From nobody Thu Dec 12 15:52:31 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Y8H6R6plRz5gQLS; Thu, 12 Dec 2024 15:52:31 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Y8H6R5JGrz4fW0; Thu, 12 Dec 2024 15:52:31 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1734018751; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=9fNXJTZaO9UOTUpVbV153feRnRhIMcE8zO5r8QVYTWg=; b=f7KfCAxfz1oQkf4rCGoyHCdOWe13BfLf0GfTq8RL0dI7ddvK9xSOW7SiwiJnGMfSOXWmCj WRiuIg9rsW9C+V9HjLt8zff5R7ieVV0YkYWWPXx7Iliz5aBhD03pNKDmJm7/8NQFN49K1s cJker2tTdTHQ9zIb3qq28gV3lUipREfaHC6PLLKpbXK+VeDFeRFpJaLlRkIykrWIuZDo1a wjft0oGiRMHZl83ovffDOHrT7M5ghfF/5uGF72vLf3OIvQToeGtgM6Re1FjQwETWrD8nxJ CVIgM+h43IqEiK80pOnHuKkXtZZaNGqE8+t1mKjDO59CAes8AKC+8gXYQmjE9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1734018751; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=9fNXJTZaO9UOTUpVbV153feRnRhIMcE8zO5r8QVYTWg=; b=pQOPu6kN2abeNgqauLBPPu4/mrOpsa3EeonsU5iBvv0mY+K72FC2R2zf3Z5WqHHOtfVQPM zoJcKT+CruPbnR1xCe0SDHz3XnVYxJUjQRB4WhaDy6dZqfarLZT4BWGmYGhYL24Z9zwDsl /E7O9s+c2shyDE9+2bkehhnSmJkNfvrliMYPSZ8s71S8gkUJaUb9QFNqBVkOgwcdaf3Y8+ 23pDholAi4eSyjjV8FaAI1HhO3M26yGckf+8Fg0m/bQZQyKdfSLQdjkruxexRhB6j1GNWh pzDn/uu5NBBp5pcZRYqcGXsma3P8iCfz8Qk7BQV403H2KPIVxriGCA9XdoxkmA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1734018751; a=rsa-sha256; cv=none; b=WN6lvWIcmr+N4oO4WY7u9/S3dUPPQpAPaFZ5jlujtybFBPlczriJIK5XaFauGhk2z3O9wd DhOW75gjCNEgQsqeTAX77lOG+shEe/zVI1zwtze9Idxs3gU161jq/r6njrOa7O0Q9e92UF b8dr5cs/tfJAz/SVhxygf6Sxyi/bTwbkdKK/HqpN/fSRTfq2K1CZCEB0/UY8KP6kLjBkrK NTM2V9ya1uhdv0kGvE9/hhIrgmiaXosheOjjYUc8QXZ16EDNWbkdGbNygtbNgzL8BC6Gti XUvoQexGn9ZQdkZgqoert6Wb5qe3zskZDUsmlApfuh2M85T/OmGmSwhPslSfAA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Y8H6R4wLpz10Ch; Thu, 12 Dec 2024 15:52:31 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 4BCFqVsW031992; Thu, 12 Dec 2024 15:52:31 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 4BCFqVSe031989; Thu, 12 Dec 2024 15:52:31 GMT (envelope-from git) Date: Thu, 12 Dec 2024 15:52:31 GMT Message-Id: <202412121552.4BCFqVSe031989@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Baptiste Daroussin Subject: git: c062d3ec6031 - stable/14 - nuageinit: implement ssh_keys support List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: bapt X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: c062d3ec6031372c2591d3a0eac42de25efdc165 Auto-Submitted: auto-generated The branch stable/14 has been updated by bapt: URL: https://cgit.FreeBSD.org/src/commit/?id=c062d3ec6031372c2591d3a0eac42de25efdc165 commit c062d3ec6031372c2591d3a0eac42de25efdc165 Author: Baptiste Daroussin AuthorDate: 2024-11-27 08:52:29 +0000 Commit: Baptiste Daroussin CommitDate: 2024-12-12 15:52:25 +0000 nuageinit: implement ssh_keys support MFC After: 1 week Sponsored by: OVHCloud (cherry picked from commit 41fe9d53005ef213ff16d9b095c0a88e3f2fb296) --- libexec/nuageinit/nuageinit | 42 +++++++++++++++++++++++---- libexec/nuageinit/tests/nuageinit.sh | 56 ++++++++++++++++++++++++++++++++++++ 2 files changed, 93 insertions(+), 5 deletions(-) diff --git a/libexec/nuageinit/nuageinit b/libexec/nuageinit/nuageinit index c8f74d13b7fd..5249c09eb5f1 100755 --- a/libexec/nuageinit/nuageinit +++ b/libexec/nuageinit/nuageinit @@ -7,6 +7,7 @@ local nuage = require("nuage") local ucl = require("ucl") local yaml = require("yaml") +local sys_stat = require("posix.sys.stat") if #arg ~= 2 then nuage.err("Usage: " .. arg[0] .. " ( | )", false) @@ -28,13 +29,22 @@ if not root then root = "" end -local function open_config(name) - nuage.mkdir_p(root .. "/etc/rc.conf.d") - local f, err = io.open(root .. "/etc/rc.conf.d/" .. name, "w") +local function openat(dir, name) + local path_dir = root .. dir + local path_name = path_dir .. "/" .. name + nuage.mkdir_p(path_dir) + local f, err = io.open(path_name, "w") if not f then - nuage.err("unable to open " .. name .. " config: " .. err) + nuage.err("unable to open " .. path_name .. ": " .. err) end - return f + return f, path_name +end +local function open_ssh_key(name) + return openat("/etc/ssh", name) +end + +local function open_config(name) + return openat("/etc/rc.conf.d", name) end local function get_ifaces() @@ -268,6 +278,28 @@ if line == "#cloud-config" then -- default user if none are defined nuage.adduser(default_user) end + if obj.ssh_keys and type(obj.ssh_keys) == "table" then + for key, val in pairs(obj.ssh_keys) do + for keyname, keytype in key:gmatch("(%w+)_(%w+)") do + local sshkn = nil + if keytype == "public" then + sshkn = "ssh_host_" .. keyname .. "_key.pub" + elseif keytype == "private" then + sshkn = "ssh_host_" .. keyname .. "_key" + end + if sshkn then + local sshkey, path = open_ssh_key(sshkn) + if sshkey then + sshkey:write(val .. "\n") + sshkey:close() + end + if keytype == "private" then + sys_stat.chmod(path, 384) + end + end + end + end + end if obj.ssh_authorized_keys then local homedir = nuage.adduser(default_user) for _, k in ipairs(obj.ssh_authorized_keys) do diff --git a/libexec/nuageinit/tests/nuageinit.sh b/libexec/nuageinit/tests/nuageinit.sh index f7f39ce32ad8..7e1310c4f0f9 100644 --- a/libexec/nuageinit/tests/nuageinit.sh +++ b/libexec/nuageinit/tests/nuageinit.sh @@ -18,6 +18,7 @@ atf_test_case config2_pubkeys_user_data atf_test_case config2_pubkeys_meta_data atf_test_case config2_network atf_test_case config2_network_static_v4 +atf_test_case config2_ssh_keys args_body() { @@ -404,6 +405,60 @@ EOF atf_check -o file:routing cat "${PWD}"/etc/rc.conf.d/routing } +config2_ssh_keys_head() +{ + atf_set "require.user" root +} +config2_ssh_keys_body() +{ + here=$(pwd) + export NUAGE_FAKE_ROOTDIR=$(pwd) + mkdir -p media/nuageinit + touch media/nuageinit/meta_data.json + cat > media/nuageinit/user-data << EOF +#cloud-config +ssh_keys: + rsa_private: | + -----BEGIN RSA PRIVATE KEY----- + MIIBxwIBAAJhAKD0YSHy73nUgysO13XsJmd4fHiFyQ+00R7VVu2iV9Qco + ... + -----END RSA PRIVATE KEY----- + rsa_public: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEAoPRhIfLvedSDKw7Xd ... + ed25519_private: | + -----BEGIN OPENSSH PRIVATE KEY----- + blabla + ... + -----END OPENSSH PRIVATE KEY----- + ed25519_public: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+MH4E8KO32N5CXRvXVqvyZVl0+6ue4DobdhU0FqFd+ +EOF + mkdir -p etc/ssh + cat > etc/master.passwd << EOF +root:*:0:0::0:0:Charlie &:/root:/bin/csh +sys:*:1:0::0:0:Sys:/home/sys:/bin/csh +EOF + pwd_mkdb -d etc ${here}/etc/master.passwd + cat > etc/group << EOF +wheel:*:0:root +users:*:1: +EOF + atf_check /usr/libexec/nuageinit "${PWD}"/media/nuageinit config-2 + _expected="-----BEGIN RSA PRIVATE KEY----- +MIIBxwIBAAJhAKD0YSHy73nUgysO13XsJmd4fHiFyQ+00R7VVu2iV9Qco +... +-----END RSA PRIVATE KEY----- +" + atf_check -o inline:"${_expected}" cat ${PWD}/etc/ssh/ssh_host_rsa_key + _expected="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEAoPRhIfLvedSDKw7Xd ...\n" + atf_check -o inline:"${_expected}" cat ${PWD}/etc/ssh/ssh_host_rsa_key.pub + _expected="-----BEGIN OPENSSH PRIVATE KEY----- +blabla +... +-----END OPENSSH PRIVATE KEY-----\n" + atf_check -o inline:"${_expected}" cat ${PWD}/etc/ssh/ssh_host_ed25519_key + _expected="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+MH4E8KO32N5CXRvXVqvyZVl0+6ue4DobdhU0FqFd+\n" + atf_check -o inline:"${_expected}" cat ${PWD}/etc/ssh/ssh_host_ed25519_key.pub +} + atf_init_test_cases() { atf_add_test_case args @@ -418,4 +473,5 @@ atf_init_test_cases() atf_add_test_case config2_pubkeys_meta_data atf_add_test_case config2_network atf_add_test_case config2_network_static_v4 + atf_add_test_case config2_ssh_keys }