Commit 48638fd1 authored by Nicolas Wavrant

slaprunner: uses sshkeys_authority recipe to manage openssh keys, otherwise...

slaprunner: uses sshkeys_authority recipe to manage openssh keys, otherwise they may change at any slapos run
parent 1792a74a
...@@ -16,6 +16,8 @@ parts += ...@@ -16,6 +16,8 @@ parts +=
runner-sshd-add-authorized-key runner-sshd-add-authorized-key
runner-sshd-graceful runner-sshd-graceful
runner-sshd-promise runner-sshd-promise
runner-sshkeys-authority
runner-sshkeys-sshd
runtestsuite runtestsuite
symlinks symlinks
shellinabox shellinabox
...@@ -29,7 +31,6 @@ parts += ...@@ -29,7 +31,6 @@ parts +=
supervisord-wrapper supervisord-wrapper
supervisord-promise supervisord-promise
httpd-graceful-wrapper httpd-graceful-wrapper
runner-sshd
## Monitoring part ## Monitoring part
## Monitor for runner ## Monitor for runner
monitor-base monitor-base
...@@ -11,10 +11,11 @@ parts += ...@@ -11,10 +11,11 @@ parts +=
gunicorn-graceful gunicorn-graceful
slaprunner-promise slaprunner-promise
slaprunner-supervisord-wrapper slaprunner-supervisord-wrapper
runner-sshd
runner-sshd-add-authorized-key runner-sshd-add-authorized-key
runner-sshd-graceful runner-sshd-graceful
runner-sshd-promise runner-sshd-promise
runner-sshkeys-authority
runner-sshkeys-sshd
runtestsuite runtestsuite
shellinabox shellinabox
symlinks symlinks
...@@ -10,10 +10,11 @@ parts = ...@@ -10,10 +10,11 @@ parts =
slaprunner-promise slaprunner-promise
apache-httpd-promise apache-httpd-promise
slaprunner-supervisord-wrapper slaprunner-supervisord-wrapper
runner-sshd
runner-sshd-add-authorized-key runner-sshd-add-authorized-key
runner-sshd-graceful runner-sshd-graceful
runner-sshd-promise runner-sshd-promise
runner-sshkeys-authority
runner-sshkeys-sshd
runtestsuite runtestsuite
symlinks symlinks
shellinabox shellinabox
...@@ -134,8 +135,8 @@ project-directory = $${runnerdirectory:project} ...@@ -134,8 +135,8 @@ project-directory = $${runnerdirectory:project}
instance_root = $${runnerdirectory:instance-root} instance_root = $${runnerdirectory:instance-root}
software_root = $${runnerdirectory:software-root} software_root = $${runnerdirectory:software-root}
ssh_client = ${openssh:location}/bin/ssh ssh_client = ${openssh:location}/bin/ssh
public_key = $${runner-sshd-key-authority:location}.pub public_key = $${runner-sshd-raw-server:rsa-keyfile}.pub
private_key = $${runner-sshd-key-authority:location} private_key = $${runner-sshd-raw-server:rsa-keyfile}
instance-monitor-url = https://[$${:ipv6}]:$${monitor-parameters:port} instance-monitor-url = https://[$${:ipv6}]:$${monitor-parameters:port}
etc_dir = $${directory:etc} etc_dir = $${directory:etc}
log_dir = $${directory:log} log_dir = $${directory:log}
...@@ -199,11 +200,6 @@ wrapper-path = $${directory:bin}/runTestSuite ...@@ -199,11 +200,6 @@ wrapper-path = $${directory:bin}/runTestSuite
environment = RUNNER_CONFIG=$${slapos-cfg:rendered} environment = RUNNER_CONFIG=$${slapos-cfg:rendered}
# Deploy openssh-server # Deploy openssh-server
[runner-sshd-key-authority]
recipe = plone.recipe.command
location = $${directory:sshkeys}/ssh_host_rsa_key
command = if [ ! -f "$${:location}" ]; then ${openssh:location}/bin/ssh-keygen -t rsa -b 4096 -f "$${:location}" -N '' -C ''; fi
[runner-sshd-port] [runner-sshd-port]
recipe = slapos.cookbook:free_port recipe = slapos.cookbook:free_port
minimum = 22222 minimum = 22222
...@@ -220,22 +216,61 @@ template = inline: ...@@ -220,22 +216,61 @@ template = inline:
ListenAddress $${slap-network-information:global-ipv6} ListenAddress $${slap-network-information:global-ipv6}
Protocol 2 Protocol 2
UsePrivilegeSeparation no UsePrivilegeSeparation no
HostKey $${runner-sshd-key-authority:location} HostKey $${directory:ssh}/server_key.rsa
PasswordAuthentication no PasswordAuthentication no
PubkeyAuthentication yes PubkeyAuthentication yes
AuthorizedKeysFile $${buildout:directory}/.ssh/authorized_keys AuthorizedKeysFile $${buildout:directory}/.ssh/authorized_keys
ForceCommand if [ -z "$SSH_ORIGINAL_COMMAND" ]; then ${bash:location}/bin/bash -l; else $SSH_ORIGINAL_COMMAND; fi ForceCommand if [ -z "$SSH_ORIGINAL_COMMAND" ]; then ${bash:location}/bin/bash -l; else $SSH_ORIGINAL_COMMAND; fi
[runner-sshd] [runner-sshd-raw-server]
recipe = slapos.cookbook:wrapper recipe = slapos.cookbook:wrapper
host = $${slap-network-information:global-ipv6}
rsa-keyfile = $${directory:ssh}/server_key.rsa
home = $${directory:ssh}
command-line = ${openssh:location}/sbin/sshd -D -e -f $${runner-sshd-config:rendered} command-line = ${openssh:location}/sbin/sshd -D -e -f $${runner-sshd-config:rendered}
wrapper-path = $${directory:services}/runner-sshd wrapper-path = $${directory:bin}/runner_raw_sshd
[runner-sshd-authorized-key]
<= runner-sshd-raw-server
recipe = slapos.cookbook:dropbear.add_authorized_key
key = $${slap-parameter:user-authorized-key}
[runner-sshd-server]
recipe = collective.recipe.template
log = $${basedirectory:log}/runner-sshd.log
input = inline:#!/bin/sh
exec $${runner-sshd-raw-server:wrapper-path} >> $${:log} 2>&1
output = $${rootdirectory:bin}/runner_raw_sshd_log
mode = 700
[runner-sshd-graceful] [runner-sshd-graceful]
recipe = slapos.cookbook:wrapper recipe = slapos.cookbook:wrapper
command-line = $${directory:bin}/killpidfromfile $${runner-sshd-config:path_pid} SIGHUP command-line = $${directory:bin}/killpidfromfile $${runner-sshd-config:path_pid} SIGHUP
wrapper-path = $${directory:scripts}/runner-sshd-graceful wrapper-path = $${directory:scripts}/runner-sshd-graceful
[sshkeys-directory]
recipe = slapos.cookbook:mkdirectory
requests = $${directory:sshkeys}/requests/
keys = $${directory:sshkeys}/keys/
[runner-sshkeys-authority]
recipe = slapos.cookbook:sshkeys_authority
request-directory = $${sshkeys-directory:requests}
keys-directory = $${sshkeys-directory:keys}
wrapper = $${directory:services}/sshkeys_authority
keygen-binary = ${openssh:location}/bin/ssh-keygen
[runner-sshkeys-sshd]
<= runner-sshkeys-authority
recipe = slapos.cookbook:sshkeys_authority.request
name = dropbear
type = rsa
executable = $${runner-sshd-server:output}
public-key = $${runner-sshd-raw-server:rsa-keyfile}.pub
private-key = $${runner-sshd-raw-server:rsa-keyfile}
wrapper = $${directory:services}/runner-sshd
[runner-sshd-add-authorized-key] [runner-sshd-add-authorized-key]
recipe = slapos.cookbook:dropbear.add_authorized_key recipe = slapos.cookbook:dropbear.add_authorized_key
home = $${buildout:directory} home = $${buildout:directory}
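Review bot: `[runner-sshd-server]` resolves its paths through `$${basedirectory:log}` and `$${rootdirectory:bin}`, while every other section in this hunk and the `etc_dir`/`log_dir` keys in the earlier hunk use `$${directory:...}`; unless `[basedirectory]` and `[rootdirectory]` are defined in a part of the file not shown here, buildout cannot resolve these references, so the two lines should read `log = $${directory:log}/runner-sshd.log` and `output = $${directory:bin}/runner_raw_sshd_log`. The new `[runner-sshd-authorized-key]` section is not added to any of the `parts` lists touched by this commit and nothing visible references it; if it is ever activated, note that it inherits `home = $${directory:ssh}` from `[runner-sshd-raw-server]`, whereas the rendered sshd_config reads `AuthorizedKeysFile $${buildout:directory}/.ssh/authorized_keys` (the existing `[runner-sshd-add-authorized-key]` part uses that home), so the key would be written where sshd does not look. The host key also moves from `$${directory:sshkeys}/ssh_host_rsa_key` to `$${directory:ssh}/server_key.rsa`, so already-deployed instances will present a new host key once after upgrade and users with a pinned known_hosts entry will get a host-key-changed warning; a comment above `[runner-sshd-raw-server]` such as `# host key is generated by runner-sshkeys-authority; its path changed from sshkeys/ssh_host_rsa_key` would let operators tell that one-time change apart from a real interception.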