Create runtime-ssh-host-keys element

Move managing of SSH host keys into a dedicated element.

Because glean doesn't generate SSH host keys anymore, we need to do it
with a systemd script. This is already handled by CentOS / Fedora so
we don't want to add it there.

This was done to address the upstream bug in debian:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500192

Change-Id: I31ad667672e08350872db21a83445fe0aa7a4a39
Signed-off-by: Paul Belanger <pabelanger@redhat.com>

elements/runtime-ssh-host-keys/README.rst

@@ -0,0 +1,10 @@
+=====================
+runtime-ssh-host-keys
+=====================
+An element to generate SSH host keys on first boot.
+
+Since ssh key generation is not yet common to all operating systems, we need to
+create a DIB element to manage this. We force the removal of the SSH host keys,
+then add init scripts to generate them on first boot.
+
+This element currently supports Debian and Ubuntu (both systemd and upstart).

elements/runtime-ssh-host-keys/cleanup.d/90-remove-ssh-host-keys

@@ -10,9 +10,6 @@ set -o pipefail
 # in so that they are regenerated on first boot and
 # are unique.
 
-# TODO(greghaynes) This should be a thing we do for all images, not just
-# simple-init.
-
 if [ -d $TARGET_ROOT/etc/ssh ] ; then
     sudo find $TARGET_ROOT/etc/ssh -name 'ssh_host*' -type f -delete
 fi

elements/runtime-ssh-host-keys/element-deps

@@ -0,0 +1 @@
+dib-init-system

elements/runtime-ssh-host-keys/init-scripts/systemd/ssh-keygen.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=OpenSSH Server Key Generation
+Before=ssh.service
+
+ConditionPathExists=|!/etc/ssh/ssh_host_key
+ConditionPathExists=|!/etc/ssh/ssh_host_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

elements/runtime-ssh-host-keys/init-scripts/upstart/ssh-keygen.conf

@@ -0,0 +1,8 @@
+description "OpenSSH Server Key Generation"
+
+start on starting ssh
+console output
+
+task
+
+exec /usr/bin/ssh-keygen -A

elements/runtime-ssh-host-keys/package-installs.yaml

@@ -0,0 +1 @@
+openssh-client:

elements/runtime-ssh-host-keys/pkg-map

@@ -0,0 +1,7 @@
+{
+  "family": {
+    "redhat": {
+      "openssh-client": "openssh"
+    }
+  }
+}

elements/runtime-ssh-host-keys/post-install.d/80-ssh-keygen

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+    upstart)
+        # nothing to do
+        exit 0
+        ;;
+    systemd)
+        if [[ $DISTRO_NAME = "ubuntu" || $DISTRO_NAME = "debian" ]]; then
+            # NOTE(pabelanger): Only support ubuntu / debian today.
+            systemctl enable ssh-keygen.service
+        else
+            # Since we are not enabling it, delete it.
+            rm /usr/lib/systemd/system/ssh-keygen.service
+        fi
+        ;;
+    openrc)
+        # let dib-init-system's postinstall handle enabling init scripts
+        exit 0
+        ;;
+    *)
+        echo "Unsupported init system"
+        exit 1
+        ;;
+esac

elements/simple-init/element-deps

@@ -1,5 +1,5 @@
 cloud-init-datasources
-dib-init-system
 install-types
 pip-and-virtualenv
+runtime-ssh-host-keys
 source-repositories

releasenotes/notes/runtime-ssh-host-keys-7a2fc873cc90d33e.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - New element (runtime-ssh-host-keys) to manage SSH host keys at boot. Since
+    SSH host key generation is not standard across operating systems, add
+    support for both Debian and Ubuntu to handle it. While this is a new
+    element, simple-init has been updated to depend on it.