src/commands/create: Never use the host's SSH key pair

It's probably not a great idea to copy the private key into the container, and it also causes problems when there is a passphrase. Signed-off-by: Alberto Faria <[email protected]>
containers · Mar 11, 2024 · 1bfede6 · 1bfede6
1 parent 982af4f
commit 1bfede6
Showing 1 changed file with 12 additions and 37 deletions.
diff --git a/src/commands/create/mod.rs b/src/commands/create/mod.rs
@@ -47,7 +47,7 @@ pub fn create(global_args: &liboci_cli::GlobalOpts, args: &liboci_cli::Create) -
     set_up_extra_container_mounts_and_devices(&mut spec)?;
     set_up_security(&mut spec);
 
-    set_up_first_boot_config(&spec, &mounts, &custom_options, runtime_env)?;
+    set_up_first_boot_config(&spec, &mounts, &custom_options)?;
     set_up_libvirt_domain_xml(&spec, &base_vm_image_info, &mounts, &custom_options)?;
 
     adjust_container_rlimits_and_resources(&mut spec);
@@ -486,9 +486,8 @@ fn set_up_first_boot_config(
     spec: &oci_spec::runtime::Spec,
     mounts: &Mounts,
     custom_options: &CustomOptions,
-    env: RuntimeEnv,
 ) -> Result<()> {
-    let container_public_key = get_container_ssh_key_pair(spec, env)?;
+    let container_public_key = gen_container_ssh_key_pair(spec)?;
 
     let config = FirstBootConfig {
         hostname: spec.hostname().as_deref(),
@@ -516,46 +515,22 @@ fn set_up_first_boot_config(
 }
 
 /// Returns the public key for the container.
-///
-/// This first attempts to use the current user's key pair, in case the VM does not support
-/// cloud-init but the user injected their public key into it themselves.
-fn get_container_ssh_key_pair(spec: &oci_spec::runtime::Spec, env: RuntimeEnv) -> Result<String> {
+fn gen_container_ssh_key_pair(spec: &oci_spec::runtime::Spec) -> Result<String> {
     let ssh_path = spec.root_path()?.join("root/.ssh");
 
     if !ssh_path.join("id_rsa.pub").exists() {
         fs::create_dir_all(&ssh_path)?;
 
-        let try_copy_user_key_pair = || -> Result<bool> {
-            if env != RuntimeEnv::Other {
-                // definitely not Podman, we're probably not running as the user that invoked the engine
-                return Ok(false);
-            }
-
-            if let Some(user_home_path) = home::home_dir() {
-                let user_ssh = user_home_path.join(".ssh");
-
-                if user_ssh.join("id_rsa.pub").is_file() && user_ssh.join("id_rsa").is_file() {
-                    fs::copy(user_ssh.join("id_rsa.pub"), ssh_path.join("id_rsa.pub"))?;
-                    fs::copy(user_ssh.join("id_rsa"), ssh_path.join("id_rsa"))?;
-                    return Ok(true);
-                }
-            }
-
-            Ok(false)
-        };
+        let status = Command::new("ssh-keygen")
+            .arg("-q")
+            .arg("-f")
+            .arg(ssh_path.join("id_rsa"))
+            .arg("-N")
+            .arg("")
+            .spawn()?
+            .wait()?;
 
-        if !try_copy_user_key_pair()? {
-            let status = Command::new("ssh-keygen")
-                .arg("-q")
-                .arg("-f")
-                .arg(ssh_path.join("id_rsa"))
-                .arg("-N")
-                .arg("")
-                .spawn()?
-                .wait()?;
-
-            ensure!(status.success(), "ssh-keygen failed");
-        }
+        ensure!(status.success(), "ssh-keygen failed");
     }
 
     Ok(fs::read_to_string(ssh_path.join("id_rsa.pub"))?)