Skip to content
This repository has been archived by the owner on Oct 11, 2023. It is now read-only.

Commit

Permalink
v2.0.0-rc2
Browse files Browse the repository at this point in the history
* Add ipset to network and console
* Add fdisk to console
* Use Docker 24.0.7 by default
* SSH security hardenings
  • Loading branch information
olljanat committed Dec 19, 2023
1 parent 615b3d4 commit 8a9e14f
Show file tree
Hide file tree
Showing 5 changed files with 13 additions and 5 deletions.
6 changes: 3 additions & 3 deletions Dockerfile.dapper
Original file line number Diff line number Diff line change
Expand Up @@ -81,14 +81,14 @@ ARG OS_FIRMWARE=true
ARG OS_BASE_URL_amd64=https://github.com/burmilla/os-base/releases/download/v2023.05-1/os-base_amd64.tar.xz
ARG OS_BASE_URL_arm64=https://github.com/burmilla/os-base/releases/download/v2023.05-1/os-base_arm64.tar.xz

ARG OS_INITRD_BASE_URL_amd64=https://github.com/burmilla/os-initrd-base/releases/download/v2023.05-1/os-initrd-base-amd64.tar.gz
ARG OS_INITRD_BASE_URL_arm64=https://github.com/burmilla/os-initrd-base/releases/download/v2023.05-1/os-initrd-base-arm64.tar.gz
ARG OS_INITRD_BASE_URL_amd64=https://github.com/burmilla/os-initrd-base/releases/download/v2023.05-2/os-initrd-base-amd64.tar.gz
ARG OS_INITRD_BASE_URL_arm64=https://github.com/burmilla/os-initrd-base/releases/download/v2023.05-2/os-initrd-base-arm64.tar.gz

ARG SYSTEM_DOCKER_VERSION=17.06.109
ARG SYSTEM_DOCKER_URL_amd64=https://github.com/burmilla/os-system-docker/releases/download/${SYSTEM_DOCKER_VERSION}/docker-amd64-${SYSTEM_DOCKER_VERSION}.tgz
ARG SYSTEM_DOCKER_URL_arm64=https://github.com/burmilla/os-system-docker/releases/download/${SYSTEM_DOCKER_VERSION}/docker-arm64-${SYSTEM_DOCKER_VERSION}.tgz

ARG USER_DOCKER_VERSION=24.0.5
ARG USER_DOCKER_VERSION=24.0.7
ARG USER_DOCKER_ENGINE_VERSION=docker-${USER_DOCKER_VERSION}

ARG AZURE_SERVICE=false
Expand Down
2 changes: 1 addition & 1 deletion cmd/control/console_init.go
Original file line number Diff line number Diff line change
Expand Up @@ -407,7 +407,7 @@ func modifySshdConfig(cfg *config.CloudConfig) error {
}

func setupSSH(cfg *config.CloudConfig) error {
for _, keyType := range []string{"rsa", "dsa", "ecdsa", "ed25519"} {
for _, keyType := range []string{"rsa", "ed25519"} {
outputFile := fmt.Sprintf("/etc/ssh/ssh_host_%s_key", keyType)
outputFilePub := fmt.Sprintf("/etc/ssh/ssh_host_%s_key.pub", keyType)

Expand Down
2 changes: 1 addition & 1 deletion images/02-console/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ COPY build/sshd_config.append.tpl /etc/ssh/
COPY build/lsb-release /etc/

RUN apt-get update \
&& apt-get install -y --no-install-recommends iptables openssh-server rsync locales \
&& apt-get install -y --no-install-recommends fdisk ipset iptables openssh-server rsync locales \
sudo less curl ca-certificates psmisc htop kmod iproute2 \
net-tools bash-completion wget \
nano open-iscsi iputils-ping nvi \
Expand Down
7 changes: 7 additions & 0 deletions images/02-console/sshd_config.append.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,10 @@ IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding no
DebianBanner no

# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com hardening guide.
KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected]
HostKeyAlgorithms ssh-ed25519,[email protected],[email protected],[email protected],rsa-sha2-256,rsa-sha2-512,[email protected],[email protected]
1 change: 1 addition & 0 deletions os-config.tpl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -289,6 +289,7 @@ rancher:
- system-volumes
- command-volumes
volumes:
- /usr/bin/ipset:/sbin/ipset:ro
- /usr/bin/iptables:/sbin/iptables:ro
ntp:
image: {{.OS_REPO}}/os-base:{{.VERSION}}{{.SUFFIX}}
Expand Down

0 comments on commit 8a9e14f

Please sign in to comment.