 (2025-10-21T11:55Z) x86_64
[...]
root@pve:~# mount /dev/sdc1 /mnt/sdc-ssd-with-plp
root@pve:~# dmesg | tail -n 4
[ 38.515045] vmbr0: port 1(nic1) entered blocking state
[ 38.515052] vmbr0: port 1(nic1) entered forwarding state
[ 175.603062] EXT4-fs (sdc1): recovery complete
[ 175.603218] EXT4-fs (sdc1): mounted filesystem 2847a7c0-0a1e-4ab8-8a4b-7c2856dcf0a3 r/w with ordered data mode. Quota mode: none.
root@pve:~# cd /mnt/sdc-ssd-with-plp/
root@pve:/mnt/sdc-ssd-with-plp# ./diskchecker.pl -s 172.16.0.112 verify test-ssd-ext4
verifying: 0.00%
verifying: 28.12%
verifying: 85.80%
verifying: 100.00%
Total errors: 0
root@pve:/mnt/sdc-ssd-with-plp#
</pre>

==== barrier=0 ====
<pre>
root@pve:~# mount -t ext4 -o barrier=0 /dev/sdc1 /mnt/sdc-ssd-with-plp
root@pve:~# mount | grep sdc
/dev/sdc1 on /mnt/sdc-ssd-with-plp type ext4 (rw,relatime,nobarrier)
root@pve:~# cd /mnt/sdc-ssd-with-plp/
root@pve:/mnt/sdc-ssd-with-plp# ./diskchecker.pl -s 172.16.0.112 create test-ssd-ext4-nobarrier 1000
diskchecker: running 1 sec, 0.45% coverage of 1000 MB (289 writes; 289/s)
diskchecker: running 2 sec, 1.19% coverage of 1000 MB (768 writes; 384/s)
diskchecker: running 3 sec, 1.90% coverage of 1000 MB (1230 writes; 410/s)
diskchecker: running 4 sec, 2.65% coverage of 1000 MB (1721 writes; 430/s)
diskchecker: running 5 sec, 3.47% coverage of 1000 MB (2258 writes; 451/s)
diskchecker: running 6 sec, 4.20% coverage of 1000 MB (2743 writes; 457/s)
diskchecker: running 7 sec, 4.92% coverage of 1000 MB (3246 writes; 463/s)
diskchecker: running 8 sec, 5.72% coverage of 1000 MB (3783 writes; 472/s)
diskchecker: running 9 sec, 6.43% coverage of 1000 MB (4266 writes; 474/s)
diskchecker: running 10 sec, 7.15% coverage of 1000 MB (4756 writes; 475/s)
diskchecker: running 11 sec, 7.90% coverage of 1000 MB (5270 writes; 479/s)
diskchecker: running 12 sec, 8.60% coverage of 1000 MB (5758 writes; 479/s)
diskchecker: running 13 sec, 9.43% coverage of 1000 MB (6325 writes; 486/s)
diskchecker: running 14 sec, 10.17% coverage of 1000 MB (6862 writes; 490/s)
diskchecker: running 15 sec, 10.86% coverage of 1000 MB (7354 writes; 490/s)
diskchecker: running 16 sec, 11.57% coverage of 1000 MB (7870 writes; 491/s)
diskchecker: running 17 sec, 12.21% coverage of 1000 MB (8337 writes; 490/s)
diskchecker: running 18 sec, 12.88% coverage of 1000 MB (8821 writes; 490/s)
diskchecker: running 19 sec, 13.50% coverage of 1000 MB (9288 writes; 488/s)
diskchecker: running 20 sec, 14.15% coverage of 1000 MB (9755 writes; 487/s)
diskchecker: running 21 sec, 14.76% coverage of 1000 MB (10213 writes; 486/s)
diskchecker: running 22 sec, 15.45% coverage of 1000 MB (10719 writes; 487/s)
diskchecker: running 23 sec, 16.09% coverage of 1000 MB (11199 writes; 486/s)
diskchecker: running 24 sec, 16.71% coverage of 1000 MB (11681 writes; 486/s)
diskchecker: running 25 sec, 17.52% coverage of 1000 MB (12301 writes; 492/s)
</pre>

