Add dynamic-login element

Troubleshooting an image can be quite hard, especially if you cannot get a prompt where you can enter commands to find out what went wrong. By default, the images (especially ramdisks) don't have any SSH key or password for any user. Of course one could use the ``devuser`` element to generate an image with SSH keys and user/password in the image, but that would be a massive security hole and it's very discouraged to run in production with a ramdisk like that.

This commit is adding a new element called dynamic-login, which inserts a helper script into the image to allow operators to inject an SSH key and/or change the root password dynamically when it boots via parameters in the kernel command line. Those parameters are:

sshkey = If the operator appends sshkey="$PUBLIC_SSH_KEY" to the kernel command line on boot, the helper script will append this key to the root user authorized_keys.

rootpwd = If the operator appends rootpwd="$ENCRYPTED_PASSWORD" to the kernel command line on boot, the helper script will set the root password to the one specified by this option. Note that this password should be an encrypted password.

Change-Id: I6b87a1b90163d79745f30dfacd37516051fa0aea
This commit is contained in:
parent
2ff566b80a
commit
25d3ee5471
46
elements/dynamic-login/README.rst
Normal file
@ -0,0 +1,46 @@
|
||||
=============
|
||||
dynamic-login
|
||||
=============
|
||||
|
||||
This element insert a helper script in the image that allows users to
|
||||
dynamically configure credentials at boot time. This is specially useful
|
||||
for troubleshooting.
|
||||
|
||||
Troubleshooting an image can be quite hard, specially if you can not get
|
||||
a prompt you can enter commands to find out what went wrong. By default,
|
||||
the images (specially ramdisks) doesn't have any SSH key or password for
|
||||
any user. Of course one could use the ``devuser`` element to generate
|
||||
an image with SSH keys and user/password in the image but that would be
|
||||
a massive security hole and very it's discouraged to run in production
|
||||
with a ramdisk like that.
|
||||
|
||||
This element allows the operator to inject a SSH key and/or change the
|
||||
root password dynamically when the image boots. Two kernel command line
|
||||
parameters are used to do it:
|
||||
|
||||
sshkey
|
||||
:Description: If the operator append sshkey="$PUBLIC_SSH_KEY" to the
|
||||
kernel command line on boot, the helper script will append
|
||||
this key to the root user authorized_keys.
|
||||
|
||||
rootpwd
|
||||
:Description: If the operator append rootpwd="$ENCRYPTED_PASSWORD" to the
|
||||
kernel command line on boot, the helper script will set the
|
||||
root password to the one specified by this option. Note that
|
||||
this password should be **encrypted**. Encrypted passwords
|
||||
can be generated using the ``openssl`` command, e.g:
|
||||
*openssl passwd -1*.
|
||||
|
||||
|
||||
.. note::
|
||||
The value of these parameters should be **quoted**, e.g: sshkey="ssh-rsa
|
||||
BBBA1NBzaC1yc2E ..."
|
||||
|
||||
|
||||
.. warning::
|
||||
Some base operational systems might require selinux to be in
|
||||
**permissive** or **disabled** mode so that you can log in
|
||||
the image. This can be achieved by building the image with the
|
||||
``selinux-permissive`` element for diskimage-builder or by passing
|
||||
``selinux=0`` in the kernel command line. RHEL/CentOS are examples
|
||||
of OSs which this is true.
|
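Review bot: The rootpwd description should state that the kernel command line is not a private channel: /proc/cmdline is readable by every local user and the full line is printed in the boot log, so the hash passed as rootpwd="..." is visible on the booted system and wherever the boot configuration is stored. The suggested *openssl passwd -1* also produces MD5-crypt hashes; recommend a SHA-512 crypt hash instead, and say explicitly that the element is meant for troubleshooting rather than production images. Separately, "very it's discouraged" should read "it's very discouraged".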
3
elements/dynamic-login/element-deps
Normal file
@ -0,0 +1,3 @@
|
||||
dib-init-system
|
||||
install-static
|
||||
package-installs
|
@ -0,0 +1,10 @@
|
||||
[Unit]
|
||||
Description=Dynamic Login
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/local/bin/dynamic-login
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
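Review bot: The [Service] section sets only ExecStart, so systemd runs the unit as the default Type=simple, although /usr/local/bin/dynamic-login is a run-once script that exits. Declare Type=oneshot (with RemainAfterExit=yes if the unit should show as active afterwards). After=network.target also looks unnecessary, since the script only reads /proc/cmdline and writes local files.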
31
elements/dynamic-login/init-scripts/sysv/dynamic-login.init
Executable file
@ -0,0 +1,31 @@
|
||||
#!/bin/sh -e
|
||||
### BEGIN INIT INFO
|
||||
# Provides: dynamic-login
|
||||
# Required-Start: $local_fs networking
|
||||
# Required-Stop: $local_fs
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 6
|
||||
# X-Start-Before:
|
||||
# Short-Description: Dynamic Login
|
||||
# Description: Execute Dynamic Login
|
||||
### END INIT INFO
|
||||
|
||||
NAME=dynamic-login
|
||||
INIT_NAME=/etc/init.d/${NAME}
|
||||
SCRIPT_NAME=/usr/local/bin/${NAME}
|
||||
|
||||
[ -x $SCRIPT_NAME ] || exit 0
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
$SCRIPT_NAME
|
||||
;;
|
||||
stop)
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $INIT_NAME {start}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
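Review bot: The usage string in the *) branch advertises only {start}, but the case statement also accepts stop as a no-op; make the message read {start|stop} so it matches what the script handles. $SCRIPT_NAME is also expanded unquoted in the -x test and in the start branch; quote it as "$SCRIPT_NAME".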
13
elements/dynamic-login/init-scripts/upstart/dynamic-login.conf
Executable file
@ -0,0 +1,13 @@
|
||||
description "Dynamic Login"
|
||||
|
||||
start on runlevel [2345]
|
||||
stop on runlevel [!2345]
|
||||
|
||||
umask 022
|
||||
|
||||
expect stop
|
||||
|
||||
script
|
||||
echo "Executing Dynamic Login"
|
||||
/usr/local/bin/dynamic-login
|
||||
end script
|
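Review bot: "expect stop" tells upstart to wait for the job's process to raise SIGSTOP before treating the job as running, and nothing in /usr/local/bin/dynamic-login does that, so upstart never sees the readiness signal it is told to wait for. For a run-once script, drop the expect stanza and declare the job with "task"; the "stop on runlevel [!2345]" line then has nothing left to stop and can go as well.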
16
elements/dynamic-login/install.d/70-enable-dynamic-login-services
Executable file
@ -0,0 +1,16 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
|
||||
set -x
|
||||
fi
|
||||
set -eu
|
||||
set -o pipefail
|
||||
|
||||
case "$DIB_INIT_SYSTEM" in
|
||||
systemd)
|
||||
systemctl enable dynamic-login.service
|
||||
;;
|
||||
sysv)
|
||||
update-rc.d dynamic-login.init defaults
|
||||
;;
|
||||
esac
|
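Review bot: The case on $DIB_INIT_SYSTEM has no default branch, so any value other than systemd or sysv (including upstart, for which this commit ships dynamic-login.conf) falls through silently and the script exits 0. Add an explicit upstart branch, even if it is a no-op, and a *) branch that reports the unsupported init system and exits non-zero. Also check the name passed to update-rc.d: it is dynamic-login.init here, while the init script's header says "Provides: dynamic-login" and sets INIT_NAME=/etc/init.d/${NAME}.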
1
elements/dynamic-login/package-installs.yaml
Normal file
@ -0,0 +1 @@
|
||||
openssh-server:
|
31
elements/dynamic-login/static/usr/local/bin/dynamic-login
Executable file
@ -0,0 +1,31 @@
|
||||
#!/bin/bash
|
||||
# dib-lint: disable=setu sete setpipefail dibdebugtrace
|
||||
# Copyright 2015 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
# Reads an encrypted root password from the kernel command line and set
|
||||
# it to the root user
|
||||
if [[ $(</proc/cmdline) =~ rootpwd=\"([^\"]+)\" ]]; then
|
||||
echo "root:${BASH_REMATCH[1]}" | chpasswd -e
|
||||
fi
|
||||
|
||||
# Reads a sshkey from the kernel command line and appends it to the root
|
||||
# user authorized_keys
|
||||
SSHDIR=/root/.ssh
|
||||
if [[ $(</proc/cmdline) =~ sshkey=\"([^\"]+)\" ]]; then
|
||||
mkdir -p $SSHDIR
|
||||
chmod 700 $SSHDIR
|
||||
echo "${BASH_REMATCH[1]}" > $SSHDIR/authorized_keys
|
||||
chmod 600 $SSHDIR/authorized_keys
|
||||
fi
|
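Review bot: The sshkey branch writes with ">", which replaces /root/.ssh/authorized_keys, while the comment above it and the README both say the key is appended; use ">>" (or correct the documentation) so keys already present in the image are not dropped. $SSHDIR is unquoted in mkdir, chmod and the redirect. Neither captured value is checked before use: verify that the sshkey match looks like a single public key line and that the rootpwd match is a crypt-format hash before it is passed to chpasswd -e, and log a message when a parameter is present but rejected.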