From 800e17dace462f8c78dde83458d97e7d8edcb8b1 Mon Sep 17 00:00:00 2001
From: Andrew Battat
Date: Tue, 21 Jan 2025 20:40:28 +0000
Subject: [PATCH 1/7] Rename setup-ssh-user-keys
---
 ic-os/boundary-guestos/docs/Boot.adoc | 2 +-
 ic-os/components/boundary-guestos.bzl | 4 ++--
 .../etc/systemd/system/bootstrap-ic-node.service | 4 ++--
 .../etc/systemd/system/setup-ssh-account-keys.service | 2 +-
 ic-os/components/guestos.bzl | 4 ++--
 ic-os/components/hostos.bzl | 4 ++--
 .../init/bootstrap-ic-node/bootstrap-ic-node.service | 4 ++--
 .../deploy-updated-ssh-account-keys.service | 4 ++--
 .../setup-ssh-user-keys.service} | 2 +-
 .../setup-ssh-user-keys.sh} | 0
 ic-os/guestos/docs/Boot.adoc | 4 ++--
 11 files changed, 17 insertions(+), 17 deletions(-)
 rename ic-os/components/ssh/{setup-ssh-account-keys/setup-ssh-account-keys.service => setup-ssh-user-keys/setup-ssh-user-keys.service} (90%)
 rename ic-os/components/ssh/{setup-ssh-account-keys/setup-ssh-account-keys.sh => setup-ssh-user-keys/setup-ssh-user-keys.sh} (100%)
diff --git a/ic-os/boundary-guestos/docs/Boot.adoc b/ic-os/boundary-guestos/docs/Boot.adoc
index 7080e087e8e..f733bfee990 100644
--- a/ic-os/boundary-guestos/docs/Boot.adoc
+++ b/ic-os/boundary-guestos/docs/Boot.adoc
@@ -85,7 +85,7 @@ files in the `config` partition as well as payload store are created.
 == Set up ssh account keys
-Service: `setup-ssh-account-keys.services`, script `/opt/ic/bin/setup-ssh-account-keys.sh`.
+Service: `setup-ssh-user-keys.services`, script `/opt/ic/bin/setup-ssh-user-keys.sh`.
 Depends on `bootstrap-ic-node.service`.
 The `authorized_keys` files for the role accounts are taken from the
diff --git a/ic-os/components/boundary-guestos.bzl b/ic-os/components/boundary-guestos.bzl
index c77f1564c62..c50bc72457b 100644
--- a/ic-os/components/boundary-guestos.bzl
+++ b/ic-os/components/boundary-guestos.bzl
@@ -56,7 +56,7 @@ component_files = {
 Label("boundary-guestos/etc/systemd/system/setup-ic-gateway.service"): "/etc/systemd/system/setup-ic-gateway.service",
 Label("boundary-guestos/etc/systemd/system/setup-lvs.service"): "/etc/systemd/system/setup-lvs.service",
 Label("boundary-guestos/etc/systemd/system/setup-nftables.service"): "/etc/systemd/system/setup-nftables.service",
- Label("boundary-guestos/etc/systemd/system/setup-ssh-account-keys.service"): "/etc/systemd/system/setup-ssh-account-keys.service",
+ Label("boundary-guestos/etc/systemd/system/setup-ssh-user-keys.service"): "/etc/systemd/system/setup-ssh-user-keys.service",
 Label("boundary-guestos/etc/systemd/system/setup-ssh-keys.service"): "/etc/systemd/system/setup-ssh-keys.service",
 Label("boundary-guestos/etc/systemd/system/setup-var-log.service"): "/etc/systemd/system/setup-var-log.service",
 Label("boundary-guestos/etc/systemd/system/setup-vector.service"): "/etc/systemd/system/setup-vector.service",
@@ -86,7 +86,7 @@ component_files = {
 Label("boundary-guestos/opt/ic/bin/setup-ic-gateway.sh"): "/opt/ic/bin/setup-ic-gateway.sh",
 Label("boundary-guestos/opt/ic/bin/setup-lvs.sh"): "/opt/ic/bin/setup-lvs.sh",
 Label("boundary-guestos/opt/ic/bin/setup-nftables.sh"): "/opt/ic/bin/setup-nftables.sh",
- Label("boundary-guestos/opt/ic/bin/setup-ssh-account-keys.sh"): "/opt/ic/bin/setup-ssh-account-keys.sh",
+ Label("boundary-guestos/opt/ic/bin/setup-ssh-user-keys.sh"): "/opt/ic/bin/setup-ssh-user-keys.sh",
 Label("boundary-guestos/opt/ic/bin/setup-ssh-keys.sh"): "/opt/ic/bin/setup-ssh-keys.sh",
 Label("boundary-guestos/opt/ic/bin/setup-var-encryption.sh"): "/opt/ic/bin/setup-var-encryption.sh",
 Label("boundary-guestos/opt/ic/bin/setup-var-log.sh"): "/opt/ic/bin/setup-var-log.sh",
diff --git a/ic-os/components/boundary-guestos/etc/systemd/system/bootstrap-ic-node.service b/ic-os/components/boundary-guestos/etc/systemd/system/bootstrap-ic-node.service
index 83a8a65fa51..1cf204ffc21 100644
--- a/ic-os/components/boundary-guestos/etc/systemd/system/bootstrap-ic-node.service
+++ b/ic-os/components/boundary-guestos/etc/systemd/system/bootstrap-ic-node.service
