{"cloud-init": "#cloud-config\nmounts:\n  - [ /dev/disk/by-label/config-2, /mnt/config ]\npackages:\n  - python\n  - python-requests\nwrite_files:\n  - path: /root/setup-ssh.py\n    permissions: '0700'\n    owner: root:root\n    content: |\n        print 'Importing packages'\n        import json\n        import requests\n        import os\n        import subprocess\n        import uuid\n        def getVendordataFromConfigDrive():\n          path = '/mnt/config/openstack/latest/vendor_data2.json'\n          with open(path, 'r') as f:\n            json_string = f.read()\n            return json.loads(json_string)\n        def getInstanceAndProjectIdFromConfigDrive():\n          path = '/mnt/config/openstack/latest/meta_data.json'\n          with open(path, 'r') as f:\n            json_string = f.read()\n            metadata = json.loads(json_string)\n          assert 'uuid' in metadata\n          assert 'project_id' in metadata\n          return str(uuid.UUID(metadata['uuid'], version=4)), str(uuid.UUID(metadata['project_id'], version=4))\n        print 'Getting vendordata from ConfigDrive'\n        vendordata = getVendordataFromConfigDrive()\n        print 'Getting instance and project IDs'\n        instance_id, project_id = getInstanceAndProjectIdFromConfigDrive()\n        assert 'tatu' in vendordata\n        tatu = vendordata['tatu']\n        assert 'token' in tatu\n        assert 'auth_pub_key_user' in tatu\n        assert 'principals' in tatu\n        principals = tatu['principals'].split(',')\n        with open('/etc/ssh/ssh_host_rsa_key.pub', 'r') as f:\n          host_key_pub = f.read()\n        server = 'http://172.24.4.1:18322'\n        hostcert_request = {\n          'token_id': tatu['token'],\n          'host_id': instance_id,\n          'key.pub': host_key_pub\n        }\n        print 'Request the host certificate.'\n        response = requests.post(\n          # Hard-coded SSHaaS API address will only work for devstack and requires\n          # routing and SNAT or DNAT.\n          # This eventually needs to be either:\n          # 1) 169.254.169.254 if there's a SSHaaS-proxy; OR\n          # 2) the real address of the API, possibly supplied in the vendordata and\n          #    still requiring routing and SNAT or DNAT.\n          server + '/noauth/hostcerts',\n          data=json.dumps(hostcert_request)\n        )\n        print 'Got the host certificate: {}'.format(response.content)\n        assert response.status_code == 201\n        assert 'location' in response.headers\n        location = response.headers['location']\n        # No need to GET the host cert - it's returned in the POST\n        #response = requests.get(server + location)\n        hostcert = json.loads(response.content)\n        assert 'host_id' in hostcert\n        assert hostcert['host_id'] == instance_id\n        assert 'fingerprint' in hostcert\n        assert 'auth_id' in hostcert\n        auth_id = str(uuid.UUID(hostcert['auth_id'], version=4))\n        assert auth_id == project_id\n        assert 'key-cert.pub' in hostcert\n        print 'Begin writing files.'\n        # Write the host's certificate\n        with open('/etc/ssh/ssh_host_rsa_key-cert.pub', 'w') as f:\n          f.write(hostcert['key-cert.pub'])\n        # Write the authorized principals file\n        os.mkdir('/etc/ssh/auth_principals')\n        with open('/etc/ssh/auth_principals/ubuntu', 'w') as f:\n          for p in principals:\n            f.write(p + os.linesep)\n        # Write the User CA public key file\n        with open('/etc/ssh/ca_user.pub', 'w') as f:\n          f.write(tatu['auth_pub_key_user'])\n        print 'All tasks completed.'\nruncmd:\n  - python /root/setup-ssh.py > /var/log/setup-ssh.log 2>&1\n  - sed -i -e '$aTrustedUserCAKeys /etc/ssh/ca_user.pub' /etc/ssh/sshd_config\n  - sed -i -e '$aAuthorizedPrincipalsFile /etc/ssh/auth_principals/%u' /etc/ssh/sshd_config\n  - sed -i -e '$aHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub' /etc/ssh/sshd_config\n  - systemctl restart ssh\n"}