v1.7.7
Release v1.7.7
Highlights
- Shadowsocks-2022 protocol — adds an SS-2022 (AEAD-2022) inbound to the existing sing-box service behind a new
ENABLE_SS=truetoggle. Compatible with NekoBox / Hiddify / Streisand / sing-box / Outline mobile clients via standardss://URI. Default cipher2022-blake3-aes-128-gcmfor multi-user support. Off by default. (Refs #93) - Container log rotation — every long-running service now caps
json-filelogs at 10 MB × 3 files via a sharedx-logginganchor. Stops chatty services from filling/var/lib/docker/containerson long-running VPS deployments - dnstt update with critical bugfix — pinned to upstream
v1.20260501.0, fixing a silent-stall bug where dnstt-server kept
accepting queries but stopped sending responses ifsendLoopdied on a transientsendto: operation not permitted(commonly triggered when conntrack overflows under load)
Upgrade notes
- No breaking changes for existing setups. Run
moav updateto upgrade. - If you want Shadowsocks: set
ENABLE_SS=truein.env, runmoav bootstrap(generates server + per-user PSKs and adds the inbound), thenmoav restart sing-box. Open firewall port 8388/tcp+udp. Existing user bundles will needmoav user regenerateto pick upshadowsocks.txt/shadowsocks-qr.png/shadowsocks-singbox.json - If you previously had a chacha20 SS_METHOD (from any pre-release dev pull): bootstrap auto-detects PSK length mismatch and regenerates SS keys cleanly — no manual cleanup needed
What's New
Added
- Shadowsocks-2022 protocol — New
ENABLE_SS=truetoggle adds a Shadowsocks-2022 inbound to the existing sing-box service (no new container, no new daemon). Defaults to2022-blake3-aes-128-gcmfor multi-user support (sing-box's SS-2022 multi-user mode only supports the AES variants;chacha20-poly1305is single-user only). Per-user PSKs are generated at bootstrap and persisted understate/users/<id>/shadowsocks.env; the server PSK lives atstate/keys/shadowsocks-server.psk. Bootstrap auto-regenerates the SS state ifSS_METHODchanges and the saved PSK no longer matches the cipher key length. User bundles emit a standardss://URI + QR + sing-box JSON, compatible with NekoBox / Hiddify / Streisand / sing-box clients and the Outline mobile app. Off by default; enable viaENABLE_SS=truein.envand re-bootstrap. Refs #93 - Container log rotation — All long-running services in
docker-compose.ymlnow use a sharedx-logginganchor that caps
each container'sjson-filelog atmax-size: 10m×max-file: 3(~30 MB per container). Previously containers used the Docker
default with no size cap, and chatty services (xray, sing-box, telemt, prometheus) could fill/var/lib/docker/containersover time on long-running VPS deployments DNSTT_VERSIONenv knob — dnstt builds (server + client) are now pinned to a configurable git tag (v1.20260501.0default) and tracked alongside the other component versions inmoav updateandmoav versions. Was previously cloned at HEAD with no version visibility
Fixed
- dnstt-server silent stalls under load — Updated dnstt to upstream
v1.20260501.0, which fixes a bug where the server could
keep accepting DNS queries but stop sending responses ifsendLoopdied on a transientsendto: operation not permitted
(commonly triggered when the host's Netfilter conntrack table overflows under many concurrent users). Process now exits if either
recvLooporsendLoopreturns, andsendLooponly logs (no longer dies on) most send errors. See net4people/bbs#609 moav user addfailing onwireguard/server.pubpermission denied —wg-user-add.shdefensively re-synced the server
public key file on every run, but bootstrap chownsconfigs/to0:1000withchmod -R g+r(read-only for the admin container's
uid 1000). The write failed andset -euo pipefailaborted the whole user-add flow. The sync is now best-effort: failed writes log a warning and the script proceeds with the in-memory key fromwg show(which is authoritative)- dnstt build fails over bamsoftware.com dumb HTTP —
Dockerfile.dnsttand the dnstt-client builder stage inDockerfile.clientusedgit clone --depth 1 --branch ${DNSTT_VERSION}, which requires smart-HTTP upload-pack. bamsoftware.com serves git as a static Apache directory and rejected the request with exit 128. Switched to a full clone +git checkout ${DNSTT_VERSION}(tag pinning preserved)
Upgrade
moav updateNo breaking changes for existing setups. To enable the new Shadowsocks-2022 protocol:
# In .env
ENABLE_SS=true
# Then re-run bootstrap to splice in the SS inbound + generate PSKs
moav bootstrap
moav restart sing-box
# Open the firewall (host + cloud security group)
ufw allow 8388/tcp
ufw allow 8388/udp
# Existing users need a bundle refresh to get the new ss:// URI + QR
moav user regenerate
Full Changelog: v1.7.6...v1.7.7
Quick Install
curl -fsSL moav.sh/install.sh | bashThis will install MoaV to /opt/moav and guide you through setup.
Documentation
moav.sh/docs — Full documentation
- Setup Guide — Complete installation instructions
- Client Setup — How to connect from devices
- DNS Configuration — DNS records setup
- CLI Reference — All commands and options
- Monitoring — Grafana dashboards and metrics
- Troubleshooting — Common issues and solutions