@@ -2,11 +2,11 @@ Description=Bootstrap the IC node
 Requires=var-log.mount
 After=var-log.mount
-Before=setup-ssh-account-keys.service
+Before=setup-ssh-user-keys.service
 [Install]
 WantedBy=multi-user.target
-RequiredBy=setup-ssh-account-keys.service
+RequiredBy=setup-ssh-user-keys.service
 [Service]
 Type=oneshot
diff --git a/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-account-keys.service b/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-account-keys.service
index 2a862b3f2c4..bd7c003ac40 100644
--- a/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-account-keys.service
+++ b/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-account-keys.service
@@ -9,7 +9,7 @@ WantedBy=multi-user.target
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/opt/ic/bin/setup-ssh-account-keys.sh
+ExecStart=/opt/ic/bin/setup-ssh-user-keys.sh
 # All services that networking depends on log their outputs to the console
 # and are piped to the host terminal if the verbose flag is enabled.
diff --git a/ic-os/components/guestos.bzl b/ic-os/components/guestos.bzl
index 5efa43fad2a..a0e4d1542dc 100644
--- a/ic-os/components/guestos.bzl
+++ b/ic-os/components/guestos.bzl
@@ -142,8 +142,8 @@ component_files = {
 Label("ssh/provision-ssh-keys.sh"): "/opt/ic/bin/provision-ssh-keys.sh",
 Label("ssh/setup-ssh-keys/setup-ssh-keys.sh"): "/opt/ic/bin/setup-ssh-keys.sh",
 Label("ssh/setup-ssh-keys/setup-ssh-keys.service"): "/etc/systemd/system/setup-ssh-keys.service",
- Label("ssh/setup-ssh-account-keys/setup-ssh-account-keys.sh"): "/opt/ic/bin/setup-ssh-account-keys.sh",
- Label("ssh/setup-ssh-account-keys/setup-ssh-account-keys.service"): "/etc/systemd/system/setup-ssh-account-keys.service",
+ Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.sh"): "/opt/ic/bin/setup-ssh-user-keys.sh",
+ Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.service"): "/etc/systemd/system/setup-ssh-user-keys.service",
 Label("ssh/read-ssh-keys.sh"): "/opt/ic/bin/read-ssh-keys.sh",
 # upgrade
diff --git a/ic-os/components/hostos.bzl b/ic-os/components/hostos.bzl
index b41fe465e17..e531122eee7 100644
--- a/ic-os/components/hostos.bzl
+++ b/ic-os/components/hostos.bzl
@@ -87,8 +87,8 @@ component_files = {
 # ssh
 Label("ssh/setup-ssh-keys/setup-ssh-keys.sh"): "/opt/ic/bin/setup-ssh-keys.sh",
 Label("ssh/setup-ssh-keys/setup-ssh-keys.service"): "/etc/systemd/system/setup-ssh-keys.service",
- Label("ssh/setup-ssh-account-keys/setup-ssh-account-keys.sh"): "/opt/ic/bin/setup-ssh-account-keys.sh",
- Label("ssh/setup-ssh-account-keys/setup-ssh-account-keys.service"): "/etc/systemd/system/setup-ssh-account-keys.service",
+ Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.sh"): "/opt/ic/bin/setup-ssh-user-keys.sh",
+ Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.service"): "/etc/systemd/system/setup-ssh-user-keys.service",
 Label("ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh"): "/opt/ic/bin/deploy-updated-ssh-account-keys.sh",
 Label("ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service"): "/etc/systemd/system/deploy-updated-ssh-account-keys.service",
diff --git a/ic-os/components/init/bootstrap-ic-node/bootstrap-ic-node.service b/ic-os/components/init/bootstrap-ic-node/bootstrap-ic-node.service
index 78c040b79ce..055d549b920 100644
--- a/ic-os/components/init/bootstrap-ic-node/bootstrap-ic-node.service
+++ b/ic-os/components/init/bootstrap-ic-node/bootstrap-ic-node.service
@@ -7,11 +7,11 @@ Requires=var-lib-ic-crypto.mount
 After=var-lib-ic-crypto.mount
 Requires=var-lib-ic-backup.mount
 After=var-lib-ic-backup.mount
-Before=setup-ssh-account-keys.service
+Before=setup-ssh-user-keys.service
 [Install]
 WantedBy=multi-user.target
-RequiredBy=setup-ssh-account-keys.service
+RequiredBy=setup-ssh-user-keys.service
 [Service]
 Type=oneshot
diff --git a/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service b/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service
