ci: generate SSH key after downloading artifacts

Generate SSH key after downloading artifacts, and add it to the rootfs.

This avoids having an SSH key hardcoded in the rootfs. Downside is that
we have to rebuild the rootfs, but that is fast.

Signed-off-by: Pablo Barbáchano <[email protected]>

Author: pb8o

.buildkite/pipeline_cross.py

@@ -21,6 +21,9 @@
     instances_x86_64 = ["c5n.metal", "m5n.metal", "m6i.metal", "m6a.metal"]
     instances_aarch64 = ["m7g.metal"]
     commands = [
+        # we run 0 tests for the side effect of downloading the artifacts. We
+        # should convert create_snapshot_artifact to a proper test/
+        "./tools/devtool test -- integration_tests/performance/test_benchmarks.py",
         "./tools/devtool -y sh ./tools/create_snapshot_artifact/main.py",
         "mkdir -pv snapshots/{instance}_{kv}",
         "sudo chown -Rc $USER: snapshot_artifacts",

docs/getting-started.md

@@ -106,13 +106,15 @@ latest=$(wget "http://spec.ccfc.min.s3.amazonaws.com/?prefix=firecracker-ci/v1.1
 wget "https://s3.amazonaws.com/spec.ccfc.min/${latest}"
 
 # Download a rootfs
-wget "https://s3.amazonaws.com/spec.ccfc.min/firecracker-ci/v1.10/${ARCH}/ubuntu-24.04.ext4"
-
-# Download the ssh key for the rootfs
-wget "https://s3.amazonaws.com/spec.ccfc.min/firecracker-ci/v1.10/${ARCH}/ubuntu-24.04.id_rsa"
-
-# Set user read permission on the ssh key
-chmod 400 ./ubuntu-24.04.id_rsa
+wget -O ubuntu-24.04.squashfs.upstream "https://s3.amazonaws.com/spec.ccfc.min/firecracker-ci/v1.10/${ARCH}/ubuntu-24.04.squashfs"
+
+# Create an ssh key for the rootfs
+unsquashfs ubuntu-24.04.squashfs.upstream
+ssh-keygen -f id_rsa -N ""
+cp -v id_rsa.pub squashfs-root/root/.ssh/authorized_keys
+mv -v id_rsa ./ubuntu-24.04.id_rsa
+# re-squash
+mksquashfs squashfs-root ubuntu-24.04.squashfs -all-root -noappend -comp zstd
 ```
 
 ### Getting a Firecracker Binary

resources/rebuild.sh

@@ -70,23 +70,13 @@ EOF
     # TBD what abt /etc/hosts?
     echo | tee $rootfs/etc/resolv.conf
 
-    # Generate key for ssh access from host
-    if [ ! -s id_rsa ]; then
-        ssh-keygen -f id_rsa -N ""
-    fi
-    install -d -m 0600 "$rootfs/root/.ssh/"
-    cp id_rsa.pub "$rootfs/root/.ssh/authorized_keys"
-    id_rsa=$OUTPUT_DIR/$ROOTFS_NAME.id_rsa
-    cp id_rsa $id_rsa
-
     rootfs_img="$OUTPUT_DIR/$ROOTFS_NAME.squashfs"
     mv $rootfs/root/manifest $OUTPUT_DIR/$ROOTFS_NAME.manifest
     mksquashfs $rootfs $rootfs_img -all-root -noappend -comp zstd
     rm -rf $rootfs
     for bin in fast_page_fault_helper fillmem init readmem; do
         rm $PWD/overlay/usr/local/bin/$bin
     done
-    rm -f id_rsa{,.pub}
     rm -f nohup.out
 }
 

tools/setup-ci-artifacts.sh

@@ -14,17 +14,32 @@ cd build/img/$(uname -m)
 say "Fix executable permissions"
 find "firecracker" -type f |xargs chmod -c 755
 
-say "Fix RSA key permissions"
-find . -type f -name "*.id_rsa" |xargs chmod -c 400
+say "Generate SSH key to connect from host"
+if [ ! -s id_rsa ]; then
+    ssh-keygen -f id_rsa -N ""
+fi
 
 for SQUASHFS in *.squashfs; do
+    say "Include SSH key in $SQUASHFS"
+    RSA=$(basename $SQUASHFS .squashfs).id_rsa
     EXT4=$(basename $SQUASHFS .squashfs).ext4
+    [ -s $SQUASHFS.orig ] && continue
+    unsquashfs $SQUASHFS
+    mkdir -pv squashfs-root/root/.ssh
+    # copy the SSH key into the rootfs
+    if [ ! -s $RSA ]; then
+        # append SSH key to the squashfs image
+        cp -v id_rsa.pub squashfs-root/root/.ssh/authorized_keys
+        cp -v id_rsa $RSA
+    fi
+    # re-squash
+    mv -v $SQUASHFS $SQUASHFS.orig
+    mksquashfs squashfs-root $SQUASHFS -all-root -noappend -comp zstd
 
     # Create rw ext4 image from ro squashfs
     [ -f $EXT4 ] && continue
     say "Converting $SQUASHFS to $EXT4"
     truncate -s 400M $EXT4
-    unsquashfs $SQUASHFS
     mkfs.ext4 -F $EXT4 -d squashfs-root
     rm -rf squashfs-root
 done