Is there a way to list the contents of a directory on the host filesystem?
I currently have a container that allows you to set up the network settings at runtime through dbus, similar to the docs, here, and a helper app, over bluetooth.
However, we now have a requirement for 802.1x cert based auth setup as well. The easiest way to get certs onto the device for setup with NetworkManager would probably be to drop them into system-connections on the SD card, so they get bind mounted to /etc/NetworkManager/system-connections.
At this point, I’ve modified my container to also allow setting the 802.1x NetworkManager fields, but would like to make the user setup a little easier.
Instead of having to type in the certificate names into the helper app, if I was able to read the directory contents of either /etc/NetworkManager/system-connections, or the system-connections folder on the SD card, I could add a drop down selection, since I would know the file names in advance.
I’m not sure if the best way to do this would be to mount the resin-state partition to a volume inside my container, or even something along the lines of `ls --ignore '*.nmconnection' --ignore '*.ignore' /etc/NetworkManager/system-connections >> fileInsideContainer.txt`
Hi, currently there is not a way to bind mount the /etc/NetworkManager/system-connections folder in a container.
That means if you would like to use the ca-cert or a similar field in a NetworkManager profile (802-1x: NetworkManager Reference Manual), you cannot currently use a path scheme. You may pass the certificate as a blob or pkcs#11 scheme. I personally have tried using it as a blob in the past and it was tricky but it worked.
Also for reference here is the function that is used for setting the certificates inside NetworkManager:
Please note that inside that function (and the docs above) it is asserted that wpa_supplicant only accepts certificates in a binary DER format when passed as a blob (PEM is not supported):
Here I see it verifies it uses a binary DER by checking the values of the first two bytes:
Also importantly you need to look at the NetworkManager’s logs in order to make sure it processes the certificate. I happened to not look at them when I was trying this out and it caused confusion.
It would have been easier with the file scheme, but even if the team agrees to make the system-connection folder bind-mountable, it will take time for this to be released. Also the relevant colleagues may not agree for this to be done, since there is an alternative with using the blob field. I can still raise it as an issue if needed though.
Please let me know whether using the blob scheme will work for you and if you have any questions.
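To make the blob-scheme advice above concrete, here is an added Python example (not balena's or NetworkManager's code) that converts a PEM certificate to DER, checks that the result really is a DER SEQUENCE before it is handed to NetworkManager, and places it in the `802-1x` settings dictionary as a raw byte array, which is how the blob scheme is expressed over D-Bus. The sample "certificate" is a constructed four-byte DER SEQUENCE, not a real certificate, so the block runs offline; the `der_length` check is a general DER outer-length check, which is stricter than the two-byte look the reply mentions, and the field names other than `ca-cert` (`eap`, `identity`) are standard 802-1x setting keys that the thread does not itself list.

```python
import base64
import re
from typing import Optional

# Constructed sample: a tiny DER SEQUENCE { INTEGER 256 } wrapped in a PEM
# envelope. It is NOT a real certificate; it only exercises the conversion.
SAMPLE_DER = bytes.fromhex("30820004" "02020100")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it to DER."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop line breaks / whitespace
    return base64.b64decode(body, validate=True)


def der_length(data: bytes) -> Optional[int]:
    """Decode the outer SEQUENCE header and return the total encoded size.

    Returns None when the data does not start with a SEQUENCE tag (0x30)
    or the length field is malformed.
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def looks_like_der(data: bytes) -> bool:
    """True when data is a complete DER SEQUENCE (what wpa_supplicant expects)."""
    total = der_length(data)
    return total is not None and total == len(data)


def make_8021x_blob(cert: bytes) -> bytes:
    """Return the raw DER bytes to store in a blob-scheme 802-1x field.

    Accepts either DER or PEM input; PEM is converted because NetworkManager
    passes blobs straight to wpa_supplicant, which rejects PEM.
    """
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = pem_to_der(cert.decode("ascii"))
    if not looks_like_der(cert):
        raise ValueError("certificate is not a DER-encoded SEQUENCE")
    return cert


def build_8021x_settings(ca_cert: bytes, identity: str) -> dict:
    """Build the '802-1x' portion of a NetworkManager connection dict.

    The caller wraps the bytes in dbus.ByteArray when sending over D-Bus;
    'eap' and 'identity' are assumed standard keys for an EAP-TLS profile.
    """
    return {
        "802-1x": {
            "eap": ["tls"],
            "identity": identity,
            "ca-cert": make_8021x_blob(ca_cert),  # blob scheme: raw DER bytes
        }
    }


if __name__ == "__main__":
    settings = build_8021x_settings(SAMPLE_PEM.encode("ascii"), "device-01")
    print(settings["802-1x"]["ca-cert"].hex())
```

After adding the profile, check NetworkManager's log (e.g. `journalctl -u NetworkManager`) for the certificate being accepted, as the reply above recommends; a silently ignored PEM blob is exactly the failure this conversion avoids.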
At this point, we have everything working on the 802.1x side. This was just a feature request to make setup slightly easier, and the user experience more ‘automatic’, if I could read file names inside of a container, either from the host OS, or the SD card where the user stores them.
Thanks for pointing it out. I’ve added the feature request to our internal tracking tool so it can be discussed. We’ll get back to you when we’ve had the chance to do so.