github nasty-project/nasty v0.0.14
NASty 0.0.14

5 hours ago

This is the enterprise identity, fast-fabric & recovery release — the
largest to date. NASty learns Active Directory from both ends: join an
existing domain as a member, or become the domain controller yourself,
with integrated DNS, Kerberos and WebUI user/group/computer management.
Backups gain their missing half — whole-snapshot restore, including
disaster recovery onto a bare box. An engine-managed firewall replaces
ad-hoc rules with deny-by-default nftables plus custom port rules; RDMA over
RoCE and InfiniBand
brings zero-copy iSER, NVMe-oF/RDMA and NFS-RDMA to the
sharing stack; and SR-IOV + hardware passthrough gain per-device and
per-VF control. Round it out with the Operations control center, iSCSI
portal management, compose .env files, on-demand folder sizes, Linux 6.18.38

  • bcachefs 1.38.8, and a broad sweep of fixes and dependency refreshes.

Headline changes

  • Active Directory — member and domain controller (#20; #627, #638). Join an
    existing AD domain as a member (security = ADS, winbind, RID idmap, with
    a credentials-over-stdin join/leave ceremony), or have NASty host its own
    domain as the controller
    samba-tool provisioning with integrated
    SAMBA_INTERNAL DNS and Kerberos, WebUI user / group / computer management,
    on-box domain backups, and RSAT compatibility for advanced
    administration. Single-DC, state on the root filesystem; marked experimental.
    Closes the oldest open issue in the tracker.

  • Backup restore + disaster recovery (#626; #635). The other half of backups:
    restore a whole snapshot back under /fs, including DR onto a fresh box
    from an existing repository — point a new install at the repo, pick a snapshot,
    and pull it back. Restores run through the same encrypted/deduplicated engine as
    backups.

  • Engine-managed firewall (#620; #637). Deny-by-default nftables managed by
    the engine, with per-service source/interface restrictions and user-defined
    custom port rules
    for anything running outside NASty's service model
    (IPv4 + IPv6, TCP/UDP, port ranges).

  • RDMA over RoCE & InfiniBand (#611, #616). Optional zero-copy transports
    iSER, NVMe-oF/RDMA and NFS-RDMA — for RoCE and InfiniBand NICs, wired
    into the sharing stack with an InfiniBand foundation underneath. RDMA controls
    surface only when a capable device is present.

  • SR-IOV & hardware passthrough (#603, #612, #614, #618). IOMMU-group view,
    vfio-pci toggles that survive reboots, per-device passthrough, and SR-IOV
    virtual-function management
    — VF count plus per-VF VLAN, MAC, trust and
    spoof-check
    .

  • Operations control center (#649, #650). The Operations page becomes the
    single place to see and drive every bcachefs array operation across pools —
    scrub (start/cancel), evacuation, and pausable reconcile/copy-GC — each row
    labeled with its pool; the duplicate controls were removed from the Filesystems
    diagnostics panel.

Active Directory

  • Member join/leave with realm validation, NetBIOS workgroup derivation, and idmap
    range allocation that can't collide with local accounts; join proceeds with a
    warning when DNS routing to the DC isn't in place (#627).
  • Domain-controller provisioning, demote, status and backup; DC user/group/computer
    management; a dns forwarder that survives samba's last-value-wins config; and a
    guard so enabling the SMB protocol can't fight a hosted DC (#638).
  • AD leave/unjoin now removes the machine keytab (/etc/krb5.keytab) it created —
    a leftover keytab otherwise tripped rpc-svcgssd into failing every system
    activation and blocking upgrades on NFS boxes (#658). See Upgrading.

Storage, block & fabrics

  • iSCSI portal management (#617): per-target portal add/remove and listen-address
    control.
  • NVMe-oF: wait for port addresses to come up before restoring targets, so a
    reboot doesn't race the transport into an unusable state (#630).
  • RDMA transports across iSER / NVMe-oF-RDMA / NFS-RDMA, gated on device presence
    (#616; UI hides the section when no RDMA device exists, #645).
  • bcachefs 1.38.8 (#621) + Linux 6.18.38 (#633); multi-device mount-source and
    quota resolution fixed for 1.38.8's by-uuid mount behaviour (#623); reconcile
    converge/rebalance profile handling improved (#615); disk-chip state refresh fixes
    (#624).

Backups & recovery

  • Whole-snapshot restore to /fs and disaster recovery onto a fresh box from an
    existing repository (#635).

Apps & Docker

  • Compose .env files (#629; #632): ship a managed .env alongside a compose
    stack, with the operator's env preserved across engine re-renders.
  • Remove external Docker networks from the UI (#651; #652): a leftover network an
    app brought with it (or one made outside NASty) can now be cleaned up from
    Apps → Networks — behind a confirm, disabled while containers are attached, with
    Docker's built-in bridge left untouchable.

Files

  • On-demand folder sizes (#654; #659): a per-folder "Calculate size" action totals
    a directory tree (apparent size) without walking it on every listing.

Networking & security

  • Engine-managed firewall with custom port rules (#637).
  • Network config preserves settings for interfaces that are temporarily absent, rather
    than dropping them (#610).
  • Authorization audit (#641): every API method's declared role reconciled with the
    effective gate, with a bidirectional guard test so the two can't silently drift.

Secure Boot

  • lanzaboote v1.1.0 (#655): Secure Boot boot-chain bumped and validated live on
    real OVMF + TPM2 hardware
    (enroll → boot under enforcing SB). PCR-7-bound TPM2
    auto-unlock is unaffected. See Upgrading.

WebUI polish

  • Operations control center + per-row pool labels (#649, #650); RDMA section hidden
    when absent and moved to the bottom of Sharing (#645); Directory page shows Join and
    Host side by side (#643); Firewall page and its port inputs widened (#640); optional
    hide-the-sidebar-logo toggle for more menu space (#646); duplicate per-page
    titles removed (#647); disk-import dialog lists supported image formats (#644).

Fixes

  • vfio-pci rebind on device detach (#603); domain-join DNS-routing warning (#627);
    multi-device mount source (#623); disk-chip refresh (#624).

Dependencies & platform

  • Linux 6.18.38, bcachefs 1.38.8, lanzaboote v1.1.0, weekly nixpkgs bumps (#633, #642).
  • WebUI: off the layerchart prerelease onto stable 2.0.1 (tooltip API migrated to
    layerchart v2) (#656); @types/node 26 (#657); routine in-range npm bumps (#653).
  • Engine: crossbeam-epoch (#622), diskwatch (#608).

Docs

  • README + built-in Glossary catch up with RDMA/RoCE/InfiniBand, Active Directory
    (experimental), backup restore, the firewall and SR-IOV (#639); new glossary entries
    for Evacuate, Fsck, Copy GC, Ingress and Firewall (#619).

Upgrading

  • Boxes that previously joined then left AD, and serve NFS: an older engine left a
    stray /etc/krb5.keytab behind on leave, which makes rpc-svcgssd fail every system
    activation (exit 4) and blocks the upgrade. Remove it once — rm /etc/krb5.keytab
    then update. New leaves clean it up automatically (#658).
  • Secure Boot users: the lanzaboote v1.1.0 stub (lzbt) builds from source on
    first enrollment/rebuild if it isn't in the binary cache (~30 min on modest
    hardware). Prime nasty.cachix.org with it before rolling out to avoid that compile.

Proxmox users: NASty requires UEFI. Switch the VM firmware from SeaBIOS to OVMF before installing, otherwise NASty won't boot after the first restart.

Switch from SeaBIOS

to OVMF (UEFI)

Don't miss a new nasty release

NewReleases is sending notifications on new releases.