DEV Community: ductapedev

Install `docker-compose` on NVIDIA Jetson Nano

ductapedev — Tue, 17 Aug 2021 01:45:57 +0000

When working with Jetpack 4.5.1 for NVIDIA Jetson Nano, it comes with Docker installed, but not docker-compose. And because the Nano is arm64 CPU architecture, installing Docker Compose is not straight forward. There are a number of existing tutorials listed in the references section, but none of them worked exactly as-is for me, or some of them have slightly bloated or less secure instructions that I would prefer. So here is my lean, mean, securely-installing ~~machine~~ instructions.

Install prerequisites

Make sure your Ubuntu installation is up to date with the usual apt-get commands

sudo apt-get update && sudo apt-get upgrade -y

Install necessary Ubuntu packages

sudo apt-get install -y python3-pip libssl-dev python-openssl libffi-dev rustc cargo

Now the default version of pip and setuptools that ships with Jetpack 4.5.1 is not new enough to successfully install docker-compose. Those need to be upgraded before continuing. You can upgrade to the newest version, but here are the versions that I tested.

python3 -m pip install --upgrade pip==21.1.3 setuptools==56.2.0

Then, once those are upgraded you can install Docker Compose. Docker Compose needs to be installed as root to give it access to the low-level system resources it needs to execute the installer.

sudo -H python3 -m pip install docker-compose==1.29.2

And after that completes, you should be able to get the version with docker-compose --version

Docker without `sudo`

One thing that can be really annoying when using the default Jetpack version of docker is that you have to run everything with sudo. Here are the steps to add your user as part of the docker group.

sudo groupadd docker
sudo usermod -aG docker $USER

Then log out and log back in as your user to make sure all the settings are applied properly. No more sudo!

References

https://developer.nvidia.com/jetpack-sdk-451-archive

https://docs.docker.com/engine/install/linux-postinstall/

https://dev.to/docker/install-docker-compose-1-28-2-on-nvidia-jetson-nano-is-not-straightforward-3952

https://collabnix.com/running-docker-compose-on-nvidia-jetson-nano-in-5-minutes/

Passwordless SSH on Raspberry Pi

ductapedev — Tue, 17 Aug 2021 00:34:21 +0000

This post is a reference for me and others who wants to improve their InfoSec hygiene. As a software engineer who deals with lots of servers, accounts, and IoT devices, one common task that is a daily routine is to SSH into various computers. SSH commonly is based on username and password. For Raspbian, the default is:

raspberrypi login: pi
Password: raspberry

Which is convenient for starting out with a new board, or for new users. But this is not the most secure, especially when enabling SSH to connect into your devices remotely (even if just for engineering and development). I've never been guilty of forgetting to change the default login on the devices I leave connected to my network. 🙄 Having those devices around on your engineering and development network makes a great pivot for attackers (see Mirai).

Let's start with a Raspberry Pi device.

Connect to your Raspberry Pi device over the serial port, or by using a monitor and keyboard and log in.
Use the raspi-config to configure Wi-Fi or plug in Ethernet cable.
Enable SSH
Upload your SSH public key using ssh-copy-id. This automatically creates the .ssh directory with the correct permissions and puts your public key in the authorized_keys file.

ssh-copy-id pi@[ip_address]

NOTE: Sometimes, if you are using a key-manager like Krypt.co you will not have the typical .pub file to copy, in which case using ssh-copy-id -f option will force it to copy anything close to a public key and this works for me.

Disable the password/challenge-response login so that only your SSH key will work. (But first, make a backup in case you make a mistake! If you do make a mistake, you will have to connect directly to the UART or have a local mouse/monitor/keyboard to fix it and the backup file will be super handy)

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo vi /etc/ssh/sshd_config

Uncomment and/or set the following parameters in the sshd_config.

ChallengeResponseAuthentication no
...
PasswordAuthentication no
...
UsePAM no

Then restart the ssh server.

sudo systemctl reload ssh

Downsides

Now, once you disable password/challenge response login, you get the benefits of increased security that no-one can access your pi without being in the authorized_keys file. However, if you ever lose your SSH private key, you can no longer get into your Pi remotely. But, with commodity hardware like raspberry pi, you can always pull the SD card and manually edit the authorized_keys file, or just reflash the card and start again, or connect using a local keyboard/monitor/mouse or via the UART console.

References

Original base of Cover Photo by Takacs Alexandra on Unsplash, modified by me to add Raspberry Pi.

https://www.cyberciti.biz/faq/how-to-disable-ssh-password-login-on-linux/

https://phoenixnap.com/kb/setup-passwordless-ssh

https://community.perforce.com/s/article/6210#:~:text=ssh%20directory%20permissions%20should%20be,-----).

Installing Krypt.co on NVIDIA Jetson Nano

ductapedev — Wed, 21 Jul 2021 20:54:40 +0000

When writing software that will perform AI on the edge, the NVIDIA Jetson Nano devboard is a great piece of hardware to play with. It's a 64-bit ARMv8 CPU architecture.

