- fix: qcow2 images wouldn't use eth0 by default
- fix: enable guest access to Grafana would not work if Grafana organization name had been changed
- fix: web site aborts upgrade package upload after 60s
- fix: wrong permission in upgrade file would break NAbox during manual upgrades
- new: migrate tool for NAbox 3 can be run with -debug for troubleshooting
- Grafana 11.2
- Base OS upgrade (Flatcar Container Linux 3975.2.1)
# NAbox 4.0.7 is available
Just installed, configured and started an upgrade of a system with 4 clusters and quite some history.
The network startup file was not created. Did that by hand.
Installed Harvest and started migrating. Still running. But a well documented smooth experience so far!
Thanks Martijn! I'm worried that the network startup file wasn't created. Is that on VMware? Did you set up networking in the vCenter deployment or did you leave it blank?
Harvest wasn't installed already ?
Yes, Harvest was already at 24.08
I set all in VMware 8.0.3, but no start-up file.
So no /etc/systemd/network/10-nabox.network ?
Migration finished. I had to re-enter the passwords for data collection to start after the migration.
Not a single file in the directory
Ok, would you send a support bundle to https://upload.nabox.org/qyko-zocy-cify ?
Sure!
Thanks !
It's there!
Just another note: the Grafana item on the About screen has a question mark and not the version number
Uploaded a screenshot
Yeah I see that. You changed the default password didn't you ?
Ok there is some weird race condition with setting up grafana auth I'll try and track that in the logs
and I see the issue with network config I think
Did I make a typo?
No I think it's a bug. just trying to understand why I didn't hit it !
How did you configure ip btw ? Originally. Static ip or dhcp in vcenter screen ?
Static!
With the netmask in the IP address ?
I think I got it
/23
for the grafana thing, what you can do is regenerate an api token for the nabox user, in grafana I think it exists, and put it in /etc/nabox/secrets/grafana-secret then systemctl restart naboxd
If you wanna test on my Harvest to make sure it works, feel free. If you break it you fix it. 😄
You don't have to tell me twice 😄
It'll take me a couple hours to get on VPN then I'm unleashed
NAbox 4.0.7 is available
Should I update?
To be on the safe side but you shouldn't have any problem
Just upgraded, will do the Grafana part today
Do you have some more details? Cannot find an nabox user in grafana, nor service account.
Yep that’s the problem. You can create a new “nabox” service account and paste the key in the grafana-secret file
I only have three files. One with a typo:
havrest-secret; jwt-secret and a folder called ssl
It is even stranger. I do not see any service account in the gui. But when I try to create the nabox service account, it states: Service account already exists
And I cannot log into grafana anymore...
Any help would be appreciated
I also see that the container name is havrest
Available for a remote session ?
havrest is the REST frontend that is wrapped around Harvest so that's normal
In grafana, that's the url where you should be able to see service accounts and there should be one for nabox : /grafana/org/serviceaccounts
and in nabox you should have one token created nabox
On a closed site....
I keep asking right? 😄 ok you can send me screenshots of the service accounts page
First problem is: cannot log into grafana anymore. ssh and admin works fine
4.0.7
ok cool, so your credentials are denied ?
You can reset password in nabox admin page, it should reset grafana password as well
Yeah: invalid username or password. I did a reset, still no access to grafana.
Will try again
watch journalctl -fu naboxd while doing it
Sep 17 14
58 naboxd[1454]: time=2024-09-17T14
58.928Z level=ERROR source=main.go:131 msg="unable to create Grafana token" error="{"extra":null,"message"
:"Invalid username or password","messageId":"password-auth.failed","statusCode":401,"traceID":""}\n"
That is the login error, will now try reset
Sep 17 14:51:57 vsa-gra-002 naboxd[3991]: logger=migrator t=2024-09-17T14:51:57.155594775Z level=info msg="Unlocking database"
Sep 17 14:51:57 vsa-gra-002 naboxd[3991]: logger=secrets t=2024-09-17T14:51:57.156037725Z level=info msg="Envelope encryption state" enabled=true currentprovider=secretKey.v1
Sep 17 14:51:57 vsa-gra-002 naboxd[3991]: Admin password changed successfully
Sep 17 14:51:57 vsa-gra-002 chpasswd[4027]: pam_unix(chpasswd:chauthtok): password changed for admin
Sep 17 14:51:57 vsa-gra-002 naboxd[1454]: time=2024-09-17T14:51:57.233Z level=INFO source=password.go:71 msg="password changed" output=""
Sep 17 14:51:57 vsa-gra-002 naboxd[1454]: 2024/09/17 14:51:57 "POST http://vsa-gra-002/api/2.0/system/password HTTP/1.1" from 192.0.0.3:35848 - 200 30B in 324.075501ms
Sep 17 14:51:58 vsa-gra-002 naboxd[1454]: time=2024-09-17T14:51:58.954Z level=ERROR source=main.go:131 msg="unable to create Grafana token" error="{"extra":null,"message":"Invalid username or password","messageId":"password-auth.failed","statusCode":401,"traceID":""}\n"
Sep 17 14:51:59 vsa-gra-002 naboxd[1454]: time=2024-09-17T14:51:59.772Z level=ERROR source=auth.go:74 msg="authentication failed" errors="{"errors":["JWTAuthMiddleware: no Authorization header","BasicAuthMiddleware: unable to read credentials"]}"
Sep 17 14:51:59 vsa-gra-002 naboxd[1454]: 2024/09/17 14:51:59 "GET http://vsa-gra-002/api/2.0/health HTTP/1.1" from 192.0.0.3:35848 - 401 107B in 103.832µs
Sep 17 14:52:08 vsa-gra-002 naboxd[1454]: time=2024-09-17T14:52:08.972Z level=ERROR source=main.go:131 msg="unable to create Grafana token" error="{"extra":null,"message":"Invalid username or password","messageId":"password-auth.failed","statusCode":401,"traceID":""}\n"
dc exec grafana grafana cli admin reset-admin-password <new password> ?
