I’m going detail below some of how I’m managing this with a couple VMs I have deployed on a cluster of (two) servers. The details of how I do this on a Synology NAS are pretty specific to that hardware – the concepts are not.

Highlights of this framework include:

• Packaging services in a VM contains the scope of the damage when the “server” is compromised.
• Clustered hosts make it easy to move VMs to a new host or failover the VM if its host server is down.
• Snapshots of VMs can be created instantly as scheduled and then replicated to other hosts in the cluster.
• VMs can be exported to an external file system for off-site backup

How I put the pieces together

So much for the abstract, see below I’ll show you how I put this architecture together on my home network, clustering two servers that share two virtual machines.

The purpose of the virtual machines is not hugely relevant but as you’ll see in the screenshots here, the two virtual computers I have are hutbuddy_websites and Quicken_WindowsServer. The first is a virtual computer that runs a copy of Virtual DSM and hosts a few websites on my network. Websites can be notoriously vulnerable to attack. While I’m careful with security at those sites, it’s good to know that if the whole server went down it would still be only those websites and not my whole network. The second VM is something I use for running Quicken on a virtual Windows machine.

Now let’s start with VMs that exist, but they aren’t protected like I’ll outline. On a Synology server and many others, backing up virtual computers can get tricky and some of it gets downright philosophical with certain camps touting that you should just backup the VM from within the VM itself. Yeah that’s possible but recovering from a disaster requires rebuilding that VM from scratch starting by installing an operating system. It’s going to take hours with anything complex, and maybe days. I’m not settling for that because I don’t have to…

Clustering virtual computers

The redundancy starts by clustering hosts that each share the same virtual machines. Only one host at a time is designated to be the one that runs a given VM. But with a simple action in the Protection Plan it is possible to move the VM to another host, either for better loading or because a host is down. Note that on a Synology clustering requires a Virtual Machine Manager Pro license.

The key to redundancy is in the Protection Plan you choose for the VM. By clicking on Protection you get to this console.

In the protection plan you’ll schedule snapshots. A snapshot is a complete copy of the state of the virtual computer. Snapshots can be taken while the VM runs as filesystem-consistent snapshots at a point in time. Then you define a Retention Policy that says exactly when you want to release the space for old snapshots.

In the example policy above, the system retains snapshots for the last week and then keeps one snapshot per week for the last month.

Now that sounds like a lot of diskspace. My websites VM takes up about 250GB and I’m storing 15 or so copies of that?? Not really. Snapshots take advantage of the BTRFS file system and only store deltas. What it does mean is (unless you manually delete snapshots which you can do) if you delete a bunch of stuff it doesn’t go away immediately. That’s usually a good thing!

The outcome of clustering hosts like this is that if a host goes down, I can failover its VMs to the other host in just a few minutes. And if the VM crashes/other then I can restore from a snapshot made at various times that day, or less frequently for up to a month.

What’s missing?

OK so now we have two host servers that can each separately run the very same virtual machines. Not just sort of the same, but the same all the way down to the full content of the file system, the MAC address, everything. If a server goes down then I can almost instantly boot the VMs it hosted and they’re completely back in operation.

The only remaining problem is what if I lose both servers?? The two servers are in physical proximity. Theft, fire, or other might mean that both servers go down perhaps permanently. Obviously I won’t recover from that in just a few minutes, but the real problem is the fact that the servers were replicating snapshots to each other so now ALL the snapshots are gone!

One solution to this problem would be to periodically export the VM to a file. This is NOT a “snapshot” with only deltas, it’s a great big file that’s the whole state of the VM and everything in its internal file system.

The problems here are two-fold. For one thing, the export of a big VM might take several hours and the whole time it exports, you have to have your VM shutdown/offline. The other problem is that this is a manual action! I’m loath to have manual procedures that I can automate. But can I?

At first it seems like we’re stuck here – and that’s indeed where I stayed for months. But ultimately I got some help from a friend at reddit and found this German website that details a solution that includes using an internal utility we find in DSM (good thing google translates).

