⚠️ Security Resolution Incoming ⚠️

:wave: Hey everyone. We're getting ready to roll out an update that has a big change that closes an existing hole in security for your Channels DVR Server.

We aren't going to detail it until we've released the update, but we wanted to give you a heads up. Once the update is out, we'll release a post about it in more detail.

Read below to see if you're affected and how to fix it.

Am I affected?

If you are NOT running Channels DVR Server via Docker, you are NOT affected. You can ignore this post.

If you ARE running Channels DVR Server via Docker AND using bridged networking, you MAY be affected.

What will happen?

If you are affected by the issue and resolution, the update will cause you to no longer be able to freely connect to your Channels DVR Server web admin from your local network. You will be prompted to authenticate with a token.

Additionally, your Channels clients will no longer be able to connect to your Channels DVR Server.

What do I need to do?

You need to change the Docker networking mode for your Channels DVR Server to use host networking.

Once you do this, you will be able to continue using Channels DVR Server and your Channels clients as you were before.

Docker Compose

If you are using Docker Compose, you will need to change your network_mode to host.


network_mode: host

Docker CLI

If you are using the Docker CLI, you will need to add --network=host to your docker run command.


docker run --network=host ...

UI Managed Docker

If you are using other software that manages your Docker deployment, you will need to change the networking mode to host for your Channels DVR Server container.

You will need to reference the documentation of your UI managed Docker deployment to determine how to do this.

2 Likes
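An added example, not part of the announcement above and not Channels' own tooling: a shell check that reports which network mode each Channels DVR Server container uses, so you can see before updating whether the bridged-networking case applies. The container names passed as arguments are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example: report the Docker network mode of the named containers.
# Usage (container names are hypothetical): sh check-netmode.sh channels-dvr channels-dvr-2

# Map a HostConfig.NetworkMode value (plus the driver of a named network) to a verdict.
classify_mode() {
    mode=$1 driver=$2
    case "$mode" in
        host)             echo "host" ;;
        bridge|default)   echo "bridged" ;;   # default bridge network
        none|container:*) echo "other" ;;
        *)  # user-defined network (e.g. one created by Compose): decided by its driver
            if [ "$driver" = "bridge" ]; then echo "bridged"; else echo "other"; fi ;;
    esac
}

# Returns 0 for host networking, 1 if a change or manual review is needed, 2 if not found.
audit_container() {
    name=$1
    mode=$(docker inspect --format '{{.HostConfig.NetworkMode}}' "$name" 2>/dev/null) || {
        echo "$name: container not found"; return 2; }
    driver=""
    case "$mode" in
        host|bridge|default|none|container:*) ;;
        *) driver=$(docker network inspect --format '{{.Driver}}' "$mode" 2>/dev/null) || driver="" ;;
    esac
    verdict=$(classify_mode "$mode" "$driver")
    case "$verdict" in
        host)    echo "$name: host networking, no change needed" ;;
        bridged) echo "$name: bridged networking ($mode), switch to host"; return 1 ;;
        *)       echo "$name: network mode '$mode', review manually"; return 1 ;;
    esac
}

# Audit every container named on the command line; exit non-zero if any needs attention.
rc=0
for c in "$@"; do audit_container "$c" || rc=1; done
[ "$#" -eq 0 ] || exit "$rc"
```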

The release has landed:

4 Likes

Does that mean users running Docker for Mac and Docker for Windows are SOL?

No, because the Docker implementations on those are likely to be working correctly.

What about unRAID v12.4?
My Channels Docker seems to be in Host mode already.

If you run multiple Channels DVR Servers in docker containers, how do you change the port they use (from 8089 to something else)?

1 Like

The channels-dvr application can accept a command line parameter -port followed by your desired port number, and it will bind to that port. Mount a different run.sh script into the root of the container specifying this new parameter, and that container's instance will be listening on the new port.

(The server application also accepts -dir for the data/working directory, which defaults to ../data, and -host for which network address(es) to bind itself to on the server/host.)

Then you are unaffected.

Is there any easy way to do that for multiple containers?
I can modify the run.sh script for each container, but it needs to be in place before the container starts.
Only way I can think of is to create the container, docker cp the modified run.sh script to it and start the container. But would have to remember to do this every time I pull a new image.

For the first container, add -v container1-run.sh:/run.sh to its command line (or equivalent in the compose file). For the second container, -v container2-run.sh:/run.sh, and so on and so forth for each container.

(If you're running multiple containers and familiar with OCI/Docker, this shouldn't be new information.)

@chDVRuser Are you running those containers on a Synology or other platform with the broken iptables setup?

Synology DSM 7.2.1-69057 Update 3

1 Like

Thanks. I wasn't aware you could volume mount a single file like that.

I’ll look at adding an environment variable to the docker file to specify a local port.

1 Like

"Volume" is a misnomer ... it's merely an overlay, whether that be an entire directory, or a single file.

2 Likes

Hopefully before this becomes a stable release :crossed_fingers:

@chDVRuser Please pull the latest docker image. There is a new CHANNELS_PORT environment variable you can use to specify an alternate port.

Thanks. Updated all container and server versions.
I'm good to go. Not sure about all the rest of the users affected.

@chDVRuser Just to make sure I understand the situation, were all of your DVRs blocked from local access when you updated until you made the networking change?

1 Like

I didn't update Pre-Release until I pulled the new docker image. I read these posts and said "Not me. I'm not jumping in with my eyes closed".

I'm assuming this affects older docker daemon versions and not sure which versions work or don't.