Enable SSH access to tinyipa

might be useful sometimes,
for example debugging in normal terminal is usually more pleasant
than in QEMU console.

Add env variables `ENABLE_SSH` and `SSH_PUBLIC_KEY`,
documentation is amended accordingly.

Change-Id: I71352c2087e1fb9a7174affb78fe695932a924d7

imagebuild/tinyipa/README.rst

@@ -77,3 +77,14 @@ instead of loading some things at runtime (this results in a slightly bigger
 ramdisk), before running make or build-tinyipa.sh run::
 
   export BUILD_AND_INSTALL_TINYIPA=true
+
+If you want to enable SSH access to the image, set ``ENABLE_SSH`` variable in
+your shell before building the tinyipa::
+
+  export ENABLE_SSH=true
+
+By default it will use public RSA or DSA keys of the user running the build.
+To provide other public SSH key, export path to it in your shell before
+building tinyipa as follows::
+
+  export SSH_PUBLIC_KEY=<full-path-to-public-key>

imagebuild/tinyipa/build_files/bootlocal.sh

@@ -9,6 +9,12 @@ date
 
 export HOME=/root
 
+# Start SSHd
+if [ -f /usr/local/etc/init.d/openssh ]; then
+    echo "Starting OpenSSH server:"
+    /usr/local/etc/init.d/openssh start
+fi
+
 # Maybe save some RAM?
 #rm -rf /tmp/builtin
 

imagebuild/tinyipa/finalise-tinyipa.sh

@@ -6,6 +6,8 @@ BUILDDIR="$WORKDIR/tinyipabuild"
 FINALDIR="$WORKDIR/tinyipafinal"
 BUILD_AND_INSTALL_TINYIPA=${BUILD_AND_INSTALL_TINYIPA:-true}
 TINYCORE_MIRROR_URL=${TINYCORE_MIRROR_URL:-"http://repo.tinycorelinux.net/"}
+ENABLE_SSH=${ENABLE_SSH:-false}
+SSH_PUBLIC_KEY=${SSH_PUBLIC_KEY:-}
 
 TC=1001
 STAFF=50
@@ -16,6 +18,27 @@ TC_CHROOT_CMD="sudo chroot --userspec=$TC:$STAFF $FINALDIR /usr/bin/env -i PATH=
 
 echo "Finalising tinyipa:"
 
+if $ENABLE_SSH ; then
+    echo "Validating location of public SSH key"
+    if [ -n "$SSH_PUBLIC_KEY" ]; then
+        if [ -f "$SSH_PUBLIC_KEY" ]; then
+            _found_ssh_key="$SSH_PUBLIC_KEY"
+        fi
+    else
+        for fmt in rsa dsa; do
+            if [ -f "$HOME/.ssh/id_$fmt.pub" ]; then
+                _found_ssh_key="$HOME/.ssh/id_$fmt.pub"
+                break
+            fi
+        done
+    fi
+
+    if [ -z $_found_ssh_key ]; then
+        echo "Failed to find neither provided nor default SSH key"
+        exit 1
+    fi
+fi
+
 sudo -v
 
 if [ -d "$FINALDIR" ]; then
@@ -68,6 +91,30 @@ while read line; do
     $TC_CHROOT_CMD tce-load -wic $line
 done < $WORKDIR/build_files/finalreqs.lst
 
+if $ENABLE_SSH ; then
+    # Install and configure bare minimum for SSH access
+    $TC_CHROOT_CMD tce-load -wic openssh
+    # Configure OpenSSH
+    $CHROOT_CMD cp /usr/local/etc/ssh/sshd_config.orig /usr/local/etc/ssh/sshd_config
+    echo "PasswordAuthentication no" | $CHROOT_CMD tee -a /usr/local/etc/ssh/sshd_config
+    # Generate and configure host keys - RSA, DSA, Ed25519
+    # NOTE(pas-ha) ECDSA host key will still be re-generated fresh on every image boot
+    $CHROOT_CMD ssh-keygen -t rsa -N "" -f /usr/local/etc/ssh/ssh_host_rsa_key
+    $CHROOT_CMD ssh-keygen -t dsa -N "" -f /usr/local/etc/ssh/ssh_host_dsa_key
+    $CHROOT_CMD ssh-keygen -t ed25519 -N "" -f /usr/local/etc/ssh/ssh_host_ed25519_key
+    echo "HostKey /usr/local/etc/ssh/ssh_host_rsa_key" | $CHROOT_CMD tee -a /usr/local/etc/ssh/sshd_config
+    echo "HostKey /usr/local/etc/ssh/ssh_host_dsa_key" | $CHROOT_CMD tee -a /usr/local/etc/ssh/sshd_config
+    echo "HostKey /usr/local/etc/ssh/ssh_host_ed25519_key" | $CHROOT_CMD tee -a /usr/local/etc/ssh/sshd_config
+
+    # setup user and SSH keys
+    $CHROOT_CMD mkdir -p /home/tc
+    $CHROOT_CMD chown -R tc.staff /home/tc
+    $TC_CHROOT_CMD mkdir -p /home/tc/.ssh
+    cat $_found_ssh_key | $TC_CHROOT_CMD tee /home/tc/.ssh/authorized_keys
+    $CHROOT_CMD chown tc.staff /home/tc/.ssh/authorized_keys
+    $TC_CHROOT_CMD chmod 600 /home/tc/.ssh/authorized_keys
+fi
+
 $TC_CHROOT_CMD tce-load -ic /tmp/builtin/optional/tgt.tcz
 $TC_CHROOT_CMD tce-load -ic /tmp/builtin/optional/qemu-utils.tcz
 

releasenotes/notes/tinyipa-ssh-e8a3a01a3f3ff5f4.yaml

@@ -0,0 +1,6 @@
+---
+other:
+  - When building the TinyIPA ramdisk, it is now possible to enable SSH
+    access to it.
+    Use ``ENABLE_SSH`` and ``SSH_PUBLIC_KEY`` environment variables
+    for that (see TinyIPA's README for more details).