ci: generate SSH key after downloading artifacts

pb8o · pb8o · commit 4f8c6896d574 · 2024-10-18T14:08:28.000+02:00
Generate SSH key after downloading artifacts, and add it to the rootfs.

This avoids having an SSH key hardcoded in the rootfs. Downside is that
we have to rebuild the rootfs, but that is fast.

Signed-off-by: Pablo Barbáchano &lt;pablob@amazon.com&gt;
diff --git a/.buildkite/pipeline_cross.py b/.buildkite/pipeline_cross.py
@@ -21,6 +21,9 @@
     instances_x86_64 = ["c5n.metal", "m5n.metal", "m6i.metal", "m6a.metal"]
     instances_aarch64 = ["m7g.metal"]
     commands = [
+        # we run 0 tests for the side effect of downloading the artifacts. We
+        # should convert create_snapshot_artifact to a proper test/
+        "./tools/devtool test -- integration_tests/performance/test_benchmarks.py",
         "./tools/devtool -y sh ./tools/create_snapshot_artifact/main.py",
         "mkdir -pv snapshots/{instance}_{kv}",
         "sudo chown -Rc $USER: snapshot_artifacts",
diff --git a/resources/rebuild.sh b/resources/rebuild.sh
@@ -70,15 +70,6 @@ EOF
     # TBD what abt /etc/hosts?
     echo | tee $rootfs/etc/resolv.conf
 
-    # Generate key for ssh access from host
-    if [ ! -s id_rsa ]; then
-        ssh-keygen -f id_rsa -N ""
-    fi
-    install -d -m 0600 "$rootfs/root/.ssh/"
-    cp id_rsa.pub "$rootfs/root/.ssh/authorized_keys"
-    id_rsa=$OUTPUT_DIR/$ROOTFS_NAME.id_rsa
-    cp id_rsa $id_rsa
-
     rootfs_img="$OUTPUT_DIR/$ROOTFS_NAME.squashfs"
     mv $rootfs/root/manifest $OUTPUT_DIR/$ROOTFS_NAME.manifest
     mksquashfs $rootfs $rootfs_img -all-root -noappend -comp zstd
diff --git a/tools/devtool b/tools/devtool
@@ -542,7 +542,6 @@ ensure_ci_artifacts() {
         mkdir -pv $ARTIFACTS
         aws s3 sync --no-sign-request "$S3_URL" "$ARTIFACTS"
         # fix permissions
-        find "$ARTIFACTS" -type f -name "*.id_rsa" |xargs chmod -c 400
         find "$ARTIFACTS/firecracker" -type f |xargs chmod -c 755
     fi
 }
diff --git a/tools/test.sh b/tools/test.sh
@@ -31,14 +31,32 @@ if [ -f $CGROUP/cgroup.controllers -a -e $CGROUP/cgroup.type ]; then
         > $CGROUP/cgroup.subtree_control
 fi
 
+say "Fixing CI artifacts"
 cd build/img/$(uname -m)
+# Generate key for ssh access from host
+if [ ! -s id_rsa ]; then
+    ssh-keygen -f id_rsa -N ""
+fi
 for SQUASHFS in *.squashfs; do
+    RSA=$(basename $SQUASHFS .squashfs).id_rsa
     EXT4=$(basename $SQUASHFS .squashfs).ext4
+    [ -s $SQUASHFS.orig ] && continue
+    unsquashfs $SQUASHFS
+    mkdir -pv squashfs-root/root/.ssh
+    # copy the SSH key into the rootfs
+    if [ ! -s $RSA ]; then
+        # append SSH key to the squashfs image
+        cp -v id_rsa.pub squashfs-root/root/.ssh/authorized_keys
+        cp -v id_rsa $RSA
+    fi
+    # re-squash
+    mv -v $SQUASHFS $SQUASHFS.orig
+    mksquashfs squashfs-root $SQUASHFS -all-root -noappend -comp zstd
+
     # Create rw ext4 image from ro squashfs
     [ -f $EXT4 ] && continue
     say "Converting $SQUASHFS to $EXT4"
     truncate -s 400M $EXT4
-    unsquashfs $SQUASHFS
     mkfs.ext4 -F $EXT4 -d squashfs-root
     rm -rf squashfs-root
 done

Original file line number	Diff line number	Diff line change
`@@ -542,7 +542,6 @@ ensure_ci_artifacts() {`
`542`	`542`	`mkdir -pv $ARTIFACTS`
`543`	`543`	`aws s3 sync --no-sign-request "$S3_URL" "$ARTIFACTS"`
`544`	`544`	`# fix permissions`
`545`		`- find "$ARTIFACTS" -type f -name "*.id_rsa" \|xargs chmod -c 400`
`546`	`545`	`find "$ARTIFACTS/firecracker" -type f \|xargs chmod -c 755`
`547`	`546`	`fi`
`548`	`547`	`}`