v2.0.0-rc2

olljanat · olljanat · commit d29192dbeff8 · 2023-12-15T14:29:33.000Z
* Add ipset to network and console
* Add fdisk to console
* Use Docker 24.0.7 by default
* Revert back to system-docker.sock instead of system-engine.sock
* SSH security hardenings
diff --git a/Dockerfile.dapper b/Dockerfile.dapper
@@ -81,14 +81,14 @@ ARG OS_FIRMWARE=true
 ARG OS_BASE_URL_amd64=https://github.com/burmilla/os-base/releases/download/v2023.05-1/os-base_amd64.tar.xz
 ARG OS_BASE_URL_arm64=https://github.com/burmilla/os-base/releases/download/v2023.05-1/os-base_arm64.tar.xz
 
-ARG OS_INITRD_BASE_URL_amd64=https://github.com/burmilla/os-initrd-base/releases/download/v2023.05-1/os-initrd-base-amd64.tar.gz
-ARG OS_INITRD_BASE_URL_arm64=https://github.com/burmilla/os-initrd-base/releases/download/v2023.05-1/os-initrd-base-arm64.tar.gz
+ARG OS_INITRD_BASE_URL_amd64=https://github.com/burmilla/os-initrd-base/releases/download/v2023.05-2/os-initrd-base-amd64.tar.gz
+ARG OS_INITRD_BASE_URL_arm64=https://github.com/burmilla/os-initrd-base/releases/download/v2023.05-2/os-initrd-base-arm64.tar.gz
 
 ARG SYSTEM_DOCKER_VERSION=17.06.109
 ARG SYSTEM_DOCKER_URL_amd64=https://github.com/burmilla/os-system-docker/releases/download/${SYSTEM_DOCKER_VERSION}/docker-amd64-${SYSTEM_DOCKER_VERSION}.tgz
 ARG SYSTEM_DOCKER_URL_arm64=https://github.com/burmilla/os-system-docker/releases/download/${SYSTEM_DOCKER_VERSION}/docker-arm64-${SYSTEM_DOCKER_VERSION}.tgz
 
-ARG USER_DOCKER_VERSION=24.0.5
+ARG USER_DOCKER_VERSION=24.0.7
 ARG USER_DOCKER_ENGINE_VERSION=docker-${USER_DOCKER_VERSION}
 
 ARG AZURE_SERVICE=false
diff --git a/cmd/control/console_init.go b/cmd/control/console_init.go
@@ -407,7 +407,7 @@ func modifySshdConfig(cfg *config.CloudConfig) error {
 }
 
 func setupSSH(cfg *config.CloudConfig) error {
-	for _, keyType := range []string{"rsa", "dsa", "ecdsa", "ed25519"} {
+	for _, keyType := range []string{"rsa", "ed25519"} {
 		outputFile := fmt.Sprintf("/etc/ssh/ssh_host_%s_key", keyType)
 		outputFilePub := fmt.Sprintf("/etc/ssh/ssh_host_%s_key.pub", keyType)
 
diff --git a/config/docker_config_test.go b/config/docker_config_test.go
@@ -39,10 +39,10 @@ func TestGenerateEngineOptsString(t *testing.T) {
 
 	testContains(t, fmt.Sprint(generateEngineOptsSlice(EngineOpts{
 		Host: []string{
-			"unix:///var/run/system-engine.sock",
+			"unix:///var/run/system-docker.sock",
 			"unix:///var/run/docker.sock",
 		},
-	})), "--host unix:///var/run/system-engine.sock", "--host unix:///var/run/docker.sock")
+	})), "--host unix:///var/run/system-docker.sock", "--host unix:///var/run/docker.sock")
 
 	testContains(t, fmt.Sprint(generateEngineOptsSlice(EngineOpts{
 		LogOpts: map[string]string{
diff --git a/config/types.go b/config/types.go
@@ -18,7 +18,7 @@ const (
 	StateDir         = "/state"
 	RosBin           = "/usr/bin/ros"
 	SysInitBin       = "/usr/bin/ros-sysinit"
-	SystemDockerHost = "unix:///var/run/system-engine.sock"
+	SystemDockerHost = "unix:///var/run/system-docker.sock"
 	DockerHost       = "unix:///var/run/docker.sock"
 	ImagesPath       = "/usr/share/ros"
 	InitImages       = "images-init.tar"
diff --git a/images/02-console/Dockerfile b/images/02-console/Dockerfile
@@ -4,7 +4,7 @@ COPY build/sshd_config.append.tpl /etc/ssh/
 COPY build/lsb-release /etc/
 