(I’m fine with using this even though not publically documented – be your own judge)

See my SSH session below (run it with root privilege i.e. sudo -i)

/volume1/@appstore/Virtualization/bin/vmm_backup_ova --help

Usage: /volume1/@appstore/Virtualization/bin/vmm_backup_ova [--dst] [--batch] [--host] [--guests] [--retent] [--retry]
        backup VM to shared folder on VMM

Options:
        --default       use default options to backup
        --dst           shared folder path for storing backup OVA
        --batch         the number of VMs exporting at a time (default: 5)
        --host|--guests mutually exclusive options
                        '--host' only backup VMs which repository is on the specified host (default: all)
                        '--guests' only backup specified VMs (default: not specified, use | for seperator if there are multiple targets)
        --retent        the number of backups for retention (default: 3)
        --retry         the number of times for backup retrying (default: 3)

Examples:
        Run backup script by default
                ./vmm_backup_ova --default
        Backup all guests which repository is on the host and store OVAs in certain shared folder
                ./vmm_backup_ova --dst=<share-name> --host="<host-name>"
        Backup all guests which repository is on the host and limit the number of VMs exporting at a time to avoid affecting performance
                ./vmm_backup_ova --batch=2 --host="<host-name>"
        Backup certain guests and store the last two OVAs per VM
                ./vmm_backup_ova --guests="<guest_name_1>|<guest_name_2>" --retent=2
root@HomeNAS2602:~#

The vmm_backup_ova utility is the cat’s meow here. I launch the program with a ssh script that reads as follows:

# clone/export VMs on this host for disaster recovery
#!/bin/bash
set -e
/volume1/@appstore/Virtualization/bin/vmm_backup_ova --dst=VMBackups --host="HomeNAS2602" --retent=1

In this case I’m telling vmm_backup_ova to export every VM running on that host and store the export in a shared folder called VMBackups and retain only one backup. A key advantage of this utility is that we do NOT have to shutdown the VM! Instead, vmm_backup_ova starts by making a temporary clone of the running VM, which happens in nearly an instant. Then it proceeds to export that clone (which is never run) while the real VM continues to run. The export of a large VM might take several hours, but it runs in the background while everything else continues to function and then the clone VM is automatically deleted.

Tip: Avoid spaces in your virtual computer names. My experience is the utility creates destination directories with the wrong names and then can’t populate them. See my use of underbars instead.

In practice I run a script like that on each of the two hosts. It’s nice that in the GUI of Virtual Machine Manager I can see and monitor the snapshot/export process even though I didn’t initiate it there. And although each NAS exports to its own file system, the VMBackups shared folder is replicated to the other host too via ShareSync, and the Hyper Backup program is used to make off-site copies of VMBackups. Finally, the VM backups share itself gets snapshot retaining content for up to a month (I snapshot nearly everything to protect it from ransomware if nothing else).

I’m currently exporting once per month as scheduled in the Task Scheduler. So if I lost BOTH hosts then I can still recover the VM from the latest export (with some hardware of course), then restore VM files from within the VM itself, as I’ll typically have made more recent file backups and not have to revert all the way back to the last export once I’m all done.

The post The Security and Redundancy of Clustered Virtual Machines appeared first on Walter's Little World.

What are these protections and why are they necessary? First let me cover a little background on how docker containers work. The code in the container executes as part of the docker engine. The docker engine by necessity, executes with root privilege and can therefore read or write any data in the file system whatsoever. To cause damage, malware in the container need only successfully submit a request to delete critical system files etc.

In addition to damaging the file system, containers can also carry out network attacks on other containers on your server. Containers normally run in the default bridge network. Being on the same subnet, the docker engine makes the containers visible to each other by name. So containers can discover other containers and get their IP address thru DNS. The requests they send to each other may be malicious and won’t be blocked by any firewall since they occur within the same docker subnet (which is not a real network – it’s a virtual LAN in the engine).

I recently went digging in this area when I got interested in installing the wiki.js container on my system to hold a wiki site. Wiki.js is a fully fledged web site/web publishing framework. Its JavaScript architecture and interfaces make it particularly susceptible to injection attacks. There’s also a history of quite a few bugs, and I’m not sure the codebase is clean of malware or poor security practices. That might be a reason to have second thoughts about using it all, but IMO that’s a little drastic if things are managed well.

