Thomas-Krenn-Wiki - New pages [en]

Installation of N8n

2026-06-19T06:10:54Z

Aranzinger:

'''n8n''' is a performant open-source platform for automatizing workflows. In contrast to cloud services such as Zapier or Make.com, n8n enables self-hostet operation, which allows you to maintain full control over your data, workflows, and costs.

This article describes four different self-contained methods ("paths") to install n8n on a local Linux server. Select the path that fits best to your use case and follow the steps from beginning to end.

== Requirements ==
=== General requirements (for all methods) ===
*'''Server:''' A physical server or a virtual machine.
*'''Resources:''' At least 1 vCPU and 2 GB RAM. 2+ vCPUs and 4+ GB RAM are recommended for productive use.
*'''User rights:''' You will require a user with <code>sudo</code>-rights.
*'''System updates:''' It is recommended to update the system in advance:
<pre>
sudo apt update && sudo apt upgrade -y
</pre>

=== Specific software (depending on the path) ===
*'''For path 1 & 2 (Docker / Docker Compose):''' Install the docker engine and the compose plugin via the '''official docker repositories'''.
<pre>
sudo apt-get remove docker docker-engine docker.io containerd runc && sudo apt-get autoremove -y
# 2. Set up Repository and install docker
sudo apt-get update && sudo apt-get install -y ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# 3. Set permissions (crucial!)
sudo usermod -aG docker $USER
</pre>
'''Important:''' So that docker permissions work, you have to '''log out and log in''' or execute the command <code>newgrp docker</code> in your current shell.

*'''For path 3 (npm):''' Install Node.js (v18+) and the package manager npm.
<pre>
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt-get install -y nodejs
</pre>

*'''For path 4 (Proxmox):''' A functional Proxmox VE installation is required.

== Installation paths ==

=== Path 1: Docker (fast & simple for tests) ===
This method is ideal to test n8n fast and uncomplicated.

'''Step 1: Create data directory''' This steps avoids permission issues in the container.
<pre>
mkdir -p ~/.n8n
sudo chown -R $USER:$USER ~/.n8n
</pre>

'''Step 2: Start container'''
<pre>
docker run -d --rm --name n8n -p 5678:5678 -v ~/.n8n:/home/node/.n8n n8nio/n8n:latest
</pre>
n8n is available on <code>http://<Ihre-Server-IP>:5678</code>. You will see a security warning about "secure cookie".

'''Step 3: Resolve access issue''' You have two possibilities:
*'''A) Fast workaround (unsafe):''' Stop the old container (<code>docker stop n8n</code>) and restart it with additional environment variable.
This is only suitable for localhost testing!
<pre>
docker run -d --rm --name n8n -p 5678:5678 -v ~/.n8n:/home/node/.n8n -e "N8N_SECURE_COOKIE=false" n8nio/n8n:latest
</pre>

*'''B) Secure approach using Reverse Proxy (recommended):''' Set up a reverse proxy to run n8n over HTTPS using a domain.
:'''Detailed instructions: [[Installation of Reverse Proxy for n8n with Nginx Proxy Manager]]'''

---

=== Path 2: Docker Compose (recommended for productive use) ===
This method is a robust method and ideal for long-term use, as it clearly divides the data base and n8n.

'''Step 1: Create project directory and configuration file'''
<pre>
mkdir -p ~/n8n-produktiv
cd ~/n8n-produktiv
nano docker-compose.yml
</pre>

'''Step 2: Add content for <code>docker-compose.yml</code>'''
Replace the placeholders for the passwords.
<pre>
services:
n8n:
image: n8nio/n8n:latest
ports:
- "5678:5678"
restart: always
environment:
- DB_TYPE=postgresdb
- DB_POSTGRESDB_HOST=postgres
- DB_POSTGRESDB_PORT=5432
- DB_POSTGRESDB_DATABASE=n8n
- DB_POSTGRESDB_USER=n8n
- DB_POSTGRESDB_PASSWORD=IHR_N8N_DB_PASSWORT
- GENERIC_TIMEZONE=Europe/Berlin
volumes:
- n8n_data:/home/node/.n8n
depends_on:
- postgres
postgres:
image: postgres:14
restart: always
environment:
- POSTGRES_USER=n8n
- POSTGRES_PASSWORD=IHR_N8N_DB_PASSWORT
- POSTGRES_DB=n8n
volumes:
- postgres_data:/var/lib/postgresql/data
volumes:
n8n_data:
postgres_data:
</pre>

'''Step 3: Start container'''
<pre>
docker compose up -d
</pre>
As the port is only connected to 127.0.0.1, n8n is not directly accessible from outside. This is intentional.

'''Step 4: Enable access'''
You have two possibilities:
*'''A) Fast workaround (unsafe):''' Change the port assignment in the <code>docker-compose.yml</code> to <code>"5678:5678"</code> and add to the <code>environment</code>-block in n8n the line <code>- N8N_SECURE_COOKIE=false</code>. Restart with <code>docker compose up -d</code>.
This is only suitable for LAN-only test without external accessibility!

*'''B) Secure approach using Reverse Proxy (recommended): '''Set up a Reverse Proxy, that forwards the traffic to <code>127.0.0.1:5678</code>.
:'''Detailed instructions: [[Installation of Reverse Proxy for n8n with Nginx Proxy Manager]]'''

---

=== Path 3: npm (for developers) ===
This method installs n8n directly on the host system.

'''Step 1: Install n8n globally'''
The global installation requires administrator rights.
<pre>
sudo npm install -g n8n
</pre>

'''Step 2: Start n8n'''
Execute the command as normal user.
<pre>
n8n
</pre>
n8n is now available on <code>http://<Your<nowiki/>-Server-IP>:5678</code> and displays a safety warning. Terminate the process with <code>Strg+C</code>.

'''Step 3: Resolve access issue'''
You have two possibilities:
*'''A) Fast workaround (unsafe):''' Start n8n with a preceding environment variable.
Please note that this is only suitable for localhost tests!
<pre>
N8N_SECURE_COOKIE=false n8n
</pre>

*'''B) Secure approach with Reverse Proxy (recommended): '''Let n8n run in the background (for example with <code>pm2</code> oder <code>systemd</code>) and set up a Reverse Proxy in front of it.
:'''Detailed instructions: [[Installation of Reverse Proxy for n8n with Nginx Proxy Manager]]'''

---

=== Path 4: Proxmox Helper Scripts (LXC) ===
This method creates a dedicated, lean Linux container for n8n.

Attention: We do not recommend this for productive use!

'''Step 1: Execute installation script'''
Execute this command on the '''Proxmox-Host''' shell and follow the interactive dialogue.
<pre>
bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/n8n.sh)"
</pre>

'''Step 2: Test access'''
After the installation, the script outputs the IP address of the container. n8n is available on <code>http://<IP-des-LXC-Containers>:5678</code> and displays the safety warning.

'''Step 3: Resolve access issue'''
You have two possibilities:
*'''A) Fast workaround (unsafe):''' The environment variable must be configured directly in the container.
This is only suitable for LAN-tests without external availability!
<pre>
# 1. Verbinden Sie sich mit der Shell des n8n-Containers
ssh root@<IP-des-LXC-Containers>
# 2. Öffnen Sie die systemd-Service-Datei
nano /etc/systemd/system/n8n.service
# 3. Fügen Sie unter dem Abschnitt [Service] folgende Zeile hinzu:
Environment="N8N_SECURE_COOKIE=false"
# 4. Speichern, schließen und die Dienste neu laden/starten
systemctl daemon-reload && systemctl restart n8n
</pre>

*'''B) Secure approach with Reverse Proxy (recommended):''' Set up a Reverse Proxy on another server or in another container that forwards the traffic to <code>http://<IP-des-LXC-Containers>:5678</code>.
:'''Detailed instructions: [[Installation of Reverse Proxy for n8n with Nginx Proxy Manager]]'''

== Sources ==
* [https://docs.n8n.io/hosting/self-hosted/ n8n Documentation – Self‑Hosted] (en)
* [https://github.com/n8n-io/n8n n8n auf GitHub] (en)
* [https://tteck.github.io/Proxmox/ Proxmox VE Helper-Scripts von tteck] (en)

{{fmueller}}
{{Aranzinger}}
[[Category:Automation]]
[[Category:Artificial Intelligence]]
[[Category:Docker]]
[[Category:VMs/Containers]]
[[de:N8n installieren]]

Creation of Proxmox HA cluster

2026-06-18T10:12:06Z

Aranzinger: Created page with "This article describes the configuration of a '''High Availability Cluster''' or '''HA Cluster''' using three servers with '''Proxmox''' '''VE''' 8.2.2. In this example, Ceph is configured within the cluster as the data storage. ==Requirements for High Availability== Before configuring the HA cluster, it must be verified if all requirements are fulfilled: *3 server systems identical in design * all nodes must be located in the same system * date and time must be sy..."

This article describes the configuration of a '''High Availability Cluster''' or '''HA Cluster''' using three servers with '''Proxmox''' '''VE''' 8.2.2. In this example, [[Ceph]] is configured within the cluster as the data storage.

==Requirements for High Availability==
Before configuring the HA cluster, it must be verified if all requirements are fulfilled:
*3 server systems identical in design
* all nodes must be located in the same system
* date and time must be synchronized (NTP)
* SSH must be released for SSH on port 22

==Installation and configuration==
First, Proxmox must be installed on all 3 nodes. Please make sure that you have entered the correct host name and IP configuration.

=== Network configuration ===
After that, the network configuration of all nodes must be made. The following steps must be executed after the installation has been successful:<gallery>
file:Initiale Netzwerkkonfiguration.png|First, select the host name and click on '''[Network]'''. Next, you will see the initial network configuration, which can be adjusted according to your requirements.
file:Netzwerkkonfiguration PVE.png|After that, the changes are applied by clicking on '''[Apply]'''. This process must be repeated on the remaining nodes.
</gallery>

Now, the network configuration can be verified with a ping test. You can also test the ping with jumbo frames, if configured. The following command would test this with an MTU configured to 9000 bytes:<pre>
ping -M do -s 8972 [IP-Adresse]
</pre>

===Create Proxmox VE cluster===
The following steps must be executed to create the cluster:
<gallery>
file:Create PVE Cluster.png|Go to '''[Datacenter]''' '''[Cluster]''' and click on '''[Create Cluster]'''. Now, a pop-up appears where a '''Clustername''' and the '''Network''' are entered for the PVE-cluster. By clicking on '''[Create]''' , the cluster is created.
file:PVE Cluster Join Information .png|Now you can copy the join information by selecting the '''[Join Information]''' option and clicking '''[Copy Information]'''. This step is required for adding the remaining nodes.
file:PVE Cluster Join.png|To add the remaining nodes to the cluster, connect to their GUI and under '''[Datacenter]''' '''[Cluster]''', click '''[Join Cluster]'''. After that, the join information, the password and the network can be entered. By clicking on '''[Join 'Clustername'],''' the host is added. Repeat this process for the remaining servers.
file:PVE Cluster Final.png|The overview should look similar to this.
</gallery>

'''Hint for a cluster with a lot of nodes:''' For clusters with a large number of nodes (25 or more), enter all nodes in the local hosts file on each cluster node. Otherwise, it may come to high network traffic and stability problems.

===Add Ceph storage===
To create a Ceph storage for storing all data, the following steps must be performed:<gallery>
file:1 Ceph Installation.png|Select a node here and click on '''[Ceph]''' and '''[Install Ceph]''' to start the installation.
file:Ceph Network.png|After the installation has been completed, the '''Ceph-Network''' can be stated. In addition, you can also set the number of '''replicates''' here. Click on '''[Next]''' to complete the configuration. This process is repeated for all nodes.
file:Ceph MON MGR.png|Next, some services must be configured for Ceph. The first are the monitoring and management services. For this, click '''[Ceph],''' then '''[Monitor]''' and then '''[Create]''' in Monitor and Manager. In this example, one service is created per host.
file:Ceph MON MGR done.png|The result should look similar to this image.
file:Disk Wipe GPT.png|The HDDs/SSDs/NVMes must be prepared for the creation of the OSDs. To do this, delete them under '''[Disks]''' '''[Wipe Disk]''' and initialize them with GPT '''[Initialize Disk with GPT]'''. Repeat this with all data carriers.
file:Ceph OSD.png|Now, you can create the OSDs under '''[Ceph]''' '''[OSD]''' by clicking on '''[Create: OSD].''' Select the disk and a device class and confirm it by clicking on '''[Create]'''. This must be repeated for all data carriers.
file:MDS Erstellung.png|After creating the OSD, a Meta Data server can be created under '''[CephFS].''' These are required for CephFS. For this, click on '''[Create].''' In this example, a MDS host is created per host'''.'''
file:CephFS.png|You can now create CephFS by clicking '''[Create CephFS]'''. You can use the default values here.
file:Ceph Pool erstellen.png|Finally, a pool must be created to store all data from the VMs/CTs. For this, switch to '''[Pools]''' and click '''[Create]'''. Next, you must assign a pool name; you can also set a '''target ratio''' of '''0.9'''.
file:Ceph Health Status.png|Finally, you can check the Ceph dashboard, and everything should be showing as Healthy.
</gallery>

===Configuration High Availability ===
Now you can create the required virtual machines and containers on the cluster. To take advantage of the cluster's high availability, it is essential that the configured VMs/CTs are added to the HA. To set this up, follow the steps below:
<gallery>
file:Add VM to HA.png|Go to '''[Datacenter]''' and click on '''[HA]'''. You can now add the VM to HA by clicking '''[Add]'''. To do so, enter the VM ID and a request state, then confirm by clicking '''[Add]'''.
</gallery>

After all steps have been executed, the cluster is functional and your virtual instance is highly available.

{{Npauli}}
{{Tlindinger}}
{{Aranzinger}}
[[Category:Proxmox Administration]]
[[de:Proxmox HA Cluster erstellen]]

LVM basic configuration

2026-06-18T07:09:52Z

Aranzinger:

In the following article, the '''basic configuration''' of LVs is explained. The used system is a '''Ubuntu Server 10.4''' with the 2.6.32-24 kernel and the LVM-version 2.02.54(1) (2009-10-26). In the following, it is explained how to create '''partitions''' of '''''Physical Volumes''''' (PVs), a '''''Volume Group''''' (VG) and the '''''Logical Volumes''''' (LVs) built on top of them.

==Creating partitions==
First, the partitions for the PVs are created. The following points must be taken into account:

*[[Partition Alignment]]
**Switch display to sectors (Switch "-u")
**switch off DOS-compatible mode (Switch "-c")
*for later LVM management
**switch system ID of partition to "8e" (Switch "-t" bei fdisk)
After the changes, the partition table looks as follows:
<pre>
root@ubuntu:/home/tktest# fdisk -lu

Disk /dev/sda: 5368 MB, 5368709120 bytes
255 heads, 63 sectors/track, 652 cylinders, total 10485760 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00051afd

Device Boot Start End Blocks Id System
/dev/sda1 * 2048 9920511 4959232 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 9922558 10483711 280577 5 Extended
Partition 2 does not end on cylinder boundary.
/dev/sda5 9922560 10483711 280576 82 Linux swap / Solaris

Disk /dev/sdb: 2147 MB, 2147483648 bytes
22 heads, 16 sectors/track, 11915 cylinders, total 4194304 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x1673663d

Device Boot Start End Blocks Id System
/dev/sdb1 2048 4194303 2096128 8e Linux LVM

Disk /dev/sdc: 2147 MB, 2147483648 bytes
22 heads, 16 sectors/track, 11915 cylinders, total 4194304 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xbd277faf

Device Boot Start End Blocks Id System
/dev/sdc1 2048 4194303 2096128 8e Linux LVM
</pre>
==Preparation of PVs==
PVs also include meta data for the administration of volumes (see also [[LVM basics]]). 255 sectors (á 512 byte) are created for the meta data by default. Among other things, a meta data area that is too small can result in, for example, the inability to create snapshots anymore: [[Fix LVM VG vgname metadata too large for circular buffer]]. Therefore, it will make sense to configure a larger meta data area. If you want to enlargen your meta data area, the parameter "--metadatasize" must be added to the command "pvcreate" and then select the desired size at:
<pre>
--metadatasize size
</pre>
After that, the partitions are initialized as PV.

<pre>
root@ubuntu:~# pvcreate /dev/sdb1
Physical volume "/dev/sdb1" successfully created
root@ubuntu:~# pvcreate /dev/sdc1
Physical volume "/dev/sdc1" successfully created
</pre>
The commands "pvs" and "pvdisplay" offer a variety of possibilities to display the current status of the PVs.
<pre>
root@ubuntu:~# pvs
PV VG Fmt Attr PSize PFree
/dev/sdb1 lvm2 -- 2.00g 2.00g
/dev/sdc1 lvm2 -- 2.00g 2.00g
</pre>

==Creating a VG==
The PVs, that have been created before, are now summarized to a VG.
<pre>
root@ubuntu:~# vgcreate vg00 /dev/sdb1 /dev/sdc1
Volume group "vg00" successfully created
</pre>
The "pvdisplay" now shows that a VG was created with the PVs:
<pre>
root@ubuntu:~# pvdisplay
--- Physical volume ---
PV Name /dev/sdb1
VG Name vg00
PV Size 2.00 GiB / not usable 3.00 MiB
Allocatable yes
PE Size 4.00 MiB
Total PE 511
Free PE 511
Allocated PE 0
PV UUID fl9ipM-bhhQ-V46G-2iH3-R3yZ-9DsN-JbRmY9

--- Physical volume ---
PV Name /dev/sdc1
VG Name vg00
PV Size 2.00 GiB / not usable 3.00 MiB
Allocatable yes
PE Size 4.00 MiB
Total PE 511
Free PE 511
Allocated PE 0
PV UUID d1iY5L-ac3F-W5Sz-zyaE-uaT3-f66r-I3831o
</pre>
vgdisplay also shows information on VG:
<pre>
root@ubuntu:~# vgdisplay
--- Volume group ---
VG Name vg00
System ID
Format lvm2
Metadata Areas 2
Metadata Sequence No 1
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 0
Open LV 0
Max PV 0
Cur PV 2
Act PV 2
VG Size 3.99 GiB
PE Size 4.00 MiB
Total PE 1022
Alloc PE / Size 0 / 0
Free PE / Size 1022 / 3.99 GiB
VG UUID YTEj9f-9LCT-EOP5-JBEA-YHSz-c0R1-TMzVmy
</pre>
What stands out here is, that the PE size is 4.00 MiB. Since the lvm2-format, the number of PEs is not limited anymore. According to the Man page of vgcreate, a high number of PEs can slow down the tools. However, the number of pEs does not have influence on the I/O-performance of the Logical Volumes. If you want to change the PE-size, add the parameter to "vgcreate"
<pre>
-s, --physicalextentsize PhysicalExtentSize
</pre>
==Creating LVs==

There are different possibilities to specify the size of the LV to be created. However, all LVs require the parameter "-l" or "-L".
*size specification in, for example, Gigabyte:
<pre>
lvcreate -n data -L1G vg00
</pre>
*Percentage of available storage in the VG:
<pre>
lvcreate -n data -l100%VG vg00
</pre>
*Percentage of free storage in the VG:
<pre>
lvcreate -n data -l100%FREE vg00
</pre>
The example in progress is continued by dividing the VG into two equally sized LVs:
<pre>
root@ubuntu:~# lvcreate -n data -l50%VG vg00
Logical volume "data" created
root@ubuntu:~# lvcreate -n data1 -l100%FREE vg00
Logical volume "data1" created
</pre>
Now, the status of the Logical Volume can be taken into consideration:
<pre>
root@ubuntu:~# lvdisplay
--- Logical volume ---
LV Name /dev/vg00/data
VG Name vg00
LV UUID S1btrq-zQZQ-h9oU-2VE6-UNoT-hkqB-Fpv7pG
LV Write Access read/write
LV Status available
# open 0
LV Size 2.00 GiB
Current LE 511
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 252:0

--- Logical volume ---
LV Name /dev/vg00/data1
VG Name vg00
LV UUID Syaml9-d1Ax-RYTs-tSZy-vEyq-yzqW-VoOddZ
LV Write Access read/write
LV Status available
# open 0
LV Size 2.00 GiB
Current LE 511
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 252:1
</pre>
==Creating file system==
Now, the LVs can be formatted with a file system and mounted afterwards:
<pre>
mkfs.ext4 /dev/vg00/data
mkdir data
mount /dev/vg00/data data
</pre>
==Removing LV==
If a LV should be removed, it can be removed via lvremove command:
<pre>
root@ubuntu:~# lvremove /dev/vg00/data_snap
Do you really want to remove active logical volume data_snap? [y/n]: y
Logical volume "data_snap" successfully removed
</pre>
The LV data_snap does no longer appear as an LV. However, the underlying partition is still listed as a PV:
<pre>
--- Physical volume ---
PV Name /dev/sde1
VG Name vg00
PV Size 2.00 GiB / not usable 3.00 MiB
Allocatable yes
PE Size 4.00 MiB
Total PE 511
Free PE 511
Allocated PE 0
PV UUID lKEW15-1YHu-dikC-S0Pm-72UJ-UMPg-fgiW0Y
</pre>
If the partition should be released completely, the PV must be removed from the VG first:
<pre>
root@ubuntu:~# vgreduce vg00 /dev/sde1
Removed "/dev/sde1" from volume group "vg00"
root@ubuntu:~# pvdisplay
"/dev/sde1" is a new physical volume of "2.00 GiB"
--- NEW Physical volume ---
PV Name /dev/sde1
VG Name
PV Size 2.00 GiB
Allocatable NO
PE Size 0
Total PE 0
Free PE 0
Allocated PE 0
PV UUID lKEW15-1YHu-dikC-S0Pm-72UJ-UMPg-fgiW0Y
</pre>
Now, the PV can be also deleted completely to reformat, for example, the hard drive:
<pre>
root@ubuntu:~# pvremove /dev/sde1
Labels on physical volume "/dev/sde1" successfully wiped
</pre>

{{Gschoenberger}}
{{Aranzinger}}
[[Category:LVM]]
[[de:LVM Grundkonfiguration]]

Linux performance analysis in 60 seconds

2026-06-17T13:17:30Z

Aranzinger:

When a critical '''performance issue''' arises on a [[Linux]] server, there is often little time to analyze the problem in detail. Brendan Gregg, computer performance analyst and kernel engineer, describes in a blog posting and in a video, '''which Linux commands he uses for the performance analysis in the first 60 seconds'''.

== Commands for performance analysis ==
The following commands are recommended by Brendan Gregg:<ref>[http://techblog.netflix.com/2015/11/linux-performance-analysis-in-60s.html Linux Performance Analysis in 60,000 Milliseconds] (techblog.netflix.com, 30.11.2015)</ref>
<pre>
uptime
dmesg | tail
vmstat 1
mpstat -P ALL 1
pidstat 1
iostat -xz 1
free -m
sar -n DEV 1
sar -n TCP,ETCP 1
top
</pre>

More information on these commands can be found in the following articles:
* vmstat: [[Linux Performance Measurements using vmstat]]
* mpstat: [[Linux CPU performance measurements with mpstat]]
* iostat: [[Linux I/O Performance measurements with iostat]]
* free: [[Linux Page Cache Basics]]
* sar: [[Collect and report Linux System Activity Information with sar]]
* top: [[Linux-tool top]]

== Video ==
In this video, Brendan Gregg shows how to execute these commands in 60 seconds:<ref>[http://www.brendangregg.com/blog/2015-12-03/linux-perf-60s-video.html Linux Performance Analysis in 60s (video)] (www.brendangregg.com/blog, 03.12.2015)</ref>

{{#widget:YouTube|id=ZdVpKx6Wmc8}}

== References ==
<references />

{{Wfischer}}
{{Aranzinger}}
[[Category:Linux Performance]]
[[de:Linux Performance Analyse in 60 Sekunden]]

Docker basics - the most important terms

2026-06-17T12:17:57Z

Aranzinger: Created page with "This article provides an introduction in Docker and shows useful terms, which can be useful when using Docker and Docker containers: <pre> # Start container docker container run <IMAGENAME> starts a container based on an image (Example: checkmk/check-mk-raw:2.2.0-latest) # List containers (active) docker ps displays a list of all containers that are currently active # List containers (all) docker ps -all displays all containers on the system including those that ha..."

This article provides an introduction in Docker and shows useful terms, which can be useful when using Docker and Docker containers:

<pre>
# Start container
docker container run <IMAGENAME> starts a container based on an image (Example: checkmk/check-mk-raw:2.2.0-latest)

# List containers (active)
docker ps displays a list of all containers that are currently active

# List containers (all)
docker ps -all displays all containers on the system including those that have been stopped.

# Stop container
docker stop <CONTAINER-NAME> stops a container

# Reboot container
docker restart <CONTAINER-NAME> restarts a Docker container

# Delete container
docker remove <CONTAINER-NAME> deletes a container

# Display container volume
docker volume ls displays all created container volumes

# Delete container volume
docker volume rm <VOLUME-NAME> - deletes a named volume

# Execute container shell command in container
docker exec <CONTAINER-NAME> <COMMAND> executes the command and displays the output on its own terminal (locally)

# Open the interactive full shell in the container (interactive terminal)
docker exec -it <CONTAINER-NAME> bash

# Display container logs:
docker container logs <CONTAINER-NAME>
</pre>

{{jsterr}}
{{Aranzinger}}
[[Category:Docker]]
[[de:Docker Grundlagen - die wichtigsten Befehle]]

Measuring TCP and UDP Network Performance with iperf

2026-06-17T08:44:44Z

Aranzinger:

'''iperf''', the open-source tool, allows to measure the maximum TCP and UDP network bandwidth. It is an alternative for netperf<ref>[http://www.netperf.org/ Netperf] (www.netperf.org)</ref>.

== Installation ==
Iperf is already included in the Debian and Ubuntu repository, which means that an installation is easy possible via <code>apt-get install iperf</code>.

For RHEL and CentOS, the package is available in the EPEL<ref>[http://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/iperf.html IPerf Paket aus EPEL Repository] (download.fedora.redhat.com)</ref> repository.

Alternatively, the source code can be downloaded from the IPerf website <ref>[http://sourceforge.net/projects/iperf/files/ IPerf] (sourceforge.net)</ref>.

== Use ==
Iperf works according to the client-sever model, which means that the iperf daemon must be started first on a server and then connects to the iperf client. Client and server are included in the same binary. When entering the IP address for the client, be sure to select the one associated with the network interface you want to test.

=== Measure TCP performance ===
In this case, the TCP performance of a 1 GBit network card is measured.

Server1:
<pre>
[root@server1 ~]# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[ 4] local 192.168.255.1 port 5001 connected with 192.168.255.2 port 39838
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.0 sec 1.10 GBytes 941 Mbits/sec
</pre>

Server2:
<pre>
[root@server2 ~]# iperf -c 192.168.255.1
------------------------------------------------------------
Client connecting to 192.168.255.1, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.255.2 port 39838 connected with 192.168.255.1 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 1.10 GBytes 944 Mbits/sec
</pre>

=== Measure UDP performance ===
The UDP performance is measured on the same system. In this case, the used bandwidth (-b) must be stated. The default here is only 1 MBit per second.

