Remote access switch #3485
Remote access switch #3485
Conversation
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #3485 +/- ##
==========================================
- Coverage 20.53% 20.53% -0.01%
==========================================
Files 202 203 +1
Lines 45608 45622 +14
==========================================
+ Hits 9367 9368 +1
- Misses 35538 35552 +14
+ Partials 703 702 -1
☔ View full report in Codecov by Sentry. |
shjala
force-pushed
the
remote_access_switch
branch
from
43e8086 to
0d99c52
Compare
there is CONFIG.md, but I will add a hint in SECURITY.md too. |
shjala
force-pushed
the
remote_access_switch
branch
2 times, most recently
from
09bd75c to
b5735e5
Compare
shjala
force-pushed
the
remote_access_switch
branch
2 times, most recently
from
892e655 to
9f7ffe9
Compare
shjala
force-pushed
the
remote_access_switch
branch
from
9f7ffe9 to
2acf32c
Compare
shjala
force-pushed
the
remote_access_switch
branch
2 times, most recently
from
981e107 to
bc2a1f3
Compare
shjala
force-pushed
the
remote_access_switch
branch
2 times, most recently
from
27d29ed to
59ba375
Compare
|
Waiting for this lf-edge/eve-api#31 to merge to add the "report status to cloud" part. |
shjala
force-pushed
the
remote_access_switch
branch
2 times, most recently
from
9cc5386 to
ec249bc
Compare
shjala
force-pushed
the
remote_access_switch
branch
from
ec249bc to
cf33bed
Compare
| @@ -13,6 +13,7 @@ In general, EVE is trying to make sure that its controller always has the last w | |||
| * `wpa_supplicant.conf` - a legacy way of configuring EVE's WiFi | |||
| * `authorized_keys` - initial authorized SSH keys for accessing EVE's debug console; DO NOT use options, we only accept 'keytype, base64-encoded key, comment' format | |||
| * `bootstrap-config.pb`- initial device configuration used only until device is onboarded (see below for details) | |||
| * `remote_access_disabled`- a file indicating remote access status, if it exist remote access (edge-view and ssh) is disabled. Please check [config document](SECURITY.md#disabling-remote-access) for more information. | |||
There was a problem hiding this comment.
@shjala , is there any particular reason to use a file for this feature (disabled remote access)? I'm wondering if it couldn't be integrated to the config properties? Also, I'm wondering if you could use this file to hold more config options (for remote access), instead of just mark it as disabled.... for instance, the file could be named as "remote_access", and contains inside the enable/disable option along with other properties (if that's the case).... I'm not against the current implementation though...
There was a problem hiding this comment.
I save that for a future PR.
There was a problem hiding this comment.
@rene The requirement is that it can not be possible to change this from the controller; only a user with local access should be able to enable it. The config properties are all about changes from the controller.
We could make the file more generic, but that means more care (writeRename) to avoid ending up with a corrupted file when there is a power outage. And we don't know what the scope would be for future items which would have the same requirement for local-only modifications. There might be none.
| if [ -f "/config/remote_access_disabled" ]; then | ||
| # this is picked up by newlogd | ||
| echo "Remote access disabled, ssh server not started" > /dev/kmsg | ||
| while true; do |
There was a problem hiding this comment.
you can just use sleep infinity here, which will block the process indefinitely....
There was a problem hiding this comment.
are you sure busybox implements all the GNU version options?
There was a problem hiding this comment.
I checked and it works:
006318ad-dfdc-4a49-87d6-9066cc832b48:# which sleep# ls -l /bin/sleep
/bin/sleep
006318ad-dfdc-4a49-87d6-9066cc832b48:
lrwxrwxrwx 1 root root 12 Sep 12 2022 /bin/sleep -> /bin/busybox
006318ad-dfdc-4a49-87d6-9066cc832b48:~# sleep infinity
|
I guess @rene 's sleep comment is what remains. Passsed the eden test suite (apart from the tests which always fails). |
|
can't see why yetus failed, there is this in the logs : |
ran it locally and checked it manually, can't see any complaint about lines I have changed. |
yetus log shows So need to rebase on master. |
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
sleep to infinity (INT_MAX) instead of just a day. Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
shjala
force-pushed
the
remote_access_switch
branch
from
3e36e00 to
dd45b22
Compare
This is backport of lf-edge#3485, which adds remote access switch to eve, blocking ssh and edge-view if remote access is disabled. Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
This is backport of lf-edge#3485, which adds remote access switch to eve, blocking ssh and edge-view if remote access is disabled. Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
| // RemoteAccessDisabled checks if remote access is enabled/disabled | ||
| // by checking if the file /config/remote_access_disabled exists or not. | ||
| func RemoteAccessDisabled() bool { | ||
| if _, err := os.Stat(types.RemoteAccessFlagFileName); err == nil { |
There was a problem hiding this comment.
| if _, err := os.Stat(types.RemoteAccessFlagFileName); err == nil { | |
| if FileExists(nil, types.RemoteAccessFlagFileName) { |
from utils package
This is backport of #3485, which adds remote access switch to eve, blocking ssh and edge-view if remote access is disabled. Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
if we are happy with the overall approach, I will extend the remote access on/off switch to other access points and add reporting to the cloud controller. I can also add a build time option if needed.