slaprunner: replaces dropbear by openssh

52a97336 · Nicolas Wavrant · cf09c0eb · 52a97336 · 52a97336 · 52a97336
Commit 52a97336 authored Aug 22, 2016 by Nicolas Wavrant
4 changed files
--- a/software/slaprunner/common.cfg
+++ b/software/slaprunner/common.cfg
@@ -12,6 +12,7 @@ extends =
  ../../component/lxml-python/buildout.cfg
  ../../component/nano/buildout.cfg
  ../../component/nginx/buildout.cfg
+  ../../component/openssh/buildout.cfg
  ../../component/rsync/buildout.cfg
  ../../component/python-2.7/buildout.cfg
  ../../component/screen/buildout.cfg
@@ -54,7 +55,7 @@ mode = 0644
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-runner.cfg
 output = ${buildout:directory}/template-runner.cfg.in
-md5sum = c98c81336cb8c91376737e20bad6636a
+md5sum = 8353a65fcf0def2f7715f15fee368899
 mode = 0644

 [template-runner-import-script]
@@ -70,7 +71,7 @@ mode = 0644
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-runner-import.cfg.in
 output = ${buildout:directory}/instance-runner-import.cfg
-md5sum = 8dc4898bd7c3071b8969e6305da8d643
+md5sum = 22d958bd271a378b84f04e36010ee689
 mode = 0644

 [template-runner-export-script]
@@ -86,13 +87,13 @@ mode = 0644
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-runner-export.cfg.in
 output = ${buildout:directory}/instance-runner-export.cfg
-md5sum = b01ad6fef55fab5405d5cf212832e52f
+md5sum = 38a2b6e9ebb65457c1f477455b205328
 mode = 0644

 [template-resilient]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/instance-resilient.cfg.jinja2
-md5sum = 56ea5ab49eca534acd22b2028529b7d9
+md5sum = a902b84ac7d1e29a7fdb06cbc7dec150
 filename = instance-resilient.cfg.jinja2
 mode = 0644


--- a/software/slaprunner/instance-runner-export.cfg.in
+++ b/software/slaprunner/instance-runner-export.cfg.in
@@ -9,14 +9,14 @@ parts +=
  ca-nginx
  gunicorn-launcher
  gunicorn-graceful
-  sshkeys-dropbear-runner
-  dropbear-server-add-authorized-key
  sshkeys-authority
  publish-connection-information
  slaprunner-promise
  apache-httpd-promise
  slaprunner-supervisord-wrapper
-  dropbear-promise
+  runner-sshd-add-authorized-key
+  runner-sshd-graceful
+  runner-sshd-promise
  runtestsuite
  symlinks
  shellinabox
@@ -30,6 +30,7 @@ parts +=
  supervisord-wrapper
  supervisord-promise
  httpd-graceful-wrapper
+  runner-sshd
 ## Monitoring part
 ## Monitor for runner
  monitor-base

--- a/software/slaprunner/instance-runner-import.cfg.in
+++ b/software/slaprunner/instance-runner-import.cfg.in
@@ -9,12 +9,13 @@ parts +=
  ca-nginx
  gunicorn-launcher
  gunicorn-graceful
-  sshkeys-dropbear-runner
-  dropbear-server-add-authorized-key
  sshkeys-authority
  slaprunner-promise
  slaprunner-supervisord-wrapper
-  dropbear-promise
+  runner-sshd
+  runner-sshd-add-authorized-key
+  runner-sshd-graceful
+  runner-sshd-promise
  runtestsuite
  shellinabox
  symlinks
@@ -38,6 +39,11 @@ parts +=
 proxy_port = 50000
 runner_port = 50005

+# Idem for some other services
+[runner-sshd-port]
+minimum = 22232
+maximum = 22241
+
 [importer]
 recipe = slapos.recipe.template:jinja2
 template = ${template-runner-import-script:location}/${template-runner-import-script:filename}
@@ -84,7 +90,6 @@ monitor-url = $${publish:monitor-url}
 monitor-user = $${publish:monitor-user}
 monitor-password = $${publish:monitor-password}

-
 [monitor-instance-parameter]
 monitor-httpd-port = 8360
 #monitor-title = $${slap-parameter:name}

--- a/software/slaprunner/instance-runner.cfg
+++ b/software/slaprunner/instance-runner.cfg
@@ -6,14 +6,15 @@ parts =
  ca-nginx
  gunicorn-launcher
  gunicorn-graceful
-  sshkeys-dropbear-runner
-  dropbear-server-add-authorized-key
  sshkeys-authority
  publish-connection-information
  slaprunner-promise
  apache-httpd-promise
  slaprunner-supervisord-wrapper
-  dropbear-promise
+  runner-sshd
+  runner-sshd-add-authorized-key
+  runner-sshd-graceful
+  runner-sshd-promise
  runtestsuite
  symlinks
  shellinabox
@@ -133,13 +134,13 @@ working-directory = $${runnerdirectory:home}
 project-directory = $${runnerdirectory:project}
 instance_root = $${runnerdirectory:instance-root}
 software_root = $${runnerdirectory:software-root}
+ssh_client = ${openssh:location}/bin/ssh
+public_key = $${runner-sshd-key-authority:location}.pub
+private_key = $${runner-sshd-key-authority:location}
 instance-monitor-url = https://[$${:ipv6}]:$${monitor-parameters:port}
 etc_dir = $${directory:etc}
 log_dir =  $${directory:log}
 run_dir = $${directory:run}
-ssh_client = $${sshkeys-dropbear-runner:wrapper}
-public_key = $${sshkeys-dropbear-runner:public-key}
-private_key = $${sshkeys-dropbear-runner:private-key}
 ipv4 = $${slap-network-information:local-ipv4}
 ipv6 = $${slap-network-information:global-ipv6}
 instance_root = $${runnerdirectory:instance-root}
@@ -198,43 +199,48 @@ command-line = ${buildout:directory}/bin/slaprunnertest
 wrapper-path = $${directory:bin}/runTestSuite
 environment = RUNNER_CONFIG=$${slapos-cfg:rendered}