index cc1b47ef93e..414a1a85382 100644
--- a/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service
+++ b/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Update ssh account keys
-Before=setup-ssh-account-keys.service
+Before=setup-ssh-user-keys.service
 [Service]
 Type=oneshot
@@ -8,5 +8,5 @@ RemainAfterExit=true
 ExecStart=/opt/ic/bin/deploy-updated-ssh-account-keys.sh
 [Install]
-RequiredBy=setup-ssh-account-keys.service
+RequiredBy=setup-ssh-user-keys.service
 WantedBy=multi-user.target
diff --git a/ic-os/components/ssh/setup-ssh-account-keys/setup-ssh-account-keys.service b/ic-os/components/ssh/setup-ssh-user-keys/setup-ssh-user-keys.service
similarity index 90%
rename from ic-os/components/ssh/setup-ssh-account-keys/setup-ssh-account-keys.service
rename to ic-os/components/ssh/setup-ssh-user-keys/setup-ssh-user-keys.service
index 2a862b3f2c4..bd7c003ac40 100644
--- a/ic-os/components/ssh/setup-ssh-account-keys/setup-ssh-account-keys.service
+++ b/ic-os/components/ssh/setup-ssh-user-keys/setup-ssh-user-keys.service
@@ -9,7 +9,7 @@ WantedBy=multi-user.target
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/opt/ic/bin/setup-ssh-account-keys.sh
+ExecStart=/opt/ic/bin/setup-ssh-user-keys.sh
 # All services that networking depends on log their outputs to the console
 # and are piped to the host terminal if the verbose flag is enabled.
diff --git a/ic-os/components/ssh/setup-ssh-account-keys/setup-ssh-account-keys.sh b/ic-os/components/ssh/setup-ssh-user-keys/setup-ssh-user-keys.sh
similarity index 100%
rename from ic-os/components/ssh/setup-ssh-account-keys/setup-ssh-account-keys.sh
rename to ic-os/components/ssh/setup-ssh-user-keys/setup-ssh-user-keys.sh
diff --git a/ic-os/guestos/docs/Boot.adoc b/ic-os/guestos/docs/Boot.adoc
index bffa12bce7e..dda4ac3dcc3 100644
--- a/ic-os/guestos/docs/Boot.adoc
+++ b/ic-os/guestos/docs/Boot.adoc
@@ -173,7 +173,7 @@ payload store are created.
 == Deploy updated ssh account keys
 Service: +deploy-updated-ssh-account-keys.service+, +deploy-updated-ssh-account-keys.sh+.
-Depends on +bootstrap-ic-node.service+, runs before +setup-ssh-account-keys.service+.
+Depends on +bootstrap-ic-node.service+, runs before +setup-ssh-user-keys.service+.
 Changes the keys held in the +config+ partition for the +backup+ and +readonly+ user.
 This is a work-around due to not having a key management solution that updated keys are
@@ -181,7 +181,7 @@ deployed via system upgrades.
 == Set up ssh account keys
-Service: +setup-ssh-account-keys.services+, script +/opt/ic/bin/setup-ssh-account-keys.sh+.
+Service: +setup-ssh-user-keys.services+, script +/opt/ic/bin/setup-ssh-user-keys.sh+.
 Depends on +bootstrap-ic-node.service+.
 The +authorized_keys+ files for the role accounts are taken from the
From f9e34567047da6f49f05cd79e8008b686fcc125c Mon Sep 17 00:00:00 2001
From: Andrew Battat
Date: Tue, 21 Jan 2025 20:44:41 +0000
Subject: [PATCH 2/7] Rename generate-host-ssh-keys
---
 ic-os/boundary-guestos/context/README.adoc | 2 +-
 ic-os/boundary-guestos/docs/Boot.adoc | 2 +-
 ic-os/components/boundary-guestos.bzl | 4 ++--
 .../etc/systemd/system/setup-ssh-keys.service | 2 +-
 ic-os/components/guestos.bzl | 4 ++--
 ic-os/components/hostos.bzl | 4 ++--
 ic-os/components/init/README.adoc | 2 +-
 .../generate-host-ssh-keys.service} | 2 +-
 .../generate-host-ssh-keys.sh} | 0
 ic-os/guestos/docs/Boot.adoc | 2 +-
 10 files changed, 12 insertions(+), 12 deletions(-)
 rename ic-os/components/ssh/{setup-ssh-keys/setup-ssh-keys.service => generate-host-ssh-keys/generate-host-ssh-keys.service} (84%)
 rename ic-os/components/ssh/{setup-ssh-keys/setup-ssh-keys.sh => generate-host-ssh-keys/generate-host-ssh-keys.sh} (100%)
diff --git a/ic-os/boundary-guestos/context/README.adoc b/ic-os/boundary-guestos/context/README.adoc
index a235505e96c..6de8f7c3d5a 100644
--- a/ic-os/boundary-guestos/context/README.adoc
+++ b/ic-os/boundary-guestos/context/README.adoc
@@ -46,7 +46,7 @@ serve as a guide on how to add further actions.
