Create Debian package for beszel-agent #497
base: main
Signed-off-by: Daniel Lo Nigro <[email protected]>
Signed-off-by: Daniel Lo Nigro <[email protected]>
Restart=on-failure | ||
# TODO: See if we can apply more security hardening here | ||
# TODO: Audit using `systemd-analyze security beszel-agent.service` | ||
ProtectSystem=yes |
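Review bot: `ProtectSystem=yes` on the last line only makes `/usr` and the boot loader directories read-only, so `/etc` and the rest of the file system stay mounted writable for the service. Since the two TODO lines above it already call for more hardening, consider `ProtectSystem=full` or `ProtectSystem=strict` with an explicit writable directory, and point the TODOs at a tracking issue so the `systemd-analyze security` audit is not lost after merge.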
These changes (+ whatever other security hardening options can be added) would be good to include in the systemd unit in the install script too.
Great idea, I'll look over the other options.
@henrygd I ran `systemd-analyze security beszel-agent.service` but got overwhelmed at the number of different things it outputs. Maybe there's one flag we can set that sets all the standard security options. I'm not too familiar with these features of systemd.
||
[Service] | ||
Environment="PORT=45876" | ||
EnvironmentFile=/etc/beszel-agent.conf |
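Review bot: `EnvironmentFile=/etc/beszel-agent.conf` has no `-` prefix, so the unit fails to start when that file is missing or unreadable; if that is intended, say so in a comment above the line. A second comment should note that `PORT=45876` in `Environment=` is only a default, because settings read from an `EnvironmentFile=` override those made with `Environment=`.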
Install script should probably do it this way too - store user-configured config environment variables in a separate file rather than directly in the systemd unit.
Agree, made a note to change this.
Beautiful, thank you! Looks great, let me try it out tomorrow.
@@ -0,0 +1,11 @@ | |||
# No changelog in the repo at the moment. This would be good to fix |
This file has a list of Lintian rules that are currently failing.
beszel-agent: no-debconf-config | ||
beszel-agent: postinst-uses-db-input | ||
# Needs to be fixed in Beszel build | ||
beszel-agent: hardening-no-pie |
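Review bot: the `hardening-no-pie` entry silences a missing exploit mitigation rather than a packaging nit, and its comment "Needs to be fixed in Beszel build" gives no issue reference or removal condition; link a tracking issue there so the entry is dropped once the binary is built as PIE. The `no-debconf-config` and `postinst-uses-db-input` entries just above it have no comment in the visible lines explaining why they are listed.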
From https://lintian.debian.org/tags/hardening-no-pie.html:
This package provides an ELF executable that was not compiled as a position independent executable (PIE). PIE is required for fully enabling Address Space Layout Randomization (ASLR), which makes "Return-oriented" attacks more difficult.
I don't know Go, so I'm not sure how to fix this or if it'd break anything.
Never ran into this before but it's probably some build flag that it needs. I'll look into it.
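Ran out of time to look at this tonight but I'll try to finish up tomorrow if possible.
Worked nicely in an Ubuntu VM. I did notice that neither `apt remove` nor `apt purge` actually stopped the running service. I assume we need to do that in the uninstall script?
After going through the security options I think these should be fine to set for the time being. And then probably add `RuntimeDirectory=beszel/beszel-agent` to leave us the potential to write to `/run/beszel/` in the future if we add a sqlite database or something.
I think the `hardening-no-pie` thing is specific to the riscv build, as riscv apparently requires external linking with Cgo to use `-buildmode=pie`. The only way around that is to compile directly on riscv, which isn't possible.
I'd like to just exclude riscv and mips from the deb builds, but there doesn't seem to be a way to do that without a monthly subscription to GoReleaser Pro. 🤷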
Thanks for looking into it, and thanks for testing on Ubuntu since I only tested on Debian. I think you're right that the service needs to be stopped on removal. I'll add that soon (by end of week).
A SQLite database would go in /var/lib. /run is for things that don't need to be persisted and are okay to delete after rebooting (PID files, sockets, etc)
…On January 27, 2025 7:09:34 PM PST, hank ***@***.***> wrote:
Ran out of time to look at this tonight but I'll try to finish up tomorrow if possible.
Worked nicely in an Ubuntu VM. I did notice that neither `apt remove` nor `apt purge` actually stopped the running service. I assume we need to do that in the uninstall script?
After going through the security options I think these should be fine to set for the time being. And then probably add `RuntimeDirectory=beszel/beszel-agent` to leave us the potential to write to `/run/beszel/` in the future if we add a sqlite database or something.
```
KeyringMode=private
LockPersonality=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectClock=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernel=yes
ProtectKernelLogs=yes
ProtectKernelTunables=yes
ProtectSystem=strict
ReadWritePaths=/run
RemoveIPC=yes
RestrictSUIDSGID=true
SystemCallArchitectures=native
```
I think the `hardening-no-pie` thing is specific to the riscv build, as riscv apparently requires external linking with Cgo to use `-buildmode=pie`. The only way around that is to compile directly on riscv, which isn't possible.
I'd like to just exclude riscv and mips from the deb builds, but there doesn't seem to be a way to do that without a monthly subscription to GoReleaser Pro. :shrug:
True, looks like
```
KeyringMode=private
LockPersonality=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectClock=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernel=yes
ProtectKernelLogs=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RemoveIPC=yes
RestrictSUIDSGID=true
StateDirectory=beszel-agent
SystemCallArchitectures=native
```
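A lint for the directive lists proposed in the comments above, as an added example that is not part of the original thread or of the Beszel project's code. systemd ignores an unrecognised key with only a log warning, so a misspelt hardening option protects nothing; the `KNOWN` set is a hand-picked subset of names from systemd.exec(5) and systemd.service(5) assumed for this example, and the input is the last list in the thread, reconstructed inline.

```python
# Added example: lint the [Service] hardening directives proposed in this thread.
# KNOWN is a hand-picked subset of documented directive names (an assumption of
# this example, not a complete list of what systemd accepts).
KNOWN = {
    "KeyringMode", "LockPersonality", "NoNewPrivileges", "PrivateTmp",
    "PrivateDevices", "ProtectClock", "ProtectControlGroups", "ProtectHome",
    "ProtectHostname", "ProtectKernelLogs", "ProtectKernelModules",
    "ProtectKernelTunables", "ProtectSystem", "ReadWritePaths", "RemoveIPC",
    "RestrictSUIDSGID", "RuntimeDirectory", "StateDirectory",
    "SystemCallArchitectures", "Restart", "Environment", "EnvironmentFile",
}
# Directives that give the service somewhere to write under ProtectSystem=strict.
WRITABLE = {"ReadWritePaths", "StateDirectory", "RuntimeDirectory"}

# Constructed input: the directive list from the last comment in the thread.
THREAD_UNIT = "[Service]\n" + "\n".join("""
    KeyringMode=private LockPersonality=yes NoNewPrivileges=yes PrivateTmp=yes
    ProtectClock=yes ProtectHome=read-only ProtectHostname=yes ProtectKernel=yes
    ProtectKernelLogs=yes ProtectKernelTunables=yes ProtectSystem=strict
    RemoveIPC=yes RestrictSUIDSGID=true StateDirectory=beszel-agent
    SystemCallArchitectures=native""".split())

def parse_service(text):
    """Return {key: value} for the [Service] section of a unit file."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def lint(text):
    """Return a list of findings for the [Service] section of a unit file."""
    svc = parse_service(text)
    findings = [f"unknown directive: {k}" for k in svc if k not in KNOWN]
    if svc.get("ProtectSystem") == "strict" and WRITABLE.isdisjoint(svc):
        findings.append("ProtectSystem=strict with no writable directory")
    if svc.get("ProtectSystem") in ("yes", "true", "1", "on"):
        findings.append("ProtectSystem=yes leaves /etc writable")
    return findings

if __name__ == "__main__":
    for finding in lint(THREAD_UNIT):
        print(finding)
```

On the list above it reports `ProtectKernel`, which is not a systemd directive (the documented ones are `ProtectKernelTunables`, `ProtectKernelModules` and `ProtectKernelLogs`). `systemd-analyze verify` on the installed unit reports unknown keys against the full set the running systemd version accepts.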
Adds a Debian package to the build. Currently, only `beszel-agent` is packaged, but a package for `beszel-hub` could be added too. Since the SSH key is a required configuration option, the package prompts for it during installation.

This is the first step. The next step would be to set up a Debian repo for the packages.

Test Plan

Run the build:

This produces four `.deb` files in the `dist` directory, for amd64, arm64, armv6, riscv64, and mips64_hardfloat (architectures were already configured in the goreleaser config)

Create a new Debian VM

Install package:
```
cd /tmp
wget https://d.ls/debian/beszel-agent_0.9.1-SNAPSHOT-1747b00_linux_amd64.deb
sudo apt install ./beszel-agent_0.9.1-SNAPSHOT-1747b00_linux_amd64.deb
```
Output:

During the installation, it prompts for the SSH key:

Verify key is written to `/etc/beszel-agent.conf`:

Verify systemd unit is enabled and automatically started after installation:

Verify connecting to it from Beszel Hub works: