infra/codestorage/hg-ssh

Paddy 2015-10-11 Parent:eeaf3e97ed44 Child:121585c71fd7

1:2f4a2a20ad6d

Update to be more modular.

We updated our Mercurial serving architecture to be a bit more modular. The main difference is that we now are based off the secondbit/hg-repo-sync image, and don't need to do as much setup to get the basics (Mercurial, folders, etc.).

We now have a pullkeys.sh script, which pulls down the SSH keys stored in a specified GCS bucket, and creates users for them. This allows us to update who has push access without modifying the docker image.

We also have a custom run.sh script now, instead of starting sshd directly, because we need to do a few things when starting this up:

1. Modify the permissions on the mounted directories while we're root so SSH users can write and read the committed files. We have to do this at start time instead of at image build time because Kubernetes' volumes don't respect the permissions set at build time.
2. Pull all the repos backed up to GCS to local disk, which means that startup automatically picks up at the last known state. This script is built into the image by secondbit/hg-repo-sync.
3. Pull all the SSH keys from GCS, using the new script. This creates the new users and lets us SSH into the server, while keeping the user definitions separate from the image itself.
4. Finally, start the SSH daemon.

Dockerfile pullkeys.sh run.sh

     1.1 --- a/Dockerfile	Mon Aug 17 19:07:28 2015 -0400
     1.2 +++ b/Dockerfile	Sun Oct 11 17:06:15 2015 -0700
     1.3 @@ -1,22 +1,18 @@
     1.4 -FROM ubuntu:14.04
     1.5 -MAINTAINER Paddy Foran "<paddy@secondbit.org>"
     1.6 -
     1.7 -RUN groupadd -g 2000 committers
     1.8 -RUN mkdir -p /mounted/repos
     1.9 -RUN chown -R root:committers /mounted/repos
    1.10 -RUN chmod 0770 /mounted/repos
    1.11 -VOLUME /mounted
    1.12 +FROM secondbit/hg-repo-sync
    1.13 +MAINTAINER Paddy "<paddy@secondbit.org>"
    1.14  
    1.15  ADD create_user.sh /usr/local/bin/helpers/create_user.sh
    1.16  RUN chmod +x /usr/local/bin/helpers/create_user.sh
    1.17 -VOLUME /home
    1.18 +ADD run.sh /usr/local/bin/helpers/run-ssh.sh
    1.19 +RUN chmod +x /usr/local/bin/helpers/run-ssh.sh
    1.20 +ADD pullkeys.sh /usr/local/bin/helpers/pullkeys.sh
    1.21 +RUN chmod +x /usr/local/bin/helpers/pullkeys.sh
    1.22  
    1.23  RUN mkdir /var/run/sshd
    1.24  
    1.25  # install required packages
    1.26  RUN apt-get -y update
    1.27 -RUN apt-get -y install openssh-server python-pip python-dev
    1.28 -RUN pip install Mercurial
    1.29 +RUN apt-get -y install openssh-server 
    1.30  
    1.31  #ADD sshd_config /etc/ssh/sshd_config
    1.32  RUN sed -ri 's/session    required     pam_loginuid.so/session    optional     pam_loginuid.so/g' /etc/pam.d/sshd
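Review bot: sshd keeps the distribution default configuration because `#ADD sshd_config /etc/ssh/sshd_config` (1.31) is commented out, while the whole access model introduced here is key-based (pullkeys.sh writes authorized_keys); check in an sshd_config with `PasswordAuthentication no` and `PermitRootLogin no` so accounts created by create_user.sh are reachable only with a key that came from the bucket. Two smaller points: `RUN apt-get -y update` and `RUN apt-get -y install openssh-server ` (1.26, 1.29) are separate layers, so a cached update layer can be paired with a later install and resolve against stale package indexes; fold them into one RUN and drop the trailing space on 1.29. pullkeys.sh also depends on gsutil, which nothing in this Dockerfile installs; if it is provided by the secondbit/hg-repo-sync base image, a comment saying so would save the next reader a search.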
    1.33 @@ -25,4 +21,4 @@
    1.34  
    1.35  EXPOSE 22
    1.36  
    1.37 -CMD ["/usr/sbin/sshd", "-D"]
    1.38 +CMD ["/usr/local/bin/helpers/run-ssh.sh"]
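Review bot: `CMD ["/usr/local/bin/helpers/run-ssh.sh"]` (1.38) makes a bash script PID 1, and bash does not forward SIGTERM to a child it is waiting on, so deleting the pod will sit out the full termination grace period and then SIGKILL sshd, possibly in the middle of a push; have the script finish with `exec /usr/sbin/sshd -D` (or run it under a minimal init such as tini) so sshd receives the signal directly. Minor: the file is added as run.sh but installed as run-ssh.sh, and the commit message calls it run.sh; one name would be less confusing.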
     2.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.2 +++ b/pullkeys.sh	Sun Oct 11 17:06:15 2015 -0700
     2.3 @@ -0,0 +1,39 @@
     2.4 +#!/bin/bash
     2.5 +DOMAIN=${DOMAIN:-code.secondbit.org}
     2.6 +SSH_KEYS_BUCKET=${SSH_KEYS_BUCKET:-sshkeys.$DOMAIN}
     2.7 +
     2.8 +mkdir -p /tmp/sshkeys
     2.9 +
    2.10 +echo "Cleaning up..."
    2.11 +rm -rf /tmp/sshkeys/*
    2.12 +
    2.13 +echo "Downloading keys from gs://${SSH_KEYS_BUCKET}/"
    2.14 +
    2.15 +output=$(gsutil cp -R gs://$SSH_KEYS_BUCKET/\* /tmp/sshkeys/ 2>&1)
    2.16 +echo $output
    2.17 +
    2.18 +keys=$(find /tmp/sshkeys -name '*.pub')
    2.19 +
    2.20 +for key in $keys
    2.21 +do
    2.22 +	dir=$(dirname $key)
    2.23 +	stripped=${dir#.}
    2.24 +	stripped=${stripped#/tmp/sshkeys}
    2.25 +	target=${key#/tmp/sshkeys}
    2.26 +	target=${target%.pub}
    2.27 +	target=${target#/}
    2.28 +	IFS='-' read -ra USERSPEC <<< $target
    2.29 +	if [ -d "/home${USERSPEC[0]}" ]
    2.30 +	then
    2.31 +		echo "User ${USERSPEC[0]} already exists, skipping."
    2.32 +	else
    2.33 +		echo "Creating user ${USERSPEC[0]} with ID ${USERSPEC[1]}."
    2.34 +		/bin/bash /usr/local/bin/helpers/create_user.sh "${USERSPEC[0]}" "${USERSPEC[1]}"
    2.35 +		cat $key > /home/${USERSPEC[0]}/.ssh/authorized_keys
    2.36 +	fi
    2.37 +done
    2.38 +
    2.39 +echo "Cleaning up..."
    2.40 +rm -rf /tmp/sshkeys/*
    2.41 +
    2.42 +echo "SSH key pull complete."
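Review bot: the existing-user check on 2.29 is missing a slash: `if [ -d "/home${USERSPEC[0]}" ]` tests `/homealice` rather than `/home/alice`, so it never matches and create_user.sh is invoked for every key on every run; compare 2.35, which correctly uses `/home/${USERSPEC[0]}/.ssh/authorized_keys`. The result of `gsutil cp` is only echoed (2.15, 2.16), so a failed download (missing credentials, wrong bucket name) leaves the loop with zero keys and the script still exits 0 and prints "SSH key pull complete"; check the exit status and abort so the server does not come up with no accounts or with whatever a partial copy produced. Since the username and UID are taken verbatim from the object name (`user-uid.pub`), anyone with write access to the bucket chooses both the account name and the numeric ID; validate USERSPEC[0] against a strict pattern and require USERSPEC[1] to be numeric and outside the system UID range before calling create_user.sh. Note also that removing a key from the bucket only revokes access on a fresh container, because the existing-user branch never rewrites authorized_keys. Cleanup: the `stripped` variables (2.23, 2.24) are never used, and `$key` in `dirname $key` and `cat $key` should be quoted.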
     3.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.2 +++ b/run.sh	Sun Oct 11 17:06:15 2015 -0700
     3.3 @@ -0,0 +1,16 @@
     3.4 +#!/bin/bash
     3.5 +
     3.6 +# We need to reexecute these commands
     3.7 +# because Kubernetes doesn't use the
     3.8 +# VOLUME commands in the Dockerfiles
     3.9 +# when using volumes. So this makes
    3.10 +# things work on Kubernetes, but the
    3.11 +# Dockerfile makes things work when
    3.12 +# running locally.
    3.13 +mkdir -p /mounted/repos
    3.14 +chgrp -R committers /mounted
    3.15 +chmod -R 0770 /mounted
    3.16 +
    3.17 +/bin/bash /usr/local/bin/helpers/pull.sh
    3.18 +/bin/bash /usr/local/bin/helpers/pullkeys.sh
    3.19 +/usr/sbin/sshd -D
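Review bot: `chmod -R 0770 /mounted` (3.15) rewrites the mode of every file in the repository store on each start, marking every tracked file and every .hg internal as executable and getting slower as the store grows; `chmod -R g+rwX /mounted` together with setgid on the directories (`find /mounted -type d -exec chmod g+s {} +`) gives committers write access, leaves file modes intact, and makes new files inherit the group. The script also has no error handling: if `/bin/bash /usr/local/bin/helpers/pull.sh` (3.17) fails, sshd still starts on an empty or partially restored /mounted/repos and the next push creates repository state that was never in GCS; a `set -e` at the top, or explicit exit-status checks after 3.17 and 3.18, makes startup fail loudly instead.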