 === ssh key generation
-The `setup-ssh-keys` (and corresponding shell script) service performs one of
+The `generate-host-ssh-keys` (and corresponding shell script) service performs one of
 two things: If this is the first boot ever (on a newly installed system), it generates ssh keys and stashes them away in a location that is preserved across reboots and in the future upgrades.
diff --git a/ic-os/boundary-guestos/docs/Boot.adoc b/ic-os/boundary-guestos/docs/Boot.adoc
index f733bfee990..20749c09e96 100644
--- a/ic-os/boundary-guestos/docs/Boot.adoc
+++ b/ic-os/boundary-guestos/docs/Boot.adoc
@@ -53,7 +53,7 @@ Relevant information can be found in the guestos link:../../guestos/docs/Boot.ad
 == Set up ssh host keys
-Service: `setup-ssh-keys.service`, script: `/opt/ic/bin/setup-ssh-keys.sh`,
+Service: `generate-host-ssh-keys.service`, script: `/opt/ic/bin/generate-host-ssh-keys.sh`,
 depends on `/boot/config` mount.
 This checks if ssh host keys for the system exist in the `config` partition
diff --git a/ic-os/components/boundary-guestos.bzl b/ic-os/components/boundary-guestos.bzl
index c50bc72457b..3019d8fc082 100644
--- a/ic-os/components/boundary-guestos.bzl
+++ b/ic-os/components/boundary-guestos.bzl
@@ -57,7 +57,7 @@ component_files = {
 Label("boundary-guestos/etc/systemd/system/setup-lvs.service"): "/etc/systemd/system/setup-lvs.service",
 Label("boundary-guestos/etc/systemd/system/setup-nftables.service"): "/etc/systemd/system/setup-nftables.service",
 Label("boundary-guestos/etc/systemd/system/setup-ssh-user-keys.service"): "/etc/systemd/system/setup-ssh-user-keys.service",
- Label("boundary-guestos/etc/systemd/system/setup-ssh-keys.service"): "/etc/systemd/system/setup-ssh-keys.service",
+ Label("boundary-guestos/etc/systemd/system/generate-host-ssh-keys.service"): "/etc/systemd/system/generate-host-ssh-keys.service",
 Label("boundary-guestos/etc/systemd/system/setup-var-log.service"): "/etc/systemd/system/setup-var-log.service",
 Label("boundary-guestos/etc/systemd/system/setup-vector.service"): "/etc/systemd/system/setup-vector.service",
 Label("boundary-guestos/etc/systemd/system/setup-version-metric.service"): "/etc/systemd/system/setup-version-metric.service",
@@ -87,7 +87,7 @@ component_files = {
 Label("boundary-guestos/opt/ic/bin/setup-lvs.sh"): "/opt/ic/bin/setup-lvs.sh",
 Label("boundary-guestos/opt/ic/bin/setup-nftables.sh"): "/opt/ic/bin/setup-nftables.sh",
 Label("boundary-guestos/opt/ic/bin/setup-ssh-user-keys.sh"): "/opt/ic/bin/setup-ssh-user-keys.sh",
- Label("boundary-guestos/opt/ic/bin/setup-ssh-keys.sh"): "/opt/ic/bin/setup-ssh-keys.sh",
+ Label("boundary-guestos/opt/ic/bin/generate-host-ssh-keys.sh"): "/opt/ic/bin/generate-host-ssh-keys.sh",
 Label("boundary-guestos/opt/ic/bin/setup-var-encryption.sh"): "/opt/ic/bin/setup-var-encryption.sh",
 Label("boundary-guestos/opt/ic/bin/setup-var-log.sh"): "/opt/ic/bin/setup-var-log.sh",
 Label("boundary-guestos/opt/ic/bin/setup-vector.sh"): "/opt/ic/bin/setup-vector.sh",
diff --git a/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-keys.service b/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-keys.service
index b96b685dee3..fc87e3faf42 100644
--- a/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-keys.service
+++ b/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-keys.service
@@ -8,7 +8,7 @@ Before=ssh.service
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/opt/ic/bin/setup-ssh-keys.sh
+ExecStart=/opt/ic/bin/generate-host-ssh-keys.sh
 [Install]
 WantedBy=multi-user.target
diff --git a/ic-os/components/guestos.bzl b/ic-os/components/guestos.bzl
index a0e4d1542dc..ee80623a666 100644
--- a/ic-os/components/guestos.bzl
+++ b/ic-os/components/guestos.bzl
@@ -140,8 +140,8 @@ component_files = {
