I ran install-dev-tools to install Dell iSM, and the installation completed successfully. I no longer need the development tools or the full root-level permissions that were enabled.
What is the best practice way in TrueNAS SCALE 25.10.2.1 (Goldeye) to remove Developer Mode and re-enable the default read-only protections on the system filesystem?
I have a configuration backup downloaded from before I enabled Developer Mode. I also have a previous boot environment from the 25.10 series available for rollback, but this is from a earlier minor version (25.10.2).
After the next update your custom installed packages will be removed again and you will have to re-install them…
The Documentation only mentions to reenable the write protection, but nothing on how to do it. It only mentions that install-dev-tools is not persistent across updates.
Using install-dev-tools is a one way track, can’t remove AFAIK. However if you’ve used commands such as systemd-sysext unmerge and systemmd-sysext merge then as as long as the merge is done after you add packagesis set then you shouldn’t haveroot-level file permissions issues
Yeah, I’m starting to accept it’s a one way street. Truenas is working, but I really only used dev mode for installing Dell ism. I’m probably going to do a fresh reinstall of truenas and restore my setting from the backup taken before I ran installed dev mode.
As far as reinstalling Dell ism, i’m looking at a more target approach after the reinstall.
Going to attempt to run the disable-rootfs-protection script by itself to disables the read-only protections, install ism, then enable the read-only protections.
Hear me out; why not keep it in its current state? I don’t understand what you’re going to lose by keeping dev mode on, but the rest of your post sounds like a massive headache to me.
• Larger attack surface: Developer Mode disables the default read-only protections on critical system directories (/usr, /opt, etc.). This allows anyone with shell access (or a compromised process) to modify or replace system files, which is normally prevented by design.
• Package management enabled: It installs tools like apt, make, python3-pip, sshpass, and others. This makes it possible to install unvetted or third-party packages, which can introduce malware, unpatched vulnerabilities, or backdoors.
• Bypasses appliance hardening: TrueNAS SCALE is intentionally built as a locked-down appliance. Developer Mode removes one of the key security layers that protects the root filesystem from accidental or malicious changes. The system is no longer in its tested, hardened state.
It’s a lot of overhead to keep around for installing iSM.