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends iptables openssh-server rsync locales \
+    && apt-get install -y --no-install-recommends fdisk ipset iptables openssh-server rsync locales \
                            sudo less curl ca-certificates psmisc htop kmod iproute2 \
                            net-tools bash-completion wget \
                            nano open-iscsi iputils-ping nvi \
diff --git a/images/02-console/sshd_config.append.tpl b/images/02-console/sshd_config.append.tpl
@@ -21,3 +21,10 @@ IgnoreRhosts yes
 HostbasedAuthentication no
 PermitEmptyPasswords no
 AllowTcpForwarding no
+DebianBanner no
+
+# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com hardening guide.
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
diff --git a/os-config.tpl.yml b/os-config.tpl.yml
@@ -79,7 +79,7 @@ rancher:
     restart: false
     graph: /var/lib/system-docker
     group: root
-    host: ["unix:///var/run/system-engine.sock"]
+    host: ["unix:///var/run/system-docker.sock"]
     userland_proxy: false
   console: {{.OS_CONSOLE}}
   cloud_init:
@@ -289,6 +289,7 @@ rancher:
       - system-volumes
       - command-volumes
       volumes:
+      - /usr/bin/ipset:/sbin/ipset:ro
       - /usr/bin/iptables:/sbin/iptables:ro
     ntp:
       image: {{.OS_REPO}}/os-base:{{.VERSION}}{{.SUFFIX}}
@@ -341,7 +342,7 @@ rancher:
       privileged: true
       restart: always
       volumes:
-      - /var/run/system-engine.sock:/var/run/docker.sock
+      - /var/run/system-docker.sock:/var/run/docker.sock
       environment:
         DOCKER_API_VERSION: "1.22"
     udev-cold:
@@ -402,7 +403,7 @@ rancher:
     restart: false
     graph: /var/lib/system-docker
     group: root
-    host: ["unix:///var/run/system-engine.sock"]
+    host: ["unix:///var/run/system-docker.sock"]
     pid_file: /var/run/system-docker.pid
     exec_root: /var/run/system-docker
     config_file: /etc/docker/system-docker.json
diff --git a/pkg/init/recovery/recovery.go b/pkg/init/recovery/recovery.go
@@ -77,7 +77,7 @@ func Recovery(initFailure error) {
 			Restart:       &[]bool{false}[0],
 			Graph:         "/var/lib/recovery-docker",
 			Group:         "root",
-			Host:          []string{"unix:///var/run/system-engine.sock"},
+			Host:          []string{"unix:///var/run/system-docker.sock"},
 			UserlandProxy: &[]bool{false}[0],
 		},
 	}

Original file line number	Diff line number	Diff line change
`@@ -407,7 +407,7 @@ func modifySshdConfig(cfg *config.CloudConfig) error {`
`407`	`407`	`}`
`408`	`408`
`409`	`409`	`func setupSSH(cfg *config.CloudConfig) error {`
`410`		`- for _, keyType := range []string{"rsa", "dsa", "ecdsa", "ed25519"} {`
	`410`	`+ for _, keyType := range []string{"rsa", "ed25519"} {`
`411`	`411`	`outputFile := fmt.Sprintf("/etc/ssh/ssh_host_%s_key", keyType)`
`412`	`412`	`outputFilePub := fmt.Sprintf("/etc/ssh/ssh_host_%s_key.pub", keyType)`
`413`	`413`
-Original file line number
+Diff line change
 HostbasedAuthentication no
 PermitEmptyPasswords no
 AllowTcpForwarding no
 +DebianBanner no
++
 +# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com hardening guide.
 +KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
 +Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
 +MACs [email protected],[email protected],[email protected]
 +HostKeyAlgorithms ssh-ed25519,[email protected],[email protected],[email protected],rsa-sha2-256,rsa-sha2-512,[email protected],[email protected]
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ func Recovery(initFailure error) {`
`77`	`77`	`Restart: &[]bool{false}[0],`
`78`	`78`	`Graph: "/var/lib/recovery-docker",`
`79`	`79`	`Group: "root",`
`80`		`- Host: []string{"unix:///var/run/system-engine.sock"},`
	`80`	`+ Host: []string{"unix:///var/run/system-docker.sock"},`
`81`	`81`	`UserlandProxy: &[]bool{false}[0],`
`82`	`82`	`},`
`83`	`83`	`}`