Use of prod images only in local without balena cloud

Hello,
I’m developing a balena based deployment solution for a web app and backend that is served on a raspi connected only to a local network that doesn’t have access to the internet.
For the moment I’m using the balena dev image versions, and I was surprised when I tried to move on to a prod version that I can’t access the host through ssh, so searching on your docs / forums I realised that the prod version can only be accessible if a ssh key is created through the balena cloud mechanism… Is that right?
If that is the case, what are the downsides of using the dev image in an environment where the app can’t be accessed from outside the network just because the network is isolated?
BTW, the app will be released as FOSS, as it is part of a timer system for archery competitions that I’m developing for free for my archery club.

Thanks in advance
Gabriel

Hi, the downsides are that anyone who can gain access to the network will be able to take control of the device running a dev image. What are your reasons for not wanting to run a production image?

Hello,
None, just that I haven’t found a way to do it without balena cloud, just locally.

To be clear, are you trying to set up your device without connecting to balenaCloud or are you concerned about SSH access?

If you are using a production image you don’t lose the ability to use ssh, the difference is that it would run via our VPN. You can still get a shell on your device by using the web dashboard or the balena-cli application: https://www.balena.io/docs/learn/manage/ssh-access/

Hello,
I’m not using balena cloud, this project is just a one device “prototype” and I’m using balena to run a docker compose in isolation so that it doesn’t corrupt the memory card and can be reset without any problem. I’m deploying it using balena cli locally to a dev image running on a raspi. The finished system is going to be stored until it is used at a competition so I don’t need to keep it updated (unless I want to start adding more functionality) and as it is not going to be connected to the internet, it doesn’t make any sense to use balena cloud (also, as I said, it is going to be FOSS so I can’t afford any extra cost besides my own free time).
I was going to use tinycorelinux but I found balena and it allows me to speed up the development as I can use almost the same docker image I’m creating for testing the app; I just added a pipeline to also compile for arm using balena based images and it works like a charm.
So, I only realized the prod limitation once I had already developed everything, as it is not properly stated in the balena os getting started guide (not complaining, just pointing it out).
I was also thinking of serving myself an openbalena on my home server docker swarm, but I didn’t have time to make it work properly.
Sorry for the long text, to get straight to the point:

  • Is there any way to use a prod host image without using balenacloud and do a proper balena push / ssh using balena-cli locally the same way I’m doing for a dev image, but just using some ssh keys?

Thanks again for the great support.

@gpulido you can add your public ssh key to the balena config.json (on the first partition or /mnt/boot) and that will allow you to ssh into a production image as root via port 22222. The process is described here: https://github.com/balena-os/meta-balena#sshkeys
Please make sure to use great caution when modifying config.json and check for valid json syntax after editing.
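The reply above recommends editing config.json by hand and re-checking the JSON afterwards. As an added example (not balena’s own tooling, and not from the original post), the following script appends a public key to the `os.sshKeys` list that the linked meta-balena README documents, rejects anything that is not an OpenSSH public key line, and only replaces the original file after the new content has been parsed back successfully. The sample config and key are constructed for illustration.

```python
"""Append an SSH public key to a balenaOS config.json without breaking its JSON.

Assumes the `os.sshKeys` list layout described in the meta-balena README linked above.
"""
import json
import re
import sys
from pathlib import Path

# Only accept common OpenSSH public key types; anything else is refused rather than written.
_KEY_RE = re.compile(r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) [A-Za-z0-9+/]+=*( \S.*)?$")

# Constructed sample config (not a real device's config.json) and a constructed public key.
SAMPLE_CONFIG = {"hostname": "archery-timer", "os": {"sshKeys": []}}
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLEexampleEXAMPLEexam gabriel@club"


def add_ssh_key(config: dict, pubkey: str) -> dict:
    """Return a copy of config with pubkey added to os.sshKeys (idempotent, input untouched)."""
    pubkey = pubkey.strip()
    if not _KEY_RE.match(pubkey):
        raise ValueError("not a valid OpenSSH public key line")
    updated = json.loads(json.dumps(config))  # deep copy via round-trip
    keys = updated.setdefault("os", {}).setdefault("sshKeys", [])
    if not isinstance(keys, list):
        raise ValueError("os.sshKeys exists but is not a list")
    if pubkey not in keys:
        keys.append(pubkey)
    return updated


def update_config_file(path: Path, pubkey: str) -> dict:
    """Parse config.json, add the key, write to a temp file, re-parse it, then swap it in."""
    config = json.loads(path.read_text(encoding="utf-8"))  # fails loudly if already broken
    updated = add_ssh_key(config, pubkey)
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(json.dumps(updated, indent=4) + "\n", encoding="utf-8")
    json.loads(tmp.read_text(encoding="utf-8"))  # verify before touching the original
    tmp.replace(path)
    return updated


if __name__ == "__main__":
    # Usage: python add_sshkey.py /mnt/boot/config.json ~/.ssh/id_ed25519.pub
    result = update_config_file(Path(sys.argv[1]), Path(sys.argv[2]).read_text())
    print(f"os.sshKeys now has {len(result['os']['sshKeys'])} entries")
```

Run it against the mounted boot partition before the card goes into the device; if the existing file is not valid JSON the script stops before writing anything.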

Hello again,
Thank you for pointing me to the right “documentation”, as a suggestion I think that information should be also included on the balena os main documentation site, as it is a bit hidden. The whole getting started doesn’t need to “know” the github page, and it is very easy to follow up.

Also, I think that there is another missing piece of information regarding the balena-sync.yml file. It is mentioned in several places for local development / deployment, but I haven’t found (probably my fault) proper documentation about what the file is, where to place it and how to fill it. From my searches I guess that it is a file that has to be in the same folder as the dockerfile / docker_compose that is used to push a container to the balenaos using balena-cli. But I haven’t found documentation about the right format and what is needed and what is optional. Also whether the name is “.balena-sync.yml”, “balena-sync.yml”, “resin-sync.yml” or “.resin-sync.yml”.
Again please take my comments as constructive and just as “developer” experience, no complaining on my side 🙂
Regards
Gabriel

Hi Gabriel,

Thanks for these comments, we always appreciate our users reflecting on their Balena experience and letting us know how we can improve on things!

I’ll ping the local-mode developers for a proper explanation of the sync yml files and get some issues created so the documentation issues you raised don’t get forgotten.

Thanks again.

Hey @gpulido

Firstly, thanks very much for the comments on our documentation, it helps a lot to get this information from developers who aren’t as familiar with our platform.

What I would do in this situation is to use a balenaCloud production image, and either load the images onto the device whilst it has an internet connection, or use balena preload https://www.balena.io/docs/reference/cli/#preload-image. You mentioned that one of the reasons stopping you from using balenaCloud is that you would not like to pay anything for this (understandably so!) but balenaCloud is free for the first 10 devices, regardless of use case. The device doesn’t require a connection to balenaCloud after the initial provision and downloading of images, as long as you don’t want to perform any updates. Using the link my colleague posted above, you could add your SSH key to the device, and perform a local SSH to the production mode device that way, without the use of balenaCloud.

What we do have on our roadmap is to add the ability to preload unmanaged OS images (that is, balenaOS without balenaCloud), but that’s currently unavailable.

We would never recommend using a dev mode device outside of a testing environment, as both the docker socket and ssh are unprotected, allowing root access to the device.

I hope this helps, and I’ll be happy to go into this in more detail if required.

As for balena-sync.yml, we’re phasing out the usage of this and our documentation could probably better explain that.

PS: your use case sounds very interesting, I’d love to hear more when you get it completed!