But these concerns did spur me to learn about some controls that can be put in place, and how to use them. What I’m looking for here is to see that the attack surface within the docker engine, is limited to the wiki.js website itself – not my whole server. This means that an attacker might bring down wiki.js and might gain access to any information that’s been published there. But potentially numerous other services like my password manager, websites/sql databases, financial software, online movies, etc. remain unaffected.

Isolate Docker Containers

Docker provides a couple of ways to manage container security. You just have to make a point to use them when you have reason to be concerned about what a container might do (like uh…all the time I should have been doing this all along).

• Give the container its own network. Most people install containers on the default bridge network by simply not specifying otherwise. So usually examples you find on the web try to keep things simple and leave this out. Alternatively, you can isolate your container on its on network and this means it has its own subnet. Now, even if your container magically knew the IP address of another container, it would not be able to send it anything. The docker runtime would not route the request. This is why docker has this facility and why you should use it.
• Limit the logical file-system privilege of the container. As mentioned, the docker runtime runs with root privilege. That would seem to drive a nail into the coffin, for any goal of seeing your container have limited privileges as it executes file system code. But docker has a facility to address just this concern, that being the PUID/PGID arguments that tell docker to execute container requests as-though the request were executed by a specific user. So barring some kind of zero-day vulnerability in the runtime, this goes a long way to limiting the damage done by ill-formed or ill-intent code. Again, you don’t usually see these arguments getting used. They won’t protect you unless you use them.

How I went about container isolation by example

The details of applying the above docker facilities are system specific when you look at the details. But similar steps will apply regardless. In a broad sense, the problem is that of creating a dedicated bridge network for the container and then use that. Then also limit the file system privileges.

These are the specific steps I took to deploy the wiki.js container on my DS-1520+ NAS. There are lots of ways of doing the equivalent things, this is just a by-example for the steps I took based on what’s easy and familiar to me.

The first thing I’m going to do is create a network that I’ll call “wiki” where I’ll isolate the wiki.js container. I do that by running portainer, select my host and go to Networks and click on Add. Fill in the name of the network as “wiki”. Confirm the Driver is “bridge” and accept defaults on everything else and save this as a new network.

Now you can see your new network that’s setup on its own subnet.

With the network ready, I’ll now setup a user account for limiting the container’s privileges.

Start by creating a system user. On my system I just went to the Control Panel and setup a new user I call “docker_wikijs”. This user has file system privileges where the only directory it has any access to whatsoever, is the shared folder where the wiki.js maintains all its settings and data.

Getting the PUID/PGID takes executing the linux id command. If you’re comfortable with using SSH and you have SSH enabled on your server etc. then you can open a SSH prompt and get the output as shown by this example where I execute “id docker_wikijs”.

So what if you’re NOT so comfortable with SSH and you don’t have it setup? Well on a Synology don’t despair. You can actually execute the id command by setting up a task to do that in the Control Panel. The output will come to you as email. See this easy guide on doing that. (by the way you can use this same trick to execute any task such as docker run as root, just know that you need to take proper care doing so)

So take the uid and gid values that come from the id command and that’s all you need for making PUID and PGID arguments for the docker run command.

Having prepared the shared folders that wiki.js specifically wants, now I’m ready to execute docker run to install the container. See the following docker run command with highlighted arguments that isolate the container.

docker run -d --name=wikijs \
--network=wiki \
-e PUID=<uid value> \
-e PGID=<gid value> \
-p 3540:3000 \
-e TZ=America/New_York \
-v /volume1/docker/wikijs/config:/config \
-v /volume1/docker/wikijs/data:/data \
--restart always \
ghcr.io/linuxserver/wikijs

The network argument naturally puts the container on that bridge instead of the default. The PUID and PGID arguments look just like simple environment variables, but the docker runtime picks up on these and quietly applies those privileges.

Like anything though, test it out. For example reduce the user to read-only privilege and observe the wiki website failing to save files when you tell it to.

I execute the above docker run and then go to portainer and find wikijs installed as requested.

The post How to limit the possible damage done by docker container malware appeared first on Walter's Little World.

