[WIP] Platform/oci golden vm #13
Conversation
sdake
left a comment
No problem merging this now, once the --delete problem is fixed. I do think we should be using Ansible as a provisioner (rather than bash). I'll submit a few PRs for this.
| mkdir /home/packer/.ssh | ||
| chmod 700 /home/packer/.ssh | ||
| curl -sLo - https://github.com/sdake.keys >> /home/packer/.ssh/authorized_keys | ||
| curl -sLo - https://github.com/rstarmer.keys >> /home/packer/.ssh/authorized_keys |
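Review bot: the two `curl -sLo -` calls have no `-f` and their exit status is never checked, so a 404 body or a transient error page from github.com is appended to authorized_keys as though it were a key and the build carries on; use `curl -fsSL` and fail the provisioner on a non-zero status (or verify afterwards that the file contains at least one `ssh-`/`ecdsa-` line). `mkdir` without `-p` makes the script fail on a rerun, and authorized_keys is left at the umask default owned by whoever runs the script; `chmod 600` on the file and `chown -R packer:packer /home/packer/.ssh` are the usual convention for sshd's StrictModes.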
I am not really sure how we should handle dynamic secret management. For now, I have started a wiki entry so we know where our secrets are stored or consumed in our repo.
I think we can enable this as a provisioning step. If we're going to use Ansible, then it would likely be easier to add an Ansible provisioner that loads the right keys at build time, or even better at image deploy time so that there is nothing static in the base/golden image.
Right. I think some things should be dynamic, and the rest should be baked (with packer). Dynamically loaded credentials make sense, far more sense than static.
But, I spent like 5+ years working with people at Red Hat that battled and battled over this credential issue. My recommendation - tech debt it for now, we will sort out the workflow later.
Another way to introduce SSH credentials is via the kernel command line.
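An added example, not code from this PR or the project, of the hardening a reviewer would want around the `curl ... >> authorized_keys` lines discussed above: fail the fetch on an HTTP error, keep only lines shaped like OpenSSH public keys so an error page can never land in authorized_keys, and install the file with the permissions sshd's StrictModes expects. The function names, the home-directory argument and the sample key material are constructed for the example (the hashes in the keys are not real keys); in the provisioner the input would come from `https://github.com/<user>.keys`, the same endpoint the hunk fetches.

```shell
#!/bin/sh
# Added example (not from the PR). Filters untrusted key material before it
# is appended to authorized_keys and installs it with sane permissions.

# filter_pubkeys: read candidate lines on stdin, emit only lines shaped like
# an OpenSSH public key (type, base64 blob, optional comment).  An HTML error
# page or a "Not Found" body from github.com never matches, and grep exits 1
# when nothing matched, which callers can treat as "no usable keys".
filter_pubkeys() {
    grep -E '^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
}

# fetch_github_keys USER: the network step the PR does, but with -f so an HTTP
# error makes curl exit non-zero instead of printing the error body, and with
# the download checked before filtering (no pipefail needed in plain sh).
fetch_github_keys() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "https://github.com/$1.keys" > "$tmp"; then
        rm -f "$tmp"; echo "key fetch for $1 failed" >&2; return 1
    fi
    if filter_pubkeys < "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# install_authorized_keys HOMEDIR OWNER: stdin holds already-filtered keys.
# Creates HOMEDIR/.ssh (0700) and HOMEDIR/.ssh/authorized_keys (0600),
# appends without duplicating, and prints the resulting key count.  chown is
# only attempted as root so the example can run unprivileged.
install_authorized_keys() {
    home="$1"; owner="$2"
    sshdir="$home/.ssh"; keyfile="$sshdir/authorized_keys"
    saved_umask=$(umask); umask 077
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$keyfile"
    while IFS= read -r key; do
        grep -qxF -- "$key" "$keyfile" || printf '%s\n' "$key" >> "$keyfile"
    done
    chmod 600 "$keyfile"
    if [ "$(id -u)" -eq 0 ]; then chown -R "$owner:$owner" "$sshdir"; fi
    umask "$saved_umask"
    wc -l < "$keyfile" | tr -d ' '
}

# sample_key_response: constructed stand-in for what a key fetch might return:
# two well-formed (fake) keys, an HTML error page and a "Not Found" body.
sample_key_response() {
    cat <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl sdake@example
<!DOCTYPE html><html><body>Oops</body></html>
Not Found
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDExampleExampleExampleExampleExample/Example+Example= rstarmer@example
EOF
}

# Demo on a throwaway home directory: only the two key lines survive.
demo_home=$(mktemp -d)
sample_key_response | filter_pubkeys | install_authorized_keys "$demo_home" packer
cat "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

In the provisioner the pipeline would be `fetch_github_keys sdake | install_authorized_keys /home/packer packer`, with the script exiting non-zero when the fetch fails; that is the behaviour the bare `curl -sLo - ... >>` lines lack.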
| cat > /tmp/fixes.sh <<EOF | ||
| #!/bin/bash | ||
| set -x | ||
| echo 'GRUB_CMDLINE_LINUX="console=ttyS0"' >> /etc/default/grub |
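Review bot: appending a second `GRUB_CMDLINE_LINUX=` assignment with `>>` replaces whatever the distro already set in /etc/default/grub, since the last assignment wins when the file is sourced, so any existing kernel arguments are silently dropped; a drop-in under /etc/default/grub.d/ that extends the variable (`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX console=ttyS0"`) keeps them. The heredoc on the `cat > /tmp/fixes.sh <<EOF` line is unquoted, so any `$` in the script body is expanded by the provisioning shell when the file is written rather than when fixes.sh runs; use `<<'EOF'` unless that is intended. Nothing in this hunk regenerates grub.cfg after the change; make sure `update-grub` (or `grub2-mkconfig -o`) runs before the image is sealed.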
better to put in /etc/default/grub.d. I will submit an update.
This may not even work, still trying to get a testable environment for dev (I think I can do this in OCI now, but I haven't yet managed to get a connection through the UI or via oci cli yet).
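An added example, not code from this PR, showing what the grub.d suggestion above buys: the fixes.sh hunk appends a fresh `GRUB_CMDLINE_LINUX=` assignment to /etc/default/grub, which replaces the distro's value, whereas a drop-in that extends the variable keeps it. The example emulates how Debian/Ubuntu's grub-mkconfig reads the files (it sources /etc/default/grub, then every /etc/default/grub.d/*.cfg), an assumption that should be checked against the target distro; the ROOT argument, the function names and the sample /etc/default/grub are constructed so it runs unprivileged in a temporary directory.

```shell
#!/bin/sh
# Added example (not code from the PR).  ROOT is a directory used as a fake
# "/" so nothing on the build host is touched.
# Assumption: Debian/Ubuntu grub-mkconfig, which sources /etc/default/grub
# and then every /etc/default/grub.d/*.cfg in glob order.

# write_sample_grub_default ROOT: constructed stand-in for a distro's file.
write_sample_grub_default() {
    mkdir -p "$1/etc/default"
    cat > "$1/etc/default/grub" <<'EOF'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="net.ifnames=0"
EOF
}

# append_pr_style ROOT: the pattern under review (whole assignment appended).
append_pr_style() {
    echo 'GRUB_CMDLINE_LINUX="console=ttyS0"' >> "$1/etc/default/grub"
}

# write_console_dropin ROOT: the recommended form.  The value is built from
# the current $GRUB_CMDLINE_LINUX, so earlier arguments survive.
write_console_dropin() {
    mkdir -p "$1/etc/default/grub.d"
    cat > "$1/etc/default/grub.d/50-serial-console.cfg" <<'EOF'
# Serial console for the golden image (added by the image build)
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX console=tty0 console=ttyS0,115200n8"
GRUB_TERMINAL="console serial"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
EOF
}

# effective_cmdline ROOT: emulate grub-mkconfig's sourcing order and print
# the GRUB_CMDLINE_LINUX the generated grub.cfg would get.
effective_cmdline() {
    (
        GRUB_CMDLINE_LINUX=""
        . "$1/etc/default/grub"
        for f in "$1"/etc/default/grub.d/*.cfg; do
            [ -r "$f" ] && . "$f"
        done
        printf '%s\n' "$GRUB_CMDLINE_LINUX"
    )
}

# Demo: same starting file, both approaches.
pr_root=$(mktemp -d); write_sample_grub_default "$pr_root"; append_pr_style "$pr_root"
ok_root=$(mktemp -d); write_sample_grub_default "$ok_root"; write_console_dropin "$ok_root"
echo "PR style : $(effective_cmdline "$pr_root")"   # net.ifnames=0 is gone
echo "drop-in  : $(effective_cmdline "$ok_root")"   # both retained
rm -rf "$pr_root" "$ok_root"
```

Whichever form is used, grub.cfg is only regenerated by `update-grub` (or `grub2-mkconfig -o /boot/grub2/grub.cfg` on RHEL-family images), so that step still has to run in the provisioner before the image is sealed.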
| echo 'packer ALL=(ALL) NOPASSWD:ALL'>> /etc/sudoers.d/91-packer | ||
| passwd -d packer |
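Review bot: the sudoers drop-in is written with the shell's default umask and never validated; set it to mode 0440 (`chmod 0440 /etc/sudoers.d/91-packer`) and run `visudo -cf /etc/sudoers.d/91-packer` so a typo cannot break sudo for the whole image. Combined with `passwd -d packer` on the last line, the script leaves a NOPASSWD-root account with an empty password field: `passwd -d` removes the hash rather than disabling password authentication, so wherever PAM is configured with `nullok` or sshd with `PermitEmptyPasswords yes` the packer account can be entered with no password at all. `passwd -l packer` (or `usermod -L packer`) is the operation that blocks password logins while leaving key-based SSH working, and `usermod --expiredate 1` if the account should be disabled outright.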
I had to read the man page, and I was still not sure what --delete does. So, I tried it, and the result was
sdake@beast08 ~ [1]> sudo passwd -d sdake
passwd: password expiry information changed.
in this case, it appears to have expired my password, which I guess is reasonable.
Is the goal you're really after to remove the ability to login with the password (but with ssh?)
In that case, I think you want
passwd --lock packer
from man page:
-l, --lock
Lock the password of the named account. This option disables a password
by changing it to a value which matches no possible encrypted value (it
adds a '!' at the beginning of the password).
Note that this does not disable the account. The user may still be able
to login using another authentication token (e.g. an SSH key). To disable
the account, administrators should use usermod --expiredate 1 (this set
the account's expire date to Jan 2, 1970).
Users with a locked password are not allowed to change their password.
@rstarmer this needs a change to resolve. I recommend --lock.
Yes, that makes sense. I looked at the passwd/shadow files, and it "erases" the password, which would presumably make it impossible to login via a password, but would not expressly prohibit setting a password. And with passwordless Sudo, you could potentially set a password via su anyway.
this is important, but not worth slowing down the PR. Can you file a tech debt bug?
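An added example, not code from this PR, for checking on a built image which of the states discussed in this thread a shadow entry is actually in: the blank field `passwd -d` leaves, the `!`-prefixed hash `passwd -l` writes, the `*`/`!!` of an account that never had a password, and the expiry date `usermod --expiredate 1` sets. The function names and the sample shadow file (with fake hashes) are constructed for the example; pointed at the real /etc/shadow it needs root.

```shell
#!/bin/sh
# Added example (not from the PR): classify what a shadow entry allows, so
# the effect of `passwd -d`, `passwd -l` and `usermod --expiredate 1` can be
# audited on an image before it is sealed.

# shadow_password_state USER [SHADOW]
# Prints one of: empty | locked | nologin | set, with ",expired" appended
# when the account expiry date (field 8, days since the epoch) has passed.
shadow_password_state() {
    user="$1"; shadow="${2:-/etc/shadow}"
    line=$(grep -- "^$user:" "$shadow" | head -n 1)
    [ -n "$line" ] || { echo missing; return 1; }
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    expire=$(printf '%s\n' "$line" | cut -d: -f8)
    case "$pw" in
        '')       state=empty ;;    # passwd -d: blank field; with PAM nullok or
                                    # sshd PermitEmptyPasswords this is passwordless login
        '*'|'!!') state=nologin ;;  # never had a usable password (system accounts)
        '!'*)     state=locked ;;   # passwd -l / usermod -L: '!' prefix, no hash matches
        *)        state=set ;;      # a real hash; a password will work
    esac
    today=$(( $(date +%s) / 86400 ))
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        state="$state,expired"      # usermod --expiredate 1: account disabled outright
    fi
    printf '%s\n' "$state"
}

# audit_shadow [SHADOW]: one "user state" line per entry.
audit_shadow() {
    shadow="${1:-/etc/shadow}"
    cut -d: -f1 "$shadow" | while IFS= read -r u; do
        printf '%s %s\n' "$u" "$(shadow_password_state "$u" "$shadow")"
    done
}

# make_sample_shadow PATH: constructed shadow file; the hashes are fake.
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
packer_deleted::19000:0:99999:7:::
packer_locked:!$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
packer_expired:!$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7::1:
svc:*:19000:0:99999:7:::
EOF
}

# Demo on the constructed file.
demo=$(mktemp)
make_sample_shadow "$demo"
audit_shadow "$demo"
rm -f "$demo"
```

Run as root against the real file, `shadow_password_state packer` answering `empty` is the condition this thread is worried about; `locked` is what `passwd -l packer` produces, and the `,expired` suffix is what `usermod --expiredate 1` adds when the account is meant to be unusable altogether.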
platform/golden/upload-image.sh
| @@ -0,0 +1,28 @@ | |||
| cd build | |||
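Review bot: `cd build` is unchecked, so when the directory is absent every later command in upload-image.sh runs against the caller's working directory instead of failing; write `cd build || exit 1` (or start the script with `set -euo pipefail`) and give each step a one-line comment saying what it does and what it waits on.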
comments here and there would be cool - not really sure what this does without a deep dive into the man pages.
| hard_drive_interface = "virtio" | ||
| rtc_time_base = "UTC" | ||
| shutdown_command = "echo '${var.ssh_password}' | sudo -S shutdown -P now" | ||
| shutdown_command = "echo '${var.ssh_password}' | sudo -S /usr/sbin/shutdown -P now" |
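Review bot: the rewritten shutdown_command still pipes `${var.ssh_password}` into `sudo -S`, so the password travels in a plain Packer variable and appears in the command line Packer records when PACKER_LOG is enabled. Once the provisioner has installed /etc/sudoers.d/91-packer with NOPASSWD:ALL, the echo and `-S` are redundant and `sudo shutdown -P now` suffices. On the path change: when sudoers sets `secure_path`, as the Debian/Ubuntu and RHEL defaults do, sudo resets PATH to that value, which contains /usr/sbin, so the absolute path should not be needed; if it was, it is worth finding out why `secure_path` was not in effect rather than hard-coding /usr/sbin.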
/usr/sbin not in the root path? Doesn't matter for the purposes of merging the PR, just seems odd. :)
@rstarmer can you respond on these questions? I am trying to learn along the way (this feels wrong, which means /etc/environment may not be right).
This was to resolve an issue with running shutdown, and I'm not sure why the environment worked initially, and then didn't. I'll do a bit more debugging, and I agree, I've not seen a single example where the full path to shutdown was required.
all good then. Perhaps a tech debt bug would help us keep track of it for new developer low hanging fruit.
WORK_REQUEST_ID needed to have the ""s stripped; Work Request matches SUCCEEDED, not SUCCESS
The provisioners need not be this fine-grained, just that tasks are.
…alwisdom-origin into platform/oci-golden-vm
@rstarmer was this ready for review? cheers,
| @@ -0,0 +1,7 @@ | |||
| - hosts: all | |||
strange, I think this shouldn't be here.
| @@ -0,0 +1,10 @@ | |||
| - name: "Get installed packages" | |||
| @@ -0,0 +1,157 @@ | |||
| --- | |||
this looks like a rebase gone wrong. Probably as a result of my force push error to main...
sdake
left a comment
password needs --lock I believe.
sdake
left a comment
line 106 may be broken. (after reading the virtualbox provisioner and vbox source code for hours), I believe this is correct. This uses the natnetwork created by vbox/start.sh to expose an ssh port, that can then be used by the ssh connector.
vboxmanage = [
[ "modifyvm", "{{.Name}}", "--recording", "on" ],
[ "modifyvm", "{{.Name}}", "--nic1", "natnetwork" ]
]
adds cloud-init (needed for ssh key additions)
removes packer user password
adds serial interface grub config
checks for persistent network (mac) and removes it
minor tweaks to packer build (shutdown path)