diff --git a/docker/haproxy/haproxy-ssh/Dockerfile.j2 b/docker/haproxy/haproxy-ssh/Dockerfile.j2
new file mode 100644
index 0000000000..8eecc88916
--- /dev/null
+++ b/docker/haproxy/haproxy-ssh/Dockerfile.j2
@@ -0,0 +1,40 @@
+FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }}
+{% block labels %}
+LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
+{% endblock %}
+
+{% block haproxy_ssh_header %}{% endblock %}
+
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='haproxy', shell='/bin/bash') }}
+
+{% if base_package_type == 'rpm' %}
+    {% set haproxy_ssh_packages = [
+ 'openssh-server',
+ 'openssh-clients',
+ ] %}
+
+# NOTE(mgoddard): The centos:8 image contains a /run/nologin file, which
+# prevents SSH access to it.
+RUN rm -f /run/nologin
+
+{% elif base_package_type == 'deb' %}
+ {% set haproxy_ssh_packages = [
+ 'openssh-server',
+ 'openssh-client',
+ ] %}
+
+RUN mkdir -p /var/run/sshd \
+ && chmod 0755 /var/run/sshd
+
+{% endif %}
+
+{{ macros.install_packages(haproxy_ssh_packages | customizable("packages")) }}
+
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+RUN chmod 644 /usr/local/bin/kolla_extend_start \
+ && sed -ri 's/session(\s+)required(\s+)pam_loginuid.so/session\1optional\2pam_loginuid.so/' /etc/pam.d/sshd
+
+{% block haproxy_ssh_footer %}{% endblock %}
+{% block footer %}{% endblock %}
diff --git a/docker/haproxy/haproxy-ssh/extend_start.sh b/docker/haproxy/haproxy-ssh/extend_start.sh
new file mode 100644
index 0000000000..d571e72920
--- /dev/null
+++ b/docker/haproxy/haproxy-ssh/extend_start.sh
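Review bot: The `sed` that downgrades `pam_loginuid.so` from `required` to `optional` in `/etc/pam.d/sshd` carries no comment, unlike the `rm -f /run/nologin` step above it, so a later reader cannot tell whether it is safe to drop; inside a container pam_loginuid generally cannot set the audit loginuid (`/proc/self/loginuid` is not writable), which makes every SSH session fail while the module is `required`. Suggest `# NOTE: pam_loginuid cannot set the audit loginuid inside a container; make it optional or sshd logins are rejected` above that RUN. Nothing in this image constrains who may log in as `haproxy` (key-only authentication, no root login); if that is expected to come from an sshd_config rendered at deploy time, a one-line comment saying so would help reviewers of this image. Minor: `openssh-clients`/`openssh-client` is installed next to the server — if this side only accepts connections, the client package is unneeded surface.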
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+SSH_HOST_KEY_TYPES=( "ecdsa" )
+
+for key_type in ${SSH_HOST_KEY_TYPES[@]}; do
+ KEY_PATH=/etc/ssh/ssh_host_${key_type}_key
+ if [[ ! -f "${KEY_PATH}" ]]; then
+ ssh-keygen -q -t ${key_type} -f ${KEY_PATH} -N ""
+ fi
+done
+
+mkdir -p /var/lib/haproxy/.ssh
+
+if [[ $(stat -c %U:%G /var/lib/haproxy/.ssh) != "haproxy:haproxy" ]]; then
+ sudo chown haproxy: /var/lib/haproxy/.ssh
+fi
diff --git a/docker/haproxy/Dockerfile.j2 b/docker/haproxy/haproxy/Dockerfile.j2
similarity index 100%
rename from docker/haproxy/Dockerfile.j2
rename to docker/haproxy/haproxy/Dockerfile.j2
diff --git a/docker/haproxy/ensure_latest_config.sh b/docker/haproxy/haproxy/ensure_latest_config.sh
similarity index 100%
rename from docker/haproxy/ensure_latest_config.sh
rename to docker/haproxy/haproxy/ensure_latest_config.sh
diff --git a/docker/letsencrypt/Dockerfile.j2 b/docker/letsencrypt/Dockerfile.j2
index b344c6734d..30062f0b0c 100644
--- a/docker/letsencrypt/Dockerfile.j2
+++ b/docker/letsencrypt/Dockerfile.j2
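Review bot: The `sudo chown haproxy: /var/lib/haproxy/.ssh` line is inconsistent with the rest of the script: `ssh-keygen -f /etc/ssh/ssh_host_*` and `mkdir -p /var/lib/haproxy/.ssh` run without sudo, so either the script already runs as root (and `sudo` is redundant) or it runs as `haproxy` and the host-key generation into `/etc/ssh` fails before this line is reached; no sudoers entry for `haproxy` is added anywhere in this commit. Host keys are only generated when the file is missing, so unless `/etc/ssh` is persisted the ECDSA host key changes every time the container is recreated and the connecting side will see a changed host key; a comment stating where the keys are expected to persist would make that contract explicit. Minor: `${SSH_HOST_KEY_TYPES[@]}`, `${key_type}` and `${KEY_PATH}` are unquoted (ShellCheck SC2068/SC2086); `for key_type in "${SSH_HOST_KEY_TYPES[@]}"; do` and `ssh-keygen -q -t "${key_type}" -f "${KEY_PATH}" -N ""` are the safe forms.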
@@ -5,25 +5,32 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" {% import "macros.j2" as macros with context %} -{# NOTE(jkirsch): EPEL required for lego #} -{{ macros.enable_extra_repos(['epel']) }} - {% if base_package_type == 'rpm' %} {% set letsencrypt_packages = [ - 'certbot', + 'openssh-clients', 'cronie' ] %} {% elif base_package_type == 'deb' %} {% set letsencrypt_packages = [ - 'certbot', + 'openssh-client', 'cron' ] %} {% endif %} {{ macros.install_packages(letsencrypt_packages | customizable("packages")) }} - COPY extend_start.sh /usr/local/bin/kolla_extend_start RUN chmod 644 /usr/local/bin/kolla_extend_start +{% block lego_repository %} +ENV lego_version=4.6.0 +ENV lego_download_url=https://github.com/go-acme/lego/releases/download/v${lego_version}/lego_v${lego_version}_linux_{{debian_arch}}.tar.gz +{% endblock %} + +{% block lego_install %} +RUN curl -o /tmp/lego.tar.gz ${lego_download_url} \ + && tar xvf /tmp/lego.tar.gz -C /opt/ \ + && rm -f /tmp/lego.tar.gz +{% endblock %} + {% block letsencrypt_footer %}{% endblock %} {% block footer %}{% endblock %}
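Review bot: The lego tarball fetched in `lego_install` is not integrity-checked, and `curl` is called without `-f`/`-L`, so a 404 body or a redirect response is written to `/tmp/lego.tar.gz` and the build only fails later with an opaque `tar` error (GitHub release URLs normally redirect, so `-L` is needed unless the base image's curl configuration already follows redirects). Pinning `lego_version` alone does not protect against a replaced or tampered release asset; record the asset's sha256 next to the version and verify it before extracting, as below — the value is per-architecture because the URL contains `{{debian_arch}}`, and it should be taken from the checksums published with the release, if any. `lego_version` and `lego_download_url` are build-only values but are set with `ENV`, so they persist into the runtime environment; `ARG` inside the block would fit unless the container's start scripts read them at runtime. `tar xvf` also prints every extracted file into the build log; `xf` is enough.
```dockerfile
{% block lego_repository %}
# … unchanged: ENV lego_version / ENV lego_download_url …
# sha256 of the release asset for this architecture (placeholder — fill from the release checksums)
ENV lego_sha256=<SHA256_OF_LEGO_TARBALL_PLACEHOLDER>
{% endblock %}

{% block lego_install %}
RUN curl -fsSL -o /tmp/lego.tar.gz "${lego_download_url}" \
    && echo "${lego_sha256}  /tmp/lego.tar.gz" | sha256sum -c - \
    && tar xf /tmp/lego.tar.gz -C /opt/ \
    && rm -f /tmp/lego.tar.gz
{% endblock %}
```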