Server1:
<pre>
[root@server1 ~]# iperf -s -u
------------------------------------------------------------
Server listening on UDP port 5001
Receiving 1470 byte datagrams
UDP buffer size: 126 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.255.1 port 5001 connected with 192.168.255.2 port 40612
[ ID] Interval Transfer Bandwidth Jitter Lost/Total Datagrams
[ 3] 0.0-10.0 sec 889 MBytes 746 Mbits/sec 0.065 ms 621/634707 (0.098%)
[ 3] 0.0-10.0 sec 1 datagrams received out-of-order
</pre>

Server2:
<pre>
[root@server2 ~]# iperf -c 192.168.255.1 -u -b 1000M
------------------------------------------------------------
Client connecting to 192.168.255.1, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size: 126 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.255.2 port 40612 connected with 192.168.255.1 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 890 MBytes 746 Mbits/sec
[ 3] Sent 634708 datagrams
[ 3] Server Report:
[ 3] 0.0-10.0 sec 889 MBytes 746 Mbits/sec 0.065 ms 621/634707 (0.098%)
[ 3] 0.0-10.0 sec 1 datagrams received out-of-order
</pre>

== Hints for 10G/40G tests ==
When testing 40 Gbit/s connections, it is possible that an individual CPU-core can become a bottleneck. In this case, it is recommended that several parallel tests are operated on different ports.

More information on this topic can be found, for example, on the following pages:
* [https://fasterdata.es.net/host-tuning/linux/100g-tuning/ 40G/100G Tuning] (fasterdata.es.net)
* [https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/iperf/multi-stream-iperf3/ iperf3 at 40Gbps and above] (fasterdata.es.net)
* [https://calomel.org/network_performance.html Network Tuning and Performance: a simple guide to enhancing network speeds] (calomel.org)

== References ==
<references/>

{{Cmitasch}}
{{Aranzinger}}
[[Category:Linux Networking]]
[[Category:Linux Performance]]
[[de:TCP und UDP Netzwerk Performance mit iperf messen]]

Permanently Change the Root Data Directory in Docker

2026-06-17T05:40:20Z

Aranzinger: Created page with "This article explains how to permanently switch the default root data directory <code>/var/lib/docker/</code> to a different directory. == Background information == The <code>/var/lib/docker</code> directory stores all images, volumes from Docker and can grow significantly depending on how many containers are used. The directory is structured as follows:<pre> root@js-checkmk-02:/var/lib/docker# ls buildkit containers engine-id image network overlay2 plugins runt..."

This article explains how to permanently switch the default root data directory <code>/var/lib/docker/</code> to a different directory.

== Background information ==
The <code>/var/lib/docker</code> directory stores all images, volumes from Docker and can grow significantly depending on how many containers are used. The directory is structured as follows:<pre>
root@js-checkmk-02:/var/lib/docker# ls
buildkit containers engine-id image network overlay2 plugins runtimes swarm tmp volumes</pre> You can see that it is used if you, for example, verify the status with df -h:

<pre>root@js-checkmk-02:/var/lib/docker# df -h
Filesystem Size Used Avail Use% Mounted on
udev 3.9G 0 3.9G 0% /dev
tmpfs 794M 684K 794M 1% /run
/dev/sda1 47G 3.8G 41G 9% /
tmpfs 3.9G 0 3.9G 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
/dev/sda15 124M 12M 113M 10% /boot/efi
tmpfs 794M 0 794M 0% /run/user/0
tmpfs 794M 0 794M 0% /run/user/1000
overlay 47G 3.8G 41G 9% /var/lib/docker/overlay2/a6a4203cef42815c7187f584436e5eb9dff385e3ca9c92d597a38806b9dc255d/merged
</pre>

== Configuration ==
First, <code>docker</code> must be stopped, which has immediately influence on all active containers. In addition, we install the tool <code>rsync</code>.<pre>
root@js-checkmk-02:/# systemctl stop docker && apt install rsync
</pre>After this, it must be communicated to Docker where to find the new data root:

<pre># Create directory if it has not been created yet
root@js-checkmk-02:/# mkdir -p /root/docker/root

# Daemon-Datei anlegen in /etc/docker
root@js-checkmk-02:/# nano /etc/docker/daemon.json

# Please add the following into the file, then adjust your path and store it. In this example, we change it to /root/docker/root

{
"data-root": "/root/docker/root"

}
</pre>Next, the whole content of the old docker-root-directory is copied into the new data-root-directory and then the old <code>/var/lib/docker</code> directory is renamed to <code>/var/lib/docker.old</code>.

<pre>rsync -aP /var/lib/docker/ "/root/docker/root"
cp -rp /var/lib/docker/* "/root/docker/root"
mv /var/lib/docker /var/lib/docker.old
</pre>
After that, Docker can be restarted and it should be verified if all containers still function:<pre>
systemctl start docker
</pre>If everything functions, the old data-root-directory can be deleted:<pre>
rm -rf /var/lib/docker.old</pre>

{{jsterr}}
{{Aranzinger}}
[[Category:Docker]]
[[de:Root Data Directory in Docker dauerhaft ändern]]

Checkmk RAW Edition - Docker Container Installation

2026-06-16T11:51:57Z

Aranzinger: Created page with "These instructions show how to install and start the free RAW-edition on a Debian server. == Installation == The installation of Docker on a server is a requirement (see Docker installation on Debian 12). == Container (custom parameter) == Please note: We will provide the default password shortly so that you can log in right away. Otherwise, you may have trouble logging in. Please note that you have to change the following parameters: * <code>-p 8006:5000</cod..."

These instructions show how to install and start the free RAW-edition on a [[Debian]] server.

== Installation ==
The installation of Docker on a server is a requirement (see [[Docker installation on Debian 12]]).

== Container (custom parameter) ==
Please note: We will provide the default password shortly so that you can log in right away. Otherwise, you may have trouble logging in. Please note that you have to change the following parameters:

* <code>-p 8006:5000</code> (This is the port for accessing the Web-UI, default is usually 8080:5000)
* <code>-p 8007:8000</code> (This is the port for the agent communication, default is usually 8000:8000)
* <code>-e CMK_PASSWORD='relation'</code> (The password for the Web-UI user cmkadmin is set here)
* <code>-e MAIL_RELAY_HOST='mail.thomas-krenn.com'</code> (Please state your mail server if it can be used as relay host)
<pre>

root@js-checkmk-02:/home/tk# docker container run -dit -p 8006:5000 -p 8007:8000 --tmpfs /opt/omd/sites/cmk/tmp:uid=1000,gid=1000 -v monitoring:/omd/sites --name monitoring -v /etc/localtime:/etc/localtime:ro -e CMK_PASSWORD='relation' -e MAIL_RELAY_HOST='mail.thomas-krenn.com' --restart always checkmk/check-mk-raw:2.2.0-latest

Unable to find image 'checkmk/check-mk-raw:2.2.0-latest' locally
2.2.0-latest: Pulling from checkmk/check-mk-raw
125a6e411906: Pull complete
1a8b24f9c661: Pull complete
e005a80d7504: Pull complete
727db143e9a5: Pull complete
1c9d1984857d: Pull complete
6261e32c9473: Pull complete
Digest: sha256:c75927b694b02fbd748c48f1aa9469964f3c003757ebbd01c17e21daaeb08b20
Status: Downloaded newer image for checkmk/check-mk-raw:2.2.0-latest
23a12948f6b3d3a8bb0ed1808a9e4aef6f4183509c14b34de8b84175e7a12a00

</pre>

It is searched for the container image online, which will be downloaded. After that, the container will start immediately. You can verify with <code>docker ps</code> if everything has functioned:

<pre>
root@js-checkmk-01:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
756a5156e143 checkmk/check-mk-raw:2.2.0-latest "/docker-entrypoint.…" 29 seconds ago Up 28 seconds (health: starting) 6557/tcp, 0.0.0.0:8000->8000/tcp, :::8000->8000/tcp, 0.0.0.0:8080->5000/tcp, :::8080->5000/tcp monitoring
</pre>

== Webinterface ==
You can test the Web-UI with <code>http://IP-DES-DOCKER-SERVERS:8006</code>. Here, we used custom port 8006.

== Login data ==
You can log in using the following data in the login screen. Please note that the password is the one you set when you first started the container!

* User: cmkadmin
* Password: relation

{{jsterr}}
{{Aranzinger}}
[[Category:Docker]]
[[Category:Monitoring]]
[[de:Checkmk RAW Edition - Docker Container Installation]]

Proxmox Backup Server No Subscription Update Repository

2026-06-16T09:08:21Z

Aranzinger: Created page with "Proxmox Backup Server offers subscriptions for productive systems with which you can still get support from Proxmox for tested updates. For certain test systems, you may not want to purchase a subscription. The company, Thomas-Krenn.AG, recommends using Proxmox Proxmox Backup Server Support Subscriptions for productive systems. Proxmox Backup Server subscriptions are the only way to fund and support the ongoing development of Proxmox VE and Proxmox PBS. If you still..."

Proxmox Backup Server offers subscriptions for productive systems with which you can still get support from Proxmox for tested updates. For certain test systems, you may not want to purchase a subscription. The company, Thomas-Krenn.AG, recommends using Proxmox [[Proxmox Backup Server Support Subscriptions]] for productive systems. Proxmox Backup Server subscriptions are the only way to fund and support the ongoing development of Proxmox VE and Proxmox PBS. If you still want to use a no-subscription repository, the following error appears after default-installation if you want to start a PBS upgrade via
<pre>
apt update && apt dist-upgrade
</pre>

<pre>
E: Failed to fetch https://enterprise.proxmox.com/debian/pbs/dists/buster/InRelease 401 Unauthorized [IP: 212.224.xxx.xxx 443]
E: The repository 'https://enterprise.proxmox.com/debian/pbs buster InRelease' is not signed.
</pre>

To switch to the pbs-no-subscription repository, you need to edit the repository file:
<pre>
nano /etc/apt/sources.list.d/pbs-enterprise.list
</pre>
and copy the following content into the file or make the following changes. Here, the enterprise repository was commented out and the no-subscription repository was added (Note that, unlike the enterprise repository, the no-subscription repository does not use https)

<pre>
# deb https://enterprise.proxmox.com/debian/pbs buster pbs-enterprise
deb http://download.proxmox.com/debian/pbs buster pbs-no-subscription
</pre>

After completing these steps, the update process also functions without subscription.

{{Jsterr}}
{{Aranzinger}}
[[Category:Proxmox Backupserver]]
[[de:Proxmox Backup Server No Subscription Update Repository]]

Secure SSH login with 2 factor authentication

2026-06-11T10:08:07Z

Aranzinger: /* Configuration */

A SSH shell belongs to the essential management tools on Linux based servers. This shell is already well covered by using certificate based login methods only and by deactivating root logins.
Furthermore, an additional registration step can be added, for example a one-time password, with a second factor. This further enhances security, as a successful login now relies on something you have (the certificate) and something you know (the one-time password). This article shows how to secure '''the SSH login with Google Authenticator as second factor''' on an '''Ubuntu Server 18.04 LTS'''.

== Preparatory measures ==
First, configure certificate-based authentication on your Ubuntu Server 18.04 LTS system using a [[OpenSSH Public Key Authentifizierung unter Ubuntu|OpenSSH Public Key]].

== libpam-google-authenticator ==
The following paragraph provides an insight into the Google Authenticator PAM-module and shows the installation and configuration.

=== Integration ===
The two-factor authentication is connected as PAM module ((Pluggable Authentication Module) to the operating system.

=== Installation ===
The installation of the PAM module from Google Authenticator can be made on Debian and Ubuntu via apt. It is contained in the official package sources.

<code>$ sudo apt install libpam-google-authenticator</code>

=== Compatibility ===
The authentication via PAM module is compatible with a variety of system services. A lot of steps can therefore be further secured using Google Authenticator. The list command applied to the /etc/pam.d/ directory returns the services and tools currently supported in a base installation of Ubuntu 18.04 LTS Server.

<pre>
$ ls -m /etc/pam.d/
atd, chfn, chpasswd, chsh, common-account, common-auth, common-password,
common-session, common-session-noninteractive, cron, login, newusers, other,
passwd, polkit-1, runuser, runuser-l, sshd, su, sudo, systemd-user, vmtoolsd
</pre>

=== Configuration ===
After the PAM module has been installed, it can be presented, initialized and configured as follows:

# Execute Google Authenticator on the console:
#: $ google-authenticator
# Do you want authentication tokens to be time-based (y/n)
#: y, this is used to generate TOTP tokens (time-based one-time password)
#: n, this generates HOTP tokens (counter-based one-time passwords)
#: In this case, the TOTP method is used
# Now, a QR-code is displayed on the SSH-console
#: Scan this code with a compatible app on your smartphone
#: Copy and store the keys listed below safely.
#: With the ''emergency scratch codes,'' the login can be performed without OTP
# Update the ''.google_authenticator'' file with this information.
#: For this, type ''y''.
# Confirm all other questions with ''y'' or with ''n'' if you want to use different settings.

== Integration into SSH-login ==
The Google Authenticator PAM module is fully configured. Now, these services, such as the SSH daemon, can be adjusted to enable a two-factor authentication through it.

'''Important hint:''' If the following configuration is made via SSH session, be sure to keep the current session open and test it in parallel with a second session. If the SSH daemon is misconfigured, you will no longer be able to log in.

=== Adjustments in /etc/pam.d/sshd ===
Open the /etc/pam.d/sshd file with an editor. Comment out the line ''@include common-''auth and add the line for Google Authenticator below it. Store and close the file afterwards.

<pre>
[...]
# Standard Un*x authentication.
#@include common-auth
[...]
# Google Authenticator
auth required pam_google_authenticator.so
</pre>

=== Adjust sshd_config ===
In the configuration file ''/etc/ssh/sshd_config'', you can now set '''ChallengeResponseAuthentication''' to ''yes''.
<pre>
[...]
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
[...]
</pre>

Also, check that UsePAM is set to yes and add the following line below it: '''AuthenticationMethods'''. In this example, an authentication is accepted via public key and one-time password.<ref>[http://manpages.ubuntu.com/manpages/bionic/man5/sshd_config.5.html sshd_config — OpenSSH SSH daemon configuration file] (manpages.ubuntu.com)</ref>

<pre>
[...]
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
[...]
</pre>

=== Restart SSH daemon ===
Now, you can restart the SSH daemon to activate the configuration.

<pre>$ sudo systemctl restart sshd.service</pre>

=== Login process ===
The following screenshots show the login process of an SSH shell with activated two-factor authentication by Google Authenticator.
<gallery>
File:Ubuntu-Bionic-SSH-Login-01.png|Start the SSH session. You will now be asked for the time-based one-time password. Open your app and enter the six-digit numeric code.
File:Ubuntu-Bionic-SSH-Login-02.png|After entering TOTP, the login is made on the Ubuntu server 18.04 LTS system.
</gallery>

== References ==
<references />

{{Tniedermeier}}
{{Aranzinger}}
[[Category:SSH]]
[[de:SSH-Login mit 2-Faktor-Authentifizierung absichern]]

Restrict executable SSH-commands via authorized keys

2026-06-11T07:56:38Z

Aranzinger: Created page with " The '''OpenSSH''' secure shell server allows a secure and encrypted remote access on Linux and Unix systems. On the server side, the '''authorized_keys''' file in the ''.ssh'' folder is primarily used for configuring a SSH public key authentication under Ubuntu. Normally, a user is granted '''full access''' on the system, on which the authentication was set up. In some cases, such as automatized backup processes, it is useful that the access is restricted to just a..."

The '''OpenSSH''' secure shell server allows a secure and encrypted remote access on Linux and Unix systems. On the server side, the '''authorized_keys''' file in the ''.ssh'' folder is primarily used for configuring a [[SSH public key authentication under Ubuntu]]. Normally, a user is granted '''full access''' on the system, on which the authentication was set up. In some cases, such as automatized backup processes, it is useful that the access is restricted to just a few, or even just a single '''command'''. The successful configuration steps are explained in this article.

== Purpose ==
The restriction of executable commands via SSH is mainly used for automatized backups. The dedicated backup users mostly have a private key without key phrase to execute automated backups. On the backup destination server, the public key of the user is added to the ''authorized_keys'' file so that this user can connect without entering a password.

Strictly speaking, from this point on, the user would actually have full access to the backup server, even though, for example, the "rsync" command is always used.

A command restriction for the user avoids that if the private key is compromised, the backup server is automatically compromised as well. As the user is restricted to a command in the ''authorized_keys'' file, it is not allowed to execute another command or to establish a terminal session via SSH.

== Restrict to a single command in authorized_keys ==
The '''/~/.ssh/authorized_keys''' file contains the public key of the user that is allowed to connect. (see also [[SSH public key authentication under Ubuntu]]):
<source lang="bash">
:~$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCj98R[...]
</source>
To restrict the user to a single command, the parameter '''command=''' is entered before the key. After that, whenever an attempt is made to establish an SSH connection, only this command will be executed, even if, for example, a different command was provided.<ref name="sshdef">[http://oreilly.com/catalog/sshtdg/chapter/ch08.html Per-Account Server Configuration] (oreilly.com)</ref> In the following example, the user ''dailybackup'' is restricted to the ''date'' command for demonstration purposes.
For this, the ''command=date'' parameter is defined on the SSH-server:
<source lang="bash">
:~$ cat .ssh/authorized_keys
command="date" ssh-rsa AAAA[...]
</source>
From the client computer that connects to the server via SSH, the only command the user can then execute is ''date'':
<source lang="bash">
:~$ ssh dailybackup@192.168.56.105
Wed Apr 30 14:46:53 CEST 2014
Connection to 192.168.56.105 closed.
:~$ ssh dailybackup@192.168.56.105 "tail /etc/passwd"
Wed Apr 30 14:47:02 CEST 2014
</source>

== Analyse executed command on SSH-server ==
The analysis, which command must be entered in ''authorized_keys'', is made easier by the environment variable ''$SSH_ORIGINAL_COMMAND'':
<source lang="bash">
command="/bin/echo You invoked: $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB[..]
</source>
When a command is issued from the client, the command executed on the server is then displayed for analysis purposes:
<source lang="bash">
:~$ ssh dailybackup@192.168.56.105 tail /etc/passwd
You invoked: tail /etc/passwd
</source>

Some commands, for example ''rsync'', lead to an error message when used with the above ''command''. By taking a roundabout route using a script on the SSH server, the command, that was executed, can be also accessed: <ref name="sshdef" />
<source lang="bash">
:~$ vi logssh.sh
#!/bin/sh
if [ -n "$SSH_ORIGINAL_COMMAND" ]
then
echo "`/bin/date`: $SSH_ORIGINAL_COMMAND" >> $HOME/ssh-command-log
exec $SSH_ORIGINAL_COMMAND
fi
:~$ vi .ssh/authorized_keys
command="/home/dailybackup/logssh.sh" ssh-rsa AAAAB3N[...]
</source>
The client then calls up rsync:
<source lang="bash">
:~/tmp$ rsync -avz test.txt dailybackup@192.168.56.105:/home/dailybackup
sending incremental file list
[...]
</source>
The command executed via SSH appears in the log file on the SSH server. This command can be used again via ''command='' for restrictions:
<source lang="bash">
:~$ cat ssh-command-log
Wed Apr 30 15:10:54 CEST 2014: rsync --server -vlogDtprze.iLsf . /home/dailybackup
</source>

'''Hint:''' For problems with output redirection, <code>exec</code> can be used instead of <code>eval</code>

== Restrict multiple commands in authorized_keys ==
In general, it is possible via additional scripts to allow multiple commands for a key pair.

However, for maximum security, it is easier to generate a private key pair for every desired command and to safe the corresponding command.

== References ==
<references />

{{Gschoenberger}}
{{Aranzinger}}
[[Category:SSH]]
[[de:Ausführbare SSH-Kommandos per authorized keys einschränken]]

OpenSSH public key authentication fails

2026-06-11T06:25:36Z

Aranzinger: Created page with "This article describes how to resolve issues with SSH authentication using public key authentication. In the article SSH key login, it is explained how to set up public key authentication in general. == Server-side problems == In most cases, the reason why public key authentication is not working can be found in the file and directory permissions. The home directory on the server as well as the sub-directory .ssh is not allowed to have writing right..."

This article describes how to resolve issues with SSH authentication using public key authentication. In the article [[SSH Key Login|SSH key login]], it is explained how to set up public key authentication in general.

== Server-side problems ==
In most cases, the reason why public key authentication is not working can be found in the file and directory permissions. The home directory on the server as well as the sub-directory .ssh is not allowed to have writing rights for group and other. Furthermore, the file <code>authorized_keys</code> must be accessible only to the owner.

To set the rights correctly, log in to the server with the user for whom the SSH authentication should function.
<pre>
chmod go-w $HOME $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
chown `whoami` $HOME/.ssh/authorized_keys
</pre>

If this is not possible, you can alternatively deactivate the right verification of the server. The following option must be entered in the <code>/etc/ssh/sshd_config</code> file:
StrictModes no

Another error source can be the wrong settings in <code>/etc/ssh/sshd_config</code>. Here is an extract of options that can influence the public key authentication:
* AuthorizedKeysFile
* PreferredAuthentications
* PubkeyAuthentication

More settings can be found in the '''man sshd_config''' manpage.

== Client-sided problems ==
Alternatively, there may still be issues on the client side, that is, on the computer from which the SSH connection is initiated.

If the file rights are set open for the private key, the following error message is displayed by the SSH client:
<pre>
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for 'xyz' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: xyz
Permission denied (publickey,gssapi-with-mic).
</pre>

In this case, the private key is ignored. Set the rights correctly using the following command:
chmod 600 $HOME/.ssh/<Keyname>

Another possible error source could be a wrong setting in <code>.ssh/config</code> or <code>/etc/ssh/ssh_config</code>. An excerpt of possible options that may affect public key authentication, can be found here:
* PreferredAuthentications
* PubkeyAuthentication

All settings can be found in the '''man ssh_config''' manpage.

== Sources: ==
* http://www.openssh.org/faq.html#3.14

{{Cmitasch}}
{{Aranzinger}}
[[Category:SSH]]
[[de:OpenSSH Public Key Authentication schlägt fehl]]

AMD Security Vulnerabilities - June 2026

2026-06-10T12:16:49Z

Aranzinger: Created page with "On '''June 9th, 2026''', AMD published the security bulletins '''AMD-SB-3039'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3039.html ASP non-Coherent Memory Access – June 2026] (www.amd.com/en/resources/product-security)</ref> and '''AMD-SB-9025'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-9025.html AMD uProf Vulnerabilities – June 2026] (www.amd.com/en/resources/product-security)</ref> for security vulnerabili..."

On '''June 9th, 2026''', AMD published the security bulletins '''AMD-SB-3039'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3039.html ASP non-Coherent Memory Access – June 2026] (www.amd.com/en/resources/product-security)</ref> and '''AMD-SB-9025'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-9025.html AMD uProf Vulnerabilities – June 2026] (www.amd.com/en/resources/product-security)</ref> for security vulnerabilities.

== Information ==
'''AMD-SB-3039''': This is a malicious hypervisor that can undermine the integrity protection mechanisms of AMD Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP), by forcing AMD Security Processor (ASP) to work with the system storage without cache coherence. According to the publication, system settings controlled by the hypervisor enable the reconfiguration of the interaction between the storage requirements of the ASP and the CPU-cache. By disabling coherence, the ASP can read stale data from the DRAM when copying pages and updating the associated metadata, causing the guest to lose the most recent updates in the CPU cache. This could potentially undermine the integrity warranties of the SEV-SNP for guests and could cause data corruption.

'''AMD-SB-9025''': The vulnerability could allow a local attacker with user privileges to write to memory assigned by the kernel. AMD confirms that the issue occurs because from the driver creating a shared-section object with a NULL security descriptor and exposing kernel pointers in shared memory, which could allow an attacker to write to kernel-allocated memory and potentially cause a system crash or a denial-of-service condition.

== Affected systems ==

Here is a table listing the affected processors.

===== AMD EPYC™ Processors =====
{| class="wikitable"
|Product
|Mitigation
|-
|AMD EPYC™ 8004 Series Processors
|GenoaPI
1.0.0.H
|-
|AMD EPYC™ 9004 Series Processors
|GenoaPI
1.0.0.H
|-
|AMD EPYC™ 9005 Series Processors
|TurinPI

1.0.0.8
|-
|AMD EPYC™ Embedded 8004 Series Processors
|EmbGenoaPI-SP5

1.0.0.D
|-
|AMD EPYC™ Embedded 9004 Series Processors

(formerly codenamed "Genoa")
|EmbGenoaPI-SP5

1.0.0.D
|-
|AMD EPYC™ Embedded 9004 Series Processors

(formerly codenamed "Bergamo")
|EmbGenoaPI-SP5

1.0.0.D
|-
|AMD EPYC™ Embedded 9005 Series Processors
|EmbeddedTurinPI_SP5

1004
|}

{| class="wikitable"
| align="center" |CVE
| align="center" |CVSS Score
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2026-54509 CVE-2025-54509]
| align="center" |4.0 (Medium)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2026-0466 CVE-2026-0466]
| align="center" |6.8 (Medium)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2026-28237 CVE-2026-28237]
| align="center" |6.8 (Medium)
|}

In the following, there is an extract of this table in which all Supermicro mainboards are included that are offered by Thomas-Krenn:<ref>[https://www.supermicro.com/en/support/security_AMD-SB-3027 AMD Security Bulletin AMD-SB-3027, January 2027] (www.supermicro.com)</ref>

{| class="wikitable"
|+
!AMD motherboard
! align="center" |'''BIOS version'''
|-
| align="center" |H13SSW
| align="center" |3.8
|-
| align="center" |H13SSL-N/NT
| align="center" |3.8
|}

=== Updates for Thomas-Krenn products ===
Updates on the corresponding system can be found in the <tklink type="sitex" id="440">download area of Thomas-Krenn</tklink>.
The updates in the download area have been tested by us to guarantee the stability and compatibility of our systems.

If you require the latest version for your system and it is not yet available in our download area, you can get it at
[https://www.asus.com/de/support/download-center/ Asus], [https://www.supermicro.com/en/support/resources/downloadcenter/swdownload Supermicro] or [https://www.gigabyte.com/de/Support/Consumer/Download Gigabyte]

== References ==
<references/>

== More information ==
* [https://www.supermicro.com/en/support/security_AMD-SB-3027 AMD Security Bulletin AMD-SB-3039] (supermicro.com, Juni 2026)

{{Thomas-Krenn.AG}}
{{Aranzinger}}
[[Category:AMD Safety Information]]
[[de:AMD Sicherheitslücken - Juni 2026]]

Slow SSH login due to DNS timeout

2026-06-10T08:52:47Z

Aranzinger: Created page with "This article describes solutions for when an '''SSH login is slow'''. ==Problem== It takes approximately 10 seconds when you log in to a Linux system via SSH until the password prompt appears. After this, the SSH session functions completely normal. ==Background== The SSH server tries to make a reverse DNS lookup for the IP from which the SSH connection is established. If there is no functioning configured DNS (for example a wrong registered IP for the DNS server in /..."

This article describes solutions for when an '''SSH login is slow'''.

==Problem==
It takes approximately 10 seconds when you log in to a Linux system via SSH until the password prompt appears. After this, the SSH session functions completely normal.

==Background==
The SSH server tries to make a reverse DNS lookup for the IP from which the SSH connection is established. If there is no functioning configured DNS (for example a wrong registered IP for the DNS server in /etc/resolv.conf), it takes 10 seconds until the timeout is reached for the reverse DNS lookup. Then, the password prompt appears.

