infra/codestorage/hg-ssh

Paddy 2015-10-15 Parent:bf7b66df555f

6:4c6afe37e83a tip Browse Files

Pull hostkeys when pulling SSH keys. Rather than relying on Kubernetes secrets and baking public keys right in, which was bound to get fraught, we now have some graceful degradation. It defaults to automatically generated random keys, but tries to download host keys from Google Cloud Storage; if it finds some, it tries to use those instead.

Dockerfile hostkeys/ssh_host_dsa_key.pub hostkeys/ssh_host_ecdsa_key.pub hostkeys/ssh_host_ed25519_key.pub hostkeys/ssh_host_key.pub hostkeys/ssh_host_rsa_key.pub pullkeys.sh run.sh

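--- a/Dockerfile
+++ b/Dockerfile
@@ -11,7 +11,6 @@
 RUN chmod +x /usr/local/bin/helpers/broadcast-to-frontends.sh
 
 ADD hgrc /etc/mercurial/hgrc
-ADD hostkeys/* /tmp/sshpubkeys/
 
 RUN mkdir /var/run/sshd
 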
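--- a/hostkeys/ssh_host_dsa_key.pub
+++ /dev/null
@@ -1,1 +0,0 @@
-ssh-dss AAAAB3NzaC1kc3MAAACBAMMcGMNvokdnVEqDl1JyQhFQPhA2sp7hqEjkfMUB3I3B9TYQFTyY+KlxIn+AO37vW9fya5lPDNNSQOrk1h9X4OFXSLBDi0jTJXGp1gkZ/7IQMbTIszLwFHTjqy61/4DrvXv90Z/L8s2EzPCCku6+Co5vKYXmBn4RmXZvWcn1OLwfAAAAFQDEUQv1jP/OPR9mbdvZE0oE43q8XwAAAIBmPU4nIPs7mxJ1t5scCisgwqIqSKLauMBCcs6HVpeUV4UORNNIKbqD1wdbd0mBS+s5L61Z451f5HBSUB4uLERNqZyN39x/2EScg7PYhSR02QgJYyiXIx3ZkjlQT/DcJBIxy/4S53cG7dgkig0p6ddJKwnMRAv5HHwgaz7eCMRSzQAAAIB3Tf1247VaX6N5OIbWRgJ3wEyNe+K8pqWHbogqhCp+2ScGhFn70NzcFdFcIsnDVuyzzTf9K9HmT84fwVsboBQX8+ARSBeeiBdz2wOu4iFjKP6o4ri+Ls8CaD985zvGkkHzMxhzJiSjbS6J6mtmpYaIPBFLS6GMj1/3pIARkYtHBQ== root@b87d3e0c861d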
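--- a/hostkeys/ssh_host_ecdsa_key.pub
+++ /dev/null
@@ -1,1 +0,0 @@
-ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOuyk2WdvX8C3IaKynFcxZddIoVt06L1LmFcJp5Vxb3qnVjOl2eu0eqrSe/ovXXt0iOXgJSgAuYvDGaURjSX+eM= root@b87d3e0c861d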
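--- a/hostkeys/ssh_host_ed25519_key.pub
+++ /dev/null
@@ -1,1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBgzM68R85F+QMgDuNqU73yVbqcIbH3qf/vO5lM72b8 root@b87d3e0c861d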
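--- a/hostkeys/ssh_host_key.pub
+++ /dev/null
@@ -1,1 +0,0 @@
-2048 65537 21964169156689197959968112264599322462701895341261218260361787944654847063102182466706111356203643631486390592624635376605457563285113415022828640338062453419774709231521304295187811616069993296786965265896098834681877856871765712230153288409530596540977307036886233739346988376731485195514300686024403676968268677434073519988333984697665748426054612636743326470415533241995374701249362884557291623823680975594572773413238058279417517286431854243205462589858246185235157619879693664199985539445423689480302926065298699105779896765447253549825977552174969499280898675345574401157182228732198706331972008374460476233441 root@b87d3e0c861d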
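--- a/hostkeys/ssh_host_rsa_key.pub
+++ /dev/null
@@ -1,1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCR7RLJMBE8+EqwQFINNqsR+3MvwUJeSj0AsHoNIEhKmvQWlJdtbrdJb++oVYnie42HCYt6NmYfO4SSo2218vLaTsG6bXg7d8/HjePYKJQ0GEFrg4qIAhQjcwpwIqUxYF1PO9DxMBq5BdzGKLct6oAv6M4/nvmpcbsT076OxqbV/ybML9MWXGdTMcmxy6BqhTlMyvbpRJIRo6xMlIYClXLJx78q95G4tMjHTznHx2OQ9u8IWTjHmp25TdC3esjQYYw95FYbrnuhTCQV/4/koSfXZb5XuNiCyDlPfhUB/KLVIXSwI05Ys7adK99KAVQDe+TqVQBdMC8W4glivd+5rQY9 root@b87d3e0c861d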
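--- a/pullkeys.sh
+++ b/pullkeys.sh
@@ -1,11 +1,14 @@
 #!/bin/bash
 DOMAIN=${DOMAIN:-code.secondbit.org}
 SSH_KEYS_BUCKET=${SSH_KEYS_BUCKET:-sshkeys.$DOMAIN}
+SSH_HOST_KEYS_BUCKET=${SSH_HOST_KEYS_BUCKET:-hostkeys.$DOMAIN}
 
 mkdir -p /tmp/sshkeys
+mkdir -p /tmp/hostkeys
 
 echo "Cleaning up..."
 rm -rf /tmp/sshkeys/*
+rm -rf /tmp/hostkeys/*
 
 echo "Downloading keys from gs://${SSH_KEYS_BUCKET}/"
 
@@ -33,7 +36,27 @@
 	fi
 done
 
+echo "Downloading host keys from gs://${SSH_HOST_KEYS_BUCKET}/"
+
+output=$(gsutil cp -R gs://$SSH_HOST_KEYS_BUCKET/\* /tmp/hostkeys/ 2>&1)
+echo $output
+
+keys=/tmp/hostkeys/*
+
+for key in $keys
+do
+	if [[ $key != *".pub" ]]
+	then
+		chmod 0700 $key
+	fi
+	target="/etc/ssh/${key##*/}"
+	echo "Moving $key to $target"
+	rm $target
+	mv $key $target
+done
+
 echo "Cleaning up..."
 rm -rf /tmp/sshkeys/*
+rm -rf /tmp/hostkeys/*
 
 echo "SSH key pull complete."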
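Review bot: The `for key in $keys` loop in the second hunk wipes /etc/ssh in exactly the fallback case the commit message describes: `keys=/tmp/hostkeys/*` is an unquoted glob with no nullglob, so when the bucket yields no files `$key` stays the literal `/tmp/hostkeys/*`, `target` becomes `/etc/ssh/*`, and the unquoted `rm $target` expands and deletes every file there, sshd_config and the auto-generated host keys included. The exit status of the `gsutil cp` on the line above is also discarded (only its text is echoed), so a wrong bucket name or missing credentials takes the same path. Checking gsutil's status before touching /etc/ssh, enabling `shopt -s nullglob` (or `[[ -e "$key" ]] || continue`), quoting the expansions, and replacing `rm`+`mv` with a single `mv -f -- "$key" "$target"` keeps the degradation graceful; private keys should get 0600 rather than 0700, since sshd only requires that they not be group/world readable. Whoever can write to the host-key bucket now defines this host's SSH identity, so a header comment naming the expected bucket ACL would help the next maintainer.

```shell
echo "Downloading host keys from gs://${SSH_HOST_KEYS_BUCKET}/"

if ! output=$(gsutil cp -R "gs://${SSH_HOST_KEYS_BUCKET}/*" /tmp/hostkeys/ 2>&1)
then
	echo "Host key download failed, keeping existing host keys: $output"
else
	shopt -s nullglob
	for key in /tmp/hostkeys/*
	do
		if [[ $key != *.pub ]]
		then
			chmod 0600 "$key"
		fi
		target="/etc/ssh/${key##*/}"
		echo "Moving $key to $target"
		mv -f -- "$key" "$target"
	done
	shopt -u nullglob
fi
# … unchanged: cleanup and completion message …
```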
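--- a/run.sh
+++ b/run.sh
@@ -11,19 +11,7 @@
 chgrp -R committers /mounted
 chmod -R 0770 /mounted
 
-RUN mkdir -p /data/ssh
-
 /bin/bash /usr/local/bin/helpers/pull.sh
 /bin/bash /usr/local/bin/helpers/pullkeys.sh
 
-KEYS=/data/ssh/*
-for k in "${KEYS[@]}"
-do
-	base=${k##*/}
-	echo "Linking ${k} to /etc/ssh/${base}"
-	ln -s $k /etc/ssh/$base
-done
-
-cp /tmp/sshpubkeys/* /etc/ssh/
-
 /usr/sbin/sshd -D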