From 45467e4229b6222c63a1d274331c6fe81bca8442 Mon Sep 17 00:00:00 2001 From: Paul Belanger Date: Wed, 21 Sep 2016 16:02:16 -0400 Subject: [PATCH] Create runtime-ssh-host-keys element Move managing of SSH host keys into a dedicated element. Because glean doesn't generate SSH host keys anymore, we need to do it with a systemd script. This is already handled by CentOS / Fedora so we don't want to add it there. This was done to address the upstream bug in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500192 Change-Id: I31ad667672e08350872db21a83445fe0aa7a4a39 Signed-off-by: Paul Belanger --- elements/runtime-ssh-host-keys/README.rst | 10 ++++++ .../cleanup.d/90-remove-ssh-host-keys | 3 -- elements/runtime-ssh-host-keys/element-deps | 1 + .../init-scripts/systemd/ssh-keygen.service | 22 +++++++++++++ .../init-scripts/upstart/ssh-keygen.conf | 8 +++++ .../package-installs.yaml | 1 + elements/runtime-ssh-host-keys/pkg-map | 7 +++++ .../post-install.d/80-ssh-keygen | 31 +++++++++++++++++++ elements/simple-init/element-deps | 2 +- ...untime-ssh-host-keys-7a2fc873cc90d33e.yaml | 6 ++++ 10 files changed, 87 insertions(+), 4 deletions(-) create mode 100644 elements/runtime-ssh-host-keys/README.rst rename elements/{simple-init => runtime-ssh-host-keys}/cleanup.d/90-remove-ssh-host-keys (78%) create mode 100644 elements/runtime-ssh-host-keys/element-deps create mode 100644 elements/runtime-ssh-host-keys/init-scripts/systemd/ssh-keygen.service create mode 100644 elements/runtime-ssh-host-keys/init-scripts/upstart/ssh-keygen.conf create mode 100644 elements/runtime-ssh-host-keys/package-installs.yaml create mode 100644 elements/runtime-ssh-host-keys/pkg-map create mode 100755 elements/runtime-ssh-host-keys/post-install.d/80-ssh-keygen create mode 100644 releasenotes/notes/runtime-ssh-host-keys-7a2fc873cc90d33e.yaml
diff --git a/elements/runtime-ssh-host-keys/README.rst b/elements/runtime-ssh-host-keys/README.rst
new file mode 100644
index 00000000..b00a2402
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/README.rst
@@ -0,0 +1,10 @@
+=====================
+runtime-ssh-host-keys
+=====================
+An element to generate SSH host keys on first boot.
+
+Since ssh key generation is not yet common to all operating systems, we need to
+create a DIB element to manage this. We force the removal of the SSH host keys,
+then add init scripts to generate them on first boot.
+
+This element currently supports Debian and Ubuntu (both systemd and upstart).
diff --git a/elements/simple-init/cleanup.d/90-remove-ssh-host-keys b/elements/runtime-ssh-host-keys/cleanup.d/90-remove-ssh-host-keys
similarity index 78%
rename from elements/simple-init/cleanup.d/90-remove-ssh-host-keys
rename to elements/runtime-ssh-host-keys/cleanup.d/90-remove-ssh-host-keys
index c90626a8..b14e03f1 100755
--- a/elements/simple-init/cleanup.d/90-remove-ssh-host-keys
+++ b/elements/runtime-ssh-host-keys/cleanup.d/90-remove-ssh-host-keys
@@ -10,9 +10,6 @@ set -o pipefail
 # in so that they are regenerated on first boot and
 # are unique.
 
-# TODO(greghaynes) This should be a thing we do for all images, not just
-# simple-init.
-
 if [ -d $TARGET_ROOT/etc/ssh ] ; then
 sudo find $TARGET_ROOT/etc/ssh -name 'ssh_host*' -type f -delete
 fi
diff --git a/elements/runtime-ssh-host-keys/element-deps b/elements/runtime-ssh-host-keys/element-deps
new file mode 100644
index 00000000..3a027762
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/element-deps
@@ -0,0 +1 @@
+dib-init-system
diff --git a/elements/runtime-ssh-host-keys/init-scripts/systemd/ssh-keygen.service b/elements/runtime-ssh-host-keys/init-scripts/systemd/ssh-keygen.service
new file mode 100644
index 00000000..90a83136
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/init-scripts/systemd/ssh-keygen.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=OpenSSH Server Key Generation
+Before=ssh.service
+
+ConditionPathExists=|!/etc/ssh/ssh_host_key
+ConditionPathExists=|!/etc/ssh/ssh_host_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/elements/runtime-ssh-host-keys/init-scripts/upstart/ssh-keygen.conf b/elements/runtime-ssh-host-keys/init-scripts/upstart/ssh-keygen.conf
new file mode 100644
index 00000000..3fa2c012
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/init-scripts/upstart/ssh-keygen.conf
@@ -0,0 +1,8 @@
+description "OpenSSH Server Key Generation"
+
+start on starting ssh
+console output
+
+task
+
+exec /usr/bin/ssh-keygen -A
diff --git a/elements/runtime-ssh-host-keys/package-installs.yaml b/elements/runtime-ssh-host-keys/package-installs.yaml
new file mode 100644
index 00000000..c5017af3
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/package-installs.yaml
@@ -0,0 +1 @@
+openssh-client:
diff --git a/elements/runtime-ssh-host-keys/pkg-map b/elements/runtime-ssh-host-keys/pkg-map
new file mode 100644
index 00000000..413d584e
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/pkg-map
@@ -0,0 +1,7 @@
+{
+"family": {
+"redhat": {
+"openssh-client": "openssh"
+}
+}
+}
diff --git a/elements/runtime-ssh-host-keys/post-install.d/80-ssh-keygen b/elements/runtime-ssh-host-keys/post-install.d/80-ssh-keygen
new file mode 100755
index 00000000..926a12d6
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/post-install.d/80-ssh-keygen
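Review bot: The `ConditionPathExists=|!/etc/ssh/ssh_host_key` and `ConditionPathExists=|!/etc/ssh/ssh_host_key.pub` triggers refer to the SSHv1 host key, which `ssh-keygen -A` does not create on OpenSSH builds without protocol 1 support; on such hosts that condition is always satisfied, so the unit runs on every boot rather than only when a key is missing. This is harmless because `ssh-keygen -A` skips key files that already exist, but the condition list then no longer expresses the intent; trimming it to the key types the installed OpenSSH actually generates (or dropping the SSHv1 pair) keeps it meaningful. Since the whole point of the element is that each instance gets unique keys, it would also help operators to have the fresh fingerprints on the console for out-of-band verification, e.g. `ExecStartPost=/bin/sh -c 'for k in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -lf "$k"; done'`.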
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+upstart)
+# nothing to do
+exit 0
+;;
+systemd)
+if [[ $DISTRO_NAME = "ubuntu" || $DISTRO_NAME = "debian" ]]; then
+# NOTE(pabelanger): Only support ubuntu / debian today.
+systemctl enable ssh-keygen.service
+else
+# Since we are not enabling it, delete it.
+rm /usr/lib/systemd/system/ssh-keygen.service
+fi
+;;
+openrc)
+# let dib-init-system's postinstall handle enabling init scripts
+exit 0
+;;
+*)
+echo "Unsupported init system"
+exit 1
+;;
+esac
diff --git a/elements/simple-init/element-deps b/elements/simple-init/element-deps
index d92bc778..5c7f9bb3 100644
--- a/elements/simple-init/element-deps
+++ b/elements/simple-init/element-deps
@@ -1,5 +1,5 @@
 cloud-init-datasources
-dib-init-system
 install-types
 pip-and-virtualenv
+runtime-ssh-host-keys
 source-repositories
diff --git a/releasenotes/notes/runtime-ssh-host-keys-7a2fc873cc90d33e.yaml b/releasenotes/notes/runtime-ssh-host-keys-7a2fc873cc90d33e.yaml
new file mode 100644
index 00000000..3475ae7d
--- /dev/null
+++ b/releasenotes/notes/runtime-ssh-host-keys-7a2fc873cc90d33e.yaml
@@ -0,0 +1,6 @@
+---
+features:
+- New element (runtime-ssh-host-keys) to manage SSH host keys at boot. Since
+SSH host key generation is not standard across operating systems, add
+support for both Debian and Ubuntu to handle it. While this is a new
+element, simple-init has been updated to depend on it.
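Review bot: `rm /usr/lib/systemd/system/ssh-keygen.service` in the else branch of the `systemd)` arm aborts the whole image build under `set -eu` if the unit is not at that path (where dib-init-system installs unit files is not visible here) or was already removed; `rm -f -- /usr/lib/systemd/system/ssh-keygen.service` makes the cleanup idempotent while still deleting the unit when present. The diagnostic in the `*)` arm goes to stdout and does not say which value was rejected; `echo "Unsupported init system: $DIB_INIT_SYSTEM" >&2` is more useful in build logs. It would also be worth a header comment stating that the element's cleanup.d hook removes host keys for every distro while this script only enables a generator for ubuntu/debian, so any other platform is relying on its own sshd key-generation unit to get a bootable sshd with unique keys.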