FreeNAS 11.1 - rancheros not user upgradeable - bug #27484

Status
Not open for further replies.

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
FreeNAS 11.1 uses a pre-built rancheros image to implement its "DockerVm" function, but it is not user upgradeable, as recognised in the bug #27484 report. This is supposedly fixed for release in FreeNAS 11.1-U1, but the fix looks to have hardcoded booting a new rancheros pre-built image with the kernel/initrd for v.1.1.2. So the issue remains: what happens as newer rancheros versions are released?

Why would you deploy a solution for a linux VM which is not user upgradeable and no user action can be taken on the usual security advisories? And just to prove the point along comes "Meltdown".

24 hrs before the CRD, rancher labs have released rancheros v.1.1.3 today, which bumps the kernel to 4.9.75 in response to CVE-2017-5754 (Meltdown) (see: https://github.com/rancher/os/releases)

I believe the issue stems from the limitations of booting rancheros from grub-bhyve. The rancheros img (or iso) does not use grub, it uses syslinux. But grub-bhyve can boot the rancheros image by using a grub.cfg that makes direct reference to the kernel and initrd used in the rancheros image. The user can upgrade rancheros from within the vm, but this has no effect on reboot, as the grub.cfg is fixed to point to the old version's kernel & initrd.

If rancheros versions < 1.1.3 are now inherently insecure, should anyone be using it at all right now?
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
Thank you, comment left.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
This ticket updated RancherOS to 1.1.3 some time ago: https://redmine.ixsystems.com/issues/27757.


True, but there have been several new rancheros releases since then, it's currently at 1.40, see: https://github.com/rancher/os/releases

I raised another ticket today: https://redmine.ixsystems.com/issues/40452 just to push this issue. It's been closed as a duplicate.

@Spencer Skinner Unless and until FreeNAS changes the implementation of this function, a "Docker VM" based on rancheros will NEVER be user updatable.
 