In the following, information on the use of <code>ssh -v</code> (verbose mode) is listed:
<pre>
[admin@tpw admin]$ ssh -v root@192.168.1.154
OpenSSH_5.1p1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.1.154 [192.168.1.154] port 22.
debug1: Connection established.
debug1: identity file /home/admin/.ssh/identity type -1
debug1: identity file /home/admin/.ssh/id_rsa type -1
debug1: identity file /home/admin/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.1.154' is known and matches the RSA host key.
debug1: Found key in /home/admin/.ssh/known_hosts:153
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
</pre>
Now, it takes ten minutes until it continues:
<pre>
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/admin/.ssh/identity
debug1: Trying private key: /home/admin/.ssh/id_rsa
debug1: Trying private key: /home/admin/.ssh/id_dsa
debug1: Next authentication method: password
root@192.168.1.154's password:
</pre>
After entering the password, it continues:
<pre>
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.utf8
Linux debian5 2.6.9-023stab048.6-smp #1 SMP Mon Nov 17 18:41:14 MSK 2008 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jun 17 13:20:19 2009 from 192.168.1.52
debian5:~#
</pre>

==Solution==
On the target system, either add the IP address of the computer from which the connection is being established to /etc/hosts, or make sure that the DNS configuration on the target system is working properly.

===Enter IP in /etc/hosts===
The IP can be, for example, entered in /etc/hosts as follows:
<pre>
root@debian5:/# echo "192.168.1.52 laptop" >> /etc/hosts
root@debian5:/# cat /etc/hosts
127.0.0.1 debian5 localhost localhost.localdomain

::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
192.168.1.52 laptop
root@debian5:/#
</pre>

===Verify DNS configuration===
In the example, an incorrect DNS server was configured on the Debian 5 target system. The configuration was corected as follows:
<pre>
root@debian5:/# cat /etc/resolv.conf
nameserver 10.10.18.1
root@debian5:/# echo "nameserver 192.168.1.254" > /etc/resolv.conf
root@debian5:/# cat /etc/resolv.conf
nameserver 192.168.1.254
root@debian5:/#
</pre>

==More information==
* [http://www.macosxhints.com/article.php?story=20050329185832952 macosxhints.com: A possible fix for slow SSH connections ]

{{Wfischer}}
{{Aranzinger}}
[[Category:SSH]]
[[pl:Logowanie przez ssh powolne przez DNS Timeout]]
[[de:SSH Login langsam durch DNS Timeout]]

OpenSSH configuration

2026-06-10T06:30:22Z

Aranzinger: Created page with "The following configuration describes advanced OpenSSH configurations that can be expaned as needed. If you have more interesting contents, kindly send us a message. An overview of all server-side SSH configuration options can be found in the manpage of sshd_config. man sshd_config === Conditional configuration with "Match" === "Match", the configuration option, allows a global configuration (for example in <code>/etc/ssh/sshd_config</code>) to ove..."

The following configuration describes advanced OpenSSH configurations that can be expaned as needed. If you have more interesting contents, kindly send us a [[Special:contact|message]].

An overview of all server-side SSH configuration options can be found in the manpage of sshd_config.
man sshd_config

=== Conditional configuration with "Match" ===
"Match", the configuration option, allows a global configuration (for example in <code>/etc/ssh/sshd_config</code>) to overwrite one that is conditional. The following conditions are possible:
* User
* Group
* Host
* Address[

Here is an example for a configuration in /etc/ssh/sshd_config:
<pre>
PasswordAuthentication no
...

Match User admin
PasswordAuthentication yes
</pre>

In this case, the password authentication is deactivated globally. However, it was subsequently enabled for the "admin" user using a MATCH statement.

In general, "Match" is only for one option allowed:

AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, KbdInteractiveAuthentication, KerberosAuthentication, MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords, PermitOpen, PermitRootLogin, PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding und X11UseLocalHost

=== VPN with OpenSSH ===
OpenSSH offers from version 4.3 the opportunity to set up a VPN tunnel. This creates a tun device on both the local and remote sides. As soon as it has been configured, the VPN can be used.

The "uml-utilities" package must be installed in advance on Ubuntu/Debian. This comes with the '''tunctl''' binary.

The SSH sever configuration '''sshd_config''' must be expanded by the following options:
PermitRootLogin yes
PermitTunnel yes

A tunnel can be set up with the option '''"-w"''':
ssh -w 0:0 1.2.3.4

After this, a "tun0" interface should be visible on both sides. An IP address must then be assigned to it.

You may need to enable IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

For long-term VPN use, we recommend the use of [[OpenVPN with Pre-shared Key|OpenVPN]], which is much easier to configure and automate.

More information can be found here: https://help.ubuntu.com/community/SSH_VPN

{{Cmitasch}}
{{Aranzinger}}
[[Category:SSH]]
[[de:OpenSSH Konfiguration]]

Samba-server basics

2026-06-09T11:35:50Z

Aranzinger: Created page with "A '''Samba-Server''' helps with the integration of '''Windows- and Unix/Linux computers'''.<ref>[http://www.oreilly.de/german/freebooks/samba2ger/ch01.html#936841 Samba, 2. Auflage] www.oreilly.de</ref> '''Files''' can be, for example, exchanged or '''printers''' can be shared. The name Samba comes from the SMB protocol ('''''Server Message Block'''''), which is used for network-based data exchange on Windows. These days, people are increasingly referring to the "'''''Co..."

A '''Samba-Server''' helps with the integration of '''Windows- and Unix/Linux computers'''.<ref>[http://www.oreilly.de/german/freebooks/samba2ger/ch01.html#936841 Samba, 2. Auflage] www.oreilly.de</ref> '''Files''' can be, for example, exchanged or '''printers''' can be shared. The name Samba comes from the SMB protocol ('''''Server Message Block'''''), which is used for network-based data exchange on Windows. These days, people are increasingly referring to the "'''''Common Internet File System'''''" (CIFS) instead of SMB. CIFS is a further development of SMB and was developed by Microsoft.<ref>[http://msdn.microsoft.com/en-us/library/aa365233%28v=vs.85%29.aspx SMB and CIFS overview] (msdn.microsoft.com)</ref>

A free online book by O'Reilly provides detailed information about Samba/CIFS in German. It is available at [http://www.oreilly.de/german/freebooks/samba2ger/ Oreilly Samba 2nd edition]. Furthermore, the Samba community provides a detailed documentation about Samba: [https://help.ubuntu.com/community/Samba Samba Community]. This article presents the basics of working with a Samba server that is set up on '''Ubuntu 10.04 LTS'''.

__TOC__
== Server ==
=== Installation ===
The Samba package <ref>[http://packages.ubuntu.com/lucid/samba Samba Package] (packages.ubuntu.com)</ref> is installed on the server so that a file and print server can be set up.
<source lang="bash">
apt-get install samba
</source>

=== Configuration ===
The central configuration file is located at
<source lang="bash">
sudo vi /etc/samba/smb.conf
</source>
The corresponding man page provides a range of information on how to configure the Samba server using this file:
<source lang="bash">
man smb.conf
</source>
The file is divided into several parts. The global section ([global]) includes basic settings that may be followed by other sections on the release of resources.

As the first step in the configuration, comment out the following line in the "Authentication" section:
<source lang="bash">
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
security = user
</source>
Due to these security measures, an existing user account on the server is required to access the Samba shares.<ref>[https://help.ubuntu.com/10.04/serverguide/C/samba-fileprint-security.html Samba Security] (help.ubuntu.com)</ref>

==== Network interfaces ====
If your server possesses multiple network interfaces, it may be that the smb-server is connected to the wrong interface. To do this, the line
<source lang="bash">
interfaces = 192.168.1.1/24
</source>
can be added to the "[global]" area of smb.conf. In this example, the SMB server listens on the address range in the 192.168.1.1/24 network.<ref>http://tldp.org/HOWTO/SMB-HOWTO-6.html</ref>

==== Add smb password ====
The following command creates a smb-password for the existing user "smbuser". It is important that this step is performed for an existing user, as every smb-user needs a valid account on the server. The password you set can be used later to access the SMB share:
<source lang="bash">
sudo smbpasswd -a smbuser
</source>
As the smb-password does not have to comply with the password of the actual account, it can definitely time-consuming to administrate different passwords. On Ubuntu, the "libpam-smbpass" package exists, which can be used to keep Linux and smb passwords synchronized.

So that the changes are effective, the server must reload the configuration:
<source lang="bash">
sudo service smbd reload
</source>
Zuvor können die modifizierten Einstellungen auch auf ihre Korrektheit geprüft werden:
<source lang="bash">
testparm /etc/samba/smb.conf
</source>

=== Add a resource ===
In the following configuration example, the home directories of the smb-users are released. In the first step, a new resource is added to the "smb.conf" file:
<source lang="bash">
sudo vi /etc/samba/smb.conf
</source>
The following paragraph is commented out:
<source lang="bash">
# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
[homes]
comment = Home Directories
browseable = yes
</source>
Now, the home-directories are available for all users, which means that the users can access each other´s directories (provided, of course, that an SMB password has been set and the user therefore has access to the SMB server). The parameter "browseable" allows Windows users to browse the Samba share using Windows Explorer.
To be more restrictive with home directories, the following line can be commented out:
<source lang="bash">
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only "username" can connect to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S
</source>
Then, for example, the user "tktest" will no longer be able to access the home directory of "smbuser" (from clients perspective):
<source lang="bash">
sudo mount -t smbfs //192.168.56.101/smbuser /media/ -o username=tktest
Password:
mount error(13): Permission denied
</source>
Further security measures are presented, for example, on [https://help.ubuntu.com/10.04/serverguide/C/samba-fileprint-security.html Samba Security] (help.ubuntu.com) or [http://samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html Securing samba] (samba.org).

== Client ==
=== Installation ===
The following package is required for the access on the smb-server on the client:
<source lang="bash">
sudo apt-get install smbfs smbclient
</source>
With the smbclient, an initial connection test can be started:
<source lang="bash">
smbclient -U smbuser -L 192.168.56.101
</source>

=== Mounting of smb share ===
With the mount command, the smb directory can be integrated locally:
<source lang="bash">
sudo mount -t cifs //192.168.56.101/smbuser /media/ -o username=smbuser
</source>
After this command, the smb-directory will be accessible at "/media/

== References ==
<references />

{{Aranzinger}}
[[Category:Ubuntu]]
[[de:Samba-Server Grundlagen]]

Supermicro BMC Security Advisories June 2026

2026-06-09T05:30:51Z

Aranzinger: Created page with "In '''June 2026''', Supermicro published security advisories for the BMC-firmware of its mainboards. This security vulnerability requires a '''firmware update'''. In this article, you will find information on this security advisory and where to find updates on Thomas-Krenn products. == Security advisories == {| class="wikitable" |- style="background-color: #EFEFEF; font-weight: bold;" ! align="center" |CVE ! align="center" |Risk potential: ! align="center" |Title |-..."

In '''June 2026''', Supermicro published security advisories for the BMC-firmware of its mainboards. This security vulnerability requires a '''firmware update'''.

In this article, you will find information on this security advisory and where to find updates on Thomas-Krenn products.

== Security advisories ==
{| class="wikitable"
|- style="background-color: #EFEFEF; font-weight: bold;"
! align="center" |CVE
! align="center" |Risk potential:
! align="center" |Title
|-
|align="center" | [https://www.cve.org/CVERecord?id=CVE-2026-3820 CVE-2026-3820]
| align="center" | 7.2 (high)
| align="center" | '''Command-Injection''' (The security vulnerability allows an attacker to get administrator rights and to manipulate the SMTP service configuration. This could cause the system to execute unintended commands when calling processes)
|-
|}

== Updates for Thomas-Krenn products ==
Updates on the corresponding system can be found in the <tklink type="sitex" id="440">download area of Thomas-Krenn</tklink>.
The updates in the download are have been tested by us to guarantee the stability and compatibility of our systems.

If you require the latest version for your system and it is not yet available in our download area, you will find it at [https://www.asus.com/de/support/download-center/ Asus] or [https://www.supermicro.com/en/support/resources/downloadcenter/swdownload Supermicro].

== More information ==
* [https://www.supermicro.com/en/support/security_BMC_IPMI_Jun_2026 Vulnerabilities in Supermicro BMC firmware, June 2026]
{{Thomas-Krenn.AG}}
{{Aranzinger}}
[[Category: Server Hardware]]
[[de:Supermicro BMC Sicherheitshinweise Juni 2026]]

Samba Sharing with Authentication

2026-06-08T13:06:35Z

Aranzinger: Created page with "As a supplement to a basic Samba share, this article shows you how to set up a username- and password-based Samba share using a Debian 8-based system. Ubuntu 16.04 as well as Windows 10 is used as client software to test the connection. Information on the fundamental and unrestricted release can be found in the article Simple Samba Shares in Debian. == Installation and configuration on Debian server == The following paragraphs show the required configuration..."

As a supplement to a basic Samba share, this article shows you how to set up a username- and password-based Samba share using a [[Debian]] 8-based system. [[Ubuntu]] 16.04 as well as Windows 10 is used as client software to test the connection. Information on the fundamental and unrestricted release can be found in the article [[Simple Samba Shares in Debian]].

== Installation and configuration on Debian server ==
The following paragraphs show the required configuration steps on a Debian server to set up the Samba server. The shared folder can then be mounted using a Linux-based or Windows-based client.

=== Installation of the Samba service ===
The [[Simple Samba Sharing on Debian#Installation of Samba service|Installation of Samba service]] and the basic [[Einfache Samba Freigabe unter Debian#Konfiguration|configuration]] is done in the same way as for the article [[Simple Samba Shares in Debian]].

=== User-restricted configuration ===
This configuration example shows how to do a '''SMB-Share with authentication'''. To do this, a user named "smbuser" is created on the Debian system, and a ''restricted'' share entry is added to the ''smb.conf'' configuration file.

# Create SMB-user
#:<pre>$ sudo useradd -s /bin/false smbuser</pre>
# Set password
#:<pre>$ sudo smbpasswd -a smbuser</pre>
# Entry in the ''smb.conf'' file:
<pre>
[global]
workgroup = smb
security = user
map to guest = never

[homes]
comment = Home Directories
browsable = no
read only = no
create mode = 0750

[restricted]
valid users = smbuser
#We restrict the acces on the ''smbuser'' user
#valid users = @smbusers
#Alternatively, it can also be restricted to one user group.
path = /media/storage2/
public = no
writable = yes
comment = smb restricted share
printable = no
guest ok = no
create mask = 0600
directory mask = 0700
</pre>

This configuration uses the example mountpoint ''/media/storage2''.
To restrict access to the shared folder as much as possible, this ''/media/storage2'' mountpoint is assigned to the ''smbuser'' user and equipped with the directory rights 700 so that this user (and root) receives reading and writing rights.

: <pre>$sudo chown -R smbuser:smbuser /media/storage2</pre>
: <pre>$sudo chmod 700 /media/storage2</pre>

=== Restart Samba ===
To apply the configuration, you have to restart the Samba service. This is made on Debian 8 with ''systemd''.

: <pre>$ sudo systemctl restart smbd.service</pre>

== Mounting of release ==
After the Samba server has been configured and restarted completely, the created share can now be used by clients. This is explained in the following sections using an Ubuntu 16.04 and a Windows 10 client.

=== On a Linux-based client ===
The '''cifs-utils''' package is used in all current Linux-based distributions. Up to and including [[Ubuntu]] 12.04, the old '''smbfs''' package could be used.<ref>[https://wiki.ubuntuusers.de/Samba_Client_cifs/ Samba Client cifs] (wiki.ubuntuusers.de)</ref>

: <pre>$ apt-get install cifs-utils</pre>

The Samba user ''smbuser'', as configured on the Debian system, is used, and you will be prompted for the password.
<pre>
$ sudo mount -t cifs //<IP-des-Samba-Servers>/restricted /media/tniedermeier/test -o user=smbuser
Password for smbuser@//<IP-des-Samba-Servers>/restricted: ********
</pre>

Further information on mounted releases can be received using the "mount" command in the terminal.

=== On a Windows 10 client ===
The share can be connected to a Windows 10 client as explained in the following section. There are multiple opportunities to establish a connection.

You can connect to the network drive using the following command in the command prompt:<ref>[https://technet.microsoft.com/en-us/en-en/library/gg651155(v=ws.11).aspx Net use] (technet.microsoft.com)</ref>
:<code>C:\Users\tniedermeier>net use <Laufwerksbuchstabe>: \\<IP-des-Samba-Servers>\restricted /user:smbuser <Passwort></code>

Alternatively, you can also connect the network drive using file explorer, as explained in the following steps:
<gallery>
File:samba-windows10-authentifizierung-001.png|'''Step 1:''' Click right on "Network" in the left-hand menu of the file explorer, then click left on the context menu option "Map network drive".
File:samba-windows10-authentifizierung-002.png|'''Step 2:''' Select an available drive letter and type the path to the shared folder in the "Folder" field, for example ''\\<IP-des-Samba-Servers>\restricted''. After this, click on ''Finish''.
File:samba-windows10-authentifizierung-003.png|The network drive has been started successfully. Its content is now displayed in the explorer.
File:samba-windows10-authentifizierung-004.png|The new connected network drive ''restricted'' is now displayed in the left hand menu of the explorer.
</gallery>

If you want to access the release without assigning a drive letter to it, you can also simply type the network path directly into the address bar in the explorer:
: <code>\\<IP-des-Samba-Servers>\restricted</code>

== References ==
<references />

{{Tniedermeier}}
{{Aranzinger}}
[[Category:Debian]]
[[de:Samba Freigabe mit Authentifizierung]]
[[pl:Udostępnienie w Sambie z uwierzytelnieniem]]

Secure SSH login on Debian with fail2ban

2026-06-05T08:26:17Z

Aranzinger: Created page with "'''fail2ban''', which is a tool written in Python, pursues the target to secure server services against DoS attacks. It verifies log files according to predefined patterns and temporarily blocks the relevant IP addresses if access attempts fail repeatedly. This article explains how to secure a Debian based server with fail2ban. The used version from fail2ban is '''1.0.2-2''' on '''Debian 12'''. ==Problem== When executing the command "journalctl -u ssh", multiple failed..."

'''fail2ban''', which is a tool written in Python, pursues the target to secure server services against DoS attacks. It verifies log files according to predefined patterns and temporarily blocks the relevant IP addresses if access attempts fail repeatedly. This article explains how to secure a Debian based server with fail2ban. The used version from fail2ban is '''1.0.2-2''' on '''Debian 12'''.

==Problem==
When executing the command "journalctl -u ssh", multiple failed login attempts appear with the protocol SSH that were not written by you.

<pre>
Feb 19 09:21:15 servername sshd[22796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.207.xx.xx user=root
Feb 19 09:21:17 servername sshd[22796]: Failed password for root from 218.207.xx.xx port 22 ssh2
</pre>

==Explanation==
* The removed user (accidentally) used the wrong server IP and accidentally tried to log in to your server. The number of login attempts is usually low here.
* You are the victim of a Brute Force attack, which automatically attempts to log in using the root user and various passwords (for example from so-called dictionary files). The number of login attempts is noticeably high here.

==Solution==
Secure your SSH login with the fail2ban tool, [[Prohibit SSH root login on Debian]] or only login with [[SSH public key authentication under Ubuntu]].

==What is fail2ban==
fail2ban is a tool written in Python that secures different server services against unauthorized access.
In the configuration example below, an IP address is blocked for one hour after 4 failed login attempts for SSH have occurred.
==Installation of fail2ban==
<pre lang="bash">
sudo apt install fail2ban
</pre>
==Configuration of fail2ban==
In the ''/etc/fail2ban/'' folder, you will find the global configuration file ''jail.conf''. However, this file cannot be edited, since it is overwritten every time the package is updated. The own configuration can be made in the
"jail.local".
<pre>
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local>
</pre>
Hierzu kopieren Sie die "jail.conf" nach "jail.local".
<pre lang="bash">
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
</pre>

Verify the settings on your local IP address of your server. The duration for which an IP address should be blocked is increased to an hour in our example and the number of blocks to be created is reduced to 3. Similarly, the Banaction must be changed from "iptables" to "nftables" when configuring. This configuration must be made in the following section of the ''jail.local'' file:

<pre>
[...]
[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

[...]

banaction = nftables-multiport
banaction_allports = nftables-allports
</pre>
You can adjust the parameters for individual services (as here in the SSH daemon article) separately.

Now, in the section for the SSH daemon in your own ''jail.local'' configuration file (which you copied earlier), add the necessary parameters to monitor it via fail2ban:

<pre>
[...]
#
# SSH servers
#

[sshd]

enabled = true
port = ssh
# filter = sshd
logpath = %(sshd_log)s
backend = systemd
maxretry = 4
[...]
</pre>

After this, restart fail2ban so that the changes are applied.

<code>sudo systemctl restart fail2ban.service</code>

{{Thomas-Krenn.AG}}
{{Aranzinger}}
[[Category:Debian]]
[[Category:SSH]]
[[pl:Zabezpieczenie loginu SSH w Debianie z fail2ban]]
[[de:SSH Login unter Debian mit fail2ban absichern]]

Prohibit SSH root login on Debian

2026-06-05T05:25:36Z

Aranzinger: /* Further securing of the SSH server */

If you want to prohibit the direct SSH root login on Debian, you will need at least one additional user to the root user, who is authorized to log in to the server. With this user, you can switch to the root account.

'''ATTENTION:''' If you did not create any other users, you will log yourself out of the system!

== PermitRootLogin no ==

Edit the /etc/ssh/sshd_config file and set
PermitRootLogin yes

on
PermitRootLogin no

After this, restart the SSH service
/etc/init.d/ssh restart (alternatively: service ssh restart)

Now, the root user is not allowed to log into the system directly. You have to log in as usual with a user account and then switch with
su

to the root account.

== AllowGroups ==

You can also use the AllowGroups parameter to restrict which users are allowed to log in via SSH.

Excerpt from the <code>man sshd_config</code>:
:<cite>AllowGroups</cite>
::<cite>This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.</cite>

To create a group named sshusers and add a user to that group, execute the following commands as the root user:
addgroup --system sshusers
adduser xyz sshusers

After this, configure the following options in /etc/ssh/sshd_config:
LoginGraceTime 30
AllowGroups sshusers
PermitRootLogin no
StrictModes yes

Then restart the SSH service
/etc/init.d/ssh restart

== Further securing of the SSH server ==
More information on securing a SSH server can be found in the following articles:
* [[Securing SSH Login on Debian with fail2ban]]
* [[SSH Key Login]]
{{Aranzinger}}
[[Category:Debian]][[Category:Linux]]
[[de:SSH Root Login unter Debian verbieten]]

Raspi-firmware: missing /boot/firmware, did you forget to mount it

2026-06-03T12:41:35Z

Aranzinger:

When installing [[Debian]] 12.0 using the live image, the raspi-firmware package will be also installed. However, this is not required on x86 systems and should therefore be deinstalled. If raspi-firmware is present, however, it causes the following error when installing a kernel update: '''raspi-firmware: missing /boot/firmware, did you forget to mount it?'''.

== Problem ==
Debian 12.0 was installed via live image. When attempting to install updates using '''sudo apt dist-upgrade''', the following error occurs:
<pre>
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-6.1.0-10-amd64
raspi-firmware: missing /boot/firmware, did you forget to mount it?
run-parts: /etc/initramfs/post-update.d//z50-raspi-firmware exited with return code 1
run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
dpkg: error processing package linux-image-6.1.0-10-amd64 (--configure):
installed linux-image-6.1.0-10-amd64 package post-installation script subprocess returned error exit status 1
</pre>

It is no longer possible to deinstall raspi-firmware without first performing some preparatory steps. The deinstallation will fail otherwise.

== Solution ==
First, the new kernel must be deinstalled. Remove raspi-firmware and reinstall linux-image-amd64. After this, updates are possible without problems:
# '''sudo apt purge linux-image-6.1.0-10-amd64'''
#: This will remove two packages: ''The following packages will be REMOVED: linux-image-6.1.0-10-amd64* linux-image-amd64*'' '''sudo apt purge raspi-firmware'''
# '''sudo apt install linux-image-amd64'''
#: This will reinstall both packages due to their dependencies: ''The following NEW packages will be installed: linux-image-6.1.0-10-amd64 linux-image-amd64''

== More information ==
* [https://forums.debian.net/viewtopic.php?t=154857 Errors while updating system or install new packages Debian 12 (Solved sort of)] (forums.debian.net, 12.06.2023)
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035382 Bookworm amd64 live install ISO RC1 and RC2 install pointless raspi-firmware package] (bugs.debian.org)
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035783 raspi-firmware: unowned files after purge (policy 6.8, 10.8): /boot/firmware/fixup*.dat, /boot/firmware/start*.elf, /boot/firmware/bootcode.bin] (bugs.debian.org)

{{Wfischer}}
{{Aranzinger}}
[[Category:Debian]]
[[de:Raspi-firmware: missing /boot/firmware, did you forget to mount it]]

Setup Postfix in Debian

2026-05-29T06:24:32Z

Aranzinger: Created page with "'''Postfix''' is a widely used mail server, or more specifically, an MTA ([http://de.wikipedia.org/wiki/Mail_Transfer_Agent Mail Transfer Agent]). In this article, we describe how to install Postfix on Debian Lenny 5.0. In this example, we use a test server (lists.wefi.net). Replace this name with the name of your server. == Install package == The Postfix installation must be started on the command line as follows: apt-get install postfix Debian provides a note that..."

'''Postfix''' is a widely used mail server, or more specifically, an MTA ([http://de.wikipedia.org/wiki/Mail_Transfer_Agent Mail Transfer Agent]). In this article, we describe how to install Postfix on Debian Lenny 5.0. In this example, we use a test server (lists.wefi.net). Replace this name with the name of your server.

== Install package ==
The Postfix installation must be started on the command line as follows:
apt-get install postfix

Debian provides a note that Exim is removed and questions if you want to continue with the installation:
<pre>
lists:~# apt-get install postfix
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
procmail postfix-mysql postfix-pgsql postfix-ldap postfix-pcre sasl2-bin libsasl2-modules
resolvconf postfix-cdb ufw
The following packages will be REMOVED:
exim4 exim4-base exim4-config exim4-daemon-light
The following NEW packages will be installed:
postfix
0 upgraded, 1 newly installed, 4 to remove and 0 not upgraded.
Need to get 1224kB of archives.
After this operation, 1008kB disk space will be freed.
Do you want to continue [Y/n]? y
Get:1 http://http.at.debian.org lenny/main postfix 2.5.5-1.1 [1224kB]
Fetched 1224kB in 0s (6060kB/s)
Preconfiguring packages ...
</pre>

=== Package configuration ===
[[file:Postfix-Installation-unter-Debian-Lenny-01-tpye-of-mail-configuration.png|right|thumb|300px|Postfix Configuration: General type of mail configuration]]
In the first configuration step, we select '''Internet Site''' in this example. Select the corresponding entry depending on your individual requirements.
<pre>
Package configuration
┌───────────────────────────┤ Postfix Configuration ├───────────────────────────┐
│ Please select the mail server configuration type that best meets your needs. │
│ │
│ No configuration: │
│ Should be chosen to leave the current configuration unchanged. │
│ Internet site: │
│ Mail is sent and received directly using SMTP. │
│ Internet with smarthost: │
│ Mail is received directly using SMTP or by running a utility such │
│ as fetchmail. Outgoing mail is sent using a smarthost. │
│ Satellite system: │
│ All mail is sent to another machine, called a 'smarthost', for delivery. │
│ Local only: │
│ The only delivered mail is the mail for local users. There is no network. │
│ │
│ General type of mail configuration: │
│ │
│ No configuration │
│ Internet Site │
│ Internet with smarthost │
│ Satellite system │
│ Local only │
│ │
│ │
│ <Ok> <Cancel> │
│ │
└───────────────────────────────────────────────────────────────────────────────┘
</pre>

[[file:Postfix-Installation-unter-Debian-Lenny-02-system-mail-name.png|right|thumb|300px|Postfix Configuration: System mail name]]
In the second step, we state the mail name of the server. Since the example involves a mailing list server, here lists.wefi.net (the mail address, for example, is then mailingliste@lists.wefi.net):
<pre>
Package configuration

┌──────────────────────────────────┤ Postfix Configuration ├───────────────────────────────────┐
│ The "mail name" is the domain name used to "qualify" _ALL_ mail addresses without a domain │
│ name. This includes mail to and from <root>: please do not make your machine send out mail │
│ from root@example.org unless root@example.org has told you to. │
│ │
│ This name will also be used by other programs. It should be the single, fully qualified │
│ domain name (FQDN). │
│ │
│ Thus, if a mail address on the local host is foo@example.org, the correct value for this │
│ option would be example.org. │
│ │
│ System mail name: │
│ │
│ lists.wefi.net______________________________________________________________________________ │
│ │
│ <Ok> <Cancel> │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
</pre>

=== Completion of installation ===
<pre>
(Reading database ... 21540 files and directories currently installed.)
Removing exim4 ...
dpkg: exim4-config: dependency problems, but removing anyway as you request:
exim4-base depends on exim4-config (>= 4.30) | exim4-config-2; however:
Package exim4-config is to be removed.
Package exim4-config-2 is not installed.
Package exim4-config which provides exim4-config-2 is to be removed.
exim4-base depends on exim4-config (>= 4.30) | exim4-config-2; however:
Package exim4-config is to be removed.
Package exim4-config-2 is not installed.
Package exim4-config which provides exim4-config-2 is to be removed.
Removing exim4-config ...
dpkg: exim4-daemon-light: dependency problems, but removing anyway as you request:
bsd-mailx depends on exim4 | mail-transport-agent; however:
Package exim4 is not installed.
Package mail-transport-agent is not installed.
Package exim4-daemon-light which provides mail-transport-agent is to be removed.
Removing exim4-daemon-light ...
Stopping MTA: exim4_listener.
Removing exim4-base ...
Processing triggers for man-db ...
Selecting previously deselected package postfix.
(Reading database ... 21404 files and directories currently installed.)
Unpacking postfix (from .../postfix_2.5.5-1.1_i386.deb) ...
Processing triggers for man-db ...
Setting up postfix (2.5.5-1.1) ...
Adding group `postfix' (GID 108) ...
Done.
Adding system user `postfix' (UID 104) ...
Adding new user `postfix' (UID 104) with group `postfix' ...
Not creating home directory `/var/spool/postfix'.
Creating /etc/postfix/dynamicmaps.cf
Adding tcp map entry to /etc/postfix/dynamicmaps.cf
Adding group `postdrop' (GID 109) ...
Done.
setting myhostname: lists.wefi.net
setting alias maps
setting alias database
changing /etc/mailname to lists.wefi.net
setting myorigin
setting destinations: lists.wefi.net, localhost.wefi.net, , localhost
setting relayhost:
setting mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
setting mailbox_size_limit: 0
setting recipient_delimiter: +
setting inet_interfaces: all
WARNING: /etc/aliases exists, but does not have a root alias.

Postfix is now set up with a default configuration. If you need to make
changes, edit
/etc/postfix/main.cf (and others) as needed. To view Postfix configuration
values, see postconf(1).

After modifying main.cf, be sure to run '/etc/init.d/postfix reload'.

Running newaliases
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
lists:~#
</pre>

=== Verification of mail delivery ===
You can verify with telnet (as described in [[Test TCP Port 25 (smtp) access with telnet]]) if the mail delivery functions:

<pre>
ubuntu@ubuntu:~$ telnet lists.wefi.net 25
Trying 80.66.32.103...
Connected to lists.wefi.net.
Escape character is '^]'.
220 lists.wefi.net ESMTP Postfix (Debian/GNU)
EHLO test.example.com
250-lists.wefi.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: test@example.com
250 2.1.0 Ok
RCPT TO: postmaster@lists.wefi.net
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Test message

This is a test.

.
250 2.0.0 Ok: queued as 87D2CDE40A2
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
user@ubuntu:~$
</pre>

This message has now been delivered to the server:
<pre>
lists:~# mail
Mail version 8.1.2 01/15/2001. Type ? for help.
"/var/mail/root": 1 message 1 new
>N 1 test@example.com Tue Jun 1 10:00 16/545 Testnachricht
& 1
Message 1:
From test@example.com Tue Jun 1 10:00:49 2010
X-Original-To: postmaster@lists.wefi.net
Subject: Testnachricht
Date: Tue, 1 Jun 2010 10:00:08 +0200 (CEST)
From: test@example.com
To: undisclosed-recipients:;

This is a test.

& q
Saved 1 message in /root/mbox
lists:~#
</pre>

== More information ==
* [http://de.wikipedia.org/wiki/Postfix_%28Mail_Transfer_Agent%29 Postfix (Mail Transfer Agent)] (Wikipedia)
* [http://www.postfix.org/ Postfix Projekt Webseite]

{{Wfischer}}
{{Aranzinger}}
[[Category:Debian]]
[[de:Postfix unter Debian einrichten]]
[[pl:Konfiguracja Postfix-a w Debianie]]

Creating mailing lists in Mailman

2026-05-28T11:54:19Z

Aranzinger: /* Configuration parameter */

In this article, we explain how to '''create a new mailing list in Debian'''. We also present important configuration parameters. Information on installing Mailman can be found in the article [[Setup Mailman in Debian]].

== Create mailing list ==

A new mailing list can be created with the '''newlist''' command. Next, enter your email address. Mailman will use this address to send you email notifications in the future (for example, when new subscribers join the mailing list). Then, configure /etc/aliases as described:
<pre>
lists:~# newlist test-mailingliste
Enter the email of the person running the list: email@example.org
Initial test-mailingliste password:
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## test-mailingliste mailing list
test-mailingliste: "|/var/lib/mailman/mail/mailman post test-mailingliste"
test-mailingliste-admin: "|/var/lib/mailman/mail/mailman admin test-mailingliste"
test-mailingliste-bounces: "|/var/lib/mailman/mail/mailman bounces test-mailingliste"
test-mailingliste-confirm: "|/var/lib/mailman/mail/mailman confirm test-mailingliste"
test-mailingliste-join: "|/var/lib/mailman/mail/mailman join test-mailingliste"
test-mailingliste-leave: "|/var/lib/mailman/mail/mailman leave test-mailingliste"
test-mailingliste-owner: "|/var/lib/mailman/mail/mailman owner test-mailingliste"
test-mailingliste-request: "|/var/lib/mailman/mail/mailman request test-mailingliste"
test-mailingliste-subscribe: "|/var/lib/mailman/mail/mailman subscribe test-mailingliste"
test-mailingliste-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe test-mailingliste"

Hit enter to notify test-mailingliste owner...

lists:~# vi /etc/aliases
lists:~# tail -n 12 /etc/aliases

## test-mailingliste mailing list
test-mailingliste: "|/var/lib/mailman/mail/mailman post test-mailingliste"
test-mailingliste-admin: "|/var/lib/mailman/mail/mailman admin test-mailingliste"
test-mailingliste-bounces: "|/var/lib/mailman/mail/mailman bounces test-mailingliste"
test-mailingliste-confirm: "|/var/lib/mailman/mail/mailman confirm test-mailingliste"
test-mailingliste-join: "|/var/lib/mailman/mail/mailman join test-mailingliste"
test-mailingliste-leave: "|/var/lib/mailman/mail/mailman leave test-mailingliste"
test-mailingliste-owner: "|/var/lib/mailman/mail/mailman owner test-mailingliste"
test-mailingliste-request: "|/var/lib/mailman/mail/mailman request test-mailingliste"
test-mailingliste-subscribe: "|/var/lib/mailman/mail/mailman subscribe test-mailingliste"
test-mailingliste-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe test-mailingliste"
lists:~# postalias /etc/aliases
lists:~#
</pre>

== Configuration parameter ==
Some important configuration parameters can be adjusted in the web interface:
* General options:
** '''real_name''': Name of mailing list.
** '''description''': A brief one-lined description.
** '''reply_goes_to_list''': Here, you can define where replies to postings should be sent (E-Mail Reply-To field). "This list" is often a good choice here. "Explicit address" is particularly useful for announcement mailing lists. In that case, you can use the '''reply_to_address''' option to specify, for example, a different mailing list as the Reply-To address, to which users can send their replies.
** '''host_name''': Hostname, at which the email address can be reached (just check this value).
* Privacy options:
** '''private_roster''': Specifies who can view the list of all mailing list subscribers. ''List members'' is the default setting, but ''List admin only'' is often the better choice.
* Privacy options: Sender filters:
** '''default_member_moderation''': Specifies whether posts from new members are moderated. This is useful, for example, for announcement mailing lists.

{{Wfischer}}
{{Aranzinger}}
[[Category:Debian]]
[[de:Mailinglisten unter Mailman erstellen]]
[[pl:Tworzenie list dyskusyjnych w Mailman-ie]]

Setup of Mailman in Debian

2026-05-22T08:10:39Z

Aranzinger: /* Completed installation */

'''GNU Mailman''' is a software for administrating mailing lists for free. In this article, we describe how to setup Mailman on Debian Lenny (Debian 5.0). At Thomas-Krenn, we use Mailman for mailing lists of the [[IPMI Sensor Monitoring Plugin]].

== Install MTA ==
For the operation of mailing lists with Mailman, the MTA (Mail Transfer Agent) is required. During the subsequent installation of Postfix, select '''Internet Site''' as the 'General type of mail configuration'.

Further information on the installation of Postfix can be found in the article [[Setup of Postfix on Debian]].

== Install Mailman ==

The Mailman can be installed using apt-get:

apt-get install mailman

<pre>
lists:~# apt-get install mailman
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
apache2 apache2-mpm-worker pwgen python-support ucf
Suggested packages:
spamassassin lynx listadmin
The following NEW packages will be installed:
apache2 apache2-mpm-worker mailman pwgen python-support ucf
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 9965kB of archives.
After this operation, 45.7MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://http.at.debian.org lenny/main python-support 0.8.4lenny1 [28.4kB]
Get:2 http://http.at.debian.org lenny/main ucf 3.0016 [64.4kB]
Get:3 http://security.debian.org lenny/updates/main apache2-mpm-worker 2.2.9-10+lenny7 [242kB]
Get:4 http://http.at.debian.org lenny/main pwgen 2.06-1 [19.2kB]
Get:5 http://http.at.debian.org lenny/main mailman 1:2.1.11-11 [9566kB]
Get:6 http://security.debian.org lenny/updates/main apache2 2.2.9-10+lenny7 [45.4kB]
Fetched 9965kB in 1s (5665kB/s)
Preconfiguring packages ...
</pre>

=== Package configuration ===

==== Supported language ====
[[file:Mailman-Installation-unter-Debian-Lenny-01-languages-to-support.png|right|thumb|300px|Configuring mailman: Languages to support]]
The request on which language should be supported appears during installation:
<pre>
Package configuration

┌────────────────────────────────────┤ Configuring mailman ├────────────────────────────────────┐
│ For each supported language, Mailman stores default language specific texts in │
│ /etc/mailman/LANG/ giving them conffile like treatment with the help of ucf. This means │
│ approximately 150kB for each supported language on the root file system. │
│ │
│ If you need a different set of languages at a later time, just run dpkg-reconfigure mailman. │
│ │
│ NOTE: Languages enabled on existing mailing lists are forcibly re-enabled when deselected │
│ and mailman needs at least one language for displaying its messages. │
│ │
│ Languages to support: │
│ │
│ [ ] ar (Arabic) │
│ [ ] ca (Catalan) │
│ [ ] cs (Czech) ▒ │
│ [ ] da (Danish) ▒ │
│ [*] de (German) ▒ │
│ [*] en (English) ▒ │
│ [ ] es (Spanish) ▒ │
│ [ ] et (Estonian) ▒ │
│ [ ] eu (Basque) │
│ │
│ │
│ <Ok> │
│ │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
</pre>

==== Default language ====
[[file:Mailman-Installation-unter-Debian-Lenny-02-default-language-for-mailman.png|right|thumb|300px|Configuring mailman: Default language for Mailman]]
If you have choosen multiple languages, the default language can be determined:
<pre>
Package configuration
┌────────────────────────────────────┤ Configuring mailman ├────────────────────────────────────┐
│ The web page will be shown in this language, and in general, Mailman will use this language │
│ to communicate with the user. │
│ │
│ Default language for Mailman: │
│ │
│ de (German) │
│ en (English) │
│ │
│ │
│ <Ok> │
│ │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
</pre>

==== Note on further configuration steps ====
[[file:Mailman-Installation-unter-Debian-Lenny-03-missing-site-list.png|right|thumb|300px|Configuring mailman: Missing site list]]
Finally, here is a note regarding additional configuration steps that are required that must be performed manually after installation:
<pre>
Package configuration

┌────────────────────────────────────┤ Configuring mailman ├────────────────────────────────────┐
│ │
│ Missing site list │
│ │
│ Mailman needs a so-called "site list", which is the list from which password reminders and │
│ such are sent out from. This list needs to be created before mailman will start. │
│ │
│ To create the list, run "newlist mailman" and follow the instructions on-screen. Note that │
│ you also need to start mailman after that, using /etc/init.d/mailman start. │
│ │
│ <Ok> │
│ │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
</pre>

=== Completion of installation ===
<pre>
Selecting previously deselected package python-support.
(Reading database ... 21572 files and directories currently installed.)
Unpacking python-support (from .../python-support_0.8.4lenny1_all.deb) ...
Selecting previously deselected package apache2-mpm-worker.
Unpacking apache2-mpm-worker (from .../apache2-mpm-worker_2.2.9-10+lenny7_i386.deb) ...
Selecting previously deselected package apache2.
Unpacking apache2 (from .../apache2_2.2.9-10+lenny7_all.deb) ...
Selecting previously deselected package ucf.
Unpacking ucf (from .../archives/ucf_3.0016_all.deb) ...
Moving old data out of the way
Selecting previously deselected package pwgen.
Unpacking pwgen (from .../archives/pwgen_2.06-1_i386.deb) ...
Selecting previously deselected package mailman.
Unpacking mailman (from .../mailman_1%3a2.1.11-11_i386.deb) ...
Processing triggers for man-db ...
Setting up python-support (0.8.4lenny1) ...
Setting up apache2-mpm-worker (2.2.9-10+lenny7) ...
Starting web server: apache2.
Setting up apache2 (2.2.9-10+lenny7) ...
Setting up ucf (3.0016) ...
Setting up pwgen (2.06-1) ...
Setting up mailman (1:2.1.11-11) ...
Looking for enabled languages (this may take some time) ... done.
Installing site language en ............................................ done.
Configuring mailman for domain lists.wefi.net ...
Upgrading from version 0x0 to 0x2010bf0
getting rid of old source files
Site list for mailman missing (looking for list named 'mailman'). (warning).
Please create it; until then, mailman will refuse to start. (warning).
lists:~#
</pre>

== Further configuration ==

=== Verify configuration ===
The configuration file, /etc/mailman/mm_cfg.py, must be verified. It is important that all DEFAULT entries are correct:
<pre>
lists:~# grep DEFAULT /etc/mailman/mm_cfg.py
DEFAULT_MSG_FOOTER for an example."""
DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/'
DEFAULT_EMAIL_HOST = 'lists.wefi.net'
DEFAULT_URL_HOST = 'lists.wefi.net'
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
DEFAULT_SERVER_LANGUAGE = 'en'
DEFAULT_SEND_REMINDERS = 0
lists:~#
</pre>

=== newlist mailman ===

The so-called 'site list' can be created using
newlist mailman.
One of your addresses must be stated here as email address:
<pre>
lists:~# newlist mailman
Enter the email of the person running the list: email@example.org
Initial mailman password:
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## mailman mailing list
mailman: "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Hit enter to notify mailman owner...

lists:~#
</pre>
'''Note:''' The message will not be sent to the specified email address until Mailman has been started.

Now, the entries in /etc/aliases must be added and the command <code>postadmin /etc/aliases</code> must be executed (if you use Postfix as here in the example):
<pre>
lists:~# vi /etc/aliases
lists:~# cat /etc/aliases
# /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root

## mailman mailing list
mailman: "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"

lists:~# postalias /etc/aliases
lists:~#
</pre>

=== Start Mailman ===
Now, start Mailman:
/etc/init.d/mailman start

=== Create mailing lists ===
Information on this topic can be found in the article [[Creation of mailing lists in Mailman]].

== More information ==
* http://de.wikipedia.org/wiki/GNU_Mailman
* http://library.linode.com/email/mailman/debian-5-lenny

{{Wfischer}}
{{Aranzinger}}
[[Category:Debian]]
[[pl:Mailman w Debianie]]
[[de:Mailman unter Debian einrichten]]

Setting up password authentication with Active Directory on Debian

2026-05-22T05:01:48Z

Aranzinger: Created page with "Central directory services such as OpenLDAP or Active Directory (AD) simplify the '''password management''' for administrator and user. With regard to Linux server, the aspect of the SSH '''authentication''' via AD is interesting. From an IT security perspective, this solution also has its advantages: * Administrators do not have to choose and administrate different passwords for every server. You can log in to the servers with the AD password. * The password change or d..."

Central directory services such as OpenLDAP or Active Directory (AD) simplify the '''password management''' for administrator and user. With regard to Linux server, the aspect of the SSH '''authentication''' via AD is interesting. From an IT security perspective, this solution also has its advantages:
* Administrators do not have to choose and administrate different passwords for every server. You can log in to the servers with the AD password.
* The password change or deactivation of an account can be made via AD.
* Central administrated root passwords do not have to be known by all administrators anymore.

The following article shows how to configure an in Debian 7 ''wheezy'' with '''libpam-ldapd''' via ''mod_pam'' with an AD. The authentication is not only valid for [[:Kategorie:SSH|SSH]] but also for all services that use PAM (like, for example, ''sudo'') after successful configuration. As the libpam-ldapd packages are also available for Ubuntu<ref>[http://packages.ubuntu.com/trusty/libpam-ldapd libpam-ldapd] (packages.ubuntu.com)</ref>, the instructions can be also used for Ubuntu.

__TOC__
== Requirements and purpose ==
The following information is required for the setup:
# The LDAP-URL of the AD server
# The search or Base DN in which the users are located.
# (recommended) A Bind DN, including a password, used to search the Active Directory or the base DN.
# For TLS
#* The certificate file for the encrypted communication (since passwords are transferred between the server and AD during authentication, an encrypted communication is highly recommended).
# The users, who want to sign up, '''must already exist''' on the server

In the following, the objectives of the instructions are listed:
* Password authentication of users via the passwords stored in AD.
* Other things like groups, home-paths or similar are '''not''' retrieved from the AD.
* The ''root'' user should be able to sign up with local passwords.

'''Attention: Changes to PAM module configurations may prevent you from logging in or authenticating. Always have a root terminal ready in case of an emergency!'''

== Testing connection to AD ==
First, the connection between server<->AD is tested. When using LDAP with START_TLS, the communication is made via port 389:
<pre>
# telnet ldap.example.com 389
Trying ...
Connected to ldap.example.com
Escape character is '^]'.
</pre>

After this, an actual LDAP query is made via ldapsearch (for an encrypted connection - parameter '-ZZ' -, the certificate must be configured in the ''/etc/ldap.conf'' file.):
<pre>
ldapsearch -x -H ldap://ldap.example.com -D "CN=Georg Schönberger,OU=Users,DC=example,DC=com" \
-b OU=Users,DC=example,DC=com -W -ZZ sAMAccountName=gschoenberger
</pre>

== Installation of libpam-ldapd ==
The central component on the Debian server forms the package [https://packages.debian.org/wheezy/libpam-ldapd libpam-ldapd] (packages.debian.org). With this package, the daemon [https://packages.debian.org/wheezy/nslcd nslcd] (packages.debian.org) is also installed that is responsible for the communication between server <-> AD.
<pre>
# apt-get install libpam-ldapd
[...]
The following NEW packages will be installed:
bind9-host geoip-database ldap-utils libbind9-80 libcap2 libdns88 libgeoip1 libisc84 libisccc80 libisccfg82
liblwres80 libnss-ldapd libpam-ldapd libxml2 nscd nslcd sgml-base xml-core
</pre>

<gallery>
Ldap-auth-configure-1.png|The LDAP-Url points to the host name of the AD-server.
Ldap-auth-configure-2.png|The search base is the part of the directory where users are located.
Ldap-auth-configure-3.png|If the AD is only used for the password authentication, the file ''nsswitch.conf'' does not have to be configured.
</gallery>

Those who want to perform the package configuration once again, to adjust values, must to call up
<pre>
# dpkg-reconfigure nslcd
</pre>

== Configuration of nslcd ==
The following map and filter entries, binddn and bindpw, and TLS options must be added to the ''/etc/nslcd.conf'' file:
<pre>
[...]
base ou=Users,dc=example,dc=com
map passwd uid sAMAccountName
filter passwd (objectClass=user)

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=reader,dc=example,dc=com
bindpw secret

[...]

# SSL options
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/Example-com-cacert.pem
[...]
</pre>
The settings of the package installation that have been configured are located, as described above, in the ''/etc/nslcd.conf'' file.

== Configuration of pam_ldap ==
'''In general, the configuration of the package installation is suitable for an AD-authentication'''. However, users can authenticate themselves with the standard configuration per AD/LDAP as well as with local password. To disable local passwords for users other than "root", the following change must be made to the file ''/etc/pam.d/common-auth.conf''.

'''Attention:''' After this change, only the ''root'' user can use its local password. All other users rely on Active Directory and a working connection between the server and Active Directory:<ref>[http://pig.made-it.com/pam.html PAM Explanation] (pig.made-it.com)</ref>
<pre>
# vi /etc/pam.d/common-auth
[...]
auth sufficient pam_ldap.so minimum_uid=1000
auth requisite pam_succeed_if.so uid eq 0
auth sufficient pam_unix.so nullok_secure
# here's the fallback if no module succeeds
[...]
</pre>
After that, AD authentication will be sufficient for all users with a UID greater than 1000 to log in. Local passwords will no longer work!

The configuration of the AD authentication is completed after the steps described above.

== Error analysis ==
=== nslcd ===
The daemon ''nslcd'' provides a Debus mode for analyzing the LDAP authentication:
<pre>
# nslcd -d
nslcd: DEBUG: add_uri(ldap://ldap.example.com)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,2)
[...]
nslcd: accepting connections
</pre>
If the <code>-d</code> parameter is stated more often, the ''nslcd'' debug level increases.

The error message is a bit misleading
<pre>
DEBUG: failed to bind to LDAP server ldap://ldap.example.com: Invalid credentials: 80090308:
LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0
</pre>
that also appears when a user account does not yet exist on the server.

=== pam_ldap ===
Those who want to adjust the pam-rules in the ''/etc/pam.d/common-auth.conf'' file, encounters the following error in the log file ‘’/var/log/auth.log'':
<pre>pam_succeed_if(sshd:auth): incomplete condition detected</pre>, when the terms for ''pam_succeed_if.so '' are not correct.<ref>[https://bugzilla.redhat.com/show_bug.cgi?id=594903 Insufficient error checking in pam_succeed_if] (bugzilla.redhat.com)</ref>

== References ==
<references />

{{Gschoenberger}}
{{Aranzinger}}
[[Category:Debian]]
[[de:Passwort-Authentifizierung mit Active Directory unter Debian einrichten]]

PCIe link lost

2026-05-21T11:16:45Z

Aranzinger: Created page with "On Linux systems, when using Intel I350 network chips, messages such as '''PCIe link lost''' may appear, followed by '''igb 0000:82:00.0 enp130s0f0: malformed Tx packet detected and dropped, LVMMC:0xffffffff'''. Therefore, the affected network interface does not work. As a solution, the Linux kernel parameter '''pcie_aspm.policy=performance''' or an updated BIOS with deactivated ASPM can be used. == Affected hardware and software == We have encountered this issue i..."

On [[Linux]] systems, when using Intel I350 network chips, messages such as '''PCIe link lost''' may appear, followed by '''igb 0000:82:00.0 enp130s0f0: malformed Tx packet detected and dropped, LVMMC:0xffffffff'''. Therefore, the affected network interface does not work. As a solution, the Linux kernel parameter '''pcie_aspm.policy=performance''' or an updated BIOS with deactivated ASPM can be used.

