Skip to content

internal/*: drop merging authorized_keys.d into authorized_keys#751

Merged
bgilbert merged 3 commits intocoreos:masterfrom
rfairley:rfairley-drop-merging-authorized_keys_d
Mar 7, 2019
Merged

internal/*: drop merging authorized_keys.d into authorized_keys#751
bgilbert merged 3 commits intocoreos:masterfrom
rfairley:rfairley-drop-merging-authorized_keys_d

Conversation

@rfairley
Copy link
Copy Markdown
Contributor

@rfairley rfairley commented Feb 27, 2019
edited
Loading

Will rebase this PR once #749 is merged.

So far I have verified that the blackbox test works, and that the old blackbox test fails with the build flag
GLDFLAGS+="-X github.com/coreos/ignition/internal/distro.useAuthorizedKeysFile=true " (in ./build_blackbox_tests).

Still to do:

  • Verify in a built OS image that this works (with/without useAuthorizedKeysFile=true)
  • Add documentation mentioned in Drop merging of authorized_keys.d into authorized_keys #716
  • Thinking of adding a blackbox test with the distro.useAuthorizedKeysFile=true flag that checks that authorized_keys gets updated

Fixes: #716

@coreosbot
Copy link
Copy Markdown
Contributor

coreosbot commented Feb 27, 2019

Can one of the admins verify this patch?

@rfairley rfairley force-pushed the rfairley-drop-merging-authorized_keys_d branch from 594b5ff to 0fba9d2 Compare March 4, 2019 14:35
@rfairley
Copy link
Copy Markdown
Contributor Author

rfairley commented Mar 4, 2019
edited
Loading

Thinking of adding a blackbox test with the distro.useAuthorizedKeysFile=true flag that checks that authorized_keys gets updated

Hmm - finding it a bit tricky to add a test for this as writing to authorized_keys requires the linker flag setting which would need to be done in ./build_blackbox_tests. I wonder about setting distro.useAuthorizedKeysFile to "true" at runtime before executing a blackbox test, but distro.useAuthorizedKeysFile needs to be exported for that.

I think since Ignition v3 will support authorized_keys.d over authorized_keys (primarily), it should be sufficient having the blackbox test here which has been adjusted to check for the fragment in authorized_keys.d.

@rfairley rfairley changed the title [WIP] internal/*: drop merging authorized_keys.d into authorized_keys internal/*: drop merging authorized_keys.d into authorized_keys Mar 4, 2019
@rfairley
Copy link
Copy Markdown
Contributor Author

rfairley commented Mar 4, 2019

Ready for a review

bgilbert
bgilbert reviewed Mar 4, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@bgilbert bgilbert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should delete the authorized_keys_d code entirely. Ignition should be running before anything else has written keys to disk, so we should be able to completely clobber .ssh/authorized_keys if usedAuthorizedKeysFile is true.

Comment thread doc/configuration-v3_0-experimental.md Outdated
@bgilbert
Copy link
Copy Markdown
Contributor

bgilbert commented Mar 4, 2019

For the blackbox tests we could expose the option via an environment variable, the same as for systemConfigDir.

@rfairley rfairley mentioned this pull request Mar 4, 2019
Open
@rfairley rfairley changed the title internal/*: drop merging authorized_keys.d into authorized_keys [WIP]: internal/*: drop merging authorized_keys.d into authorized_keys Mar 4, 2019
@rfairley rfairley changed the title [WIP]: internal/*: drop merging authorized_keys.d into authorized_keys [WIP] internal/*: drop merging authorized_keys.d into authorized_keys Mar 4, 2019
@rfairley rfairley force-pushed the rfairley-drop-merging-authorized_keys_d branch 5 times, most recently from 0d927a0 to 6a6b24d Compare March 4, 2019 22:44
@rfairley
Copy link
Copy Markdown
Contributor Author

rfairley commented Mar 4, 2019

Made some edits:

  • Dropped the code in authorized_keys_d and brought as_user to the directory level above (I think the helper functions in as_user will still be needed, for writing the keyfile with the right uid/gid).
  • Made it so that if .ssh/authorized_keys is written, .ssh/authorized_keys.d/ignition is not. Would this behavior be preferred for distros that don't support authorized_keys.d? Thinking if merging doesn't need to be performed, then we can avoid having authorized_keys.d appear altogether.
  • Made distro.useAuthorizedKeysFile configurable with an environment variable. I did wonder about having this option be a path instead, i.e. distro.authorizedKeysFile. I can't think of any use case where any path other than authorized_key or authorized_keys.d/ignition are needed, but having it a path would simplify the logic in internal/exec/util/passwd.go (could just pass the given path into writeAuthKeysFile rather than have a conditional).

To do:

  • Add a blackbox test that uses IGNITION_USE_AUTHORIZED_KEYS_FILE=true. Will look into this tomorrow.