weird, 4.0.7 should do exactly that
well, actually Admin password changed successfully comes from grafana
what was the output of the successful password change ?
Paste it to the url you sent me.
Also a screenshot of the service accounts screen (no users visible)
@severe ferry Thanks for the amazing support
trying to get this going on Azure and it fails to boot
after ~5 minutes it just goes into a reboot cycle without actually ever starting
went through the same steps/process that I did to get 3.3 working. Converted the disk, uploaded, created new vm using the flatcar image, swapped the OS disk, started the system
You're probably missing the data disk
use the vhdx image, make a new vm and attach a data disk, just had a report today that it works 😄
I created the second disk the same way and attached it.
This was with that attached, doing it without being attached yields the same problem.
Did they deploy in Azure? Should I just add a blank data disk instead of the one created by the ova?
No that was actual Hyper-V. Here is the thing, it seems that Azure image format provided by Flatcar is VHD, not VHDX.
The problem is the VHD is much bigger and I don't have space to uncompress it and pack it. That's why there is no VHD image
I use qemu to convert the disk and then the powershell module "Add-AzVhd" to upload it
the unpacked image for disk1 is 8gb
qemu-img convert -p -f vmdk -O vpc -o subformat=fixed NAbox-disk1.vmdk NAbox-disk1.vhd
Add-AzVhd -LocalFilePath NAbox-disk1.vhd -ResourceGroupName rg-storage -Location eastus2 -DiskName NAbox_4.0.7_disk01 -DiskSKU Standard_LRS -DiskOsType Linux -DiskHyperVGeneration V1
hrm. getting a little farther.
Booted the disk on my hyper-v machine, shut it down after it was successfully at the login prompt.
Used hyper-v to convert to vhd, uploaded and it passed the point it was at last time.
Now it's stuck at
hv_netvsc 6045bdb5-ff8f-6045-bdb5-ff8f6045bdb5 eth0: Data path switched from VF: enP21176s1
going to keep poking at it, see what can be done
that seems to have gotten it. after it times out and does an emergency shutdown/restart it boots and everything seems to work.
i'll finish the documents and pass them over to you for revision/etc
Don't use the VMDK as a base for Hyper-V, though, use the .zip
aye, it is what i was using for the second round
I guess I'll need to make some space on my machine and use the actual azure image. Not sure why they don't provide it as vhdx
they charge you by gb used, so the bigger the better 😮
Is there any way to add another user or group or anything to nabox for the gui?
Not tested, but if you create a system user it should work to authenticate on the web UI as well. I'm considering extending the LDAP configuration to GUI as well, OAuth could also be an option.
where are the ssl allowed ciphers/etc in the new version?
Accepted insecure ciphers: ECDHE-RSA-AES128-SHA256
also, our security team is reporting CSP misconfiguration failures
Port: TCP/443 (80)
Content-Security-Policy header mis-configured Affects:/
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 520
Content-Type: text/html; charset=utf-8
Date: Sun, 29 Sep 2024 11:14:39 GMT
Strict-Transport-Security: max-age=315360000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Connection: close
Resolution: Implement or reconfigure the Content Security Policy with source directives.