With my DS-1520+ server with its cloud and other functions I keep using more, I’ve managed to put together a house of cards. I’ve added one service after another including various docker containers and applications for about a year now. That included lots of trials and tribulations. I don’t want to lose it all in a hardware failure. I keep backups, but they haven’t been validated and I know for a fact there are various things that won’t get restored by Hyper Backup. So I need a procedure for doing a rebuild, and I need to be able to validate that it works when the time comes, and know what it takes to get a new system functional. And wouldn’t it be great if I could do that without buying new systems to try it out!?! I don’t want to break what I have.

It dawned on me recently that I have all the tools at my disposal to develop and test backup recovery, and without buying any new hardware. On either of my NASes I can run virtual computers using the Virtual Machine Manager. On that virtual computer, I can install a variety of operating systems including Virtual DSM. This lets met build a NAS within a NAS. Now I can start with a fresh installation of DSM and try to restore functionality from a backup. Upon finding and fixing problems with my procedure or limitations in the scope of the backup, I can make various changes and then just throw that Virtual DSM away and start over.

So I’ve been doing exactly that, and stumbled on an interesting thing to try out that I suspect substantially improves the security of my site and is otherwise just cool. In some of my testing I created a Virtual DSM and restored a backup of this web site on it (naturally including databases etc that it needs to function). I got that working and that’s why you can see this web page…the original site has been shut down at least for a while.

The reason this is more secure is this: If at attacker manages to infect the walterstovall.online host with malware, the damage that malware can cause is limited to the virtual computer. If it did get compromised somehow then I could just restore that virtual computer from a saved snapshot. If for example the malware were to somehow delete every file on the hard disk and render the operating system unbootable, this would still be limited to the virtual computer that runs the site. The “hard disk” that got wiped is just a virtual hard disk that’s a small part of the storage on the hosting server.

How I moved this site into a virtual computer

I went thru the process of creating a VM for my site several times before I ended up with a smooth and consolidated set of steps. I wanted to boil it down to the essentials so I can easily move things as I see fit. I think it worked out very nicely and I thought I’d record what I came up with here.

To sum it up here’s what I’ll do below. Setup a virtual NAS on my DS-918 using Virtual Machine Manager. Point that virtual NAS to a backup of my DS-1520 server where walterstovall.online is currently deployed. Restore from that backup, the services necessary for running the walterstovall.online blog along with the site files and SQL database etc. Shutdown the new site and startup the new one in the VM and make it accessible over the internet.

Let’s get into it!

Create Virtual DSM Computer to host my blog

On the DS-918 I’ll visit Virtual Machine Manager and tell it to create a new virtual computer.

Stepping thru a few simple dialogs to allocate hardware resources, the VM gets created and I can connect to it at its assigned IP address. Now I give the computer a unique host name and login account.

That’s about all there is to that…now I login with the new admin account and I’m at a new DSM desktop.

Install Web Backends

After downloading DSM updates I now go to the Package Center and tell it to download the backend services that my site needs. These are mostly provided by third parties and won’t be part of the backup we’re going to restore.

By inspecting the Web Station setup on the source NAS where walterstovall.online resides, I see the following capabilities there.

• Apache HTTP 2.4
• PHP 7.4
• phpMyAdmin

Restore system configuration and web sites

Now I go to the Package Center and tell it to install Hyper Backup which I then launch and tell it to restore a data backup. I’ll point to a backup of the whole NAS.

Now I step thru a few dialogs telling it just what to restore from the backup and get down to this summary to confirm.

That kicks off and runs for a couple hours, loading a few hundred GB of applications and data into this virtual server.

After running, that restores ALL network settings and user accounts from the DS-1520 server. This is great in most respects except that it also gives the server the same network and domain name as the stovallhut.online server I restored this backup from. So now it’s important to visit the network settings and login portal in the Virtual DSM and restore the correct settings. Also important, is to configure my local DNS so the IP address of the server is permanently reserved.

Finally, I can visit https://walterstovall.online and view the site! But not done quite yet…

Fix inability to login at site

Even though I can view the site anonymously, I can’t login. The reason being that my site is setup for a 2FA login and after moving the site, I can’t seem to make that work (even though it is a TOTP code, so it seems like it should work based on the same secret key).

In any case I came up with the following solution that will let me login and get things working.

Open a SSH session and navigate to the wordpress directory where I’ll temporarily hide the wordfence plugin which handles the 2FA login (and a lot of other security issues).

