From: Zack Cerza Date: Fri, 29 Jul 2022 19:42:48 +0000 (-0600) Subject: containers: Use secrets for SSH keys, not env vars X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=60b790f799b1fe67d77ea8e4fd1af1a60389ac7f;p=teuthology.git containers: Use secrets for SSH keys, not env vars Signed-off-by: Zack Cerza --- diff --git a/containers/docker-compose/README.md b/containers/docker-compose/README.md index e69d1bf7f..b2c14822e 100644 --- a/containers/docker-compose/README.md +++ b/containers/docker-compose/README.md @@ -40,11 +40,13 @@ Depending on your local operating system, it may be necessary to connect to the #### Using your SSH private key -In your local shell, simply: +In your local shell, first: ```bash -export SSH_PRIVKEY_PATH=$HOME/.ssh/id_rsa +cp ~/.ssh/id_rsa{,.pub} . +docker secret create id_rsa ~/.ssh/id_rsa +docker secret create id_rsa.pub ~/.ssh/id_rsa.pub ``` -The teuthology container will write it to a file at runtime. +Then, remove the entire top-level `secrets:` section from docker-compose.yml. #### Reserving Machines in the Lab @@ -90,4 +92,4 @@ TEUTHOLOGY_WAIT=1 ./start.sh To schedule tests in wait mode: ```bash docker exec docker-compose_teuthology_1 /venv/bin/teuthology-suite ... -``` \ No newline at end of file +``` diff --git a/containers/docker-compose/docker-compose.yml b/containers/docker-compose/docker-compose.yml index 30cc9fc32..fff32fb9c 100644 --- a/containers/docker-compose/docker-compose.yml +++ b/containers/docker-compose/docker-compose.yml @@ -1,5 +1,12 @@ version: '3.8' + +secrets: + id_rsa: + file: id_rsa + id_rsa.pub: + file: id_rsa.pub + services: postgres: image: postgres:14 @@ -59,8 +66,6 @@ services: build: context: ../../ dockerfile: ./containers/teuthology-dev/Dockerfile - args: - SSH_PRIVKEY_FILE: $SSH_PRIVKEY_FILE depends_on: paddles: condition: service_healthy 
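Review bot: The new top-level `secrets:` block reads `id_rsa` and `id_rsa.pub` from the compose directory, which is inside the git checkout, so a passphrase-less private key now sits in the working tree and a careless `git add .` would commit it; nothing in this commit ignores those files. I would add `id_rsa` and `id_rsa.pub` to a `.gitignore` in `containers/docker-compose/` as part of this change. Note also that plain (non-swarm) compose bind-mounts file-based secrets, so the README's `docker secret create` steps only apply to swarm mode and the instruction to delete this section would break the `secrets:` references under the services unless they are declared `external: true` — presumably that divergence is unintended.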
@@ -68,12 +73,12 @@ services: - paddles - beanstalk environment: - SSH_PRIVKEY: - SSH_PRIVKEY_FILE: MACHINE_TYPE: TESTNODES: TEUTHOLOGY_WAIT: TEUTH_BRANCH: + secrets: + - id_rsa testnode: build: context: ../testnode-docker-compose @@ -87,6 +92,6 @@ services: - paddles ports: - "22" - environment: - SSH_PUBKEY: + secrets: + - id_rsa.pub platform: linux/amd64 diff --git a/containers/docker-compose/start.sh b/containers/docker-compose/start.sh index 871258c5b..c2e0bcebf 100755 --- a/containers/docker-compose/start.sh +++ b/containers/docker-compose/start.sh @@ -24,15 +24,8 @@ if [ -n "$CUSTOM_CONF" ]; then fi # Generate an SSH keypair to use if necessary -if [ -z "$SSH_PRIVKEY_PATH" ]; then - SSH_PRIVKEY_PATH=$(mktemp -u /tmp/teuthology-ssh-key-XXXXXX) - ssh-keygen -t rsa -N '' -f $SSH_PRIVKEY_PATH - export SSH_PRIVKEY=$(cat $SSH_PRIVKEY_PATH) - export SSH_PUBKEY=$(cat $SSH_PRIVKEY_PATH.pub) - export SSH_PRIVKEY_FILE=id_rsa -else - export SSH_PRIVKEY=$(cat $SSH_PRIVKEY_PATH) - export SSH_PRIVKEY_FILE=$(basename $SSH_PRIVKEY_PATH | cut -d. -f1) +if [ ! -f id_rsa ]; then + ssh-keygen -t rsa -N '' -f id_rsa fi if [ -z "$TEUTHOLOGY_WAIT" ]; then diff --git a/containers/testnode-docker-compose/testnode_start.sh b/containers/testnode-docker-compose/testnode_start.sh index d29c3b6d0..46d44179e 100755 --- a/containers/testnode-docker-compose/testnode_start.sh +++ b/containers/testnode-docker-compose/testnode_start.sh @@ -1,7 +1,7 @@ #!/usr/bin/bash set -x -echo "$SSH_PUBKEY" > /root/.ssh/authorized_keys -echo "$SSH_PUBKEY" > /home/ubuntu/.ssh/authorized_keys +cat /run/secrets/id_rsa.pub >> /root/.ssh/authorized_keys +cat /run/secrets/id_rsa.pub >> /home/ubuntu/.ssh/authorized_keys chown ubuntu /home/ubuntu/.ssh/authorized_keys payload="{\"name\": \"$(hostname)\", \"machine_type\": \"testnode\", \"up\": true, \"locked\": false, \"os_type\": \"ubuntu\", \"os_version\": \"20.04\"}" for i in $(seq 1 5); do 
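Review bot: The new guard only tests for `id_rsa`, but docker-compose.yml also needs `id_rsa.pub` as the testnode secret file; if the private key was copied in without its public half, `ssh-keygen` is skipped and compose fails on a missing secret file instead of repairing it. I'd derive the public key when it is absent: `[ -f id_rsa.pub ] || ssh-keygen -y -f id_rsa > id_rsa.pub`. The generated key also now persists in the repo directory across runs (the old code used a mktemp path) and is resolved relative to the caller's cwd rather than the script's directory, so a comment stating that `start.sh` must be run from `containers/docker-compose/` would help.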
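Review bot: `cat /run/secrets/id_rsa.pub >> …` runs under `set -x` but not `set -e`, so a missing or unreadable secret mount only logs a cat error and the script goes on to register the node as `up` with an empty authorized_keys, which is much harder to diagnose than failing fast. I'd guard it before the two cat lines: `test -r /run/secrets/id_rsa.pub || { echo 'id_rsa.pub secret not mounted' >&2; exit 1; }`. Switching `>` to `>>` also means a restarted (not recreated) container appends a duplicate key on every start; harmless to sshd, but worth a one-line comment if that is intended.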
diff --git a/containers/testnode/Dockerfile b/containers/testnode/Dockerfile
index 016d32117..355b6951f 100644
--- a/containers/testnode/Dockerfile
+++ b/containers/testnode/Dockerfile
@@ -14,7 +14,7 @@ COPY testnode_start.sh /
 COPY testnode_stop.sh /
 COPY testnode_sudoers /etc/sudoers.d/teuthology
 RUN \
- ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' && \
+ ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' && \
 sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config && \
 mkdir -p /root/.ssh && \
 chmod 700 /root/.ssh && \
diff --git a/containers/testnode/testnode_start.sh b/containers/testnode/testnode_start.sh
index d29c3b6d0..46d44179e 100755
--- a/containers/testnode/testnode_start.sh
+++ b/containers/testnode/testnode_start.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/bash
 set -x
-echo "$SSH_PUBKEY" > /root/.ssh/authorized_keys
-echo "$SSH_PUBKEY" > /home/ubuntu/.ssh/authorized_keys
+cat /run/secrets/id_rsa.pub >> /root/.ssh/authorized_keys
+cat /run/secrets/id_rsa.pub >> /home/ubuntu/.ssh/authorized_keys
 chown ubuntu /home/ubuntu/.ssh/authorized_keys
 payload="{\"name\": \"$(hostname)\", \"machine_type\": \"testnode\", \"up\": true, \"locked\": false, \"os_type\": \"ubuntu\", \"os_version\": \"20.04\"}"
 for i in $(seq 1 5); do
diff --git a/containers/teuthology-dev/Dockerfile b/containers/teuthology-dev/Dockerfile
index f350b31db..c2566a045 100644
--- a/containers/teuthology-dev/Dockerfile
+++ b/containers/teuthology-dev/Dockerfile
@@ -1,5 +1,4 @@
 FROM ubuntu:latest
-ARG SSH_PRIVKEY_FILE=id_ed25519
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update && \
 apt-get install -y \
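Review bot: Replacing the DSA host key with RSA is the right move (modern OpenSSH refuses DSA host keys), but the key is still generated inside `RUN` at build time, so it is baked into an image layer and shared by every testnode container started from that image; anyone holding the image can impersonate a testnode. Generating it at container start keeps each instance's key private: drop the `ssh-keygen` line from this `RUN` chain and add `ssh-keygen -A` near the top of `testnode_start.sh`, before sshd is launched (the launch itself is outside this hunk, so that ordering needs confirming). The teuthology-dev image disables host-key checking, so this mainly matters if the testnode image is ever published beyond the lab. The enclosing `RUN` continues past the end of the hunk.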
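Review bot: This `testnode_start.sh` is byte-identical to `containers/testnode-docker-compose/testnode_start.sh` (both hunks carry the same blob hashes, d29c3b6d0..46d44179e), so every fix — including any guard added for a missing `/run/secrets/id_rsa.pub` — has to be applied twice. I'd keep a single copy and reference it from the other Dockerfile's build context (or a symlink), and add a header comment such as `# NOTE: kept in sync with containers/testnode-docker-compose/testnode_start.sh` if the duplication must stay.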
@@ -36,8 +35,8 @@ COPY containers/teuthology-dev/ansible_inventory/hosts /etc/ansible/
 COPY containers/teuthology-dev/ansible_inventory/secrets /etc/ansible/
 RUN \
 mkdir $HOME/.ssh && \
- touch $HOME/.ssh/${SSH_PRIVKEY_FILE} && \
- chmod 600 $HOME/.ssh/${SSH_PRIVKEY_FILE} && \
+ touch $HOME/.ssh/id_rsa && \
+ chmod 600 $HOME/.ssh/id_rsa && \
 echo "StrictHostKeyChecking=no" > $HOME/.ssh/config && \
 echo "UserKnownHostsFile=/dev/null" >> $HOME/.ssh/config
-ENTRYPOINT /teuthology.sh
\ No newline at end of file
+ENTRYPOINT /teuthology.sh
diff --git a/containers/teuthology-dev/teuthology.sh b/containers/teuthology-dev/teuthology.sh
index 0378f93d4..7f8eed650 100755
--- a/containers/teuthology-dev/teuthology.sh
+++ b/containers/teuthology-dev/teuthology.sh
@@ -1,11 +1,8 @@
 #!/usr/bin/bash
 set -e
-# We don't want -x yet, in case the private key is sensitive
-if [ -n "$SSH_PRIVKEY_FILE" ]; then
-echo "$SSH_PRIVKEY" > $HOME/.ssh/$SSH_PRIVKEY_FILE
-fi
 source /teuthology/virtualenv/bin/activate
 set -x
+cat /run/secrets/id_rsa > $HOME/.ssh/id_rsa
 if [ -n "$TESTNODES" ]; then
 for node in $(echo $TESTNODES | tr , ' '); do
 teuthology-update-inventory -m $MACHINE_TYPE $node
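Review bot: `cat /run/secrets/id_rsa > $HOME/.ssh/id_rsa` depends on the Dockerfile having pre-created that path with mode 600 and on truncation preserving it; if `$HOME` differs at runtime (a `user:` in compose, `docker exec -u`) the redirect creates a new file under the default umask and ssh rejects it as an unprotected private key. `install -m 600 /run/secrets/id_rsa "$HOME/.ssh/id_rsa"` pins the mode on every path and would let the Dockerfile's touch/chmod go. Copying instead of pointing `IdentityFile` at `/run/secrets/id_rsa` looks deliberate — compose mounts file secrets with a permissive default mode that ssh would refuse — but a short comment above the line saying so would spare the next reader the question. Running the copy after `set -e` does correctly abort the container when the secret is not mounted.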