Core update 1.1.0 ⚠

This is the first update to NS8 core since Beta 1 release announcement. This brief recap is written by hand because our @nethbot is still not trained for NS8!

Security alert

First of all, this update contains an important security fix. It will be fully disclosed next Monday. In the mean time, follow the instructions below.

New features

• Custom certificate upload #413 #407 #33 Thanks to @Tbaile

Bugfixes

• Clean up JWT token validation with gin-jwt #414
• Hide the overlayFs partition in get-node-status #406
• Fix UI endless load state in retrieveNodesStatus() #411

…and other fixes and improvements!

To apply the update go to Software Center. If the update available banner is not shown, push the Reload repositories button to refresh the repository metadata cache.

image856×168 9.49 KB

To make the security fix immediately effective, the following steps are required to invalidate any existing cluster-admin (api-server) session:

1. Access the leader node with SSH or console

2. Generate a new JWT seed.

   sed -i "/^SECRET=/ c SECRET=$(uuidgen)" /etc/nethserver/api-server.env
   

3. Restart api-server service

   systemctl restart api-server
   

4. After restarting api-server any cluster-admin session is logged-out. Log in to the updated cluster-admin and change the administrative passwords.

Repeat steps 1-3 on worker nodes, too.

The storage format of 2FA secrets has changed. After the update is applied, 2FA needs to be enabled again by admin users. Follow instructions at Cluster management — NS8 documentation.

See also

• NethServer 8 Beta 1 Release 🚀
• Updates — NS8 documentation

Hi@davidep,

after i entered the commands, the previously set up 2FA authentication for the admin account is no longer active.

Regards…

Uwe

Hi Uwe, you’re right: the update changes the 2FA secrets storage.

You can either

1. enable the 2FA again, by generating a new secret (Cluster management — NS8 documentation), OR

2. convert the old secrets stored in the leader node filesystem to the new Redis-based storage, as described here: Clean up JWT token validation with gin-jwt by DavidePrincipi · Pull Request #414 · NethServer/ns8-core · GitHub

As there is also a security fix in the core update 1.1.0, option 1 is recommended.

I’m editing the post above because it is worth saying it! Thank you

Edit: added step 4 to the update procedure.

2 posts were split to a new topic: Admin’s changed password is not saved to disk

Thanks for this new release, it is possible to have CentOS Stream, Rocky Linux, and Debian 12 images too?

There are only Alma Linux 9.1 and Debian 11 images.

Previous official release images have a problem of user password and it does not work.

First of all, this release does not ship improvements to VM images. Future plans for them are to reduce the number of distro images (just one, e.g. Debian? Rocky?) and focus on platforms (VMWare, Proxmox). See also the Trello card.

In the mean time, please be patient. If the current images are not working, or are missing, try to use the alternative installation method, install.sh (see Installation — NS8 documentation).

Debian 12 support was already planned and some initial tests are progressing. To support Debian 12 we need to elevate NS8 requirements from Python 3.9 to Python 3.11.

Hi @ElKorbo, Rocky Linux’s image now is restored and ready for download. I’m still looking into fixing the Centos image.

This topic was automatically closed after 6 days. New replies are no longer allowed.