In order to create a smooth user experience of moving between development machines, I use krypt.co to manage the private keys for my SSH and GPG key pairs. This gives me the security benefit that access to my development machine doesn't give anyone "access" to connect to any SSH connections, or to sign anything with my GPG key. Secondly, this allows me to use 2FA for my SSH and GPG keys. The major downside is that Krypton was acquired by Akamai and at some point in the future, the krypt.co service will have to be shut down :(. Second issue is that my phone is now the guardian of my private keys.

Anyway, let's assume that you also want to use Krypt.co, and that you want to use an NVIDIA Jetson Nano as your dev machine. The problem with this, is that Krypton doesn't maintain an executable of the Linux kr utility for the ARM64 CPU architecture in Linux (Debian flavors-- the Jetson Nano OS is based on Ubuntu). Luckily, Krypton gives you the instructions to build their kr utility from source!

We are going to follow the Krypt.co installer instructions to install kr from source on ARM64 CPU architecture running Linux 4 Tegra (L4T) (an Ubuntu-flavored Linux distro).

Install the apps

Golang

Get the ARM64 build for Linux from the Golang downloads page and follow the install instructions on the page. The download instructions might change, but here is what works for Go 1.16.7:

wget --secure-protocol=TLSv1_2 --https-only https://golang.org/dl/go1.16.7.linux-arm64.tar.gz && echo "63d6b53ecbd2b05c1f0e9903c92042663f2f68afdbb67f4d0d12700156869bac *go1.16.7.linux-arm64.tar.gz" | sha256sum -c -

# Make sure the result is "go1.16.7.linux-arm64.tar.gz: OK" which means the SHA256 has checked out.

This is covered on the instructions page, but essentially, you rm any old versions of go, and then untar the download you just downloaded into /usr/local/go as the root user. Then remove the tarball because you are done with it. Here is how it works for Go 1.16.7:

sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.16.7.linux-arm64.tar.gz && rm go1.16.7.linux-arm64.tar.gz

Handy tip: use the profile.d executor to add go to your path:

sudo touch /etc/profile.d/go-bin-path.sh

Then put the following in that file:

# shellcheck shell=sh

# Expand $PATH to include the directory where golang executable is.
go_bin_path="/usr/local/go/bin"
if [ -n "${PATH##*${go_bin_path}}" ] && [ -n "${PATH##*${go_bin_path}:*}" ]; then
    export PATH=$PATH:${go_bin_path}
fi

And next time you log into the shell session, you will have go installed.

Rustup

While you can follow the official rustup installation (which is pretty easy to install using their install script), we will use the Rust packages that are part of Canonical's Bionic package repository.

sudo apt-get install -y rustc cargo

Install `kr`

Now here is where the instructions deviate from the website. The go get and such didn't really work out for me, but fetching the kr repo directly from GitHub worked when I followed the README in the repo.

wget --secure-protocol=TLSv1_2 --https-only https://github.com/kryptco/kr/archive/1937e31606e4dc0f7263133334d429f956502276.zip && echo "b1bf4a46ee998b4489d880e443cafc435bbfca3184c1d199597b60ee8ba2edf6 *1937e31606e4dc0f7263133334d429f956502276.zip" | sha256sum -c -

# Make sure the ^ command results with "1937e31606e4dc0f7263133334d429f956502276.zip: OK" which means the SHA256 has was correct.

unzip 1937e31606e4dc0f7263133334d429f956502276.zip -d kr && cd kr/kr-1937e31606e4dc0f7263133334d429f956502276
make install
make start

Using `kr`

Set up SSH

Now that you have built and installed the kr utility, all that is left is to pair to your Krypton account.

kr pair

This will configure your Jetson Nano and your Krypt.co account to use 2FA when accessing your SSH keys.

Git commit signing

As mentioned above, kr can also be used to sign your git commits. This is great if your repos require signed commits.

All we have to do is:

git config --global user.name "username"
git config --global user.email "username@email.com"
kr codesign

Now any time you make a git commit your commits will use kr to prompt your phone to approve the use of your GPG key.

Cleaning up the build

Now that you have installed and tested Krypton, you can clean up in the build files.

cd ../../ # Or whatever directory you started in
rm -r 1937e31606e4dc0f7263133334d429f956502276.zip kr

DEV Community: ductapedev

Install `docker-compose` on NVIDIA Jetson Nano

Install prerequisites

Install necessary Ubuntu packages

Docker without sudo

References

Passwordless SSH on Raspberry Pi

Downsides

References

Installing Krypt.co on NVIDIA Jetson Nano

Install the apps

Golang

Rustup

Install kr

Using kr

Set up SSH

Git commit signing

Cleaning up the build

Docker without `sudo`

Install `kr`

Using `kr`