diff --git a/elements/runtime-ssh-host-keys/README.rst b/elements/runtime-ssh-host-keys/README.rst
new file mode 100644
index 000000000..b00a2402e
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/README.rst
@@ -0,0 +1,10 @@
+=====================
+runtime-ssh-host-keys
+=====================
+An element to generate SSH host keys on first boot.
+
+Since ssh key generation is not yet common to all operating systems, we need to
+create a DIB element to manage this. We force the removal of the SSH host keys,
+then add init scripts to generate them on first boot.
+
+This element currently supports Debian and Ubuntu (both systemd and upstart).
diff --git a/elements/simple-init/cleanup.d/90-remove-ssh-host-keys b/elements/runtime-ssh-host-keys/cleanup.d/90-remove-ssh-host-keys
similarity index 78%
rename from elements/simple-init/cleanup.d/90-remove-ssh-host-keys
rename to elements/runtime-ssh-host-keys/cleanup.d/90-remove-ssh-host-keys
index c90626a8a..b14e03f1c 100755
--- a/elements/simple-init/cleanup.d/90-remove-ssh-host-keys
+++ b/elements/runtime-ssh-host-keys/cleanup.d/90-remove-ssh-host-keys
@@ -10,9 +10,6 @@ set -o pipefail
 # in so that they are regenerated on first boot and
 # are unique.
 
-# TODO(greghaynes) This should be a thing we do for all images, not just
-# simple-init.
-
 if [ -d $TARGET_ROOT/etc/ssh ] ; then
     sudo find $TARGET_ROOT/etc/ssh -name 'ssh_host*' -type f -delete
 fi
diff --git a/elements/runtime-ssh-host-keys/element-deps b/elements/runtime-ssh-host-keys/element-deps
new file mode 100644
index 000000000..3a0277624
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/element-deps
@@ -0,0 +1 @@
+dib-init-system
diff --git a/elements/runtime-ssh-host-keys/init-scripts/systemd/ssh-keygen.service b/elements/runtime-ssh-host-keys/init-scripts/systemd/ssh-keygen.service
new file mode 100644
index 000000000..90a831362
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/init-scripts/systemd/ssh-keygen.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=OpenSSH Server Key Generation
+Before=ssh.service
+
+ConditionPathExists=|!/etc/ssh/ssh_host_key
+ConditionPathExists=|!/etc/ssh/ssh_host_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/elements/runtime-ssh-host-keys/init-scripts/upstart/ssh-keygen.conf b/elements/runtime-ssh-host-keys/init-scripts/upstart/ssh-keygen.conf
new file mode 100644
index 000000000..3fa2c0126
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/init-scripts/upstart/ssh-keygen.conf
@@ -0,0 +1,8 @@
+description "OpenSSH Server Key Generation"
+
+start on starting ssh
+console output
+
+task
+
+exec /usr/bin/ssh-keygen -A
diff --git a/elements/runtime-ssh-host-keys/package-installs.yaml b/elements/runtime-ssh-host-keys/package-installs.yaml
new file mode 100644
index 000000000..c5017af3f
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/package-installs.yaml
@@ -0,0 +1 @@
+openssh-client:
diff --git a/elements/runtime-ssh-host-keys/pkg-map b/elements/runtime-ssh-host-keys/pkg-map
new file mode 100644
index 000000000..413d584e7
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/pkg-map
@@ -0,0 +1,7 @@
+{
+  "family": {
+    "redhat": {
+      "openssh-client": "openssh"
+    }
+  }
+}
diff --git a/elements/runtime-ssh-host-keys/post-install.d/80-ssh-keygen b/elements/runtime-ssh-host-keys/post-install.d/80-ssh-keygen
new file mode 100755
index 000000000..926a12d69
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/post-install.d/80-ssh-keygen
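Review bot: The `ConditionPathExists=|!` list in the new unit includes the protocol-1 `/etc/ssh/ssh_host_key` pair and the DSA pair, which `ssh-keygen -A` will not create on OpenSSH builds that have dropped protocol 1 (the compile-time default since 7.0, as far as I recall) or DSA, so at least one `|`-ed condition stays true and the unit runs on every boot rather than only on first boot. This is harmless in practice because `-A` only generates keys that are missing, but the conditions then do not do what they appear to do and will mislead anyone debugging boot ordering. I would trim the list to the types the target OpenSSH actually generates (RSA, ECDSA, Ed25519), or drop the conditions and document the idempotence with `# ssh-keygen -A only creates keys that do not exist yet, so it is safe to run on every boot`. It is also worth a one-line comment that `Before=ssh.service` is ordering only: if generation fails, sshd still starts and then refuses to run without host keys, which is the safe outcome but not obvious from the unit.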
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+    upstart)
+        # nothing to do
+        exit 0
+        ;;
+    systemd)
+        if [[ $DISTRO_NAME = "ubuntu" || $DISTRO_NAME = "debian" ]]; then
+            # NOTE(pabelanger): Only support ubuntu / debian today.
+            systemctl enable ssh-keygen.service
+        else
+            # Since we are not enabling it, delete it.
+            rm /usr/lib/systemd/system/ssh-keygen.service
+        fi
+        ;;
+    openrc)
+        # let dib-init-system's postinstall handle enabling init scripts
+        exit 0
+        ;;
+    *)
+        echo "Unsupported init system"
+        exit 1
+        ;;
+esac
diff --git a/elements/simple-init/element-deps b/elements/simple-init/element-deps
index d92bc778c..5c7f9bb38 100644
--- a/elements/simple-init/element-deps
+++ b/elements/simple-init/element-deps
@@ -1,5 +1,5 @@
 cloud-init-datasources
-dib-init-system
 install-types
 pip-and-virtualenv
+runtime-ssh-host-keys
 source-repositories
diff --git a/releasenotes/notes/runtime-ssh-host-keys-7a2fc873cc90d33e.yaml b/releasenotes/notes/runtime-ssh-host-keys-7a2fc873cc90d33e.yaml
new file mode 100644
index 000000000..3475ae7d0
--- /dev/null
+++ b/releasenotes/notes/runtime-ssh-host-keys-7a2fc873cc90d33e.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - New element (runtime-ssh-host-keys) to manage SSH host keys at boot. Since
+    SSH host key generation is not standard across operating systems, add
+    support for both Debian and Ubuntu to handle it. While this is a new
+    element, simple-init has been updated to depend on it.
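Review bot: The `else` branch of the `systemd)` case deletes the unit on every distro other than Debian/Ubuntu, but this element's `cleanup.d/90-remove-ssh-host-keys` removes the host keys unconditionally, so on those distros (the pkg-map suggests the RedHat family is expected) first-boot regeneration is left entirely to the distro's own sshd startup, and that reliance is stated nowhere. Please replace the `# Since we are not enabling it, delete it.` comment with something like `# Not enabled here: other distros are expected to regenerate missing host keys themselves at sshd start. cleanup.d still deletes the keys unconditionally, so confirm this before adding a new distro.` Separately, if `dib-init-system` can report `sysv` (I believe it can, but have not checked here), that value now lands in the `*)` branch and aborts the build for every simple-init image on such a system; the fallback should then behave like the `upstart)` branch, or the README should say sysv is unsupported.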