TrueNAS-SCALE-22.12.3 Update Wipes admin account's authorized keys and command history?

berey

Cadet
Joined
Sep 18, 2019
Messages
5
I was just wondering if anyone else noticed this behavior. Upon upgrading to TrueNAS-SCALE-22.12.3, the next time I tried to ssh in as admin (to do something simple like run iperf3), I found that not only was my ssh key gone from authorized_keys, but command history (.zsh-history?) had been cleared as well.

Perhaps the authorized_keys were wiped because I hadn't used the GUI to upload my key but had instead used ssh-copy-id. But, the history file?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Are you claiming that you properly installed an authorized_keys in the webGUI UI field and this was wiped out, or did you just go and manually edit a key into the ~root/.ssh/authorized_keys file?

One of those two things is expected not to work.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
User edited their original message while I had a reply open in a tab. In response:

> Perhaps the authorized_keys were wiped because I hadn't used the GUI to upload my key but had instead used ssh-copy-id. But, the history file?

Yes, that. And the history file. You sort of guessed it in your edit. When you "upgrade" the appliance, you upgrade a whole new disk image for the operating system, which includes stuff like /etc and homedirs and all that. The only things retained from the old appliance image are things stored in the database. So you MUST have stuff in the database, or in your ZFS data pool, if you want it retained.

You are allowed to have your user homedirs on your ZFS data pool if you prefer that. That may have mild repercussions of its own.
 
Joined
Oct 22, 2019
Messages
3,641
> You are allowed to have your user homedirs on your ZFS data pool if you prefer that. That may have mild repercussions of its own.

I thought that's what you're expected to do with TrueNAS? Otherwise, setting user's homedirs to /home/<user> will lose their contents with an upgrade or reinstall.

As a matter of fact, if you try to manually enter a user's homedir to something outside of /mnt, it will display a warning and prevent you from saving the change.
"Home Directory" must begin with /mnt/ or set to /nonexistent.

What would be the repercussions to setting a user's homedir inside a data pool?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
> I thought that's what you're expected to do with TrueNAS? Otherwise, setting user's homedirs to /home/<user> will lose their contents with an upgrade or reinstall.

Behaviour has changed over the years and I don't keep track too carefully of what the default is.

> What would be the repercussions to setting a user's homedir inside a data pool?

Depending on what the code does, I can see things such as the GUI overwriting contents of ~${user}/.ssh/authorized_keys as an example. There've been numerous "adjustments" to the user homedir stuff over the years, and, again, I don't really track it, I just remain aware of what I need to know in our environment here.
 

sammael

Explorer
Joined
May 15, 2017
Messages
76
I observe this same behaviour: with every update since 22.12, all my replication tasks fail after reboot, because the ssh key disappears from the remote system user's authorized keys. I always copy the key back in via the GUI.

Yesterday there was a new update, 22.12.3.2, and this morning I woke up to all replication tasks failed due to authorization failed. When I checked the user on the remote system (it's an admin user to log in via web UI, not root) the authorized keys field was empty and I had to copy the key in again, which in turn made the replication work again. Rsync task using root user remained unaffected. When I check the root user, its authorized keys remain preserved.

To me it looks like the upgrade only preserves root's authorized keys and wipes all others.

edit: sorry for a possibly stupid question: But where on earth would I keep the home dir if not on the pool? Should I have a separate pool for homedir?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
> To me it looks like the upgrade only preserves root's authorized keys and wipes all others.

I would expect that it wouldn't preserve any manually added authorized_keys; the only things that TrueNAS preserves during an update are things in its database. If a user's authorized_keys are stored by the GUI in the database and then fail to be reinstalled on update/upgrade, that's a bug, report it as such. If a user's authorized_keys hamfist-edited by a user or admin are just being purged as part of the upgrade, that's something I'd consider both correct and desirable behaviour, since the stated policy is that the upgrade plus the DB results in restoration to a consistent known state, which it cannot be if random tinkering has been done.

> edit: sorry for a possibly stupid question: But where on earth would I keep the home dir if not on the pool? Should I have a separate pool for homedir?

Your data pool. The boot pool is not suitable for storing user homedir information, because it is subject to deletion and destruction when updated. You may also choose to have a separate pool for homedir if you like. TrueNAS won't consider it anything special, it's just another data pool.
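
A pre-upgrade check along the lines discussed in this thread, as an added example that is not part of any post or of TrueNAS itself: a POSIX shell function that lists accounts whose authorized_keys file sits in a home directory outside /mnt/, the location the thread describes as replaced with the OS image on upgrade. The function name, the ROOT argument and the sample accounts are constructed for illustration; the script cannot tell whether a key was also entered through the GUI.

```shell
#!/bin/sh
# audit_keys PASSWD_FILE [ROOT] [PERSIST_PREFIX]
#   PASSWD_FILE    passwd(5)-format file, e.g. saved output of `getent passwd`
#   ROOT           prefix prepended to each home path (empty on a live system,
#                  a scratch directory when testing)
#   PERSIST_PREFIX path prefix assumed to survive upgrades (default /mnt/)
# Prints "user<TAB>home<TAB>key-count" for every account at risk.
audit_keys() {
    passwd_file=$1
    root=${2:-}
    persist=${3:-/mnt/}
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$home" ] || continue
        case $home in
            "$persist"*) continue ;;   # home is on a data pool
        esac
        keyfile=$root$home/.ssh/authorized_keys
        [ -s "$keyfile" ] || continue  # missing or empty key file
        # Count lines that are neither blank nor comments (one key per line).
        count=$(grep -cv -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$keyfile" || true)
        if [ "$count" -gt 0 ]; then
            printf '%s\t%s\t%s\n' "$user" "$home" "$count"
        fi
    done < "$passwd_file"
    return 0
}

# Constructed sample: three accounts in a scratch tree (not real TrueNAS data).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/home/admin/.ssh" "$t/mnt/tank/home/alice/.ssh" "$t/root/.ssh"
    echo 'ssh-ed25519 AAAAexample admin@laptop' > "$t/home/admin/.ssh/authorized_keys"
    echo 'ssh-ed25519 AAAAexample alice@laptop' > "$t/mnt/tank/home/alice/.ssh/authorized_keys"
    printf '# no keys yet\n' > "$t/root/.ssh/authorized_keys"
    cat > "$t/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/zsh
admin:x:950:950:Local Administrator:/home/admin:/usr/bin/zsh
alice:x:3000:3000:Alice:/mnt/tank/home/alice:/usr/bin/zsh
EOF
    audit_keys "$t/passwd" "$t"
    rm -rf "$t"
}

demo
```

On a live system, save `getent passwd` to a file and call `audit_keys` on it with ROOT left empty; each line printed is a key file to re-enter through the GUI or move with its home directory onto a data pool before upgrading.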