klam-ssh support for CoreOS #187
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,144 @@ | ||
| #!/bin/bash -xe | ||
|
|
||
| etcdctl set /images/klam-ssh "adobecloudops/klam-ssh:latest" | ||
|
|
||
| AZ=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone) | ||
| REGION=${AZ::-1} | ||
| ROLE_NAME="$(etcdctl get /klam-ssh/config/role-name)" | ||
| ENCRYPTION_ID="$(etcdctl get /klam-ssh/config/encryption-id)" | ||
| ENCRYPTION_KEY="$(etcdctl get /klam-ssh/config/encryption-key)" | ||
| KEY_LOCATION_PREFIX="$(etcdctl get /klam-ssh/config/key-location-prefix)" | ||
| IMAGE="$(etcdctl get /images/klam-ssh)" | ||
|
|
||
|
|
||
| case $REGION in | ||
| "eu-west-1") | ||
| KEY_LOCATION="-ew1" ;; | ||
| "ap-northeast-1") | ||
| KEY_LOCATION="-an1" ;; | ||
| "us-east-1") | ||
| KEY_LOCATION="-ue1" ;; | ||
| "us-west-1") | ||
| KEY_LOCATION="-uw1" ;; | ||
| "us-west-2") | ||
| KEY_LOCATION="-uw2" ;; | ||
| *) | ||
| echo "An incorrect region value specified" | ||
| exit 1 | ||
| ;; | ||
| esac | ||
|
|
||
| # create nsswitch.conf | ||
|
There was a problem hiding this comment. this is a huge nitpick but there has to be a better way to do this There was a problem hiding this comment. If "unhappy"; then |
||
| cat << EOT >> /home/core/nsswitch.conf | ||
| passwd: files usrfiles ato | ||
| shadow: files usrfiles ato | ||
| group: files usrfiles ato | ||
|
|
||
| hosts: files usrfiles dns | ||
| networks: files usrfiles dns | ||
|
|
||
| services: files usrfiles | ||
| protocols: files usrfiles | ||
| rpc: files usrfiles | ||
|
|
||
| ethers: files | ||
| netmasks: files | ||
| netgroup: nisplus | ||
| bootparams: files | ||
| automount: files nisplus | ||
| aliases: files nisplus | ||
| EOT | ||
|
|
||
|
|
||
| # create klam-ssh.conf | ||
| cat << EOT >> /home/core/klam-ssh.conf | ||
| { | ||
| key_location: ${KEY_LOCATION_PREFIX}${KEY_LOCATION}, | ||
| role_name: ${ROLE_NAME}, | ||
| encryption_id: ${ENCRYPTION_ID}, | ||
| encryption_key: ${ENCRYPTION_KEY}, | ||
| resource_location: amazon, | ||
| time_skew: permissive, | ||
| s3_region: ${REGION} | ||
| } | ||
| EOT | ||
|
|
||
| # Create directory structure | ||
| mkdir -p /opt/klam/lib /opt/klam/lib64 /etc/ld.so.conf.d | ||
|
|
||
| # Docker volume mount | ||
| docker create --name klam-ssh ${IMAGE} | ||
|
|
||
| # Copy libnss_ato library | ||
| docker cp klam-ssh:/tmp/klam-build/coreos/libnss_ato.so.2 /opt/klam/lib64 | ||
|
|
||
| # Create symlink | ||
| ln -sf /opt/klam/lib64/libnss_ato.so.2 /opt/klam/lib64/libnss_ato.so | ||
|
|
||
| # Docker remove container | ||
| docker rm klam-ssh | ||
|
|
||
| # Move the ld.so.conf file to the correct location | ||
| echo "/opt/klam/lib64" > /etc/ld.so.conf.d/klam.conf | ||
| ldconfig | ||
| ldconfig -p | grep klam | ||
|
|
||
| # Validate that the files exist in the correct folder | ||
| ls -l /opt/klam/lib64/libnss_ato.so* | ||
|
|
||
| # Create the klamfed home directory | ||
| useradd -p "*" -U -G sudo -u 5000 -m klamfed -s /bin/bash | ||
| mkdir -p /home/klamfed | ||
| usermod -p "*" klamfed | ||
| usermod -U klamfed | ||
| update-ssh-keys -u klamfed | ||
|
|
||
| # Add klamfed to wheel | ||
| usermod -a -G wheel klamfed | ||
|
|
||
| # Add klamfed to sudo | ||
| usermod -a -G sudo klamfed | ||
|
|
||
| # Add passwordless sudo to klamfed | ||
| echo "klamfed ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/klamfed | ||
|
|
||
| # Validate that the klamfed user has the correct uid value (5000) and home directory | ||
| id klamfed | ||
| ls -ld /home/klamfed | ||
|
|
||
| # Re-link nsswitch.conf | ||
| mv -f /home/core/nsswitch.conf /etc/nsswitch.conf | ||
| cat /etc/nsswitch.conf | ||
|
|
||
| # generate the ATO config | ||
| grep klamfed /etc/passwd > /opt/klam/lib/klam-ato.conf | ||
|
|
||
| # Validate that the contents of /opt/klam/lib/klam-ato.conf | ||
| cat /opt/klam/lib/klam-ato.conf | ||
|
|
||
| # Move klam-ssh.conf | ||
| mv -f /home/core/klam-ssh.conf /opt/klam/lib/klam-ssh.conf | ||
| cat /opt/klam/lib/klam-ssh.conf | ||
|
|
||
