TrueNAS Early Release Documentation
This content follows TrueNAS 26 releases.
Configuring Advanced Settings
Advanced Settings provides configuration options for the console, syslog, kernel, sysctl, replication, cron jobs, init/shutdown scripts, system dataset pool, isolated GPU device(s), NVIDIA drivers, system access sessions, allowed IP addresses, audit logging, and global two-factor authentication. Enterprise systems with SED drives and the appropriate license also see the self-encrypting drive option. Enterprise systems also see the security options (STIG and FIPS).
TrueNAS Enterprise
Enterprise-licensed system administrators have additional options to configure security-related settings, such as FIPS and STIG compatibility and Self-Encrypting Drive (SED) configuration.
Advanced settings have reasonable defaults in place. A warning message displays for some settings advising of the dangers of making changes. Changing advanced settings can be dangerous when done incorrectly. Use caution before saving changes.
Make sure you are comfortable with ZFS, Linux, and system configuration, backup, and restoration before making any changes.
TrueNAS Enterprise
Enterprise-licensed systems include configuration options for STIG and FIPS security, and failover when the system is a High Availability system.
The Audit card displays the current audit storage and retention policy settings. The public-facing TrueNAS API allows querying audit records, exporting audit reports, and configuring audit dataset settings and retention periods.
The Audit configuration screen sets the retention period, reservation size, quota size, and the percentage of used space in the audit dataset that triggers warning and critical alerts.
Click Configure to open the Audit configuration screen and to manage storage and retention policies for audit logs.
Use Add on the Tunable card to add a tunable that configures a kernel module parameter at runtime.

The Add Tunable screen shows the settings.

Select the tunable type from the Type dropdown list. There are three options:
- SYSCTL - Linux kernel parameters (called sysctl variables) that tune low-level kernel behavior across networking, memory management, virtual memory, file descriptors, security hardening, and more, and that affect the entire system. Sysctl tunables configure kernel module parameters while the system runs and generally take effect immediately. Best used for general system performance, network stack, memory pressure, and security hardening (e.g., against SYN floods: net.ipv4.tcp_syncookies=1). Variables persist across system reboots if set in config files. Enter a sysctl loader value in Value.
- UDEV - UDEV rules, which are dynamic device manager configurations that run when the kernel detects hardware events (e.g., disk plugged in, USB device attached, block device created). Variables are applied per device or per subsystem. They are ideal for hardware-specific tuning, especially disks/SSDs in ZFS pools, e.g., forcing a consistent I/O scheduler, readahead, or queue depth on pool drives to avoid defaults that hurt ZFS performance. They are permanent when the rule file exists, and rules re-apply automatically on device add/remove operations.
- ZFS - OpenZFS module parameters for the ZFS kernel module on Linux. They control ZFS-specific behavior like ARC caching, compression, I/O scheduling, prefetching, recordsize limits, and more. Use for fine-tuning ZFS performance, memory usage (ARC/L2ARC), compression, dedup, scrub/resilver behavior, and I/O patterns. They only apply to ZFS filesystem/modules. Runtime changes are lost on reboot or module reloads.
Enter the variable name in Variable, the value for the variable in Value, and a short description in Description. See examples below for each tunable type.
Type: SYSCTL
Variable: net.core.somaxconn
Value: 1024
Description: Increase max pending connections for better network handling under load.
Type: UDEV
Variable: ACTION=="add|change", KERNEL=="sd[a-z]"
Value: 1
Description: Set I/O scheduler to deadline on all rotational disks.
Type: ZFS
Variable: zfs_arc_max
Value: 17179869184 (that is 16 GiB in bytes; calculate as desired RAM cap x 1024^3)
Description: Cap ZFS ARC at 16 GiB to leave headroom for apps/VMs.
Select Enabled. Disabling the tunable does not delete the variable.
Click Save.
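To confirm that saved SYSCTL and ZFS tunables are actually live, compare them with the values the kernel exposes under /proc/sys and /sys/module/zfs/parameters. The following is an added example, not TrueNAS code; the function names and the `root` parameter (used to point the check at a test tree) are assumptions of this sketch, and UDEV rules are out of scope because they have no single value file.

```python
from pathlib import Path

# Tunables as entered on the Add Tunable screen (values from the examples above).
SAVED_TUNABLES = [
    ("SYSCTL", "net.core.somaxconn", "1024"),
    ("SYSCTL", "net.ipv4.tcp_syncookies", "1"),
    ("ZFS", "zfs_arc_max", "17179869184"),
]


def tunable_path(kind, variable, root="/"):
    """Map a tunable to the kernel file that exposes its live value."""
    root = Path(root)
    if kind == "SYSCTL":
        # sysctl names map to /proc/sys with dots replaced by slashes.
        return root / "proc/sys" / variable.replace(".", "/")
    if kind == "ZFS":
        # OpenZFS module parameters are exposed under /sys/module/zfs/parameters.
        return root / "sys/module/zfs/parameters" / variable
    raise ValueError(f"no live-value file for tunable type {kind!r}")


def check_tunables(tunables, root="/"):
    """Return (kind, variable, expected, actual, status) for each tunable."""
    results = []
    for kind, variable, expected in tunables:
        path = tunable_path(kind, variable, root)
        try:
            # Multi-value sysctls are tab-separated; normalise whitespace.
            actual = " ".join(path.read_text().split())
        except FileNotFoundError:
            # Typo in the variable name, or the kernel module is not loaded.
            results.append((kind, variable, expected, None, "missing"))
            continue
        status = "ok" if actual == " ".join(expected.split()) else "drift"
        results.append((kind, variable, expected, actual, status))
    return results


if __name__ == "__main__":
    for kind, variable, expected, actual, status in check_tunables(SAVED_TUNABLES):
        print(f"{status:8} {kind:6} {variable} expected={expected} actual={actual}")
```

A `drift` result on a hardening value such as net.ipv4.tcp_syncookies means the running kernel does not match what was saved, for example because the tunable is disabled or was changed at runtime.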
The NTP Servers card allows users to add Network Time Protocol (NTP) servers. These sync the local system time with an accurate external reference. By default, new installations use several existing NTP servers. TrueNAS supports adding custom NTP servers.
The Storage card shows the pool configured as the system dataset pool and allows users to select a different storage pool to hold the system dataset. The system dataset stores core files for debugging and keys for encrypted pools. It also stores Samba4 metadata, such as the user and group cache and share-level permissions. The card also includes the resilvering priority setting.
Configure opens the Storage Settings configuration screen.
If the system has one pool, TrueNAS configures that pool as the system dataset pool. If your system has more than one pool, you can set the system dataset pool using the Select Pool dropdown. Users can move the system dataset to an unencrypted or key-encrypted pool.
Users can move the system dataset to a key-encrypted pool, but cannot change the pool encryption type afterward. If the encrypted pool already has a passphrase set, you cannot move the system dataset to that pool.
To set a different resilver priority, select Run Resilvering At Higher Priority At Certain Times. Two additional settings show that allow you to configure the day and time range for resilvering to run.
To return to the default resilver priority, clear the checkbox and click Save.
The Replication card displays the number of replication tasks that can execute simultaneously on the system. It allows users to adjust the maximum number of replication tasks the system can execute simultaneously.

Click Configure to open the Replication configuration screen.

Enter a number for the maximum number of simultaneous replication tasks you want to allow the system to process and click Save.
Use the Allowed IP Addresses configuration screen on the System > Advanced Settings screen to restrict access to the TrueNAS web UI and API.
Entering an IP address limits access to the system to only the address(es) entered here. To allow unrestricted access to all IP addresses, leave this list empty.
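Because a saved list immediately limits who can reach the web UI and API, it is worth checking a planned list against your management hosts before saving it. The following is an added example, not TrueNAS code: it models the rule stated above (an empty list means unrestricted access), and its handling of CIDR entries and IPv4-mapped IPv6 client addresses is an assumption of this sketch. All addresses are constructed from documentation ranges.

```python
import ipaddress


def parse_entry(entry):
    """Parse one allowlist entry; a bare address becomes a /32 or /128 network.

    Strict parsing raises ValueError on typos such as 192.0.2.10/24.
    """
    return ipaddress.ip_network(entry.strip())


def normalise(addr):
    """Parse a client address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def is_allowed(client, allowlist):
    """Apply the rule stated above: an empty list means unrestricted access."""
    if not allowlist:
        return True
    ip = normalise(client)
    nets = [parse_entry(e) for e in allowlist]
    return any(ip.version == n.version and ip in n for n in nets)


def lockout_report(allowlist, admin_clients):
    """Return the admin client addresses that the planned list would shut out."""
    return [c for c in admin_clients if not is_allowed(c, allowlist)]


if __name__ == "__main__":
    planned = ["192.0.2.10", "198.51.100.0/24", "2001:db8::/64"]  # constructed
    admins = ["192.0.2.10", "192.0.2.11", "2001:db8:1::5"]        # constructed
    for addr in lockout_report(planned, admins):
        print(f"would be locked out: {addr}")
```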
The Access widget shows a list of all active sessions including the current logged-in user and the time it started. The Session Timeout setting shows the number of minutes for the current session.
The Login Banner shows the custom text entered on the Access Settings screen. This text shows before the login screen. When configured, users see the login banner and must click Continue to show the TrueNAS login splash screen.
Administrators can manage other active sessions and configure the session timeout for their accounts.
Terminate Other Sessions ends all sessions except the current session. To end individual sessions, click the logout button next to that session. You must check a confirmation box before the system allows you to end sessions.
The logout icon is inactive for the currently logged-in administrator session and active for any other current sessions. It cannot be used to terminate the currently logged-in active administrator session.
Session Timeout shows the configured token duration for the current session (default is five minutes). TrueNAS logs out user sessions that are inactive for longer than the configured token setting for the user. New activity resets the token counter.
When the configured session timeout is exceeded, TrueNAS displays a Logout dialog with the exceeded ticket lifetime value and the time the session is scheduled to terminate.
Click Extend Session to reset the token counter. If not clicked, TrueNAS terminates the session automatically and returns to the login screen.
To change settings, click Configure to open the Access Settings screen, where you can configure a session timeout or add a login banner.
Enter a value in seconds that suits your needs and security requirements. For example, to change the timeout to 10 minutes, enter 6000.
The default session timeout setting is 300 seconds or five minutes.
The minimum value allowed is 30 seconds, and the maximum is 2147482 seconds, or 20 hours, 31 minutes, and 22 seconds.
Click Save.
To show a login banner before the login screen shows, enter the text in the Login Banner field. Use carriage returns to break up a large block of text and to improve the readability of the text.
After saving the text, the next time an administrative user logs into the UI, a banner screen shows. To advance to the login screen, click Continue.
TrueNAS Enterprise
Only Enterprise-licensed systems allow TrueNAS web UI access for Directory Service accounts.
TrueNAS allows Enterprise users to show the UI to users in an Active Directory group. To configure this access, first, add the selected AD users to a group that is granted a TrueNAS privilege that permits it, and enable the Allow Directory Service users to access WebUI option on the Access Settings screen. This option only shows on Enterprise-licensed systems.
After TrueNAS joins AD, it automatically creates a new privilege entry in the Privileges screen table, and this privilege is automatically populated with the domain admins group for the domain. You can edit this privilege by selecting the table row and clicking Edit. Never modify the settings for the standard pre-defined privileges (listed below)! Changing these pre-defined roles can result in lost access to the UI!
Pre-defined TrueNAS privileges are:
- Read-Only Administrator - Allows the user to view settings but not make changes in the UI.
- Sharing Administrator - Allows the user to create new shares and the share dataset.
- Local Administrator - Gives full control (read/write/execute permissions) to the user.
The NVIDIA Drivers widget allows you to install or remove NVIDIA GPU drivers on your system. NVIDIA GPU support is required for containers that use NVIDIA GPUs for graphics acceleration or computation.
Click Configure to open the NVIDIA Drivers configuration screen.
To install NVIDIA drivers:
- Select Install NVIDIA Drivers.
- Click Save.
Installing NVIDIA drivers requires the system to use the production kernel. If Enable Debug Kernel is selected, NVIDIA driver installation fails. Disable the debug kernel before installing NVIDIA drivers.
After installation completes, NVIDIA GPU devices become available for assignment to containers. To verify installation, check that your GPU devices appear in the container GPU device selection list.
To uninstall the drivers:
- Deselect Install NVIDIA Drivers.
- Click Save.
Containers using NVIDIA GPUs cannot start after driver removal.
See NVIDIA Drivers Card in the UI Reference for detailed field descriptions.
TrueNAS Enterprise
Review these topics and contact TrueNAS Support before enabling STIG and FIPS security settings.
When STIG (and FIPS) are enabled:
- TrueNAS cannot issue API keys, and existing API keys cannot be used for authentication. Only the user credential with a two-factor authentication method is accepted.
- SSH log-ins require a cryptographic algorithm.
- SMB authentication for local TrueNAS accounts is disabled.
- NTLM authentication passthrough to a domain controller is disabled.
- Usage stats are not reported, and the Usage Collection option is disabled.
- One-time passwords (OTP) configured for administrative users have a single use and expire after 24 hours. After logging in with the OTP, the system prompts the user to immediately change the password and set up two-factor authentication.
- TrueNAS is limited to a maximum of 10 concurrent sessions. Accounts lock for 15 minutes after three consecutive failed login attempts.
- Password aging rules are applied to the SMB protocol. After a failed login attempt, users with expired passwords receive a password-expired message.
- TrueNAS prompts users to change their passwords when logging in, and the system flags the account as requiring this change. Users cannot reuse a password if it is marked as used within the last five passwords in the history file. Passwords must be 15 characters in length.
- TrueNAS updates can only use a signed update file provided by the TrueNAS team.
To set up FIPS or STIG compliance on a TrueNAS server, you must first configure two-factor authentication for an admin user with full permissions.
After configuring two-factor authentication, go to System > Advanced Settings and locate the Security card.
Click Settings to open the System Security configuration screen.

Select the toggle to enable FIPS and STIG, then click Save. You must enable FIPS with STIG! The system prompts you to restart.

The system restart takes several minutes to complete before showing the login screen. Highly Available (HA) systems must restart each storage controller before STIG mode is fully enabled.
The remaining options are for setting TrueNAS administrator password rules. Options include defining a password lifetime, types of characters that must be present in the password, how many characters must be present in a valid password, and how many previously used passwords to remember for an account and prevent reuse in a new password.
Adjust these as needed for your security requirements. Enabling STIG compatibility mode requires specific minimum values for these settings.
Note that TrueNAS begins warning all local account types (administrator, full admin, read-only, and sharing-only) seven days before password expiration. After expiration, the account locks and requires administrative action to unlock.
















