From 5863bd650e9b7753756492e3bddd4e7da2850d85 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Thu, 11 Apr 2024 18:15:52 -0400 Subject: [PATCH] tree-wide: Update SSH key injection This is an improved reference example that fixes two things: - Error out if SSHPUBKEY is not provided or empty (via `set -eu`) - Also reads any keys in the traditional location (i.e. `/root/.ssh`) so that keys injected via other mechanisms (e.g. cloud-init, podman-bootc CLI) also work (Are we at the point where we should have a script that generates these Containerfiles?) Signed-off-by: Colin Walters --- .../natural_language_processing/chatbot/bootc/Containerfile | 6 +++--- .../chatbot/bootc/Containerfile.nocache | 6 +++--- .../natural_language_processing/codegen/bootc/Containerfile | 6 +++--- .../codegen/bootc/Containerfile.nocache | 6 +++--- recipes/natural_language_processing/rag/bootc/Containerfile | 6 +++--- .../rag/bootc/Containerfile.nocache | 6 +++--- .../summarizer/bootc/Containerfile | 6 +++--- .../summarizer/bootc/Containerfile.nocache | 6 +++--- 8 files changed, 24 insertions(+), 24 deletions(-) diff --git a/recipes/natural_language_processing/chatbot/bootc/Containerfile b/recipes/natural_language_processing/chatbot/bootc/Containerfile index cede41ba..31af5575 100644 --- a/recipes/natural_language_processing/chatbot/bootc/Containerfile +++ b/recipes/natural_language_processing/chatbot/bootc/Containerfile 
@@ -9,9 +9,9 @@ ARG SSHPUBKEY # The --build-arg "SSHPUBKEY=$(cat ~/.ssh/id_rsa.pub)" option inserts your # public key into the image, allowing root access via ssh. -RUN mkdir /usr/etc-system && \ - echo 'AuthorizedKeysFile /usr/etc-system/%u.keys' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ - echo ${SSHPUBKEY} > /usr/etc-system/root.keys && chmod 0600 /usr/etc-system/root.keys +RUN set -eu; mkdir -p /usr/ssh && \ + echo 'AuthorizedKeysFile /usr/ssh/%u.keys .ssh/authorized_keys .ssh/authorized_keys2' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ + echo ${SSHPUBKEY} > /usr/ssh/root.keys && chmod 0600 /usr/ssh/root.keys ARG RECIPE=chatbot ARG MODEL_IMAGE=quay.io/ai-lab/mistral-7b-instruct:latest diff --git a/recipes/natural_language_processing/chatbot/bootc/Containerfile.nocache b/recipes/natural_language_processing/chatbot/bootc/Containerfile.nocache index 2807cf91..563ea2f8 100644 --- a/recipes/natural_language_processing/chatbot/bootc/Containerfile.nocache +++ b/recipes/natural_language_processing/chatbot/bootc/Containerfile.nocache @@ -9,9 +9,9 @@ ARG SSHPUBKEY # The --build-arg "SSHPUBKEY=$(cat ~/.ssh/id_rsa.pub)" option inserts your # public key into the image, allowing root access via ssh. -RUN mkdir /usr/etc-system && \ - echo 'AuthorizedKeysFile /usr/etc-system/%u.keys' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ - echo ${SSHPUBKEY} > /usr/etc-system/root.keys && chmod 0600 /usr/etc-system/root.keys +RUN set -eu; mkdir -p /usr/ssh && \ + echo 'AuthorizedKeysFile /usr/ssh/%u.keys .ssh/authorized_keys .ssh/authorized_keys2' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ + echo ${SSHPUBKEY} > /usr/ssh/root.keys && chmod 0600 /usr/ssh/root.keys ARG RECIPE=chatbot diff --git a/recipes/natural_language_processing/codegen/bootc/Containerfile b/recipes/natural_language_processing/codegen/bootc/Containerfile index 77b8d9ea..98bef93c 100644 --- a/recipes/natural_language_processing/codegen/bootc/Containerfile 
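Review bot: `set -eu` in the new `RUN` only aborts when `SSHPUBKEY` is unset; a value that is set but empty (for instance when the `$(cat ~/.ssh/id_rsa.pub)` in the documented `--build-arg` expands to nothing) still builds and leaves an empty `/usr/ssh/root.keys`, so the "or empty" case named in the commit message is not enforced. The expansion in `echo ${SSHPUBKEY}` is also unquoted, which word-splits the value and would fold several keys passed on separate lines into one line. Both are covered by `printf '%s\n' "${SSHPUBKEY:?SSHPUBKEY build arg must be set and non-empty}" > /usr/ssh/root.keys`. The same line is added in the other seven hunks of this patch (the `Containerfile` and `Containerfile.nocache` of chatbot, codegen, rag and summarizer).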
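Review bot: The `AuthorizedKeysFile` line written here now also lists `.ssh/authorized_keys` and `.ssh/authorized_keys2`, and it applies to every account, so on the booted image login is no longer limited to keys baked into the image: anything able to write those files in a home directory can add a key. That matches the commit message, but the comment above the `RUN` still describes only the build-arg key; I would add `# sshd also accepts keys from ~/.ssh/authorized_keys{,2} (e.g. injected by cloud-init), for every user.` so image consumers know the full set of key sources. The directive is appended with `>>` to `30-auth-system.conf`, and sshd uses the first value it reads for a keyword, so it is worth confirming that no earlier-sorted file in `sshd_config.d` of the base image already sets `AuthorizedKeysFile`. The same applies to the other seven hunks.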
+++ b/recipes/natural_language_processing/codegen/bootc/Containerfile @@ -9,9 +9,9 @@ FROM quay.io/centos-bootc/centos-bootc:stream9 ARG SSHPUBKEY -RUN mkdir /usr/etc-system && \ - echo 'AuthorizedKeysFile /usr/etc-system/%u.keys' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ - echo ${SSHPUBKEY} > /usr/etc-system/root.keys && chmod 0600 /usr/etc-system/root.keys +RUN set -eu; mkdir -p /usr/ssh && \ + echo 'AuthorizedKeysFile /usr/ssh/%u.keys .ssh/authorized_keys .ssh/authorized_keys2' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ + echo ${SSHPUBKEY} > /usr/ssh/root.keys && chmod 0600 /usr/ssh/root.keys # pre-pull workload images: # Comment the pull commands to keep bootc image smaller. diff --git a/recipes/natural_language_processing/codegen/bootc/Containerfile.nocache b/recipes/natural_language_processing/codegen/bootc/Containerfile.nocache index ac0a5228..96ea3f44 100644 --- a/recipes/natural_language_processing/codegen/bootc/Containerfile.nocache +++ b/recipes/natural_language_processing/codegen/bootc/Containerfile.nocache @@ -9,9 +9,9 @@ ARG SSHPUBKEY # The --build-arg "SSHPUBKEY=$(cat ~/.ssh/id_rsa.pub)" option inserts your # public key into the image, allowing root access via ssh. -RUN mkdir /usr/etc-system && \ - echo 'AuthorizedKeysFile /usr/etc-system/%u.keys' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ - echo ${SSHPUBKEY} > /usr/etc-system/root.keys && chmod 0600 /usr/etc-system/root.keys +RUN set -eu; mkdir -p /usr/ssh && \ + echo 'AuthorizedKeysFile /usr/ssh/%u.keys .ssh/authorized_keys .ssh/authorized_keys2' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ + echo ${SSHPUBKEY} > /usr/ssh/root.keys && chmod 0600 /usr/ssh/root.keys ARG RECIPE=codegen diff --git a/recipes/natural_language_processing/rag/bootc/Containerfile b/recipes/natural_language_processing/rag/bootc/Containerfile index 0b1131b4..b7d7d861 100644 --- a/recipes/natural_language_processing/rag/bootc/Containerfile 
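Review bot: In the codegen `Containerfile` hunk the context shows `ARG SSHPUBKEY` followed directly by the `RUN`, without the two comment lines that the other seven files carry above it, so a reader of this file gets no hint of what the build arg is for or that it grants root SSH access. I would add the same text here: `# The --build-arg "SSHPUBKEY=$(cat ~/.ssh/id_rsa.pub)" option inserts your` and `# public key into the image, allowing root access via ssh.` Only three lines of context are visible, so the comment may sit elsewhere in the file; worth checking before adding it.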
+++ b/recipes/natural_language_processing/rag/bootc/Containerfile @@ -10,9 +10,9 @@ ARG SSHPUBKEY # The --build-arg "SSHPUBKEY=$(cat ~/.ssh/id_rsa.pub)" option inserts your # public key into the image, allowing root access via ssh. -RUN mkdir /usr/etc-system && \ - echo 'AuthorizedKeysFile /usr/etc-system/%u.keys' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ - echo ${SSHPUBKEY} > /usr/etc-system/root.keys && chmod 0600 /usr/etc-system/root.keys +RUN set -eu; mkdir -p /usr/ssh && \ + echo 'AuthorizedKeysFile /usr/ssh/%u.keys .ssh/authorized_keys .ssh/authorized_keys2' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ + echo ${SSHPUBKEY} > /usr/ssh/root.keys && chmod 0600 /usr/ssh/root.keys ARG RECIPE=rag ARG MODEL_IMAGE=quay.io/ai-lab/mistral-7b-instruct:latest diff --git a/recipes/natural_language_processing/rag/bootc/Containerfile.nocache b/recipes/natural_language_processing/rag/bootc/Containerfile.nocache index 061d850d..126286fd 100644 --- a/recipes/natural_language_processing/rag/bootc/Containerfile.nocache +++ b/recipes/natural_language_processing/rag/bootc/Containerfile.nocache @@ -9,9 +9,9 @@ ARG SSHPUBKEY # The --build-arg "SSHPUBKEY=$(cat ~/.ssh/id_rsa.pub)" option inserts your # public key into the image, allowing root access via ssh. -RUN mkdir /usr/etc-system && \ - echo 'AuthorizedKeysFile /usr/etc-system/%u.keys' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ - echo ${SSHPUBKEY} > /usr/etc-system/root.keys && chmod 0600 /usr/etc-system/root.keys +RUN set -eu; mkdir -p /usr/ssh && \ + echo 'AuthorizedKeysFile /usr/ssh/%u.keys .ssh/authorized_keys .ssh/authorized_keys2' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ + echo ${SSHPUBKEY} > /usr/ssh/root.keys && chmod 0600 /usr/ssh/root.keys ARG RECIPE=rag diff --git a/recipes/natural_language_processing/summarizer/bootc/Containerfile b/recipes/natural_language_processing/summarizer/bootc/Containerfile index 80e933fe..c335388c 100644 
--- a/recipes/natural_language_processing/summarizer/bootc/Containerfile +++ b/recipes/natural_language_processing/summarizer/bootc/Containerfile @@ -9,9 +9,9 @@ ARG SSHPUBKEY # The --build-arg "SSHPUBKEY=$(cat ~/.ssh/id_rsa.pub)" option inserts your # public key into the image, allowing root access via ssh. -RUN mkdir /usr/etc-system && \ - echo 'AuthorizedKeysFile /usr/etc-system/%u.keys' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ - echo ${SSHPUBKEY} > /usr/etc-system/root.keys && chmod 0600 /usr/etc-system/root.keys +RUN set -eu; mkdir -p /usr/ssh && \ + echo 'AuthorizedKeysFile /usr/ssh/%u.keys .ssh/authorized_keys .ssh/authorized_keys2' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ + echo ${SSHPUBKEY} > /usr/ssh/root.keys && chmod 0600 /usr/ssh/root.keys ARG RECIPE=summarizer ARG MODEL_IMAGE=quay.io/ai-lab/mistral-7b-instruct:latest diff --git a/recipes/natural_language_processing/summarizer/bootc/Containerfile.nocache b/recipes/natural_language_processing/summarizer/bootc/Containerfile.nocache index 1947eda5..727b9cee 100644 --- a/recipes/natural_language_processing/summarizer/bootc/Containerfile.nocache +++ b/recipes/natural_language_processing/summarizer/bootc/Containerfile.nocache @@ -9,9 +9,9 @@ ARG SSHPUBKEY # The --build-arg "SSHPUBKEY=$(cat ~/.ssh/id_rsa.pub)" option inserts your # public key into the image, allowing root access via ssh. -RUN mkdir /usr/etc-system && \ - echo 'AuthorizedKeysFile /usr/etc-system/%u.keys' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ - echo ${SSHPUBKEY} > /usr/etc-system/root.keys && chmod 0600 /usr/etc-system/root.keys +RUN set -eu; mkdir -p /usr/ssh && \ + echo 'AuthorizedKeysFile /usr/ssh/%u.keys .ssh/authorized_keys .ssh/authorized_keys2' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ + echo ${SSHPUBKEY} > /usr/ssh/root.keys && chmod 0600 /usr/ssh/root.keys ARG RECIPE=summarizer