The Engine uses dnsmasq for DNS resolution since OS v2.0-beta.1, by passing
the dnsmasq IP using `--dns` when starting up balenad. It is less complicated
to have dnsmasq handle DNS resolution; the firewall adding DNS rules to
iptables is overly complex with an unclear & undocumented reason as to why.
"WIP" indicates that this commit is under consideration for its security impact.
Change-type: patch
Signed-off-by: Christina Ying Wang <christina@balena.io>
We only allow DNS requests through `balena0` interface, but this
is the default Docker bridge which is used for containers that
don't have a custom bridge. However, the Supervisor creates a
custom bridge for all containers unless another network mode is
specified.
Change-type: patch
Signed-off-by: Christina Ying Wang <christina@balena.io>
Resolve an issue in balenaMachine instances that were installed at <v14.1.0,
in which a Supervisor app with random UUID is kept in the target db due to its appId
being the same, even after the BM instance has upgraded to v14.1.0 which patches
the correct reserved Supervisor app UUIDs in. This results in two Supervisors running
on devices under the BM instance which persists after BM upgrade.
See: https://balena.fibery.io/search/T7ozi#Inputs/Pattern/Two-supervisors-are-running-on-device-3370
Change-type: patch
Signed-off-by: Christina Ying Wang <christina@balena.io>
On NXP iMX devices the partitions are not encrypted with LUKS but with
the lower level dm-crypt subsystem.
Adapt the partition mount script to use dmsetup which works for both
LUKS and dm-crypt encrypted partitions.
Change-type: patch
Signed-off-by: Alex Gonzalez <alexg@balena.io>
Debian no longer publishes linux/arm/v5 images for bullseye, breaking
support for raspberry pi zero.
This change might not solve the issue indefinitely
as we don't know how long debian will continue publishing armv5 images.
Change-type: patch
Init supports boolean values, and is not included in the config when
not defined.
Change-type: patch
Signed-off-by: Christina Ying Wang <christina@balena.io>
This moves from throwing an error when an app is rejected due to unmet
requirements (because of contracts) to storing the target with a
`rejected` flag on the database.
The application manager filters rejected apps when calculating steps to
prevent them from affecting the current state. The state engine uses the
rejection info to generate the state report.
Change-type: minor
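The flow described in this commit message, as an added example that is not balena-supervisor code: rejected target apps are stored with a `rejected` flag instead of raising, the application manager filters them out before step calculation, and the state engine carries the rejection reason into the report. The types, the feature-list contract model and the report shape are assumptions made for this illustration.

```typescript
// Added example, not balena-supervisor code. The contract model (a list of
// device features an app requires), the stored-app shape and the report
// shape are assumptions for illustration only.

interface TargetApp {
  appId: number;
  name: string;
  // Assumed contract model: device features the app needs to run.
  requirements?: string[];
}

interface StoredTargetApp extends TargetApp {
  rejected: boolean;
  rejectionReason?: string;
}

interface DeviceCapabilities {
  features: Set<string>;
}

type StateReport = Record<
  number,
  { name: string; status: 'Applying' | 'Rejected'; reason?: string }
>;

function unmetRequirements(app: TargetApp, device: DeviceCapabilities): string[] {
  return (app.requirements || []).filter((req) => !device.features.has(req));
}

// Previous behaviour, kept for contrast: the first app with unmet requirements
// aborts the whole target, so nothing about the rejection is stored or reported.
function storeTargetThrowing(apps: TargetApp[], device: DeviceCapabilities): TargetApp[] {
  for (const app of apps) {
    const unmet = unmetRequirements(app, device);
    if (unmet.length > 0) {
      throw new Error(`app ${app.appId} rejected: unmet requirements ${unmet.join(', ')}`);
    }
  }
  return apps;
}

// New behaviour: every app is stored; rejected ones carry a flag and a reason.
function storeTarget(apps: TargetApp[], device: DeviceCapabilities): StoredTargetApp[] {
  return apps.map((app) => {
    const unmet = unmetRequirements(app, device);
    if (unmet.length === 0) {
      return { ...app, rejected: false };
    }
    return {
      ...app,
      rejected: true,
      rejectionReason: `unmet requirements: ${unmet.join(', ')}`,
    };
  });
}

// Application manager side: rejected apps are dropped before steps are
// calculated, so they cannot trigger downloads, starts or removals.
function appsForStepCalculation(stored: StoredTargetApp[]): TargetApp[] {
  return stored
    .filter((app) => !app.rejected)
    .map((app) => ({ appId: app.appId, name: app.name, requirements: app.requirements }));
}

// State engine side: rejected apps stay visible in the report, with the reason,
// instead of disappearing silently.
function buildStateReport(stored: StoredTargetApp[]): StateReport {
  const report: StateReport = {};
  for (const app of stored) {
    report[app.appId] = app.rejected
      ? { name: app.name, status: 'Rejected', reason: app.rejectionReason }
      : { name: app.name, status: 'Applying' };
  }
  return report;
}

// Constructed sample target: two apps, one needing a feature the device lacks.
const sampleTarget: TargetApp[] = [
  { appId: 1001, name: 'dashboard' },
  { appId: 1002, name: 'vision', requirements: ['gpu', 'camera'] },
];
const sampleDevice: DeviceCapabilities = { features: new Set(['camera']) };
```

With `storeTargetThrowing`, the `dashboard` app would never be applied because `vision` aborts the whole target; with `storeTarget`, `dashboard` proceeds and the report states why `vision` did not.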
Users may specify dnsu2t config by including a `dns` field
in the `proxy` section of PATCH /v1/device/host-config's body:
```
{
  "network": {
    "proxy": {
      "dns": "1.1.1.1:53"
    }
  }
}
```
If `dns` is a string, ADDRESS and PORT are required and should be
in the format `ADDRESS:PORT`. The endpoint will error with
code 400 if either ADDRESS or PORT is missing.
`dns` may also be a boolean. If true, defaults will be configured.
If false, the dns configuration will be removed.
If `proxy` is patched to empty, `dns` will be removed regardless
of its current or input configs, as `dns` depends on an active
redsocks proxy to function.
Change-type: minor
Signed-off-by: Christina Ying Wang <christina@balena.io>
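The rules stated in this commit message, as an added example that is not balena-supervisor code: a decision function for the `dns` field of the `proxy` section in a PATCH /v1/device/host-config body. The default target used for `dns: true`, the `BadRequest` class and the "keep" outcome for a proxy patch that omits `dns` are assumptions made for this illustration.

```typescript
// Added example, not balena-supervisor code. The defaults, the BadRequest
// class and the "keep" outcome are assumptions made for illustration.

interface ProxyConfig {
  dns?: string | boolean;
  // Other redsocks settings (type, ip, port, ...) are not modelled here.
  [key: string]: unknown;
}

interface HostConfigBody {
  network?: { proxy?: ProxyConfig | null };
}

type DnsDecision =
  | { action: 'set'; address: string; port: number }
  | { action: 'remove' }
  | { action: 'keep' };

class BadRequest extends Error {
  readonly status = 400;
  constructor(message: string) {
    super(message);
    this.name = 'BadRequest';
  }
}

// Assumed defaults applied when `dns: true` is given.
const DEFAULT_DNS_ADDRESS = '8.8.8.8';
const DEFAULT_DNS_PORT = 53;

// A string `dns` must be ADDRESS:PORT; a missing address or port is a 400.
function parseDnsTarget(value: string): { address: string; port: number } {
  const sep = value.lastIndexOf(':');
  if (sep <= 0 || sep === value.length - 1) {
    throw new BadRequest(`dns must be in the format ADDRESS:PORT, got "${value}"`);
  }
  const address = value.slice(0, sep);
  const portText = value.slice(sep + 1);
  if (!/^\d+$/.test(portText)) {
    throw new BadRequest(`dns PORT must be numeric, got "${portText}"`);
  }
  const port = Number(portText);
  if (port < 1 || port > 65535) {
    throw new BadRequest(`dns PORT out of range: ${port}`);
  }
  return { address, port };
}

function decideDns(body: HostConfigBody): DnsDecision {
  const proxy = body.network ? body.network.proxy : undefined;
  // Patching proxy to empty (null or {}) removes dns whatever was sent or
  // currently configured: dnsu2t depends on an active redsocks proxy.
  if (proxy == null || Object.keys(proxy).length === 0) {
    return { action: 'remove' };
  }
  const dns = proxy.dns;
  if (dns === undefined) {
    // Assumption: a proxy patch that omits `dns` leaves the current dns config untouched.
    return { action: 'keep' };
  }
  if (dns === true) {
    return { action: 'set', address: DEFAULT_DNS_ADDRESS, port: DEFAULT_DNS_PORT };
  }
  if (dns === false) {
    return { action: 'remove' };
  }
  if (typeof dns === 'string') {
    const target = parseDnsTarget(dns);
    return { action: 'set', address: target.address, port: target.port };
  }
  throw new BadRequest('dns must be a string or a boolean');
}
```

Note that `1.1.1.1`, `:53` and `1.1.1.1:` are all rejected with a 400 rather than silently filled in, which is the behaviour the message describes for a missing ADDRESS or PORT.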