5. System
The System section of the administrative GUI contains these entries:
- Information provides general FreeNAS® system information such as hostname, operating system version, platform, and uptime
- General configures general settings such as HTTPS access, the language, and the timezone
- Boot creates, renames, and deletes boot environments. It also shows the condition of the Boot Volume.
- Advanced configures advanced settings such as the serial console, swap space, and console messages
- Email configures the email address to receive notifications
- System Dataset configures the location where logs and reporting graphs are stored
- Tunables provides a front-end for tuning in real-time and to load additional kernel modules at boot time
- Update performs upgrades and checks for system updates
- Cloud Credentials is used to enter connection credentials for remote cloud service providers
- Alerts lists the available Alert conditions and provides configuration of the notification frequency for each alert.
- Alert Services configures services used to notify the administrator about system events.
- CAs: import or create internal or intermediate CAs (Certificate Authorities)
- Certificates: import existing certificates or create self-signed certificates
- Support: report a bug or request a new feature.
Each of these is described in more detail in this section.
5.1. Information
System → Information displays general information about the FreeNAS® system. An example is seen in Figure 5.1.1.
The information includes hostname, build version, type of CPU (platform), amount of memory, current system time, system uptime, number of users connected at the console or by serial, telnet, or SSH connections, and current load average. On systems supplied or certified by iXsystems, an additional Serial Number field showing the hardware serial number is displayed.
To change the system hostname, click the Edit button, type in the new hostname, and click OK. The hostname must include the domain name. If the network does not use a domain name, add .local after the hostname.
Fig. 5.1.1 System Information Tab
5.2. General
System → General is shown in Figure 5.2.1.
Fig. 5.2.1 General Screen
Table 5.2.1 summarizes the configurable settings in the General tab:
| Setting | Value | Description |
|---|---|---|
| Protocol | drop-down menu | Set the web protocol to use when connecting to the administrative GUI from a browser. To change the default HTTP to HTTPS or to HTTP+HTTPS, select a certificate to use in Certificate. If there are no certificates, first create a CA then a certificate. |
| Certificate | drop-down menu | Required for HTTPS. Browse to the location of the certificate to use for encrypted connections. |
| WebGUI IPv4 Address | drop-down menu | Choose a recent IP address to limit the usage when accessing the administrative GUI. The built-in HTTP server binds to the wildcard address of 0.0.0.0 (any address) and issues an alert if the specified address becomes unavailable. |
| WebGUI IPv6 Address | drop-down menu | Choose a recent IPv6 address to limit the usage when accessing the administrative GUI. The built-in HTTP server binds to any address and issues an alert if the specified address becomes unavailable. |
| WebGUI HTTP Port | integer | Allow configuring a non-standard port for accessing the administrative GUI over HTTP. Changing this setting can also require changing a Firefox configuration setting. |
| WebGUI HTTPS Port | integer | Allow configuring a non-standard port for accessing the administrative GUI over HTTPS. |
| WebGUI HTTP –> HTTPS Redirect | checkbox | Set to redirect HTTP connections to HTTPS. HTTPS must be selected in Protocol. |
| Language | drop-down menu | Select a localization. View the status of the localization at weblate.trueos.org. |
| Console Keyboard Map | drop-down menu | Select a keyboard layout. |
| Timezone | drop-down menu | Select a timezone. |
| Syslog level | drop-down menu | When Syslog server is defined, only logs matching this level are sent. |
| Syslog server | string | Select an IP address_or_hostname:optional_port_number to send logs to. Set to write log entries to both the console and the remote server. |
After making any changes, click the Save button.
This screen also contains these buttons:
Reset Configuration to Defaults: reset the configuration database to the default base version. This does not delete user SSH keys or any other data stored in a user home directory. Since configuration changes stored in the configuration database are erased, this option is useful when a mistake has been made or to return a test system to the original configuration.
Save Config: save a backup copy of the current configuration database in the format hostname-version-architecture to the computer accessing the administrative interface. Saving the configuration after making any configuration changes is highly recommended. FreeNAS® automatically backs up the configuration database to the system dataset every morning at 3:45. However, this backup does not occur if the system is shut down at that time. If the system dataset is stored on the boot pool and the boot pool becomes unavailable, the backup will also not be available. The location of the system dataset is viewed or set using System → System Dataset.
Note
SSH keys are not stored in the configuration database and must be backed up separately.
There are two types of passwords. User account passwords for the base operating system are stored as hashed values, do not need to be encrypted to be secure, and are saved in the system configuration backup. Other passwords, like iSCSI CHAP passwords, Active Directory bind credentials, and cloud credentials are stored in an encrypted form to prevent them from being visible as plain text in the saved system configuration. The key or seed for this encryption is normally stored only on the boot device. When Save Config is chosen, a dialog gives the option to Export Password Secret Seed with the saved configuration, allowing the configuration file to be restored to a different boot device where the decryption seed is not already present. Configuration backups containing the seed must be physically secured to prevent decryption of passwords and unauthorized access.
Warning
The Export Password Secret Seed option is off by default and should only be used when making a configuration backup that will be stored securely. After moving a configuration to new hardware, media containing a configuration backup with a decryption seed should be securely erased before reuse.
Upload Config: allows browsing to the location of a previously saved configuration file to restore that configuration. The screen turns red as an indication that the system will need to reboot to load the restored configuration.
NTP Servers: The network time protocol (NTP) is used to synchronize the time on the computers in a network. Accurate time is necessary for the successful operation of time sensitive applications such as Active Directory or other directory services. By default, FreeNAS® is pre-configured to use three public NTP servers. If the network is using a directory service, ensure that the FreeNAS® system and the server running the directory service have been configured to use the same NTP servers.
Available NTP servers can be found at https://support.ntp.org/bin/view/Servers/NTPPoolServers. For time accuracy, choose NTP servers that are geographically close to the physical location of the FreeNAS® system.
Click NTP Servers → Add NTP Server to add an NTP server. Figure 5.2.2 shows the screen that appears. Table 5.2.2 summarizes the options available when adding an NTP server. ntp.conf(5) explains these options in more detail.
Fig. 5.2.2 Add an NTP Server
| Setting | Value | Description |
|---|---|---|
| Address | string | Enter the hostname or IP address of the NTP server. |
| Burst | checkbox | Recommended when Max. Poll is greater than 10. Only use on private servers. Do not use with a public NTP server. |
| IBurst | checkbox | Speed up the initial synchronization, taking seconds rather than minutes. |
| Prefer | checkbox | This option is only recommended for highly accurate NTP servers, such as those with time monitoring hardware. |
| Min. Poll | integer | Minimum polling time in seconds. Must be a power of 2, and cannot be lower than 4 or higher than Max. Poll. |
| Max. Poll | integer | Maximum polling time in seconds. Must be a power of 2, and cannot be higher than 17 or lower than Min. Poll. |
| Force | checkbox | Force the addition of the NTP server, even if it is currently unreachable. |
5.3. Boot
FreeNAS® supports a ZFS feature known as multiple boot environments. With multiple boot environments, the process of updating the operating system becomes a low-risk operation. The updater automatically creates a snapshot of the current boot environment and adds it to the boot menu before applying the update.
If an update fails, reboot the system and select the previous boot environment, using the instructions in If Something Goes Wrong, to instruct the system to go back to that system state.
Note
Boot environments are separate from the configuration database. Boot environments are a snapshot of the operating system at a specified time. When a FreeNAS® system boots, it loads the specified boot environment, or operating system, then reads the configuration database to load the current configuration values. If the intent is to make configuration changes rather than operating system changes, make a backup of the configuration database first using System → General → Save Config.
As seen in Figure 5.3.1, FreeNAS® displays the condition and statistics of the Boot Volume. It also shows the two boot environments that are created when FreeNAS® is installed. The system will boot into the default boot environment and users can make their changes and update from this version. The Initial-Install boot environment can be booted into if the system needs to be returned to a non-configured version of the installation.
If the Wizard was used, a third boot environment called Wizard-date is also created, indicating the date and time the Wizard was run.
Fig. 5.3.1 Viewing Boot Environments
Each boot environment entry contains this information:
- Name: the name of the boot entry as it will appear in the boot menu.
- Active: indicates which entry will boot by default if the user does not select another entry in the boot menu.
- Created: indicates the date and time the boot entry was created.
- Keep: indicates whether or not this boot environment can be pruned if an update does not have enough space to proceed. Click Keep for an entry if that boot environment should not be automatically pruned.
Highlight an entry to view the configuration buttons for it. These configuration buttons are shown:
- Rename: used to change the name of the boot environment.
- Keep/Unkeep: used to toggle whether or not the updater can prune (automatically delete) this boot environment if there is not enough space to proceed with the update.
- Clone: used to create a copy of the highlighted boot environment.
- Delete: used to delete the highlighted entry, which also removes that entry from the boot menu. Since an activated entry cannot be deleted, this button does not appear for the active boot environment. To delete an entry that is currently activated, first activate another entry, which will clear the On reboot field of the currently activated entry. Note that this button does not appear for the default boot environment as this entry is needed to return the system to the original installation state.
- Activate: only appears on entries which are not currently set to Active. Changes the selected entry to the default boot entry on next boot. Its status changes to On Reboot and the current Active entry changes from On Reboot, Now to Now, indicating that it was used on the last boot but will not be used on the next boot.
The buttons above the boot entries can be used to:
- Create: a manual boot environment. A pop-up menu prompts for entry of a Name for the boot environment. Only alphanumeric characters, underscores, and dashes are allowed.
- Scrub Boot: can be used to perform a manual scrub of the boot devices. By default, the boot device is scrubbed every 7 days. To change the default interval, change the number in the Automatic scrub interval (in days) field. The date and results of the last scrub are also listed in this screen. The condition of the boot device should be listed as HEALTHY.
- Status: click this button to see the status of the boot devices. Figure 5.3.2 shows only one boot device, which is ONLINE.
Fig. 5.3.2 Viewing the Status of the Boot Device
If the system has a mirrored boot pool, there will be a Detach button in addition to the Replace button. To remove a device from the boot pool, highlight the device and click its Detach button. Alternately, if one of the boot devices has an OFFLINE Status, click the device to replace, then click Replace to rebuild the boot mirror.
Note that you cannot replace the boot device if it is the only boot device as it contains the operating system itself.
5.3.1. Mirroring the Boot Device
If the system is currently booting from a device, another device can be added to create a mirrored boot device. If one device in a mirror fails, the remaining device can still be used to boot the system.
Note
When adding another boot device for a mirror, the new device must have at least the same capacity as the existing boot device. Larger capacity devices can be added, but the mirror will only have the capacity of the smallest device. Different models of devices which advertise the same nominal size are not necessarily the same actual size. For this reason, adding another of the same model of boot device is recommended.
In the example shown in Figure 5.3.3, the user has clicked System → Boot → Status to display the current status of the boot device. The example indicates that there is currently one device, ada0p2, its status is ONLINE, and it is currently the only boot device as indicated by the word stripe. To create a mirrored boot device, click either the entry called freenas-boot or stripe, then click the Attach button. If another device is available, it appears in the Member disk drop-down menu. Select the desired device.
The Use all disk space option gives control of how much of the new device is made available to ZFS. The new device is partitioned to the same size as the existing device by default. Select Use all disk space to use all available space on the new device. If either device in the mirror fails, it can be replaced with another of the same size as the original boot device.
When Use all disk space is enabled, the entire capacity of the new device is used. If the original boot device fails and is removed, the boot mirror will consist of just the newer drive, and will grow to whatever capacity it provides. However, new devices added to this mirror must now be as large as the new capacity.
Click Attach Disk to attach the new disk to the mirror.
Fig. 5.3.3 Mirroring a Boot Device
After the mirror is created, the Status screen indicates that it is now a mirror. The number of devices in the mirror is shown as in Figure 5.3.4.
Fig. 5.3.4 Viewing the Status of a Mirrored Boot Device
5.4. Advanced
System → Advanced is shown in Figure 5.4.1. The configurable settings are summarized in Table 5.4.1.
Fig. 5.4.1 Advanced Screen
| Setting | Value | Description |
|---|---|---|
| Show Text Console without Password Prompt | checkbox | Set for the system to immediately display the text console after booting. Unset to require logging into the system before the console menu is shown. |
| Use Serial Console | checkbox | Do not enable this option if the serial port is disabled. |
| Serial Port Address | string | Select the serial port address in hex. |
| Serial Port Speed | drop-down menu | Select the speed used by the serial port. |
| Enable powerd (Power Saving Daemon) | checkbox | powerd(8) monitors the system state and sets the CPU frequency accordingly. |
| Swap size | non-zero integer representing GiB | By default, all data disks are created with this amount of swap. Log or cache devices are not created with swap and are unaffected. Setting to 0 disables swap creation completely. This is strongly discouraged. |
| Show console messages in the footer | checkbox | Set to display console messages in real time at the bottom of the browser. Click the console to bring up a scrollable screen. Set Stop refresh in the scrollable screen to pause updating, and deselect the option to continue to watch the messages as they occur. |
| Show tracebacks in case of fatal errors | checkbox | Open a pop-up of diagnostic information when a fatal error occurs. |
| Show advanced fields by default | checkbox | Show Advanced Mode fields by default. |
| Enable autotune | checkbox | Enable an Autotune script which attempts to optimize the system based on the installed hardware. Warning: Autotuning is only used as a temporary measure and is not a permanent fix for system hardware issues. |
| Enable debug kernel | checkbox | Use a debug version of the kernel on the next boot. |
| MOTD banner | string | This message is shown when a user logs in with SSH. |
| Periodic Notification User | drop-down menu | Choose a user to receive security output emails. This output runs nightly but only sends email when the system reboots or encounters an error. |
| Report CPU usage in percentage | checkbox | Display CPU usage as percentages in Reporting. |
| Remote Graphite Server hostname | string | IP address or hostname of a remote server running Graphite. |
| Use FQDN for logging | checkbox | Include the Fully-Qualified Domain Name in logs to precisely identify systems with similar hostnames. |
| ATA Security User | drop-down menu | User passed to camcontrol security -u for unlocking Self-Encrypting Drives. Values are User or Master. |
| SED Password | string | Global password used to unlock Self-Encrypting Drives. |
| Reset SED Password | checkbox | Select to clear the Password for SED column of Storage → View Disks. |
Click the Save button after making any changes.
This tab also contains this button:
Save Debug: used to generate a text file of diagnostic information. After the debug data is collected, the system prompts for a location to save the generated ASCII text file.
5.4.1. Autotune
FreeNAS® provides an autotune script which optimizes the system depending on the installed hardware. For example, if a ZFS volume exists on a system with limited RAM, the autotune script automatically adjusts some ZFS sysctl values in an attempt to minimize ZFS memory starvation issues. It should only be used as a temporary measure on a system that hangs until the underlying hardware issue is addressed by adding more RAM. Autotune will always slow such a system, as it caps the ARC.
The Enable autotune option in System → Advanced is off by default. Enable this option to run the autotuner at boot time. To run the script immediately, reboot the system.
If the autotune script adjusts any settings, the changed values appear in System → Tunables. These values can be modified and overridden. Note that deleting tunables that were created by autotune only affects the current session, as autotune-set tunables are recreated at boot.
When attempting to increase the performance of the FreeNAS® system, and particularly when the current hardware may be limiting performance, try enabling autotune.
For those who wish to see which checks are performed, the autotune script is located in /usr/local/bin/autotune.
5.4.2. Self-Encrypting Drives
FreeNAS® version 11.1-U5 introduced Self-Encrypting Drive (SED) support.
Three types of SED devices are supported:
- Legacy interface for older ATA devices. Not recommended for security-critical environments
- TCG OPAL 2 standard for newer consumer-grade devices (HDD or SSD over PCIe or SATA)
- TCG Enterprise standard for newer enterprise-grade SAS devices
The FreeNAS® middleware implements the security capabilities of camcontrol (for legacy devices) and sedutil-cli (for TCG devices). When managing SED devices from the command line, it is important to use sedutil-cli rather than camcontrol to access the full capabilities of the device. FreeNAS® provides the sedhelper wrapper script to ease SED device administration from the command line.
By default, SED devices are not locked until the administrator explicitly configures a global or per-device password and initializes the devices.
Once configured, the system automatically unlocks all SEDs during the boot process, without requiring manual intervention. This allows a pool to contain a mix of SED and non-SED devices.
A password-protected SED device protects the data stored on the device when the device is physically removed from the FreeNAS® system. This allows secure disposal of the device without having to first wipe its contents. If the device is instead removed to be repurposed on another system, it can only be unlocked if the password is known.
Warning
It is important to remember the password! Without it, the device cannot be unlocked and its data remains unavailable. While it is possible to specify the PSID number on the label of the device with the sedutil-cli command, doing so will erase the contents of the device rather than unlock it. Always record SED passwords whenever they are configured or modified and store them in a safe place!
When SED devices are detected during system boot, the middleware checks for global and device-specific passwords. Devices with their own password are unlocked with their password and any remaining devices, without a device-specific password, are unlocked using the global password.
To configure a global password, go to System → Advanced → SED Password and enter the password. Recording the password and storing it in a safe place is recommended.
To determine which devices support SED and their device names:
sedutil-cli --scan
In the results:
- no indicates a non-SED device
- 1 indicates a legacy TCG OPAL 1 device
- 2 indicates a modern TCG OPAL 2 device
- E indicates a TCG Enterprise device
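A parser for the scan results described above, as an added example that is not part of the FreeNAS® documentation or tooling: it maps the result code of each disk to the four classes in the list. The function names, class labels and sample output are constructed for illustration, and the column layout (device, code, model text) is an assumption about the `sedutil-cli --scan` output.

```shell
#!/bin/sh
# Added example: classify `sedutil-cli --scan` results using the codes
# listed above (no, 1, 2, E). Function names and labels are hypothetical.

# classify_sed_scan: read scan output on stdin, print "<device> <class>".
# Assumption: each disk line is "<device> <code> <model text...>"; lines that
# do not start with /dev/ (banner and footer text) are skipped.
classify_sed_scan() {
    awk '
        $1 !~ /^\/dev\// { next }
        {
            code = toupper($2)
            if      (code == "NO") class = "non-sed"
            else if (code == "1")  class = "opal1-legacy"
            else if (code == "2")  class = "opal2"
            else if (code == "E")  class = "tcg-enterprise"
            else                   class = "unknown"
            print $1, class
        }'
}

# sed_capable_devices: list only the devices that reported a SED code,
# that is, the disks that need a global or per-device password configured.
sed_capable_devices() {
    classify_sed_scan | awk '$2 != "non-sed" && $2 != "unknown" { print $1 }'
}

# Constructed sample output (not captured from a real system).
SAMPLE_SCAN='Scanning for Opal compliant disks
/dev/ada0  No  Constructed SATA Boot Device
/dev/da0    E  Constructed Enterprise SAS Drive
/dev/da1    2  Constructed OPAL2 SSD
/dev/da2    1  Constructed OPAL1 Drive
/dev/da3   No  Constructed HDD
No more disks present ending scan'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SCAN" | classify_sed_scan
```

On a live system, the same functions can read the real output with `sedutil-cli --scan | classify_sed_scan`.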
To specify a password for a device, go to Storage → View Disks. Highlight the device name for the confirmed SED device and click Edit. Enter and confirm the password in the Password for SED and Confirm SED Password fields. Disks that have a configured password will show bullets in their row of the Password for SED column of Storage → View Disks. Conversely, the rows in that column will be empty for disks that do not support SED or which are unlocked using the global password.
Next, remember to initialize the devices:
sedhelper setup password
This command ensures that all detected SED disks are properly set up using the specified password.
Note
Rerun sedhelper setup password every time a new SED disk is placed in the system.
This command is used to unlock all available SED disks:
sedhelper unlock
5.5. Email
An automatic script sends a nightly email to the root user account containing important information such as the health of the disks. Alert events are also emailed to the root user account. Problems with Scrubs are reported separately in an email sent at 03:00 AM.
Note
S.M.A.R.T. reports are mailed separately to the address configured in that service.
The administrator typically does not read email directly on the FreeNAS® system. Instead, these emails are usually sent to an external email address where they can be read more conveniently. It is important to configure the system so it can send these emails to the administrator’s remote email account so they are aware of problems or status changes.
The first step is to set the remote address where email will be sent. Select Account → Users, click on root to highlight that user, then click Modify User. In the E-mail field, enter the email address on the remote system where email is to be sent, like admin@example.com. Click OK to save the settings.
Additional configuration is performed with System → Email, shown in Figure 5.5.1.
Fig. 5.5.1 Email Screen
| Setting | Value | Description |
|---|---|---|
| From email | string | Setting a known From address is helpful in filtering mail on the receiving system. |
| Outgoing mail server | string or IP address | Hostname or IP address of SMTP server used for sending this email. |
| Port to connect to | integer | SMTP port number. Typically 25, 465 (secure SMTP), or 587 (submission). |
| TLS/SSL | drop-down menu | Choose an encryption type. Choices are Plain, SSL, or TLS. |
| Use SMTP Authentication | checkbox | Enable or disable SMTP AUTH using PLAIN SASL. If enabled, enter the required Username and Password. |
| Username | string | Enter the SMTP username if the SMTP server requires authentication. |
| Password | string | Enter the SMTP password if the SMTP server requires authentication. |
| Password Confirmation | string | Confirm the SMTP password. |
Click the Send Test Mail button to verify that the configured email settings are working. If the test email fails, double-check that the E-mail field of the root user is correctly configured by clicking the Modify User button for the root account in Account → Users → View Users.
Configuring email for TLS/SSL email providers is described in Are you having trouble getting FreeNAS to email you in Gmail?.
Note
The FreeNAS® user who receives periodic email is set in the Periodic Notification User field in System → Advanced.
5.6. System Dataset
System → System Dataset, shown in Figure 5.6.1, is used to select the pool which contains the persistent system dataset. The system dataset stores debugging core files and Samba4 metadata such as the user or group cache and share level permissions. If the FreeNAS® system is configured to be a Domain Controller, all of the domain controller state is stored there as well, including domain controller users and groups.
Note
When the system dataset is moved, a new dataset is created and set active. The old dataset is intentionally not deleted by the system because the move might be transient or the information in the old dataset might be useful for later recovery.
Fig. 5.6.1 System Dataset Screen
Note
Encrypted, locked volumes are not displayed in the System dataset pool drop-down menu.
The system dataset can optionally be configured to also store the system log and Reporting information. If there are lots of log entries or reporting information, moving these to the system dataset will prevent /var/ on the device holding the operating system from filling up as /var/ has limited space.
Use the drop-down menu to select the ZFS volume (pool) to contain the system dataset. Whenever the location of the system dataset is changed, a pop-up warning indicates that the SMB service must be restarted, causing a temporary outage of any active SMB connections.
To store the system log on the system dataset, enable the Syslog option.
To store the reporting information on the system dataset, enable the Reporting Database option. When this option is not enabled, a RAM disk is created to prevent reporting information from filling up /var.
Click the Save button to save changes.
If the pool storing the system dataset is changed at a later time, FreeNAS® migrates the existing data in the system dataset to the new location.
Note
Depending on configuration, the system dataset can occupy a large amount of space and receive frequent writes. Do not put the system dataset on a flash drive or other media with limited space or write life.
5.7. Tunables
System → Tunables can be used to manage:
- FreeBSD sysctls: a sysctl(8) makes changes to the FreeBSD kernel running on a FreeNAS® system and can be used to tune the system.
- FreeBSD loaders: a loader is only loaded when a FreeBSD-based system boots and can be used to pass a parameter to the kernel or to load an additional kernel module such as a FreeBSD hardware driver.
- FreeBSD rc.conf options: rc.conf(5) is used to pass system configuration options to the system startup scripts as the system boots. Since FreeNAS® has been optimized for storage, not all of the services mentioned in rc.conf(5) are available for configuration. Note that in FreeNAS®, customized rc.conf options are stored in /tmp/rc.conf.freenas.
Warning
Adding a sysctl, loader, or rc.conf option is an advanced feature. A sysctl immediately affects the kernel running the FreeNAS® system and a loader could adversely affect the ability of the FreeNAS® system to successfully boot.
Do not create a tunable on a production system unless you understand and have tested the ramifications of that change.
Since sysctl, loader, and rc.conf values are specific to the kernel parameter to be tuned, the driver to be loaded, or the service to configure, descriptions and suggested values can be found in the man page for the specific driver and in many sections of the FreeBSD Handbook.
To add a loader, sysctl, or rc.conf option, go to System → Tunables → Add Tunable to access the screen shown in Figure 5.7.1.
Fig. 5.7.1 Adding a Tunable
Table 5.7.1 summarizes the options when adding a tunable.
| Setting | Value | Description |
|---|---|---|
| Variable | string | The name of the sysctl or driver to load. |
| Value | integer or string | Set a value for the Variable. Refer to the man page for the specific driver or the FreeBSD Handbook for suggested values. |
| Type | drop-down menu | Choices are Loader, rc.conf, or Sysctl. |
| Comment | string | Enter a useful description of this tunable. |
| Enabled | checkbox | Unset this option to disable the tunable without deleting it. |
Note
As soon as a Sysctl is added or edited, the running kernel changes that variable to the value specified. However, when a Loader or rc.conf value is changed, it does not take effect until the system is rebooted. Regardless of the type of tunable, changes persist at each boot and across upgrades unless the tunable is deleted or the Enabled option is deselected.
Any added tunables are listed in System → Tunables. To change the value of an existing tunable, click its Edit button. To remove a tunable, click its Delete button.
Restarting the FreeNAS® system after making sysctl changes is recommended. Some sysctls only take effect at system startup, and restarting the system guarantees that the setting values correspond with what is being used by the running system.
The GUI does not display the sysctls that are pre-set when FreeNAS® is installed. FreeNAS® 11.2 ships with these sysctls set:
kern.metadelay=3
kern.dirdelay=4
kern.filedelay=5
kern.coredump=1
kern.sugid_coredump=1
vfs.timestamp_precision=3
net.link.lagg.lacp.default_strict_mode=0
vfs.zfs.min_auto_ashift=12
Do not add or edit these default sysctls as doing so may render the system unusable.
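Because the GUI does not display these pre-set sysctls, a check from the shell is one way to confirm that the running values still match the list above. This is an added example, not part of the FreeNAS® documentation or code; the function name and the sample `sysctl` output are constructed, and the `name: value` input layout is the assumed output format of `sysctl`.

```shell
#!/bin/sh
# Added example: compare running sysctl values with the pre-set FreeNAS 11.2
# list shown above. check_sysctl_drift is a hypothetical helper name.

# Pre-set sysctls, copied from the list above.
EXPECTED_SYSCTLS='kern.metadelay=3
kern.dirdelay=4
kern.filedelay=5
kern.coredump=1
kern.sugid_coredump=1
vfs.timestamp_precision=3
net.link.lagg.lacp.default_strict_mode=0
vfs.zfs.min_auto_ashift=12'

# check_sysctl_drift: stdin is sysctl output, one "name: value" per line.
# Prints "DRIFT name expected=X actual=Y" or "MISSING name" for each pre-set
# sysctl that does not match; returns 1 if anything was reported, else 0.
check_sysctl_drift() {
    EXPECTED="$EXPECTED_SYSCTLS" awk '
        BEGIN {
            n = split(ENVIRON["EXPECTED"], lines, "\n")
            for (i = 1; i <= n; i++) {
                eq = index(lines[i], "=")
                name = substr(lines[i], 1, eq - 1)
                want[name] = substr(lines[i], eq + 1)
                order[i] = name
            }
        }
        {
            sep = index($0, ": ")
            if (sep == 0) next
            have[substr($0, 1, sep - 1)] = substr($0, sep + 2)
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (!(name in have)) {
                    print "MISSING " name
                    bad = 1
                } else if (have[name] != want[name]) {
                    print "DRIFT " name " expected=" want[name] " actual=" have[name]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample input: one changed value, one pre-set sysctl absent,
# and one unrelated sysctl that the check ignores.
SAMPLE_SYSCTL_OUTPUT='kern.metadelay: 3
kern.dirdelay: 4
kern.filedelay: 5
kern.coredump: 0
kern.sugid_coredump: 1
vfs.timestamp_precision: 3
net.link.lagg.lacp.default_strict_mode: 0
kern.hostname: constructed.local'

# Demonstration on the constructed sample; a non-zero status means drift.
printf '%s\n' "$SAMPLE_SYSCTL_OUTPUT" | check_sysctl_drift || true
```

On a live system the input would come from `sysctl -a | check_sysctl_drift`.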
The GUI does not display the loaders that are pre-set when FreeNAS® is installed. FreeNAS® 11.2 ships with these loaders set:
autoboot_delay="2"
loader_logo="freenas"
loader_menu_title="Welcome to FreeNAS"
loader_brand="freenas-brand"
loader_version=" "
kern.cam.boot_delay="30000"
debug.debugger_on_panic=1
debug.ddb.textdump.pending=1
hw.hptrr.attach_generic=0
vfs.mountroot.timeout="30"
ispfw_load="YES"
freenas_sysctl_load="YES"
hint.isp.0.role=2
hint.isp.1.role=2
hint.isp.2.role=2
hint.isp.3.role=2
hint.isp.0.topology="nport-only"
hint.isp.1.topology="nport-only"
hint.isp.2.topology="nport-only"
hint.isp.3.topology="nport-only"
module_path="/boot/kernel;/boot/modules;/usr/local/modules"
net.inet6.ip6.auto_linklocal="0"
vfs.zfs.vol.mode=2
kern.geom.label.disk_ident.enable="0"
hint.ahciem.0.disabled="1"
hint.ahciem.1.disabled="1"
kern.msgbufsize="524288"
hw.mfi.mrsas_enable="1"
hw.usb.no_shutdown_wait=1
hw.cxgbe.toecaps_allowed=0
hw.cxgbe.rdmacaps_allowed=0
hw.cxgbe.iscsicaps_allowed=0
vfs.nfsd.fha.write=0
vfs.nfsd.fha.max_nfsds_per_fh=32
Do not add or edit the default tunables. Changing the default tunables can make the system unusable.
The ZFS version used in 11.2 deprecates these tunables:
vfs.zfs.write_limit_override
vfs.zfs.write_limit_inflated
vfs.zfs.write_limit_max
vfs.zfs.write_limit_min
vfs.zfs.write_limit_shift
vfs.zfs.no_write_throttle
After upgrading from an earlier version of FreeNAS®, these tunables are automatically deleted. Please do not manually add them back.
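The following Python script is an added example, not FreeNAS® code. It lints a list of tunables before they are entered in System → Tunables, flagging entries that collide with the preset sysctls or the deprecated ZFS tunables listed above. The function names, finding labels, and sample list are assumptions made for illustration; the preset loaders can be added to the same table.

```python
# Shipped sysctl values and deprecated ZFS tunables, copied from the lists above.
DEFAULT_SYSCTLS = {
    "kern.metadelay": "3",
    "kern.dirdelay": "4",
    "kern.filedelay": "5",
    "kern.coredump": "1",
    "kern.sugid_coredump": "1",
    "vfs.timestamp_precision": "3",
    "net.link.lagg.lacp.default_strict_mode": "0",
    "vfs.zfs.min_auto_ashift": "12",
}
DEPRECATED_ZFS = {
    "vfs.zfs.write_limit_override",
    "vfs.zfs.write_limit_inflated",
    "vfs.zfs.write_limit_max",
    "vfs.zfs.write_limit_min",
    "vfs.zfs.write_limit_shift",
    "vfs.zfs.no_write_throttle",
}


def parse_tunables(text):
    """Yield (line_no, name, value) from 'name=value' or sysctl-style 'name: value'."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        sep = "=" if "=" in line else ":"
        name, found, value = line.partition(sep)
        if not found:
            raise ValueError(f"line {line_no}: cannot parse {raw!r}")
        yield line_no, name.strip(), value.strip().strip('"')


def audit(text):
    """Return (line_no, name, finding) for every entry that should not be added."""
    findings = []
    for line_no, name, value in parse_tunables(text):
        if name in DEPRECATED_ZFS:
            findings.append((line_no, name, "deprecated"))
        elif name in DEFAULT_SYSCTLS:
            same = value == DEFAULT_SYSCTLS[name]
            findings.append(
                (line_no, name, "duplicates-default" if same else "overrides-default"))
    return findings


# Constructed sample: tunables an administrator plans to re-add after an upgrade.
PROPOSED = """\
# hypothetical list kept in a change-management note
kern.ipc.maxsockbuf=2097152
vfs.zfs.write_limit_override=1073741824
kern.sugid_coredump="0"
vfs.zfs.min_auto_ashift: 12
"""

if __name__ == "__main__":
    for line_no, name, finding in audit(PROPOSED):
        print(f"line {line_no}: {name}: {finding}")
```
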
5.8. Update
FreeNAS® has an integrated update system to make it easy to keep up to date.
5.8.1. Preparing for Updates
It is best to perform updates at times the FreeNAS® system is idle, with no clients connected and no scrubs or other disk activity going on. A reboot is required after most updates, so they are often planned for scheduled maintenance times to avoid disrupting user activities.
The update process will not proceed unless there is enough free space in the boot pool for the new update files. If a space warning is shown, use Boot to remove unneeded boot environments.
5.8.2. Updates and Trains
FreeNAS® uses signed update files. This provides flexibility in deciding when to upgrade the system with patches, new drivers, or new features. It also allows “test driving” an upcoming release. Combined with boot environments, new features or system patches can be tested while still being able to revert to a previous version of the operating system (see If Something Goes Wrong). Digitally signing update files eliminates the need to manually download both an upgrade file and the associated checksum to verify file integrity.
Figure 5.8.1
shows an example of the
System → Update
screen.
Fig. 5.8.1 Update Options
By default, the system automatically checks for updates and issues an alert when a new update becomes available. The automatic check can be disabled by deselecting Automatically check for updates.
This screen lists the URL of the official update server in case that information is needed in a network with outbound firewall restrictions. It also shows which software branch, or train, is being tracked for updates.
Several trains are available for updates.
Caution
Only Production trains are recommended for regular usage. Other trains are made available for pre-production testing and updates to legacy versions. Pre-production testing trains are provided only to permit testing of new versions before switching to a new branch. Before using a non-production train, be prepared to experience bugs or problems. Testers are encouraged to submit bug reports at https://redmine.ixsystems.com/projects/freenas/issues.
These trains are available:
For Production Use
- FreeNAS-11-STABLE: Recommended. After testing, new fixes and features are added to this train. Selecting this train and applying any pending updates is recommended.
- FreeNAS-11.2-STABLE: Recommended for Jails/Plugins/VM users. This train provides the latest updates to the new UI, the new iocage backend for Jails and Plugins, and the latest fixes for VMs. Users who rely on these features are encouraged to upgrade to this train and to use the Support Icon to report any issues.
For Pre-Production Testing
- FreeNAS-11-Nightlies: Do not use this train in production. It is the experimental branch for future versions and is meant only for testers and developers.
- FreeNAS-11-Nightlies-SDK: Do not use this train in production. This train is meant only for developers. It is similar to FreeNAS-11-Nightlies but with extra development and debugging utilities added.
- FreeNAS-HEAD-Nightlies: Do not use this train in production. This train is meant only for developers and contains the source that will eventually become FreeNAS® version 12.
Legacy Versions
- FreeNAS-9.10-STABLE: Maintenance-only updates to the older version of FreeNAS®. Upgrading to FreeNAS-11-STABLE is recommended to ensure that the system receives bug fixes and new features.
To change the train, use the drop-down menu to make a different selection.
Note
The train selector does not allow downgrades. For example, the STABLE train cannot be selected while booted into a Nightly boot environment, and a 9.10 train cannot be selected while booted into an 11 boot environment. To go back to an earlier version after testing or running a more recent version, reboot and select a boot environment for that earlier version. This screen can then be used to check for updates on that train.
This screen also shows the URL of the official update server. That information can be required when using a network with outbound firewall restrictions.
The Verify Install button verifies that the operating system files in the current installation do not have any inconsistencies. If any problems are found, a pop-up menu lists the files with checksum mismatches or permission errors.
5.8.3. Checking for Updates
Check for updates by making sure the desired train is selected and clicking the Check Now button. Any available updates are listed. In the example shown in Figure 5.8.2, the numbers which begin with a # represent the issue number from the issue tracker. Numbers which do not begin with a # represent a git commit. Click the ChangeLog link to open the log of changes in a web browser. Click the ReleaseNotes link to open the Release Notes in the browser.
Fig. 5.8.2 Reviewing Updates
5.8.4. Applying Updates
Make sure the system is in a low-usage state as described above in Preparing for Updates.
Click the OK button to download and apply the updates. Be aware that some updates automatically reboot the system after they are applied.
Warning
Each update creates a boot environment. If the update
process needs more space, it attempts to remove old boot
environments. Boot environments marked with the Keep attribute as
shown in Boot will not be removed. If space for a new boot
environment is not available, the upgrade fails. Space on the boot
device can be manually freed using
System → Boot.
Review the boot environments and remove the Keep attribute or
delete any boot environments that are no longer needed.
Updates can also be downloaded and applied later. To do so, deselect the Apply updates after downloading option before pressing OK. In this case, this screen closes after updates are downloaded. Downloaded updates are listed in the Pending Updates section of the screen shown in Figure 5.8.1. When ready to apply the previously downloaded updates, click the Apply Pending Updates button. Remember that the system may reboot after the updates are applied.
Warning
After updates have completed, reboot the system. Configuration changes made after an update but before that final reboot will not be saved.
5.8.5. Manual Updates
Updates can be manually downloaded as a file. These updates are then applied with the Manual Update button. After obtaining the update file, click Manual Update and choose a location to temporarily store the file on the FreeNAS® system. Use the file browser to locate the update file, then click Apply Update to apply it.
Manual update files can be identified by their filenames, which end in
-manual-update-unsigned.tar.
Manual updates cannot be used to upgrade from older major versions.
There is also an option to back up the system configuration before updating. Click the Click here link and select any options to export in the configuration file. Click OK to open a popup window to save the system configuration.
5.9. Cloud Credentials
FreeNAS® can use cloud services for features like Cloud Sync.
The credentials to provide secure connections with cloud services
are entered here. Amazon Cloud Drive, Amazon S3, Backblaze B2, Box,
Dropbox, FTP, Google Cloud Storage, Google Drive, HTTP, Hubic, Mega,
Microsoft Azure Blob Storage, Microsoft OneDrive, pCloud, SFTP, WebDAV,
and Yandex are supported.
Select
System → Cloud Credentials
to see the screen shown in Figure 5.9.1.
Fig. 5.9.1 Cloud Credentials List
The list shows the Account Name and Provider for each credential. There are options to Edit and Delete a credential after selecting it. Click Add Cloud Credential to display the dialog shown in Figure 5.9.2.
Fig. 5.9.2 Adding Cloud Credentials
Amazon Cloud Drive options are shown by default. Enter a descriptive and unique name for the cloud credential in the Account Name field, then select a Provider. The remaining options vary by provider, and are shown in Table 5.9.1.
| Provider | Setting | Description |
|---|---|---|
| Amazon Cloud Drive | Application Client ID, Application Key | Enter the Amazon application client ID and application key. |
| Amazon S3 | Access Key, Secret Key | Enter the Amazon account access key and secret key. |
| Amazon S3 | Endpoint URL | Enter the Endpoint URL for the web service. |
| Backblaze B2 | Account ID, Application Key | Enter the Account ID and Application Key for the Backblaze B2 account. These are visible after logging into the account. |
| Box | Access Token | Enter the Box access token. |
| Dropbox | Access Token | Enter the Dropbox access token. The token is located on the App Console. After creating an app, go to Settings and click Generate under the Generated access token field. |
| FTP | Host, Port | Enter the FTP host and port. |
| FTP | Username, Password | Enter the FTP username and password. |
| Google Cloud Storage | JSON Service Account Key | Browse to the location of the saved Google Cloud Storage key and select it. |
| Google Drive | Access Token, Team Drive ID | Enter the Google Drive Access Token. Team Drive ID is only used when connecting to a Team Drive. The ID is also the ID of the top level folder of the Team Drive. |
| HTTP | URL | Enter the URL. |
| Hubic | Access Token | Enter the access token. |
| Mega | Username, Password | Enter the Mega username and password. |
| Microsoft Azure Blob Storage | Account Name, Account Key | Enter the Azure Blob Storage account name and key. |
| Microsoft OneDrive | Access Token | Enter the access token. |
| pCloud | Access Token | Enter the access token. |
| SFTP | Host, Port | Enter the SFTP host and port. |
| SFTP | Username, Password, key file path | Enter the SFTP username, password, and PEM-encoded private key file path. |
| WebDAV | URL, WebDAV Service | Enter URL and use the dropdown to select the WebDAV service. |
| WebDAV | Username, Password | Enter the username and password. |
| Yandex | Access Token | Enter the access token. |
Additional fields are displayed after Provider is selected. For Amazon S3, Access Key and Secret Key are shown. These values are found on the Amazon AWS website by clicking on the account name, then My Security Credentials and Access Keys (Access Key ID and Secret Access Key). Copy the Access Key value to the FreeNAS® Cloud Credential Access Key field, then enter the Secret Key value saved when the key pair was created. If the Secret Key value is unknown, a new key pair can be created on the same Amazon screen. The Google Cloud Storage JSON Service Account Key is found on the Google Cloud Platform Console.
5.10. Alerts
System → Alerts displays the default notification
frequency for each type of Alert. An example is seen in
Figure 5.10.1.
Fig. 5.10.1 Configure Alert Notification Frequency
To change the notification frequency of an alert, click its drop-down menu and select IMMEDIATELY, HOURLY, DAILY, or NEVER.
Note
To configure where to send alerts, use Alert Services.
5.11. Alert Services
FreeNAS® can use a number of methods to notify the administrator of system events that require attention. These events are system Alerts marked WARN or CRITICAL.
Currently available alert services:
Warning
These alert services might use a third party commercial vendor not directly affiliated with iXsystems. Please investigate and fully understand that vendor’s pricing policies and services before using their alert service. iXsystems is not responsible for any charges incurred from the use of third party vendors with the Alert Services feature.
Select
System → Alert Services to show the Alert Services
screen. Click Add Service to display the dialog shown in
Figure 5.11.1.
Fig. 5.11.1 Add Alert Service
The Service Name drop-down menu is used to pick a specific alert service. The fields shown in the rest of the dialog change to those required by that service. Enter the required information, set the Enabled option, then click OK to save the settings.
System alerts marked WARN or CRITICAL are sent to each alert service that has been configured and enabled.
Alert services are deleted from this list by clicking them and then clicking the Delete button at the bottom of the window. To disable an alert service temporarily, click Edit and remove the checkmark from the Enabled option.
Note
To send a test alert, highlight an alert entry, click Edit, and click the Send Test Alert button.
5.11.1. How it Works
A nas-health service is registered with Consul. This service runs
/usr/local/etc/consul-checks/freenas_health.sh periodically,
currently every two minutes. If an alert marked WARNING or
CRITICAL is found, the nas-health service is marked as
“unhealthy”, triggering consul-alerts to notify configured
alert services.
5.12. CAs
FreeNAS® can act as a Certificate Authority (CA). When encrypting SSL or TLS connections to the FreeNAS® system, either import an existing certificate, or create a CA on the FreeNAS® system, then create a certificate. This certificate will appear in the drop-down menus for services that support SSL or TLS.
For secure LDAP, either import the public key of an existing CA with Import CA, or create a new CA on the FreeNAS® system and also use it on the LDAP server.
Figure 5.12.1
shows the screen after clicking
System → CAs.
Fig. 5.12.1 Initial CA Screen
If the organization already has a CA, the CA certificate and key can be imported. Click the Import CA button to open the configuration screen shown in Figure 5.12.2. The configurable options are summarized in Table 5.12.1.
Fig. 5.12.2 Importing a CA
| Setting | Value | Description |
|---|---|---|
| Identifier | string | Enter a descriptive name for the CA using only alphanumeric, underscore (_), and dash (-) characters. |
| Certificate | string | Paste in the certificate for the CA. |
| Private Key | string | If there is a private key associated with the Certificate, paste it here. |
| Passphrase | string | If the Private Key is protected by a passphrase, enter it here and repeat it in the “Confirm Passphrase” field. |
| Serial | string | Enter the serial number for the certificate. |
To create a new CA, first decide if it will be the only CA which will sign certificates for internal use or if the CA will be part of a certificate chain.
To create a CA for internal use only, click the Create Internal CA button which will open the screen shown in Figure 5.12.3.
Fig. 5.12.3 Creating an Internal CA
The configurable options are described in Table 5.12.2. When completing the fields for the certificate authority, supply the information for the organization.
| Setting | Value | Description |
|---|---|---|
| Identifier | string | Enter a descriptive name for the CA using only alphanumeric, underscore (_), and dash (-) characters. |
| Key Length | drop-down menu | For security reasons, a minimum of 2048 is recommended. |
| Digest Algorithm | drop-down menu | The default is acceptable unless the organization requires a different algorithm. |
| Lifetime | integer | The lifetime of the CA is specified in days. |
| Country | drop-down menu | Select the country for the organization. |
| State | string | Enter the state or province of the organization. |
| Locality | string | Enter the location of the organization. |
| Organization | string | Enter the name of the company or organization. |
| Email Address | string | Enter the email address for the person responsible for the CA. |
| Common Name | string | Enter the fully-qualified hostname (FQDN) of the system. The Common Name must be unique within a certificate chain. |
| Subject Alternate Names | string | Multi-domain support. Enter additional domain names and separate them with a space. |
To create an intermediate CA which is part of a certificate chain, click Create Intermediate CA. This screen adds one more option to the screen shown in Figure 5.12.3:
- Signing Certificate Authority: this drop-down menu is used to specify the root CA in the certificate chain. This CA must first be imported or created.
Imported or created CAs are added as entries in
System → CAs.
The columns in this screen indicate the name of the CA, whether it is
an internal CA, whether the issuer is self-signed, the number of
certificates that have been issued by the CA, the distinguished name
of the CA, the date and time the CA was created, and the date and time
the CA expires.
Clicking the entry for a CA causes these buttons to become available:
- Sign CSR: used to sign internal Certificate Signing Requests created using System → Certificates → Create Certificate Signing Request.
- Export Certificate: prompts to browse to the location to save a copy of the CA X.509 certificate on the computer being used to access the FreeNAS® system.
- Export Private Key: prompts to browse to the location to save a copy of the CA private key on the computer being used to access the FreeNAS® system. This option only appears if the CA has a private key.
- Delete: prompts for confirmation before deleting the CA.
5.13. Certificates
FreeNAS® can import existing certificates, create new certificates, and issue certificate signing requests so that created certificates can be signed by the CA which was previously imported or created in CAs.
Figure 5.13.1
shows the initial screen after clicking
System → Certificates.
Fig. 5.13.1 Initial Certificates Screen
To import an existing certificate, click Import Certificate to open the configuration screen shown in Figure 5.13.2. When importing a certificate chain, paste the primary certificate, followed by any intermediate certificates, followed by the root CA certificate.
The configurable options are summarized in Table 5.13.1.
Fig. 5.13.2 Importing a Certificate
| Setting | Value | Description |
|---|---|---|
| Identifier | string | Enter a descriptive name for the certificate using only alphanumeric, underscore (_), and dash (-) characters. |
| Certificate | string | Paste the contents of the certificate. |
| Private Key | string | Paste the private key associated with the certificate. |
| Passphrase | string | If the private key is protected by a passphrase, enter it here and repeat it in the Confirm Passphrase field. |
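The paste order required when importing a certificate chain (primary certificate, then intermediates, then the root CA) can be checked before the text is pasted into the Certificate field. The Python script below is an added example, not FreeNAS® code: it reads each PEM block, extracts the issuer and subject names with a small DER walker, and reports where the order breaks. All function names are assumptions, and the sample certificates are constructed, unsigned skeletons used only to exercise the check.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give length size
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, start, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, pos, end = read_tlv(der, start)      # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, value_end = read_tlv(der, pos)
        fields.append((tag, der[pos:value_end]))
        pos = value_end
    if fields and fields[0][0] == 0xA0:     # optional [0] version
        fields = fields[1:]
    if len(fields) < 5:                     # serial, signature, issuer, validity, subject
        raise ValueError("not an X.509 certificate")
    return fields[2][1], fields[4][1]


def check_paste_order(pem_text):
    """Return problems found; an empty list means leaf, intermediates, root."""
    names = [issuer_and_subject(base64.b64decode(body))
             for body in PEM_RE.findall(pem_text)]
    if not names:
        return ["no PEM certificate blocks found"]
    problems = []
    # Names are compared byte for byte, a simplification of RFC 5280 matching.
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if len(names) > 1 and names[-1][0] != names[-1][1]:
        problems.append("last certificate is not a self-issued root CA")
    return problems


# Constructed sample input below: unsigned certificate skeletons, not real certs.
def tlv(tag, content):
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content


def name(cn):
    oid_cn = tlv(0x06, b"\x55\x04\x03")     # 2.5.4.3 commonName
    return tlv(0x30, tlv(0x31, tlv(0x30, oid_cn + tlv(0x0C, cn.encode()))))


def skeleton(subject_cn, issuer_cn):
    """PEM-wrap a minimal tbsCertificate (no public key) with a dummy signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn))
    der = tlv(0x30, tbs + alg + tlv(0x03, bytes(17)))
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


LEAF = skeleton("nas.example.internal", "Example Intermediate CA")
INTERMEDIATE = skeleton("Example Intermediate CA", "Example Root CA")
ROOT = skeleton("Example Root CA", "Example Root CA")
```

The check covers ordering only; it does not verify signatures, validity dates, or key length.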
To create a new self-signed certificate, click the Create Internal Certificate button to see the screen shown in Figure 5.13.3. The configurable options are summarized in Table 5.13.2. When completing the fields for the certificate authority, use the information for the organization. Since this is a self-signed certificate, use the CA that was imported or created with CAs as the signing authority.
Fig. 5.13.3 Creating a New Certificate
| Setting | Value | Description |
|---|---|---|
| Signing Certificate Authority | drop-down menu | Select the CA which was previously imported or created using CAs. |
| Identifier | string | Enter a descriptive name for the certificate using only alphanumeric, underscore (_), and dash (-) characters. |
| Key Length | drop-down menu | For security reasons, a minimum of 2048 is recommended. |
| Digest Algorithm | drop-down menu | The default is acceptable unless the organization requires a different algorithm. |
| Lifetime | integer | The lifetime of the certificate is specified in days. |
| Country | drop-down menu | Select the country for the organization. |
| State | string | State or province for the organization. |
| Locality | string | Location of the organization. |
| Organization | string | Name of the company or organization. |
| Email Address | string | Email address for the person responsible for the CA. |
| Common Name | string | Enter the fully-qualified hostname (FQDN) of the system. The Common Name must be unique within a certificate chain. |
| Subject Alternate Names | string | Multi-domain support. Enter additional domain names and separate them with a space. |
If the certificate will be signed by an external CA, such as Verisign, create a certificate signing request instead. To do so, click Create Certificate Signing Request. A screen like the one in Figure 5.13.3 opens, but without the Signing Certificate Authority field.
Certificates that are imported, self-signed, or for which a
certificate signing request is created are added as entries to
System → Certificates.
In the example shown in
Figure 5.13.4,
a self-signed certificate and a certificate signing request have been
created for the fictional organization My Company. The self-signed
certificate was issued by the internal CA named My Company and the
administrator has not yet sent the certificate signing request to
Verisign so that it can be signed. Once that certificate is signed
and returned by the external CA, it should be imported using
Import Certificate so it is available as a configurable
option for encrypting connections.
Fig. 5.13.4 Managing Certificates
Clicking an entry activates these configuration buttons:
- View: use this option to view the contents of an existing certificate or to edit the Identifier.
- Export Certificate saves a copy of the certificate or certificate signing request to the system being used to access the FreeNAS® system. For a certificate signing request, send the exported certificate to the external signing authority so that it can be signed.
- Export Private Key saves a copy of the private key associated with the certificate or certificate signing request to the system being used to access the FreeNAS® system.
- Delete is used to delete a certificate or certificate signing request.
5.14. Support
The FreeNAS® Support tab, shown in Figure 5.14.1, provides a built-in ticketing system for generating bug reports and feature requests.
Fig. 5.14.1 Support Tab
This screen provides a built-in interface to the FreeNAS® issue tracker located at https://redmine.ixsystems.com/projects/freenas/issues. When using the FreeNAS® bug tracker for the first time, go to the website, click the Register link, fill out the form, and reply to the registration email. This will create a username and password which can be used to create bug reports and receive notifications as the reports are actioned.
Before creating a bug report or feature request, ensure that an existing report does not already exist at https://redmine.ixsystems.com/projects/freenas/issues. If a similar issue is already present and has not been marked as Closed or Resolved, comment on that issue, adding new information to help solve it. If similar issues have already been Closed or Resolved, create a new issue and refer to the previous issue.
Note
Update the system to the latest version of STABLE and retest before reporting an issue. Newer versions of the software might have already fixed the problem.
To generate a report using the built-in Support screen, complete these fields:
- Username: enter the login name created when registering at https://redmine.ixsystems.com/projects/freenas/issues.
- Password: enter the password associated with the registered login name.
- Type: select Bug when reporting an issue or Feature when requesting a new feature.
- Category: this drop-down menu is empty until a registered Username and Password are entered. An error message is displayed if either value is incorrect. After the Username and Password are validated, possible categories are populated to the drop-down menu. Select the one that best describes the bug or feature being reported.
- Attach Debug Info: enabling this option is recommended so an overview of the system hardware, build string, and configuration is automatically generated and included with the ticket. Generating and attaching a debug to the ticket can take some time. An error will occur if the debug is more than the file size limit of 20 MiB.
- Subject: enter a descriptive title for the ticket. A good Subject makes it easy for you and other users to find similar reports.
- Description: enter a one- to three-paragraph summary of the issue that describes the problem, and if applicable, what steps can be taken to reproduce it.
- Attachments: this is the only optional field. It is useful for including configuration files or screenshots of any errors or tracebacks.
After completing the fields, click the Submit button to automatically generate and upload the report to https://redmine.ixsystems.com/projects/freenas/issues. A pop-up menu provides a clickable URL for viewing the status of the report or adding more information to it.