== Affected hardware and software ==
We have encountered this issue in isolated cases after several weeks of testing with the following components:
* ASUS RS500A-E11-RS12U with [[AMD EPYC 7003 Milan]] CPU (AMD EPYC 7543P) with Intel I350-AM2
** BIOS 0901
* [[Proxmox VE]] with kernel 5.15.35-1-pve

== Problem ==
Example 21.6.2022:
<pre>
Jun 21 00:53:43 PMX2 kernel: [568234.890225] igb 0000:82:00.0 enp130s0f0: PCIe link lost
Jun 21 00:53:43 PMX2 kernel: [568234.890714] ------------[ cut here ]------------
Jun 21 00:53:43 PMX2 kernel: [568234.891150] igb: Failed to read reg 0x40e8!
Jun 21 00:53:43 PMX2 kernel: [568234.891611] WARNING: CPU: 15 PID: 1607760 at drivers/net/ethernet/intel/igb/igb_main.c:747 igb_rd32.cold+0x3a/0x46 [igb]
Jun 21 00:53:43 PMX2 kernel: [568234.892059] Modules linked in: sch_ingress ebtable_filter ebtables ip_set ip6table_raw iptable_raw ip6table_filter ip6_tables iptable_filter bpfilter sctp ip6_udp_tunnel
udp_tunnel nf_tables bonding tls openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 softdog nfnetlink_log nfnetlink ipmi_ssif intel_rapl_msr intel_rapl_common amd64_edac edac_
mce_amd kvm_amd ast drm_vram_helper drm_ttm_helper kvm ttm drm_kms_helper cec irqbypass crct10dif_pclmul rc_core ghash_clmulni_intel aesni_intel fb_sys_fops crypto_simd cryptd rapl wmi_bmof efi_pstore pc
spkr acpi_ipmi syscopyarea cdc_ether sysfillrect usbnet sysimgblt joydev input_leds mii ipmi_si ccp ptdma k10temp ipmi_devintf ipmi_msghandler mac_hid vhost_net vhost vhost_iotlb tap ib_iser rdma_cm iw_c

Jun 21 00:53:43 PMX2 kernel: [568234.892098] zstd_compress hid_generic usbmouse usbkbd usbhid hid raid6_pq libcrc32c simplefb crc32_pclmul nvme nvme_core igb xhci_pci i2c_algo_bit ahci xhci_pci_renesas
dca libahci xhci_hcd i2c_piix4 bnxt_en wmi
Jun 21 00:53:43 PMX2 kernel: [568234.896894] CPU: 15 PID: 1607760 Comm: nload Tainted: P O 5.15.35-1-pve #1
Jun 21 00:53:43 PMX2 kernel: [568234.897392] Hardware name: ASUSTeK COMPUTER INC. RS500A-E11-RS12U/KMPA-U16 Series, BIOS 0901 12/03/2021
Jun 21 00:53:43 PMX2 kernel: [568234.897890] RIP: 0010:igb_rd32.cold+0x3a/0x46 [igb]
Jun 21 00:53:43 PMX2 kernel: [568234.898391] Code: c7 c6 94 23 3e c0 e8 ea e4 33 ed 48 8b bb 30 ff ff ff e8 5a 2c cc ec 84 c0 74 16 44 89 ee 48 c7 c7 60 30 3e c0 e8 b9 f2 2a ed <0f> 0b e9 b8 03 fe ff e9
cf 03 fe ff 0f b6 d0 be 00 00 04 00 48 c7
Jun 21 00:53:43 PMX2 kernel: [568234.899403] RSP: 0018:ffffbc9e812d3a98 EFLAGS: 00010282
Jun 21 00:53:43 PMX2 kernel: [568234.899906] RAX: 0000000000000000 RBX: ffff947b663fced0 RCX: ffff949a0e1e0588
Jun 21 00:53:43 PMX2 kernel: [568234.900414] RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff949a0e1e0580
Jun 21 00:53:43 PMX2 kernel: [568234.900915] RBP: ffffbc9e812d3ab0 R08: 0000000000000003 R09: 0000000000000001
Jun 21 00:53:43 PMX2 kernel: [568234.901411] R10: ffff947b7610c7c0 R11: ffffffffc0d410c0 R12: 00000000ffffffff
Jun 21 00:53:43 PMX2 kernel: [568234.901902] R13: 00000000000040e8 R14: 00000000000198e8 R15: 0000000003f1d080
Jun 21 00:53:43 PMX2 kernel: [568234.902389] FS: 00007f4cb056d740(0000) GS:ffff949a0e1c0000(0000) knlGS:0000000000000000
Jun 21 00:53:43 PMX2 kernel: [568234.902879] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 21 00:53:43 PMX2 kernel: [568234.903364] CR2: 00007f4f7bbf2670 CR3: 00000006414e8004 CR4: 0000000000770ee0
Jun 21 00:53:43 PMX2 kernel: [568234.903850] PKRU: 55555554
Jun 21 00:53:43 PMX2 kernel: [568234.904336] Call Trace:
Jun 21 00:53:43 PMX2 kernel: [568234.904808] <TASK>
Jun 21 00:53:43 PMX2 kernel: [568234.905275] igb_update_stats+0x4c0/0x880 [igb]
Jun 21 00:53:43 PMX2 kernel: [568234.905743] igb_get_stats64+0x30/0x80 [igb]
Jun 21 00:53:43 PMX2 kernel: [568234.906205] dev_get_stats+0x60/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.906663] netstat_show.constprop.0+0x57/0xb0
Jun 21 00:53:43 PMX2 kernel: [568234.907117] tx_dropped_show+0x16/0x20
Jun 21 00:53:43 PMX2 kernel: [568234.907564] dev_attr_show+0x1d/0x40
Jun 21 00:53:43 PMX2 kernel: [568234.908014] sysfs_kf_seq_show+0xa1/0x100
Jun 21 00:53:43 PMX2 kernel: [568234.908451] kernfs_seq_show+0x27/0x30
Jun 21 00:53:43 PMX2 kernel: [568234.908882] seq_read_iter+0x122/0x4b0
Jun 21 00:53:43 PMX2 kernel: [568234.909309] ? aa_file_perm+0x11e/0x570
Jun 21 00:53:43 PMX2 kernel: [568234.909732] kernfs_fop_read_iter+0x150/0x1b0
Jun 21 00:53:43 PMX2 kernel: [568234.910150] new_sync_read+0x110/0x1a0
Jun 21 00:53:43 PMX2 kernel: [568234.910564] vfs_read+0x100/0x1a0
Jun 21 00:53:43 PMX2 kernel: [568234.910970] ksys_read+0x67/0xe0
Jun 21 00:53:43 PMX2 kernel: [568234.911368] __x64_sys_read+0x1a/0x20
Jun 21 00:53:43 PMX2 kernel: [568234.911766] do_syscall_64+0x5c/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.912170] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.912560] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.912944] ? syscall_exit_to_user_mode+0x27/0x50
Jun 21 00:53:43 PMX2 kernel: [568234.913330] ? __x64_sys_read+0x1a/0x20
Jun 21 00:53:43 PMX2 kernel: [568234.913706] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.914073] ? syscall_exit_to_user_mode+0x27/0x50
Jun 21 00:53:43 PMX2 kernel: [568234.914431] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.914777] ? __x64_sys_close+0x12/0x40
Jun 21 00:53:43 PMX2 kernel: [568234.915112] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.915436] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.915745] ? do_syscall_64+0x69/0xc0
Jun 21 00:53:43 PMX2 kernel: [568234.916052] ? asm_sysvec_apic_timer_interrupt+0xa/0x20
Jun 21 00:53:43 PMX2 kernel: [568234.916342] entry_SYSCALL_64_after_hwframe+0x44/0xae
Jun 21 00:53:43 PMX2 kernel: [568234.916623] RIP: 0033:0x7f4cb0666e8e
Jun 21 00:53:43 PMX2 kernel: [568234.916890] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 6e 18 0a 00 e8 89 e8 01 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a
c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
Jun 21 00:53:43 PMX2 kernel: [568234.917444] RSP: 002b:00007ffe81260f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
Jun 21 00:53:43 PMX2 kernel: [568234.917719] RAX: ffffffffffffffda RBX: 0000000000001fff RCX: 00007f4cb0666e8e
Jun 21 00:53:43 PMX2 kernel: [568234.917988] RDX: 0000000000001fff RSI: 000055e09cb3adf0 RDI: 0000000000000003
Jun 21 00:53:43 PMX2 kernel: [568234.918250] RBP: 000055e09cb3adf0 R08: 0000000000000000 R09: 00007f4cb0736be0
Jun 21 00:53:43 PMX2 kernel: [568234.918508] R10: 0000000001000000 R11: 0000000000000246 R12: 0000000000001fff
Jun 21 00:53:43 PMX2 kernel: [568234.918764] R13: 00007ffe81261118 R14: 000055e09bc21398 R15: 000055e09bc21370
Jun 21 00:53:43 PMX2 kernel: [568234.919020] </TASK>
Jun 21 00:53:43 PMX2 kernel: [568234.919272] ---[ end trace e754faf722c4d59f ]---
Jun 21 00:53:43 PMX2 kernel: [568234.919529] igb 0000:82:00.0 enp130s0f0: malformed Tx packet detected and dropped, LVMMC:0xffffffff
Jun 21 00:53:43 PMX2 kernel: [568234.919586] igb 0000:82:00.1 enp130s0f1: PCIe link lost
Jun 21 00:53:43 PMX2 kernel: [568234.920381] ------------[ cut here ]------------
Jun 21 00:53:43 PMX2 kernel: [568234.920832] igb: Failed to read reg 0xc030!
Jun 21 00:53:43 PMX2 kernel: [568234.921292] WARNING: CPU: 47 PID: 1607760 at drivers/net/ethernet/intel/igb/igb_main.c:747 igb_rd32.cold+0x3a/0x46 [igb]
Jun 21 00:53:43 PMX2 kernel: [568234.921782] Modules linked in: sch_ingress ebtable_filter ebtables ip_set ip6table_raw iptable_raw ip6table_filter ip6_tables iptable_filter bpfilter sctp ip6_udp_tunnel
udp_tunnel nf_tables bonding tls openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 softdog nfnetlink_log nfnetlink ipmi_ssif intel_rapl_msr intel_rapl_common amd64_edac edac_
mce_amd kvm_amd ast drm_vram_helper drm_ttm_helper kvm ttm drm_kms_helper cec irqbypass crct10dif_pclmul rc_core ghash_clmulni_intel aesni_intel fb_sys_fops crypto_simd cryptd rapl wmi_bmof efi_pstore pc
spkr acpi_ipmi syscopyarea cdc_ether sysfillrect usbnet sysimgblt joydev input_leds mii ipmi_si ccp ptdma k10temp ipmi_devintf ipmi_msghandler mac_hid vhost_net vhost vhost_iotlb tap ib_iser rdma_cm iw_c
m ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi drm sunrpc ip_tables x_tables autofs4 zfs(PO) zunicode(PO) zzstd(O) zlua(O) zavl(PO) icp(PO) zcommon(PO) znvpair(PO) spl(O) btrfs blak
e2b_generic xor
</pre>

Beispiel 26.6.2022:
<pre>
[...]
Jun 26 18:46:36 PMX2 kernel: [1064607.600707] igb 0000:82:00.0 enp130s0f0: malformed Tx packet detected and dropped, LVMMC:0xffffffff
Jun 26 18:46:37 PMX2 kernel: [1064608.624690] igb 0000:82:00.1 enp130s0f1: malformed Tx packet detected and dropped, LVMMC:0xffffffff
[...]
</pre>

== Possible solutions ==

=== Updated BIOS ===
The new BIOS version 1301 (Milan, 2023/03/15) deactivates ASPM on all PCIe ports (<cite>Disable ASPM on all PCIe ports.</cite>) and resolves the problem.

=== Kernel parameter ===
Alternatively, as a workaround, the PCIe ASPM policy can be set to performance using the following kernel boot parameter:<pre>sed -i '$ s/$/ pcie_aspm.policy=performance/' /etc/kernel/cmdline</pre>
On systemd-boot-systems, this command adds the parameter to the /etc/kernel/cmdline file. On Proxmox systems, a refresh of the Proxmox boot tool must be performed after changing the file:
<pre>proxmox-boot-tool refresh</pre>After a reboot, it can be verified if the parameters are active using <pre>cat /proc/cmdline</pre>

== More information ==
* [https://access.redhat.com/solutions/2190691 igb "malformed Tx packet detected and dropped, LVMMC" message] (access.redhat.com, 05.03.2016)
* [https://access.redhat.com/solutions/6753701 Intel I350 NIC with igb logs "Refused to change power state" and "PCIe link lost"] (access.redhat.com, Updated February 23 2022)
* [https://patchwork.ozlabs.org/project/netdev/patch/1406207604-31653-6-git-send-email-jeffrey.t.kirsher@intel.com/ igb: Add message when malformed packets detected by hw] (patchwork.ozlabs.org, 24.07.2014)
* [https://community.zyxel.com/en/discussion/2574/degraded-gigabit-problem-with-gs1200-8 Degraded Gigabit problem with GS1200-8] (community.zyxel.com, April 2019)

== References ==
<references />

{{Wfischer}}
{{Jsterr}}
{{Aranzinger}}
[[Category:Linux]]
[[Category:Proxmox Troubleshooting]]
[[de:PCIe link lost]]

MegaRAID 9341-4i Debian 11 DMAR DRHD handling fault status reg 3

2026-05-21T07:09:47Z

Aranzinger: Created page with "After installing Debian 11 on a system with MegaRAID 9341-4i RAID controller, messages such as '''AVAGO EFI SAS Driver is Unhealthy''' may appear during the boot process and '''DMAR: DRHD: handling fault status reg 3''' in the system log. In this article, we explain how to solve this problem by using the kernel parameter '''intel_iommu=on iommu=pt'''. == Description of problem == After installing Debian 11, the following problems appear on a system with MegaRAI..."

After installing [[Debian]] 11 on a system with [[MegaRAID 9341-4i RAID controller]], messages such as '''AVAGO EFI SAS Driver is Unhealthy''' may appear during the boot process and '''DMAR: DRHD: handling fault status reg 3''' in the system log. In this article, we explain how to solve this problem by using the kernel parameter '''intel_iommu=on iommu=pt'''.

== Description of problem ==
After installing Debian 11, the following problems appear on a system with MegaRAID 9341-4i RAID controller:
* Message during boot process:
*: [[Avago EFI SAS Driver is Unhealthy]]
* Message in the BIOS:
*: '''L2/L3 Cache error was detected on the RAID controller. Please contact technical support to resolve this issue. Press 'X' to continue or else power off the system, replace the controller and reboot.'''
* Error message in Syslog:
*: '''DMAR: DRHD: handling fault status reg 3'''

Error message in Syslog explained in detail:
<pre>
[ 44.978734] megasas: 07.714.04.00-rc1
[ 44.979059] megaraid_sas 0000:02:00.0: BAR:0x1 BAR's base_addr(phys):0x0000000091300000 mapped virt_addr:0x00000000e2c49ffb
[ 44.979061] megaraid_sas 0000:02:00.0: FW now in Ready state
[ 44.979061] megaraid_sas 0000:02:00.0: 63 bit DMA mask and 32 bit consistent mask
[ 44.979181] megaraid_sas 0000:02:00.0: firmware supports msix : (96)
[ 44.979388] megaraid_sas 0000:02:00.0: requested/available msix 13/13
[ 44.979389] megaraid_sas 0000:02:00.0: current msix/online cpus : (13/12)
[ 44.979390] megaraid_sas 0000:02:00.0: RDPQ mode : (disabled)
[ 44.979391] megaraid_sas 0000:02:00.0: Current firmware supports maximum commands: 272 LDIO threshold: 237
[ 44.979425] megaraid_sas 0000:02:00.0: Configured max firmware commands: 271
[ 44.979686] megaraid_sas 0000:02:00.0: Performance mode :Latency
[ 44.979687] megaraid_sas 0000:02:00.0: FW supports sync cache : Yes
[ 44.979688] megaraid_sas 0000:02:00.0: megasas_disable_intr_fusion is called outbound_intr_mask:0x40000009
[ 45.235288] DMAR: DRHD: handling fault status reg 3
[ 45.235366] DMAR: [DMA Write] Request device [02:00.0] PASID ffffffff fault addr 3ffb0000 [fault reason 05] PTE Write access is not set
[ 45.236414] DMAR: DRHD: handling fault status reg 3
[ 45.236492] DMAR: [DMA Read] Request device [02:00.0] PASID ffffffff fault addr 3ffb0000 [fault reason 06] PTE Read access is not set
[ 46.289908] DMAR: DRHD: handling fault status reg 3
[ 46.289986] DMAR: [DMA Read] Request device [02:00.0] PASID ffffffff fault addr 3ffb0000 [fault reason 06] PTE Read access is not set
[ 47.353019] DMAR: DRHD: handling fault status reg 3
[ 50.542825] dmar_fault: 8 callbacks suppressed ...
[ 291.968323] dmar_fault: 5 callbacks suppressed
[ 291.968327] DMAR: DRHD: handling fault status reg 3
[ 291.973328] DMAR: [DMA Read] Request device [02:00.0] PASID ffffffff fault addr 3ffb0000 [fault reason 06] PTE Read access is not set
[ 293.031635] DMAR: DRHD: handling fault status reg 3
[ 293.034716] DMAR: [DMA Read] Request device [02:00.0] PASID ffffffff fault addr 3ffb0000 [fault reason 06] PTE Read access is not set
[ 294.094631] DMAR: DRHD: handling fault status reg 3
[ 294.098574] DMAR: [DMA Read] Request device [02:00.0] PASID ffffffff fault addr 3ffb0000 [fault reason 06] PTE Read access is not set
[ 295.157716] DMAR: DRHD: handling fault status reg 3
[ 296.988718] megaraid_sas 0000:02:00.0: Init cmd return status FAILED for SCSI host 9
[ 296.994525] megaraid_sas 0000:02:00.0: Failed from megasas_init_fw 6460
</pre>

== Affected systems ==
The problem appeared with the following hardware/software.

Hardware:
* Supermicro mainboard X11SCH-LN4F
* MegaRAID 9341-4i RAID controller

Software:
* Debian 11 with Linux kernel 5.10.0-11, megaraid_sas module version (via Debian) 07.714.04.00-r, even the latest Broadcom module (07.719.04.00) does not resolve the problem.

When using Debian 10 with Linux kernel 4.19.0-18, megaraid_sas module version 07.706.03.00-rc1, the poblem does not appear.

== Cause ==
The error message ''DMAR: DRHD: handling fault status reg 3'' indicates a problem in combination with the IOMMU. The terms have the following meanings:<ref>[https://www.intel.com/content/dam/develop/external/us/en/documents/intel-whitepaper-using-iommu-for-dma-protection-in-uefi-820238.pdf A Tour Beyond BIOS: Using IOMMU for DMA Protection in UEFI Firmware] (www.intel.com)</ref><ref>[https://www.kernel.org/doc/Documentation/Intel-IOMMU.txt Linux IOMMU Support] (www.kernel.org/doc)</ref>
* DMAR = DMA Remapping Reporting
* DRHD = DMA Remapping Hardware Unit Definition

== Solution ==
To solve the issue, the Intel IOMMU functions must be activated in the Linux kernel and the IOMMU must be set to pass-through mode.

For this, the following parameter (via /etc/default/grub) must be set:
* intel_iommu=on iommu=pt

== More information ==
* [https://bbs.archlinux.org/viewtopic.php?pid=1738979#p1738979 (SOLVED) "kernel: DMAR: DRHD: handling fault status reg 3"] (bbs.archlinux.org, 29.09.2017)
* [https://forum.proxmox.com/threads/raid-controller-9341-8i.88667/ raid controller 9341-8i] (forum.proxmox.com, 04.05.2021)

== References ==
<references />

{{Wfischer}}
{{Aranzinger}}
[[Category:Debian]][[Category:LSI]]
[[de:MegaRAID 9341-4i Debian 11 DMAR DRHD handling fault status reg 3]]

Debian 11 installation with DMAR DRHD handling fault status reg 3 error message

2026-05-21T05:56:09Z

Aranzinger: Created page with "When installing Debian 11 on systems with a MegaRAID 9341-4i RAID controller, it may come to error messages such as '''AVAGO EFI SAS Driver is Unhealthy''' during the starting process and '''DMAR: DRHD: handling fault status reg 3 '' when starting the operating system. In this article, we show how to install Debian 11 by using the kernel parameters '''intel_iommu=on''' and '''iommu=pt'''. == Error message in the BIOS, during boot process and installation == In this ca..."

When installing Debian 11 on systems with a MegaRAID 9341-4i RAID controller, it may come to error messages such as '''AVAGO EFI SAS Driver is Unhealthy''' during the starting process and '''DMAR: DRHD: handling fault status reg 3 '' when starting the operating system. In this article, we show how to install Debian 11 by using the kernel parameters '''intel_iommu=on''' and '''iommu=pt'''.

== Error message in the BIOS, during boot process and installation ==
In this case, the installation was performed on a Supermicro mainboard X11SCH-LN4F and on a MegaRAID 9341-4i RAID controller, as both of these components lead to this error message in combination.
This case is described in detail in the following article: [[MegaRAID 9341-4i Debian 11 DMAR DRHD handling fault status reg 3]]

'''Three types of errors that occur'''
<gallery>
file:BootPostUnhealty.png|Error message of the controller in the postscreen - '''AVAGO EFI SAS Driver is unhealthy'''
file:Fehler1.png|Error message encountered when booting from the boot medium '''DMAR: DRHD: handling fault status reg 3'''
file:Fehler2.png|Error in the Debian installer during hard drive selection: the RAID is not displayed
</gallery>

== Solution ==
To solve the problem, the Intel IOMMU functions must be set to pass-through in the Linux kernel.

The following kernel parameters must be set for this:intel_iommu=on iommu=pt

These parameters must be set three times
# in the Debian installer
# after booting in the GRUB
# in the OS under /etc/default/grub

=== 1) Changes made during installation using the Debian installer ===
'''For a UEFi installation'''
<gallery>
file:Install1.png| With "E" for Edit Selection, the boot entry can be changed
file:Install2.png| Here, the third line must be edited '''"linux /install.amd/vmlinuz vga=788 --- quiet"'''
file:Install3.png| '''"--- quiet"''' must be replaced by '''"intel_iommu=on iommu=pt"'''
</gallery>

'''For a LEGACY installation'''

<gallery>
file:Legacy1.png| In legacy mode, the boot entry can be edited via '''tab-key'''
file:Legacy2-tabdruecken.png|edit '''"linux /install.amd/vmlinuz vga=788 --- quiet"'''
file:Legacy3-dannenter.png| '''"--- quiet"''' must be replaced by '''"intel_iommu=on iommu=pt"'''
</gallery>

'''The Raid is now displayed'''
<gallery>
file:Install4.png| The Raid is now displayed and can be selected for the installation
</gallery>

=== 2) Changes after installation in the GRUB ===
<gallery>
file:Nachinstall1.png| After installation, edit the boot entry via "E"
file:Nachinstall2.png| The third-to-last line '''linux /boot/vmlinuz-5-10.0-17...... ro quiet''' must be edited.
file:Nachinstall3.png|'''"quiet"''' must be replaced by '''"intel_iommu=on iommu=pt"'''
</gallery>

=== 3) Changes in OS ===
<gallery>
file:Grub0.png| Navigate to the '''/etc/default''' directory
file:Grub1.png| Edit '''grub''' with, for example, nano
file:Grub2.png|'''GRUB_CMBLINE_LINUX_DEFAULT="intel_iommu=on iommu=pt"'''
file:Grubupdate2.png|Update GRUB using'''"su -"''' and '''"update-grub"'''
</gallery>

After the parameters have been set and the update-grub command has been performed, they will now be executed every time the system starts up, ensuring that the RAID controller and the RAID array are detected correctly.

== More information ==
* [https://bbs.archlinux.org/viewtopic.php?pid=1738979#p1738979 (SOLVED) "kernel: DMAR: DRHD: handling fault status reg 3"] (bbs.archlinux.org, 29.09.2017)
* [https://forum.proxmox.com/threads/raid-controller-9341-8i.88667/ raid controller 9341-8i] (forum.proxmox.com, 04.05.2021)
* [https://www.linux-kvm.org/page/How_to_assign_devices_with_VT-d_in_KVM How to assign devices with VT-d in KVM] (www.linux-kvm.org 25.6.2016)
* [https://gist.github.com/davesilva/445276f9157e7cb3a4f6ed2fe852b340 Setting up KVM with GPU passthrough in Debian Buster ] (gist.github.com 13.08.2020)

== References ==
# [https://www.intel.com/content/dam/develop/external/us/en/documents/intel-whitepaper-using-iommu-for-dma-protection-in-uefi-820238.pdf A Tour Beyond BIOS: Using IOMMU for DMA Protection in UEFI Firmware ] (www.intel.com)
# [https://www.kernel.org/doc/Documentation/Intel-IOMMU.txt Linux IOMMU Support ] (www.kernel.org/doc)

{{Ldirr}}
{{Aranzinger}}

{{Consultinglink|campaign=Thomas-Krenn Windows Admin Center (WAC) Extension}}
[[Category:Debian]][[Category:LSI]]
[[de:Debian 11 Installation bei Fehlermeldung DMAR DRHD handling fault status reg 3]]

Security advisories on Intel products 2026.2 IPU

2026-05-20T07:39:55Z

Aranzinger:

In '''2026''', Intel published new security advisories as part of the IPU 2026.2 on different Intel products. Some of these security advisories require '''firmware updates'''.

In this article, you will find an excerpt and hints on these security advisories as well as information on where to find updates for Thomas-Krenn products.

== Affected systems ==

* Intel Xeon processors
* Intel Core processors
* Intel Atom processors
* Intel Pentium processors
* Intel Celeron processors

== Security advisories ==
In the following, you will find security advisories on the firmware that has been published by Intel.

{| class="wikitable"
|- style="background-color: #EFEFEF; font-weight: bold;"
! align="center" |Intel security advisory
! align="center" |Title
! align="center" |Affected systems
|-
|align=center | [https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01393.html INTEL-SA-01393]
|align=center | 2026.1 IPU, UEFI Reference Firmware Advisory
| rowspan="35" align="left" | (see Intel-SA)
|-
|align=center | [https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01420.html INTEL-SA-01420]
|align=center | 2026.2 IPU - Intel® Processor Firmware Advisory
|-
|align=center | [https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01413.html INTEL-SA-01413]
|align=center | UEFI Reference Firmware Advisory
|-
|align=center | [https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01425.html INTEL-SA-01425]
|align=center | Intel® Slim Bootloader Advisory
|}

== Updates for Thomas-Krenn products ==
Updates on the corresponding system can be found in the <tklink type="sitex" id="440">download area of Thomas-Krenn</tklink>. The updates in the download area have been tested by us to guarantee the stability and compatibility of our systems.

If you require the latest version for your system and it is not yet available in our download area, you can get it at [https://www.asus.com/de/support/download-center/ Asus] , [https://www.supermicro.com/en/support/resources/downloadcenter/swdownload Supermicro] or [https://www.gigabyte.com/de/Support/Consumer/Download Gigabyte]

== More information ==
* [https://www.intel.com/content/www/us/en/security-center/default.html Security Center] (www.intel.com)
* [https://www.supermicro.com/en/support/security_Intel_IPU2026.2 Intel Platform Update (IPU) Update 2026.2 May 2026] (www.supermicro.com)
* [https://www.supermicro.com/en/support/security_Intel_IPU2026.1_part2 Intel Platform Update (IPU) Update 2026.1 Part 2, May 2026] (www.supermicro.com)
{{Thomas-Krenn.AG}}
{{Aranzinger}}
[[Category:Intel]]
[[de:Sicherheitshinweise zu Intel Produkten 2026.2 IPU]]

AMD Security Vulnerabilities - May 2026

2026-05-20T05:53:03Z

Aranzinger: Created page with "On '''May 12th, 2026''', AMD published the security bulletins '''AMD-SB-3030''' <ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3030.html AMD EPYC and AMD EPYC Embedded Series Processor Vulnerabilities – May 2026] (www.amd.com/en/resources/product-security)</ref>, '''AMD-SB-4017'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4017.html AMD Athlon, AMD Ryzen, and AMD Ryzen Embedded Series Processor Vulnerabilities – Ma..."

On '''May 12th, 2026''', AMD published the security bulletins '''AMD-SB-3030''' <ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3030.html AMD EPYC and AMD EPYC Embedded Series Processor Vulnerabilities – May 2026] (www.amd.com/en/resources/product-security)</ref>, '''AMD-SB-4017'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4017.html AMD Athlon, AMD Ryzen, and AMD Ryzen Embedded Series Processor Vulnerabilities – May 2026] (www.amd.com/en/resources/product-security)</ref> and '''AMD-SB-7052'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html CPU OP Cache Corruption - May 2026] (www.amd.com/en/resources/product-security)</ref> with one security vulnerability each. This article includes tables listing measures to address the security vulnerabilities.

== Affected systems ==

'''AMD Threadripper systems:'''

* systems with AMD Ryzen Threadripper PRO 3000WX processors
* systems with AMD Ryzen Threadripper 7000 / PRO 7000WX processors
* systems with AMD Ryzen Threadripper 9000 / PRO 9000WX processors

'''AMD EPYC systems:'''

* systems with "Zen 4" [[AMD EPYC 4004 Raphael]] processors
* systems with "Zen 2" [[AMD EPYC 7002 Rome]] processors
* systems with "Zen 3" [[AMD EPYC 7003 Milan]] processors
* systems with "Zen 4" [[AMD EPYC 9004 Genoa and Bergamo]] & 8004 Siena processors
* systems with "Zen 5" [[AMD EPYC 9005 Turin]] processors

== Solution ==

Here is a table listing the relevant CVEs and corrective measures for the respective EPYC generation, if available.