You have /usr/share/nabox/traefik/dynamic/ssl.yaml and /usr/share/nabox/traefik/dynamic/hsts.yaml
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is indeed accepted
yea, the ssl.yaml file contains that entry, but it's read only filesystem
indeed it is. You can try this : https://upload.nabox.org/tymi-rase-wixy
pushing now. thanks
is this just the ssl changes?
It's both
thanks.
verified the ssl one is fixed, waiting for sec team to rerun the rest of the scans to confirm the other.
Excellent !
another question.
What is this interface and is it in use or can the ip range be changed?
3: br-27627dc19fd4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:95:02:ab:49 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 brd 172.19.255.255 scope global br-27627dc19fd4
valid_lft forever preferred_lft forever
mmm... That's not supposed to be here.
do you have another one with inet 192.0.0.1/24 ?
docker network ls ?
docker network ls
NETWORK ID NAME DRIVER SCOPE
27627dc19fd4 build_default bridge local
e9468e9e41a5 host host local
af04ff016e87 nabox_default bridge local
6121605be548 none null local
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0d:3a:0d:ff:47 brd ff:ff:ff:ff:ff:ff
inet 172.25.1.38/24 brd 172.25.1.255 scope global eth0
valid_lft forever preferred_lft forever
3: br-27627dc19fd4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:95:02:ab:49 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 brd 172.19.255.255 scope global br-27627dc19fd4
valid_lft forever preferred_lft forever
4: br-af04ff016e87: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:34:3c:76:97 brd ff:ff:ff:ff:ff:ff
inet 192.0.0.1/24 brd 192.0.0.255 scope global br-af04ff016e87
valid_lft forever preferred_lft forever
inet6 fe80::42:34ff:fe3c:7697/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
ok you can remove it
try docker network prune
You might need docker builder prune before
ran both, that interface is showing gone. going to see if that fixed my issue.
aye, that seems to have done it.
no idea why it was there or where it came from
but thank you
is there any way to adjust the timeout on the gui
Some versions were distributed with leftovers from the build process, that's where it came from
you want it longer or shorter ?
currently it should be 20 minutes
would be preferred if it was an option to set it to whatever you want, or disable it
not a huge thing
And we're talking about NAbox UI timeout or does that cover grafana as well ?
nabox is what i was referring to
Hi @severe ferry I just created a new 4.0.7 instance and when I want to open the dashboard I get too many redirects. The URL looks like https://<fqdn>/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/grafana/dashboards
this is from the native URL and also from the links in the admin UI
Mmmm, it does that if you go on « /grafana » or « /grafana/ » ?
Over the UI it is /grafana/dashboards
Do you still have the issue ?
Me yes
Can you do a curl -v https://ip/grafana/dashboards ?
interesting - <a href="<fqdn>/grafana/grafana/dashboards">Moved Permanently</a>
Can you check GF_SERVER_ROOT_URL environment in Grafana container ?
can you provide me a short how to? 🙈
GF_SERVER_ROOT_URL=https://%(domain)s/grafana/
that looks fine
and URL looks like
Mmm, did you actually try to delete web site data ?
This was from the private mode but good point, I will delete the data and also use another browser
same issue after deleting the web site data and with firefox
the login to the admin UI works it is only the grafana part
There doesn't appear to be any way to change the Datacenter/logical group after a system is added to NAbox.
Hey Yann, sorry to replay this, but the misconfigured CSP security alert came back on this week's security scan, so it apparently has not been fixed
Content-Security-Policy header mis-configured Affects:/
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 520
Content-Security-Policy: self
Content-Type: text/html; charset=utf-8
Date: Sat, 05 Oct 2024 13:07:47 GMT
Strict-Transport-Security: max-age=315360000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Connection: close
Resolution: Implement or reconfigure the Content Security Policy with source directives.
I might have forgotten the quotes around self.....
guess there isn't an easy way to edit that
thanks, updated and we'll see what the security scan shows next time it runs.
anything that can be done about the ability to edit the datacenter name after the ontap systems are created?
or do you just have to delete them and create new ones and lose existing data
Whenever I looked into renaming metrics I think it ends up with reimporting the data somehow.
GRR, still there
Evidence for reopened
Port: TCP/443/80
Content-Security-Policy header mis-configured Affects:/
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 520
Content-Security-Policy: self
Content-Type: text/html; charset=utf-8
Date: Sat, 05 Oct 2024 13:07:47 GMT
Strict-Transport-Security: max-age=315360000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Connection: close
@severe ferry Sorry to keep bugging you about this, but I can't make changes as it's RO
Mmm, it should be self with single quotes.
Ok I have no idea about CSP really. Maybe the expected syntax is something like default-src 'self';
honestly don't know myself, i'll have to look into it to see what the error is actually being reported
@severe ferry sent you a DM about the CSP stuff, not sure you get them or not