<pre>
root@pve:~# mount -t ext4 -o barrier=0 /dev/sdc1 /mnt/sdc-ssd-with-plp
root@pve:~# dmesg | tail -n 4
[ 38.503206] vmbr0: port 1(nic1) entered forwarding state
[ 128.406477] EXT4-fs (sdc1): barriers disabled
[ 129.953659] EXT4-fs (sdc1): recovery complete
[ 129.953789] EXT4-fs (sdc1): mounted filesystem 2847a7c0-0a1e-4ab8-8a4b-7c2856dcf0a3 r/w with ordered data mode. Quota mode: none.
root@pve:~# cd /mnt/sdc-ssd-with-plp
root@pve:/mnt/sdc-ssd-with-plp# ./diskchecker.pl -s 172.16.0.112 verify test-ssd-ext4-nobarrier
verifying: 0.00%
verifying: 29.52%
verifying: 77.96%
verifying: 100.00%
Total errors: 0
root@pve:/mnt/sdc-ssd-with-plp#
</pre>

=== Test with SSD without PLP ===
In this test, a 512 GByte Samsung 850 PRO SATA SSD is used.

==== barrier=1 (default) ====
<pre>
root@pve:~# mkfs.ext4 /dev/sdc1
mke2fs 1.47.2 (1-Jan-2025)
Discarding device blocks: done
Creating filesystem with 125026646 4k blocks and 31260672 inodes
Filesystem UUID: b1721738-9749-4b86-9d05-d380b0337316
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000

Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done

root@pve:~# mkdir /mnt/sdc-ssd-without-plp
root@pve:~# mount /dev/sdc1 /mnt/sdc-ssd-without-plp
root@pve:~# cd /mnt/sdc-ssd-without-plp
root@pve:/mnt/sdc-ssd-without-plp# wget https://gist.githubusercontent.com/bradfitz/3172656/raw/301f516a4719b48cc9c133c4ba9c864ff8eaf056/diskchecker.pl
[...]
2026-02-27 11:34:15 (140 MB/s) - 'diskchecker.pl' saved [6702/6702]

root@pve:/mnt/sdc-ssd-without-plp# chmod +x diskchecker.pl
root@pve:/mnt/sdc-ssd-without-plp# sync
root@pve:/mnt/sdc-ssd-without-plp# ./diskchecker.pl -s 172.16.0.112 create test-ssd-noplp-ext4 1000
diskchecker: running 1 sec, 0.03% coverage of 1000 MB (22 writes; 22/s)
diskchecker: running 2 sec, 0.33% coverage of 1000 MB (214 writes; 107/s)
diskchecker: running 3 sec, 0.64% coverage of 1000 MB (408 writes; 136/s)
diskchecker: running 4 sec, 0.94% coverage of 1000 MB (603 writes; 150/s)
diskchecker: running 5 sec, 1.24% coverage of 1000 MB (803 writes; 160/s)
diskchecker: running 6 sec, 1.54% coverage of 1000 MB (993 writes; 165/s)
diskchecker: running 7 sec, 1.86% coverage of 1000 MB (1205 writes; 172/s)
diskchecker: running 8 sec, 2.16% coverage of 1000 MB (1399 writes; 174/s)
diskchecker: running 9 sec, 2.48% coverage of 1000 MB (1607 writes; 178/s)
diskchecker: running 10 sec, 2.79% coverage of 1000 MB (1810 writes; 181/s)
diskchecker: running 11 sec, 3.09% coverage of 1000 MB (2012 writes; 182/s)
diskchecker: running 12 sec, 3.40% coverage of 1000 MB (2216 writes; 184/s)
diskchecker: running 13 sec, 3.69% coverage of 1000 MB (2412 writes; 185/s)
diskchecker: running 14 sec, 3.99% coverage of 1000 MB (2615 writes; 186/s)
diskchecker: running 15 sec, 4.29% coverage of 1000 MB (2814 writes; 187/s)
diskchecker: running 16 sec, 4.60% coverage of 1000 MB (3018 writes; 188/s)
diskchecker: running 17 sec, 4.90% coverage of 1000 MB (3218 writes; 189/s)
diskchecker: running 18 sec, 5.20% coverage of 1000 MB (3425 writes; 190/s)
diskchecker: running 19 sec, 5.50% coverage of 1000 MB (3626 writes; 190/s)
diskchecker: running 20 sec, 5.79% coverage of 1000 MB (3828 writes; 191/s)
diskchecker: running 21 sec, 6.08% coverage of 1000 MB (4028 writes; 191/s)
diskchecker: running 22 sec, 6.36% coverage of 1000 MB (4214 writes; 191/s)
diskchecker: running 23 sec, 6.65% coverage of 1000 MB (4414 writes; 191/s)
diskchecker: running 24 sec, 6.94% coverage of 1000 MB (4617 writes; 192/s)
diskchecker: running 25 sec, 7.23% coverage of 1000 MB (4816 writes; 192/s)
diskchecker: running 26 sec, 7.52% coverage of 1000 MB (5020 writes; 193/s)
client_loop: send disconnect: Broken pipe
</pre>

