add remote access switch for edgeview
add an option to eve command and edgeview to set the remote
access config switch to On/Off. When On, edgeview and ssh are inaccessible.

Signed-off-by: Shahriyar Jalayeri <[email protected]>
shjala committed Oct 12, 2023
1 parent bd349a3 commit 9cc5386
Showing 13 changed files with 996 additions and 907 deletions.
1 change: 1 addition & 0 deletions docs/CONFIG.md
@@ -13,6 +13,7 @@ In general, EVE is trying to make sure that its controller always has the last w
* `wpa_supplicant.conf` - a legacy way of configuring EVE's WiFi
* `authorized_keys` - initial authorized SSH keys for accessing EVE's debug console; DO NOT use options, we only accept 'keytype, base64-encoded key, comment' format
* `bootstrap-config.pb`- initial device configuration used only until device is onboarded (see below for details)
* `remote_access_disabled`- a file indicating remote access status, if it exist remote access (edge-view and ssh) is disabled. Please check [config document](SECURITY.md#disabling-remote-access) for more information.

The initial content of these configuration files is stored in the EVE's source tree under [config](../config) folder. From there, these configuration files are baked into the EVE installer images. For the read-write bootable disk installer image these files can further be tweaked by mounting the "EVE" partition and editing those files directly on the installer image. This gives you an ability to take the default installer image and tweak it for your needs without re-building EVE from scratch (obviously this is not an option for a read-only ISO installer image). A typical workflow is to take an installer image from the official EVE build, flash it onto a USB flash drive, insert that USB flash drive into your desktop and edit file on the partition called EVE.
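Review bot: the new `remote_access_disabled` bullet has a grammar slip and a mislabelled link: "if it exist" should be "if it exists", and the link text says "config document" while it points at SECURITY.md#disabling-remote-access, so call it the security document. It would also help to state that the file lives at the root of the CONFIG partition (/config at runtime), since that is the exact path pkg/debug/ssh.sh tests for.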

4 changes: 4 additions & 0 deletions docs/SECURITY.md
@@ -158,6 +158,10 @@ Two ECOs communicating using the overlay will get an secure channel since LISP w

In addition, the LISP map server can provide ability to limit access to the mappings for certain EIDs based on the EID which is trying to look them up.

## Disabling Remote Access

EVE provides a mechanism to build an image with remote access disabled (edge-view and ssh), this can be done by configuring EVE when building an installer. Enabling remote access back, requires access to the cloud controller to enable debugging access on the edge node, plus physical access to the edge node to issue `eve remote-access` command on the edge node. In addition changing remote access status from its initial value to anything else will result in change of PCR-14 value and subsequent failure in unsealing the vault key that needs to be handled using the cloud controller. Check [config document](CONFIG.md#eve-configuration) for more information.

## Details on keys and certificates

These details are specified in [KEYS-AND-CERTS](KEYS-AND-CERTS.md).
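Review bot: the Disabling Remote Access section says the image can be built with remote access disabled "by configuring EVE when building an installer" but never names the mechanism; say that it is the presence of the `remote_access_disabled` file in the CONFIG partition (documented in CONFIG.md) so a reader can find it. The sentence "Enabling remote access back, requires access ..." has a stray comma and reads better as "Re-enabling remote access requires access to the cloud controller ... plus physical access to the edge node to run `eve remote-access on`"; naming the `on` argument removes the ambiguity. The PCR-14 sentence should also say what the operator actually does on the controller to recover from the vault-key unseal failure, since a reader hitting that failure will land on this paragraph.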
13 changes: 12 additions & 1 deletion pkg/debug/ssh.sh
@@ -7,4 +7,15 @@ echo -1 > /proc/sys/kernel/perf_event_paranoid
KEYS=$(find /etc/ssh -name 'ssh_host_*_key')
[ -z "$KEYS" ] && ssh-keygen -A >/dev/null 2>/dev/null

exec /usr/sbin/sshd -D -e

if [ -f "/config/remote_access_disabled" ]; then
# this is picked up by newlogd
echo "Remote access disabled, ssh server not started" > /dev/kmsg
while true; do
# sleep for a day, keep the container running
sleep 86400
done
else
exec /usr/sbin/sshd -D -e
fi
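Review bot: the check fails open if /config is not mounted into the debug container: `[ -f "/config/remote_access_disabled" ]` is then false and sshd starts anyway, so please confirm the mount (or log when /config is absent and treat that as disabled). Two smaller points: the path is hardcoded here while the Go side reads it through types.RemoteAccessFlagFileName, so a comment that the two must stay in sync would help; and the `if` sits after `ssh-keygen -A`, so a device with remote access disabled still generates host keys it will never use. Moving the check above the KEYS line avoids that.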

22 changes: 22 additions & 0 deletions pkg/dom0-ztools/rootfs/bin/eve
@@ -19,6 +19,7 @@ Welcome to EVE!
persist attach <disk>
config mount <mountpoint>
config unmount
remote-access on|off
http-debug
dump-stacks
dump-memory
@@ -199,6 +200,27 @@ __EOT__
;;
esac
;;
remote-access)
CONFIGDIR_RW="/tmp/config_rw"
mkdir $CONFIGDIR_RW
if eval "$(mount_partlabel "CONFIG" $CONFIGDIR_RW)"; then
case "$2" in
on) rm -f $CONFIGDIR_RW/remote_access_disabled
eval "$(unmount_partlabel "CONFIG")" && rm -rf $CONFIGDIR_RW
echo "Remote access enabled. Please reboot to apply changes."
;;
off) touch $CONFIGDIR_RW/remote_access_disabled
eval "$(unmount_partlabel "CONFIG")" && rm -rf $CONFIGDIR_RW
echo "Remote access disabled. Please reboot to apply changes."
;;
*) eval "$(unmount_partlabel "CONFIG")" && rm -rf $CONFIGDIR_RW
help
;;
esac
else
echo "Failed to set the remote access configuration!"
fi
;;
version)
v=$(cat /run/eve-release)
echo "$v"
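Review bot: the `remote-access` branch reports success regardless of whether `touch` or `rm -f` succeeded, and it mounts the CONFIG partition read-write before validating `$2`, so `eve remote-access foo` performs a mount just to print help. Suggest validating the argument first, then checking the exit status of `touch`/`rm -f` before echoing "Remote access disabled/enabled"; use `mkdir -p "$CONFIGDIR_RW"` (a leftover directory from a failed earlier run makes the bare `mkdir` fail, and the `else` branch never removes it), quote `$CONFIGDIR_RW`, and clean the directory up in the failure path too. Since SECURITY.md says flipping this switch changes PCR-14 and breaks vault unsealing until the controller handles it, the success message should warn the operator about that, not just ask for a reboot.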
6 changes: 6 additions & 0 deletions pkg/pillar/cmd/zedagent/parseedgeview.go
@@ -17,11 +17,17 @@ import (
"github.com/google/go-cmp/cmp"
zconfig "github.com/lf-edge/eve-api/go/config"
"github.com/lf-edge/eve/pkg/pillar/types"
"github.com/lf-edge/eve/pkg/pillar/utils"
)

// edge-view specific parser/utility routines

func parseEvConfig(ctx *getconfigContext, config *zconfig.EdgeDevConfig) {
if utils.RemoteAccessDisabled() {
log.Noticef("Remote access to edgeview is disabled")
removeEvFiles()
return
}

log.Tracef("Started parsing edge-view config")
zcfgEv := config.GetEdgeview()
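Review bot: the early return calls removeEvFiles() and logs at Notice level on every call to parseEvConfig while the flag is set; if removeEvFiles is idempotent, a comment saying so would help, and consider logging once (or at Trace, like the surrounding "Started parsing" line) so a disabled device does not emit a Notice on each config parse. Re-reading the flag on every parse rather than caching it is fine, given the switch is only meant to take effect across a reboot.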
3 changes: 3 additions & 0 deletions pkg/pillar/cmd/zedagent/reportinfo.go
@@ -224,6 +224,9 @@ func PublishDeviceInfoToZedCloud(ctx *zedagentContext, dest destinationBitset) {

ReportDeviceInfo := new(info.ZInfoDevice)

// Get the remote access status
ReportDeviceInfo.RemoteAccessDisabled = utils.RemoteAccessDisabled()

var uname unix.Utsname
err := unix.Uname(&uname)
if err != nil {
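Review bot: this hunk calls utils.RemoteAccessDisabled() but shows no import change; confirm `github.com/lf-edge/eve/pkg/pillar/utils` is already imported in reportinfo.go (parseedgeview.go needed it added). The new `RemoteAccessDisabled` field on info.ZInfoDevice only exists after the eve-api bump in go.mod, so the commit message should mention that dependency update as a prerequisite.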
4 changes: 2 additions & 2 deletions pkg/pillar/go.mod
@@ -13,6 +13,7 @@ require (
github.com/docker/docker v20.10.24+incompatible
github.com/eriknordmark/ipinfo v0.0.0-20230728132417-2d8f4da903d7
github.com/fsnotify/fsnotify v1.5.1
github.com/go-chi/chi/v5 v5.0.10
github.com/golang-jwt/jwt v3.2.2+incompatible
github.com/golang/protobuf v1.5.2
github.com/google/go-cmp v0.5.9
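Review bot: promoting github.com/go-chi/chi/v5 from an indirect to a direct requirement (this hunk, together with the matching removal in the last hunk of this file) is unrelated to the remote-access switch described in the commit message; if it is a `go mod tidy` side effect of the eve-api bump, say so in the message, otherwise split it into its own commit.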
@@ -24,7 +25,7 @@ require (
github.com/jackwakefield/gopac v1.0.2
github.com/jaypipes/ghw v0.8.0
github.com/lf-edge/edge-containers v0.0.0-20221025050409-93c34bebadd2
github.com/lf-edge/eve-api/go v0.0.0-20230917094129-590dad30fe13
github.com/lf-edge/eve-api/go v0.0.0-20231011200019-cb3cb1275e0d
github.com/lf-edge/eve-libs v0.0.0-20230921141205-94d6f6b65597
github.com/linuxkit/linuxkit/src/cmd/linuxkit v0.0.0-20220913135124-e532e7310810
github.com/miekg/dns v1.1.41
@@ -81,7 +82,6 @@ require (
github.com/docker/go-units v0.4.0 // indirect
github.com/estesp/manifest-tool/v2 v2.0.6-0.20220728154431-89d791ab7966 // indirect
github.com/ghodss/yaml v1.0.0 // indirect
github.com/go-chi/chi/v5 v5.0.10 // indirect
github.com/go-ole/go-ole v1.2.6 // indirect
github.com/godbus/dbus/v5 v5.0.6 // indirect
github.com/gogo/googleapis v1.4.1 // indirect
2 changes: 2 additions & 0 deletions pkg/pillar/go.sum
@@ -1119,6 +1119,8 @@ github.com/lf-edge/edge-containers v0.0.0-20221025050409-93c34bebadd2 h1:ckxNk8M
github.com/lf-edge/edge-containers v0.0.0-20221025050409-93c34bebadd2/go.mod h1:eA41YxPbZRVvewIYRzmqDB1PeLQXxCy9WQEc3AVCsPI=
github.com/lf-edge/eve-api/go v0.0.0-20230917094129-590dad30fe13 h1:10Bwbfl1w63u4t/+7t3XDBb20A+WPCBsmMTeYkW89B8=
github.com/lf-edge/eve-api/go v0.0.0-20230917094129-590dad30fe13/go.mod h1:6XqpOM8p1HsluNIGw2ihYPYsaAisQ5CuJpbIKHXQo5w=
github.com/lf-edge/eve-api/go v0.0.0-20231011200019-cb3cb1275e0d h1:PVKqYtPsH5BAIYfOaKej/+lc7+GKcFZBGnzbS6JWbrE=
github.com/lf-edge/eve-api/go v0.0.0-20231011200019-cb3cb1275e0d/go.mod h1:6XqpOM8p1HsluNIGw2ihYPYsaAisQ5CuJpbIKHXQo5w=
github.com/lf-edge/eve-libs v0.0.0-20230921141205-94d6f6b65597 h1:/UGYRj5tdRw5m3+VjZtTx1RVgphQbthfY/Gu5W7qb5o=
github.com/lf-edge/eve-libs v0.0.0-20230921141205-94d6f6b65597/go.mod h1:dEMW+ISS+vVqukeNsorFlaGCo2nuDwkK0LGyBYd8yrc=
github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
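Review bot: the go.sum entries for the previous eve-api revision (v0.0.0-20230917094129-590dad30fe13) are left in place next to the new 20231011 ones; `go mod tidy` normally drops entries for versions no longer in the module graph, so either something still references the old revision transitively or go.sum was hand-edited. Run `go mod tidy` and commit whatever it produces.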
2 changes: 2 additions & 0 deletions pkg/pillar/types/locationconsts.go
@@ -64,6 +64,8 @@ const (
APIV1FileName = IdentityDirname + "/Force-API-V1"
// BootstrapConfFileName - file to store initial device configuration for bootstrapping
BootstrapConfFileName = IdentityDirname + "/bootstrap-config.pb"
// RemoteAccessFlagFileName -- file to check for remote access configuration
RemoteAccessFlagFileName = IdentityDirname + "/remote_access_disabled"
// BootstrapShaFileName - file to store SHA hash of an already ingested bootstrap config
BootstrapShaFileName = IngestedDirname + "/bootstrap-config.sha"
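Review bot: the comment on RemoteAccessFlagFileName uses `--` where the neighbouring constants use ` - `; match the file's style. Since this constant must resolve to the same /config/remote_access_disabled path that pkg/debug/ssh.sh hardcodes, a comment pointing at that script would help the next person keep the two in sync.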

21 changes: 21 additions & 0 deletions pkg/pillar/utils/access.go
@@ -0,0 +1,21 @@
// Copyright (c) 2017-2023 Zededa, Inc.
// SPDX-License-Identifier: Apache-2.0

package utils

import (
"os"

"github.com/lf-edge/eve/pkg/pillar/types"
)

// RemoteAccessDisabled checks if remote access is enabled/disabled
// by checking if the file /config/remote_access_disabled exists or not.
func RemoteAccessDisabled() bool {
if _, err := os.Stat(types.RemoteAccessFlagFileName); err == nil {
// file exists, remote access is disabled
return true
} else {
return false
}
}
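Review bot: RemoteAccessDisabled() fails open: any os.Stat error other than "not exist" (a permission problem, an unmounted /config) is reported as "remote access enabled", which is the wrong default for a security switch. Distinguish the cases with errors.Is(err, fs.ErrNotExist), return false only for that, and log (and arguably return true) for any other error. The `else` after a `return` is also flagged by revive; once the error cases are separated the function reduces to a couple of early returns. Minor: the doc comment names /config/remote_access_disabled while the code uses types.RemoteAccessFlagFileName; reference the constant so the two cannot drift.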
