feat: implement RFC 16 to allow emergency node access

flake.nix

@@ -11,10 +11,10 @@
   };
 
   outputs =
-    {
-      self,
-      nixpkgsUnstable,
-      flake-utils,
+    { self
+    , nixpkgsUnstable
+    , flake-utils
+    ,
     }:
     flake-utils.lib.eachDefaultSystem (
       system:

image/base/mkosi.conf

@@ -41,6 +41,7 @@ Packages=containerd
 # Network
 Packages=iproute
          dbus
+         openssh-server
          systemd-networkd
          systemd-resolved
 

image/base/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset

@@ -10,3 +10,4 @@ enable measurements.service
 enable export_constellation_debug.service
 enable systemd-timesyncd
 enable udev-trigger.service
+enable create-host-ssh-key.service

image/base/mkosi.skeleton/usr/lib/systemd/system/create-host-ssh-key.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Create a host SSH key
+Before=sshd.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash -c "ssh-keygen -t ecdsa -q -N '' -f /run/ssh_host_ecdsa_key"
+
+[Install]
+WantedBy=multi-user.target

image/mirror/SHA256SUMS

@@ -1,4 +1,3 @@
-37abef83e8927b4b48f69fcbdcc249d349c6029cc669401676d01f0ea326999e  WALinuxAgent-udev-2.10.0.8-2.fc40.noarch.rpm
 8f9c8c8be1df166f4285824580c9f6588864c167c8a2d51a6c4621d1ea3f8fde  aardvark-dns-1.13.1-1.fc40.x86_64.rpm
 ac860c52abbc65af5835d1bd97400c531a5635d39bc1d68e36a1fe54863385ea  alternatives-1.27-1.fc40.x86_64.rpm
 6d0cfcd0e97421b42af58a824c7e99a6cbcdd0e81980b4ea9e0d4051ef723db3  audit-libs-4.0.2-1.fc40.i686.rpm
@@ -15,11 +14,11 @@ db18a583ebde21d8b0b67f0306e25908b273bef9c532469ac0b7ab92578438f4  authselect-lib
 5935816e8d377d0385e5287ca12e4d3b43e3c3cdc9cc4deafa653a6dba78611a  composefs-libs-1.0.6-1.fc40.x86_64.rpm
 db246f6445469b5a71e965a081685471768393cf04181e7250ce0ddcb8a9c3d4  conmon-2.1.12-2.fc40.x86_64.rpm
 adf4b75cdd9fae9d2d37fb71d9f0bf625a6705c0f0a7784569ab21463fe22152  conntrack-tools-1.4.7-7.fc40.x86_64.rpm
-621302b0ea9cdd73d5eea4d30935cb415143df1649cd8e92424e967ea98fc34d  container-selinux-2.234.2-1.fc40.noarch.rpm
 bbe29e0c7b4ca076d50b4ac3954eb383459230d96b13f353ee71ebd5de33b6d1  containerd-1.6.23-5.fc40.x86_64.rpm
 0705251ea64b1558098016b2120f202c5aba77470093cb8f89ce6adb2a0b46b6  containernetworking-plugins-1.5.1-1.fc40.x86_64.rpm
 3e35525e9224d3427f10343c98036b251fac34bf67c9007335561d846736d0d5  containers-common-0.61.0-1.fc40.noarch.rpm
 b0740195d12d356e5637b83ece8650fc3f764f37e734678a07cb637fb14faf7d  containers-common-extra-0.61.0-1.fc40.noarch.rpm
+621302b0ea9cdd73d5eea4d30935cb415143df1649cd8e92424e967ea98fc34d  container-selinux-2.234.2-1.fc40.noarch.rpm
