v2.0.0-rc2

* Add ipset to network and console * Add fdisk to console * Use Docker 24.0.7 by default * SSH security hardenings
2025-08-28 03:01:00 +00:00 · 2023-11-13 06:20:56 +00:00 · 2023-11-13 06:20:56 +00:00 · 8a9e14f887
commit 8a9e14f887
parent 615b3d4f7c
5 changed files with 13 additions and 5 deletions
--- a/Dockerfile.dapper
+++ b/Dockerfile.dapper
@ -81,14 +81,14 @@ ARG OS_FIRMWARE=true
 ARG OS_BASE_URL_amd64=https://github.com/burmilla/os-base/releases/download/v2023.05-1/os-base_amd64.tar.xz
 ARG OS_BASE_URL_arm64=https://github.com/burmilla/os-base/releases/download/v2023.05-1/os-base_arm64.tar.xz

-ARG OS_INITRD_BASE_URL_amd64=https://github.com/burmilla/os-initrd-base/releases/download/v2023.05-1/os-initrd-base-amd64.tar.gz
-ARG OS_INITRD_BASE_URL_arm64=https://github.com/burmilla/os-initrd-base/releases/download/v2023.05-1/os-initrd-base-arm64.tar.gz
+ARG OS_INITRD_BASE_URL_amd64=https://github.com/burmilla/os-initrd-base/releases/download/v2023.05-2/os-initrd-base-amd64.tar.gz
+ARG OS_INITRD_BASE_URL_arm64=https://github.com/burmilla/os-initrd-base/releases/download/v2023.05-2/os-initrd-base-arm64.tar.gz

 ARG SYSTEM_DOCKER_VERSION=17.06.109
 ARG SYSTEM_DOCKER_URL_amd64=https://github.com/burmilla/os-system-docker/releases/download/${SYSTEM_DOCKER_VERSION}/docker-amd64-${SYSTEM_DOCKER_VERSION}.tgz
 ARG SYSTEM_DOCKER_URL_arm64=https://github.com/burmilla/os-system-docker/releases/download/${SYSTEM_DOCKER_VERSION}/docker-arm64-${SYSTEM_DOCKER_VERSION}.tgz

-ARG USER_DOCKER_VERSION=24.0.5
+ARG USER_DOCKER_VERSION=24.0.7
 ARG USER_DOCKER_ENGINE_VERSION=docker-${USER_DOCKER_VERSION}

 ARG AZURE_SERVICE=false
--- a/cmd/control/console_init.go
+++ b/cmd/control/console_init.go
@ -407,7 +407,7 @@ func modifySshdConfig(cfg *config.CloudConfig) error {
 }

 func setupSSH(cfg *config.CloudConfig) error {
-	for _, keyType := range []string{"rsa", "dsa", "ecdsa", "ed25519"} {
+	for _, keyType := range []string{"rsa", "ed25519"} {
 		outputFile := fmt.Sprintf("/etc/ssh/ssh_host_%s_key", keyType)
 		outputFilePub := fmt.Sprintf("/etc/ssh/ssh_host_%s_key.pub", keyType)

--- a/images/02-console/Dockerfile
+++ b/images/02-console/Dockerfile
@ -4,7 +4,7 @@ COPY build/sshd_config.append.tpl /etc/ssh/
 COPY build/lsb-release /etc/

 RUN apt-get update \
-    && apt-get install -y --no-install-recommends iptables openssh-server rsync locales \
+    && apt-get install -y --no-install-recommends fdisk ipset iptables openssh-server rsync locales \
                           sudo less curl ca-certificates psmisc htop kmod iproute2 \
                           net-tools bash-completion wget \
                           nano open-iscsi iputils-ping nvi \
--- a/images/02-console/sshd_config.append.tpl
+++ b/images/02-console/sshd_config.append.tpl
@ -21,3 +21,10 @@ IgnoreRhosts yes
 HostbasedAuthentication no
 PermitEmptyPasswords no
 AllowTcpForwarding no
+DebianBanner no
+
+# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com hardening guide.
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
--- a/os-config.tpl.yml
+++ b/os-config.tpl.yml
@ -289,6 +289,7 @@ rancher:
      - system-volumes
      - command-volumes
      volumes:
+      - /usr/bin/ipset:/sbin/ipset:ro
      - /usr/bin/iptables:/sbin/iptables:ro
    ntp:
      image: {{.OS_REPO}}/os-base:{{.VERSION}}{{.SUFFIX}}