resilient: replaces dropbear ssh server by sshd from openssh

0452d241 · Nicolas Wavrant · b018a6a1 · 0452d241 · 0452d241 · 0452d241
Commit 0452d241 authored Aug 24, 2016 by Nicolas Wavrant
5 changed files
--- a/stack/resilient/buildout.cfg
+++ b/stack/resilient/buildout.cfg
@@ -3,6 +3,7 @@ extends =
  ../../component/apache/buildout.cfg
  ../../component/bash/buildout.cfg
  ../../component/dropbear/buildout.cfg
+  ../../component/openssh/buildout.cfg
  ../../component/gzip/buildout.cfg
  ../../component/rdiff-backup/buildout.cfg
  ../../component/rsync/buildout.cfg
@@ -26,6 +27,7 @@ parts =
 recipe = zc.recipe.egg
 eggs =
  collective.recipe.template
+  collective.recipe.environment

 #----------------
 #--
@@ -39,7 +41,7 @@ eggs =
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/pbsready.cfg.in
 output = ${buildout:directory}/pbsready.cfg
-md5sum = d2b06a13354127e9cbbf1c5d21791cb4
+md5sum = 615999be7d67edde1ce7390441c72375
 mode = 0644

 [pbsready-import]
@@ -48,7 +50,7 @@ mode = 0644
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/pbsready-import.cfg.in
 output = ${buildout:directory}/pbsready-import.cfg
-md5sum = dd13497575d13b92c3abb0a633777e2c
+md5sum = 33e4871b101578bfa45aaaf93095ad7e
 mode = 0644

 [pbsready-export]
@@ -57,14 +59,14 @@ mode = 0644
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/pbsready-export.cfg.in
 output = ${buildout:directory}/pbsready-export.cfg
-md5sum = bfd71e454140cf13179d408e10f95bf8
+md5sum = eb6c6acfc68bbada3be9b7c657408f1c
 mode = 0644

 [template-pull-backup]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-pull-backup.cfg.in
 output = ${buildout:directory}/instance-pull-backup.cfg
-md5sum = cb7acac7ab41bf44c20d6d03bfad8217
+md5sum = 032d5fdf174664a8784a81291f743358
 mode = 0644

 [template-replicated]

--- a/stack/resilient/instance-pull-backup.cfg.in
+++ b/stack/resilient/instance-pull-backup.cfg.in
@@ -59,7 +59,6 @@ notifier-feeds = $${basedirectory:notifier}/feeds
 notifier-callbacks = $${basedirectory:notifier}/callbacks


-
 #----------------
 #--
 #-- Set up the equeue and notifier.

--- a/stack/resilient/pbsready-export.cfg.in
+++ b/stack/resilient/pbsready-export.cfg.in
@@ -28,8 +28,11 @@ pid = $${:var}/pid
 # Define port of ssh server. It has to be different from import so that it
 # supports export/import using same IP (slaprunner, slapos-in-partition,
 # ipv4...)
-[dropbear-server]
-port = 22221
+[dropbear-server-port]
+recipe = slapos.cookbook:free_port
+minimum = 22200
+maximum = 22209
+ip = $${slap-network-information:global-ipv6}

 [resilient-publish-connection-parameter]
 notification-id = http://[$${notifier:host}]:$${notifier:port}/get/$${notifier-exporter:name}

--- a/stack/resilient/pbsready-import.cfg.in
+++ b/stack/resilient/pbsready-import.cfg.in
@@ -33,8 +33,11 @@ takeover-password = $${resilient-web-takeover-password:passwd}
 # Define port of ssh server. It has to be different from import so that it
 # supports export/import using same IP (slaprunner, slapos-in-partition,
 # ipv4...)
-[dropbear-server]
-port = 22220
+[dropbear-server-port]
+recipe = slapos.cookbook:free_port
+minimum = 22210
+maximum = 22219
+ip = $${slap-network-information:global-ipv6}

 # Define port of notifier (same reason)
 [notifier]

--- a/stack/resilient/pbsready.cfg.in
+++ b/stack/resilient/pbsready.cfg.in
@@ -171,17 +171,30 @@ context =
 #----------------
 #--
 #-- Dropbear.
+[resilient-sshd-config]
+# XXX: Add timeout support
+recipe = slapos.recipe.template:jinja2
+rendered = $${directory:etc}/resilient-sshd.conf
+path_pid = $${directory:run}/resilient-sshd.pid
+template = inline:
+ PidFile $${:path_pid}
+ Port $${dropbear-server-port:port}
+ ListenAddress $${slap-network-information:global-ipv6}
+ Protocol 2
+ UsePrivilegeSeparation no
+ HostKey $${directory:ssh}/server_key.rsa
+ AuthorizedKeysFile $${buildout:directory}/.ssh/authorized_keys
+ PasswordAuthentication no
+ PubkeyAuthentication yes
+ ForceCommand $${rdiff-backup-server:wrapper}

 [dropbear-server]
-recipe = slapos.cookbook:dropbear
+recipe = slapos.cookbook:wrapper
 host = $${slap-network-information:global-ipv6}
-# Explicitely excludes to define "port" argument. It will be defined in
-# pbs-ready-import.cfg.in and pbs-ready-export.cfg.in
-home = $${directory:ssh}
-wrapper = $${rootdirectory:bin}/raw_sshd
-shell = $${rdiff-backup-server:wrapper}
 rsa-keyfile = $${directory:ssh}/server_key.rsa
-dropbear-binary = ${dropbear:location}/sbin/dropbear
+home = $${directory:ssh}
+command-line = ${openssh:location}/sbin/sshd -D -e -f $${resilient-sshd-config:rendered}
+wrapper-path = $${rootdirectory:bin}/raw_sshd

 [dropbear-server-pbs-authorized-key]
 <= dropbear-server
@@ -192,7 +205,7 @@ key = $${slap-parameter:authorized-key}
 recipe = collective.recipe.template
 log = $${basedirectory:log}/sshd.log
 input = inline:#!/bin/sh
-    exec $${dropbear-server:wrapper} >> $${:log} 2>&1
+    exec $${dropbear-server:wrapper-path} >> $${:log} 2>&1

 output = $${rootdirectory:bin}/raw_sshd_log
 mode = 700
@@ -211,7 +224,7 @@ recipe = slapos.cookbook:sshkeys_authority
 request-directory = $${sshkeys-directory:requests}
 keys-directory = $${sshkeys-directory:keys}
 wrapper = $${basedirectory:services}/sshkeys_authority
-keygen-binary = ${dropbear:location}/bin/dropbearkey
+keygen-binary = ${openssh:location}/bin/ssh-keygen

 [sshkeys-dropbear]
 <= sshkeys-authority
@@ -234,6 +247,8 @@ input = inline:#!${bash:location}/bin/bash
 output = $${basedirectory:promises}/public-key-existence
 mode = 700

+[environment]
+recipe = collective.recipe.environment

 #----------------
 #--
@@ -242,5 +257,5 @@ mode = 700
 [resilient-publish-connection-parameter]
 recipe = slapos.cookbook:publish
 ssh-public-key = $${sshkeys-dropbear:public-key-value}
-ssh-url = ssh://nobody@[$${dropbear-server:host}]:$${dropbear-server:port}/$${rdiff-backup-server:path}
+ssh-url = ssh://$${environment:USER}@[$${dropbear-server:host}]:$${dropbear-server-port:port}/$${rdiff-backup-server:path}
 ip = $${slap-network-information:global-ipv6}