The mv wordfence wordfence.bak just renames the plugin directory and makes it unable to participate in the login which then becomes based only on username & password.

Now that I’m logged in I can then rename wordfence.bak, giving it the original name. This makes it possible to now get to wordfence and turn off 2FA logins. Now I can log out, log in, etc. And turning on 2FA makes that work again too.

Secure internet access

At this point the site is fully functional except for one glaring problem. Security certificates are not installed, so access in a web brower includes bypassing stern warnings about the site not being secure. It’s also not possible to reach the VM over the internet. I’ll solve both of those problems below.

To reach the VM over the internet I’ll setup a reverse proxy on stovallhut.online that will send walterstovall.online traffic to the right place on the LAN. The reverse proxy tells stovallhut.online that when it receives HTTPS traffic directed to walterstovall.online, that it should send that traffic to the IP address of the Virtual DSM where we’ve placed the site.

(this reverse proxy needs to be associated to the walterstovall.online certificate too at the certificates settings page or browsers will still complain regardless of the certificate at the final destination)

Now I’ll just pick the export-action on this certificate so I can import it at my new hutbuddy.online virtual server where the web site has been moved.

With the certificate imported, I’ll then associate it with the walterstovall.online virtual host.

And that’s about it! If that seems like a lot of stuff to do, you should have seen my steps the first time

The post My site has moved – hopefully to a more secure home appeared first on Walter's Little World.

Initially my login showed a new People folder to me with nothing in it. The server worked on indexing my thousands of images for at least an hour or so. Then I came back and now, when I view the people folder I see lots of sub-folders, one for each person the package thinks are the same individual. In each case I see a sample picture of the person. But instead of a person’s name, I see “who’s this?”.

Fill in the person’s name, and hit enter. Repeat with each one. In a few cases I would come to somebody that I’ve already identified, but the software apparently thinks these are two different people. In that case I just type the same name again (auto-completed for me) and I’ll be prompted to merge the two into one.

I’ve also seen where I can remove people from a folder if they’ve been wrongly recognized, but I’ve yet to witness that. What I’m on the lookout for, is a way for me to identify somebody that was not recognized at all, and say who they are. That may be missing feature? Or I’m too much of a newbie.

Even though some people don’t get recognized, it’s often very surprising who it does recognize. Like people in the background of the image. It also appears to me that it correlates separate images, combining clues from each. For example I have a case where it recognizes an image of my nephew. Then in another picture that it also recognizes of him (taken on the same day at the same gathering), there’s a clear shot of his body but he’s looking at the floor and instead of his face, the picture just shows the top his head. When I look at the pictures I know who it is because of what he’s wearing.

Now when I wish I could find some pictures of ??? I can do that. And with the NAS just sitting here anyway, this comes at no extra cost

The post The face detection in Synology Photos is too cool! appeared first on Walter's Little World.

Let’s say I want to watch a movie on my smart tv and the internet is down. My tv is setup to let me play movies from my home server residing at hostname video.stovallhut.online. If I pickup my roku and go to the DS Video app to watch a movie, it will fail right off the bat because it can’t resolve the hostname to a IP address. Dead in the water.

In my case the solution to this problem comes all in configuring my main router for my local network by adding a DNS Server that knows the names of my home servers and will then resolve the name without contacting a server on the internet. This also means the names will resolve much faster here at my house.

While this is a quick setup, it didn’t just fall in my lap. I was immediately hit with unfamiliar entities to setup and not knowing what zones are much less master zones vs. slave zones and why I might want one. But just resolving names on your local network is really pretty easy at least on my RT2600ac router. I captured the steps below in case this helps anybody else (or me later) dodge the complexity and just handle this simple scenario.

Start by logging into the Synology router and go to the Package Center. Install the DNS Server package. Open DNS Server and create a Master Zone. You need one master zone for each domain you want to resolve. So in my case I have a server I get to as stovallhut.online and fill out the dialog like this.

To me it was not intuitive to think of the name I want to resolve to as a “Master DNS server”. Don’t think that you need to setup something on your server for that. This is just the IP of the computer you want to reach using that name. That computer does not participate in resolving the name (I think the master-server concept is for the rare case where you would run your own nameserver).

