From nobody Wed Nov 27 08:53:15 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XytWb5xjFz5dr1Y; Wed, 27 Nov 2024 08:53:15 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4XytWb5JMTz4rK7; Wed, 27 Nov 2024 08:53:15 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1732697595; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3K3a7QLK8mapE6W+SaklJXR4Ka7naBTBGwtmZ/7fWKU=; b=w9qT6NQ5WfQbnDx45OZ4swrm5OwE4OMO/iI9EaYXYUwdQ3po8hquUoKiSbFnljrz6i7HTs cgYxANKxNG9ESsTGa1cAQA/eaSGAOvcz7XhI9EY5ZnefjFMbxN2YXrcFoWxDlyS1ZbAyI9 MXb5yB9tzaI4zLcvdoi73k9VztY9C5M2QofhfmLr1yodDreUmwBmEJOckFVs37/SoGyFUS EjMCgwkBcTfUkqJcMdDlAy83uM/u65bxcCsfrQFf3PGLzLii5YopD7c8Y5SEvBVLahYn+l Snt+09YsIAariVDZwcu2tOV3CNsuhIDV2hHBvZYusQEQ+30raAZHbcsj6HcO/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1732697595; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3K3a7QLK8mapE6W+SaklJXR4Ka7naBTBGwtmZ/7fWKU=; b=FzI8t+VuPCFrtaShXer3FkIrfeWH0/ezPossoL167gSp1O2guVJcNnwKILbaA9k94nbDn0 cSh0kB9ZPXhRzrgNcsuJ0I4bGJkDApNFtQEHLJpIMaIcBCS5pz0gpqBK4RiVyNW5+uylzi 
UCAqCaAK68KNjpPFZSmHWumAA6m84Zj/njk+o3wtiTHjkx5JhkqxlkUQT3x7Qy5SPZ7qou O7IeiKnbDxzIv7VJ0zy3ZWAf7njnr6CdKycb94pT2bKPhwEWUU5PRk+kuWlm4Q1IWnePVS PUdnJBwUlN7pwxwYq/Grdgrj/UyEtxF53qqnYNgT7AHIjJskKqMr9LIs8u2b6g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1732697595; a=rsa-sha256; cv=none; b=trzgjtHyaGFN4vyakZs8uWWxQk03B5HKPmeNn4o97335u9WYB3lrho2Y67A/etMtf+Uigm ae1aSGW9R1H9M2KDzbPOVD6dwNS7F0JiF0cqTxppnYJuKlkP9qWToaTPrJq+EDoUfwmueQ 7WW0PcMQ7gmsKKPl+KKjvBEPj6p+UEql/25HeysSY5W4KfG+mTE734zaw6o3wuQLJA0uy2 7HkzDS2O8fet94WRwqx4HoCWPTg8vEDISjlQkuf+QcjCOJlLcZvL/XFdfl2xxn/YcN0PP8 WYIhIabBqTBs/EvyTTS+YJOX0brhQuy0wcAHx6tWljfgrM71ARXFDziTxX+vFA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4XytWb4w2Qz13QV; Wed, 27 Nov 2024 08:53:15 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 4AR8rFv2015297; Wed, 27 Nov 2024 08:53:15 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 4AR8rFeE015294; Wed, 27 Nov 2024 08:53:15 GMT (envelope-from git) Date: Wed, 27 Nov 2024 08:53:15 GMT Message-Id: <202411270853.4AR8rFeE015294@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org 
From: Baptiste Daroussin
Subject: git: 41fe9d53005e - main - nuageinit: implement ssh_keys support
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: bapt
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 41fe9d53005ef213ff16d9b095c0a88e3f2fb296
Auto-Submitted: auto-generated

The branch main has been updated by bapt:

URL: https://cgit.FreeBSD.org/src/commit/?id=41fe9d53005ef213ff16d9b095c0a88e3f2fb296

commit 41fe9d53005ef213ff16d9b095c0a88e3f2fb296
Author: Baptiste Daroussin
AuthorDate: 2024-11-27 08:52:29 +0000
Commit: Baptiste Daroussin
CommitDate: 2024-11-27 08:53:04 +0000

nuageinit: implement ssh_keys support

MFC After: 1 week
Sponsored by: OVHCloud
---
 libexec/nuageinit/nuageinit | 42 +++++++++++++++++++++++----
 libexec/nuageinit/tests/nuageinit.sh | 56 ++++++++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+), 5 deletions(-)

diff --git a/libexec/nuageinit/nuageinit b/libexec/nuageinit/nuageinit
index c8f74d13b7fd..5249c09eb5f1 100755
--- a/libexec/nuageinit/nuageinit
+++ b/libexec/nuageinit/nuageinit
@@ -7,6 +7,7 @@
 local nuage = require("nuage")
 local ucl = require("ucl")
 local yaml = require("yaml")
+local sys_stat = require("posix.sys.stat")
 if #arg ~= 2 then
 nuage.err("Usage: " .. arg[0] .. " ( | )", false)
@@ -28,13 +29,22 @@ if not root then
 root = ""
 end
-local function open_config(name)
- nuage.mkdir_p(root .. "/etc/rc.conf.d")
- local f, err = io.open(root .. "/etc/rc.conf.d/" .. name, "w")
+local function openat(dir, name)
+ local path_dir = root .. dir
+ local path_name = path_dir .. "/" .. name
+ nuage.mkdir_p(path_dir)
+ local f, err = io.open(path_name, "w")
 if not f then
- nuage.err("unable to open " .. name .. " config: " .. err)
+ nuage.err("unable to open " .. path_name .. ": " .. err)
 end
- return f
+ return f, path_name
+end
+local function open_ssh_key(name)
+ return openat("/etc/ssh", name)
 end
+
+local function open_config(name)
+ return openat("/etc/rc.conf.d", name)
 end
 local function get_ifaces()
@@ -268,6 +278,28 @@ if line == "#cloud-config" then
 -- default user if none are defined
 nuage.adduser(default_user)
 end
+ if obj.ssh_keys and type(obj.ssh_keys) == "table" then
+ for key, val in pairs(obj.ssh_keys) do
+ for keyname, keytype in key:gmatch("(%w+)_(%w+)") do
+ local sshkn = nil
+ if keytype == "public" then
+ sshkn = "ssh_host_" .. keyname .. "_key.pub"
+ elseif keytype == "private" then
+ sshkn = "ssh_host_" .. keyname .. "_key"
+ end
+ if sshkn then
+ local sshkey, path = open_ssh_key(sshkn)
+ if sshkey then
+ sshkey:write(val .. "\n")
+ sshkey:close()
+ end
+ if keytype == "private" then
+ sys_stat.chmod(path, 384)
+ end
+ end
+ end
+ end
+ end
 if obj.ssh_authorized_keys then
 local homedir = nuage.adduser(default_user)
 for _, k in ipairs(obj.ssh_authorized_keys) do
diff --git a/libexec/nuageinit/tests/nuageinit.sh b/libexec/nuageinit/tests/nuageinit.sh
index f7f39ce32ad8..7e1310c4f0f9 100644
--- a/libexec/nuageinit/tests/nuageinit.sh
+++ b/libexec/nuageinit/tests/nuageinit.sh
@@ -18,6 +18,7 @@ atf_test_case config2_pubkeys_user_data
 atf_test_case config2_pubkeys_meta_data
 atf_test_case config2_network
 atf_test_case config2_network_static_v4
+atf_test_case config2_ssh_keys
 args_body()
 {
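Review bot: The private host key is written to disk while the file still carries whatever mode io.open gave it under the process umask, and is only restricted afterwards at `sys_stat.chmod(path, 384)`, so key material sits in a possibly world-readable file between write and chmod, and the chmod's return value is never checked. Moving the chmod ahead of the write (or, if the bound luaposix exposes umask, setting 077 around the open) closes that window, and spelling the mode as `tonumber("600", 8)` with a comment is clearer than the bare 384, since Lua has no octal literal. The pattern `key:gmatch("(%w+)_(%w+)")` also silently drops any key whose algorithm name itself contains an underscore, and a `val` that is not a string reaches `val .. "\n"` and raises; an anchored `key:match("^(.+)_(%a+)$")` plus a `type(val) == "string"` guard would make the unsupported-key case explicit instead of a skip or a crash. The enclosing `if line == "#cloud-config"` block starts and ends outside the hunk.
```lua
if sshkn then
	local sshkey, path = open_ssh_key(sshkn)
	if sshkey then
		if keytype == "private" then
			-- 0600 (Lua has no octal literal); restrict the mode before
			-- any key material is written, not after close
			sys_stat.chmod(path, tonumber("600", 8))
		end
		sshkey:write(val .. "\n")
		sshkey:close()
	end
end
-- … unchanged: closing ends of the gmatch / pairs / if obj.ssh_keys blocks …
```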
@@ -404,6 +405,60 @@ EOF
 atf_check -o file:routing cat "${PWD}"/etc/rc.conf.d/routing
 }
+config2_ssh_keys_head()
+{
+ atf_set "require.user" root
+}
+config2_ssh_keys_body()
+{
+ here=$(pwd)
+ export NUAGE_FAKE_ROOTDIR=$(pwd)
+ mkdir -p media/nuageinit
+ touch media/nuageinit/meta_data.json
+ cat > media/nuageinit/user-data << EOF
+#cloud-config
+ssh_keys:
+ rsa_private: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIBxwIBAAJhAKD0YSHy73nUgysO13XsJmd4fHiFyQ+00R7VVu2iV9Qco
+ ...
+ -----END RSA PRIVATE KEY-----
+ rsa_public: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEAoPRhIfLvedSDKw7Xd ...
+ ed25519_private: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ blabla
+ ...
+ -----END OPENSSH PRIVATE KEY-----
+ ed25519_public: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+MH4E8KO32N5CXRvXVqvyZVl0+6ue4DobdhU0FqFd+
+EOF
+ mkdir -p etc/ssh
+ cat > etc/master.passwd << EOF
+root:*:0:0::0:0:Charlie &:/root:/bin/csh
+sys:*:1:0::0:0:Sys:/home/sys:/bin/csh
+EOF
+ pwd_mkdb -d etc ${here}/etc/master.passwd
+ cat > etc/group << EOF
+wheel:*:0:root
+users:*:1:
+EOF
+ atf_check /usr/libexec/nuageinit "${PWD}"/media/nuageinit config-2
+ _expected="-----BEGIN RSA PRIVATE KEY-----
+MIIBxwIBAAJhAKD0YSHy73nUgysO13XsJmd4fHiFyQ+00R7VVu2iV9Qco
+...
+-----END RSA PRIVATE KEY-----
+"
+ atf_check -o inline:"${_expected}" cat ${PWD}/etc/ssh/ssh_host_rsa_key
+ _expected="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEAoPRhIfLvedSDKw7Xd ...\n"
+ atf_check -o inline:"${_expected}" cat ${PWD}/etc/ssh/ssh_host_rsa_key.pub
+ _expected="-----BEGIN OPENSSH PRIVATE KEY-----
+blabla
+...
+-----END OPENSSH PRIVATE KEY-----\n"
+ atf_check -o inline:"${_expected}" cat ${PWD}/etc/ssh/ssh_host_ed25519_key
+ _expected="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+MH4E8KO32N5CXRvXVqvyZVl0+6ue4DobdhU0FqFd+\n"
+ atf_check -o inline:"${_expected}" cat ${PWD}/etc/ssh/ssh_host_ed25519_key.pub
+}
+
 atf_init_test_cases()
 {
 atf_add_test_case args
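Review bot: The new test case checks only the contents of the four key files and never the permission bits, which are the security-relevant half of the nuageinit change; a regression that drops or misplaces the chmod on the private keys would pass this test unchanged. Adding `atf_check -o inline:"600\n" stat -f %Lp ${PWD}/etc/ssh/ssh_host_rsa_key` and the same for `ssh_host_ed25519_key` after the content checks would pin the intended mode, and asserting the `.pub` files are not 0600 would catch the opposite mistake. The `require.user root` in config2_ssh_keys_head does not look necessary for chmod on files the test itself creates under NUAGE_FAKE_ROOTDIR — presumably it is for parity with sibling cases or for pwd_mkdb; a one-line comment saying which would help the next reader.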
@@ -418,4 +473,5 @@ atf_init_test_cases()
 atf_add_test_case config2_pubkeys_meta_data
 atf_add_test_case config2_network
 atf_add_test_case config2_network_static_v4
+ atf_add_test_case config2_ssh_keys
 }