 # ssh
 Label("ssh/provision-ssh-keys.sh"): "/opt/ic/bin/provision-ssh-keys.sh",
- Label("ssh/setup-ssh-keys/setup-ssh-keys.sh"): "/opt/ic/bin/setup-ssh-keys.sh",
- Label("ssh/setup-ssh-keys/setup-ssh-keys.service"): "/etc/systemd/system/setup-ssh-keys.service",
+ Label("ssh/generate-host-ssh-keys/generate-host-ssh-keys.sh"): "/opt/ic/bin/generate-host-ssh-keys.sh",
+ Label("ssh/generate-host-ssh-keys/generate-host-ssh-keys.service"): "/etc/systemd/system/generate-host-ssh-keys.service",
 Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.sh"): "/opt/ic/bin/setup-ssh-user-keys.sh",
 Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.service"): "/etc/systemd/system/setup-ssh-user-keys.service",
 Label("ssh/read-ssh-keys.sh"): "/opt/ic/bin/read-ssh-keys.sh",
diff --git a/ic-os/components/hostos.bzl b/ic-os/components/hostos.bzl
index e531122eee7..1f42a3d5635 100644
--- a/ic-os/components/hostos.bzl
+++ b/ic-os/components/hostos.bzl
@@ -85,8 +85,8 @@ component_files = {
 Label("networking/hosts"): "/etc/hosts",
 # ssh
- Label("ssh/setup-ssh-keys/setup-ssh-keys.sh"): "/opt/ic/bin/setup-ssh-keys.sh",
- Label("ssh/setup-ssh-keys/setup-ssh-keys.service"): "/etc/systemd/system/setup-ssh-keys.service",
+ Label("ssh/generate-host-ssh-keys/generate-host-ssh-keys.sh"): "/opt/ic/bin/generate-host-ssh-keys.sh",
+ Label("ssh/generate-host-ssh-keys/generate-host-ssh-keys.service"): "/etc/systemd/system/generate-host-ssh-keys.service",
 Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.sh"): "/opt/ic/bin/setup-ssh-user-keys.sh",
 Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.service"): "/etc/systemd/system/setup-ssh-user-keys.service",
 Label("ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh"): "/opt/ic/bin/deploy-updated-ssh-account-keys.sh",
diff --git a/ic-os/components/init/README.adoc b/ic-os/components/init/README.adoc
index d7daa555fe6..5b79ee3587c 100644
--- a/ic-os/components/init/README.adoc
+++ b/ic-os/components/init/README.adoc
@@ -6,7 +6,7 @@ serve as a guide on how to add further actions.
 == ssh key generation
-The +ssh/setup-ssh-keys+ (and corresponding shell script) service performs one of
+The +ssh/generate-host-ssh-keys+ (and corresponding shell script) service performs one of
 two things: If this is the first boot ever (on a newly installed system), it generates ssh keys and stashes them away in a location that is preserved across upgrades. On first boot after an upgrade, it integrates the keys from their
diff --git a/ic-os/components/ssh/setup-ssh-keys/setup-ssh-keys.service b/ic-os/components/ssh/generate-host-ssh-keys/generate-host-ssh-keys.service
similarity index 84%
rename from ic-os/components/ssh/setup-ssh-keys/setup-ssh-keys.service
rename to ic-os/components/ssh/generate-host-ssh-keys/generate-host-ssh-keys.service
index b96b685dee3..fc87e3faf42 100644
--- a/ic-os/components/ssh/setup-ssh-keys/setup-ssh-keys.service
+++ b/ic-os/components/ssh/generate-host-ssh-keys/generate-host-ssh-keys.service
@@ -8,7 +8,7 @@ Before=ssh.service
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/opt/ic/bin/setup-ssh-keys.sh
+ExecStart=/opt/ic/bin/generate-host-ssh-keys.sh
 [Install]
 WantedBy=multi-user.target
diff --git a/ic-os/components/ssh/setup-ssh-keys/setup-ssh-keys.sh b/ic-os/components/ssh/generate-host-ssh-keys/generate-host-ssh-keys.sh
similarity index 100%
rename from ic-os/components/ssh/setup-ssh-keys/setup-ssh-keys.sh
rename to ic-os/components/ssh/generate-host-ssh-keys/generate-host-ssh-keys.sh
diff --git a/ic-os/guestos/docs/Boot.adoc b/ic-os/guestos/docs/Boot.adoc
index dda4ac3dcc3..d3b7ab1f4f7 100644
--- a/ic-os/guestos/docs/Boot.adoc
+++ b/ic-os/guestos/docs/Boot.adoc
@@ -111,7 +111,7 @@ system will set up its own +/var+ filesystem correctly again.