<pre>
werner@x390:~/bin$ ssh root@172.16.10.1
root@172.16.10.1's password:
Linux pve 6.17.2-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.2-1 (2025-10-21T11:55Z) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 27 11:32:14 2026 from 172.16.0.112
root@pve:~# mount /dev/sdc1 /mnt/sdc-ssd-without-plp
root@pve:~# dme
dmesg dmeventd
root@pve:~# dmesg | tail -n 4
[ 38.593080] vmbr0: port 1(nic1) entered blocking state
[ 38.593084] vmbr0: port 1(nic1) entered forwarding state
[ 88.513484] EXT4-fs (sdc1): recovery complete
[ 88.514141] EXT4-fs (sdc1): mounted filesystem b1721738-9749-4b86-9d05-d380b0337316 r/w with ordered data mode. Quota mode: none.
root@pve:~# cd /mnt/sdc-ssd-without-plp
root@pve:/mnt/sdc-ssd-without-plp# ./diskchecker.pl -s 172.16.0.112 verify test-ssd-noplp-ext4
verifying: 0.02%
verifying: 3.74%
verifying: 100.00%
Total errors: 0
root@pve:/mnt/sdc-ssd-without-plp#
</pre>

==== barrier=0 ====
<pre>
root@pve:~# mount -t ext4 -o barrier=0 /dev/sdc1 /mnt/sdc-ssd-without-plp
root@pve:~# mount | grep sdc
/dev/sdc1 on /mnt/sdc-ssd-without-plp type ext4 (rw,relatime,nobarrier)
root@pve:~# cd /mnt/sdc-ssd-without-plp
root@pve:/mnt/sdc-ssd-without-plp# ./diskchecker.pl -s 172.16.0.112 create test-ssd-noplp-ext4-nobarrier 1000
diskchecker: running 1 sec, 0.47% coverage of 1000 MB (303 writes; 303/s)
diskchecker: running 2 sec, 1.26% coverage of 1000 MB (814 writes; 407/s)
diskchecker: running 3 sec, 1.97% coverage of 1000 MB (1274 writes; 424/s)
diskchecker: running 4 sec, 2.75% coverage of 1000 MB (1783 writes; 445/s)
diskchecker: running 5 sec, 3.51% coverage of 1000 MB (2285 writes; 457/s)
diskchecker: running 6 sec, 4.34% coverage of 1000 MB (2835 writes; 472/s)
diskchecker: running 7 sec, 5.14% coverage of 1000 MB (3371 writes; 481/s)
diskchecker: running 8 sec, 5.90% coverage of 1000 MB (3883 writes; 485/s)
diskchecker: running 9 sec, 6.59% coverage of 1000 MB (4348 writes; 483/s)
diskchecker: running 10 sec, 7.26% coverage of 1000 MB (4809 writes; 480/s)
diskchecker: running 11 sec, 8.02% coverage of 1000 MB (5333 writes; 484/s)
diskchecker: running 12 sec, 8.75% coverage of 1000 MB (5843 writes; 486/s)
diskchecker: running 13 sec, 9.43% coverage of 1000 MB (6317 writes; 485/s)
diskchecker: running 14 sec, 10.12% coverage of 1000 MB (6805 writes; 486/s)
diskchecker: running 15 sec, 11.05% coverage of 1000 MB (7450 writes; 496/s)
diskchecker: running 16 sec, 11.70% coverage of 1000 MB (7912 writes; 494/s)
diskchecker: running 17 sec, 12.38% coverage of 1000 MB (8401 writes; 494/s)
diskchecker: running 18 sec, 12.99% coverage of 1000 MB (8862 writes; 492/s)
