From e6792457fb918407c7a77d8a3778bd1cdc877854 Mon Sep 17 00:00:00 2001
From: Brent Baude
Date: Thu, 11 Jan 2024 07:46:26 -0500
Subject: [PATCH] Set up podman machine remote user correctly

The remote user functionality was not quite correct. This PR breaks out the accumulation of user descriptions into a separate function. One odditiy is ignition must be told to NOT create the core user (or it will by default) by "adding" the core user with a set bool.

[NO NEW TESTS NEEDED]

Signed-off-by: Brent Baude
---
 pkg/machine/applehv/machine.go | 2 +-
 pkg/machine/hyperv/machine.go | 2 +-
 pkg/machine/ignition.go | 58 +++++++++++++++++++++++++++-------
 pkg/machine/qemu/machine.go | 5 +--
 4 files changed, 51 insertions(+), 16 deletions(-)

diff --git a/pkg/machine/applehv/machine.go b/pkg/machine/applehv/machine.go
index 6e628c873b..b4bfdcc927 100644
--- a/pkg/machine/applehv/machine.go
+++ b/pkg/machine/applehv/machine.go
@@ -968,7 +968,7 @@ func (m *MacMachine) setupAPIForwarding(cmd gvproxy.GvproxyCommand) (gvproxy.Gvp
 	}
 	destSock := fmt.Sprintf("/run/user/%d/podman/podman.sock", m.UID)
-	forwardUser := "core"
+	forwardUser := m.RemoteUsername
 	if m.Rootful {
 		destSock = "/run/podman/podman.sock"
diff --git a/pkg/machine/hyperv/machine.go b/pkg/machine/hyperv/machine.go
index 6155de7b6e..2a431c7f20 100644
--- a/pkg/machine/hyperv/machine.go
+++ b/pkg/machine/hyperv/machine.go
@@ -876,7 +876,7 @@ func (m *HyperVMachine) setupAPIForwarding(cmd gvproxy.GvproxyCommand) (gvproxy.
 	}
 	destSock := fmt.Sprintf("/run/user/%d/podman/podman.sock", m.UID)
-	forwardUser := "core"
+	forwardUser := m.RemoteUsername
 	if m.Rootful {
 		destSock = "/run/podman/podman.sock"
diff --git a/pkg/machine/ignition.go b/pkg/machine/ignition.go
index dd11160340..6ca80106b6 100644
--- a/pkg/machine/ignition.go
+++ b/pkg/machine/ignition.go
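Review bot: `forwardUser := m.RemoteUsername` has no fallback for an empty RemoteUsername, so a machine whose stored config predates this field (or was created without one) would have its API socket forwarded as an empty user instead of `core`; the same replacement appears in the hyperv hunk and in the qemu setupAPIForwarding hunk. Unless every config path guarantees the field is populated (not visible in this patch), a guard such as `if forwardUser == "" { forwardUser = DefaultIgnitionUserName }` using the constant from pkg/machine, or an explicit error, keeps the forwarding from silently targeting a nonexistent account. setupAPIForwarding starts and ends outside the hunk.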
@@ -75,6 +75,51 @@ func (ign *DynamicIgnition) Write() error {
 	return os.WriteFile(ign.WritePath, b, 0644)
 }
+func (ign *DynamicIgnition) getUsers() []PasswdUser {
+	var (
+		users []PasswdUser
+	)
+
+	isCoreUser := ign.Name == DefaultIgnitionUserName
+
+	// if we are not using the 'core' user, we need to tell ignition to
+	// not add it
+	if !isCoreUser {
+		coreUser := PasswdUser{
+			Name: DefaultIgnitionUserName,
+			ShouldExist: BoolToPtr(false),
+		}
+		users = append(users, coreUser)
+	}
+
+	// Adding the user
+	user := PasswdUser{
+		Name: ign.Name,
+		SSHAuthorizedKeys: []SSHAuthorizedKey{SSHAuthorizedKey(ign.Key)},
+		UID: IntToPtr(ign.UID),
+	}
+
+	// If we are not using the core user, we need to make the user part
+	// of the following groups
+	if !isCoreUser {
+		user.Groups = []Group{
+			Group("sudo"),
+			Group("adm"),
+			Group("wheel"),
+			Group("systemd-journal")}
+	}
+
+	// set root SSH key
+	root := PasswdUser{
+		Name: "root",
+		SSHAuthorizedKeys: []SSHAuthorizedKey{SSHAuthorizedKey(ign.Key)},
+	}
+	// add them all in
+	users = append(users, user, root)
+
+	return users
+}
+
 // GenerateIgnitionConfig
 func (ign *DynamicIgnition) GenerateIgnitionConfig() error {
 	if len(ign.Name) < 1 {
@@ -84,18 +129,7 @@ func (ign *DynamicIgnition) GenerateIgnitionConfig() error {
 		Version: "3.2.0",
 	}
 	ignPassword := Passwd{
-		Users: []PasswdUser{
-			{
-				Name: ign.Name,
-				SSHAuthorizedKeys: []SSHAuthorizedKey{SSHAuthorizedKey(ign.Key)},
-				// Set the UID of the core user inside the machine
-				UID: IntToPtr(ign.UID),
-			},
-			{
-				Name: "root",
-				SSHAuthorizedKeys: []SSHAuthorizedKey{SSHAuthorizedKey(ign.Key)},
-			},
-		},
+		Users: ign.getUsers(),
 	}
 	ignStorage := Storage{
diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go
index 7ae051eeb0..1118cc4806 100644
--- a/pkg/machine/qemu/machine.go
+++ b/pkg/machine/qemu/machine.go
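Review bot: getUsers appends a separate `root` entry unconditionally, so a remote username of `root` yields two passwd users with the same name (the first also carrying the UID and the group list), which Ignition's config validation will most likely reject; the `len(ign.Name) < 1` check in GenerateIgnitionConfig does not cover this, and a `if ign.Name == "root" { ... }` returning an error next to it (or skipping the duplicate entry in getUsers) would close the gap. The `sudo`/`adm`/`wheel` group list deserves a comment such as `// these groups give the custom user the same administrative reach as the default core user` so nobody reads the remote user as a reduced-privilege account; note the same key is still installed for root as before. Minor style: the single-entry `var ( ... )` block can simply be `var users []PasswdUser`. GenerateIgnitionConfig continues outside the hunk.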
@@ -1265,8 +1265,8 @@ func (v *MachineVM) startHostNetworking() (string, machine.APIForwardingState, e
 		cmd.Debug = true
 		logrus.Debug(cmd)
 	}
-
 	c := cmd.Cmd(binary)
+	logrus.Debugf("gvproxy args: %v", c.Args)
 	if err := c.Start(); err != nil {
 		return "", 0, fmt.Errorf("unable to execute: %q: %w", cmd.ToCmdline(), err)
 	}
@@ -1281,7 +1281,8 @@ func (v *MachineVM) setupAPIForwarding(cmd gvproxy.GvproxyCommand) (gvproxy.Gvpr
 	}
 	destSock := fmt.Sprintf("/run/user/%d/podman/podman.sock", v.UID)
-	forwardUser := "core"
+
+	forwardUser := v.RemoteUsername
 	if v.Rootful {
 		destSock = "/run/podman/podman.sock"
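Review bot: The new `logrus.Debugf("gvproxy args: %v", c.Args)` prints the argument slice with `%v`, which hides empty elements and embedded whitespace; `logrus.Debugf("gvproxy args: %q", c.Args)` shows an empty `-forward-user` value or an odd socket path exactly, which is precisely the case this series makes possible when RemoteUsername is unset. The line also largely duplicates the `logrus.Debug(cmd)` in the preceding block, so one of the two is enough, or the new one could move inside that block under the same condition. The removed blank line is fine. startHostNetworking begins and ends outside the hunk.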