 == Set up ssh host keys
-Service: +setup-ssh-keys.service+, script: +/opt/ic/bin/setup-ssh-keys.sh+,
+Service: +generate-host-ssh-keys.service+, script: +/opt/ic/bin/generate-host-ssh-keys.sh+,
 depends on +/boot/config+ mount.
 This checks if ssh host keys for the system exist in the +config+ partition
From b49c0f41543228c8373fdd9775dabb9639b781c4 Mon Sep 17 00:00:00 2001
From: Andrew Battat
Date: Tue, 21 Jan 2025 21:40:57 +0000
Subject: [PATCH 3/7] Fix boundary node name references
---
 .../{setup-ssh-keys.service => generate-host-ssh-keys.service} | 0
 ...setup-ssh-account-keys.service => setup-ssh-user-keys.service} | 0
 .../opt/ic/bin/{setup-ssh-keys.sh => generate-host-ssh-keys.sh} | 0
 .../ic/bin/{setup-ssh-account-keys.sh => setup-ssh-user-keys.sh} | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename ic-os/components/boundary-guestos/etc/systemd/system/{setup-ssh-keys.service => generate-host-ssh-keys.service} (100%)
 rename ic-os/components/boundary-guestos/etc/systemd/system/{setup-ssh-account-keys.service => setup-ssh-user-keys.service} (100%)
 rename ic-os/components/boundary-guestos/opt/ic/bin/{setup-ssh-keys.sh => generate-host-ssh-keys.sh} (100%)
 rename ic-os/components/boundary-guestos/opt/ic/bin/{setup-ssh-account-keys.sh => setup-ssh-user-keys.sh} (100%)
diff --git a/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-keys.service b/ic-os/components/boundary-guestos/etc/systemd/system/generate-host-ssh-keys.service
similarity index 100%
rename from ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-keys.service
rename to ic-os/components/boundary-guestos/etc/systemd/system/generate-host-ssh-keys.service
diff --git a/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-account-keys.service b/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-user-keys.service
similarity index 100%
rename from ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-account-keys.service
rename to ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-user-keys.service
diff --git a/ic-os/components/boundary-guestos/opt/ic/bin/setup-ssh-keys.sh b/ic-os/components/boundary-guestos/opt/ic/bin/generate-host-ssh-keys.sh
similarity index 100%
rename from ic-os/components/boundary-guestos/opt/ic/bin/setup-ssh-keys.sh
rename to ic-os/components/boundary-guestos/opt/ic/bin/generate-host-ssh-keys.sh
diff --git a/ic-os/components/boundary-guestos/opt/ic/bin/setup-ssh-account-keys.sh b/ic-os/components/boundary-guestos/opt/ic/bin/setup-ssh-user-keys.sh
similarity index 100%
rename from ic-os/components/boundary-guestos/opt/ic/bin/setup-ssh-account-keys.sh
rename to ic-os/components/boundary-guestos/opt/ic/bin/setup-ssh-user-keys.sh
From a88420cafb345a4ae9df73a0003652b80fbe04d9 Mon Sep 17 00:00:00 2001
From: Andrew Battat
Date: Tue, 21 Jan 2025 22:05:46 +0000
Subject: [PATCH 4/7] Rename deploy-update-ssh-user-keys
---
 ic-os/components/hostos.bzl | 4 ++--
 .../deploy-updated-ssh-user-keys.service} | 4 ++--
 .../deploy-updated-ssh-user-keys.sh} | 0
 3 files changed, 4 insertions(+), 4 deletions(-)
 rename ic-os/components/ssh/{deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service => deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.service} (63%)
 rename ic-os/components/ssh/{deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh => deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.sh} (100%)
diff --git a/ic-os/components/hostos.bzl b/ic-os/components/hostos.bzl
index 1f42a3d5635..a01836c78c6 100644
--- a/ic-os/components/hostos.bzl
+++ b/ic-os/components/hostos.bzl
@@ -89,8 +89,8 @@ component_files = {
 Label("ssh/generate-host-ssh-keys/generate-host-ssh-keys.service"): "/etc/systemd/system/generate-host-ssh-keys.service",
 Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.sh"): "/opt/ic/bin/setup-ssh-user-keys.sh",
 Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.service"): "/etc/systemd/system/setup-ssh-user-keys.service",
- Label("ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh"): "/opt/ic/bin/deploy-updated-ssh-account-keys.sh",
- Label("ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service"): "/etc/systemd/system/deploy-updated-ssh-account-keys.service",
+ Label("ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.sh"): "/opt/ic/bin/deploy-updated-ssh-user-keys.sh",
+ Label("ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.service"): "/etc/systemd/system/deploy-updated-ssh-user-keys.service",
