OMV 3 for ODROID-XU4/HC1/HC2/MC1

  • I was going to test

    Just to save you some time: Using nand-sata-install to transfer the rootfs to a HDD (with bootloader having to remain either on SD card or eMMC) still doesn't work (at least not the combinations I tried, most probably related to OMV rootfs now relying on btrfs and not ext4 any more). Since I consider this somewhat stupid anyway (since rootfs on a HDD will prevent it from spinning down for longer periods and that's bad for these types of OMV installations) I won't look into it in the next months (Armbian on Stretch has higher priority).


    But transferring the installation from SD card to eMMC should work (tested myself after I had implemented a fix @'chymian' reported a while ago that I had overlooked) while it's still a weird idea. The eMMC modules from Hardkernel are both amazingly fast and expensive and for the OMV use case there's zero benefit running off eMMC anyway. Good genuine Samsung EVO/EVO+ SD cards with 16-64 GB are less expensive and OMV 'performance' is exactly the same as long as the flashmemory plugin is active (default).

    • Official post

    I tested it. One odd thing is that permit root login was not set. I had to connect a monitor and keyboard to fix that. I didn't think cloudshell ran by default either but it has been a while since I paid attention. I didn't try the emmc stuff because I couldn't find my emmc cards.

    omv 7.0.4-2 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.10 | compose 7.1.2 | k8s 7.0-6 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • I tested it. One odd thing is that permit root login was not set.

    That's by intention and on all OMV images now except those for the Raspberries where I simply fear the amount of same questions asked again and again.


    I discussed this with ayufan a few months ago when he started to work on OMV for ROCK64 and we both consider an open root enabled SSH account with default password 'openmediavault' some sort of a backdoor the majority of users (who never will use SSH and might not even know about) is not aware of. Necessary procedure is part of the readme.txt though:


    Code
    - SSH keys are regenerated on first boot but SSH login has to be
        enabled in web UI prior to usage: Services --> SSH --> Permit root
        login

    We discussed this months ago already: A mandatory password change on first login (web UI) which also adjusts root passwd at the same time. Waiting since then since no idea where/how to implement something like that in OMV.

    • Official post

    we both consider an open root enabled SSH account with default password 'openmediavault' some sort of a backdoor the majority of users (who never will use SSH and might not even know about) is not aware of.

    If root login via ssh is going to be disabled, then why not set the root password to a random string? If a user wants to login via ssh, they can create a user with ssh (and sudo) privileges.


    A mandatory password change on first login (web UI) which also adjusts root passwd at the same time

    I'm still not sure how to do that. Maybe @votdev has some ideas (not asking votdev to code but just for some ideas).


  • If root login via ssh is going to be disabled, then why not set the root password to a random string? If a user wants to login via ssh, they can create a user with ssh (and sudo) privileges.

    Well, in Armbian we have 'chage -d 0 root' set which means users login via SSH with the default logon credentials 'root:1234' and are immediately forced to assign a new root password (using the distro's default password strength policies so '4321' or 'test123' won't work). We deal with users that fail with the password change (having to enter two times 1234 and then their new password two times again) and we deal with users who can not remember the password they assigned a day later.


    When I started with the ARM OMV images I followed your conventions using a default 'predictable' password without forced passwd change since I thought that's for a reason (maybe support nightmare). I'm open for any suggestions and of course also fine with returning to Armbian defaults which would just require either deleting a single line or adding the chage call again (allowing to login with 'openmediavault' passwd the first time and then forcing the user to choose an own)

    • Official post

    When I started with the ARM OMV images I followed your conventions using a default 'predictable' password without forced passwd change since I thought that's for a reason (maybe support nightmare). I'm open for any suggestions and of course also fine with returning to Armbian defaults which would just require either deleting a single line or adding the chage call again (allowing to login with 'openmediavault' passwd the first time and then forcing the user to choose an own)

    It was done to make things easy. Lately, it seems like no one connects a monitor to arm boards. So, I'm ok with no (or random) root password being set. I don't think the chage fix helps with users who never use ssh. If we can just get the first login to force the admin user to change its password, I think it would be a fairly secure system.


  • where to report pbls. like these?


    Building a jessie OMV armbian today left me with an unreachable device.


    on the first run with automatic reboot, the ovm-mkconfig interfaces destroys the /etc/network/interfaces:



    after fixing it manually and bringing the interface up with ifup, the web-gui is still not able to connect, after login.


    the interface config can be fixed with omv-firstaid & reboot.
    but web-gui is still not able to connect, after login: communication failure


    in case it might help, i played with stretch and OMV4 before, there was no such error.

    • Official post

    If root login via ssh is going to be disabled, then why not set the root password to a random string? If a user wants to login via ssh, they can create a user with ssh (and sudo) privileges.

    I'm still not sure how to do that. Maybe @votdev has some ideas (not asking votdev to code but just for some ideas).

    The root password is set during the ISO installation, so there is no need to change it. If OMV is installed manually, then the admin is responsible for its account. If OMV is installed via images, then some scripts must ensure the password is unique and not a default one.

    • Official post

    It was done to make things easy. Lately, it seems like no one connects a monitor to arm boards. So, I'm ok with no (or random) root password being set. I don't think the chage fix helps with users who never use ssh. If we can just get the first login to force the admin user to change its password, I think it would be a fairly secure system.

    The root user and password should NEVER be modified and managed via the UI. This is a big security hole and that's why it is not implemented until now.

  • If OMV is installed via images, then some scripts must ensure the password is unique and not a default one.

    Fully Agreed. Unlike the ISO installation for x64 the 'installation' on ARM devices is not guided in any form and I fear this won't change anytime soon or at all (headless devices and lack of serial console by majority of users)


    As an approach for OMV ARM installations providing same security level as on x64 I could imagine the following:

    • permit root login set to NO by default (done on every ARM image currently except Raspberry Pi)
    • default root password is set to openmediavault (default now)
    • Password policy enforces root passwd change the first time root logs in either locally or via SSH (that's how Armbian does it, not implemented yet on the OMV images since I disabled it to remain compatible to the 'old' behaviour)


    So by default no root SSH login possible unless user sets permit root login to YES in web UI. When logging in through SSH as root he's forced to immediately change the password. An alternative approach is the user creating an own user account belonging to the sudo group (which is what I would prefer to write into the documentation).
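
    The three-point proposal above can be checked on a mounted image before it is published. The following Python script is an added example, not part of the original post and not OMV or Armbian code; the function names are hypothetical and the shadow and sshd_config contents are constructed samples. It reads root's entry in the shadow file (a last-change field of 0 is what 'chage -d 0 root' sets) and the global PermitRootLogin value, for which sshd uses the first value it reads.

```python
# Added example: all inputs below are constructed, not taken from a real image.

def sshd_permit_root_login(config_text):
    """Global PermitRootLogin value; sshd keeps the first value it reads."""
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ").split()
        if not parts:
            continue
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":              # conditional blocks start here
            break
        if keyword == "permitrootlogin" and len(parts) > 1:
            return parts[1].lower()
    return None                             # unset: sshd's built-in default applies

def root_shadow_state(shadow_text):
    """Relevant fields of root's shadow entry, or None if there is none."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == "root" and len(fields) >= 3:
            pw, lastchg = fields[1], fields[2]
            return {"usable": pw != "" and not pw.startswith(("!", "*")),
                    "empty": pw == "",
                    "must_change": lastchg == "0"}  # set by 'chage -d 0 root'
    return None

def audit_image(shadow_text, sshd_text):
    """Return a list of findings; an empty list matches the proposal."""
    root = root_shadow_state(shadow_text)
    permit = sshd_permit_root_login(sshd_text)
    if root is None:
        return ["no root entry in shadow file"]
    findings = []
    if root["empty"]:
        findings.append("root has an empty password")
    if root["usable"] and not root["must_change"]:
        findings.append("shipped root password never has to be changed")
    if permit is None:
        findings.append("PermitRootLogin unset, sshd default applies")
    elif permit == "yes" and root["usable"]:
        findings.append("root password login over SSH is enabled")
    return findings

# Constructed samples: the old behaviour and the proposal from the post above.
OLD_SHADOW = "root:$6$constructed$placeholderhash:17450:0:99999:7:::\n"
OLD_SSHD = "Port 22\nPermitRootLogin yes\n"
NEW_SHADOW = "root:$6$constructed$placeholderhash:0:0:99999:7:::\n"
NEW_SSHD = "# image default\nPermitRootLogin no\nPermitRootLogin yes\n"

if __name__ == "__main__":
    print(audit_image(OLD_SHADOW, OLD_SSHD))
    print(audit_image(NEW_SHADOW, NEW_SSHD))
```
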

  • on the first run with automatic reboot, the ovm-mkconfig interfaces destroys the /etc/network/interfaces

    Hmm... IMO wrong place to discuss this low level stuff and self-built images here. But please try out to replace these lines with


    Code
    sleep 30 && sync && reboot' /etc/init.d/firstrun

    and report back in Armbian forum.

  • Password policy enforces root passwd change the first time root logs in either locally or via SSH

    Sounds to me like the way to go. ;)


    permit root login set to NO by default (done on every ARM image currently except Raspberry Pi)

    Be coherent. Don't make it behave differently on different platforms.


    default root password is set to openmediavault (default now)

    Not sure what is the way to go here, I'd suggest it to be openmediavault and have it changed on first login, as long as permit root login is disabled. Make a note on all github readmes that root login is disabled.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

    • Official post

    The root user and password should NEVER be modified and managed via the UI. This is a big security hole and that's why it is not implemented until now.

    I was more interested in forcing the admin password to be changed on first web ui login. root can be disabled for all I care.


  • just installed OMV_3_0_88_Odroidxu4_4.9.52.img.xz on the HC1, going to update and i get an error on a repo:


    W: Failed to fetch http://apt.armbian.com/dists/jessie/InRelease Unable to find expected entry 'jessie-utils/binary-armhf/Packages' in Release file (Wrong sources.list entry or malformed file)
    E: Some index files failed to download. They have been ignored, or old ones used instead.


    and what's the correct procedure to update to OMV4, when my apt will work?
    thanks

    • Official post

    Request for test

    Working fine here. Uploading now.


    Done now.


    Edited once, last by ryecoaaron ()
