Merge "Add dynamic-login element"

elements/dynamic-login/README.rst

@@ -0,0 +1,46 @@
+=============
+dynamic-login
+=============
+
+This element insert a helper script in the image that allows users to
+dynamically configure credentials at boot time. This is specially useful
+for troubleshooting.
+
+Troubleshooting an image can be quite hard, specially if you can not get
+a prompt you can enter commands to find out what went wrong. By default,
+the images (specially ramdisks) doesn't have any SSH key or password for
+any user. Of course one could use the ``devuser`` element to generate
+an image with SSH keys and user/password in the image but that would be
+a massive security hole and very it's discouraged to run in production
+with a ramdisk like that.
+
+This element allows the operator to inject a SSH key and/or change the
+root password dynamically when the image boots. Two kernel command line
+parameters are used to do it:
+
+sshkey
+  :Description: If the operator append sshkey="$PUBLIC_SSH_KEY" to the
+                kernel command line on boot, the helper script will append
+                this key to the root user authorized_keys.
+
+rootpwd
+  :Description: If the operator append rootpwd="$ENCRYPTED_PASSWORD" to the
+                kernel command line on boot, the helper script will set the
+                root password to the one specified by this option. Note that
+                this password should be **encrypted**. Encrypted passwords
+                can be generated using the ``openssl`` command, e.g:
+                *openssl passwd -1*.
+
+
+.. note::
+   The value of these parameters should be **quoted**, e.g: sshkey="ssh-rsa
+   BBBA1NBzaC1yc2E ..."
+
+
+.. warning::
+    Some base operational systems might require selinux to be in
+    **permissive** or **disabled** mode so that you can log in
+    the image. This can be achieved by building the image with the
+    ``selinux-permissive`` element for diskimage-builder or by passing
+    ``selinux=0`` in the kernel command line. RHEL/CentOS are examples
+    of OSs which this is true.

elements/dynamic-login/element-deps

@@ -0,0 +1,3 @@
+dib-init-system
+install-static
+package-installs

elements/dynamic-login/init-scripts/systemd/dynamic-login.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Dynamic Login
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/dynamic-login
+
+[Install]
+WantedBy=multi-user.target
+

elements/dynamic-login/init-scripts/sysv/dynamic-login.init

@@ -0,0 +1,31 @@
+#!/bin/sh -e
+### BEGIN INIT INFO
+# Provides:          dynamic-login
+# Required-Start:    $local_fs networking
+# Required-Stop:     $local_fs
+# Default-Start:     S
+# Default-Stop:      0 6
+# X-Start-Before:
+# Short-Description: Dynamic Login
+# Description:       Execute Dynamic Login
+### END INIT INFO
+
+NAME=dynamic-login
+INIT_NAME=/etc/init.d/${NAME}
+SCRIPT_NAME=/usr/local/bin/${NAME}
+
+[ -x $SCRIPT_NAME ] || exit 0
+
+case "$1" in
+    start)
+        $SCRIPT_NAME
+        ;;
+    stop)
+        ;;
+    *)
+        echo "Usage: $INIT_NAME {start}"
+        exit 1
+        ;;
+esac
+
+exit 0

elements/dynamic-login/init-scripts/upstart/dynamic-login.conf

@@ -0,0 +1,13 @@
+description     "Dynamic Login"
+
+start on runlevel [2345]
+stop on runlevel [!2345]
+
+umask 022
+
+expect stop
+
+script
+    echo "Executing Dynamic Login"
+    /usr/local/bin/dynamic-login
+end script

elements/dynamic-login/install.d/70-enable-dynamic-login-services

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+    systemd)
+        systemctl enable dynamic-login.service
+        ;;
+    sysv)
+        update-rc.d dynamic-login.init defaults
+        ;;
+esac

elements/dynamic-login/package-installs.yaml

@@ -0,0 +1 @@
+openssh-server:

elements/dynamic-login/static/usr/local/bin/dynamic-login

@@ -0,0 +1,31 @@
+#!/bin/bash
+# dib-lint: disable=setu sete setpipefail dibdebugtrace
+# Copyright 2015 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# Reads an encrypted root password from the kernel command line and set
+# it to the root user
+if [[ $(</proc/cmdline) =~ rootpwd=\"([^\"]+)\" ]]; then
+    echo "root:${BASH_REMATCH[1]}" | chpasswd -e
+fi
+
+# Reads a sshkey from the kernel command line and appends it to the root
+# user authorized_keys
+SSHDIR=/root/.ssh
+if [[ $(</proc/cmdline) =~ sshkey=\"([^\"]+)\" ]]; then
+    mkdir -p $SSHDIR
+    chmod 700 $SSHDIR
+    echo "${BASH_REMATCH[1]}" > $SSHDIR/authorized_keys
+    chmod 600 $SSHDIR/authorized_keys
+fi