diff --git a/elements/dynamic-login/README.rst b/elements/dynamic-login/README.rst
new file mode 100644
index 00000000..0fb198bf
--- /dev/null
+++ b/elements/dynamic-login/README.rst
@@ -0,0 +1,46 @@
+=============
+dynamic-login
+=============
+
+This element insert a helper script in the image that allows users to
+dynamically configure credentials at boot time. This is specially useful
+for troubleshooting.
+
+Troubleshooting an image can be quite hard, specially if you can not get
+a prompt you can enter commands to find out what went wrong. By default,
+the images (specially ramdisks) doesn't have any SSH key or password for
+any user. Of course one could use the ``devuser`` element to generate
+an image with SSH keys and user/password in the image but that would be
+a massive security hole and very it's discouraged to run in production
+with a ramdisk like that.
+
+This element allows the operator to inject a SSH key and/or change the
+root password dynamically when the image boots. Two kernel command line
+parameters are used to do it:
+
+sshkey
+ :Description: If the operator append sshkey="$PUBLIC_SSH_KEY" to the
+ kernel command line on boot, the helper script will append
+ this key to the root user authorized_keys.
+
+rootpwd
+ :Description: If the operator append rootpwd="$ENCRYPTED_PASSWORD" to the
+ kernel command line on boot, the helper script will set the
+ root password to the one specified by this option. Note that
+ this password should be **encrypted**. Encrypted passwords
+ can be generated using the ``openssl`` command, e.g:
+ *openssl passwd -1*.
+
+
+.. note::
+ The value of these parameters should be **quoted**, e.g: sshkey="ssh-rsa
+ BBBA1NBzaC1yc2E ..."
+
+
+.. warning::
+ Some base operational systems might require selinux to be in
+ **permissive** or **disabled** mode so that you can log in
+ the image. This can be achieved by building the image with the
+ ``selinux-permissive`` element for diskimage-builder or by passing
+ ``selinux=0`` in the kernel command line. RHEL/CentOS are examples
+ of OSs which this is true.
diff --git a/elements/dynamic-login/element-deps b/elements/dynamic-login/element-deps
new file mode 100644
index 00000000..74451ffb
--- /dev/null
+++ b/elements/dynamic-login/element-deps
@@ -0,0 +1,3 @@
+dib-init-system
+install-static
+package-installs
diff --git a/elements/dynamic-login/init-scripts/systemd/dynamic-login.service b/elements/dynamic-login/init-scripts/systemd/dynamic-login.service
new file mode 100644
index 00000000..d83e7bd3
--- /dev/null
+++ b/elements/dynamic-login/init-scripts/systemd/dynamic-login.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Dynamic Login
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/dynamic-login
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/elements/dynamic-login/init-scripts/sysv/dynamic-login.init b/elements/dynamic-login/init-scripts/sysv/dynamic-login.init
new file mode 100755
index 00000000..8cbde822
--- /dev/null
+++ b/elements/dynamic-login/init-scripts/sysv/dynamic-login.init
@@ -0,0 +1,31 @@
+#!/bin/sh -e
+### BEGIN INIT INFO
+# Provides: dynamic-login
+# Required-Start: $local_fs networking
+# Required-Stop: $local_fs
+# Default-Start: S
+# Default-Stop: 0 6
+# X-Start-Before:
+# Short-Description: Dynamic Login
+# Description: Execute Dynamic Login
+### END INIT INFO
+
+NAME=dynamic-login
+INIT_NAME=/etc/init.d/${NAME}
+SCRIPT_NAME=/usr/local/bin/${NAME}
+
+[ -x $SCRIPT_NAME ] || exit 0
+
+case "$1" in
+ start)
+ $SCRIPT_NAME
+ ;;
+ stop)
+ ;;
+ *)
+ echo "Usage: $INIT_NAME {start}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/elements/dynamic-login/init-scripts/upstart/dynamic-login.conf b/elements/dynamic-login/init-scripts/upstart/dynamic-login.conf
new file mode 100755
index 00000000..d903d6e3
--- /dev/null
+++ b/elements/dynamic-login/init-scripts/upstart/dynamic-login.conf
@@ -0,0 +1,13 @@
+description "Dynamic Login"
+
+start on runlevel [2345]
+stop on runlevel [!2345]
+
+umask 022
+
+expect stop
+
+script
+ echo "Executing Dynamic Login"
+ /usr/local/bin/dynamic-login
+end script
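Review bot: The `[Service]` section of dynamic-login.service has no `Type=`, so systemd uses `Type=simple` and considers the unit started as soon as `/usr/local/bin/dynamic-login` is forked; `systemctl start` and anything ordered after the unit do not wait for the key or password to actually be written, and once the script exits the unit simply shows as inactive. For a helper that runs once at boot and exits, `Type=oneshot` together with `RemainAfterExit=yes` under `[Service]` gives the expected wait-for-completion and a visible "active (exited)" state. `After=network.target` looks unnecessary for a script that only reads the kernel command line, though it is harmless.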
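Review bot: The `-e` on the `#!/bin/sh -e` shebang is only honoured when the init script is executed directly; if it is invoked as `sh /etc/init.d/dynamic-login start` the option is lost, a failing helper is ignored, and the script still ends with `exit 0`. Put `set -e` on its own line after the LSB header instead, and quote the expansion in the guard, `[ -x "$SCRIPT_NAME" ] || exit 0`. Note also that the install hook registers the script as `dynamic-login.init` while the usage message says `/etc/init.d/dynamic-login`; if dib-init-system installs the file under its source name, `INIT_NAME` should be `/etc/init.d/${NAME}.init` so the message matches.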
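Review bot: `expect stop` tells Upstart that the job's main process will raise SIGSTOP to signal readiness, and nothing in this element suggests `/usr/local/bin/dynamic-login` does that; with the stanza in place Upstart waits for a SIGSTOP that never comes and its state tracking for the job is likely wrong. A script that runs once at boot and exits is a `task` in Upstart terms, so replace `expect stop` with `task`. `stop on runlevel [!2345]` is then meaningless for a job that has already finished and can be dropped.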
diff --git a/elements/dynamic-login/install.d/70-enable-dynamic-login-services b/elements/dynamic-login/install.d/70-enable-dynamic-login-services
new file mode 100755
index 00000000..5bcefdfd
--- /dev/null
+++ b/elements/dynamic-login/install.d/70-enable-dynamic-login-services
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+ systemd)
+ systemctl enable dynamic-login.service
+ ;;
+ sysv)
+ update-rc.d dynamic-login.init defaults
+ ;;
+esac
diff --git a/elements/dynamic-login/package-installs.yaml b/elements/dynamic-login/package-installs.yaml
new file mode 100644
index 00000000..c342a0be
--- /dev/null
+++ b/elements/dynamic-login/package-installs.yaml
@@ -0,0 +1 @@
+openssh-server:
diff --git a/elements/dynamic-login/static/usr/local/bin/dynamic-login b/elements/dynamic-login/static/usr/local/bin/dynamic-login
new file mode 100755
index 00000000..823ea90c
--- /dev/null
+++ b/elements/dynamic-login/static/usr/local/bin/dynamic-login
@@ -0,0 +1,31 @@
+#!/bin/bash
+# dib-lint: disable=setu sete setpipefail dibdebugtrace
+# Copyright 2015 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# Reads an encrypted root password from the kernel command line and set
+# it to the root user
+if [[ $( $SSHDIR/authorized_keys
+ chmod 600 $SSHDIR/authorized_keys
+fi
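Review bot: The `case "$DIB_INIT_SYSTEM"` in 70-enable-dynamic-login-services has no default arm, so an unrecognised or misspelled value silently produces an image in which the helper is never started; the upstart case, which needs no enabling step because jobs under /etc/init start on their own, is indistinguishable from that error. Add an explicit `upstart) ;;` arm and a `*)` arm that reports the value on stderr and exits non-zero, e.g. `*) echo "Unsupported init system: $DIB_INIT_SYSTEM" >&2; exit 1 ;;`. A short comment on the upstart arm saying why it is empty would save the next reader from wondering whether it was forgotten.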
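Review bot: The middle of the dynamic-login hunk is not reproduced in this listing (the text between `$(` and `$SSHDIR/authorized_keys` is missing and the hunk header promises 31 lines), so only the visible lines are reviewed. `$SSHDIR` is expanded unquoted both in the `>>` redirection and in `chmod 600 $SSHDIR/authorized_keys`; write both as `"$SSHDIR/authorized_keys"`. The `chmod 600` fixes the file's mode, but nothing visible here creates `$SSHDIR` with mode 700 or checks that it exists before appending, and because the `dib-lint: disable=setu sete setpipefail` line means the script runs without `set -e`, a failed append or chmod goes unreported unless the elided lines handle it. Worth a comment near the top, since it is the main caveat of this mechanism: `# NOTE: /proc/cmdline is world-readable, so the public key and the password hash passed as sshkey=/rootpwd= are visible to every local user of the booted image.` If the script hands the `rootpwd` value to `chpasswd -e` or equivalent (not visible here), any crypt(3) hash works and the README's `openssl passwd -1` (MD5-crypt) example should be replaced by `openssl passwd -6`.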