diskchecker: running 19 sec, 13.65% coverage of 1000 MB (9352 writes; 492/s)
diskchecker: running 20 sec, 14.29% coverage of 1000 MB (9822 writes; 491/s)
diskchecker: running 21 sec, 14.92% coverage of 1000 MB (10294 writes; 490/s)
diskchecker: running 22 sec, 15.55% coverage of 1000 MB (10761 writes; 489/s)
diskchecker: running 23 sec, 16.21% coverage of 1000 MB (11261 writes; 489/s)
diskchecker: running 24 sec, 16.82% coverage of 1000 MB (11741 writes; 489/s)
client_loop: send disconnect: Broken pipe
</pre>

<pre>
werner@x390:~/bin$ ssh root@172.16.10.1
root@172.16.10.1's password:
Linux pve 6.17.2-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.2-1 (2025-10-21T11:55Z) x86_64
[...]
root@pve:~# mount -t ext4 -o barrier=0 /dev/sdc1 /mnt/sdc-ssd-without-plp
root@pve:~# dmesg | tail -n 4
[ 38.959022] vmbr0: port 1(nic1) entered forwarding state
[ 322.860448] EXT4-fs (sdc1): barriers disabled
[ 323.915454] EXT4-fs (sdc1): recovery complete
[ 323.915513] EXT4-fs (sdc1): mounted filesystem b1721738-9749-4b86-9d05-d380b0337316 r/w with ordered data mode. Quota mode: none.
root@pve:~# cd /mnt/sdc-ssd-with
sdc-ssd-without-plp/ sdc-ssd-with-plp/
root@pve:~# cd /mnt/sdc-ssd-without-plp
root@pve:/mnt/sdc-ssd-without-plp# ./diskchecker.pl -s 172.16.0.112 verify test-ssd-noplp-ext4
test-ssd-noplp-ext4 test-ssd-noplp-ext4-nobarrier
root@pve:/mnt/sdc-ssd-without-plp# ./diskchecker.pl -s 172.16.0.112 verify test-ssd-noplp-ext4-nobarrier
verifying: 0.01%
verifying: 49.87%
verifying: 100.00%
Total errors: 0
root@pve:/mnt/sdc-ssd-without-plp#
</pre>

== More information ==
* [https://lwn.net/Articles/283161/ Barriers and journaling filesystems] (lwn.net, 21.05.2008)
* [https://docs.kernel.org/admin-guide/ext4.html ext4 General Information] (docs.kernel.org/admin-guide)
* https://web.archive.org/web/20200227164936/https://www.fibrevillage.com/storage/565-what-s-barriers-how-to-enable-disable-it-on-linux
* [https://www.linux-magazine.com/content/download/63318/487772/file/Write_Barriers.pdf IMPOSING ORDER: Working with write barriers and journaling filesystems] (Linux-Magazine Issue 78, May 2007)

== References ==
<references />

{{Wfischer}}
{{Aranzinger}}
[[Category:Linux]]
[[de:Ext4 Write Barriers]]

TKMI Logs & Reports

2026-03-03T11:22:10Z

Aranzinger: Created page with "The TKMI records different '''system reports'''. Every report is geared to a certain use. In the following, the reports are presented individually. == IPMI Event Log == TKMI IPMI & Event Log This report lists all recorded events chronologically in the ''Intelligent Platform Management Interface (IPMI)''. With the help of the filter settings, specific entries can be..."

