VM Docker/RancherOS -- insecure installation?

kuruption

Dabbler
Joined
Aug 1, 2013
Messages
25
FreeNAS 11.2-RELEASE-U1 (latest as of this post)

I am trying to "secure" the RancherOS installation, specifically I want to "disable" password login over SSH (after enabling SSH authentication) and then enable auto-login via the VM serial terminal (where the authentication happens at the FreeNAS UI or CLI level).

Adding the SSH key is not a problem and pretty standard. Now I need to change and/or disable the default password. The password is defined in the boot parameters as shown by dmesg:

[ 0.000000] Command line: console=ttyS0 BOOT_IMAGE=/boot/vmlinuz-4.14.73-rancher rancher.password=docker printk.devkmsg=on rancher.state.dev=LABEL=RANCHER_STATE rancher.state.wait rancher.resize_device=/dev/sda

There are two issues here: 1) The default password is published and well-known, therefore by its very nature insecure. 2) The password always resets to docker... even if you change it after boot.

Typically with RancherOS, I would change the boot parameters by running ros config syslinux, but it doesn't let me... here's what's in there currently:

APPEND printk.devkmsg=on rancher.state.dev=LABEL=RANCHER_STATE rancher.state.wait panic=10

If I add something like rancher.password= or rancher.autologin=true, this does not get properly set within the boot parameters (notice how panic=10 is also not within the command-line pasted above).

I can't find anywhere else these parameters are set to "fix" this issue.

Anyone have any ideas for me?
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
In FreeNAS, a rancheros install is treated like an embedded system (kernel + initrd + rootfs) which is booted using the bhyve grub-loader from a fixed single stanza grub.cfg file. There's no support for syslinux in bhyve, hence any ros config syslinux command has no effect.

It's the fixed grub.cfg that is causing the password reset you're seeing. The details can be found in the hidden .bhyve_containers dataset. For example:

Code:
root@freenaskvm:/mnt/NasPool/.bhyve_containers/configs/32_rancher1/grub # cat grub.cfg
set timeout=0
set default=RancherOS
menuentry "bhyve-image" --id RancherOS {
set root=(hd0,msdos1)
linux /boot/vmlinuz-4.14.73-rancher rancher.password=docker printk.devkmsg=on rancher.state.dev=LABEL=RANCHER_STATE rancher.state.wait rancher.resize_device=/dev/sda
initrd /boot/initrd-v1.4.2
}root@freenaskvm:/mnt/NasPool/.bhyve_containers/configs/32_rancher1/grub #


You'll need to edit this via the CLI.

Version 1.5.0 of rancheros was released a few days ago with bug fixes and major enhancements. But the FreeNAS implementation means rancheros is not user upgradeable.
 
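As an added example (not from the thread or from FreeNAS/RancherOS), the following POSIX shell functions audit a bhyve grub.cfg for the well-known rancher.password= argument on the kernel command line and write a copy with that argument stripped, leaving the rest of the stanza intact. The sample file is constructed from the grub.cfg quoted above; the real path under .bhyve_containers and the hardening policy (whether console access is then handled by SSH keys or autologin, as the first post describes) are assumptions.

```shell
#!/bin/sh
# Added example: detect and strip the default RancherOS password baked into
# the "linux" line of a bhyve grub.cfg. Paths are assumptions; on FreeNAS the
# file lives under /mnt/<pool>/.bhyve_containers/configs/<id>/grub/grub.cfg.

# Return 0 if the "linux" stanza line carries a rancher.password= argument.
has_default_password() {
    grep -Eq '^[[:space:]]*linux[[:space:]].*rancher\.password=' "$1"
}

# Write a copy of $1 to $2 with every rancher.password=<value> token removed
# from the "linux" line; menuentry, set and initrd lines are kept unchanged.
strip_default_password() {
    sed -E '/^[[:space:]]*linux[[:space:]]/ s/[[:space:]]+rancher\.password=[^[:space:]]*//g' \
        "$1" > "$2"
}

# Constructed sample matching the grub.cfg quoted in the thread (not a live file).
write_sample_cfg() {
    cat > "$1" <<'EOF'
set timeout=0
set default=RancherOS
menuentry "bhyve-image" --id RancherOS {
set root=(hd0,msdos1)
linux /boot/vmlinuz-4.14.73-rancher rancher.password=docker printk.devkmsg=on rancher.state.dev=LABEL=RANCHER_STATE rancher.state.wait rancher.resize_device=/dev/sda
initrd /boot/initrd-v1.4.2
}
EOF
}

# Demo on the constructed sample: audit, harden, re-audit.
demo() {
    tmp=$(mktemp -d)
    write_sample_cfg "$tmp/grub.cfg"
    if has_default_password "$tmp/grub.cfg"; then
        echo "rancher.password= found on kernel command line in $tmp/grub.cfg"
    fi
    strip_default_password "$tmp/grub.cfg" "$tmp/grub.cfg.hardened"
    if has_default_password "$tmp/grub.cfg.hardened"; then
        echo "hardening failed" >&2
        rm -rf "$tmp"
        return 1
    fi
    grep '^linux' "$tmp/grub.cfg.hardened"
    rm -rf "$tmp"
}

# On a real system (assumed path), keep a backup before rewriting in place:
#   cp grub.cfg grub.cfg.bak && strip_default_password grub.cfg.bak grub.cfg
```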

kuruption

Dabbler
Joined
Aug 1, 2013
Messages
25
Awesome. This is exactly what I was looking for... I figured it was grub but haven't messed with bhyve much, so didn't know that's how the grub configs were stored.

Maybe we can get this added to the documentation at some point. ;)
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
Awesome. This is exactly what I was looking for... I figured it was grub but haven't messed with bhyve much, so didn't know that's how the grub configs were stored.

Maybe we can get this added to the documentation at some point. ;)

That's not likely as hacking underlying config files is not supported. Yet, in this case it is your only route. What you need is to be able to set a "password" for the "Docker VM" via the WebUI. Something that was present in early FreeNAS versions when using the old UI. Raise an issue at ixsystems/redmine to ask for this user configurable setting.
 

kuruption

Dabbler
Joined
Aug 1, 2013
Messages
25
After reviewing documentation, it appears that there is currently an extra step to change the rancher user password by editing the RAW device of the newly created VM after the Wizard is run. The ability to set the password should exist within the wizard itself. So, sounds like a feature request. Thanks again.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
After reviewing documentation, it appears that there is currently an extra step to change the rancher user password by editing the RAW device of the newly created VM after the Wizard is run. The ability to set the password should exist within the wizard itself. So, sounds like a feature request. Thanks again.

You're right, I'd missed that. IIRC, it didn't exist in the 11.2 betas. A more (?) logical place would be as part of editing the "Docker VM" config itself. Would you think of a password as being a property of a device attached to the VM?
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
That's not likely as hacking underlying config files is not supported. Yet, in this case it is your only route. What you need is to be able to set a "password" for the "Docker VM" via the WebUI. Something that was present in early FreeNAS versions when using the old UI. Raise an issue at ixsystems/redmine to ask for this user configurable setting.
It looks like you are very familiar with the situation, why don't you create the ticket in redmine?
 