'''AMD EPYC 4004 Raphael'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2024-36315 CVE-2024-36315]
| align="center" |5.7 (medium)
| align="center" |ComboAM5PI_1.0.0.a (2024-09-11)
ComboAM5PI_1.1.0.3c (2024-09-11)

ComboAM5PI_1.2.0.3 (2024-09-11)
|-
|}

'''AMD EPYC 7002 Rome'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''Correction'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54518 CVE-2025-54518]
| align="center" |7.3 (high)
| align="center" |OS update
|-
|}

'''AMD EPYC 7003 Milan:'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!TCB‑value for SNP-certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61971 CVE-2025-61971]
| align="center" |5.9 (medium)
| align="center" |MilanPI 1.0.0.J (2025-12-15)
| align="center" |TCB[SNP]>=0x1D
|-
|}

'''AMD EPYC 8004 Siena:'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!Microcode
!TCB‑value for SNP-certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2024-36315 CVE-2024-36315]
| align="center" |5.7 (medium)
| align="center" |GenoaPI 1.0.0.E (2024-12-18)
| align="center" |A2: 0AA00216
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61971 CVE-2025-61971]
| align="center" |5.9 (medium)
| align="center" |Genoa++_1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |TCB[BL]>=0xC
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61972 CVE-2025-61972]
| align="center" |8.5 (high)
| align="center" | Genoa++_1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |TCB[BL]>=0xC
|-
|}

'''AMD EPYC 9004 Genoa:'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!Microcode
!TCB‑value for SNP-certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2024-36315 CVE-2024-36315]
| align="center" |5.7 (medium)
| align="center" |GenoaPI 1.0.0.E (2024-12-18)
| align="center" |A2: 0x0AA00219
B1: 0x0A101154

B2: 0x0A10124F
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61971 CVE-2025-61971]
| align="center" |5.9 (medium)
| align="center" |Genoa++_1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |TCB[BL]>=0xC
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61972 CVE-2025-61972]
| align="center" |8.5 (high)
| align="center" | Genoa++_1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |TCB[BL]>=0xC
|-
|}

'''AMD EPYC 9005 Turin / Turin Dense'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!TCB‑value for SNP-certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61971 CVE-2025-61971]
| align="center" |5.9 (medium)
| align="center" |TurinPI_1.0.0.8 (2025-11-26)
| align="center" |TCB[TEE]>=0x2
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-61972 CVE-2025-61972]
| align="center" |8.5 (high)
| align="center" |TurinPI_1.0.0.8 (2025-11-26)
| align="center" |TCB[TEE]>=0x2
|-
|}

'''AMD Ryzen Threadripper PRO 3000WX'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2021-46747 CVE-2021-46747]
| align="center" |7.1 (high)
| align="center" |CastlePeakWSPI-sWRX8 1.0.0.9 (2022-01-20)
ChagallWSPI-sWRX8 1.0.0.2 (2022-01-20)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-48516 CVE-2025-48516]
| align="center" |6.9 (medium)
| align="center" |no specific plans
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2021-26380 CVE-2021-26380]
| align="center" |1.8 (low)
| align="center" |ChagallWSPI-sWRX8 1.0.0.2 (2022-01-20)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54518 CVE-2025-54518]
| align="center" |7.3 (high)
| align="center" |ChagallWSPI-sWRX8-1.0.0.D (11-04-2025)
CastlePeakWSPI-sWRX8 1.0.0.I (10-17-2025)
|-
|}

'''AMD Ryzen Threadripper 7000 / PRO 7000WX'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2026-0438 CVE-2026-0438]
| align="center" |5.4 (medium)
| align="center" |ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21)
StormPeakPI-SP6 1.0.0.1m (2025-12-01)

StormPeakPI-SP6_1.1.0.0k (2025-12-01)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-48516 CVE-2025-48516]
| align="center" |6.9 (medium)
| align="center" |ShimadaPeakPI-SP6 1.0.0.1b (2025-08-04)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2024-36345 CVE-2024-36345]
| align="center" |4.6 (medium)
| align="center" |StormPeakPI-SP6 1.1.0.0k (2025-12-01)
StormPeakPI-SP6 1.0.0.1m (2025-12-01)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2024-36343 CVE-2024-36343]
| align="center" |4.6 (medium)
| align="center" |StormPeakPI-SP6 1.1.0.0k (2025-12-01)
StormPeakPI-SP6 1.0.0.1m (2025-12-01)
|-
|}

'''AMD Ryzen Threadripper 9000 / PRO 9000WX'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2026-0438 CVE-2026-0438]
| align="center" |5.4 (medium)
| align="center" |ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21)
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-48516 CVE-2025-48516]
| align="center" |6.9 (medium)
| align="center" |ShimadaPeakPI-SP6 1.0.0.1b (2025-08-04)
|-
|}

Supermicro security bulletins were published for security vulnerabilities. A list with BIOS-versions for the respective mainboards, to close the gaps, is also included. In the following, there is an excerpt from this table, in which all mainboards are listed that are offered by Thomas Krenn: <ref>[https://www.supermicro.com/en/support/security_center#!advisories Supermicro Security Center] (www.supermicro.com)</ref>

{| class="wikitable"
|+
!AMD motherboard
! align="center" |'''BIOS version'''
|-
| align="center" |H12SSW-iN/NT
| align="center" |3.6
|-
| align="center" |H12SSL-i/C/CT/NT
| align="center" |3.6
|-
| align="center" |H12DSi-N6/NT6
| align="center" |3.6
|-
| align="center" |H13SSW
| align="center" |3.8
|-
| align="center" |H13SSL-N/NC
| align="center" |3.8
|}

=== Updates for Thomas-Krenn products ===
Updates on the corresponding system can be found in the <tklink type="sitex" id="440">download area of Thomas-Krenn</tklink>. The versions in the download area have been tested to guarantee the stability and compatibility of our systems.

If you require the latest version for your system and it is not yet available in our download area, you can get it at [https://www.asus.com/de/support/download-center/ Asus] or [https://www.supermicro.com/en/support/resources/downloadcenter/swdownload Supermicro].

== References ==
<references/>

{{Thomas-Krenn.AG}}
{{Aranzinger}}
[[Category:AMD Safety Information]]
[[de:AMD Sicherheitslücken - Mai 2026]]

NIC bonding on Debian

2026-05-15T08:25:59Z

Aranzinger: Created page with "==Different kinds of bonding== * mode=0 (balance-rr) * mode=1 (active-backup) * mode=2 (balance-xor) * mode=3 (broadcast) * mode=4 (802.3ad) (see also Link Aggregation and LACP basics) * mode=5 (balance-tlb) * mode=6 (balance-alb) == Install packages == apt-get install ifenslave-2.6 == Configuration Debian 5.0 Lenny and newer == In this example, we explain a configuration with mode 4 (802.3ad). For the link aggregation, we use: * eth0 and * eth1 <code>/etc..."

==Different kinds of bonding==

* mode=0 (balance-rr)
* mode=1 (active-backup)
* mode=2 (balance-xor)
* mode=3 (broadcast)
* mode=4 (802.3ad) (see also [[Link Aggregation and LACP basics]])
* mode=5 (balance-tlb)
* mode=6 (balance-alb)

== Install packages ==
apt-get install ifenslave-2.6

== Configuration Debian 5.0 Lenny and newer ==
In this example, we explain a configuration with mode 4 (802.3ad).

For the link aggregation, we use:
* eth0 and
* eth1

<code>/etc/network/interfaces</code> contains the following configuration:
<pre>
auto lo bond0

iface bond0 inet static
address 10.10.10.174
netmask 255.255.255.0
network 10.10.10.0
gateway 10.10.10.1
slaves eth0 eth1
bond_mode 802.3ad
</pre>

As remote station, we use the switch of an Intel modular server. Eth0 and eth1 of the server are connected to the LAN-ports 1 and 2 on the modular server switch. Both LAN-ports are configured for the link aggregation. Details on this can be found in the articles [[Link Aggregation for the Modular Server]] and [[Link Aggregation Load Balancing Test Modular Server Switch]].

== Configuration Debian 4.0 Etch ==

=== Adjustment of /etc/network/interfaces ===
iface bond0 inet static
address 192.168.0.9
netmask 255.255.255.0
network 192.168.0.0
gateway 192.168.0.1
up /sbin/ifenslave bond0 eth0 eth1
down /sbin/ifenslave -d bond0 eth0 eth1

=== Editing of /etc/modprobe.d/arch/i386 file ===
Add the following line there:

alias bond0 bonding
options bonding mode=5 miimon=100 downdelay=200 updelay=200

=== Restart networking ===
/etc/init.d/networking restart

=== How does bonding work with mode=5 ===
The incoming traffic is received only from the active slave. Outgoing traffic is distributed across both slaves based on their respective loads.

== Further links ==
* http://wiki.debian.org/Bonding
* [http://www.dodgenet.de/Software/bonding.html Bonding Modi auf www.dodgenet.de]
* [http://www.linuxfoundation.org/en/Net:Bonding Ausführliche Anleitung zum Bonding auf www.linuxfoundation.org]

{{Aranzinger}}
[[Category:Debian]]
[[pl:NIC Bonding w Debianie]]
[[de:NIC Bonding unter Debian]]

Reset IPMI password

2026-05-15T05:42:40Z

Aranzinger: Created page with "This article describes how to reset the '''password''' of an '''IPMI module'''. Please note that on Supermicro systems, the maximum password length is effectively 19 characters when setting a new password (The array length is 20 characters and the string is NULL-terminated, leaving 19 characters available). <ref>[https://www.supermicro.com/support/faqs/faq.cfm?faq=16778 What is the maximum password length for IPMI?] (Supermicro FAQ 16778)</ref> ==Resetting the password..."

This article describes how to reset the '''password''' of an '''IPMI module'''. Please note that on Supermicro systems, the maximum password length is effectively 19 characters when setting a new password (The array length is 20 characters and the string is NULL-terminated, leaving 19 characters available). <ref>[https://www.supermicro.com/support/faqs/faq.cfm?faq=16778 What is the maximum password length for IPMI?] (Supermicro FAQ 16778)</ref>

==Resetting the password using the impicfg tool on Supermicro systems==

The IPMI password can be reset by restoring the IPMI to its factory defaults. Please note that with many IPMI versions, particularly older ones, the network settings are also reset! Therefore, it is recommended to note or save the network settings before the reset. All steps, that are required, can be performed with the command line tool ipmicfg. This tool is available for Windows as well as for Linux operating systems.

In the following, the recommended process is explained:

===Step 1: Reading out the current network configuration===

<pre>
root@(none):~# ipmicfg -m
IP=10.10.10.183 MAC=00:25:90:19:78:5A
root@(none):~# ipmicfg -k
Net Mask=255.255.255.0
root@(none):~# ipmicfg -g
IP=10.10.10.1
</pre>

===Step 2: Reset to factory defaults===

<pre>
root@(none):~# ipmicfg -fd
Reset to the factory default completed!
</pre>

===Step 3: Verify network settings and adjust as needed===

<pre>
root@(none):~# ipmicfg -m
IP=10.10.10.183 MAC=00:25:90:19:78:5A
root@(none):~# ipmicfg -k
Net Mask=255.255.255.0
root@(none):~# ipmicfg -g
IP=10.10.10.1
</pre>

If these network settings are not correct anymore, the settings must be reset to the original values.

<pre>
root@(none):~# ipmicfg -m 10.10.10.183
IP=10.10.10.183
root@(none):~# ipmicfg -k 255.255.255.0
Net Mask=255.255.255.0
root@(none):~# ipmicfg -g 10.10.10.1
Gateway IP=10.10.10.1
</pre>

===Default IPMI password===
'''Hint:''' Since the end of 2019, Supermicro creates an individual password per IPMI interface for X10- and X11-mainboards. Please follow the instructions on the stickers on the mainboards or system.

User: ADMIN

Password: ADMIN

===Download link for ipmicfg===
* [ftp://ftp.supermicro.com/utility/IPMICFG/ ipmicfg für DOS/Linux/Windows]

==Resetting password using ipmitool on a Linux server==

The IPMI password can be changed by using <code>ipmitool user set password <userid></code>. Here is the general syntax for <code>ipmitool user</code>:
<pre>
[root@sr2500 ~]# ipmitool user
User Commands: summary [<channel number>]
list [<channel number>]
set name <user id> <username>
set password <user id> [<password>]
disable <user id>
enable <user id>
priv <user id> <privilege level> [<channel number>]
test <user id> <16|20> [<password]>

[root@sr2500 ~]#
</pre>
In the article [[Configuring IPMI under Linux using ipmitool]], there is an example for the SR2500 server.

==Resetting the whole module using the DOS-tool for Supermicro IPMI modules==

Content of Readme.txt

Please boot from a bootable floppy disk then run A:\>defaultp.exe (bzw. erasedat20.exe)

Attention! IPNMAC must then be executed, as the IPMI module is reset to factory defaults!

=== Download link ===

* [https://www.thomas-krenn.com/redx_tools/mb_download.php/mid.070084079082053073121049051113056061/IPMI_config_tools.zip IPMI_config_tools.zip] (contains IPnMAC)

== References ==
<references />

{{Aranzinger}}
[[Category:IPMI]]
[[pl:Przywrócenie domyślnego hasła w IPMI]]
[[de:IPMI Passwort zurücksetzen]]

Reading the Fortron TwinsPro FSP900 DUAL power supply under Linux

2026-05-11T13:17:06Z

Aranzinger: Created page with "1st image: Fortron TwinsPro FSP 900 DUAL '''Fortron TwinsPro FSP900 Dual power supply''' does not provide a native way to read data from the power supply when used with Linux on a server motherboard. However, the data can still be analyzed using Linux's built-in tools. == Problem == Fortron provides only a Windows port as standard, allowing users to monitor the power supply using..."

[[File:TwinsPro900W.png|alt=Abb. 1: Forton TwinsPro FSP 900 DUAL|thumb|300x300px|1st image: Fortron TwinsPro FSP 900 DUAL ]]
'''Fortron TwinsPro FSP900 Dual power supply''' does not provide a native way to read data from the power supply when used with [[Linux]] on a server motherboard. However, the data can still be analyzed using Linux's built-in tools.

== Problem ==
Fortron provides only a Windows port as standard, allowing users to monitor the power supply using the company's proprietary software, FSP Guardian.

If you want to use the power supply on a server motherboard running a Linux server operating system, the manufacturer does not provide the means to read the data. A PMBus interface is also missing.

The following section will therefore explain how to retrieve the data using existing tools in modern Linux environments:
* Configuration with board resources
* Connecting and testing the power supply unit
* Making available the kernelspace for monitoring functions
* Error checking

== Configuration ==
In the following, we configure the data readout with the help of <code>i2c-tools</code> and <code>lm-sensors</code> from a power supply by connecting it to a '''USB 2.0 header'''.

=== Testing environment ===
For the configuration, a system with Linux operating system is required. We test with an Ubuntu image:<syntaxhighlight lang="bash">

Linux custom-hw-image 5.15.0-97-generic #107-Ubuntu SMP Wed Feb 7 13:26:48 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

</syntaxhighlight>

== Configuration ==

=== Package installation ===

Install <code>i2c-tools</code> and <code>lm-sensors</code>:<syntaxhighlight lang="shell-session">
root@custom-hw-image:~# apt install i2c-tools lm-sensors
</syntaxhighlight>

=== Hardware detection ===
So that the data can be read out, the device must be detected correctly and integrated. Verify first, if the power supply is connected via USB 2.0 header:<syntaxhighlight lang="shell-session">root@custom-hw-image:~# lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 10c4:ea90 Silicon Labs CP2112 HID I2C Bridge
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub</syntaxhighlight>The searched power supply unit '''device 003 on bus 001''' has been detected correctly. Now verify, on which bus the bridge is integrated via I2C:

<syntaxhighlight lang="shell-session">

root@custom-hw-image:~# i2cdetect -l
i2c-0 smbus SMBus I801 adapter at efa0 SMBus adapter
i2c-1 i2c Synopsys DesignWare I2C adapter I2C adapter
i2c-2 i2c Synopsys DesignWare I2C adapter I2C adapter
i2c-3 i2c Synopsys DesignWare I2C adapter I2C adapter
i2c-4 i2c Synopsys DesignWare I2C adapter I2C adapter
i2c-5 i2c Synopsys DesignWare I2C adapter I2C adapter
i2c-6 i2c CP2112 SMBus Bridge on hidraw2 I2C adapter
</syntaxhighlight>

Here, the '''SMBus bridge''' has been found on '''bus i2c-6'''.

=== Reading out bus ===

You can now read out the I2C-bus on this address:<syntaxhighlight lang="shell-session">

root@custom-hw-image:~# i2cdetect -y 6
Warning: Can't use SMBus Quick Write command, will skip some addresses
0 1 2 3 4 5 6 7 8 9 a b c d e f
00:
10:
20:
30: -- -- -- -- -- -- -- --
40:
50: 50 51 -- -- -- -- 56 -- 58 59 -- -- -- -- -- --
60:
70:

</syntaxhighlight>Here, both power supply units are detected on the addresses '''0x58''' and '''0x59'''. To check, if the manufacturer name is correct:<syntaxhighlight lang="shell-session">root@custom-hw-image:~# i2cget -y 6 0x58 0x99 i 8
0x09 0x46 0x53 0x50 0x2d 0x47 0x52 0x4f
root@custom-hw-image:~# printf "\x09\x46\x53\x50\x2d\x47\x52\x4f\n"
FSP-GRO</syntaxhighlight>The voltage can be read out for the verification. <syntaxhighlight lang="shell-session">
root@custom-hw-image:~# i2cget -y 6 0x58 0x8B w
0x1879

</syntaxhighlight>This value must be converted and expressed in volts. The manufacturer uses a '''direct scaling'''. The voltage can be therefore '''calculated linearly''':

<math>(1879)_{16} \widehat{=} (6265)_{10} \widehat{=} \frac{6265}{2^9} = \frac{6265}{512} \approx 12,236 V</math>

== Integration of ports in kernelspace ==
[[File:Fortron_SP900_readout_DUAL_Linux.png|alt=Abb. 2: Detailed evaluation of the power supplies|thumb|365x365px|2nd image: Detailed evaluation of the power supplies]]
With the following commands, you can add both power supply ports to the kernelspace:<syntaxhighlight lang="shell-session">
root@custom-hw-image:~# echo pmbus 0x58 | sudo tee /sys/bus/i2c/devices/i2c-6/new_device
pmbus 0x58
root@custom-hw-image:~# echo pmbus 0x59 | sudo tee /sys/bus/i2c/devices/i2c-6/new_device
pmbus 0x59
</syntaxhighlight>Verify the successful integration:

<syntaxhighlight lang="shell-session">

root@custom-hw-image:~# i2cdetect -y 6
Warning: Can't use SMBus Quick Write command, will skip some addresses
0 1 2 3 4 5 6 7 8 9 a b c d e f
00:
10:
20:
30: -- -- -- -- -- -- -- --
40:
50: 50 51 -- -- -- -- 56 -- UU UU -- -- -- -- -- --
60:
70:

</syntaxhighlight>

The two power supplies cannot be accessed directly via I2C because they are now fully integrated into the kernel-space "UU (Upper Unit)".

Both power supplies can be completely read out with <code>lm-sensors</code> (for the output, take a look at the ''second image''):<syntaxhighlight lang="shell-session">
root@custom-hw-image:~# sensors
</syntaxhighlight>

== Error checking ==

Finally, you can simulate an error scenario.
Here, the IEC power plug from '''power supply 1''' (3rd image):
[[File:Psu failure ps1.png|none|thumb|957x957px|3rd image: Error simulation]]
{{wseifert}}
{{Aranzinger}}
[[de:Fortron TwinsPro FSP900 DUAL Netzteil unter Linux auslesen]]

AIC backplane firmware- and MFG-update via serial console

2026-05-06T09:07:48Z

Aranzinger:

This article describes how to '''update''' the '''AIC backplane firmware''' and '''MFG''' using a '''serial console connection'''.

== Hardware requirements ==
[[file:4HE AIC Gehäuse XE1-4BT00-05 backsideMarked.jpg|alt=Back side of a 4U AIC chassis XE1-4BT00-05|thumb|353x353px|Backside of a 4U AIC chassis XE1-4BT00-05. AUX-ports are highlighted. The upper port is connected to the frontal 24-bay backplane.]]

The following two cables are needed:
<gallery widths="250" heights="250">
file:SerialCableAux.jpeg|alternativtext=Serial cable with 3,5-mm auxiliary connector (male)|1.: Serial cable with 3,5-mm auxiliary connector (male)
file:SerialCableAuxJEXP UART.JPG|2.: AUX to JEXP_UART adapter. This is included in the accessories for a Thomas Krenn server or is already pre-installed in the system.
</gallery>

A secondary system (for example a laptop or neighboring server) is recommended for the flashing procedure.

=== Connection between backplane and secondary system ===
The JEXP_UART-header on the backplane consists of six pins. However, only the upper three pins are needed for flashing.[[file:BackplaneMarkiert.JPG.jpg|alt=4HE AIC Backplane, JEXP_UART header highlighted|thumb|714x714px|Example of a backplane with highlighted JEXP_UART-header |none]]
[[file:JEXP UART Header pluggedIn.jpg|alt=Connected JEXP_UART-Header, top view|thumb|A connected JEXP_UART cable. (top view) Cable colors from left to right: red, black, yellow|none]]

The other end must be connected to the secondary system via serial port.

[[file:SerialCableConnected.jpg|alt=Serial cable connected to the second system|none|thumb|Serial cable connected to the secondary system]]

== Establishing a connection ==
Programs such as '''PuTTY''' or '''ExtraPutty''' are required to establish a connection. Due to its expanded data transfer options, '''ExtraPuTTY''' is highly recommended.

The following parameters need to be set:
{| class="wikitable"
! Parameter
! Value
|-
| Speed (baudrate)
| 38400
|-
| Data Bits
| 8
|-
| Stop Bits
| 1
|-
| Parity
| none
|-
| Flow Control
| none
|}

<gallery widths="250" heights="250">
file:PuttySettings.png|Settings for establishing a connection with the backplane in ExtraPuTTY
file:SessionOffen.png|Live session. After clicking the Enter-key, 'cmd >' should appear.
</gallery>

=== Checking active firmware / MFG ===
The commands '''rev''' and '''showmfg''' can be used to check the installed firmware and MFG versions.

<gallery widths="250" heights="250">
file:Rev.png|'''The rev command''' displays the current firmware version.
file:Showmfg.png|'''The showmfg command''' displays the currently installed MFG version.
</gallery>

== Flashing the backplane ==

=== Precautions ===
To ensure that the backplane is functioning properly and that there are no hardware defects or similar issues, you should run a few commands and check the results before actually flashing the device.<gallery widths="250" heights="250">
file:Sensor.png|The '''sensor''' command can be used to get information about temperature, connected fans or voltage.
file:Phyinfo.png|The '''phyinfo''' displays information about the connected storage devices (none are installed in the screenshot).
file:Counters.png|With the '''counters''' command, different error counter values are displayed. The values nvWrdCnt, DispErrCnt, LossSyncCnt and RstSeqFailCnt need to be 0. If this is not the case, '''counters reset''' can be used to reset all values. Then execute the '''counters''' command again. If the values are not zero, it is likely that there is a defect. <ref name=":0">[https://www.aicipc.com/image/images/psg/EOB%20Backplane%20Check-up%20via%20Serial%20console.pdf EOB Backplane Check-up via Serial console]</ref>
</gallery>

=== Firmware update<ref name=":0" /> ===
<gallery widths="250" heights="250">
file:Fdl 0 0.png|'''The fdl 0 0''' command sets the backplane into update mode. It now expects a firmware file.
file:FileTransfer.png|alternativtext=Xmodem Transfer|The Xmodem protocol is to be used for file transfer. In ExtraPuTTY, this can be done via 'File Transfer → Xmodem → Send'
file:FirmweareFile.png|alternativtext=select firmware file|Afterwards, select the desired firmware file.
file:Datenuebertragung.png|Upload and flash procedure starts automatically.
file:Transferdone.png|Once the process is complete, the message "Upload successful" appears.
</gallery>

=== MFG-update<ref name=":0" /> ===
Updating the MFG works similar to the firmware.

<gallery widths="250" heights="250">
file:Fdl 83 0.png|The update is started with the '''fdl 83 0''' command.
file:Mfg file.png|Select the correct mfg-file.
file:Mfg transfer.png|Data transfer begins.
</gallery>

=== After the updates ===
If no storage devices are connected to any backplane, the update can be completed by executing the '''reset''' command.[[file:Reset.png|alt=Reset command|thumb|'''The reset command''' reboots the backplane.|none]]'''Attention!''' If the '''reset''' command is executed while data storage devices with an active RAID array are connected to the backplane, this may cause the RAID to degrade or fail completely.

[[file:NeueFW.png|alt=new firmware active|thumb|The new firmware and MFG is now active on the backplane. |none]]
== References ==
<references />

{{Swolf}}
[[Category:Server-Hardware]]
[[de:AIC Backplane Firmware- und MFG-Update via serielle Konsole]]

Internet-Speed-Test with LibreSpeed

2026-04-29T09:17:03Z

Aranzinger: Created page with "There are websites for testing the own '''internet speed''' offered by a lot of providers. The most services of this kind collect '''multiple local data''' in such tests, which is why they are '''not without risk from a data protection perspective'''. The open source alternative '''LibreSpeed''' offers a data-efficient alternative. == Data collection of conventional speedtest-alternatives == Traditional providers of internet speed testing services collect a large amoun..."

There are websites for testing the own '''internet speed''' offered by a lot of providers. The most services of this kind collect '''multiple local data''' in such tests, which is why they are '''not without risk from a data protection perspective'''. The open source alternative '''LibreSpeed''' offers a data-efficient alternative.

== Data collection of conventional speedtest-alternatives ==
Traditional providers of internet speed testing services collect a large amount of data from their own networks, own devices and from the applications on it. In connection with the aquisition of Ookla (operator of Speedtest and Downdetector), the international consulting firm, Accenture, announced that '''more than 1,000 attributes''' are queried per test in March 2026.<ref name=accenture>[https://newsroom.accenture.com/news/2026/accenture-to-acquire-ookla-to-strengthen-network-intelligence-and-experience-with-data-and-ai-for-enterprises Accenture to Acquire Ookla to Strengthen Network Intelligence and Experience with Data and AI For Enterprises] (newsroom.accenture.com, 03.03.2026) <cite>As AI scales, the insights captured at the '''network, device, and application layers''' are essential to enhance fraud prevention in banking, smart home analytics in utilities, and traffic optimization in retail. Ookla’s platform, which captures '''more than 1,000 attributes per test''', provides the foundation for these insights.</cite></ref>

<gallery>
File:Accenture-Newsroom-2026-03-03.png|When it acquired Ookla, Accenture announced that more than 1,000 attributes are collected from the user by Speedtest or Downdetecor.
File:Speedtest.png|Always active at speedtest.net: more than 500 partners can, for example, use the cookie information to identify end devices.
</gallery>

== LibreSpeed ==
LibreSpeed works data-efficient. on [https://librespeed.org/ LibreSpeed.org], no data is collected:
<gallery>
File:LibreSpeed-Website.png|Example of a test from a fiber-optic connection in Austria.
File:LibreSpeed-Anbieter.png|Selection of LibreSpeed servers.
</gallery>

Optionally, LibreSpeed servers can, if they are operated by the company itself, store the following data:<ref>[https://github.com/librespeed/speedtest/blob/master/results/stats.php#L103 stats.php Quellcode] (github.com/librespeed/speedtest)</ref>
* Test ID
* Date and time
* IP and ISP Info
* Download speed
* Upload speed
* Ping
* Jitter
* Log
* Extra info

[https://librespeed.org/ LibreSpeed.org] had not enabled this feature as of April 29, 2026, however.

== LibreSpeed App for Android ==
The LibreSpeed app for Android is available in the F-Droid store (Autor Federico Dossenda).<ref>[https://f-droid.org/en/packages/com.dosse.speedtest/ LibreSpeed F-Droid] (f-droid.org/en/packages)</ref> Attention: Only use this app; there are others in the Google Play Store that have intentionally built in numerous trackers.