 299d3e7e1cbc110d9ae8a47f6ca95142c3e3783cb1464bfbd6bc550c414b97ec  coreutils-single-9.4-9.fc40.x86_64.rpm
 d941a78ffb6e2e0b4c24d0097d0351ced8796edde90208b4bddee459bce0a949  cpio-2.15-1.fc40.x86_64.rpm
 faa23cb6a7a612c0a6e874c788c5add967c5e193bd38c2e6093b82b38a162f81  cracklib-2.9.11-5.fc40.i686.rpm
@@ -68,11 +67,11 @@ a6f2098fc2ed16df92c9325bd7459cc41479e17306a4f9cddfd5df8a1b80d0f8  file-5.45-4.fc
 f76684ee78408660db83ab9932978a1346b280f4210cd744524b00b2e5891fe1  file-libs-5.45-4.fc40.x86_64.rpm
 063af3db3808bea0d5c07dbb2d8369b275e1d05ad0850c80a8fec0413f47cd64  filesystem-3.18-8.fc40.x86_64.rpm
 21725de2a93e1ea19f8d298e32a2428a3a08b9c98f22561cc778a807ed43639f  findutils-4.9.0-9.fc40.x86_64.rpm
+2d6631d65e3b5c91afdb100a51ee8e50294f0e074a944c1662008d878d47456e  fuse3-3.16.2-3.fc40.x86_64.rpm
+a9c6502a5b190aaf169e93afd337c009e0b2e235e31f3da23d29c7d063ad2ff9  fuse3-libs-3.16.2-3.fc40.x86_64.rpm
 f4c2d51c7b4577f7b7ef498f8e2afb1b007da2de00cca28e220f50129c40a48c  fuse-common-3.16.2-3.fc40.x86_64.rpm
 f94315e447afb7442033b7b82e43a4ed62754f603afda53930280300855e46c7  fuse-libs-2.9.9-21.fc40.x86_64.rpm
 8fe84b7e0319afcc9c9eb28130b74e0cd7c675667a6ce075eb7ee2ec1b0014c2  fuse-overlayfs-1.13-1.fc40.x86_64.rpm
-2d6631d65e3b5c91afdb100a51ee8e50294f0e074a944c1662008d878d47456e  fuse3-3.16.2-3.fc40.x86_64.rpm
-a9c6502a5b190aaf169e93afd337c009e0b2e235e31f3da23d29c7d063ad2ff9  fuse3-libs-3.16.2-3.fc40.x86_64.rpm
 6c80dfdaf7b27ea92c1276856b8b2ae5fde1ae5c391b773805be725515fdc1ac  gawk-5.3.0-3.fc40.x86_64.rpm
 c4cc69bf3a2655b9ee9ac23492d377bac57811c5b4f81fbf43537520ee33c7af  gawk-all-langpacks-5.3.0-3.fc40.x86_64.rpm
 21470eb4ec55006c9efeee84c97772462008fceda1ab332e58d2caddfdaa0d1e  gdbm-1.23-6.fc40.x86_64.rpm
@@ -81,12 +80,12 @@ c4cc69bf3a2655b9ee9ac23492d377bac57811c5b4f81fbf43537520ee33c7af  gawk-all-langp
 554a68e692ccdd0cf71ea67a4c550bac910685465f17eee503732d48ccda9c90  gettext-libs-0.22.5-4.fc40.x86_64.rpm
 046971e9f5f0c88737854e1c9e02cce8f5854633575984b235cf3f8b11ec7b91  gettext-runtime-0.22.5-4.fc40.x86_64.rpm
 0a32c6874ce180375c2c0b1e2f0c8fed38131a598e5c4ba3866cf3aee1f3f5fc  glib2-2.80.3-1.fc40.x86_64.rpm
-fa3fca50d3f8a89109443218fda069d6051a9acd9734213f424b0cd4baf907a9  glibc-2.39-32.fc40.i686.rpm
-a0ada3273c02d2c5bb362e5c4227c2af42066257c93946af446be34abe68535b  glibc-2.39-32.fc40.x86_64.rpm
-4f16dbcaddad818777d4959456bbd39b705aa0460c4e3a7d00854006eb517e81  glibc-common-2.39-32.fc40.x86_64.rpm
-98e2276a957fb2466e66754ed3ec963fd20fbb2dd8706fa089cd3e02aa86bb40  glibc-gconv-extra-2.39-32.fc40.i686.rpm
-d7641656bc65f1a154211a8b6d46ff3f48c8f63a01dfcec719f966d17e1a06df  glibc-gconv-extra-2.39-32.fc40.x86_64.rpm
