Changes from 7 commits
Commits
29 commits
27d5e08
Merge remote-tracking branch 'adobe-platform/master'
Apr 27, 2016
32ba74a
Initial check-in of klam-ssh support
Apr 27, 2016
957e3fb
klam-ssh additions
Apr 29, 2016
f80f050
Merge remote-tracking branch 'adobe-platform/master'
Apr 29, 2016
3a1a4b9
Last few refinements
May 3, 2016
dc90b55
Merge remote-tracking branch 'adobe-platform/master'
May 3, 2016
a457ce5
make scripts executable
May 3, 2016
e41b189
Merge remote-tracking branch 'adobe-platform/master'
May 4, 2016
3b26a28
update from master; fixes from comments in PR
May 4, 2016
285bcc8
Modify global prompt for klam-ssh
May 4, 2016
25a6ac4
setting default klam-ssh image value
May 4, 2016
1695dff
Merge remote-tracking branch 'adobe-platform/master'
May 10, 2016
8fd283f
Merge remote-tracking branch 'adobe-platform/master'
May 12, 2016
05ec34d
etcd2 setup for bastion host as well
May 12, 2016
a2dbc4d
Merge remote-tracking branch 'adobe-platform/master'
May 12, 2016
2df21da
Merge remote-tracking branch 'adobe-platform/master'
May 13, 2016
dc94557
Merge remote-tracking branch 'adobe-platform/master'
May 16, 2016
3b5a4d0
Bastion support in mesos-systemd
May 16, 2016
0c9ce40
Fixing klam-ssh installation issues due to reliance on values from se…
May 16, 2016
c0b2691
Merge remote-tracking branch 'adobe-platform/master'
May 16, 2016
0d8aa6f
something's not right...
May 16, 2016
94a8485
Revert "something's not right..."
May 16, 2016
e7843af
Rearranging the script order
May 16, 2016
685f787
update-ssh-keys is causing problems
May 16, 2016
f87bb3d
Merge remote-tracking branch 'adobe-platform/master'
May 17, 2016
2c2917f
Merge remote-tracking branch 'adobe-platform/master'
May 19, 2016
09c83cc
Bastion host ssh helper script
May 19, 2016
947b01a
Merge remote-tracking branch 'adobe-platform/master'
May 24, 2016
2f66d37
Updating the ssh client config script to use the Bastion as a forward…
May 24, 2016
2 changes: 2 additions & 0 deletions v3/profile.d/klam.sh
@@ -0,0 +1,2 @@
KLAM_USER=$(who -m | awk '{print $1}')
PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$KLAM_USER [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//") [$RETRN_VAL]"'
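Review bot: every interactive command line, including any secret passed as an argument, is shipped to syslog at local6.debug, and because PROMPT_COMMAND is set inside the user's own shell it can be overridden there, so the PR should describe this as a convenience audit trail rather than an access control. Also `who -m` prints nothing without a controlling tty (non-interactive `ssh host cmd`, `su -`), which leaves KLAM_USER empty; fall back to `logname` or `$USER` and guard with `[ -n "$KLAM_USER" ]` before calling logger.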
Member

this is some...voodoo magic.

Author

Got rid of this and made a change to the global command prompt instead to use the who -m voodoo. This wasn't working correctly under CoreOS as it was, so away it goes!

137 changes: 137 additions & 0 deletions v3/setup/klam-ssh.sh
@@ -0,0 +1,137 @@
#!/bin/bash

should we slap an -e on there to exit if any command fails?

Member

agreed. I'm also starting to lean towards -xe due to the amount of stuff going on in here

Author

Good point! Made that change.


AZ=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone)
REGION=${AZ::-1}
ROLE_NAME="$(etcdctl get /klam-ssh/ROLE_NAME)"
ENCRYPTION_ID="$(etcdctl get /klam-ssh/ENCRYPTION_ID)"
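Review bot: `curl -s` without `-f` or `--max-time` returns an empty string when the metadata service errors or hangs, so REGION is then derived from nothing and the script only fails later in the region check with a misleading message; use `curl -sf --max-time 5` and test `-n "$AZ"` right here so the failure names its real cause. `${AZ::-1}` also relies on bash 4.2+ negative-length substrings, fine on CoreOS but worth a comment.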
Member

lowercase & dashes for all of these

Contributor

Also, put these in /klam-ssh/config/your-value-here

Author

OK, I fixed these up. There will need to be an update to infrastructure as well so that the example configs have the values corrected.

ENCRYPTION_KEY="$(etcdctl get /klam-ssh/ENCRYPTION_KEY)"
KEY_LOCATION_PREFIX="$(etcdctl get /klam-ssh/KEY_LOCATION_PREFIX)"
IMAGE="$(etcdctl get /images/klam-ssh)"


if [[ $REGION == "eu-west-1" ]]; then
KEY_LOCATION="-ew1"
elif [[ $REGION == "ap-northeast-1" ]]; then
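Review bot: ENCRYPTION_KEY is a secret read from etcd into a shell variable, so if `set -xe` is adopted as discussed above, the xtrace output will write the key into the journal on every boot; keep `set -e` but enable `set -x` only around the non-secret steps (or `set +x` before these reads). It is also worth confirming in the PR that the etcd keyspace these values live in is not readable by unprivileged workloads on the cluster, since the key that protects the authorized keys is only as private as `/klam-ssh/` is.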

should we make this list accessible to the widest swath of regions, or is that unnecessary?

Author

Unfortunately, I was limited to the regions where klam-ssh is configured. Version 2.0 of klam-ssh will be more widely available, and will get addressed with its release.

KEY_LOCATION="-an1"
elif [[ $REGION == "us-east-1" ]]; then
KEY_LOCATION="-ue1"
elif [[ $REGION == "us-west-1" ]]; then
KEY_LOCATION="-uw1"
elif [[ $REGION == "us-west-2" ]]; then
KEY_LOCATION="-uw2"
else
echo "An incorrect region value specified"
exit 1
fi

# create nsswitch.conf
Member

this is a huge nitpick but there has to be a better way to do this

Author

If "unhappy"; then
how about a case statement?
elif "unsatisfied"; then
how about a case statement?
else
you get a case statement
exit 0

echo "passwd: files usrfiles ato" > /home/core/nsswitch.conf
echo "shadow: files usrfiles ato" >> /home/core/nsswitch.conf
echo "group: files usrfiles ato" >> /home/core/nsswitch.conf
echo -e "\n" >> /home/core/nsswitch.conf
echo "hosts: files usrfiles dns" >> /home/core/nsswitch.conf
echo "networks: files usrfiles dns" >> /home/core/nsswitch.conf
echo -e "\n" >> /home/core/nsswitch.conf
echo "services: files usrfiles" >> /home/core/nsswitch.conf
echo "protocols: files usrfiles" >> /home/core/nsswitch.conf
echo "rpc: files usrfiles" >> /home/core/nsswitch.conf
echo -e "\n" >> /home/core/nsswitch.conf
echo "ethers: files" >> /home/core/nsswitch.conf
echo "netmasks: files" >> /home/core/nsswitch.conf
echo "netgroup: nisplus" >> /home/core/nsswitch.conf
echo "bootparams: files" >> /home/core/nsswitch.conf
echo "automount: files nisplus" >> /home/core/nsswitch.conf
echo "aliases: files nisplus" >> /home/core/nsswitch.conf
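Review bot: the new nsswitch.conf is assembled under /home/core and later moved over /etc/nsswitch.conf; a system file should be staged in a root-owned temporary location (`mktemp`) rather than a user's home directory so nothing running as core can alter it before the move. The `netgroup: nisplus`, `automount: files nisplus` and `aliases: files nisplus` lines look copied from a NIS+ default and do not apply on CoreOS, so drop them; note also that `echo -e "\n"` emits two newlines rather than the one the comment layout suggests.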
Contributor

Another stylistic nitpick, but can't we do something like:

cat <<EOT >> /home/core/nsswitch.conf
passwd: files usrfiles ato
shadow: files usrfiles ato
...
EOT

Just makes things easier to read / cleaner.

Member

👍

Author

You got it!


# create klam-ssh.conf
echo "{" > /home/core/klam-ssh.conf
echo " \"key_location\": \"${KEY_LOCATION_PREFIX}${KEY_LOCATION}\"," >> /home/core/klam-ssh.conf
echo " \"role_name\": \"${ROLE_NAME}\"," >> /home/core/klam-ssh.conf
echo " \"encryption_id\": \"${ENCRYPTION_ID}\"," >> /home/core/klam-ssh.conf
echo " \"encryption_key\": \"${ENCRYPTION_KEY}\"," >> /home/core/klam-ssh.conf
echo " \"resource_location\": \"amazon\"," >> /home/core/klam-ssh.conf
echo " \"time_skew\": \"permissive\"," >> /home/core/klam-ssh.conf
echo " \"s3_region\": \"${REGION}\"" >> /home/core/klam-ssh.conf
echo "}" >> /home/core/klam-ssh.conf
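Review bot: klam-ssh.conf embeds ENCRYPTION_KEY, yet nothing sets its mode after the later `mv` to /opt/klam/lib, so under the default umask it ends up world-readable; add `chmod 600 /opt/klam/lib/klam-ssh.conf` (and `chown root:root`) next to the move. The JSON is also built by hand, so a value containing a double quote or backslash produces an invalid file that the container will reject at login time; at minimum validate it with `python -m json.tool` before moving it into place.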
Contributor

Same here: cat <<EOT >> /home/core/klam-ssh.conf


# Create directory structure
mkdir -p /opt/klam/lib /opt/klam/lib64 /etc/ld.so.conf.d

# Docker volume mount
docker create --name klam-ssh ${IMAGE}

# Copy libnss_ato library
docker cp klam-ssh:/tmp/klam-build/coreos/libnss_ato.so.2 /opt/klam/lib64

# Create symlink
ln -sf /opt/klam/lib64/libnss_ato.so.2 /opt/klam/lib64/libnss_ato.so

# Docker remove container
docker rm klam-ssh

# Move the ld.so.conf file to the correct location
echo "/opt/klam/lib64" > /etc/ld.so.conf.d/klam.conf
ldconfig
ldconfig -p | grep klam

# Validate that the files exist in the correct folder
ls -l /opt/klam/lib64/libnss_ato.so*

# Create the klamfed home directory
useradd -p "*" -U -G sudo -u 5000 -m klamfed -s /bin/bash
mkdir -p /home/klamfed
usermod -p "*" klamfed
usermod -U klamfed
update-ssh-keys -u klamfed

# Add klamfed to wheel
usermod -a -G wheel klamfed

# Add klamfed to sudo
usermod -a -G sudo klamfed

# Add passwordless sudo to klamfed
echo "klamfed ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/klamfed

# Validate that the klamfed user has the correct uid value (5000) and home directory
id klamfed
ls -ld /home/klamfed

# Re-link nsswitch.conf
mv -f /home/core/nsswitch.conf /etc/nsswitch.conf
cat /etc/nsswitch.conf

# generate the ATO config
grep klamfed /etc/passwd > /opt/klam/lib/klam-ato.conf

# Validate that the contents of /opt/klam/lib/klam-ato.conf
cat /opt/klam/lib/klam-ato.conf

# Move klam-ssh.conf
mv -f /home/core/klam-ssh.conf /opt/klam/lib/klam-ssh.conf
cat /opt/klam/lib/klam-ssh.conf

# update /etc/ssh/sshd_config
cp /etc/ssh/sshd_config sshd_config
echo 'AuthorizedKeysCommand /opt/klam/lib/authorizedkeys_command.sh' >> sshd_config
echo 'AuthorizedKeysCommandUser root' >> sshd_config
mv -f sshd_config /etc/ssh/sshd_config
cat /etc/ssh/sshd_config
echo ""

# Change ownership of authorizedkeys_command
chown root:root /home/core/mesos-systemd/v3/util/authorizedkeys_command.sh
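Review bot: `echo ... >> /etc/sudoers.d/klamfed` appends a duplicate line every time the script re-runs and never sets the mode; write it with `>` instead, `chmod 0440` it and run `visudo -cf /etc/sudoers.d/klamfed` so a typo cannot break sudo for everyone on the host. The same applies to sshd_config: sshd honours the first occurrence of a keyword, so appending `AuthorizedKeysCommand` at the end is silently ignored if the stock file already sets it, and re-runs duplicate the lines; check with `grep -q '^AuthorizedKeysCommand'` first and run `sshd -t` before the restart. Worth stating in the PR description as well: every federated user maps onto the single uid 5000 with NOPASSWD sudo, so per-person accountability rests entirely on the key lookup and the PROMPT_COMMAND logging.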
Member

huh...does this actually work? And why is this needed?


# Relocate authorizedkeys_command
mv /home/core/mesos-systemd/v3/util/authorizedkeys_command.sh /opt/klam/lib

# Change ownership of downloadS3
chown root:root /home/core/mesos-systemd/v3/util/downloadS3.sh

# Relocate downloadS3.sh
mv /home/core/mesos-systemd/v3/util/downloadS3.sh /opt/klam/lib

# Restart SSHD
systemctl restart sshd.service
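Review bot: restart sshd only after `sshd -t` succeeds, otherwise a bad sshd_config takes the host offline for SSH with no way back in except the console. Also check which unit is actually active, because CoreOS ships sshd socket-activated (sshd.socket with a per-connection sshd@.service), in which case `systemctl restart sshd.service` may not be the unit that serves logins.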
Contributor

Is this going to conflict with the existing service which restarts sshd? Can we reduce how many times we are restarting it by making sure all the conf changes are made first, then restarting it once?

Member

I don't think so? It shouldn't just because this will run serially. @eadasiak can you test and confirm?

Contributor

Conflict was probably the wrong word; I'm thinking more of the fact that ssh is being restarted twice. We already have to wait about five minutes before we can SSH in to an instance, this might make that longer.

Member

The restart is actually quite fast though. We see the daemon restart when fleet is restarted and it's near instantaneous to establish a new connection

Author

I wasn't able to find where the other sshd restart happens. This particular restart is really fast, but if the sequence of events is such that the setup scripts occur before the other service restart, I can strike this one.

Contributor

I'm okay with leaving this here; was just thinking about optimizing it, but if you say it's fast, LGTM


echo "KLAM SSH BOOTSTRAP COMPLETE"
12 changes: 12 additions & 0 deletions v3/util/authorizedkeys_command.sh
@@ -0,0 +1,12 @@
#!/bin/bash

ENCRYPTION_ID=$(etcdctl get /klam-ssh/ENCRYPTION_ID)
ENCRYPTION_KEY=$(etcdctl get /klam-ssh/ENCRYPTION_KEY)
ROLE_NAME=$(etcdctl get /klam-ssh/ROLE_NAME)
KEY_LOCATION_PREFIX=$(etcdctl get /klam-ssh/KEY_LOCATION_PREFIX)
Contributor

Make sure to update these to /klam-ssh/config/your-value-here as well.

Author

Done!


IMAGE=$(etcdctl get /images/klam-ssh)
Contributor

/images/klam-ssh should be set (as a default) in v3/setup/klam-ssh.sh

Author

Ah, I see your point. I was relying on the configs from the infrastructure repo to do this instead. I've set a default value in v3/setup/klam-ssh.sh


echo "Running authorizedkeys_command for $1" | systemd-cat -p info -t klam-ssh

docker run --rm -e ROLE_NAME=${ROLE_NAME} -e ENCRYPTION_ID=${ENCRYPTION_ID} -e ENCRYPTION_KEY=${ENCRYPTION_KEY} -e KEY_LOCATION_PREFIX=${KEY_LOCATION_PREFIX} ${IMAGE} /usr/lib/klam/getKeys.py $1
exit 0
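Review bot: whatever the container writes to stdout is handed to sshd as authorized_keys lines, and the unconditional `exit 0` hides a failed `docker run`, so capture the output, check docker's exit status and print it only on success, sending stderr to the journal with `2> >(systemd-cat -t klam-ssh)`. Quote `"$1"` in both the log line and the `docker run`, and note that `-e ENCRYPTION_KEY=...` leaves the secret visible in `docker inspect` and the container environment for as long as the container exists; `--rm` shortens that window but does not remove it.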
10 changes: 10 additions & 0 deletions v3/util/downloadS3.sh
@@ -0,0 +1,10 @@
#!/bin/bash

ENCRYPTION_ID=$(etcdctl get /klam-ssh/ENCRYPTION_ID)
ENCRYPTION_KEY=$(etcdctl get /klam-ssh/ENCRYPTION_KEY)
ROLE_NAME=$(etcdctl get /klam-ssh/ROLE_NAME)
KEY_LOCATION_PREFIX=$(etcdctl get /klam-ssh/KEY_LOCATION_PREFIX)
IMAGE=$(etcdctl get /images/klam-ssh)

docker run --rm -e ROLE_NAME=${ROLE_NAME} -e ENCRYPTION_ID=${ENCRYPTION_ID} -e ENCRYPTION_KEY=${ENCRYPTION_KEY} -e KEY_LOCATION_PREFIX=${KEY_LOCATION_PREFIX} ${IMAGE} /usr/lib/klam/downloadS3.py
exit 0
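Review bot: the same five etcdctl reads now appear in three scripts (klam-ssh.sh, authorizedkeys_command.sh and here); move them into one root-only file, for example a hypothetical /opt/klam/lib/klam.env, and `source` it, so a key rename like the /klam-ssh/config/ change requested above is made once. Drop the trailing `exit 0` so a failed download is reported to the caller instead of being masked.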