From 6452c6b508bb0fcb2ae3bcb666f5ac8d4385fc1e Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 3 Dec 2024 15:05:52 +0100 Subject: [PATCH 01/13] add `openssh-server` and `openssh` package `openssh` package later removed since it is not needed for this feature to function --- image/base/mkosi.conf | 2 ++ image/mirror/SHA256SUMS | 26 ++++++++++++++------------ image/mirror/packages.txt | 2 ++ 3 files changed, 18 insertions(+), 12 deletions(-) diff --git a/image/base/mkosi.conf b/image/base/mkosi.conf index 5deab82c8b..3cab93550d 100644 --- a/image/base/mkosi.conf +++ b/image/base/mkosi.conf @@ -41,6 +41,8 @@ Packages=containerd # Network Packages=iproute dbus + openssh + openssh-server systemd-networkd systemd-resolved diff --git a/image/mirror/SHA256SUMS b/image/mirror/SHA256SUMS index b05af5cd0c..1238c5cac0 100644 --- a/image/mirror/SHA256SUMS +++ b/image/mirror/SHA256SUMS @@ -1,4 +1,3 @@ -37abef83e8927b4b48f69fcbdcc249d349c6029cc669401676d01f0ea326999e WALinuxAgent-udev-2.10.0.8-2.fc40.noarch.rpm 8f9c8c8be1df166f4285824580c9f6588864c167c8a2d51a6c4621d1ea3f8fde aardvark-dns-1.13.1-1.fc40.x86_64.rpm ac860c52abbc65af5835d1bd97400c531a5635d39bc1d68e36a1fe54863385ea alternatives-1.27-1.fc40.x86_64.rpm 6d0cfcd0e97421b42af58a824c7e99a6cbcdd0e81980b4ea9e0d4051ef723db3 audit-libs-4.0.2-1.fc40.i686.rpm 
@@ -15,11 +14,11 @@ db18a583ebde21d8b0b67f0306e25908b273bef9c532469ac0b7ab92578438f4 authselect-lib 5935816e8d377d0385e5287ca12e4d3b43e3c3cdc9cc4deafa653a6dba78611a composefs-libs-1.0.6-1.fc40.x86_64.rpm db246f6445469b5a71e965a081685471768393cf04181e7250ce0ddcb8a9c3d4 conmon-2.1.12-2.fc40.x86_64.rpm adf4b75cdd9fae9d2d37fb71d9f0bf625a6705c0f0a7784569ab21463fe22152 conntrack-tools-1.4.7-7.fc40.x86_64.rpm -621302b0ea9cdd73d5eea4d30935cb415143df1649cd8e92424e967ea98fc34d container-selinux-2.234.2-1.fc40.noarch.rpm bbe29e0c7b4ca076d50b4ac3954eb383459230d96b13f353ee71ebd5de33b6d1 containerd-1.6.23-5.fc40.x86_64.rpm 0705251ea64b1558098016b2120f202c5aba77470093cb8f89ce6adb2a0b46b6 containernetworking-plugins-1.5.1-1.fc40.x86_64.rpm 3e35525e9224d3427f10343c98036b251fac34bf67c9007335561d846736d0d5 containers-common-0.61.0-1.fc40.noarch.rpm b0740195d12d356e5637b83ece8650fc3f764f37e734678a07cb637fb14faf7d containers-common-extra-0.61.0-1.fc40.noarch.rpm +621302b0ea9cdd73d5eea4d30935cb415143df1649cd8e92424e967ea98fc34d container-selinux-2.234.2-1.fc40.noarch.rpm 299d3e7e1cbc110d9ae8a47f6ca95142c3e3783cb1464bfbd6bc550c414b97ec coreutils-single-9.4-9.fc40.x86_64.rpm d941a78ffb6e2e0b4c24d0097d0351ced8796edde90208b4bddee459bce0a949 cpio-2.15-1.fc40.x86_64.rpm faa23cb6a7a612c0a6e874c788c5add967c5e193bd38c2e6093b82b38a162f81 cracklib-2.9.11-5.fc40.i686.rpm 
@@ -68,11 +67,11 @@ a6f2098fc2ed16df92c9325bd7459cc41479e17306a4f9cddfd5df8a1b80d0f8 file-5.45-4.fc f76684ee78408660db83ab9932978a1346b280f4210cd744524b00b2e5891fe1 file-libs-5.45-4.fc40.x86_64.rpm 063af3db3808bea0d5c07dbb2d8369b275e1d05ad0850c80a8fec0413f47cd64 filesystem-3.18-8.fc40.x86_64.rpm 21725de2a93e1ea19f8d298e32a2428a3a08b9c98f22561cc778a807ed43639f findutils-4.9.0-9.fc40.x86_64.rpm +2d6631d65e3b5c91afdb100a51ee8e50294f0e074a944c1662008d878d47456e fuse3-3.16.2-3.fc40.x86_64.rpm +a9c6502a5b190aaf169e93afd337c009e0b2e235e31f3da23d29c7d063ad2ff9 fuse3-libs-3.16.2-3.fc40.x86_64.rpm f4c2d51c7b4577f7b7ef498f8e2afb1b007da2de00cca28e220f50129c40a48c fuse-common-3.16.2-3.fc40.x86_64.rpm f94315e447afb7442033b7b82e43a4ed62754f603afda53930280300855e46c7 fuse-libs-2.9.9-21.fc40.x86_64.rpm 8fe84b7e0319afcc9c9eb28130b74e0cd7c675667a6ce075eb7ee2ec1b0014c2 fuse-overlayfs-1.13-1.fc40.x86_64.rpm -2d6631d65e3b5c91afdb100a51ee8e50294f0e074a944c1662008d878d47456e fuse3-3.16.2-3.fc40.x86_64.rpm -a9c6502a5b190aaf169e93afd337c009e0b2e235e31f3da23d29c7d063ad2ff9 fuse3-libs-3.16.2-3.fc40.x86_64.rpm 6c80dfdaf7b27ea92c1276856b8b2ae5fde1ae5c391b773805be725515fdc1ac gawk-5.3.0-3.fc40.x86_64.rpm c4cc69bf3a2655b9ee9ac23492d377bac57811c5b4f81fbf43537520ee33c7af gawk-all-langpacks-5.3.0-3.fc40.x86_64.rpm 21470eb4ec55006c9efeee84c97772462008fceda1ab332e58d2caddfdaa0d1e gdbm-1.23-6.fc40.x86_64.rpm 
@@ -244,7 +243,9 @@ c425cdd1d0889edb688809ccc2a35a96e67a7dedc119ad540ddd05f8a8997b5e netavark-1.13. 188ce5004e6ed764b4a619b64a4a0f36f1cc4fa919fe0a300599ff1171844144 nftables-1.0.9-3.fc40.x86_64.rpm 784e0fbc9ccb7087c10f4c41edbed13904f94244ff658f308614abe48cdf0d42 npth-1.7-1.fc40.x86_64.rpm f814bc09b50daaab468715088ec056373dbc209a5075306e4ce76f5c55eb2b42 nvme-cli-2.8-1.fc40.x86_64.rpm -deed5caa94b7590e42976c73944e882ac6be7ac94b87ea8d476a7dfe4e56c427 openldap-2.6.8-1.fc40.x86_64.rpm +b09089231ec94ee1b2dc26e34d8d7f19586d411bc40df7d0e495e559ac2d871a openldap-2.6.7-1.fc40.x86_64.rpm +7cc7617d495bdb6b5c06bef538068a53e7cec8209c674918fd30ac82fba95b11 openssh-9.6p1-1.fc40.4.x86_64.rpm +a1142e22df88c6200a7378f20f6d92ec62908ac67aa3fbc223dba874bdf162ba openssh-server-9.6p1-1.fc40.4.x86_64.rpm 5df04d37e492e5f107cc21e547240f9f98b0b7613320467bc0b08f6aa1b0fb88 openssl-libs-3.2.2-3.fc40.i686.rpm e9fca52d76eb6277b9fec3238226faafc0938806318fad1143a527fdd28a16cf openssl-libs-3.2.2-3.fc40.x86_64.rpm 9f0336deb6f1b1524ec48d837622e7e2291995369b0356d7ad1e1d427f3b659a os-prober-1.81-6.fc40.x86_64.rpm 
@@ -275,10 +276,10 @@ c03ba1c46e0e2dda36e654941f307aaa0d6574ee5143d6fec6e9af2bdf3252a2 popt-1.19-6.fc af85755cda79959a19161ebc26a45e507003298bd97b472b9ab0d512afa5e46a protobuf-c-1.5.0-3.fc40.x86_64.rpm 45ff2e9814aa059f323b23710c73309d41d36306667a3004f5fbb86b0cab4484 psmisc-23.6-6.fc40.x86_64.rpm cca50802d4f75306bc37126feb92db79fed44dcdabf76c1556853334995b9d3b publicsuffix-list-dafsa-20240107-3.fc40.noarch.rpm +6d8342314daafde5c5ec4ec2935e74edb9bea107dc8cd72642e322444f264c7d python3-3.12.7-1.fc40.x86_64.rpm +839d6dd1d8ac9b55f14b504eca5ac5e66b8330341608f7c9132cb29816116ecb python3-libs-3.12.7-1.fc40.x86_64.rpm 7c703b431508f44c5184b5c1df052ed0f49b7439d68aa3597a9a57a5b26bd648 python-pip-wheel-23.3.2-2.fc40.noarch.rpm -86e17167996c17798e116974f42e63dc2e0ac6bce1c10a47416d421c785a5ea4 python-unversioned-command-3.12.8-2.fc40.noarch.rpm -5526220160d59c64689dd2c017a03a26a909c5c50f7973c8bf3750f8f39ca114 python3-3.12.8-2.fc40.x86_64.rpm -0905050a05fce20538191ad45e61bca86d61877f58da47df1b59465d034a4ae6 python3-libs-3.12.8-2.fc40.x86_64.rpm +bcac955e69958e064669ed6e0a394bd9dd2c76e63f558a205ced18a9755012ab python-unversioned-command-3.12.7-1.fc40.noarch.rpm d50b24d1a217e5201b4f8350945b7a3bc3fa01a61a8dd8d28e1b9512295238e1 qemu-user-static-8.2.8-2.fc40.x86_64.rpm 11f752c50493eca8f6dddf3140c694d3db4bc808771eaba25978ea2c309b2196 qemu-user-static-aarch64-8.2.8-2.fc40.x86_64.rpm 8598fde32ac72cafcc57f30edbfed1f920c58001dbeecb6932f4de8ce76091ba qemu-user-static-alpha-8.2.8-2.fc40.x86_64.rpm 
@@ -339,10 +340,11 @@ c3be8a6d0ea23b1d0bf466b19857b97f7ffde811ad7adec0599161059d84cc74 tpm2-tss-4.1.3 945aa536bc30050abc1870cef167cb944cf78d6628923476db43201a0054574b util-linux-2.40.2-1.fc40.x86_64.rpm 7ec1b5df780c5a30f8e901179480125a6ea87f1f7bad3b69da7f4b351b88c3dd util-linux-core-2.40-0.9.rc1.fc40.x86_64.rpm b1aa4e816c01c08c18924865640f214f717cdfc66837e53a24b8edfb80a86f9d util-linux-core-2.40.2-1.fc40.x86_64.rpm -51e57c8dd885fb8b00b5225e3aa6d037b74ff35cb5f3962d7622af4566e4386e vim-common-9.1.919-1.fc40.x86_64.rpm -b00addd65b86713a3d5507c343cfc750ee9fe656130df464c109f9cd18aa7439 vim-data-9.1.919-1.fc40.noarch.rpm -4eff285f016104291d5515cc103993ead80ba17bebd7b1f7814efb3565a30ea5 vim-enhanced-9.1.919-1.fc40.x86_64.rpm -6642da315fd235087b3b4ee328b0264bc463536e900d6e01a93b70b96ef0d08e vim-filesystem-9.1.919-1.fc40.noarch.rpm +fb78d7a38305025bf2a6f4876cd70ed5d2bd888b4a2df91e35f1426a57267e38 vim-common-9.1.906-1.fc40.x86_64.rpm +f44d05b58d9def775f187b24468aa9e4d21647b6b4303ed92bc994db8d7db986 vim-data-9.1.906-1.fc40.noarch.rpm +3d3ab14b5cd806eade3a5246fefe47b5acf440a1cea9d17c2591fbbdd24cc37a vim-enhanced-9.1.906-1.fc40.x86_64.rpm +175abd5a9e2149da58a203208909681e717c1354050ae9bd71f408b04f5367b3 vim-filesystem-9.1.906-1.fc40.noarch.rpm +37abef83e8927b4b48f69fcbdcc249d349c6029cc669401676d01f0ea326999e WALinuxAgent-udev-2.10.0.8-2.fc40.noarch.rpm 5f4aef6a6f19712c142b3e592ff05bba03dee877a0a098df294d876063918805 wget2-2.2.0-1.fc40.x86_64.rpm a4119091a85b4aa4262a26f6ed2d6653de9b7c4def3636a2b0ad066436f29acd wget2-libs-2.2.0-1.fc40.x86_64.rpm 4948040a53814b1b4b76f6ec9d64ec21f3f2d1196a0a1c5b117f91fa58a267b1 wget2-wget-2.2.0-1.fc40.x86_64.rpm diff --git a/image/mirror/packages.txt b/image/mirror/packages.txt index fd79a427a3..40dd260716 100644 --- a/image/mirror/packages.txt +++ b/image/mirror/packages.txt @@ -19,6 +19,8 @@ mokutil nano nano-default-editor nvme-cli +openssh +openssh-server passt-selinux passwd podman 
From 0bf747ffec805267ed10404af10cfddeb7fea17f Mon Sep 17 00:00:00 2001
From: miampf
Date: Thu, 5 Dec 2024 15:23:27 +0100
Subject: [PATCH 02/13] `sshd` config and creation of `create-host-ssh-key` service
---
 image/base/mkosi.skeleton/etc/ssh/sshd_config | 1 +
 .../usr/lib/systemd/system/create-host-ssh-key.service | 10 ++++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 image/base/mkosi.skeleton/etc/ssh/sshd_config
 create mode 100644 image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
diff --git a/image/base/mkosi.skeleton/etc/ssh/sshd_config b/image/base/mkosi.skeleton/etc/ssh/sshd_config
new file mode 100644
index 0000000000..4e298496b6
--- /dev/null
+++ b/image/base/mkosi.skeleton/etc/ssh/sshd_config
@@ -0,0 +1 @@
+HostKey /run/ssh_host_ecdsa_key
diff --git a/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service b/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
new file mode 100644
index 0000000000..084568705f
--- /dev/null
+++ b/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Create a host SSH key
+Before=sshd.service
+
+[Service]
+Type=oneshot
+ExecStart=ssh-keygen -t ecdsa -q -N "" /run/ssh_host_ecdsa_key
+
+[Install]
+WantedBy=multi-user.target
From 843e8c412b5ecc1949fbd3db809ac9cc9da6349f Mon Sep 17 00:00:00 2001
From: miampf
Date: Thu, 12 Dec 2024 16:06:19 +0100
Subject: [PATCH 03/13] tf ssh access with custom lb changed later to use existing load balancer instead of a custom setup
---
 terraform/infrastructure/azure/main.tf | 87 +++++++++++++++++++++
 terraform/infrastructure/azure/variables.tf | 6 ++
 2 files changed, 93 insertions(+)
diff --git a/terraform/infrastructure/azure/main.tf b/terraform/infrastructure/azure/main.tf
index c6383d82bf..398156b3e2 100644
--- a/terraform/infrastructure/azure/main.tf
+++ b/terraform/infrastructure/azure/main.tf
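Review bot: `ExecStart=ssh-keygen -t ecdsa -q -N "" /run/ssh_host_ecdsa_key` passes the key path as a bare positional argument; ssh-keygen only takes the output path through `-f` and, as far as I can tell, rejects a stray positional argument instead of using it, so this unit never writes `/run/ssh_host_ecdsa_key` (PATCH 04 in this series adds the missing `-f`). Separately, `Before=sshd.service` is an ordering constraint only; nothing shown in the series makes sshd.service pull this unit in, so if it is not enabled or fails, sshd starts without a host key. Either document that the preset must enable this unit (PATCH 07 does so), or add a drop-in on the sshd side with `Wants=create-host-ssh-key.service` and `After=create-host-ssh-key.service` so the dependency is explicit.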
@@ -295,3 +295,90 @@ data "azurerm_user_assigned_identity" "uaid" { name = local.uai_name resource_group_name = local.uai_resource_group } + +############## For emergency ssh access ############## +resource "azurerm_public_ip" "loadbalancer_ssh_ip" { + count = var.emergency_ssh ? 1 : 0 + name = "${local.name}-ssh-lb" + domain_name_label = "${local.name}-ssh" + resource_group_name = var.resource_group + location = var.location + allocation_method = "Static" + sku = "Standard" + tags = local.tags + + lifecycle { + ignore_changes = [name] + } +} + +// Reads data from the resource of the same name. +// Used to wait to the actual resource to become ready, before using data from that resource. +// Property "fqdn" only becomes available on azurerm_public_ip resources once domain_name_label is set. +// Since we are setting domain_name_label starting with 2.10 we need to migrate +// resources for clusters created before 2.9. In those cases we need to wait until loadbalancer_ip has +// been updated before reading from it. +data "azurerm_public_ip" "loadbalancer_ssh_ip" { + count = var.emergency_ssh ? 1 : 0 + name = "${local.name}-ssh-lb" + resource_group_name = var.resource_group + depends_on = [azurerm_public_ip.loadbalancer_ssh_ip] +} + +resource "azurerm_lb" "loadbalancer_ssh" { + count = var.emergency_ssh ? 1 : 0 + name = "${local.name}-ssh" + location = var.location + resource_group_name = var.resource_group + sku = "Standard" + tags = local.tags + + dynamic "frontend_ip_configuration" { + for_each = var.emergency_ssh ? [1] : [] + content { + name = "PublicIPAddress" + public_ip_address_id = azurerm_public_ip.loadbalancer_ssh_ip[0].id + } + } +} + +module "loadbalancer_backend_control_plane_ssh" { + count = var.emergency_ssh ? 
1 : 0 + source = "./modules/load_balancer_backend" + + name = "${local.name}-control-plane-ssh" + loadbalancer_id = azurerm_lb.loadbalancer_ssh[0].id + frontend_ip_configuration_name = azurerm_lb.loadbalancer_ssh[0].frontend_ip_configuration[0].name + ports = [{ name = "ssh-cp", port = "22", health_check_protocol = "Tcp", path = null, priority = 100 }] +} + +module "loadbalancer_backend_worker_ssh" { + count = var.emergency_ssh ? 1 : 0 + source = "./modules/load_balancer_backend" + + name = "${local.name}-worker-ssh" + loadbalancer_id = azurerm_lb.loadbalancer_ssh[0].id + frontend_ip_configuration_name = azurerm_lb.loadbalancer_ssh[0].frontend_ip_configuration[0].name + ports = [] +} + +resource "azurerm_lb_backend_address_pool" "all_ssh" { + count = var.emergency_ssh ? 1 : 0 + loadbalancer_id = azurerm_lb.loadbalancer_ssh[0].id + name = "${var.name}-all-ssh" +} + +resource "azurerm_network_security_rule" "nsg_rule_ssh" { + count = var.emergency_ssh ? 1 : 0 + name = "ssh-new" + priority = 210 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = var.resource_group + network_security_group_name = azurerm_network_security_group.security_group.name +} diff --git a/terraform/infrastructure/azure/variables.tf b/terraform/infrastructure/azure/variables.tf index a3ab1fd0b5..e28558068e 100644 --- a/terraform/infrastructure/azure/variables.tf +++ b/terraform/infrastructure/azure/variables.tf @@ -101,3 +101,9 @@ variable "additional_tags" { default = {} description = "Additional tags that should be applied to created resources." } + +variable "emergency_ssh" { + type = bool + default = false + description = "Wether to deploy a load balancer to connect to nodes via ssh." +} From 0cda8418116aaba3b606fdeb574844b55e9a71cc Mon Sep 17 00:00:00 2001 
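Review bot: `azurerm_network_security_rule.nsg_rule_ssh` at the end of the hunk allows TCP/22 with `source_address_prefix = "*"`, so turning on `emergency_ssh` exposes sshd on every node to any source address rather than to an operator-controlled range; a `source_address_prefixes` input fed from a variable (default empty, deny) would keep the emergency path narrow, or at minimum a comment should state that world-wide exposure is deliberate and gated by `var.emergency_ssh`. The comment block above `data "azurerm_public_ip" "loadbalancer_ssh_ip"` is copied from the main load-balancer IP and talks about migrating clusters created before 2.9, which cannot apply to a resource introduced here; keep only the first three lines of it. `azurerm_lb_backend_address_pool.all_ssh` is created but nothing in the hunk references it, and `loadbalancer_backend_worker_ssh` has `ports = []`, so worker nodes get no SSH rule at all. PATCH 05 replaces this whole block, so these points matter only if this commit is kept as a standalone step.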
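Review bot: The description string `Wether to deploy a load balancer to connect to nodes via ssh.` misspells "Whether"; the identical string is repeated in the aws, gcp and openstack variables.tf hunks of PATCH 09. Since PATCH 05 stops creating a separate load balancer and instead adds port 22 to the existing one, the wording is also out of date for the final state of the series; `description = "Whether to expose the nodes' SSH port (22) through the load balancer for emergency access."` describes what the variable ends up controlling.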
From: miampf
Date: Fri, 6 Dec 2024 11:55:57 +0100
Subject: [PATCH 04/13] `sshd` and `create-host-ssh-key` service on node
---
 .../usr/lib/systemd/system/create-host-ssh-key.service | 6 +++---
 .../mkosi.skeleton => sysroot-tree}/etc/ssh/sshd_config | 0
 2 files changed, 3 insertions(+), 3 deletions(-)
 rename image/{base/mkosi.skeleton => sysroot-tree}/etc/ssh/sshd_config (100%)
diff --git a/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service b/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
index 084568705f..4a23aba460 100644
--- a/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
+++ b/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
@@ -1,10 +1,10 @@
 [Unit]
 Description=Create a host SSH key
-Before=sshd.service
+Before=network-pre.target
 
 [Service]
 Type=oneshot
-ExecStart=ssh-keygen -t ecdsa -q -N "" /run/ssh_host_ecdsa_key
+ExecStart=/bin/bash -c "ssh-keygen -t ecdsa -q -N '' -f /run/ssh_host_ecdsa_key"
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=network-pre.target
diff --git a/image/base/mkosi.skeleton/etc/ssh/sshd_config b/image/sysroot-tree/etc/ssh/sshd_config
similarity index 100%
rename from image/base/mkosi.skeleton/etc/ssh/sshd_config
rename to image/sysroot-tree/etc/ssh/sshd_config
From 7f4776014688a2cdf154534c39a655382ccaa874 Mon Sep 17 00:00:00 2001
From: miampf
Date: Tue, 17 Dec 2024 10:06:35 +0100
Subject: [PATCH 05/13] terraform ssh setup
---
 terraform/infrastructure/azure/main.tf | 103 +++++--------------------
 1 file changed, 18 insertions(+), 85 deletions(-)
diff --git a/terraform/infrastructure/azure/main.tf b/terraform/infrastructure/azure/main.tf
index 398156b3e2..565e248468 100644
--- a/terraform/infrastructure/azure/main.tf
+++ b/terraform/infrastructure/azure/main.tf
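Review bot: The new `ExecStart=/bin/bash -c "ssh-keygen -t ecdsa -q -N '' -f /run/ssh_host_ecdsa_key"` wraps the call in a shell for no reason the hunk shows; systemd parses double-quoted arguments itself, so `ExecStart=ssh-keygen -t ecdsa -q -N "" -f /run/ssh_host_ecdsa_key` is equivalent, keeps a shell out of the key-generation path, and still carries the `-f` fix that this commit gets right. `WantedBy=network-pre.target` installs the unit into a passive target that is only reached when some other unit pulls it in, so on an image where nothing wants network-pre.target this service may never run; PATCH 07 moves it back to `multi-user.target`, which is the right call. The `Before=` line orders sshd after this unit when both are scheduled, but it still creates no dependency, so sshd.service (not visible in the series) must be the one to require it if the key is mandatory.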
@@ -40,6 +40,7 @@ locals { { name = "recovery", port = "9999", health_check_protocol = "Tcp", path = null, priority = 104 }, { name = "join", port = "30090", health_check_protocol = "Tcp", path = null, priority = 105 }, var.debug ? [{ name = "debugd", port = "4000", health_check_protocol = "Tcp", path = null, priority = 106 }] : [], + var.emergency_ssh ? [{ name = "ssh", port = "22", health_check_protocol = "Tcp", path = null, priority = 107 }] : [], ]) // wildcard_lb_dns_name is the DNS name of the load balancer with a wildcard for the name. // example: given "name-1234567890.location.cloudapp.azure.com" it will return "*.location.cloudapp.azure.com" 
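Review bot: Adding `var.emergency_ssh ? [{ name = "ssh", port = "22", health_check_protocol = "Tcp", path = null, priority = 107 }] : []` to `ports` puts every node's sshd behind the cluster's public load balancer whenever `emergency_ssh` is set; if this list also drives the NSG rules, as the neighbouring `debugd` entry suggests, port 22 is then reachable from any source address and the hunk gives operators no way to narrow the source range. Consider a companion input for allowed source ranges, or at least state the exposure explicitly in the `emergency_ssh` variable description. The same list entry is added for aws, gcp and openstack in PATCH 09 (the hunks headed `@@ -29,6 +29,7 @@`, `@@ -40,6 +40,7 @@` and `@@ -43,6 +43,7 @@` there), and the same point applies to each. The enclosing `locals` block starts before this hunk.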
@@ -296,89 +297,21 @@ data "azurerm_user_assigned_identity" "uaid" { resource_group_name = local.uai_resource_group } -############## For emergency ssh access ############## -resource "azurerm_public_ip" "loadbalancer_ssh_ip" { - count = var.emergency_ssh ? 1 : 0 - name = "${local.name}-ssh-lb" - domain_name_label = "${local.name}-ssh" - resource_group_name = var.resource_group - location = var.location - allocation_method = "Static" - sku = "Standard" - tags = local.tags - - lifecycle { - ignore_changes = [name] - } -} - -// Reads data from the resource of the same name. -// Used to wait to the actual resource to become ready, before using data from that resource. -// Property "fqdn" only becomes available on azurerm_public_ip resources once domain_name_label is set. -// Since we are setting domain_name_label starting with 2.10 we need to migrate -// resources for clusters created before 2.9. In those cases we need to wait until loadbalancer_ip has -// been updated before reading from it. -data "azurerm_public_ip" "loadbalancer_ssh_ip" { - count = var.emergency_ssh ? 1 : 0 - name = "${local.name}-ssh-lb" - resource_group_name = var.resource_group - depends_on = [azurerm_public_ip.loadbalancer_ssh_ip] -} - -resource "azurerm_lb" "loadbalancer_ssh" { - count = var.emergency_ssh ? 1 : 0 - name = "${local.name}-ssh" - location = var.location - resource_group_name = var.resource_group - sku = "Standard" - tags = local.tags - - dynamic "frontend_ip_configuration" { - for_each = var.emergency_ssh ? [1] : [] - content { - name = "PublicIPAddress" - public_ip_address_id = azurerm_public_ip.loadbalancer_ssh_ip[0].id - } - } -} - -module "loadbalancer_backend_control_plane_ssh" { - count = var.emergency_ssh ? 
1 : 0 - source = "./modules/load_balancer_backend" - - name = "${local.name}-control-plane-ssh" - loadbalancer_id = azurerm_lb.loadbalancer_ssh[0].id - frontend_ip_configuration_name = azurerm_lb.loadbalancer_ssh[0].frontend_ip_configuration[0].name - ports = [{ name = "ssh-cp", port = "22", health_check_protocol = "Tcp", path = null, priority = 100 }] -} - -module "loadbalancer_backend_worker_ssh" { - count = var.emergency_ssh ? 1 : 0 - source = "./modules/load_balancer_backend" - - name = "${local.name}-worker-ssh" - loadbalancer_id = azurerm_lb.loadbalancer_ssh[0].id - frontend_ip_configuration_name = azurerm_lb.loadbalancer_ssh[0].frontend_ip_configuration[0].name - ports = [] -} - -resource "azurerm_lb_backend_address_pool" "all_ssh" { - count = var.emergency_ssh ? 1 : 0 - loadbalancer_id = azurerm_lb.loadbalancer_ssh[0].id - name = "${var.name}-all-ssh" -} - -resource "azurerm_network_security_rule" "nsg_rule_ssh" { - count = var.emergency_ssh ? 1 : 0 - name = "ssh-new" - priority = 210 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "22" - source_address_prefix = "*" - destination_address_prefix = "*" - resource_group_name = var.resource_group - network_security_group_name = azurerm_network_security_group.security_group.name +# emergency ssh configuration files +resource "local_file" "ssh_config" { + filename = "./ssh_config" + file_permission = "0600" + content = < Date: Tue, 17 Dec 2024 12:57:16 +0100 Subject: [PATCH 06/13] change known_hosts file to writable location --- image/sysroot-tree/etc/ssh/ssh_config | 1 + 1 file changed, 1 insertion(+) create mode 100644 image/sysroot-tree/etc/ssh/ssh_config diff --git a/image/sysroot-tree/etc/ssh/ssh_config b/image/sysroot-tree/etc/ssh/ssh_config new file mode 100644 index 0000000000..599c67c0e8 --- /dev/null +++ b/image/sysroot-tree/etc/ssh/ssh_config @@ -0,0 +1 @@ +UserKnownHostsFile /run/known_hosts 
From aaf3d1d2b86e35a18d157316cef3e542cdec2f81 Mon Sep 17 00:00:00 2001
From: miampf
Date: Tue, 10 Dec 2024 12:37:39 +0100
Subject: [PATCH 07/13] ssh node image configuration
---
 image/base/mkosi.conf | 1 -
 .../usr/lib/systemd/system-preset/30-constellation.preset | 1 +
 .../usr/lib/systemd/system/create-host-ssh-key.service | 4 ++--
 image/mirror/packages.txt | 1 -
 image/sysroot-tree/etc/ssh/ssh_config | 1 -
 image/sysroot-tree/etc/ssh/sshd_config | 2 ++
 6 files changed, 5 insertions(+), 5 deletions(-)
 delete mode 100644 image/sysroot-tree/etc/ssh/ssh_config
diff --git a/image/base/mkosi.conf b/image/base/mkosi.conf
index 3cab93550d..9201a05ff1 100644
--- a/image/base/mkosi.conf
+++ b/image/base/mkosi.conf
@@ -41,7 +41,6 @@ Packages=containerd
 # Network
 Packages=iproute
 dbus
- openssh
 openssh-server
 systemd-networkd
 systemd-resolved
diff --git a/image/base/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset b/image/base/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
index dcabbedd9c..493434d54e 100644
--- a/image/base/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
+++ b/image/base/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
@@ -10,3 +10,4 @@ enable measurements.service
 enable export_constellation_debug.service
 enable systemd-timesyncd
 enable udev-trigger.service
+enable create-host-ssh-key.service
diff --git a/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service b/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
index 4a23aba460..b34d802db6 100644
--- a/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
+++ b/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
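Review bot: `enable create-host-ssh-key.service` makes every node generate an SSH host key at boot regardless of `emergency_ssh`, which in the terraform hunks of this series only controls the load-balancer side; together with the packaged `openssh-server` and an `sshd.service` that is presumably enabled by the distribution preset (not visible here), each node runs a listening sshd even on clusters that never opted into emergency access. If that is intended, a one-line comment in the preset saying so would help the next reader; otherwise the unit should be conditioned on the feature, for example with `ConditionPathExists=/run/ssh_ca.pub` in its `[Unit]` section, since that CA file is what the sshd_config in this commit already depends on.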
@@ -1,10 +1,10 @@ [Unit] Description=Create a host SSH key -Before=network-pre.target +Before=sshd.service [Service] Type=oneshot ExecStart=/bin/bash -c "ssh-keygen -t ecdsa -q -N '' -f /run/ssh_host_ecdsa_key" [Install] -WantedBy=network-pre.target +WantedBy=multi-user.target diff --git a/image/mirror/packages.txt b/image/mirror/packages.txt index 40dd260716..9d6240a2e4 100644 --- a/image/mirror/packages.txt +++ b/image/mirror/packages.txt @@ -19,7 +19,6 @@ mokutil nano nano-default-editor nvme-cli -openssh openssh-server passt-selinux passwd diff --git a/image/sysroot-tree/etc/ssh/ssh_config b/image/sysroot-tree/etc/ssh/ssh_config deleted file mode 100644 index 599c67c0e8..0000000000 --- a/image/sysroot-tree/etc/ssh/ssh_config +++ /dev/null @@ -1 +0,0 @@ -UserKnownHostsFile /run/known_hosts diff --git a/image/sysroot-tree/etc/ssh/sshd_config b/image/sysroot-tree/etc/ssh/sshd_config index 4e298496b6..2b1060c4a0 100644 --- a/image/sysroot-tree/etc/ssh/sshd_config +++ b/image/sysroot-tree/etc/ssh/sshd_config @@ -1 +1,3 @@ HostKey /run/ssh_host_ecdsa_key +TrustedUserCAKeys /run/ssh_ca.pub +PasswordAuthentication no From d1e44129f6ea26cbdbde5e7d39c82631f540d82d Mon Sep 17 00:00:00 2001 From: miampf Date: Thu, 19 Dec 2024 15:14:38 +0100 Subject: [PATCH 08/13] nix fmt --- flake.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.nix b/flake.nix index 16bd15b4ab..51dc697b51 100644 --- a/flake.nix +++ b/flake.nix @@ -11,10 +11,10 @@ }; outputs = - { - self, - nixpkgsUnstable, - flake-utils, + { self + , nixpkgsUnstable + , flake-utils + , }: flake-utils.lib.eachDefaultSystem ( system: From 6bef2d8943e63b6c17559cbbca6fac8e956daba2 Mon Sep 17 00:00:00 2001 
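Review bot: `TrustedUserCAKeys /run/ssh_ca.pub` without an `AuthorizedPrincipalsFile` means a certificate that carries no principals is valid for any account on the node, including root because `PermitRootLogin` is left at its `prohibit-password` default, so the whole access boundary rests on the signing side always setting principals; pinning them server-side with `AuthorizedPrincipalsFile <principals file provisioned next to the CA key>` makes that a rule the node enforces. `PasswordAuthentication no` does not switch off keyboard-interactive authentication; if the image ends up with `UsePAM yes` (Fedora's stock configuration, not visible in this series), PAM password prompts remain reachable, so add `KbdInteractiveAuthentication no` alongside it. Finally, the host key is regenerated into `/run` on every boot (PATCH 02/04) and no `HostCertificate` is configured, so clients cannot authenticate the node across reboots and are pushed towards disabling host-key checking on an emergency path; signing the fresh key with a host CA in the same service, or publishing it through an attested channel, would close that gap.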
From: miampf Date: Thu, 2 Jan 2025 10:44:18 +0100 Subject: [PATCH 09/13] add emergency_ssh var to other providers (untested) --- terraform/infrastructure/aws/main.tf | 1 + terraform/infrastructure/aws/variables.tf | 6 ++++++ terraform/infrastructure/gcp/main.tf | 1 + terraform/infrastructure/gcp/variables.tf | 6 ++++++ terraform/infrastructure/openstack/main.tf | 1 + terraform/infrastructure/openstack/variables.tf | 6 ++++++ 6 files changed, 21 insertions(+) diff --git a/terraform/infrastructure/aws/main.tf b/terraform/infrastructure/aws/main.tf index 65dff58e16..ad19a7d57e 100644 --- a/terraform/infrastructure/aws/main.tf +++ b/terraform/infrastructure/aws/main.tf @@ -29,6 +29,7 @@ locals { { name = "recovery", port = "9999", health_check = "TCP" }, { name = "join", port = "30090", health_check = "TCP" }, var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [], + var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [], ]) target_group_arns = { control-plane : [ diff --git a/terraform/infrastructure/aws/variables.tf b/terraform/infrastructure/aws/variables.tf index 67d0ec4d31..f9966a8b82 100644 --- a/terraform/infrastructure/aws/variables.tf +++ b/terraform/infrastructure/aws/variables.tf @@ -85,3 +85,9 @@ variable "additional_tags" { default = {} description = "Additional tags that should be applied to created resources." } + +variable "emergency_ssh" { + type = bool + default = false + description = "Wether to deploy a load balancer to connect to nodes via ssh." +} diff --git a/terraform/infrastructure/gcp/main.tf b/terraform/infrastructure/gcp/main.tf index b20b74d151..08a996ad16 100644 --- a/terraform/infrastructure/gcp/main.tf +++ b/terraform/infrastructure/gcp/main.tf 
@@ -40,6 +40,7 @@ locals { { name = "recovery", port = "9999", health_check = "TCP" }, { name = "join", port = "30090", health_check = "TCP" }, var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [], + var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [], ]) node_groups_by_role = { for name, node_group in var.node_groups : node_group.role => name... diff --git a/terraform/infrastructure/gcp/variables.tf b/terraform/infrastructure/gcp/variables.tf index 601394a557..dd328485c0 100644 --- a/terraform/infrastructure/gcp/variables.tf +++ b/terraform/infrastructure/gcp/variables.tf @@ -75,3 +75,9 @@ variable "additional_labels" { default = {} description = "Additional labels that should be given to created recources." } + +variable "emergency_ssh" { + type = bool + default = false + description = "Wether to deploy a load balancer to connect to nodes via ssh." +} diff --git a/terraform/infrastructure/openstack/main.tf b/terraform/infrastructure/openstack/main.tf index ed650ccd19..dc1d1a3fa4 100644 --- a/terraform/infrastructure/openstack/main.tf +++ b/terraform/infrastructure/openstack/main.tf @@ -43,6 +43,7 @@ locals { { name = "recovery", port = "9999", health_check = "TCP" }, { name = "join", port = "30090", health_check = "TCP" }, var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [], + var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [], ]) cidr_vpc_subnet_nodes = "192.168.178.0/24" cidr_vpc_subnet_lbs = "192.168.177.0/24" diff --git a/terraform/infrastructure/openstack/variables.tf b/terraform/infrastructure/openstack/variables.tf index 12242f08b1..b7f639bd5f 100644 --- a/terraform/infrastructure/openstack/variables.tf +++ b/terraform/infrastructure/openstack/variables.tf 
@@ -71,3 +71,9 @@ variable "stackit_project_id" { type = string description = "STACKIT project ID." } + +variable "emergency_ssh" { + type = bool + default = false + description = "Wether to deploy a load balancer to connect to nodes via ssh." +} From 897662d76cf0fed92325f6160a5e93d5b3dff11c Mon Sep 17 00:00:00 2001 From: miampf Date: Thu, 2 Jan 2025 10:57:58 +0100 Subject: [PATCH 10/13] fix rebase by updating packages again --- image/mirror/SHA256SUMS | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/image/mirror/SHA256SUMS b/image/mirror/SHA256SUMS index 1238c5cac0..9ac5e158f8 100644 --- a/image/mirror/SHA256SUMS +++ b/image/mirror/SHA256SUMS 
@@ -80,12 +80,12 @@ c4cc69bf3a2655b9ee9ac23492d377bac57811c5b4f81fbf43537520ee33c7af gawk-all-langp 554a68e692ccdd0cf71ea67a4c550bac910685465f17eee503732d48ccda9c90 gettext-libs-0.22.5-4.fc40.x86_64.rpm 046971e9f5f0c88737854e1c9e02cce8f5854633575984b235cf3f8b11ec7b91 gettext-runtime-0.22.5-4.fc40.x86_64.rpm 0a32c6874ce180375c2c0b1e2f0c8fed38131a598e5c4ba3866cf3aee1f3f5fc glib2-2.80.3-1.fc40.x86_64.rpm -fa3fca50d3f8a89109443218fda069d6051a9acd9734213f424b0cd4baf907a9 glibc-2.39-32.fc40.i686.rpm -a0ada3273c02d2c5bb362e5c4227c2af42066257c93946af446be34abe68535b glibc-2.39-32.fc40.x86_64.rpm -4f16dbcaddad818777d4959456bbd39b705aa0460c4e3a7d00854006eb517e81 glibc-common-2.39-32.fc40.x86_64.rpm -98e2276a957fb2466e66754ed3ec963fd20fbb2dd8706fa089cd3e02aa86bb40 glibc-gconv-extra-2.39-32.fc40.i686.rpm -d7641656bc65f1a154211a8b6d46ff3f48c8f63a01dfcec719f966d17e1a06df glibc-gconv-extra-2.39-32.fc40.x86_64.rpm -8e11c9a11d2c327b62604ffca15e0dea590ec077b4c5185f798cf9db2cf96050 glibc-minimal-langpack-2.39-32.fc40.x86_64.rpm +4a0cc12fb936afe9bafa10e65a2382ceb5d3527dca31edf6f582730c06c6cbe3 glibc-2.39-33.fc40.i686.rpm +7e6ec3b69b313065f0552ba72636b49ae1504aa13a18e98899c6dfea64e81698 glibc-2.39-33.fc40.x86_64.rpm +61a7a7eed34433eb05a5ce2156ca3e85afe5b9f26bbf69e4acac77139b430068 glibc-common-2.39-33.fc40.x86_64.rpm +2e3c0ce27ffa93e3af48bab5a0e3e3903026b6cab09e4b12c1ca5e0454292da6 glibc-gconv-extra-2.39-33.fc40.i686.rpm +11b66a6b5a32492854bb51e6b58bc3b6a5a96ad0bdbe1a59c208786306053784 glibc-gconv-extra-2.39-33.fc40.x86_64.rpm +97833431611221385a39324253a72fb12a696dedf031c479455c5a8a637f56e7 glibc-minimal-langpack-2.39-33.fc40.x86_64.rpm b054d6a9ee3477e935686b327aa47379bd1909eac4ce06c4c45dff1a201ecb49 gmp-6.2.1-8.fc40.x86_64.rpm 0a8b1b3fb625e4d1864ad6726f583e2db5db7f10d9f3564b5916ca7fed1b71cb gnupg2-2.4.4-1.fc40.x86_64.rpm 4425dbd35ab65f25b092d12ac56c4b565371a1c52ac882c8896dbeae7d52bbb1 gnupg2-smime-2.4.4-1.fc40.x86_64.rpm 
@@ -220,8 +220,8 @@ b8add82e1794a5624bf6b6dbbc6ad96e542e6215dbdc96ab3dc1c547c70d3257 libxcrypt-4.4. fdc08da848ae56ce326ef900b6d2532c046bf7d4719e84d4be073bf58d623b47 libxcrypt-4.4.36-12.fc40.x86_64.rpm a17f9a8894a00ee97a42219b3b21d64bfb850d74059d89ae299210bc477e8967 libxkbcommon-1.6.0-2.fc40.i686.rpm 1f1d0c1e1132016735acc6fc3390102b35f9eb257244547c7b61c32a9c2314cc libxkbcommon-1.6.0-2.fc40.x86_64.rpm -302104acbc7b094958be4f764c14f738462fdb381fc38aac63e0e7eaedaa82a7 libxml2-2.12.8-1.fc40.i686.rpm -ed8d18570524445954dae5aff6239d9cc987cf8b3313fcd48c42f1b79b8eb247 libxml2-2.12.8-1.fc40.x86_64.rpm +db2c5422aeef81940a186b597df582b75a0f156e481262bef262f1b69ea1b799 libxml2-2.12.9-1.fc40.i686.rpm +1d33dae8642a772dc8fae5c8e2e81010d0536e8158f8fafb27e51fa1ee645df0 libxml2-2.12.9-1.fc40.x86_64.rpm cd866911efd52e3a70655df3da9d71ad2f4a326463aeaa381493a7547e14871d libzstd-1.5.6-1.fc40.i686.rpm bed3075b9ff919eded25cb45e9e03b8a7c63bcc8e893ec28c999aecaa68c51d3 libzstd-1.5.6-1.fc40.x86_64.rpm 81409455da42a5ffdcf5b8cc711632ce037fec25d5ae00cbfda5010c9db04157 lua-libs-5.4.6-5.fc40.x86_64.rpm @@ -243,7 +243,7 @@ c425cdd1d0889edb688809ccc2a35a96e67a7dedc119ad540ddd05f8a8997b5e netavark-1.13. 188ce5004e6ed764b4a619b64a4a0f36f1cc4fa919fe0a300599ff1171844144 nftables-1.0.9-3.fc40.x86_64.rpm 784e0fbc9ccb7087c10f4c41edbed13904f94244ff658f308614abe48cdf0d42 npth-1.7-1.fc40.x86_64.rpm f814bc09b50daaab468715088ec056373dbc209a5075306e4ce76f5c55eb2b42 nvme-cli-2.8-1.fc40.x86_64.rpm -b09089231ec94ee1b2dc26e34d8d7f19586d411bc40df7d0e495e559ac2d871a openldap-2.6.7-1.fc40.x86_64.rpm +deed5caa94b7590e42976c73944e882ac6be7ac94b87ea8d476a7dfe4e56c427 openldap-2.6.8-1.fc40.x86_64.rpm 7cc7617d495bdb6b5c06bef538068a53e7cec8209c674918fd30ac82fba95b11 openssh-9.6p1-1.fc40.4.x86_64.rpm a1142e22df88c6200a7378f20f6d92ec62908ac67aa3fbc223dba874bdf162ba openssh-server-9.6p1-1.fc40.4.x86_64.rpm 5df04d37e492e5f107cc21e547240f9f98b0b7613320467bc0b08f6aa1b0fb88 openssl-libs-3.2.2-3.fc40.i686.rpm 
@@ -276,10 +276,10 @@ c03ba1c46e0e2dda36e654941f307aaa0d6574ee5143d6fec6e9af2bdf3252a2 popt-1.19-6.fc
 af85755cda79959a19161ebc26a45e507003298bd97b472b9ab0d512afa5e46a protobuf-c-1.5.0-3.fc40.x86_64.rpm
 45ff2e9814aa059f323b23710c73309d41d36306667a3004f5fbb86b0cab4484 psmisc-23.6-6.fc40.x86_64.rpm
 cca50802d4f75306bc37126feb92db79fed44dcdabf76c1556853334995b9d3b publicsuffix-list-dafsa-20240107-3.fc40.noarch.rpm
-6d8342314daafde5c5ec4ec2935e74edb9bea107dc8cd72642e322444f264c7d python3-3.12.7-1.fc40.x86_64.rpm
-839d6dd1d8ac9b55f14b504eca5ac5e66b8330341608f7c9132cb29816116ecb python3-libs-3.12.7-1.fc40.x86_64.rpm
+5526220160d59c64689dd2c017a03a26a909c5c50f7973c8bf3750f8f39ca114 python3-3.12.8-2.fc40.x86_64.rpm
+0905050a05fce20538191ad45e61bca86d61877f58da47df1b59465d034a4ae6 python3-libs-3.12.8-2.fc40.x86_64.rpm
 7c703b431508f44c5184b5c1df052ed0f49b7439d68aa3597a9a57a5b26bd648 python-pip-wheel-23.3.2-2.fc40.noarch.rpm
-bcac955e69958e064669ed6e0a394bd9dd2c76e63f558a205ced18a9755012ab python-unversioned-command-3.12.7-1.fc40.noarch.rpm
+86e17167996c17798e116974f42e63dc2e0ac6bce1c10a47416d421c785a5ea4 python-unversioned-command-3.12.8-2.fc40.noarch.rpm
 d50b24d1a217e5201b4f8350945b7a3bc3fa01a61a8dd8d28e1b9512295238e1 qemu-user-static-8.2.8-2.fc40.x86_64.rpm
 11f752c50493eca8f6dddf3140c694d3db4bc808771eaba25978ea2c309b2196 qemu-user-static-aarch64-8.2.8-2.fc40.x86_64.rpm
 8598fde32ac72cafcc57f30edbfed1f920c58001dbeecb6932f4de8ce76091ba qemu-user-static-alpha-8.2.8-2.fc40.x86_64.rpm
@@ -340,10 +340,10 @@ c3be8a6d0ea23b1d0bf466b19857b97f7ffde811ad7adec0599161059d84cc74 tpm2-tss-4.1.3
 945aa536bc30050abc1870cef167cb944cf78d6628923476db43201a0054574b util-linux-2.40.2-1.fc40.x86_64.rpm
 7ec1b5df780c5a30f8e901179480125a6ea87f1f7bad3b69da7f4b351b88c3dd util-linux-core-2.40-0.9.rc1.fc40.x86_64.rpm
 b1aa4e816c01c08c18924865640f214f717cdfc66837e53a24b8edfb80a86f9d util-linux-core-2.40.2-1.fc40.x86_64.rpm
-fb78d7a38305025bf2a6f4876cd70ed5d2bd888b4a2df91e35f1426a57267e38 vim-common-9.1.906-1.fc40.x86_64.rpm
-f44d05b58d9def775f187b24468aa9e4d21647b6b4303ed92bc994db8d7db986 vim-data-9.1.906-1.fc40.noarch.rpm
-3d3ab14b5cd806eade3a5246fefe47b5acf440a1cea9d17c2591fbbdd24cc37a vim-enhanced-9.1.906-1.fc40.x86_64.rpm
-175abd5a9e2149da58a203208909681e717c1354050ae9bd71f408b04f5367b3 vim-filesystem-9.1.906-1.fc40.noarch.rpm
+51e57c8dd885fb8b00b5225e3aa6d037b74ff35cb5f3962d7622af4566e4386e vim-common-9.1.919-1.fc40.x86_64.rpm
+b00addd65b86713a3d5507c343cfc750ee9fe656130df464c109f9cd18aa7439 vim-data-9.1.919-1.fc40.noarch.rpm
+4eff285f016104291d5515cc103993ead80ba17bebd7b1f7814efb3565a30ea5 vim-enhanced-9.1.919-1.fc40.x86_64.rpm
+6642da315fd235087b3b4ee328b0264bc463536e900d6e01a93b70b96ef0d08e vim-filesystem-9.1.919-1.fc40.noarch.rpm
 37abef83e8927b4b48f69fcbdcc249d349c6029cc669401676d01f0ea326999e WALinuxAgent-udev-2.10.0.8-2.fc40.noarch.rpm
 5f4aef6a6f19712c142b3e592ff05bba03dee877a0a098df294d876063918805 wget2-2.2.0-1.fc40.x86_64.rpm
 a4119091a85b4aa4262a26f6ed2d6653de9b7c4def3636a2b0ad066436f29acd wget2-libs-2.2.0-1.fc40.x86_64.rpm
From 0f0af7acb36d018ac930984c731f3c396ca17efc Mon Sep 17 00:00:00 2001
From: miampf
Date: Thu, 2 Jan 2025 11:49:32 +0100
Subject: [PATCH 11/13] adjust `emergency_ssh` variable description
---
 terraform/infrastructure/aws/variables.tf | 2 +-
 terraform/infrastructure/azure/variables.tf | 2 +-
 terraform/infrastructure/gcp/variables.tf | 2 +-
 terraform/infrastructure/openstack/variables.tf | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/terraform/infrastructure/aws/variables.tf b/terraform/infrastructure/aws/variables.tf
index f9966a8b82..d55dedabb7 100644
--- a/terraform/infrastructure/aws/variables.tf
+++ b/terraform/infrastructure/aws/variables.tf
@@ -89,5 +89,5 @@ variable "additional_tags" {
 variable "emergency_ssh" {
 type = bool
 default = false
- description = "Wether to deploy a load balancer to connect to nodes via ssh."
+ description = "Wether to expose the SSH port through the public load balancer."
 }
diff --git a/terraform/infrastructure/azure/variables.tf b/terraform/infrastructure/azure/variables.tf
index e28558068e..64a02a35dd 100644
--- a/terraform/infrastructure/azure/variables.tf
+++ b/terraform/infrastructure/azure/variables.tf
@@ -105,5 +105,5 @@ variable "additional_tags" {
 variable "emergency_ssh" {
 type = bool
 default = false
- description = "Wether to deploy a load balancer to connect to nodes via ssh."
+ description = "Wether to expose the SSH port through the public load balancer."
 }
diff --git a/terraform/infrastructure/gcp/variables.tf b/terraform/infrastructure/gcp/variables.tf
index dd328485c0..b62b975db9 100644
--- a/terraform/infrastructure/gcp/variables.tf
+++ b/terraform/infrastructure/gcp/variables.tf
@@ -79,5 +79,5 @@ variable "additional_labels" {
 variable "emergency_ssh" {
 type = bool
 default = false
- description = "Wether to deploy a load balancer to connect to nodes via ssh."
+ description = "Wether to expose the SSH port through the public load balancer."
 }
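Review bot: The rewritten description in every `emergency_ssh` variable (aws, azure and gcp here, openstack in the next file) still carries the misspelling `Wether`; since the line is being touched anyway, make it `description = "Whether to expose the SSH port through the public load balancer."`. The sentence would also serve operators better if it named the consequence of flipping the flag, presumably that sshd on the nodes becomes reachable from outside the private network, and that it is meant for emergency access only, since the variable name alone does not convey that. Each `variable` block starts and ends inside its hunk.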
diff --git a/terraform/infrastructure/openstack/variables.tf b/terraform/infrastructure/openstack/variables.tf
index b7f639bd5f..3afa8c97a3 100644
--- a/terraform/infrastructure/openstack/variables.tf
+++ b/terraform/infrastructure/openstack/variables.tf
@@ -75,5 +75,5 @@ variable "stackit_project_id" {
 variable "emergency_ssh" {
 type = bool
 default = false
- description = "Wether to deploy a load balancer to connect to nodes via ssh."
+ description = "Wether to expose the SSH port through the public load balancer."
 }
From 28da57ce74f227bfac9055b734687c99c968fb34 Mon Sep 17 00:00:00 2001
From: miampf
Date: Thu, 2 Jan 2025 11:56:14 +0100
Subject: [PATCH 12/13] ProxyJump for hosts outside of 10.* range removed unnecessary values for proxy host
---
 terraform/infrastructure/azure/main.tf | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/terraform/infrastructure/azure/main.tf b/terraform/infrastructure/azure/main.tf
index 565e248468..246737e407 100644
--- a/terraform/infrastructure/azure/main.tf
+++ b/terraform/infrastructure/azure/main.tf
@@ -302,16 +302,13 @@ resource "local_file" "ssh_config" { filename = "./ssh_config" file_permission = "0600" content = < Date: Thu, 2 Jan 2025 14:36:41 +0100 Subject: [PATCH 13/13] use `/run/ssh` subdir + harden openssh config a bit
---
 .../usr/lib/systemd/system/create-host-ssh-key.service | 2 +-
 image/sysroot-tree/etc/ssh/sshd_config | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service b/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
index b34d802db6..f1ed3e3416 100644
--- a/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
+++ b/image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service
@@ -4,7 +4,7 @@ Before=sshd.service
 [Service]
 Type=oneshot
-ExecStart=/bin/bash -c "ssh-keygen -t ecdsa -q -N '' -f /run/ssh_host_ecdsa_key"
+ExecStart=/bin/bash -c "mkdir -p /run/ssh; ssh-keygen -t ecdsa -q -N '' -f /run/ssh/ssh_host_ecdsa_key"
 [Install]
 WantedBy=multi-user.target
diff --git a/image/sysroot-tree/etc/ssh/sshd_config b/image/sysroot-tree/etc/ssh/sshd_config
index 2b1060c4a0..507c3cde51 100644
--- a/image/sysroot-tree/etc/ssh/sshd_config
+++ b/image/sysroot-tree/etc/ssh/sshd_config
@@ -1,3 +1,5 @@
-HostKey /run/ssh_host_ecdsa_key
-TrustedUserCAKeys /run/ssh_ca.pub
+HostKey /run/ssh/ssh_host_ecdsa_key
+TrustedUserCAKeys /run/ssh/ssh_ca.pub
 PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthorizedKeysFile /dev/null
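Review bot: The `mkdir -p /run/ssh` folded into the new ExecStart is what systemd offers natively as `RuntimeDirectory=ssh`; pairing it with `RuntimeDirectoryPreserve=yes` (the default removes the directory once the oneshot exits) lets the `bash -c` wrapper go, leaving `ExecStart=/usr/bin/ssh-keygen -t ecdsa -q -N '' -f /run/ssh/ssh_host_ecdsa_key` (path as shipped by the Fedora openssh package pinned in the mirror). As written the unit is not idempotent: if it is started again while the key file already exists, ssh-keygen prompts whether to overwrite and, with no stdin to answer, exits non-zero as far as I can tell, so `ConditionPathExists=!/run/ssh/ssh_host_ecdsa_key` in `[Unit]` would make a re-run a harmless no-op. A short comment at the top of the unit stating that the host key is presumably meant to be ephemeral (regenerated into tmpfs on every boot, so clients cannot pin it across reboots) and naming what writes the sibling `/run/ssh/ssh_ca.pub` that sshd_config references would spare the next reader the reconstruction. The `[Unit]` section of this file lies outside the hunk.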
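Review bot: `ChallengeResponseAuthentication` has been a deprecated alias for `KbdInteractiveAuthentication` since OpenSSH 8.7, and the mirror pins openssh-server 9.6p1, so the added line should read `KbdInteractiveAuthentication no`. `AuthorizedKeysFile /dev/null` works, but `AuthorizedKeysFile none` is the documented way to disable file-based keys and reads as intent rather than as a trick. Because `TrustedUserCAKeys` is used without an `AuthorizedPrincipalsFile`, sshd accepts a certificate only when one of its principals equals the login user name; that contract, plus who provisions `/run/ssh/ssh_ca.pub`, deserves a leading comment in this file, and `AuthenticationMethods publickey` would make the certificate-only policy explicit instead of relying on the compiled-in defaults of the remaining methods. This hunk covers the whole five-line file.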