-8e11c9a11d2c327b62604ffca15e0dea590ec077b4c5185f798cf9db2cf96050  glibc-minimal-langpack-2.39-32.fc40.x86_64.rpm
+4a0cc12fb936afe9bafa10e65a2382ceb5d3527dca31edf6f582730c06c6cbe3  glibc-2.39-33.fc40.i686.rpm
+7e6ec3b69b313065f0552ba72636b49ae1504aa13a18e98899c6dfea64e81698  glibc-2.39-33.fc40.x86_64.rpm
+61a7a7eed34433eb05a5ce2156ca3e85afe5b9f26bbf69e4acac77139b430068  glibc-common-2.39-33.fc40.x86_64.rpm
+2e3c0ce27ffa93e3af48bab5a0e3e3903026b6cab09e4b12c1ca5e0454292da6  glibc-gconv-extra-2.39-33.fc40.i686.rpm
+11b66a6b5a32492854bb51e6b58bc3b6a5a96ad0bdbe1a59c208786306053784  glibc-gconv-extra-2.39-33.fc40.x86_64.rpm
+97833431611221385a39324253a72fb12a696dedf031c479455c5a8a637f56e7  glibc-minimal-langpack-2.39-33.fc40.x86_64.rpm
 b054d6a9ee3477e935686b327aa47379bd1909eac4ce06c4c45dff1a201ecb49  gmp-6.2.1-8.fc40.x86_64.rpm
 0a8b1b3fb625e4d1864ad6726f583e2db5db7f10d9f3564b5916ca7fed1b71cb  gnupg2-2.4.4-1.fc40.x86_64.rpm
 4425dbd35ab65f25b092d12ac56c4b565371a1c52ac882c8896dbeae7d52bbb1  gnupg2-smime-2.4.4-1.fc40.x86_64.rpm
@@ -221,8 +220,8 @@ b8add82e1794a5624bf6b6dbbc6ad96e542e6215dbdc96ab3dc1c547c70d3257  libxcrypt-4.4.
 fdc08da848ae56ce326ef900b6d2532c046bf7d4719e84d4be073bf58d623b47  libxcrypt-4.4.36-12.fc40.x86_64.rpm
 a17f9a8894a00ee97a42219b3b21d64bfb850d74059d89ae299210bc477e8967  libxkbcommon-1.6.0-2.fc40.i686.rpm
 1f1d0c1e1132016735acc6fc3390102b35f9eb257244547c7b61c32a9c2314cc  libxkbcommon-1.6.0-2.fc40.x86_64.rpm
-302104acbc7b094958be4f764c14f738462fdb381fc38aac63e0e7eaedaa82a7  libxml2-2.12.8-1.fc40.i686.rpm
-ed8d18570524445954dae5aff6239d9cc987cf8b3313fcd48c42f1b79b8eb247  libxml2-2.12.8-1.fc40.x86_64.rpm
+db2c5422aeef81940a186b597df582b75a0f156e481262bef262f1b69ea1b799  libxml2-2.12.9-1.fc40.i686.rpm
+1d33dae8642a772dc8fae5c8e2e81010d0536e8158f8fafb27e51fa1ee645df0  libxml2-2.12.9-1.fc40.x86_64.rpm
 cd866911efd52e3a70655df3da9d71ad2f4a326463aeaa381493a7547e14871d  libzstd-1.5.6-1.fc40.i686.rpm
 bed3075b9ff919eded25cb45e9e03b8a7c63bcc8e893ec28c999aecaa68c51d3  libzstd-1.5.6-1.fc40.x86_64.rpm
 81409455da42a5ffdcf5b8cc711632ce037fec25d5ae00cbfda5010c9db04157  lua-libs-5.4.6-5.fc40.x86_64.rpm
@@ -245,6 +244,8 @@ c425cdd1d0889edb688809ccc2a35a96e67a7dedc119ad540ddd05f8a8997b5e  netavark-1.13.
 784e0fbc9ccb7087c10f4c41edbed13904f94244ff658f308614abe48cdf0d42  npth-1.7-1.fc40.x86_64.rpm
 f814bc09b50daaab468715088ec056373dbc209a5075306e4ce76f5c55eb2b42  nvme-cli-2.8-1.fc40.x86_64.rpm
 deed5caa94b7590e42976c73944e882ac6be7ac94b87ea8d476a7dfe4e56c427  openldap-2.6.8-1.fc40.x86_64.rpm