 # upgrade
 Label("upgrade/manageboot/manageboot.sh"): "/opt/ic/bin/manageboot.sh",
diff --git a/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service b/ic-os/components/ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.service
similarity index 63%
rename from ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service
rename to ic-os/components/ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.service
index 414a1a85382..8f24d408a0c 100644
--- a/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service
+++ b/ic-os/components/ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.service
@@ -1,11 +1,11 @@
 [Unit]
-Description=Update ssh account keys
+Description=Update ssh user keys
 Before=setup-ssh-user-keys.service
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/opt/ic/bin/deploy-updated-ssh-account-keys.sh
+ExecStart=/opt/ic/bin/deploy-updated-ssh-user-keys.sh
 [Install]
 RequiredBy=setup-ssh-user-keys.service
diff --git a/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh b/ic-os/components/ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.sh
similarity index 100%
rename from ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh
rename to ic-os/components/ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.sh
From 64a2234a45f52336225aebaefcdaddae95321311 Mon Sep 17 00:00:00 2001
From: Andrew Battat
Date: Tue, 21 Jan 2025 22:06:00 +0000
Subject: [PATCH 5/7] Fix outstanding comments
---
 ic-os/boundary-guestos/docs/Boot.adoc | 4 ++--
 .../etc/systemd/system/setup-ssh-user-keys.service | 2 +-
 .../ssh/setup-ssh-user-keys/setup-ssh-user-keys.service | 2 +-
 ic-os/guestos/docs/Boot.adoc | 8 ++++----
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/ic-os/boundary-guestos/docs/Boot.adoc b/ic-os/boundary-guestos/docs/Boot.adoc
index 20749c09e96..07e7d4cc5ff 100644
--- a/ic-os/boundary-guestos/docs/Boot.adoc
+++ b/ic-os/boundary-guestos/docs/Boot.adoc
@@ -20,7 +20,7 @@ service are started in the IC-OS boot sequence:
 - Config injection
-- Set up ssh account keys
+- Set up ssh user keys
 - Generate network configuration
@@ -83,7 +83,7 @@ USB stick" attached to the VM that contains a tar file with initial configuratio
 for parts of the system (see link:ConfigStore{outfilesuffix}[config store] for a description). Required
 files in the `config` partition as well as payload store are created.
-== Set up ssh account keys
+== Set up ssh user keys
 Service: `setup-ssh-user-keys.services`, script `/opt/ic/bin/setup-ssh-user-keys.sh`.
 Depends on `bootstrap-ic-node.service`.
diff --git a/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-user-keys.service b/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-user-keys.service
index bd7c003ac40..3fdbbaa3db0 100644
--- a/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-user-keys.service
+++ b/ic-os/components/boundary-guestos/etc/systemd/system/setup-ssh-user-keys.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Set up ssh account keys
+Description=Set up ssh user keys
 Before=ssh.service
 # bootstrap-ic-node.service (if it exists) lists this service as a reverse dependency
diff --git a/ic-os/components/ssh/setup-ssh-user-keys/setup-ssh-user-keys.service b/ic-os/components/ssh/setup-ssh-user-keys/setup-ssh-user-keys.service
index bd7c003ac40..3fdbbaa3db0 100644
--- a/ic-os/components/ssh/setup-ssh-user-keys/setup-ssh-user-keys.service
+++ b/ic-os/components/ssh/setup-ssh-user-keys/setup-ssh-user-keys.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Set up ssh account keys
+Description=Set up ssh user keys
 Before=ssh.service
 # bootstrap-ic-node.service (if it exists) lists this service as a reverse dependency
diff --git a/ic-os/guestos/docs/Boot.adoc b/ic-os/guestos/docs/Boot.adoc
index d3b7ab1f4f7..9fd2c06e165 100644
--- a/ic-os/guestos/docs/Boot.adoc
+++ b/ic-os/guestos/docs/Boot.adoc
@@ -30,7 +30,7 @@ service are started in the IC-OS boot sequence:
 - IC node config injection
-- Set up ssh account keys
+- Set up ssh user keys
 - Generate network configuration
@@ -170,16 +170,16 @@ USB stick" attached to the VM that contains a tar file with initial configuratio
 for parts of the system.
 Required files in the +config+ partition as well as
 payload store are created.
-== Deploy updated ssh account keys
+== Deploy updated ssh user keys
-Service: +deploy-updated-ssh-account-keys.service+, +deploy-updated-ssh-account-keys.sh+.
