Sometimes just let your memories go. Part One.
Praha: 2016-08-01 11:00
Budapest: 2016-08-01 11:00
Buenos Aires: 2016-08-01 06:00

During the course of June 2016, I decided to extend my backup system with a Western Digital MyCloud EX2 device. Still having the functioning ancestors - WD MyBook World 500GB (BlueRings) and WD MyBook 1TB (WhiteLight) - I decided to purchase a contemporary 8TB one.

The disk storage marketing is getting ridiculous. In the old times it was totally acceptable to advertise a 1GB disk while the actual capacity was something like 980MB.

Now an 8TB disk in RAID1 is not 4TB but 3.72TB. Approximate quick math, deducting the system software: you get ~26.5GB less.

I guess, this value is fractional nowadays.

Having had WD and other NAS devices in my hands for both personal and business purposes over the last n years, I tend to believe that I know what I do and don't expect from such equipment. Without any attempt at completeness: I don't need support for unused protocols, media servers, torrent downloaders, remote manageability, and so on.

What I need is:

After a healthy amount of curiosity and work, the previous WD devices have been capable of fulfilling the above - let's be honest, shall we - not really complex dreams.

This is where WD MyCloud EX2 terribly fails.

Based on the previous good experiences, I was looking forward to having this device with joy. Primarily because the MyBook is still well around, but:

----

LEGAL DISCLAIMER:
The below paragraphs in many parts will show various steps and actual commands which without sufficient precautions and expertise can - not limited to - cause data loss and/or disrupt your access partly or completely to the services and functionalities of your MyCloud EX2. I shall bear no liability for such event, and refuse any responsibility.

It's a kind of blunt RTFM way. I wasn't happy at the time, but now my first major data loss is recalled as funny: during my first steps with Linux around 2000, I executed a cp something /dev/hda.

Back in those days there was no home internet, no extra computer for testing (not even a second harddisk), no virtual machines and clearly no budget for professional data recovery.
This broke the file system, and I bid farewell to my data.

----

Jumping right into the middle of the battleground: while getting comfy with the device, dark clouds started to gather. And it wasn't cheap either.

The first shock and stair of the calvary arrived when the device booted up for the first time, and I couldn't access it by IP address or local hostname, as outlined in the manual. I couldn't care less, I have better ways to spend my life than brainstorming on things like Am I Linux Fanboy enough?, so I booted up my Microsoft Windows partition, downloaded and installed the WD Access to pursue the official installation procedures.

No glitch happened on the road, the device became accessible, so I changed back to Linux to configure the users, shares, network and other minor things via the web interface. I couldn't fathom why the passwords are limited to 16 characters in 2016 - but I brushed the thought away. Later I also ignored the DSA key algorithm length at 1024 bits - I'll do the needful when I'm in the device.

The SSHD Hell
The SSH (Secure Shell) is a kind of de-facto remote access protocol for Linuces: an sshd daemon runs on the server, and after connection the ssh client allows you to roam there just as if you were doing it locally. Compared to old WD NASes, the EX2 already offers the SSH login - only you have to wade through rows of reprimanding admonitions, including the legal disclaimer telling you that your warranty is void if you enable SSH, et cetera - tick it in, tickitin' hard.

So I entered the device, and in my ignorant naïveté started to configure the system.

Then later rebooted. Shouldn't have done that.

The first thing I noticed: against all of my configuration, the SSH connection didn't offer the configured RSA algorithm but had returned to the default DSA:

Unable to negotiate with ex2: no matching host key type found. Their offer: ssh-dss

WTF. Nonetheless I logged in to learn, that all of the customized configurations in /etc are gone, disappeared, ceased to exist.

Whattaheck. Getting a grasp of the essence of the device, I found the structure is built on a ramdisk, into which the system firmware is loaded each time you boot up the device - anything you change on the root partition during runtime is going to be overwritten during the next boot.

So I plunged into building a custom firmware: I downloaded the something like 900MByte firmware source from the WD site, and in time I finished the custom firmware with my SSH needs, such as:

# remove after config
AllowUsers u sshd
PermitEmptyPasswords no
StrictModes yes
PermitRootLogin no

The more root users, the merrier
After reboot I enjoyed seeing that I was unable to log in with the sshd user. Why? Checking out /etc/passwd revealed the punchline:

root:x:0:0:Linux User,,,:/home/root:/bin/sh
sshd:x:0:0:Linux User,,,:/home/root:/bin/sh

And default settings in /etc/ssh/sshd_config:

sshd@ex2 / # cat /etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
AllowUsers root sshd
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
TCPKeepAlive yes

These mean the sshd user is just a duplicated root (root is the Administrator or the Linux equivalent of God): so if you have crazy security ideas like disallowing root access for SSH via the PermitRootLogin no directive - then you won't be allowed to log in with the sshd user either.
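The checks implied above can be scripted. This is an added example, not code from the post or from WD's firmware: it lists the UID 0 accounts in a passwd file and reports the weak settings in an sshd_config, using the excerpts quoted above as sample data. The normal user "u" and its passwd line are constructed, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example; the sample data is constructed from the excerpts quoted in the post.

# Names of all accounts with UID 0: each one is root as far as sshd is concerned.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$@"; }

# $1: UID 0 account names; sshd_config is read from stdin (or from the file in $2).
sshd_findings() {
    _r=$(printf '%s' "$1" | tr '\n' ' '); shift
    awk -v roots="$_r" '
        /^[ \t]*#/ || NF == 0 { next }              # comments and blank lines
        { key = tolower($1) }                        # keywords are case-insensitive
        key == "permitemptypasswords" && tolower($2) == "yes" { print "empty-passwords-allowed" }
        key == "hostkey" && $2 ~ /dsa/ { print "dsa-host-key:" $2 }
        key == "permitrootlogin" && prl == "" { prl = tolower($2) }
        key == "allowusers" {
            n = split(roots, r, " ")
            for (i = 2; i <= NF; i++)
                for (j = 1; j <= n; j++)
                    if ($i == r[j]) hit[++h] = $i
        }
        END {   # PermitRootLogin is decided by UID, not by the account name
            tag = (prl == "no") ? "uid0-account-refused:" : "uid0-login-allowed:"
            for (k = 1; k <= h; k++) print tag hit[k]
        }
    ' "$@"
}

sample_passwd() {       # root and sshd lines as quoted; "u" is a constructed normal user
    printf '%s\n' 'root:x:0:0:Linux User,,,:/home/root:/bin/sh' \
        'sshd:x:0:0:Linux User,,,:/home/root:/bin/sh' \
        'u:x:1001:1000:Linux User,,,:/home/u:/bin/sh'
}
sample_stock_cfg() {    # subset of the stock sshd_config quoted above
    printf '%s\n' 'HostKey /etc/ssh/ssh_host_dsa_key' 'AllowUsers root sshd' \
        'PermitEmptyPasswords yes' 'PasswordAuthentication yes'
}
sample_custom_cfg() {   # the customised settings from the post
    printf '%s\n' 'AllowUsers u sshd' 'PermitEmptyPasswords no' \
        'StrictModes yes' 'PermitRootLogin no'
}

roots=$(sample_passwd | uid0_accounts)
echo "stock:";  sample_stock_cfg  | sshd_findings "$roots"
echo "custom:"; sample_custom_cfg | sshd_findings "$roots"
```

On the stock configuration it reports the DSA host key, empty passwords and two root-equivalent logins; on the customised one it reports that sshd is refused, which is the lockout described above.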

Imaginary conversation
- What if sshd was a standard user, then put it into a group whose members are permitted to access via SSH?
- Ur stupid? Give root, give 'em all! Hail to the Rule of Most Permissions!
- But...this device...is advertised...and...expected...to connect 24/7 to the internet...like...this? With additional...Permit...Empty...Passwords?
- Oh, shut up smartypants!

Happily lived ever after?
Nope. After cooking a firmware again, solving the PermitRootLogin, I still had to notice the peculiar return of the above SSH config defaults. I rebooted again, and realized that during the boot process a hardcoded /usr/sbin/ssh_daemon binary still fires itself: this contains and reloads the above amazing configuration each time upon booting.

One step closer to the edge but with a magnifier, found the perpetrator at firmware/module/crfs/localsbin/setServiceStartup.sh which loads the sshd_daemon. One more firmware building, then finally SSH started to work as expected.

After this I decided, I'm just simply not strong enough to enable at all, and check how the officially and legally offered fluffy Cloud Access and Remote Server work. :(

But I clicked that box when enabling SSH!?
If you want an even mildly customized device functionality (the entry is just the tip of the iceberg), then you clearly must enable SSH.
But wait! That will void my warranty! Smooth move WD, smooth.
Also I wonder, if the harddisk(s) failed, and I have enabled SSH - could WD indeed refuse to check and replace the disks? Legally, I guess so?

Probably, since my troubleshooting email to WD support never returned any response. This likely has something to do with the fact that I mentioned the enabled SSH.
if (email contains ssh) {
open_ticket_and_drop_request(email);
}

After the initial battle, now it's time to start to use the device.

NFS, Round 1
The NFS (Network File System) is a kind of de-facto network file system protocol for Linuces: an nfsd daemon runs on the server, and the nfs client connects and carries out the file transfers.

As the manual and previous experiences insist, you enable the protocol, then set up the share on the web interface, and give the R/W permissions for the added private user. The mounting from the client computer works fine, and fstab mounting permissions are set all read and write (R/W). Yet, you still can't write to the device. Why?

Brainstorming, you cannot write, because if the Public option isn't selected on the web interface, then /etc/exports will contain this:

/nfs/sharedfolder *(ro,all_squash,sync,no_wdelay,insecure_locks,insecure,no_subtree_check,anonuid="501,anongid=1000")

The ro means the server will allow only a read-only share. So. The solution is to enable the Public option - which, contrary to your wish to set R/W rights only for a specific user, actually means that anyone on the network can access your presumed private share.

NFS, Round 2
Even if you allow some time for this crazy security idea, the default /etc/exports still looks like:

/nfs/Public *(rw,all_squash,sync,no_wdelay,insecure_locks,insecure,no_subtree_check,anonuid="501,anongid=1000")
/nfs/private *(rw,all_squash,sync,no_wdelay,insecure_locks,insecure,no_subtree_check,anonuid="501,anongid=1000")

This means, contrary to all the web-interface configurations: any private share will be R/W only for The User Called nobody (ID 501), and not the actual private user.
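To see what each of the exports lines quoted in Round 1 and Round 2 actually grants, the options can be decoded mechanically. This is an added example, not code from the post or from the firmware: the function names are hypothetical, and the last sample line (/nfs/tight, restricted to the documentation address 192.0.2.10) is a constructed entry for comparison, not a setting the device produces.

```shell
#!/bin/sh
# Added example; reads /etc/exports-style lines from stdin or from the files given.
exports_findings() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }               # comments, blanks, bare paths
        {
            for (i = 2; i <= NF; i++) {             # one "host(options)" spec per field
                spec = $i; gsub(/"/, "", spec)      # drop the stray quotes seen in the quoted lines
                p = index(spec, "(")
                host = p ? substr(spec, 1, p - 1) : spec
                opts = p ? substr(spec, p + 1) : ""; sub(/\)$/, "", opts)
                rw = squash = insec = 0; uid = "default"
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw") rw = 1
                    if (o[j] == "all_squash") squash = 1
                    if (o[j] == "insecure") insec = 1
                    if (o[j] ~ /^anonuid=/) uid = substr(o[j], 9)
                }
                if (host == "*") print $1 ": exported to every host"
                if (!rw) print $1 ": read-only for " host
                if (rw && squash) print $1 ": every client writes as uid " uid
                if (insec) print $1 ": unprivileged source ports accepted"
            }
        }
    ' "$@"
}

sample_exports() {   # first three lines as quoted in the post; the last is constructed
    cat <<'EOF'
/nfs/sharedfolder *(ro,all_squash,sync,no_wdelay,insecure_locks,insecure,no_subtree_check,anonuid="501,anongid=1000")
/nfs/Public *(rw,all_squash,sync,no_wdelay,insecure_locks,insecure,no_subtree_check,anonuid="501,anongid=1000")
/nfs/private *(rw,all_squash,sync,no_wdelay,insecure_locks,insecure,no_subtree_check,anonuid="501,anongid=1000")
/nfs/tight 192.0.2.10(rw,root_squash,sync,no_subtree_check)
EOF
}

sample_exports | exports_findings
```

Each of the three quoted lines produces three findings, while the constructed single-host entry produces none.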

Possible workarounds:

NFS, Round 3
I leaned back and started to brainstorm again. So what actual permissions are configured from the web interface? Probably any FTP, AFP, WebDAV or Samba rights - but deliberately or unknowingly by sheer ignorance nothing for NFS. Except of course, if you were inclined to set up 777 for a private share; but that would be just plain dumb, wouldn't it?

The train of thought was later confirmed by the evidence from examining the /usr/sbin/setSharePrivate.sh and /usr/sbin/share-param.sh files:

NFS-saga resolved
Do you remember /usr/sbin/ssh_daemon? Good eyes.

At this point - since I was after the SSHD Hell - I had a healthy amount of intuition that nfsd was also written...hacked together this way. Lo and behold, the firmware/module/crfs/script/nfs uses the hardcoded /usr/sbin/nfs_config binary, and like ssh_daemon, this does the same configuration-clearing with NFS upon boot and shutdown. After the modifications of this nfs file and creating a new image (see), NFS too started to work as I expected.

Unsorted recommendations

Why should you listen to and respect elder people
I have this feeling, the fact is repeated but not well enough explained. Without any attempt of completeness, the BlueRings and WhiteLight:

shutdown.sh
There's no power button on the MyCloud EX2. How can you shut it down? Well, according to WD you shouldn't turn it off, ever. Even if you wish so, you have to log in to the web interface. Which doesn't completely power off the device, just puts it into sleep mode.

Getting into ssh and looking around: there are three possibilities, The Halt, The Poweroff and The Shutdown.sh

Green is my ***
If WD anytime or ever mentions the word green in respect of power-saving landscape, just blink rapidly with total confusion. How green could a device be, which is expected to run 24/7? And what gummybear market research, or other motives led WD to this decision?

A few years ago this mass hype shocked the world, and panic roamed everywhere: That little red standby LED on electronic devices, those shall bring doom! Now tell that to WD, please.

Spooky mysteries
Haven't put any effort into these, but:

Internet of Things
There are many sites where long, seemingly proficient entries can be found about how to remedy one-or-two problems. This is a funny one: there's truth in what's being written, and no intentional malice is assumed from the author, but the lack of this information is major:

So, if the device had been indeed out of the box, the #8 post should be understood as I used the Windows setup to enable the UI access. Later after some System Restore, it was enough to connect the device to a DHCP server - but never at the one time, first time.

Don't drink while working, don't work while drinking
I would love to meet the coder who nicknames himself (or herself) Vodka. I couldn't find any other reason seeing the bloated, hack n' forth pile of code haystack (would be surprised if any documentation existed).

Whether these findings among others are intentional or a delirium tremens result:

Uhm. Any good parts to mention?
Maybe. Compared to the MyBook there are some advantages - but if I was MyCloud, I wouldn't boost forward my pectorales, since some of these can be remediated on MyBook with sufficient motivation:

After all
My not really complex dreams have been achieved, and the device is working as expected. I'll only need to add some extra applications like mc for convenient and fastest internal (not via any protocols through the computer) content activities (understandable for a file storage, huh?).

Also I still need to find a way for proper shutdown; the root of the inconsistent results isn't known yet: 2+2 always must equal four, not 1.7 or a turtle.

Theoretical, technical musing
After all the adventure an EX2 owner ventures into. Is it a smart device? Does it teach you anything? Does it prevent you from achieving something (namely, shaping it to your needs)?

Linux community vs. WD
It's been clear for ages, that the want-to-learn Linux community hacked the previous WD NAS storages nearly to the bones. This happened with BlueRings, happened with WhiteLight. Guess what happened? Within the limits they could get the best out of their device, happy and satisfied customers forwarded the recommendations.

The burning feeling that their devices had been customized; that's sad, but if WD has really been into Linux, they should have known it's unavoidable - even more, it possibly cost them nothing.

Probably the hacks made WD frustrated, and forced to build this device. One must grant, they also likely received x more support calls from inexperienced users who bricked their devices.

Although with BlueRings and WhiteLight you had to add SSH server by yourself - assuming you knew what you were doing; don't just copypaste from the internet, man!

Then later and now, as far as I know, when SSH became part of the official firmware, enabling it has always voided the warranty.
I know there are processes and procedures, but it's a shame that WD didn't recognize the above errors, yet put a not really cheap product to the market with a sequence of dumb firmware.

There'll be projects, meetings, local teams, virtual teams, roadmaps, spreadsheets, calls, escalations, brainstormings to recognize or cure the glitches before releasing the next official firmware(s); but it's hard to imagine that all the above was oblique before the previous and current firmware releases at a renowned and famous company like WD.

So long WD NAS devices.

All rights reserved © 2017