The [[Overview TKMI|TKMI]] records different '''system reports'''. Every report is geared to a certain use. In the following, the reports are presented individually.

== IPMI Event Log ==
[[File:TKMI_Logs-Reports_IPMI-Event-Log.png|alt=TKMI IPMI & Event Log|thumb|153x153px|TKMI IPMI & Event Log]]
This report lists all recorded events chronologically in the ''Intelligent Platform Management Interface (IPMI)''.

With the help of the filter settings, specific entries can be searched:
* '''Filter by Date''': The displayed events are limited to a determined period.
* '''Filter by type''': The displayed events are determined to a specific event or sensors.

With the help of the ''Clear Event Logs'' button , the events recorded so far can be deleted.

With the help of the ''Download Event Logs'' button, the recorded events can be exported.

Furthermore, you will receive statistics on the number of monthly recorded events as a bar chart.
== Operation Log ==
[[File:TKMI_Logs-Reports_Operation-Log.png|alt=TKMI Operation Log|thumb|157x157px|TKMI Operation Log]]
This report lists all events, that concern the host-system, in chronological order.

The following options are available for presentation:

* '''Filter by Date''': Start and end times of the listed operations can be determined and enables restriction to specific time periods.
* '''Event Category''': Either ''Information'' or ''Warning'' logs can be displayed. The former contain simple status events, while the latter only list events associated with warnings.

With the help of the ''Clear Logs'' button, all available log entries will be deleted.

With the help of the ''Download Logs'' button, all available log entries can be downloaded. The entries are stored in <code>log</code> file format and packaged in a <code>tgz</code> archive.

== Audit Log ==
[[File:TKMI_Logs-Reports_Audit-Log.png|alt=TKMI Audit Log|thumb|154x154px|TKMI Audit Log]]
This report lists all events about the host system, which serve to ensure compliance, security, and problem solving.

In particular, the system reports contain the user ID and IP address of the actions performed.

The following options are available for display:

* '''Filter by Date''': Start and end time of the listed operations can be determined and enables restriction to specific time periods.

With the help of the ''Clear Logs'' button, all available log entries will be deleted.

With the help of the ''Download Logs'' button, all available log entries can be downloaded. The entries are stored in <code>log</code> file format and packaged in a <code>tgz</code>-archive.

== Video Log ==
[[File:TKMI_Logs-Reports_Video-Log.png|alt=TKMI Video Log|thumb|153x153px|TKMI Video Log]]
This report lists videos recorded by the host system. Settings for video triggers, recording quality, and storage location can be configured in [[TKMI Settings]].

The following options are available for display:

* '''Filter by Date''': Start and end time of listed operations can be determined and enables restriction to specific time periods.

With the help of the ''Clear Logs'' buttons, all available log entries will be deleted.

== SOL Video Log ==
[[File:TKMI_Logs-Reports_SOL-Video-Log.png|alt=TKMI Serial on LAN (SOL) Log|thumb|154x154px|TKMI Serial on LAN (SOL) Log]]
This report lists a video-file recorded via ''Serial over LAN''. Settings for video triggers, recording quality, and storage location can be configured in [[TKMI Settings]].

The following options are available for display:
* '''Filter by Date''': Start- and end time of listed operations can be determined and enables restriction to specific time periods.

With the help of the ''Clear Logs'' button, all available log entries will be deleted.

{{Sbohn}}
{{Aranzinger}}
[[Category:Thomas-Krenn Management Interface]]
[[de:TKMI Logs & Reports]]