+Service: +deploy-updated-ssh-user-keys.service+, +deploy-updated-ssh-user-keys.sh+.
 Depends on +bootstrap-ic-node.service+, runs before +setup-ssh-user-keys.service+.
 Changes the keys held in the +config+ partition for the +backup+ and +readonly+ user.
 This is a work-around due to not having a key management solution that updated keys are
 deployed via system upgrades.
-== Set up ssh account keys
+== Set up ssh user keys
 Service: +setup-ssh-user-keys.services+, script +/opt/ic/bin/setup-ssh-user-keys.sh+.
 Depends on +bootstrap-ic-node.service+.
From f76e67f7712e11f16383b39021b8b4a4afb53cc3 Mon Sep 17 00:00:00 2001
From: Andrew Battat
Date: Wed, 22 Jan 2025 15:46:05 +0000
Subject: [PATCH 6/7] Revert "Rename deploy-update-ssh-user-keys"
This reverts commit a88420cafb345a4ae9df73a0003652b80fbe04d9.
---
 ic-os/components/hostos.bzl | 4 ++--
 .../deploy-updated-ssh-account-keys.service} | 4 ++--
 .../deploy-updated-ssh-account-keys.sh} | 0
 3 files changed, 4 insertions(+), 4 deletions(-)
 rename ic-os/components/ssh/{deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.service => deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service} (63%)
 rename ic-os/components/ssh/{deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.sh => deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh} (100%)
diff --git a/ic-os/components/hostos.bzl b/ic-os/components/hostos.bzl
index a01836c78c6..1f42a3d5635 100644
--- a/ic-os/components/hostos.bzl
+++ b/ic-os/components/hostos.bzl
@@ -89,8 +89,8 @@ component_files = {
 Label("ssh/generate-host-ssh-keys/generate-host-ssh-keys.service"): "/etc/systemd/system/generate-host-ssh-keys.service",
 Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.sh"): "/opt/ic/bin/setup-ssh-user-keys.sh",
 Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.service"): "/etc/systemd/system/setup-ssh-user-keys.service",
- Label("ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.sh"): "/opt/ic/bin/deploy-updated-ssh-user-keys.sh",
- Label("ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.service"): "/etc/systemd/system/deploy-updated-ssh-user-keys.service",
+ Label("ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh"): "/opt/ic/bin/deploy-updated-ssh-account-keys.sh",
+ Label("ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service"): "/etc/systemd/system/deploy-updated-ssh-account-keys.service",
 # upgrade
 Label("upgrade/manageboot/manageboot.sh"): "/opt/ic/bin/manageboot.sh",
diff --git a/ic-os/components/ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.service b/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service
similarity index 63%
rename from ic-os/components/ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.service
rename to ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service
index 8f24d408a0c..414a1a85382 100644
--- a/ic-os/components/ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.service
+++ b/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service
@@ -1,11 +1,11 @@
 [Unit]
-Description=Update ssh user keys
+Description=Update ssh account keys
 Before=setup-ssh-user-keys.service
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/opt/ic/bin/deploy-updated-ssh-user-keys.sh
+ExecStart=/opt/ic/bin/deploy-updated-ssh-account-keys.sh
 [Install]
 RequiredBy=setup-ssh-user-keys.service
diff --git a/ic-os/components/ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.sh b/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh
similarity index 100%
rename from ic-os/components/ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.sh
rename to ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh
From 49075ff42203b1b80a56864993a4a723c62c118d Mon Sep 17 00:00:00 2001
From: Andrew Battat
Date: Wed, 22 Jan 2025 15:47:10 +0000
Subject: [PATCH 7/7] Revert doc changes to Deploy updated ssh account keys
---
 ic-os/guestos/docs/Boot.adoc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ic-os/guestos/docs/Boot.adoc b/ic-os/guestos/docs/Boot.adoc
index 9fd2c06e165..d503c0764da 100644
--- a/ic-os/guestos/docs/Boot.adoc
+++ b/ic-os/guestos/docs/Boot.adoc
@@ -170,10 +170,10 @@ USB stick" attached to the VM that contains a tar file with initial configuratio
 for parts of the system.
 Required files in the +config+ partition as well as
 payload store are created.
-== Deploy updated ssh user keys
+== Deploy updated ssh account keys
-Service: +deploy-updated-ssh-user-keys.service+, +deploy-updated-ssh-user-keys.sh+.
-Depends on +bootstrap-ic-node.service+, runs before +setup-ssh-user-keys.service+.
+Service: +deploy-updated-ssh-account-keys.service+, +deploy-updated-ssh-account-keys.sh+.
+Depends on +bootstrap-ic-node.service+, runs before +setup-ssh-account-keys.service+.
 Changes the keys held in the +config+ partition for the +backup+ and +readonly+ user.
 This is a work-around due to not having a key management solution that updated keys are