TrueNAS 13.0 BETA Experiences

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
If you download and try out TrueNAS 13.0 BETA, let us know your experiences.
We're keen to know what plugins and VMs work well and where there are issues.
Thanks for helping us with the testing!
 

ThreeDee

Guru
Joined
Jun 13, 2013
Messages
700
teeting?
.. urban dictionary says that means something that I don't think is applicable here .. lol
 

kspare

Guru
Joined
Feb 19, 2015
Messages
508
I use it as an NFS store for VMware. We put regular load on from another similar box. So far it's running fine.

I couldn't update the feature flags though, I had to blow away the pool and recreate, which wasn't a big deal in my case.
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
I use it as an NFS store for VMware. We put regular load on from another similar box. So far it's running fine.

I couldn't update the feature flags though, I had to blow away the pool and recreate, which wasn't a big deal in my case.

Which feature flags did you want to update?
I'll check, but that might be a safety feature of the BETA to allow easy rollback.
 

kspare

Guru
Joined
Feb 19, 2015
Messages
508
Which feature flags did you want to update?
I'll check, but that might be a safety feature of the BETA to allow easy rollback.
When you go to the pools, it asks you to upgrade the pool. It just failed.
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
When you go to the pools, it asks you to upgrade the pool. It just failed.
Thanks. So you were importing a TrueNAS 12.0 pool... not building a new system? We'll check.
At this stage of the development lifecycle, we would recommend people build new systems rather than migrating their TrueNAS 12.0 systems.
 

kspare

Guru
Joined
Feb 19, 2015
Messages
508
I had no data on the pool so I just destroyed the pool.
 

Etorix

Wizard
Joined
Dec 30, 2020
Messages
2,134
@ThreeDee Agreed, testing BETA is not the same as teeting... changed the text. Thanks.
It could also have been "Thanks for helping us with the teething of Baby 13.0".
 

emk2203

Guru
Joined
Nov 11, 2012
Messages
573
Issues with wireguard module in a jail (13.0-RELEASEp7)
I made a jail with the newest possible version (13.0-RELEASEp7) and tried to get wireguard running.

First observation: When the jail is installed as a base jail, the kernel module is uninstallable with "Fail to create temporary file"; "Read-only file system" probably because the base is read-only.

Q: How can I make the base writeable? Or is this simply not possible?

Second observation: With a cloned jail, the kernel module still fails. Unfortunately, I didn't save the error message. It is possible to use `wireguard-go`, but this is userland, more resource-intensive, slower.

Q: Is there a way to use wireguard in a jail with the kernel module? I know that the code quality is questionable, but I'm looking for performance. Security is not much of an issue with the system environment.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Technically yes, but you would need to load the kernel module on the host. You cannot do anything kernel related inside a jail, because all jails run on the same kernel as the host.

As for how to build and load the wireguard module on a TrueNAS host, the general recommendation is: don't. Definitely not supported. You could try to build it on a separate FreeBSD machine and copy it over. Probably not going to survive a TrueNAS update ...
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Is there a way to use wireguard in a jail with the kernel module? I know that the code quality is questionable
Even after the rewrite by the Wireguard crowd?
 

emk2203

Guru
Joined
Nov 11, 2012
Messages
573
Technically yes, but you would need to load the kernel module on the host. You cannot do anything kernel related inside a jail, because all jails run on the same kernel as the host.

As for how to build and load the wireguard module on a TrueNAS host, the general recommendation is: don't. Definitely not supported. You could try to build it on a separate FreeBSD machine and copy it over. Probably not going to survive a TrueNAS update ...
That's too much of a hassle to really consider it.

I thought that the system itself supports wireguard? The tunables are already mentioned in the docs, but it still may use the go implementation.

Maybe I'll try to configure it with ifconfig to see if the kernel module is used.

Code:
# ifconfig wg create listen-port 51820 private-key `cat server.key`
# ifconfig wg0 peer public-key <peer's public key> endpoint 192.168.2.42:51820 allowed-ips 10.10.0.2/24


should work in this case.

Even after the rewrite by the Wireguard crowd?
If I am not mistaken, it is not yet rewritten.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Maybe I'll try to configure it with ifconfig to see if the kernel module is used.
I looked in /boot/kernel and /boot/modules and could not find it. In TN CORE 12 ...
You could also try kldload if_wg on the host, just to make sure. If that works you can activate the module with tuneables from the UI.

If I am not mistaken, it is not yet rewritten.
It is. The mess that was produced by Kip Macy sponsored by Netgate was binned and a complete rewrite done partly by Jason Donenfeld. After the "Netgate incident" the core team decided not to pull the new module into the kernel tree at that short notice, but relegate it to ports instead. But it definitely is the new code.

You don't even need FreeBSD 13 to run it. Works for me on 12 and 13 all the same.

The tunables are already mentioned in the docs, but it still may use the go implementation.
Yes, the tuneables in that document activate only the userland side. If the module is present, the wg/wg-quick binaries will pull it in, otherwise fall back to wireguard-go.

HTH,
Patrick

P.S. The issue with jails is - let's pretend the module is there - the tooling automatically activates the module if found. But you cannot load kernel modules inside a jail - that's the point. So if the module is delivered with TN CORE 13.x you will have to load the module on the host (tuneable), then configure and start the tools in the jail. Simple as that.
 

emk2203

Guru
Joined
Nov 11, 2012
Messages
573
The module is there in 13.0-BETA. I just confirmed it with ls /boot/modules on the host, it also loads with kldload if_wg. Using it won't block a smooth update, this is comforting.

Thanks for your informative reply. Your three lines of postscriptum alone saved me from three hours of googling and countless tries at least.
 

toe

Cadet
Joined
Feb 14, 2022
Messages
1
Updated via manual update file from 12.0U8 - No issues on the update.

Ran for two days now. No problems encountered so far.

My setup is virtualized (through proxmox/qemu and HBA passthrough) with no usage of plugins or similar, so a fairly light use case.
Nonetheless, thought I'd drop a note that BETA1 feels as stable as a regular update for that side of things.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
The module is there in 13.0-BETA. I just confirmed it with ls /boot/modules on the host, it also loads with kldload if_wg. Using it won't block a smooth update, this is comforting.
Then create a tuneable in the UI:
  • type: loader
  • name: if_wg_load
  • value: YES
and you should be all set to continue inside the jail. The "wg0" interface with a running server is really just a renamed "tun" interface. So you probably need to "allow_tun" for the jail.
 

Volts

Patron
Joined
May 3, 2021
Messages
210
I've been using a home-built if_wg.ko since 12. It's been working perfectly for WireGuard VPNs in jails.

I didn't even notice that it was included in the 13 Nightlies/Beta! Yay, and thank you!

I've switched to the provided version. Everything connected correctly. I'll keep testing.

Yes, the jail needs allow_tun.
 

emk2203

Guru
Joined
Nov 11, 2012
Messages
573
Then create a tuneable in the UI:
  • type: loader
  • name: if_wg_load
  • value: YES
and you should be all set to continue inside the jail. The "wg0" interface with a running server is really just a renamed "tun" interface. So you probably need to "allow_tun" for the jail.
I solved the issue before I saw your reply via

Tasks / Init/Shutdown Scripts / Edit
Description - Load if_wg module
Type - Command
Command - kldload if_wg
When - Post Init
Enabled - check
Timeout - 10

Is this just another way to do it, or are there hidden disadvantages? Your proposal sure looks cleaner and easier. My jail had "allow_tun" from the start since I wanted to use a VPN inside.

I uninstalled wireguard-go from the jail, restarted and everything worked as expected. wg0 interface only in the jail, I think a little less load on the system. This is an ancient AMD Turion(tm) II Neo N40L Dual-Core Processor so it pays to keep the load at minimum. Quite happy with this beta so far.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Whatever floats your boat. My suggestion is the "official" way to load kernel modules at boot.
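
An added example (not from any poster in this thread): shell checks for the host-side setup discussed above, reporting whether `if_wg.ko` is currently loaded and whether the `if_wg_load` loader tunable is set to `YES`. The function names and the sample inputs are constructed for illustration; on a real host the first input would be the output of `kldstat` and the second the loader configuration text.

```shell
#!/bin/sh
# Added example. Both checks read text on stdin so they can be run
# against live output (kldstat | wg_module_loaded) or saved copies.

# Succeeds if the kldstat listing contains the if_wg.ko module file.
wg_module_loaded() {
    awk '$NF == "if_wg.ko" { found = 1 } END { exit !found }'
}

# Succeeds if the last uncommented if_wg_load assignment is YES.
wg_loader_tunable_enabled() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*if_wg_load[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)          # drop "name ="
            sub(/[ \t]+$/, "", v)                # drop trailing blanks
            gsub(/"/, "", v)                     # drop quotes
            on = (v == "YES")                    # later lines override
        }
        END { exit !on }'
}

# $1 = kldstat output, $2 = loader configuration text.
# Prints one line: loaded now? / loaded at boot via the tunable?
wg_host_state() {
    loaded=no; boot=no
    printf '%s\n' "$1" | wg_module_loaded && loaded=yes
    printf '%s\n' "$2" | wg_loader_tunable_enabled && boot=yes
    echo "loaded=$loaded boot_tunable=$boot"
}

# Constructed sample inputs (not captured from a real system).
sample_kldstat() {
cat <<'EOF'
Id Refs Address                Size Name
 1   58 0xffffffff80200000  1f30590 kernel
 2    1 0xffffffff82131000    3b0e8 if_wg.ko
EOF
}
sample_loader_conf() {
cat <<'EOF'
# constructed loader configuration
if_wg_load="YES"
EOF
}

wg_host_state "$(sample_kldstat)" "$(sample_loader_conf)"
```

A result of `loaded=yes boot_tunable=no` corresponds to the Post Init `kldload if_wg` approach described in the thread, where the module is loaded by a script rather than by the loader tunable.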
 