| # update /etc/ssh/sshd_config | ||
| cp /etc/ssh/sshd_config sshd_config | ||
| echo 'AuthorizedKeysCommand /opt/klam/lib/authorizedkeys_command.sh' >> sshd_config | ||
| echo 'AuthorizedKeysCommandUser root' >> sshd_config | ||
| mv -f sshd_config /etc/ssh/sshd_config | ||
| cat /etc/ssh/sshd_config | ||
|
|
||
| # Change ownership of authorizedkeys_command | ||
| chown root:root /home/core/mesos-systemd/v3/util/authorizedkeys_command.sh | ||
|
There was a problem hiding this comment. huh...does this actually work? And why is this needed? |
||
|
|
||
| # Relocate authorizedkeys_command | ||
| mv /home/core/mesos-systemd/v3/util/authorizedkeys_command.sh /opt/klam/lib | ||
|
|
||
| # Change ownership of downloadS3 | ||
| chown root:root /home/core/mesos-systemd/v3/util/downloadS3.sh | ||
|
|
||
| # Relocate downloadS3.sh | ||
| mv /home/core/mesos-systemd/v3/util/downloadS3.sh /opt/klam/lib | ||
|
|
||
| # Restart SSHD | ||
| systemctl restart sshd.service | ||
|
There was a problem hiding this comment. Is this going to conflict with the existing service which restarts sshd? Can we reduce how many times we are restarting it by making sure all the conf changes are made first, then restarting it once? There was a problem hiding this comment. I don't think so? It shouldn't just because this will run serially. @eadasiak can you test and confirm? There was a problem hiding this comment. Conflict was probably the wrong word; I'm thinking more of the fact that ssh is being restarted twice. We already have to wait about five minutes before we can SSH in to an instance, this might make that longer. There was a problem hiding this comment. The restart is actually quite fast though. We see the daemon restart when fleet is restarted and it's near instantaneous to establish a new connection There was a problem hiding this comment. I wasn't able to find where the other sshd restart happens. This particular restart is really fast, but if the sequence of events is such that the setup scripts occur before the other service restart, I can strike this one. There was a problem hiding this comment. I'm okay with leaving this here; was just thinking about optimizing it, but if you say it's fast, LGTM |
||
|
|
||
| echo "KLAM SSH BOOTSTRAP COMPLETE" | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| #!/bin/bash | ||
|
|
||
| ROLE_NAME="$(etcdctl get /klam-ssh/config/role-name)" | ||
| ENCRYPTION_ID="$(etcdctl get /klam-ssh/config/encryption-id)" | ||
| ENCRYPTION_KEY="$(etcdctl get /klam-ssh/config/encryption-key)" | ||
| KEY_LOCATION_PREFIX="$(etcdctl get /klam-ssh/config/key-location-prefix)" | ||
| IMAGE="$(etcdctl get /images/klam-ssh)" | ||
|
|
||
| echo "Running authorizedkeys_command for $1" | systemd-cat -p info -t klam-ssh | ||
|
|
||
| docker run --rm -e ROLE_NAME=${ROLE_NAME} -e ENCRYPTION_ID=${ENCRYPTION_ID} -e ENCRYPTION_KEY=${ENCRYPTION_KEY} -e KEY_LOCATION_PREFIX=${KEY_LOCATION_PREFIX} ${IMAGE} /usr/lib/klam/getKeys.py $1 | ||
| exit 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| #!/bin/bash | ||
|
|
||
| ROLE_NAME="$(etcdctl get /klam-ssh/config/role-name)" | ||
| ENCRYPTION_ID="$(etcdctl get /klam-ssh/config/encryption-id)" | ||
| ENCRYPTION_KEY="$(etcdctl get /klam-ssh/config/encryption-key)" | ||
| KEY_LOCATION_PREFIX="$(etcdctl get /klam-ssh/config/key-location-prefix)" | ||
| IMAGE="$(etcdctl get /images/klam-ssh)" | ||
|
|
||
| docker run --rm -e ROLE_NAME=${ROLE_NAME} -e ENCRYPTION_ID=${ENCRYPTION_ID} -e ENCRYPTION_KEY=${ENCRYPTION_KEY} -e KEY_LOCATION_PREFIX=${KEY_LOCATION_PREFIX} ${IMAGE} /usr/lib/klam/downloadS3.py | ||
| exit 0 |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the KLAM Role is created in the infrastructure stack, it should be added as an environment variable here: https://github.com/adobe-platform/infrastructure/blob/master/v2/src/userdata/templates/write_files/environment/shared.yml
Otherwise, we will have to have users pull their KLAM role out of the infrastructure stack and insert it into secrets.