Hi, for a product we’re developing a requirement which has come up due to security and privacy concerns is to allow the device itself to disable remote access, updates and also the public URL.
For the public URL, unless directly configurable, we could simply use iptables to block the balena VPN from accessing any of our containers.
For updates I suppose we could also use a lock file to prevent updates.
But when it comes to blocking remote access with SSH, is there any way to do this?
The idea is that the end user, on e.g. a configuration page, will be able to toggle these features.
Or perhaps there is a way to simply make the device not contact Balena if the user chooses to do so?
The use case is that a device is shipped to a customer and connected to sensitive equipment, e.g. PLCs; the possibility of a bad actor gaining access to balenaCloud and then remotely accessing the device (and in turn manipulating sensitive equipment) is a big concern for certain customers.
Simply pulling the plug won’t do, since the device is supposed to make outbound connections for e.g. uploading data.
I have not attempted that as of yet, but that solution might just work for this use case. Looking into it it seems as if using the supervisor API we can toggle this locally and I think this will do, thanks!
As for updates, our hope is that down the line balena will support offline updates (with persistent data); as far as I know this feature is planned down the road but not highly prioritised as of now.
I do understand that complete offline updates may not be a very common requirement.
We believe we are able to technically allow offline updates by roughly doing the following steps:
1. Pointing the supervisor to a self-hosted API (on the device) and injecting self-signed certificates (balenaRootCa).
2. Using balena-engine to load images.
3. Updating the target state so the device uses the manually loaded images.
Although we’re unsure whether this could potentially conflict with the balena supervisor and/or when OTA updates come into play in between offline updates.
@Simontaga another solution shared by one of my colleagues is that you could try to stop the sshd service using dbus from the container entry script. I haven’t tested this myself yet.
Then you could control the start/stop of the service using an application variable from balenaCloud.
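As an added illustration of the approach suggested above (this is not balena's code nor anything the thread's participants posted), here is a container entry script that reads a `REMOTE_ACCESS` application variable and, when it is not explicitly enabled, stops the host's SSH daemon over D-Bus and holds the supervisor update lock so that releases are not applied while remote management is off. Assumed and worth verifying on your OS version: the service carries the `io.balena.features.dbus` label so the host system bus is reachable at `/host/run/dbus/system_bus_socket`; the host unit is named `sshd.service`; and the supervisor lock file lives at `/tmp/balena/updates.lock`. The `ssh_method_for`, `hold_update_lock` and `release_update_lock` names are ours.

```bash
#!/bin/bash
# Added example, not part of the original thread. Entry script that turns the
# REMOTE_ACCESS application variable into (a) a StartUnit/StopUnit call on the
# host sshd over D-Bus and (b) a held balena update lock while access is off.
#
# Assumptions (check them on your balenaOS version):
#   - the service has the io.balena.features.dbus label (host bus socket below)
#   - the host SSH unit is called sshd.service
#   - the supervisor honours a flock on /tmp/balena/updates.lock
set -eu

export DBUS_SYSTEM_BUS_ADDRESS="${DBUS_SYSTEM_BUS_ADDRESS:-unix:path=/host/run/dbus/system_bus_socket}"
SSH_UNIT="${SSH_UNIT:-sshd.service}"       # assumed unit name
LOCK_DIR="${LOCK_DIR:-/tmp/balena}"        # assumed supervisor lock directory

# Map the user-facing toggle to a systemd Manager method. Anything that is not
# an explicit "on" value fails closed, i.e. SSH is stopped.
ssh_method_for() {
  case "${1:-}" in
    1|true|on|enabled) echo StartUnit ;;
    *)                 echo StopUnit ;;
  esac
}

# Ask systemd on the host to start or stop the SSH unit via the system bus.
apply_remote_access() {
  dbus-send --system --print-reply \
    --dest=org.freedesktop.systemd1 /org/freedesktop/systemd1 \
    "org.freedesktop.systemd1.Manager.$(ssh_method_for "$1")" \
    "string:$SSH_UNIT" string:replace >/dev/null
}

# Take the update lock on fd 9 and keep it for the lifetime of this shell; the
# supervisor defers new releases until the fd is closed or the process exits.
hold_update_lock() {
  mkdir -p "$LOCK_DIR"
  exec 9>"$LOCK_DIR/updates.lock"
  flock -n 9
}

release_update_lock() {
  exec 9>&-
}

# Usage: main /path/to/app [args...]  (run as the container's CMD/ENTRYPOINT)
main() {
  local enabled="${REMOTE_ACCESS:-0}"
  apply_remote_access "$enabled"
  if [ "$(ssh_method_for "$enabled")" = StopUnit ]; then
    hold_update_lock
    echo "remote SSH access and OTA updates are disabled on this device"
  fi
  exec "$@"   # hand over to the real application; the lock fd is inherited
}

# Only start the application when a command was supplied.
[ "$#" -gt 0 ] && main "$@"
```

Because the lock is held on an inherited file descriptor, it is released automatically when the application exits, and a later change of `REMOTE_ACCESS` from balenaCloud restarts the container and re-evaluates the toggle. Restricting who may set that variable in balenaCloud is what keeps the toggle from being flipped by the same actor the original question worries about.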