Skip to content

v1.7.7

Choose a tag to compare

@shayanb shayanb released this 01 May 14:06
e68e931

Release v1.7.7

Highlights

  • Shadowsocks-2022 protocol — adds an SS-2022 (AEAD-2022) inbound to the existing sing-box service behind a new
    ENABLE_SS=true toggle. Compatible with NekoBox / Hiddify / Streisand / sing-box / Outline mobile clients via standard ss:// URI. Default cipher 2022-blake3-aes-128-gcm for multi-user support. Off by default. (Refs #93)
  • Container log rotation — every long-running service now caps json-file logs at 10 MB × 3 files via a shared x-logging anchor. Stops chatty services from filling /var/lib/docker/containers on long-running VPS deployments
  • dnstt update with critical bugfix — pinned to upstream v1.20260501.0, fixing a silent-stall bug where dnstt-server kept
    accepting queries but stopped sending responses if sendLoop died on a transient sendto: operation not permitted (commonly triggered when conntrack overflows under load)

Upgrade notes

  • No breaking changes for existing setups. Run moav update to upgrade.
  • If you want Shadowsocks: set ENABLE_SS=true in .env, run moav bootstrap (generates server + per-user PSKs and adds the inbound), then moav restart sing-box. Open firewall port 8388/tcp+udp. Existing user bundles will need moav user regenerate to pick up shadowsocks.txt / shadowsocks-qr.png / shadowsocks-singbox.json
  • If you previously had a chacha20 SS_METHOD (from any pre-release dev pull): bootstrap auto-detects PSK length mismatch and regenerates SS keys cleanly — no manual cleanup needed

What's New

Added

  • Shadowsocks-2022 protocol — New ENABLE_SS=true toggle adds a Shadowsocks-2022 inbound to the existing sing-box service (no new container, no new daemon). Defaults to 2022-blake3-aes-128-gcm for multi-user support (sing-box's SS-2022 multi-user mode only supports the AES variants; chacha20-poly1305 is single-user only). Per-user PSKs are generated at bootstrap and persisted under state/users/<id>/shadowsocks.env; the server PSK lives at state/keys/shadowsocks-server.psk. Bootstrap auto-regenerates the SS state if SS_METHOD changes and the saved PSK no longer matches the cipher key length. User bundles emit a standardss:// URI + QR + sing-box JSON, compatible with NekoBox / Hiddify / Streisand / sing-box clients and the Outline mobile app. Off by default; enable via ENABLE_SS=true in .env and re-bootstrap. Refs #93
  • Container log rotation — All long-running services in docker-compose.yml now use a shared x-logging anchor that caps
    each container's json-file log at max-size: 10m × max-file: 3 (~30 MB per container). Previously containers used the Docker
    default with no size cap, and chatty services (xray, sing-box, telemt, prometheus) could fill /var/lib/docker/containers over time on long-running VPS deployments
  • DNSTT_VERSION env knob — dnstt builds (server + client) are now pinned to a configurable git tag (v1.20260501.0 default) and tracked alongside the other component versions in moav update and moav versions. Was previously cloned at HEAD with no version visibility

Fixed

  • dnstt-server silent stalls under load — Updated dnstt to upstream v1.20260501.0, which fixes a bug where the server could
    keep accepting DNS queries but stop sending responses if sendLoop died on a transient sendto: operation not permitted
    (commonly triggered when the host's Netfilter conntrack table overflows under many concurrent users). Process now exits if either
    recvLoop or sendLoop returns, and sendLoop only logs (no longer dies on) most send errors. See net4people/bbs#609
  • moav user add failing on wireguard/server.pub permission deniedwg-user-add.sh defensively re-synced the server
    public key file on every run, but bootstrap chowns configs/ to 0:1000 with chmod -R g+r (read-only for the admin container's
    uid 1000). The write failed and set -euo pipefail aborted the whole user-add flow. The sync is now best-effort: failed writes log a warning and the script proceeds with the in-memory key from wg show (which is authoritative)
  • dnstt build fails over bamsoftware.com dumb HTTPDockerfile.dnstt and the dnstt-client builder stage in Dockerfile.client used git clone --depth 1 --branch ${DNSTT_VERSION}, which requires smart-HTTP upload-pack. bamsoftware.com serves git as a static Apache directory and rejected the request with exit 128. Switched to a full clone + git checkout ${DNSTT_VERSION} (tag pinning preserved)

Upgrade

moav update

No breaking changes for existing setups. To enable the new Shadowsocks-2022 protocol:

# In .env                                                                                                                         
ENABLE_SS=true                                         
                                                                                                                                  
# Then re-run bootstrap to splice in the SS inbound + generate PSKs                                                               
moav bootstrap                                                                                                                    
moav restart sing-box                                                                                                             
                                                       
# Open the firewall (host + cloud security group)                                                                                 
ufw allow 8388/tcp
ufw allow 8388/udp                                                                                                                
                                                       
# Existing users need a bundle refresh to get the new ss:// URI + QR                                                              
moav user regenerate

Full Changelog: v1.7.6...v1.7.7


Quick Install

curl -fsSL moav.sh/install.sh | bash

This will install MoaV to /opt/moav and guide you through setup.

Documentation

moav.sh/docs — Full documentation