<gallery>
File:LibreSpeed-App-01-App-Lounge.png|LibreSpeed Privacy Rating in App Lounge by /e/OS.
File:LibreSpeed-App-02-Trackers.png|Tracker-Report (0 Tracker)<ref>[https://reports.exodus-privacy.eu.org/de/reports/com.dosse.speedtest/latest/ Report for LibreSpeed] (reports.exodus-privacy.eu.org)</ref> for LibreSpeed from Exodus-Privacy<ref>[https://exodus-privacy.eu.org/en/page/who/ Exodus Privacy - Who we are] (exodus-privacy.eu.org)</ref> (French non-Profit).
File:LibreSpeed-App-03-Test.png|LibreSpeed App Home.
File:LibreSpeed-App-04-Privacy-Policy.png|LibreSpeed App Privacy Policy.
File:LibreSpeed-App-05-Test-Result.png|LibreSpeed sample result for an LTE connection in Austria.
</gallery>

== Alternatives ==
The Federal Network Agency's broadband measurement is equally data-efficient:
* https://www.breitbandmessung.de/

== More information ==
* [https://www.theregister.com/2026/03/03/accenture_buys_ookla_downdetector_ziff_davis/ Accenture down to buy Downdetector as part of $1.2 billion deal] (theregister.com, 03.03.2026)
* [https://arstechnica.com/information-technology/2026/03/downdetector-speedtest-sold-to-it-service-provider-accenture-in-1-2b-deal/ Downdetector, Speedtest sold to IT service-provider Accenture in $1.2B deal] (arstechnica.com, 03.03.2026)
* [https://www.reddit.com/r/xprivo/comments/1rmalpy/news_librespeed_opensource_alternative_made_in/ (News) Librespeed - Open-Source Alternative Made in Europe: Downdetector and Speedtest sold to Accenture for $1.2 billion] (www.reddit.com, 2026)

== References ==
<references />

{{Wfischer}}
{{Aranzinger}}
[[Category: Data Protection]]
[[de:Internet-Speed-Test mit LibreSpeed]]

TKMI Settings

2026-04-29T07:28:32Z

Aranzinger: Created page with "== Menu == {| class="wikitable" style="width:100%;" | style="width:240px; text-align:center;" | overview | '''Overview''' Overview of the settings available in the TKMI. |} == System and basic configuration == {| class="wikitable" style="width:100%;" | style="width:240px; text-align:center;" | configure date and time | '''Date & Time''' The '''date, time and time synchronizat..."

== Menu ==
{| class="wikitable" style="width:100%;"
| style="width:240px; text-align:center;" | [[file:TKMI-Settings_overview.png|220px|overview]]
| '''Overview''' 
Overview of the settings available in the TKMI.
|}

== System and basic configuration ==

{| class="wikitable" style="width:100%;"
| style="width:240px; text-align:center;" | [[file:TKMI-Settings_date_time.png|220px|configure date and time]]
| '''Date & Time''' 
The '''date, time and time synchronization''' of the BMC is configured including NTP.
|-
| style="text-align:center;" | [[file:TKMI-Settings_network_settings.png|220px|network configuration]]
| '''Network settings''' 
The '''BMC''' '''network settings''' are determined, for example IP-address, gateway, VLAN and DNS.
|-
| style="text-align:center;" | [[file:TKMI-Settings_services.png|220px|service settings]]
| '''Services''' 
'''BMC-services''' such as Web, SSH, KVM or SNMP are activated or deactivated.
|-
| style="text-align:center;" | [[file:TKMI-Settings_ipmi_interfaces.png|220px|IPMI interfaces]]
| '''IPMI interfaces''' 
The '''IPMI-interfaces''' are configured here.
|-
| style="text-align:center;" | [[file:TKMI-Settings_identify_led.png|220px|Identify LED]]
| '''Identify LED''' 
The '''Identify-LED''' of the system can be controlled here.
|-
| style="text-align:center;" | [[file:TKMI-Settings_fan_control.png|220px|fan control]]
| '''Fan control''' 
The '''fan control''' can be configured here.
|}

== User, registration and safety ==

{| class="wikitable" style="width:100%;"
| style="width:240px; text-align:center;" | [[file:TKMI-Settings_user_management.png|220px|Benutzerverwaltung]]
| '''User Management''' User accounts and permissions are managed in '''the User Management.'''
|-
| style="text-align:center;" | [[file:TKMI-Settings_external_user_services.png|220px|Externe Authentifizierung]]
| '''External User Services''' 
This section is used to integrate external '''authentication services''' such as LDAP or Active Directory.
|-
| style="text-align:center;" | [[file:TKMI-Settings_pam_order.png|220px|Authentifizierungsreihenfolge]]
| '''PAM order settings''' 
This is where the '''order of the authentication methods''' is defined.
|-
| style="text-align:center;" | [[file:TKMI-Settings_ssl_settings.png|220px|SSL Zertifikate]]
| '''SSL settings''' 
This section covers '''SSL- and certificate management'''.
|-
| style="text-align:center;" | [[file:TKMI-Settings_system_firewall.png|220px|Firewall Einstellungen]]
| '''System firewall''' 
The access on the BMC can be restricted via '''integrated firewall'''.
|}

== Logging, notification and events ==

{| class="wikitable" style="width:100%;"
| style="width:240px; text-align:center;" | [[file:TKMI-Settings_log_settings.png|220px|Log Einstellungen]]
| '''Log settings''' 
This section is where you configure settings for '''system and audit logs'''.
|-
| style="text-align:center;" | [[file:TKMI-Settings_platform_event_filters.png|220px|Platform Event Filter]]
| '''Platform Event Filter''' 
The '''Platform Event Filter''' enables automated actions in response to hardware events, such as sending SNMP traps.
|-
| style="text-align:center;" | [[file:TKMI-Settings_smtp_settings.png|220px|SMTP Konfiguration]]
| '''SMTP settings'''
 This is where the settings '''for sending emails''' are configured.
|-
| style="text-align:center;" | [[file:TKMI-Settings_bsod.png|220px|Captured BSOD Übersicht]]
| '''Captured BSOD''' 
This section displays any '''blue screen errors''' in a Windows system that have been detected and logged by the BMC.
|}

== Remote-console and media ==

{| class="wikitable" style="width:100%;"
| style="width:240px; text-align:center;" | [[file:TKMI-Settings_kvm_mouse_settings.png|220px|KVM Maus Einstellungen]]
| '''KVM mouse settings''' 
Here, the settings for the '''mouse control''' can be configured in the '''remote KVM console'''.
|-
| style="text-align:center;" | [[file:TKMI-Settings_media_redirection.png|220px|Virtuelle Medien]]
| '''Media redirection settings''' 
This section provides options on '''virtual media redirection''', for example, for mounting ISO files via the KVM console.
|-
| style="text-align:center;" | [[file:TKMI-Settings_video_recording.png|220px|KVM Aufzeichnung]]
| '''Video recording''' 
This section provides functions for '''recording remote KVM sessions'''.
|}

== Storage and administration ==

{| class="wikitable" style="width:100%;"
| style="width:240px; text-align:center;" | [[file:TKMI-Settings_raid_management.png|220px|RAID Verwaltung]]
| '''RAID Management''' 
This is where supported '''RAID-functions''' are administrated.
|}

== More articles ==
* [[TKMI overview]]
* [[How to activate and configure SNMP in TKMI]]

{{Azillner}}
{{Aranzinger}}
[[Category:Thomas-Krenn Management Interface]]
[[de:TKMI Settings]]

TKMI Remote Control

2026-04-29T05:39:13Z

Aranzinger:

The [[TKMI overview|TKMI]] provides '''remote control''' functions for remote operation '''and direct interaction with the system.''' These include, in particular, the remote KVM console as well as additional control and management options.

In the following, the individual sections are explained.

== Overview ==
[[File:TKMI-Remote-Control_overview.png|alt=Remote Control Menu|thumb|220x220px|Remote Control Menu ]]

This section provides '''access to the remote KVM console (H5Viewer)''' as well as '''Serial over LAN (SOL)''' for direct system integration.

== Remote KVM console ==
[[File:TKMI-Remote-Control_console.png|alt=Remote KVM console|thumb|220x220px|Remote KVM console]]

The system can be '''completely controlled remotely''' via H5Viewer including BIOS/UEFI-access and operating system interaction.

'''Functions within the remote console:'''
* '''Video''' – Control '''video output''' functions such as pause, refresh or turning the display on/off
* '''Mouse''' – Configuring '''mouse control''', for example between absolute and relative mode
* '''Options''' – Adjustment of '''display quality, zoom level and colour depth''' of the remote session
* '''Keyboard''' – Selecting the '''keyboard layout''' for the remote session
* '''Send Keys''' – Allows to '''send shortcuts''' such as <code>Ctrl+Alt+Del</code> to the system
* '''Video Record''' – function for recording the '''remote KVM session'''
* '''Power -''' Direct '''control of system''' (Restart, Shutdown, Power Cycle)
* '''Active Users''' – Display of active users currently accessing the remote console

== Serial Over LAN (SOL) ==
[[File:TKMI-Remote-Control-Serialconsole.png|alt=Serial over LAN|thumb|220x220px|Serial over LAN ]]
This allows the access on the '''serial console of the system via network''', particularly for diagnostic and troubleshooting purposes.

{{Azillner}}
{{Aranzinger}}
[[de:TKMI Remote Control]]

How to activate and configure SNMP in TKMI

2026-04-21T05:06:13Z

Aranzinger: Created page with "This article describes how to activate and configure the ''' SNMP-access''' for an user in the TKMI (Thomas-Krenn Management Interface) == Prerequisites == * A compatible TKMI or Thomas-Krenn server * Access to the TKMI/IPMI-websurface * Valid user login data with administrative rights == User administration == So that SNMP can be used, the access must be activated for a user in the TKMI..."

This article describes how to activate and configure the '''[[SNMP_basics | SNMP-access]]''' for an user in the [[TKMI overview | TKMI (Thomas-Krenn Management Interface)]]

== Prerequisites ==
* A compatible TKMI or Thomas-Krenn server
* Access to the TKMI/IPMI-websurface
* Valid user login data with administrative rights

== User administration ==

So that [[SNMP_Grundlagen | SNMP]] can be used, the access must be activated for a user in the [[Übersicht_TKMI | TKMI]].

<gallery mode="nolines" widths="300" heights="300">
TKMI-SNMP-User_Login.png|Log in to the TKMI web interface with a valid username (for example ''admin'').
TKMI-SNMP-Dashboard.png|After logging in, go to '''Settings''' in the left-hand menu.
TKMI-SNMP-Settings.png|In the '''Settings''' section, open the '''User Management''' option.
TKMI-SNMP-User_Management.png|Select the user for whom you want to enable SNMP.
TKMI-SNMP-User_Logged_In_Password.png|Enter your current password in the '''Logged-In Password''' field to confirm.
TKMI-SNMP-User_SNMP_Activate.png|In the lower section, enable '''SNMP Access''' and configure the desired SNMP parameters.
</gallery>

After the configuration, the changes must be saved with '''Save'''.

== MIB browser ==

For the verification of the SNMP-availability and to read out values, a MIB browser can be used.

In this example, the iReasoning MIB browser is used.

<gallery mode="nolines" widths="100" heights="100">
Download.png| iReasoning MIB browser [https://www.ireasoning.com/mibbrowser.shtml download]
</gallery>

== Establish connection to TKMI ==

After activation of the SNMP in TKMI, the connection can be tested as follows:

<gallery mode="nolines" widths="300" heights="300">
TKMI-SNMP_MIB_Browser.png|Enter the TKMI's IP address in the '''Address''' field. Click '''Advanced...''' to access the advanced SNMP settings.
TKMI-SNMP-MIB_Browser_Settings.png|In the advanced settings, select '''SNMP Version 3''' and enter the login access data.
TKMI-SNMP-MIB_Browser_Test.png|Once configured, you can run a query by clicking '''Go'''. Successful results are displayed in the '''Result Table'''.
</gallery>

== Important settings (SNMPv3) ==

For a successful connection, the following parameters must comply with the set values in TKMI:

* '''Address:''' IP-address of TKMI
* '''Port:''' 161
* '''SNMP Version:''' 3
* '''User:''' Corresponds to the user configured in the TKMI
* '''Security Level:''' authPriv
* '''Auth Algorithm:''' for example SHA256
* '''Auth Password:''' set authentication password
* '''Privacy Algorithm:''' for example DES
* '''Privacy Password:''' set encryption password

'''Hint:'''
If there are discrepancies in the username, password, or algorithms, no SNMP responses will be returned.

== Test query ==

For a simple function test, the following OID can be used:

* '''1.3.6.1.2.1.1.1.0''' (sysDescr)

If the connection is successful, a system description of the TKMI is displayed in the '''Result Table'''.

== Troubleshooting ==

If the SNMP-access does not function:

* '''SNMP Access not activated'''
* '''Wrong access data / community'''
* '''Firewall blocks SNMP (Port 161/UDP)'''
* '''Incorrect OID specified'''
* '''SNMP-version does not comply'''

{{Azillner}}
{{Aranzinger}}
[[Category:IPMI]]
[[de:SNMP im TKMI aktivieren und konfigurieren]]

AMD Security Vulnerabilities - April 2026

2026-04-20T09:14:47Z

Aranzinger: Created page with "On '''April 14th''', '''2026''', AMD published '''AMD-SB-7054''' Security Bulletins <ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7054.html Incorrect use of LocateProtocol Service of the EFI_BOOT_Services table in SMI Handler – April 2026] (www.amd.com/en/resources/product-security)</ref>, '''AMD-SB-3034'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3034.html SEV-SNP Routing Misconfiguration – April 2026] (www.amd..."

On '''April 14th''', '''2026''', AMD published '''AMD-SB-7054''' Security Bulletins <ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7054.html Incorrect use of LocateProtocol Service of the EFI_BOOT_Services table in SMI Handler – April 2026] (www.amd.com/en/resources/product-security)</ref>, '''AMD-SB-3034'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3034.html SEV-SNP Routing Misconfiguration – April 2026] (www.amd.com/en/resources/product-security)</ref> and '''AMD-SB-3016'''<ref>[https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3016.html IOMMU Write Buffer Vulnerability – April 2026] (www.amd.com/en/resources/product-security)</ref> containing a security vulnerability each. This article contains tables listing measures to address the security vulnerabilities.

== Affected systems ==

'''AMD Threadripper systems:'''

* systems with AMD Ryzen Threadripper PRO 3000WX processors
* systems with AMD Ryzen Threadripper PRO 5000WX processors
* systems with AMD Ryzen Threadripper 7000 / PRO 7000WX processors
* systems with AMD Ryzen Threadripper 9000 / PRO 9000WX processors

'''AMD EPYC systems:'''

* systems with "Zen 4" [[AMD EPYC 4004 Raphael]] processors
* systems with "Zen 2" [[AMD EPYC 7002 Rome]] processors
* systems with "Zen 3" [[AMD EPYC 7003 Milan]] processors
* systems with "Zen 4" [[AMD EPYC 9004 Genoa und Bergamo]] & 8004 Siena processors
* systems with "Zen 5" [[AMD EPYC 9005 Turin]] processors

== Solution for the problem ==

Here is a table listing the relevant CVEs and corrective measures for each EPYC generation, where available.

'''AMD EPYC 4004 Raphael'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502]
| align="center" |7.1 (high)
| align="center" |ComboAM5PI 1.0.0.d (2025-11-12)
|-
|}

'''AMD EPYC 7002 Rome'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502]
| align="center" |7.1 (high)
| align="center" |RomePI 1.0.0.P (2025-11-04)
|-
|}

'''AMD EPYC 7003 Milan:'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!SEV FW
!TCB‑Wert for SEV‑certification
!TCB‑Wert for SNP‑certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502]
| align="center" |7.1 (high)
| align="center" |MilanPI 1.0.0.J (2025-12-15)
| align="center" |N/A
| align="center" |N/A
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54510 CVE-2025-54510]
| align="center" |5.9 (medium)
| align="center" |MilanPI 1.0.0.J (2025-12-15)
| align="center" |N/A
| align="center" |TCB[SNP]>=0x1D
mitigation bit = 4
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2023-20585 CVE-2023-20585]
| align="center" |5.6 (medium)
| align="center" | MilanPI 1.0.0.H (2025-09-04) + OS update
| align="center" | SEV FW 1.37.23 + OS update
| align="center" |N/A
| align="center" |TCB[SNP]>=0x1B
|-
|}

'''AMD EPYC 8004 Siena:'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!SEV FW
!TCB‑Wert for SEV‑certification
!TCB‑Wert for SNP‑certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502]
| align="center" |7.1 (high)
| align="center" |GenoaPI 1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |N/A
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54510 CVE-2025-54510]
| align="center" |5.9 (medium)
| align="center" |GenoaPI 1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |TCB[SNP]>=0x1C
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2023-20585 CVE-2023-20585]
| align="center" |5.6 (Mittel)
| align="center" | GenoaPI_1.0.0.G (2025-06-27) + OS update
| align="center" | SEV FW 1.37.31 + OS update
| align="center" |N/A
| align="center" |TCB[SNP]>=0x1B
|-
|}

'''AMD EPYC 9004 Genoa:'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!SEV FW
!TCB‑Wert für die SEV‑certification
!TCB‑Wert für die SNP‑certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502]
| align="center" |7.1 (high)
| align="center" |GenoaPI 1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |N/A
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54510 CVE-2025-54510]
| align="center" |5.9 (medium)
| align="center" |GenoaPI 1.0.0.H (2025-12-15)
| align="center" |N/A
| align="center" |TCB[SNP]>=0x1C
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2023-20585 CVE-2023-20585]
| align="center" |5.6 (medium)
| align="center" | GenoaPI_1.0.0.G (2025-06-27) + OS update
| align="center" | SEV FW 1.37.31 + OS update
| align="center" |N/A
| align="center" |TCB[SNP]>=0x1B
|-
|}

'''AMD EPYC 9005 Turin / Turin Dense'''

{| class="wikitable"
|+
!Security vulnerability
!Risk potential:
! align="center" |'''AGESA version'''
!SEV FW
!TCB‑Wert für die SEV‑certification
!TCB‑Wert für die SNP‑certification
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502]
| align="center" |7.1 (high)
| align="center" |TurinPI 1.0.0.9 (2025-12-31)
| align="center" |N/A
| align="center" |N/A
| align="center" |N/A
|-
| align="center" |[https://www.cve.org/CVERecord?id=CVE-2025-54510 CVE-2025-54510]
| align="center" |5.9 (medium)
| align="center" |TurinPI 1.0.0.8 (2025-11-26)
| align="center" |N/A
| align="center" |TCB[SNP]>=0x5
| align="center" |N/A
|-
|}

'''Table from [https://www.cve.org/CVERecord?id=CVE-2025-54502 CVE-2025-54502] affected Threadripper processors:'''

{| class="wikitable"
|+
!CPU
! align="center" |'''AGESA version'''
|-
| align="center" |AMD Ryzen Threadripper PRO 3000WX
| align="center" |ChagallWSPI-sWRX8 1.0.0.D (2025-11-04)
CastlePeakWSPI-sWRX8 1.0.0.I (2025-10-17)
|-
| align="center" |AMD Ryzen Threadripper PRO 5000WX
| align="center" |ChagallWSPI-sWRX8 1.0.0.D (2025-11-04)
|-
| align="center" |AMD Ryzen Threadripper 7000
| align="center" |ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21)
|-
| align="center" |AMD Ryzen Threadripper PRO 7000WX
| align="center" |ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21)
StormPeakPI-SP6 1.0.0.1m (2025-12-01)

StormPeakPI-SP6_1.1.0.0k (2025-12-01)
|-
| align="center" |AMD Ryzen Threadripper 9000
| align="center" |ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21)
|-
| align="center" |AMD Ryzen Threadripper PRO 9000WX
| align="center" |ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21)
|-
|}

Supermicro Security Bulletins were published on security vulnerabilities. A list with BIOS-versions of the respective mainboards, to close the gaps, is also included. Below is an extract from this table, which lists all the motherboards available from Thomas-Krenn: <ref>[https://www.supermicro.com/en/support/security_center#!advisories Supermicro Security Center] (www.supermicro.com)</ref>

{| class="wikitable"
|+
!AMD motherboard
! align="center" |'''BIOS version'''
|-
| align="center" |H12SSW-iN/NT
| align="center" |3.6
|-
| align="center" |H12SSL-i/C/CT/NT
| align="center" |3.6
|-
| align="center" |H12DSi-N6/NT6
| align="center" |3.6
|-
| align="center" |H13SSW
| align="center" |3.9
|-
| align="center" |H13SSL-N/NC
| align="center" |3.9
|}

=== Updates on Thomas-Krenn products ===
Updates on the respective system can be found in the <tklink type="sitex" id="440"> Thomas-Krenn download area</tklink>.
The versions in the download area have been tested by us to guarantee the stability and compatibility of our systems.

If you require the latest version for your system and it is not yet available in our download area, you can get it at [https://www.asus.com/de/support/download-center/ Asus] or [https://www.supermicro.com/en/support/resources/downloadcenter/swdownload Supermicro].

== References ==
<references/>

{{Thomas-Krenn.AG}}
{{Aranzinger}}
[[Category:AMD Safety Information]]
[[de:AMD Sicherheitslücken - April 2026]]

Windows Secure Boot certificate expiry

2026-04-17T08:13:04Z

Aranzinger: /* Which certificates are affected? */

In this article, we explain how to read out the secure boot certificate.

The previous certificates have been issued in 2011 which expire this year.

== Which certificates are affected? ==
Definitions:

* '''KEK:''' Key Enrollment Key
* '''CA:''' Certificate Authority
* '''DB:''' Secure Boot Signature Database
* '''DBX:''' Secure Boot Revoked Signature Database

{| class="wikitable"
|+Summary table
!Expiring certificates
!Expiry date
!New certificate
!Location
!Purpose
|-
|'''Microsoft Corporation KEK CA 2011'''
|June 2026
|Microsoft Corporation KEK 2K CA 2023
|Stored in KEK
|Signes updates for DB and DBX.
|-
|'''Microsoft Windows Production PCA 2011'''
|October 2026
|Windows UEFI CA 2023
|Stored in data base
|Used for signing of the Windows boot loader.
|-
|'''Microsoft UEFI CA 2011''*'''''
|June 2026
|Microsoft UEFI CA 2023
|Stored in data base
|Signs boot loaders from third-party providers and EFI applications.
|-
|'''Microsoft UEFI CA 2011''*'''''
|June 2026
|Microsoft Option ROM UEFI CA 2023
|Stored in data base
|Signs third-party Option ROMs
|}
<nowiki>*</nowiki>During the renewal of the Microsoft Corporation UEFI CA 2011 certificate, two certificates separate the bootloader signature from the Option ROM signature.

This enables precise control over the system trust. Systems, that trust Option-ROMs, can, for example, add the Microsoft option ROM UEFI CA 2023 without granting a trusted status to third-party bootloaders.

== What happens if my certificate expires? ==

Windows starts and functions as usual. Updates can still be downloaded and installed.

However, updates cannot be installed for the early boot process. This concerns the Windows Boot Manager, Secure Boot data base and Revocation lists or fixes for new discovered boot level vulnerabilities.

These effects reduce the protection of the devices against impending dangers, which rely on Secure Boot, such as BitLocker Hardening or third-party bootloaders.

== How do I verify my certificates ==

The validity of the installed certificates can be checked using the Windows Security app.

'''Windows-Security> Equipment Safety > Safe Start'''

There are three possible scenarios.

=== Scenario 1: Everything is completely updated (green tick) ===
All certificate updates were applied.

=== Scenario 2: No update has been installed yet (yellow warning symbol) ===
Automatic updates are not available. The hardware manufacturer must be contacted.

=== Scenario 3: Action is required (Red X) ===
The device cannot receive required updates.

If a Windows Update is missing, this menu option may not display any information about the certificates.

In this case, the certificate can be read out manually with a workaround.

With the following powershell command, the certificates can be stored as .bin in any location.<syntaxhighlight lang="powershell">
$var = Get-SecureBootUEFI -Name db; [System.IO.File]::WriteAllBytes("C:\Users\Administrator\Documents\db.bin", $var.Bytes)
</syntaxhighlight>This path can be customized as required.

After this, the db.bin file must be divided on a Linux system (for example WSL) with the efitools.<syntaxhighlight lang="bash">
sudo apt update && apt install efitools
sudo sig-list-to-certs db.bin cert
</syntaxhighlight>

Now, 5 certificates have been created in the current directory: cert-0.der cert-1.der cert-2.der cert-3.der cert-4.der

The content of these certificates can be read out with Openssl.<syntaxhighlight lang="bash">
openssl x509 -in cert-0.der -inform DER -text -noout
</syntaxhighlight>
The file name "cert-0.der" must be adapted to the respective certificate.

The line Validity is important. If this line displays the following value, the certificate expires in June 2026:

Validity

Not Before: Jun 27 21:22:45 2011 GMT

Not After : Jun 27 21:32:45 2026 GMT

==How do I update my certificates? ==

There are multiple ways to update the certificate. The simplest and best method is to update the BIOS, as the hardware manufacturer has already incorporated the new certificates.

== References ==

* [https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e Windows Secure Boot certificate expiration and CA updates] (support.microsoft.com)
* [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11#14-signature-databases-db-and-dbx Windows Secure Boot Key Creation and Management Guidance] (learn.microsoft.com)
* [https://support.microsoft.com/en-us/topic/it-admin-guide-secure-boot-certificate-update-status-in-the-windows-security-app-fb8e2121-4402-433b-af8b-623760951fdb IT admin guide: Secure Boot certificate update status in the Windows Security app] (support.microsoft.com)

{{Bstockinger}}
{{Aranzinger}}
[[Category:Windows]]
[[de:Windows Secure Boot Zertifikat Ende der Gültigkeit]]

Activation of Q-Feeds webinterface and licenses

2026-04-16T08:54:06Z

Aranzinger: Created page with "Q-Feeds, the cybersecurity plugin, provides a Cloud platform with a variety of information. With this, licenses can be added to the own account and tokens can be created for devices such as OPNsense-firewalls. This article shows how to '''add a license''' and '''create a token for your firewall''' in the '''Q-Feeds Threat Intelligence Platform v2.3'''. {{#widget:Imagebox-left|link={{#tklink:type=sitex|id=21563|linkonly=1}}|image=/de/wikiDE/images/8/84/Q-Feeds-Sh..."

[[Q-Feeds]], the cybersecurity plugin, provides a Cloud platform with a variety of information. With this, licenses can be added to the own account and tokens can be created for devices such as [[OPNsense]]-firewalls. This article shows how to '''add a license''' and '''create a token for your firewall''' in the '''Q-Feeds Threat Intelligence Platform v2.3'''.

{{#widget:Imagebox-left|link={{#tklink:type=sitex|id=21563|linkonly=1}}|image=/de/wikiDE/images/8/84/Q-Feeds-Shopbanner.png|text=Click here for our Q-Feeds licenses in the Thomas-Krenn online shop|campaign=Activate Q-Feeds webinterface and license}}
{{#widget:SitexBox|link={{#tklink:type=sitex|id=21563|linkonly=1}}|text=Click here for our Q-Feeds licenses in the Thomas-Krenn online shop|campaign=Activate Q-Feeds webinterface and license}}

== Cloud platform login ==
Log in to tip.qfeeds.com, or create a new account.

:[[File:Q-Feeds-Webinterface-001.png|300px]]

== Q-Feeds dashboard ==
Now, the dashboard is displayed after the login.

:[[File:Q-Feeds-Webinterface-002.png|300px]]

== Add and administrate license ==
This paragraph shows how to activate a license and add it to your account.

<gallery>
File:Q-Feeds-Webinterface-003.png|Click on your ''account name'' in the top right-hand corner, then select ''Licenses''.
File:Q-Feeds-Webinterface-004.png|Then click on the ''Activate License'' button in the top-right corner. A menu will then appear; enter the licence key and click on ''Activate License''.
File:Q-Feeds-Webinterface-005.png|The license has been added and is now active.
</gallery>

== Create API key for terminal devices such as OPNsense firewalls ==
This paragraph shows how to create API keys for your OPNsense firewalls. Such a key is required for the Q-Feeds plugin on the OPNsense firewall.

