It sounds like you’re using a development image, as the root user only allows passwordless access on devices using the development version of balenaOS. Production images only allow SSH access from the balena backend, or from port 22222 using an added authorisation key.
You can add extra authorised keys for login by altering the /mnt/boot/config.json file and adding the os property:
Hi,
thanks for your feedback. Yes, at the moment I am using a development image. I tried a production image and it’s effectively more secure.
The next step is to add a fail2ban recipe to my custom balenaOS.
I need your help on another point. On my board, balenaOS is flashed on the eMMC and I boot from an SD card for a configuration stage. I am trying to mount the balena rootfs to modify one config file in the /etc/ directory, but I don’t have access to this repo. I am also not able to execute the chroot command because /bin/sh is missing. How can I mount the full rootfs and modify it?
Can you elaborate a bit more on what you are trying to do? As far as I could understand, you are booting from the SD card using a non-balenaOS and then trying to mount the eMMC that has balenaOS but is not the one that you have booted? In this case, /bin/sh missing would be an issue with the non-balenaOS that you have booted from using the SD card.
I have flashed debian stretch OS on my SD card (/dev/mmcblk0) and BalenaOS v2.41 on my emmc (/dev/mmcblk2). I use a custom board based on Humming board.
Before the first connection of BalenaOS, I have a configuration stage to register the device on BalenaCloud, generate config.json and mount it on the boot partition of BalenaOS, and other configuration points.
One of these points needs to modify a configuration file in /etc/ of BalenaOS. When I mount the rootfs of Balena OS (/dev/mmcblk2p1) I don’t find any files in the /etc directory.
Another approach I tried is to use chroot to switch the filesystem and use the BalenaOS executables. Nonetheless, the chroot command needs /bin/sh of BalenaOS as entrypoint. But on the BalenaOS rootfs (/dev/mmcblk2p1) I don’t have any /bin/ directory.
balenaOS images are stored as a decompressed docker overlay filesystem on the SD card. At boot time, this is pivoted onto /. To make changes, you’ll need to mount the correct partition on the SD card or eMMC (and bear in mind you can’t do this on the balena device if it’s been booted from it, as it’ll have pivoted to /), find the correct location for the FS, and then make the relevant changes. Here’s a brief guide of what to do:
1. Insert SD card or connect eMMC to a development machine/laptop
2. Mount second partition of the SD card/eMMC, e.g. sudo mount -o loop,rw,offset=$(( 90112 * 512 )) <sdCardDeviceNode> /mnt/balena-img
3. sudo su now for best experience as most directories need root access
4. cd /mnt/balena-img/balena/[aufs | overlay]/diff
5. find . -name <fileToChange> will find you the right layer name/location for the file
6. Edit file as required
7. md5sum <fileToChange>
8. find . -name resinos.fingerprint in the appropriate container, then edit it replacing the previous md5sum with the new one for the altered file
9. cd <backToWhereImageIsLocated>
10. umount /mnt/balena-img
11. You now have an SD card/eMMC with an altered filesystem that can be used on a balena device
Note that this is not an official guide to doing this, and making changes to balenaOS can cause unexpected side-effects.
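The md5sum and resinos.fingerprint steps of the guide above, as an added example that is not part of the original thread or of balena's tooling. It assumes the fingerprint file holds md5sum-style lines ("<md5>  <path>", paths relative to the rootfs); the function names and the sample tree are constructed for illustration.

```bash
#!/usr/bin/env bash
# Assumed format (not confirmed by the thread): one "<md5>  <path>" line per
# file, as md5sum prints it, with <path> given relative to the rootfs.

# fp_check ROOT FP PATH: 0 = hash matches, 1 = stale entry, 2 = path not listed
fp_check() {
    local root="$1" fp="$2" rel="$3" want have
    want=$(awk -v p="$rel" 'substr($0, 35) == p { print $1; exit }' "$fp")
    [ -n "$want" ] || return 2
    have=$(md5sum < "$root$rel" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# fp_update ROOT FP PATH: rewrite only PATH's line with the file's current md5
fp_update() {
    local root="$1" fp="$2" rel="$3" new tmp
    new=$(md5sum < "$root$rel" | cut -d' ' -f1)
    [ -n "$new" ] || return 1
    tmp=$(mktemp) || return 1
    if awk -v p="$rel" -v h="$new" '
            substr($0, 35) == p { print h "  " p; hit = 1; next }
            { print }
            END { exit (hit ? 0 : 2) }' "$fp" > "$tmp"
    then cat "$tmp" > "$fp"      # overwrite in place: keeps owner and mode
    else rm -f "$tmp"; return 2  # refuse to add entries that were never listed
    fi
    rm -f "$tmp"
}

# Constructed demo tree; nothing here comes from a real balenaOS image.
fp_demo() {
    local root fp stale=0 fixed=0
    root=$(mktemp -d) || return 1
    fp="$root/demo.fingerprint"
    mkdir -p "$root/etc"
    printf 'mode=default\n' > "$root/etc/sample.conf"
    printf '%s  %s\n' "$(md5sum < "$root/etc/sample.conf" | cut -d' ' -f1)" \
        /etc/sample.conf > "$fp"
    printf 'mode=custom\n' > "$root/etc/sample.conf"   # the "Edit file" step
    fp_check "$root" "$fp" /etc/sample.conf || stale=$?
    fp_update "$root" "$fp" /etc/sample.conf || return 1
    fp_check "$root" "$fp" /etc/sample.conf || fixed=$?
    rm -rf "$root"
    echo "stale=$stale fixed=$fixed"
}

fp_demo
```

Running fp_check before and after an edit shows whether the recorded hash still matches the file, which is also a quick way to spot a layer that was changed without the fingerprint being updated.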
I worked around this method by launching an SSH script at the first connection of the bridge. I prefer avoid unexpected side-effects and have easy configure process for technicians.
Great to hear that it worked fine for you.
We are always trying to improve, could you explain what you mean by you “prefer avoid unexpected side-effects and have easy configure process for technicians.”? Do you mean the complexity to customize the balenaOS userspace?
Thank you.