https://rancher.com/ logo
Title
r

rapid-napkin-54569

04/20/2023, 6:15 PM
Hello! I am working on upgrading Rancher within my company. I was wondering why as of 1.8.1, Rancher requires +w permissions on the settings.json file on launch and close. We usually chmod this so that users cannot make any changes to enable, disable settings that they shouldn’t be. I know the locked .plist file was introduced to lock down the Docker repositories that you can visit, but it appears that is all it can. Is there any suggestion for locking down the rest of the settings since it writes to that file anytime a user updates settings in the GUI?
w

wide-mechanic-33041

04/20/2023, 6:17 PM
you may be able to swing to deployment profiles instead of the file based ACLs if you use a management system
r

rapid-napkin-54569

04/20/2023, 6:20 PM
Yeah I saw those new deployment profiles but it seems like if a user changes the settings.json or settings in the GUI, those override the default profile. The locked profile seems to supersede the settings.json but as far as I can tell, you can only lock on setting down?
w

wide-mechanic-33041

04/20/2023, 6:25 PM
the default yeah, but shouldn’t overwrite the Locked items.
I would say HKLM and Locked would be the most common use case for governance controls.
and GPO to put things back if you have Admin users who can muck around in system root
r

rapid-napkin-54569

04/20/2023, 6:27 PM
And the only thing that can be locked is the allowed images/repositories?
w

wide-mechanic-33041

04/20/2023, 6:28 PM
nope? should be all settings though I have not tested them all
r

rapid-napkin-54569

04/20/2023, 6:29 PM
“The containerEngine.allowedImages settings are currently the only ones that can be locked”. That’s what the docs say so that’s why I was trying to do ACLs which used to work but now Rancher appears to need write permissions on the settings.json file
w

wide-mechanic-33041

04/20/2023, 6:30 PM
i don’t think they have a handy tool for windows yet, but you can use rdctl list-settings to dump everything
let me spin up windows and poke. proxy is my big need so RD has been on my back burner
r

rapid-napkin-54569

04/20/2023, 6:32 PM
Yeah I was trying this on Mac first with a simple chmod on the settings.json, removing write access since it appears that allowed images is the only lockable setting.
f

fast-garage-66093

04/20/2023, 6:34 PM
The locked profile is only implemented for the Allowed Images settings in 1.8.1; the rest is waiting for corresponding support in the Preferences dialog
👍 2
I don't think there is a way to prevent users from changing other settings until the full locked profile support is implemented.
I'm surprised that making
settings.json
read-only would have worked in pre-1.8 releases. Even if the write failed, wouldn't the settings still change for the current session?
r

rapid-napkin-54569

04/20/2023, 6:39 PM
Yeah, it actually did. It would show like it was changed in the GUI but it wouldn’t change anything, and when Rancher would restart they would be reverted back. So essentially, it would show like it was changed but nothing did change and a restart of the app would remove the changes.
f

fast-garage-66093

04/20/2023, 6:41 PM
Interesting. But that was definitely no intentional behaviour, but a side-effect of how the write-failure was handled
I hope that we get the expanded lock profile support into 1.9, but I can't promise that
r

rapid-napkin-54569

04/20/2023, 6:44 PM
Yeah I figured it wasn’t an intention. We were just trying to upgrade to the version with the allowed images since a user found a backdoor issue with the conf.d docker settings within the VM. It can be changed to add proxies, etc and those settings persist when the user restarts the app, essentially going through any controls.
w

wide-mechanic-33041

04/20/2023, 6:45 PM
wouldn’t the upstream proxy catch any distro level proxy shenanigans?
f

fast-garage-66093

04/20/2023, 6:45 PM
Nothing we can do will really prevent a malicious user from changing things; but it should be obvious to the well-intentioned employee that they are circumventing policy when they disable these mechanisms.
👍 1
r

rapid-napkin-54569

04/20/2023, 6:46 PM
Yeah, understandable. We are trying to utilize the override.yaml in the meantime. We have policy around malicious actions but trying to lock down where ever possible.
I love the new deployment profiles and hope those can be expanded like you mentioned
f

fast-garage-66093

04/20/2023, 6:47 PM
I understand. It is like having a lock on the door. Nothing that can't be overcome with a bit of violence, but it will be obvious that you were not invited when you do that
🙌 1
r

rapid-napkin-54569

04/20/2023, 6:49 PM
We are just heavily regulated so the constant fight with our security folks is always a terrible time when we try to implement great products like Rancher
Their ideal world, is not always possible haha
w

wide-mechanic-33041

04/20/2023, 6:50 PM
come on lock the laptop in a safe and drop it to the bottom of the bay. super secure
🤣 1
f

fast-garage-66093

04/20/2023, 6:51 PM
Like how Windows NT4 got a C2 security certification (only valid for configurations without a network card)
👀 1
w

wide-mechanic-33041

04/20/2023, 6:52 PM
anything can be made secure with a bit of epoxy. usable… well you will adapt
🙌 1
r

rapid-napkin-54569

04/20/2023, 6:55 PM
Well thank you both @fast-garage-66093 and @wide-mechanic-33041! Appreciate the input and I look forward to the updates coming to Rancher!
f

fast-garage-66093

04/20/2023, 6:56 PM
Note that "Rancher" typically referes to "Rancher Manager", and this tool is called "Rancher Desktop". In hindsight this was an unfortunate naming decisions, but here we are...
r

rapid-napkin-54569

04/20/2023, 6:57 PM
Oh my apologies! just used to calling that from my day-to-day work. Will note that