<gallery>
File:Q-Feeds-Webinterface-006.png|In the dashboard, click on ''Account Settings'' in the bottom-left corner, then click on the ''API KEYS'' tab. You can now add a key using the ''Add API Key'' button. Enter a description and select a valid licence in the ''Assign License'' field. Click on ''Save Key''.
File:Q-Feeds-Webinterface-007.png|The API token appears. Copy it and paste it into the OPNsense firewall using the Q-Feeds plugin.
</gallery>

{{Tniedermeier}}
{{Aranzinger}}
[[Category:Q-Feeds]]
[[de:Q-Feeds Webinterface und Lizenz aktivieren]]

Q-Feeds Connect Installation under OPNsense 26.1

2026-04-09T08:35:20Z

Aranzinger: Created page with "The Open Source Firewall OPNsense can be enhanced by integrating Q-Feeds firewall blocklists and DNS filter rules with the latest threat intelligence. This article shows how to install '''Q-Feeds Connect plugin and how to create firewall rules''' and '''Unbound DNS filter rules''' under '''OPNsense 26.1'''. {{#widget:Imagebox-left|link={{#tklink:type=sitex|id=21563|linkonly=1}}|image=/de/wikiDE/images/8/84/Q-Feeds-Shopbanner.png|text=Click here for our Q-Feeds Conne..."

The Open Source Firewall [[OPNsense]] can be enhanced by integrating Q-Feeds firewall blocklists and DNS filter rules with the latest threat intelligence. This article shows how to install '''Q-Feeds Connect plugin and how to create firewall rules''' and '''Unbound DNS filter rules''' under '''OPNsense 26.1'''.

{{#widget:Imagebox-left|link={{#tklink:type=sitex|id=21563|linkonly=1}}|image=/de/wikiDE/images/8/84/Q-Feeds-Shopbanner.png|text=Click here for our Q-Feeds Connect licenses in the Thomas-Krenn online shop|campaign=Q-Feeds Connect installation under OPNsense 26.1 }}
{{#widget:SitexBox|link={{#tklink:type=sitex|id=21563|linkonly=1}}|text=Click here for our Q-Feeds Connect licenses in the Thomas-Krenn online shop|campaign=Q-Feeds Connect Einrichtung unter OPNsense 26.1}}

== Q-Feeds Connect plugin ==
The Q-Feeds Connect plugin can be installed as Plugin at OPNsense.

=== Installation of plugin ===
<gallery>
File:OPNsense-Q-Feeds-001.png|Go to ''System → Firmware → Plugins''.
File:OPNsense-Q-Feeds-002.png|The "os-q-feeds-connector" plugin is maintained in the OPNsense repository and can be installed directly. To install it, click on the '''+'''.
File:OPNsense-Q-Feeds-003.png|Q-Feeds Connect has been installed.
File:OPNsense-Q-Feeds-004.png|Click on the button to reload the browser.
</gallery>

=== Configuration of plugin ===
The plugin has been installed and the configuration can now be made.
<gallery>
File:OPNsense-Q-Feeds-005.png|Click on the new menu option ''Security''.
File:OPNsense-Q-Feeds-006.png|After this, go to ''Q-Feeds Connect''.
File:OPNsense-Q-Feeds-007.png|The settings are configured in the Settings tab.
File:OPNsense-Q-Feeds-008.png|State you API-key. Set the box next to '''Register domain feeds''', to activate the Unbound DNS blocklists from Q-Feeds. After this, click on ''Apply''.
File:OPNsense-Q-Feeds-009.png|In the '''Feeds''' tab, the loaded IP-addresses and domain names are listed.
File:OPNsense-Q-Feeds-010.png|Events tab.
</gallery>

=== Firewall Maximum Table Entries adjustments ===
The maximum number of Firewall Maximum Table Entries can be adjusted optionally.

<gallery>
File:OPNsense-Q-Feeds-011.png|Switch to the menu ''Firewall → Settings → Advanced'' and scroll to '''Firewall Maximum Table Entries'''. Adjust the default value if necessary.
File:OPNsense-Q-Feeds-012.png|The current number of entries can be considered in the menu ''Firewall → Aliases''.
File:OPNsense-Q-Feeds-013.png|A Q-Feeds Alias has been created.
</gallery>

== Q-Feeds firewall rule configuration ==
After installation and configuration of the plugin, the firewall rules can be set. In this example, the Q-Feeds blocklist is activated on the LAN and WAN interface.

=== Block rule for outbound traffic on the LAN interface ===
For a LAN interface, a suitable rule would be one that blocks all incoming LAN traffic destined for addresses included in the block list.

<gallery>
File:OPNsense-Q-Feeds-029.png|Go to the menu Firewall → Rules [new] and click on the '''+'''.
File:OPNsense-Q-Feeds-030.png|State a description and assign the '''LAN''' interface to the rule.
File:OPNsense-Q-Feeds-031.png|Select ''Block on Action.''
File:OPNsense-Q-Feeds-032.png|Destination is the Alias '''__qfeeds_malware_ip'''.
File:OPNsense-Q-Feeds-033.png|Click on ''Save''.
File:OPNsense-Q-Feeds-034.png|Activate the checkbox before the new rule and click on the arrow at Allow from LAN rule. Therefore, the block rule is processed before the allow rule.
File:OPNsense-Q-Feeds-035.png|Click on '''Apply'''.
</gallery>

=== Block rule for incoming traffic on the WAN interface ===
For a WAN interface, a suitable rule would be one that blocks all incoming WAN traffic from source IP addresses included in the Q-Feeds blocklist.

<gallery>
File:OPNsense-Q-Feeds-036.png|Go to the menu Firewall → Rules [new] and click on the '''+'''.
File:OPNsense-Q-Feeds-037.png|State a description and assign the '''WAN''' interface to the rule.
File:OPNsense-Q-Feeds-038.png|On Action, select ''Block''.
File:OPNsense-Q-Feeds-039.png|Alias is the source '''__qfeeds_malware_ip'''.
File:OPNsense-Q-Feeds-040.png|Click on ''Save''.
File:OPNsense-Q-Feeds-041.png|Tick the box next to the new rule and click the arrow next to the Allow from WAN net rule. Therefore, the block rule is processed before the allow rule.
File:OPNsense-Q-Feeds-042.png|Click on '''Apply'''.
</gallery>

== More settings on Unbound DNS ==
With Q-Feeds Plus (only OSINT) and Premium (OSINT and Paid), DNS requests can be filtered with the Unbound DNS. The DNS filter rule are activated automatically.
<gallery>
File:OPNsense-Q-Feeds-027.png|You can activate the Unbound DNS reporting. Click on ''Reporting → Settings'' and allow the local collection of statistics on Unbound. Click on ''Save''.
File:OPNsense-Q-Feeds-028.png|The size of the blocklist is now displayed.
</gallery>

{{Tniedermeier}}
{{Aranzinger}}
[[Category:Q-Feeds]]
[[de:Q-Feeds Connect Einrichtung unter OPNsense 26.1]]

Q-Feeds Versions: Feature Comparison

2026-04-08T08:12:15Z

Aranzinger: Created page with "Next-Generation-Firewalls (NGFWs) are important tools to protect networks. You can filter DNS and web traffic using external dynamic lists of threat indicators, known as Indicators of Compromise (IoCs). Q-Feeds provides dynamic and updated lists of these IoCs that were specifically designed for use with security controls such as NGFWs. By adding Q-Feeds as a plugin to OPNsense firewalls, you can enhance protection against new and emerging threats. This means that OPN..."

Next-Generation-Firewalls (NGFWs) are important tools to protect networks. You can filter DNS and web traffic using external dynamic lists of threat indicators, known as Indicators of Compromise (IoCs). Q-Feeds provides dynamic and updated lists of these IoCs that were specifically designed for use with security controls such as NGFWs. By adding Q-Feeds as a plugin to [[OPNsense]] firewalls, you can enhance protection against new and emerging threats. This means that OPNsense can stay up to date with the latest threat intelligence to filter out malicious traffic. This article shows '''different Q-Feeds licenses''' with its features '''presented in a table for comparison'''.

{{#widget:Imagebox-left|link={{#tklink:type=sitex|id=21563|linkonly=1}}|image=/de/wikiDE/images/8/84/Q-Feeds-Shopbanner.png|text=Click here to view Q-Feeds Connect licenses in the Thomas-Krenn online shop|campaign=Q-Feeds Versions: Feature Comparison}}
{{#widget:SitexBox|link={{#tklink:type=sitex|id=21563|linkonly=1}}|text=Click here to view Q-Feeds Connect licenses in the Thomas-Krenn online shop|campaign=Q-Feeds Versions: Feature Comparison}}

== Q-Feeds versions ==
This table shows three Q-Feeds licenses with its features and differences.

{| class="wikitable"
|+Q-Feeds Versionen Eigenschaften und Unterschiede
!
!Feature
!Community Edition
!Plus
!Premium
|-
| rowspan="8" |Services
|Active Support
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|Easy Integration
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|Curated data
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|Update frequency
|delayed by 7 days
|delayed by 4 hours
|every 20 minutes
|-
|IoC (indicators of compromise) lookup
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|[https://qfeeds.com/external-attack-surface-management-easm/?srsltid=AfmBOooV-Qo_q4fAO0jWsdbrFjMqRpUGMmKDZnZBOSFYMCfDXFBnFI5U EASM (External Attack Service Management)]
!style="background-color:#FFCCCC;" align="center"|-
|1 scan per week
|1 scan per day
|-
|[https://qfeeds.com/darkweb-monitoring/?srsltid=AfmBOoo6ZXk6TLFtXnFutk_4XD-mwwPRO-pHzSWMI2N9L7yr8Fqd66dz Dark web monitoring]
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|[https://qfeeds.com/brand-protection-phishing-detection/?srsltid=AfmBOoqTwqgD2DpEVUpBH_8nQ6JstPjBqgQjxcaOqeHBh0uPE07wC1Ed Brand Protection]
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#CCFFCC;" align="center"|✔
|-
| rowspan="2" |OSINT (Open-Source Intelligence)
|IP
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|DNS
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
| rowspan="2" |Paid
|IP
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#CCFFCC;" align="center"|✔
!style="background-color:#CCFFCC;" align="center"|✔
|-
|DNS
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#FFCCCC;" align="center"|-
!style="background-color:#CCFFCC;" align="center"|✔
|}

{{Tniedermeier}}
{{Aranzinger}}
[[Category:Q-Feeds]]
[[de:Q-Feeds Versionen Featurevergleich]]

Cloud Computing Concepts

2026-04-02T08:24:19Z

Aranzinger: Created page with "The term '''Cloud'''—actually cloud computing—is a term for various concepts related to the delivery of IT services. These can be broadly divided into three categories and classified using the cloud computing stack. This article provides an overview of these concepts. == Cloud Computing Stack == file:Cloud Computing Stack.jpg|250px|thumb|right|Cloud Computing Stack.<ref>[http://oracle-help.com/oracle-cloud/..."

The term '''Cloud'''—actually [[:Category:Cloud Computing|cloud computing]]—is a term for various concepts related to the delivery of IT services. These can be broadly divided into three categories and classified using the [[#Cloud Computing Stack|cloud computing stack]]. This article provides an overview of these concepts.

== Cloud Computing Stack ==
[[file:Cloud Computing Stack.jpg|250px|thumb|right|Cloud Computing Stack.<ref>[http://oracle-help.com/oracle-cloud/cloud-computing-stack-saas-paas-iaas/ WHAT IS CLOUD COMPUTING STACK (SAAS, PAAS, IAAS)] (oracle-help.com)</ref>]]
This section describes the various cloud concepts using the cloud computing stack. The cloud computing stack illustrates these concepts through the components of externally managed services that are hosted services.

=== Infrastructure as a Service (IaaS) ===
In this concept, the server infrastructure is managed by the cloud service provider (CSP). All components (CPU, [[RAM Basics|RAM]], storage, network) are already virtualized and can be freely allocated by the user. The user has full control over resource usage, meaning that CPU cores, RAM, and storage can be adjusted at any time as needed. Since the infrastructure is a virtualized environment and is typically designed to be redundant, it is impossible to determine on which hardware within a data center the infrastructure is currently running (exceptions are [[Virtual Location|Virtual Locations]]—not to be confused with [[Virtual Private Cloud|VPCs]]).

The user is solely responsible for the maintenance and support of all software, including the operating system (this also includes proper licensing).

Many service providers operate multiple data centers, giving users the ability to choose the geographic location of their data.

==== Benefits ====
Since IaaS allows for the rapid migration of virtual machines and applications without refactoring<ref>[https://de.wikipedia.org/wiki/Refactoring Refactoring] (de.wikipedia.org) </ref> (see also [[Lift and Shift Migration|Lift & Shift]]), it is a particularly good option for time-critical IT migrations to the cloud (for example, when discontinuing colocation in a data center). Using an IaaS platform can also be worthwhile for purpose-specific applications that do not require 24-hour operation.

=== Platform as a Service (PaaS) ===
In addition to the infrastructure, this cloud concept also provides the operating system and runtime environment. As a user, you are only responsible for managing the data within the applications. Specifically, this means that a database pre-installed by the service provider (MySQL, Oracle, Postgres, etc.) is used to develop and deploy your own applications. One advantage for developers is that performance can be scaled dynamically.

Unlike IaaS, there is no longer a need to create a virtual environment.

==== Benefits ====

This approach is particularly beneficial for web developers—such as those in the e-commerce sector or other service providers—as it allows them to focus on application development.

=== Software as a Service (SaaS) ===
SaaS is arguably the best-known model for online services. This is because it has also found its way into the consumer market and is used on a regular basis.

With SaaS, the entire stack—from the hardware to the finished application—is provided as a ready-made solution.

==== Benefits ====
SaaS offerings are a resource-efficient alternative, as they eliminate the need for personnel and time to manage hardware and software.

== More information ==
* [https://www.isbn-suchen.de/search.php?q=978-3-446-46184-0 IT-Management Guide: Concepts, Methods, Solutions and Resources for practical use] (ISBN 978-3-446-46184-0, 7. revised edition (9. März 2020)), Chapter 7: Cloud Computing
* [https://www.linkedin.com/pulse/20140730172610-9679881-pizza-as-a-service/ Pizza as a Service] (linkedin.com/pulse, Albert Barron, 30.07.2014)

== References ==
<references />

{{Sbohn}}
{{Aranzinger}}
[[Category:Cloud Computing]]
[[de:Cloud Computing Konzepte]]

Boot-Device Replacement - Change of Proxmox ZFS Mirror Disk

2026-03-26T12:45:09Z

Aranzinger: Created page with "These instructions describe the '''change of a boot device''' in a '''Proxmox VE (PVE) host system''' '''with ZFS-mirror'''. This change is necessary, when a disk is damaged or has failed in the compound. In this article, it is explained what to do after a system hard drive failure. Options for different boot-loaders ("GRUB" or "systemd-boot") are explained. Furthermore, it is explained how to change a hard drive within a PVE so that the used mirror is completely ''o..."

These instructions describe the '''change of a boot device''' in a '''[[Proxmox VE]] (PVE) host system''' '''with ZFS-mirror'''. This change is necessary, when a disk is damaged or has failed in the compound. In this article, it is explained what to do after a system hard drive failure. Options for different boot-loaders ("GRUB" or "systemd-boot") are explained. Furthermore, it is explained how to change a hard drive within a PVE so that the used mirror is completely ''online,'' and ''healthy'' and that the redundancy of the operating system is recreated.

{{#widget:Imagebox-left|link={{#tklink:type=sitex|id=19702|linkonly=1}}|image=/de/wikiDE/images/d/d5/Ceph-hci-proxmox-3.png|text=Buy Proxmox optimized servers|campaign=Buy Proxmox Servers}}
{{#widget:SitexBox|link={{#tklink:type=sitex|id=19702|linkonly=1}}|text=Buy Proxmox optimized servers|campaign=campaign=Buy Proxmox Servers}}

== Recommendation - Test environment ==
All described steps can be previously performed in a test environment. For this, create a '''virtual machine in Proxmox VE''' and install PVE on a ZFS RAID-1.

Therefore, you gain experience in this process and lower the risk for your productive system.

== Instructions ==
This paragraph summarizes the commands that are necessary for changing your data carrier and its influence on your system in brief.

'''Attention: It is highly recommended to read the detailed instructions if it is your first time performing this process or are still inexperienced in administering Proxmox VE systems!'''

#Identify the faulty storage device and change it.
#Copy partition layout of the ''healthy'' disk on the ''exchange'' disk (and randomize the GUID)
#Find the ZFS partition using the volume ID (<code>Solaris /usr & Apple ZFS</code>)
#Copy partition of the ''new'' disk into the ''zpool''
#Finalize exchange with <code>proxmox-boot-tool</code>
Once you have completed all the steps correctly, your ZFS will be "online", "healthy", and "boot-safe" again.

== Identify failed data carrier ==
First, you need to identify the failed disk and its name in your PVE system. This can be made, for example, with the <code>lsblk</code> command.

=== Before failure ===
After installation, two boot disks are available (''sda'' and ''sdb''):
<pre>
root@pve-virtual-01:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 100G 0 disk
├─sda1 8:1 0 1007K 0 part
├─sda2 8:2 0 512M 0 part
└─sda3 8:3 0 99.5G 0 part
sdb 8:16 0 100G 0 disk
├─sdb1 8:17 0 1007K 0 part
├─sdb2 8:18 0 512M 0 part
└─sdb3 8:19 0 99.5G 0 part
</pre>

=== After failure ===
In this test scenario, the ''sda'' hard drive has failed. It is missing in the <code>lsblk</code> output after the failure:
<pre>
root@pve-virtual-01:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sdb 8:16 0 100G 0 disk
├─sdb1 8:17 0 1007K 0 part
├─sdb2 8:18 0 512M 0 part
└─sdb3 8:19 0 99.5G 0 part
</pre>

'''Important''': When replacing a data storage device, the descriptions may change. '''Always verify the exact name immediately after replacing the damaged storage device with a new one!''' A faulty specification of the name could irreparably damage your system in the next steps.

== Copy partition layout ==
This information can be always found in the current Proxmox VE documentation. <ref>[https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_zfs ZFS on Linux] (pve.proxmox.com) Abschnitt ''Changing a failed device'' im Unterkapitel 3.8.5.</ref>
<pre>
# sgdisk <healthy bootable device> -R <new device>
# sgdisk -G <new device>
# zpool replace -f <pool> <old zfs partition> <new zfs partition>
</pre>

The new data carrier is in the system and does not have a partition layout yet. However, we require the partitions so that the system can boot properly and that we can provide two technically identic data carriers for the ZFS:
<pre>
root@pve-virtual-01:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 100G 0 disk
sdb 8:16 0 100G 0 disk
├─sdb1 8:17 0 1007K 0 part
├─sdb2 8:18 0 512M 0 part
└─sdb3 8:19 0 99.5G 0 part
</pre>

We now copy the partition layout from the ''healthy'' data carrier to the ''new'' data carrier.
{| {{Prettytable}} cellspacing="0" style="margin: 1em 1em 1em 0; background: #f9f9f9; border: 1px #a0a0a0 solid; border-collapse: collapse; " rules="all"
| Please note once again that you MUST first identify the correct device name (''device-name'') using (''Device-Name'') with <code>lsblk</code>. Otherwise, you risk ending up with a broken Proxmox VE system, as the partition layout of the "new" disk might be accidentally replicated to the "healthy" disk. This would result in the system being unable to boot at all, forcing you to perform a clean install.
|-
|}
<pre>
root@pve-virtual-01:~# sgdisk /dev/sdb -R /dev/sda
The operation has completed successfully.

root@pve-virtual-01:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 100G 0 disk
├─sda1 8:1 0 1007K 0 part
├─sda2 8:2 0 512M 0 part
└─sda3 8:3 0 99.5G 0 part
sdb 8:16 0 100G 0 disk
├─sdb1 8:17 0 1007K 0 part
├─sdb2 8:18 0 512M 0 part
└─sdb3 8:19 0 99.5G 0 part
</pre>

Since we copied the layout to the new disk, the disk and partitions now have the same GUIDs. That is why we still need to randomize them:
<pre>
root@pve-virtual-01:~# sgdisk -G /dev/sda
The operation has completed successfully.
</pre>

== Find out disk ID (by-id) ==
To replace the volume correctly in ZFS, we need to determine the ID of the new volume. In this case, we are looking for the volume associated with the device name sda.
<pre>
root@pve:~# ls -l /dev/disk/by-id/*

lrwxrwxrwx 1 root root 9 Mar 16 15:11 /dev/disk/by-id/ata-QEMU_DVD-ROM_QM00003 -> ../../sr0
lrwxrwxrwx 1 root root 9 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0 -> ../../sda
lrwxrwxrwx 1 root root 10 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2 -> ../../sda2
lrwxrwxrwx 1 root root 10 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3 -> ../../sda3
lrwxrwxrwx 1 root root 9 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1 -> ../../sdb
lrwxrwxrwx 1 root root 10 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part2 -> ../../sdb2
lrwxrwxrwx 1 root root 10 Mar 16 15:11 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part3 -> ../../sdb3
</pre>

PVE always creates dedicated partitions for ''boot, EFI,'' and ''ZFS'' on storage devices:
<pre>
root@pve:~# fdisk -l /dev/sda

Disk /dev/sda: 32 GiB, 34359738368 bytes, 67108864 sectors
Disk model: QEMU HARDDISK
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 7D6423DE-2A9C-4B8D-A272-C7B28E1452D9

Device Start End Sectors Size Type
/dev/sda1 34 2047 2014 1007K BIOS boot
/dev/sda2 2048 1050623 1048576 512M EFI System
/dev/sda3 1050624 67108830 66058207 31.5G Solaris /usr & Apple ZFS
</pre>

In this case, we require the device-ID (''by-id'') from the ''/dev/sda3.'' partition, which is as follows:
/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3

== Switch ZFS data carrier ==
First, we verify the ZFS pool status. Here, we see that the failed hard drive is not available anymore in the system and previously had the ID ''/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3.''
<pre>
root@pve-virtual-01:~# zpool status -v
pool: rpool
state: DEGRADED
status: One or more devices could not be used because the label is missing or
invalid. Sufficient replicas exist for the pool to continue
functioning in a degraded state.
action: Replace the device using 'zpool replace'.
see: http://zfsonlinux.org/msg/ZFS-8000-4J
scan: none requested
config:

NAME STATE READ WRITE CKSUM
rpool DEGRADED 0 0 0
mirror-0 DEGRADED 0 0 0
15467202543801207082 UNAVAIL 0 0 0 was /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3
scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part3 ONLINE 0 0 0
</pre>

Now, we change the data carriers.

'''Important:''' In this example, our new hard drive has the same ID as the old one. This will not be the case in your actual scenario. Please follow the syntax:

<pre>root@pve-virtual-01:~# zpool replace -f rpool /dev/disk/by-id/ID-ALTE-FESTPLATTE /dev/disk/by-id/ID-NEUE-FESTPLATTE
</pre>
In our example:
<pre>
root@pve-virtual-01:~# zpool replace -f rpool /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3
</pre>

The exchange is now complete. Now, you can verify if the RAID-1 (''ZFS-Mirror'') is '''online''' and '''healthy''' again:
<pre>
root@pve-virtual-01:~# zpool status -v
pool: rpool
state: ONLINE
scan: resilvered 998M in 0 days 00:00:08 with 0 errors on Tue Mar 16 12:16:34 2021
config:

NAME STATE READ WRITE CKSUM
rpool ONLINE 0 0 0
mirror-0 ONLINE 0 0 0
scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3 ONLINE 0 0 0
scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part3 ONLINE 0 0 0
</pre>

== Finalize disk exchange ==
Finally, there are a few steps left to ensure that the system is stable after a reboot and fully functional.

Now, you have to perform the following steps with the ''proxmox-boot-tool'':

* First, you need to find out the disk ID as described in the step [[Boot-Device Replacement - Replacing a Proxmox ZFS Mirror Disk#Find out disk ID (by-id)|Find out disk ID (by-id)]]—but this time, you need to find the '''ID of the second partition''', since this is always used for the '''EFI system'''.
* When you have found out the ID (in this case ''/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2),'', you can execute the following commands:
<pre>root@pve:~# proxmox-boot-tool format /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2

UUID="" SIZE="536870912" FSTYPE="" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" PKNAME="sdb" MOUNTPOINT=""
Formatting '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2' as vfat..
mkfs.fat 4.2 (2021-01-31)
Done.

root@pve:~# proxmox-boot-tool init /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2

Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..
UUID="FD52-5CAE" SIZE="536870912" FSTYPE="vfat" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" PKNAME="sdb" MOUNTPOINT=""
Mounting '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2' on '/var/tmp/espmounts/FD52-5CAE'.
Installing systemd-boot..
Created "/var/tmp/espmounts/FD52-5CAE/EFI/systemd".
Created "/var/tmp/espmounts/FD52-5CAE/EFI/BOOT".
Created "/var/tmp/espmounts/FD52-5CAE/loader".
Created "/var/tmp/espmounts/FD52-5CAE/loader/entries".
Created "/var/tmp/espmounts/FD52-5CAE/EFI/Linux".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/var/tmp/espmounts/FD52-5CAE/EFI/systemd/systemd-bootx64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/var/tmp/espmounts/FD52-5CAE/EFI/BOOT/BOOTX64.EFI".
Random seed file /var/tmp/espmounts/FD52-5CAE/loader/random-seed successfully written (512 bytes).
Not installing system token, since we are running in a virtualized environment.
Created EFI boot entry "Linux Boot Manager".
Configuring systemd-boot..
Unmounting '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2'.
Adding '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part2' to list of synced ESPs..
Refreshing kernels and initrds..
Running hook script 'proxmox-auto-removal'..
Running hook script 'zz-proxmox-boot'..
Copying and configuring kernels on /dev/disk/by-uuid/5D2E-4BFB
Copying kernel and creating boot-entry for 5.15.30-2-pve
WARN: /dev/disk/by-uuid/5D2F-103F does not exist - clean '/etc/kernel/proxmox-boot-uuids'! - skipping
Copying and configuring kernels on /dev/disk/by-uuid/FD52-5CAE
Copying kernel and creating boot-entry for 5.15.30-2-pve

root@pve:~# proxmox-boot-tool status

Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..
System currently booted with uefi
5D2E-4BFB is configured with: uefi (versions: 5.15.30-2-pve)
WARN: /dev/disk/by-uuid/5D2F-103F does not exist - clean '/etc/kernel/proxmox-boot-uuids'! - skipping
FD52-5CAE is configured with: uefi (versions: 5.15.30-2-pve)

root@pve:~# proxmox-boot-tool refresh

Running hook script 'proxmox-auto-removal'..
Running hook script 'zz-proxmox-boot'..
Re-executing '/etc/kernel/postinst.d/zz-proxmox-boot' in new private mount namespace..
Copying and configuring kernels on /dev/disk/by-uuid/5D2E-4BFB
Copying kernel and creating boot-entry for 5.15.30-2-pve
WARN: /dev/disk/by-uuid/5D2F-103F does not exist - clean '/etc/kernel/proxmox-boot-uuids'! - skipping
Copying and configuring kernels on /dev/disk/by-uuid/FD52-5CAE
Copying kernel and creating boot-entry for 5.15.30-2-pve

root@pve:~# proxmox-boot-tool clean

Checking whether ESP '5D2E-4BFB' exists.. Found!
Checking whether ESP '5D2F-103F' exists.. Not found!
Checking whether ESP 'FD52-5CAE' exists.. Found!
Sorting and removing duplicate ESPs..

root@pve:~# proxmox-boot-tool status

Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..
System currently booted with uefi
5D2E-4BFB is configured with: uefi (versions: 5.15.30-2-pve)
FD52-5CAE is configured with: uefi (versions: 5.15.30-2-pve)</pre>

After that, the system has been successfully rebooted and is now fully redundant and secure again.

== References ==
<references />

{{Jsterr}}
{{Aranzinger}}
[[Category:Proxmox Administration]]
[[de:Boot-Device Replacement - Proxmox ZFS Mirror Disk austauschen]]