@rfairley rfairley force-pushed the rfairley-drop-merging-authorized_keys_d branch from 6a6b24d to 1abddeb Compare March 5, 2019 19:08
rfairley pushed a commit to rfairley/ignition that referenced this pull request Mar 5, 2019
tests: expose env vars through Test.IgnitionEnv
1072c86 
This allows individual tests to configure environment variables by
setting the IgnitionEnv member of types.Test. The TestIgnitionBlackBox
and TestIgnitionBlackBoxNegative functions may then append additional
environment variables during setup that apply to all tests.

Preparatory commit for adding a blackbox test in coreos#751.
@rfairley rfairley force-pushed the rfairley-drop-merging-authorized_keys_d branch from 1abddeb to 2a2461e Compare March 5, 2019 19:33
rfairley pushed a commit to rfairley/ignition that referenced this pull request Mar 5, 2019
tests: expose env vars through Test.IgnitionEnv
d156d49 
This allows individual tests to configure environment variables by
setting the IgnitionEnv member of types.Test. The TestIgnitionBlackBox
and TestIgnitionBlackBoxNegative functions may then append additional
environment variables during setup that apply to all tests.

Preparatory commit for adding a blackbox test in coreos#751.
@rfairley rfairley force-pushed the rfairley-drop-merging-authorized_keys_d branch 3 times, most recently from a0f3a1d to 46f711b Compare March 5, 2019 19:45
@rfairley
Copy link
Copy Markdown
Contributor Author

rfairley commented Mar 5, 2019

⬆ Pushed changes to add another blackbox test for .ssh/authorized_keys when IGNITION_USE_AUTHORIZED_KEYS_FILE=true. This adds IgnitionEnv as a member to types.Test. Also tidies up passwd.go a bit since removing authorized_keys_d.

Diff since the push yesterday: https://github.com/coreos/ignition/compare/6a6b24d5fffa0a957672c641a2361e730da11109..46f711b002e2ee7d988ccab6bac9ef1572477bef.

@arithx
Copy link
Copy Markdown
Contributor

arithx commented Mar 5, 2019

ok to test

@rfairley rfairley changed the title [WIP] internal/*: drop merging authorized_keys.d into authorized_keys internal/*: drop merging authorized_keys.d into authorized_keys Mar 5, 2019
@rfairley rfairley changed the title internal/*: drop merging authorized_keys.d into authorized_keys [[WIP] internal/*: drop merging authorized_keys.d into authorized_keys Mar 5, 2019
@rfairley rfairley changed the title [[WIP] internal/*: drop merging authorized_keys.d into authorized_keys [WIP] internal/*: drop merging authorized_keys.d into authorized_keys Mar 5, 2019
@rfairley rfairley changed the title [WIP] internal/*: drop merging authorized_keys.d into authorized_keys internal/*: drop merging authorized_keys.d into authorized_keys Mar 5, 2019
@rfairley
Copy link
Copy Markdown
Contributor Author

rfairley commented Mar 5, 2019

Lifted WIP - ready for another look.

For the distro-specific documentation part, should we handle that later in #649? (I left a comment there - so we won't forget). Or, I could get a doc started here in this PR, which #649 will add to/revise.

@bgilbert
Copy link
Copy Markdown
Contributor

bgilbert commented Mar 6, 2019

I'm okay handling the additional docs in #649.

bgilbert
bgilbert reviewed Mar 6, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@bgilbert bgilbert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM generally.

Comment thread tests/types/types.go Outdated
Comment thread internal/distro/distro.go Outdated
Comment thread internal/distro/distro.go Outdated
Comment thread tests/positive/passwd/users.go
@rfairley rfairley force-pushed the rfairley-drop-merging-authorized_keys_d branch from 46f711b to 4e06881 Compare March 6, 2019 18:18
rfairley pushed a commit to rfairley/ignition that referenced this pull request Mar 6, 2019
tests: expose env vars through Test.IgnitionEnv
ca68e48 
This allows individual tests to configure environment variables by
setting the IgnitionEnv member of types.Test. The TestIgnitionBlackBox
and TestIgnitionBlackBoxNegative functions may then append additional
environment variables during setup that apply to all tests.

Preparatory commit for adding a blackbox test in coreos#751.
@rfairley rfairley force-pushed the rfairley-drop-merging-authorized_keys_d branch from 4e06881 to 166a00c Compare March 6, 2019 18:20
rfairley pushed a commit to rfairley/ignition that referenced this pull request Mar 6, 2019
tests: expose env vars through Test.Env
308cb3e 
This allows individual tests to configure environment variables by
setting the Env member of types.Test. The TestIgnitionBlackBox
and TestIgnitionBlackBoxNegative functions may then append additional
environment variables during setup that apply to all tests.

Preparatory commit for adding a blackbox test in coreos#751.
ajeddeloh
ajeddeloh reviewed Mar 6, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@ajeddeloh ajeddeloh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with the changes @bgilbert suggested. We typically put tests in their own commit.

Comment thread tests/positive/passwd/users.go Outdated
Comment thread tests/positive/passwd/users.go Outdated
@rfairley rfairley force-pushed the rfairley-drop-merging-authorized_keys_d branch from 166a00c to 61eb130 Compare March 6, 2019 18:52
rfairley pushed a commit to rfairley/ignition that referenced this pull request Mar 6, 2019
tests/*: expose env vars through Test.Env
5cbabb9 
This allows individual tests to configure environment variables by
setting the Env member of types.Test. The TestIgnitionBlackBox
and TestIgnitionBlackBoxNegative functions may then append additional
environment variables during setup that apply to all tests.

