host OS, user root, *no* password?! security issue?

hi, i’m able to log into balena’s host OS using putty, giving the user root and blank password (image below)! is this considered normal operation? is there a way to secure the device? i’m using a raspberry pi zero. am i missing something? thanks!

[image: screenshot of the PuTTY session logged in as root]

Hi,
What’s the image type that you chose while provisioning?
If it’s a development image, it is done on purpose while production images require you to have your rsa key added in the config.json

hi thundron, yes, it’s a dev image. phew. is there a way to change the root password without breaking the system? thanks.

Hello, since balenaOS has a read only rootFS it’s not possible to change root’s password via passwd or other means. Even if you could unmount the fs and change it, it is not something we advise doing. Development images are to be used on sandboxed or unexposed networks, where a passwordless SSH should not result in a security issue.
We strongly suggest not to use development images for anything other than development since there are also other useful features enabled by default on them that might result in important security issues on a production environment. For example, dev images expose the docker/balenaEngine socket too.
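The distinction drawn above (development image: passwordless root SSH and an exposed balenaEngine socket, acceptable only on an isolated network; production image: SSH only with a key placed in config.json) is the kind of thing worth checking mechanically before a device leaves the bench. The following script is an added example, not code from this thread or from balena; it assumes that balenaOS's /etc/os-release carries a VARIANT_ID of "dev" or "prod" and that a production image's SSH public keys live under the "os" -> "sshKeys" list in config.json. Both inputs are constructed samples embedded inline, so it runs offline; on a real device you would read the two files instead.

```python
"""Classify a balenaOS device as a development or production image and report
what that implies for remote access (added example; assumptions noted inline)."""
import json
from typing import Dict, List

# Constructed sample /etc/os-release contents (not captured from a real device).
# Assumption: balenaOS reports VARIANT_ID="dev" for development images and "prod" for production.
OS_RELEASE_DEV = 'ID="balena-os"\nNAME="balenaOS"\nVARIANT="Development"\nVARIANT_ID="dev"\n'
OS_RELEASE_PROD = 'ID="balena-os"\nNAME="balenaOS"\nVARIANT="Production"\nVARIANT_ID="prod"\n'

# Constructed config.json samples. The key string is a placeholder, not a real public key.
# Assumption: production-image SSH keys are listed under os.sshKeys.
CONFIG_WITH_KEY = json.dumps(
    {"os": {"sshKeys": ["ssh-ed25519 AAAA...PLACEHOLDER operator@workstation"]}}
)
CONFIG_WITHOUT_KEY = json.dumps({"os": {}})


def parse_os_release(text: str) -> Dict[str, str]:
    """Parse KEY=value / KEY="value" lines from an os-release file into a dict."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip().strip('"')
    return result


def ssh_keys_from_config(text: str) -> List[str]:
    """Return the non-empty SSH public keys found at os.sshKeys (assumed path)."""
    cfg = json.loads(text)
    keys = cfg.get("os", {}).get("sshKeys", [])
    return [k for k in keys if isinstance(k, str) and k.strip()]


def assess_device(os_release_text: str, config_text: str) -> Dict[str, object]:
    """Combine the image variant and the configured keys into a short report.

    Returns a dict with the detected variant, the number of SSH keys, a list of
    plain-language findings, and two booleans a fleet check can gate on.
    """
    variant = parse_os_release(os_release_text).get("VARIANT_ID", "unknown")
    keys = ssh_keys_from_config(config_text)
    findings: List[str] = []

    if variant == "dev":
        # These two properties are exactly what the thread above describes.
        findings.append("development image: root SSH login accepts an empty password")
        findings.append("development image: docker/balenaEngine socket is exposed")
        findings.append("keep this device on a sandboxed network; reprovision with a "
                        "production image before exposing it")
    elif variant == "prod":
        if not keys:
            findings.append("production image with no os.sshKeys entry: no key-based "
                            "SSH access is configured")
    else:
        findings.append("unknown VARIANT_ID; could not determine the image type")

    return {
        "variant": variant,
        "ssh_key_count": len(keys),
        "findings": findings,
        "exposes_passwordless_root": variant == "dev",
        "has_key_based_ssh": variant == "prod" and bool(keys),
    }


if __name__ == "__main__":
    # On a real device: open("/etc/os-release") and the config.json on the boot partition.
    for label, osr, cfg in (
        ("dev image", OS_RELEASE_DEV, CONFIG_WITHOUT_KEY),
        ("prod image, key present", OS_RELEASE_PROD, CONFIG_WITH_KEY),
        ("prod image, no key", OS_RELEASE_PROD, CONFIG_WITHOUT_KEY),
    ):
        report = assess_device(osr, cfg)
        print(f"{label}: variant={report['variant']} keys={report['ssh_key_count']}")
        for finding in report["findings"]:
            print("  -", finding)
```

The two booleans are the useful output for a fleet: `exposes_passwordless_root` should never be true for a device reachable from outside the lab, and `has_key_based_ssh` tells you whether an operator can still get a shell on a production image once the password path is gone.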

that’s what i thought :-). am i right in thinking, then, that any changes i make to the default express (node.js) server in the main OS are part of a docker image and i can upload that for distribution to other raspis in the same “cluster”? is there a way to upload the docker image so that the one online is always up-to-date, in case the raspi’s SD card fails (that does happen)? thanks!

I’m not sure I’m following you, but a quick overview of how it works is as follows:

You can push code into a balena app from various sources, generally it will look first for a docker-compose.yml file on your root directory, if there isn’t one it will look for a Dockerfile, and lastly if none are available it will look for a package.json in case of a node app. Any code you push to a balena app will be distributed to all devices (raspis or other types) that are part of that balena app (“cluster”). For small and simple apps you can do enough with a Dockerfile or even just the package.json file, but for more complex setups docker-compose.yml allows you to use multi container solutions.

Any changes you want to make need to be made locally on your machine and then pushed into the application in order for those to be distributed to your fleet. Any changes you make directly on a device will be lost once the device is rebooted.

Lastly, SD card failure is one of the most common types of failures on the Raspberry Pi family. To mitigate that, balenaOS was designed to minimize IO operations to reduce wear on the SD card; that is one of the reasons that the rootFS is read only. To further prevent damaged SD cards we recommend the use of SanDisk Extreme Pro cards, which in our experience are the most reliable even for industrial cases, and of course at the application level you need to make sure you also reduce IO operations as much as possible.

Here is a link that expands a bit on these topics:

hi, i’ve a custom express server running on balena that i need to deploy to other devices. i’m running on a separate express server on balena main OS because it caused your app express server to crash. also, it needed some modules to be compiled (i manually installed make and g++). this is on a dev image on a raspi zero.

  1. i tried modifying the pre-installed express server at root@xxxxx:/usr/src/app but it wound up closing the web console connection. luckily, i had just enough time between connections to revert to a saved copy of the original server.js, which solved that problem.
  2. fyi, kill -9 <node-process-id> also causes disconnects (and your web console auto-reconnects).
  3. my server runs on a different port as 80 is taken up by yours.
  4. my server has module dependencies (e.g. npm install sharp) that require compilation on your OS, for which i had to manually install make and g++:
     apt-get install make
     apt-get install g++

experience shows that tweaks are sometimes needed to migrate node.js apps from windows, so testing directly on balena is absolutely necessary. we’ve got it working on both platforms now (the app is on github). that’s good news. i’m not sure what to do from here. your help would be great.

thanks!

Hi

  • I am not sure what your question is. Can you elaborate on where you need help? It seems like a migration issue of an express app from Windows to Linux.
  • About having to install additional dependencies - yes, it is normal to manually install any dependencies. I recommend you go through our available base images here in case you need something that has what you need as part of the image.
  • Also, going forward it would make sense to create new forum threads for separate issues - this helps in making it easier for other folks to find information here as well as contribute answers.

hi, i thought so, too. so i already created a separate thread. this one was started to go elsewhere :slight_smile:. i think you can close this one – i don’t seem to have an option to do it myself. thanks!