Accept defaults for other choices and save the new Master Zone. To resolve the name though, you’re not quite done…

Assuming you have a Windows computer connected to your router (and using the DNS server i.e. no manual override of DHCP settings), open a command prompt and try to resolve the name you just setup.

See above that no address at all shows when trying to resolve the new domain. Compare that to resolving cnn.com which comes back with several IPs.

To resolve the name you need to add a “A” record to the master zone you just created. Visit the zone and double-click to edit.

Fill in just the IP address and save the rule – that’s all there is to it. Now go back to your dos prompt and you should see the name resolve correctly now.

Handle subdomains with more “A Records”

If you have any subdomains you’ll need A Records for each of them too. See below how I setup a few subdomains for my stovallhut.online domain.

Now my smart tv can go find movies at video.stovallhut.online when my internet is disconnected

Visit this site for more information on the Synology DNS Server. Note that I could have used CNAME records for my subdomains. That might be a little less maintenance especially if you change around your IP addresses. But I elected not to because of at least a minor performance issue in that CNAME records include the overhead of an additional query to the DNS Server during name resolution.

Going further with DNS Records

My above focus on basic address resolution leaves a lot out of what you can do with a DNS Server. See this good reference for what the various records in your DNS Server can do to help you manage a local network.

The post Keep your “online” life alive when the internet is down appeared first on Walter's Little World.

I’ve had a burr in my butt around the need for multifactor authentication on my server, especially for an admin account that if stolen, would be awful needless to say. It’s equally important for other accounts too depending on usage. But I come along kicking and screaming. I don’t login for good luck. I’m trying to do something and logging in is a distraction and a frustration if it takes much time or data entry. After setting up 2FA on my Synology DS-1520+ I’ve been real pleased with the outcome.

I’ll start with the outcome…let’s say I’m logging onto my NAS (directly or using one of my apps) and I’m prompted to authenticate. I enter my User Id and password and press enter. Now my web page tells me to approve the login at my phone.

I open the notice on my phone and hit Approve and I’m logged in

While I don’t welcome the interruption of another prompt, with two factor authentication being the goal I can’t see how it gets much easier than this.

The Secure Signin will also let you login using OTP codes.

It’s interesting to note that the security code can be generated and used even if your phone has no cell or internet connection. In fact you don’t even need a LAN connection to your NAS. The code is just good by itself since both the NAS and the phone have synchronized times and both of them know the secret key used to generate the code.

What if you don’t care about 2FA and just want a easier login?

Do you want the security of some authentication, but don’t want to mess around finding and typing in your long cryptic password all the time? You can setup your account for what’s called passwordless login. This will enable you, while holding your unlocked phone, to authenticate with literally one button press (avoid giving the phone an unlock code by setting up biometrics on the phone).

To see how easy this is let’s say I’m logging into the DS-1520 and I’m prompted to authenticate. I DO have to type in my user name.

Now when I click on the arrow I get this message in my browser window…

Now I look at my previously sleeping and locked phone…

So I tap on that message, my phone unlocks based on facial recognition, and I can approve or deny my waiting browser login…

At this point I’m done

OK so it works good but I bet setting it up is a nightmare right?

Nope – it was actually painless. As an administrator I didn’t have to do anything more than the basic server configuration I had in place where the server knows its domain name, is configured with security certificates, etc. as need for normal operation.

After that the setup of 2FA or passwordless login is all done by the user that wants that capability.

At the DSM desktop the user edits their account settings and has the option of setting up these login options.

With either passwordless or 2FA, now you point your phone at the QR code to download the app.

There’s one more code to scan in order to point the app to your server and then you’re done.

More to think about

I personally think if you have the option of getting an approve prompt on your phone and just pressing it is nearly as secure as true “2FA” where you type in a code you see on the phone, assuming your phone doesn’t stay unlocked of course. I’m no expert. It does mean that somebody that knows your user id and has your unlocked phone can login without your password. It also means somebody that knows your user id and password can login, which is what 2FA is there to prevent in the first place. Be your own judge.