Preparatory commit for adding a blackbox test in coreos#751.
@rfairley rfairley force-pushed the rfairley-drop-merging-authorized_keys_d branch from 61eb130 to 57e19f7 Compare March 6, 2019 18:58
rfairley pushed a commit to rfairley/ignition that referenced this pull request Mar 6, 2019
tests/*: expose env vars through Test.Env
fd2cef3 
This allows individual tests to configure environment variables by
setting the Env member of types.Test. The TestIgnitionBlackBox
and TestIgnitionBlackBoxNegative functions may then append additional
environment variables during setup that apply to all tests.

Preparatory commit for adding a blackbox test in coreos#751.
@rfairley
Copy link
Copy Markdown
Contributor Author

rfairley commented Mar 6, 2019

Updated! I split the added test into its own commit - which also updates the existing AddPasswdUsers test to set the environment variable in the same commit.

ajeddeloh
ajeddeloh approved these changes Mar 6, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@ajeddeloh ajeddeloh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rfairley
Copy link
Copy Markdown
Contributor Author

rfairley commented Mar 6, 2019

Hmm - failure just seems to be from the gofmt. Thinking it wants to indent the function due to the line length. Any way to disable/configure gofmt to not consider that a failure? Having the one-line function body is neater. https://travis-ci.org/coreos/ignition/jobs/502719646#L603

@ajeddeloh
Copy link
Copy Markdown
Contributor

ajeddeloh commented Mar 6, 2019

I'd say go with gofmt in this case, it is quite a long line otherwise.

@rfairley rfairley force-pushed the rfairley-drop-merging-authorized_keys_d branch from 57e19f7 to 0460eb0 Compare March 6, 2019 19:15
rfairley pushed a commit to rfairley/ignition that referenced this pull request Mar 6, 2019
tests/*: expose env vars through Test.Env
a931d0d 
This allows individual tests to configure environment variables by
setting the Env member of types.Test. The TestIgnitionBlackBox
and TestIgnitionBlackBoxNegative functions may then append additional
environment variables during setup that apply to all tests.

Preparatory commit for adding a blackbox test in coreos#751.
Robert Fairley added 3 commits March 6, 2019 14:16
internal/*: drop merging authorized_keys.d into authorized_keys
6b434dd 
This drops the authorized_keys_d code, having Ignition directly
write SSH keys to a keyfile. By default, Ignition writes the
fragment to .ssh/authorized_keys.d/ignition.

Setting the flag distro.writeAuthorizedKeysFragment to "false" (through
the environment variable IGNITION_WRITE_AUTHORIZED_KEYS_FRAGMENT) causes
Ignition to write the SSH keys to .ssh/authorized_keys. Distributions
that do not read fragments from .ssh/authorized_keys.d can then instead
read from .ssh/authorized_keys.

Fixes: coreos#716
tests/*: expose env vars through Test.Env
f167d03 
This allows individual tests to configure environment variables by
setting the Env member of types.Test. The TestIgnitionBlackBox
and TestIgnitionBlackBoxNegative functions may then append additional
environment variables during setup that apply to all tests.

Preparatory commit for adding a blackbox test in coreos#751.
tests/positive/passwd: add test UseAuthorizedKeysFile
f89ffe2 
Add a blackbox test to verify that ~/.ssh/authorized_keys is written
when IGNITION_WRITE_AUTHORIZED_KEYS_FRAGMENT=false.

Also updates the existing test AddPasswdUsers to use the environment
variable IGNITION_WRITE_AUTHORIZED_KEYS_FRAGMENT=true so that
the test will pass consistently if the binary is built with a
non-default writeAuthorizedKeysFragment flag.
@rfairley rfairley force-pushed the rfairley-drop-merging-authorized_keys_d branch from 0460eb0 to f89ffe2 Compare March 6, 2019 19:16
@rfairley
Copy link
Copy Markdown
Contributor Author

rfairley commented Mar 6, 2019

Fixed! (had committed but forgot to squash it into 6b434dd just then). Should be good now.

ajeddeloh
ajeddeloh approved these changes Mar 6, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@ajeddeloh ajeddeloh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bgilbert
Copy link
Copy Markdown
Contributor

bgilbert commented Mar 7, 2019

@rfairley Good to merge?

@rfairley
Copy link
Copy Markdown
Contributor Author

rfairley commented Mar 7, 2019

@bgilbert Good to merge!

@bgilbert bgilbert merged commit 6d56258 into coreos:master Mar 7, 2019
@rfairley rfairley deleted the rfairley-drop-merging-authorized_keys_d branch March 7, 2019 21:38
@vrutkovs vrutkovs mentioned this pull request Feb 16, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@bgilbert bgilbert bgilbert approved these changes

@ajeddeloh ajeddeloh ajeddeloh approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@rfairley @coreosbot @bgilbert @arithx @ajeddeloh