-# Deploy dropbear (minimalist SSH server)
-[sshkeys-directory]
-recipe = slapos.cookbook:mkdirectory
-requests = $${directory:sshkeys}/requests/
-keys = $${directory:sshkeys}/keys/
-
-[sshkeys-authority]
-recipe = slapos.cookbook:sshkeys_authority
-request-directory = $${sshkeys-directory:requests}
-keys-directory = $${sshkeys-directory:keys}
-wrapper = $${directory:services}/sshkeys_authority
-keygen-binary = ${dropbear:location}/bin/dropbearkey
-
-[dropbear-runner-server]
-recipe = slapos.cookbook:dropbear
-host = $${slap-network-information:global-ipv6}
-port = 22222
-home = $${buildout:directory}
-wrapper = $${directory:bin}/runner_sshd
-shell = ${bash:location}/bin/bash
-rsa-keyfile = $${directory:ssh}/server_key.rsa
-allow-port-forwarding = true
-dropbear-binary = ${dropbear:location}/sbin/dropbear
-
-[sshkeys-dropbear-runner]
-<= sshkeys-authority
-recipe = slapos.cookbook:sshkeys_authority.request
-name = dropbear
-type = rsa
-executable = $${dropbear-runner-server:wrapper}
-public-key = $${dropbear-runner-server:rsa-keyfile}.pub
-private-key = $${dropbear-runner-server:rsa-keyfile}
-wrapper = $${directory:services}/runner_sshd
-
-[dropbear-server-add-authorized-key]
-<= dropbear-runner-server
+# Deploy openssh-server
+[runner-sshd-key-authority]
+recipe = plone.recipe.command
+location = $${directory:sshkeys}/ssh_host_rsa_key
+command = if [ ! -f "$${:location}" ]; then ${openssh:location}/bin/ssh-keygen -t rsa -b 4096 -f "$${:location}" -N ''; fi
+
+[runner-sshd-port]
+recipe = slapos.cookbook:free_port
+minimum = 22222
+maximum = 22231
+ip = $${slap-network-information:global-ipv6}
+
+[runner-sshd-config]
+recipe = slapos.recipe.template:jinja2
+rendered = $${directory:etc}/runner-sshd.conf
+path_pid = $${directory:run}/runner-sshd.pid
+template = inline:
+  PidFile $${:path_pid}
+  Port $${runner-sshd-port:port}
+  ListenAddress $${slap-network-information:global-ipv6}
+  Protocol 2
+  UsePrivilegeSeparation no
+  HostKey $${runner-sshd-key-authority:location}
+  PasswordAuthentication no
+  PubkeyAuthentication yes
+  AuthorizedKeysFile $${buildout:directory}/.ssh/authorized_keys
+  ForceCommand if [ -z "$SSH_ORIGINAL_COMMAND" ]; then ${bash:location}/bin/bash -l; else $SSH_ORIGINAL_COMMAND; fi
+
+[runner-sshd]
+recipe = slapos.cookbook:wrapper
+command-line = ${openssh:location}/sbin/sshd -D -f $${runner-sshd-config:rendered}
+wrapper-path = $${directory:services}/runner-sshd
+environment = SHELL=${bash:location}/bin/bash
+
+[runner-sshd-graceful]
+recipe = slapos.cookbook:wrapper
+command-line = $${directory:bin}/killpidfromfile $${runner-sshd-config:path_pid} SIGHUP
+wrapper-path = $${directory:scripts}/runner-sshd-graceful
+
+[runner-sshd-add-authorized-key]
 recipe = slapos.cookbook:dropbear.add_authorized_key
+home = $${buildout:directory}
 key = $${slap-parameter:user-authorized-key}

 #---------------------------
@@ -494,7 +500,7 @@ recipe = slapos.cookbook:publish
 backend-url = $${slaprunner:access-url}
 init-user = $${runner-htpasswd:user}
 init-password = $${runner-htpasswd:password}
-ssh-command = ssh $${dropbear-runner-server:host} -p $${dropbear-runner-server:port}
+ssh-command = ssh $${environ:USER}@$${slap-network-information:global-ipv6} -p $${runner-sshd-port:port}
 git-public-url = https://[$${httpd-parameters:global_ip}]:$${httpd-parameters:global_port}/git-public/
 git-private-url = https://[$${httpd-parameters:global_ip}]:$${httpd-parameters:global_port}/git/
 monitor-base-url = $${publish:monitor-base-url}
@@ -526,11 +532,11 @@ path = $${directory:promises}/slaprunner
 hostname = $${slaprunner:ipv6}
 port = $${slaprunner:runner_port}

-[dropbear-promise]
+[runner-sshd-promise]
 recipe = slapos.cookbook:check_port_listening
-path = $${directory:promises}/dropbear
-hostname = $${dropbear-runner-server:host}
-port = $${dropbear-runner-server:port}
+path = $${directory:promises}/runner-sshd
+hostname = $${slap-network-information:global-ipv6}
+port = $${runner-sshd-port:port}

 [symlinks]
 recipe = cns.recipe.symlink