Merge "Add dynamic-login element"
commit
3a3e4e4787
8 changed files with 151 additions and 0 deletions
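--- a/elements/dynamic-login/README.rst
+++ b/elements/dynamic-login/README.rst
@@ -0,0 +1,46 @@
+=============
+dynamic-login
+=============
+
+This element insert a helper script in the image that allows users to
+dynamically configure credentials at boot time. This is specially useful
+for troubleshooting.
+
+Troubleshooting an image can be quite hard, specially if you can not get
+a prompt you can enter commands to find out what went wrong. By default,
+the images (specially ramdisks) doesn't have any SSH key or password for
+any user. Of course one could use the ``devuser`` element to generate
+an image with SSH keys and user/password in the image but that would be
+a massive security hole and very it's discouraged to run in production
+with a ramdisk like that.
+
+This element allows the operator to inject a SSH key and/or change the
+root password dynamically when the image boots. Two kernel command line
+parameters are used to do it:
+
+sshkey
+:Description: If the operator append sshkey="$PUBLIC_SSH_KEY" to the
+kernel command line on boot, the helper script will append
+this key to the root user authorized_keys.
+
+rootpwd
+:Description: If the operator append rootpwd="$ENCRYPTED_PASSWORD" to the
+kernel command line on boot, the helper script will set the
+root password to the one specified by this option. Note that
+this password should be **encrypted**. Encrypted passwords
+can be generated using the ``openssl`` command, e.g:
+*openssl passwd -1*.
+
+
+.. note::
+The value of these parameters should be **quoted**, e.g: sshkey="ssh-rsa
+BBBA1NBzaC1yc2E ..."
+
+
+.. warning::
+Some base operational systems might require selinux to be in
+**permissive** or **disabled** mode so that you can log in
+the image. This can be achieved by building the image with the
+``selinux-permissive`` element for diskimage-builder or by passing
+``selinux=0`` in the kernel command line. RHEL/CentOS are examples
+of OSs which this is true.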
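--- a/elements/dynamic-login/element-deps
+++ b/elements/dynamic-login/element-deps
@@ -0,0 +1,3 @@
+dib-init-system
+install-static
+package-installs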
|
@ -0,0 +1,10 @@
|
|||
[Unit]
|
||||
Description=Dynamic Login
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/local/bin/dynamic-login
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
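--- a/elements/dynamic-login/init-scripts/sysv/dynamic-login.init
+++ b/elements/dynamic-login/init-scripts/sysv/dynamic-login.init
@@ -0,0 +1,31 @@
+#!/bin/sh -e
+### BEGIN INIT INFO
+# Provides: dynamic-login
+# Required-Start: $local_fs networking
+# Required-Stop: $local_fs
+# Default-Start: S
+# Default-Stop: 0 6
+# X-Start-Before:
+# Short-Description: Dynamic Login
+# Description: Execute Dynamic Login
+### END INIT INFO
+
+NAME=dynamic-login
+INIT_NAME=/etc/init.d/${NAME}
+SCRIPT_NAME=/usr/local/bin/${NAME}
+
+[ -x $SCRIPT_NAME ] || exit 0
+
+case "$1" in
+start)
+$SCRIPT_NAME
+;;
+stop)
+;;
+*)
+echo "Usage: $INIT_NAME {start}"
+exit 1
+;;
+esac
+
+exit 0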
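Review bot: `[ -x $SCRIPT_NAME ] || exit 0` and the `$SCRIPT_NAME` invocation in the `start)` arm leave the expansion unquoted; the value is a fixed path today, but `[ -x "$SCRIPT_NAME" ] || exit 0` and `"$SCRIPT_NAME"` keep the script shellcheck-clean and safe if the path is ever parameterised. The usage message advertises only `{start}` while the case statement also accepts `stop` as a no-op; `echo "Usage: $INIT_NAME {start|stop}"` would match the arms that exist. A one-line comment on the empty `stop)` arm, `# nothing to undo: the helper runs once at start`, would make clear the empty arm is deliberate.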
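--- a/elements/dynamic-login/init-scripts/upstart/dynamic-login.conf
+++ b/elements/dynamic-login/init-scripts/upstart/dynamic-login.conf
@@ -0,0 +1,13 @@
+description "Dynamic Login"
+
+start on runlevel [2345]
+stop on runlevel [!2345]
+
+umask 022
+
+expect stop
+
+script
+echo "Executing Dynamic Login"
+/usr/local/bin/dynamic-login
+end script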
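Review bot: `expect stop` tells Upstart that the job's main process will raise SIGSTOP once it is ready, and nothing in the script section does that, so the stanza looks carried over from a daemon job; unless the helper is meant to raise SIGSTOP itself, it may leave the job blocked in the spawned state rather than completing. For a script that runs once and exits, `task` is the stanza that describes it, so I would replace `expect stop` with `task`. The `stop on runlevel [!2345]` line is harmless for a one-shot job but carries no meaning once the script has exited.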
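--- a/elements/dynamic-login/install.d/70-enable-dynamic-login-services
+++ b/elements/dynamic-login/install.d/70-enable-dynamic-login-services
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+systemd)
+systemctl enable dynamic-login.service
+;;
+sysv)
+update-rc.d dynamic-login.init defaults
+;;
+esac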
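Review bot: The sysv arm registers the service as `dynamic-login.init`, but the init script in this same commit names its installed path `/etc/init.d/dynamic-login` (INIT_NAME in init-scripts/sysv/dynamic-login.init); the name passed to update-rc.d has to match the file dib-init-system actually places in /etc/init.d, so one of the two is presumably wrong — confirm which name is installed and align both. There is no `upstart` arm and no `*)` default, so any other DIB_INIT_SYSTEM value passes silently; if upstart jobs are started by their own `start on` stanza that is fine, but a comment such as `# upstart: the job file starts itself via its 'start on' stanza` would make the omission deliberate rather than accidental.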
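--- a/elements/dynamic-login/package-installs.yaml
+++ b/elements/dynamic-login/package-installs.yaml
@@ -0,0 +1 @@
+openssh-server: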
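--- a/elements/dynamic-login/static/usr/local/bin/dynamic-login
+++ b/elements/dynamic-login/static/usr/local/bin/dynamic-login
@@ -0,0 +1,31 @@
+#!/bin/bash
+# dib-lint: disable=setu sete setpipefail dibdebugtrace
+# Copyright 2015 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# Reads an encrypted root password from the kernel command line and set
+# it to the root user
+if [[ $(</proc/cmdline) =~ rootpwd=\"([^\"]+)\" ]]; then
+echo "root:${BASH_REMATCH[1]}" | chpasswd -e
+fi
+
+# Reads a sshkey from the kernel command line and appends it to the root
+# user authorized_keys
+SSHDIR=/root/.ssh
+if [[ $(</proc/cmdline) =~ sshkey=\"([^\"]+)\" ]]; then
+mkdir -p $SSHDIR
+chmod 700 $SSHDIR
+echo "${BASH_REMATCH[1]}" > $SSHDIR/authorized_keys
+chmod 600 $SSHDIR/authorized_keys
+fi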
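Review bot: The sshkey branch writes authorized_keys with `>`, which discards any key already present in the image, while the comment above it and README.rst both say the key is appended; if append is the intended contract, use `grep -qxF -- "${BASH_REMATCH[1]}" "$SSHDIR/authorized_keys" 2>/dev/null || printf '%s\n' "${BASH_REMATCH[1]}" >> "$SSHDIR/authorized_keys"` so the entry is added once and not duplicated on every boot. The `$SSHDIR` expansions are unquoted; the value is constant here, but quoting them is free and keeps shellcheck quiet. The rootpwd block deserves a comment that `/proc/cmdline` is world-readable, so the hash placed there is visible to every local account for the life of the boot; that is the reason the README positions this element as a troubleshooting aid, and `openssl passwd -1` (MD5-crypt) is a weak choice for a hash that will be exposed this way, so the README's example should at least point to a stronger scheme. The script runs under neither `set -e` nor `set -u` (dib-lint disabled), so a failed `mkdir` still lets the `chmod` and redirect run; `mkdir -p "$SSHDIR" || exit 1` would stop at the first failure.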