• See PC Mag for a great review of authenticator apps. Using the Synology Secure Login app, I may not need any of these (not sure yet but the codes it generates should be usable anywhere given the standards).
• If you decide to set this up then don’t lock yourself out! Consider what happens when your phone is broken or dead. Various 2FA systems have ways around this. Synology will let you get codes via e-mail. And what if your e-mail is down or inaccessible too? In my case I created another admin account that I don’t use for anything but recovering another account (I can login as a different admin and go turn off 2FA for my real account). You never lock yourself out with passwordless login since you can always use your password without having the phone.
• If you use a verification code, understand using an authenticator app is distinctly better than getting sent a SMS text code. The SMS text is not secure, it takes time for the text message to reach you, and you need to have cell coverage for one thing.
• For Synology servers this is great article on making the server secure in general not just as related to authentication.

The post Do you want two factor authentication or passwordless login? appeared first on Walter's Little World.

All of this is free by just installing the new Photos package on your NAS. This package is available in the DSM 7.0 version just released this year. Synology has merged the Photo Station and Moments applications into this one platform for managing personal photos and videos. Users can manage photos with a web interface or with smartphone apps for IOS or Android phones. The app will optionally backup all of your photos to your NAS.

To be fair, I shouldn’t imply that Google Photos does not have some unique features because it does. I won’t dwell on the details though. Watch the review below for the full story.

The post Synology Photos is a serious contender for Google Photos appeared first on Walter's Little World.

And then after all the worrying and studying release notes etc. the whole upgrade went off with (almost) not a single hiccup! There have been dramatic changes to some of the packages. For example the Photo Station application has now merged with Moments and becomes Synology Photos. I have a lot of different services running including file sharing, Web Station, Synology Drive Server, Hyper Backup, Snapshot Replication, Active Backup for Business, Synology Contacts, Notes, Chat, Photos, Bitwarden, and others!

After the upgrade completed (which took about 1/2 hour) my system restarted and after some checking around it looked like everything was working, with the system pretty busy for a while building new indexes and codecs for movie files etc.

But then I was disappointed to find that each of my wordpress web sites had quit working (including this one) and just show a big error message about how the site can’t connect to the database. Uh oh…then a check at the Package Center showed me that several packages had failed to update during the upgrade.

Fixing my wordpress sites was as simple as pressing the repair button on the MariaDB and phpMyAdmin packages. In the case of topng, that’s a third party package and I at least temporarily deleted it – not critical (I’ll check for a update later).

Now I at least think everything I do with the server is working well. What a relief! That could have really messed me up for hours or longer, but Synology did a great job with their beta program last year and I’m glad to join the ranks of their happy customers

The post My upgrade of Synology DSM to 7.0 could hardly be simpler appeared first on Walter's Little World.

If you think about it, for every PC you add to your backup destination, you’re probably backing up yet another copy of the Windows 10 operating system. So many thousands of duplicate files. With Active Backup for Business, the program applies deduplication techniques by exploiting the power of the BTRFS file system.

The deduplication opportunities are even higher when you think about a small business sharing many of the same files on each workstation and maybe synchronizing many of the files. In my case I have only three PCs backed up. Considering their combined footprints and the fact that I’m retaining some old backups, this comes to a total of 2.7 TB of data. By eliminating the duplicate data, Active Backup for Business manages to store this 2.7 TB, using only 1 TB of disk space.

Considering the cost of hard disk space (including multiple disks in a raid array) that’s saving real money!

The post Backup all your workstations without duplicating data appeared first on Walter's Little World.

Now I have a great player that I can watch from the living room couch, my PC, on the go, share with other users. The player also lets you download movies for offline viewing, organize playlists, edit movie metadata, organize movies vs. TV, play different-language audio tracks or subtitles, etc. Very complete!

Showing Movie Posters/Graphics/Extended Descriptions

See in my screenshot above, the panel with John Wayne’s movie is a scrolling ad panel for movies in my collection. If you’ve ever viewed movies with a straight-up DLNA player then you know how unexciting a list of filenames look by comparison. To get all this graphics and descriptions you have to set that up in Video Station after you install it, where you can configure its access to third party services that provide that. In my case I picked the built-in support for getting the info from The Movie Database TMDB. It takes just a couple minutes to follow the video station help where you can get a API key from the movie database site and plug that into your Video Station app to enable access.

See full technical details on features, supported formats, protocols here.

The post Synology Video Station is a free movie cloud appeared first on Walter's Little World.