+7cc7617d495bdb6b5c06bef538068a53e7cec8209c674918fd30ac82fba95b11  openssh-9.6p1-1.fc40.4.x86_64.rpm
+a1142e22df88c6200a7378f20f6d92ec62908ac67aa3fbc223dba874bdf162ba  openssh-server-9.6p1-1.fc40.4.x86_64.rpm
 5df04d37e492e5f107cc21e547240f9f98b0b7613320467bc0b08f6aa1b0fb88  openssl-libs-3.2.2-3.fc40.i686.rpm
 e9fca52d76eb6277b9fec3238226faafc0938806318fad1143a527fdd28a16cf  openssl-libs-3.2.2-3.fc40.x86_64.rpm
 9f0336deb6f1b1524ec48d837622e7e2291995369b0356d7ad1e1d427f3b659a  os-prober-1.81-6.fc40.x86_64.rpm
@@ -275,10 +276,10 @@ c03ba1c46e0e2dda36e654941f307aaa0d6574ee5143d6fec6e9af2bdf3252a2  popt-1.19-6.fc
 af85755cda79959a19161ebc26a45e507003298bd97b472b9ab0d512afa5e46a  protobuf-c-1.5.0-3.fc40.x86_64.rpm
 45ff2e9814aa059f323b23710c73309d41d36306667a3004f5fbb86b0cab4484  psmisc-23.6-6.fc40.x86_64.rpm
 cca50802d4f75306bc37126feb92db79fed44dcdabf76c1556853334995b9d3b  publicsuffix-list-dafsa-20240107-3.fc40.noarch.rpm
-7c703b431508f44c5184b5c1df052ed0f49b7439d68aa3597a9a57a5b26bd648  python-pip-wheel-23.3.2-2.fc40.noarch.rpm
-86e17167996c17798e116974f42e63dc2e0ac6bce1c10a47416d421c785a5ea4  python-unversioned-command-3.12.8-2.fc40.noarch.rpm
 5526220160d59c64689dd2c017a03a26a909c5c50f7973c8bf3750f8f39ca114  python3-3.12.8-2.fc40.x86_64.rpm
 0905050a05fce20538191ad45e61bca86d61877f58da47df1b59465d034a4ae6  python3-libs-3.12.8-2.fc40.x86_64.rpm
+7c703b431508f44c5184b5c1df052ed0f49b7439d68aa3597a9a57a5b26bd648  python-pip-wheel-23.3.2-2.fc40.noarch.rpm
+86e17167996c17798e116974f42e63dc2e0ac6bce1c10a47416d421c785a5ea4  python-unversioned-command-3.12.8-2.fc40.noarch.rpm
 d50b24d1a217e5201b4f8350945b7a3bc3fa01a61a8dd8d28e1b9512295238e1  qemu-user-static-8.2.8-2.fc40.x86_64.rpm
 11f752c50493eca8f6dddf3140c694d3db4bc808771eaba25978ea2c309b2196  qemu-user-static-aarch64-8.2.8-2.fc40.x86_64.rpm
 8598fde32ac72cafcc57f30edbfed1f920c58001dbeecb6932f4de8ce76091ba  qemu-user-static-alpha-8.2.8-2.fc40.x86_64.rpm
@@ -343,6 +344,7 @@ b1aa4e816c01c08c18924865640f214f717cdfc66837e53a24b8edfb80a86f9d  util-linux-cor
 b00addd65b86713a3d5507c343cfc750ee9fe656130df464c109f9cd18aa7439  vim-data-9.1.919-1.fc40.noarch.rpm
 4eff285f016104291d5515cc103993ead80ba17bebd7b1f7814efb3565a30ea5  vim-enhanced-9.1.919-1.fc40.x86_64.rpm
 6642da315fd235087b3b4ee328b0264bc463536e900d6e01a93b70b96ef0d08e  vim-filesystem-9.1.919-1.fc40.noarch.rpm
+37abef83e8927b4b48f69fcbdcc249d349c6029cc669401676d01f0ea326999e  WALinuxAgent-udev-2.10.0.8-2.fc40.noarch.rpm
 5f4aef6a6f19712c142b3e592ff05bba03dee877a0a098df294d876063918805  wget2-2.2.0-1.fc40.x86_64.rpm
 a4119091a85b4aa4262a26f6ed2d6653de9b7c4def3636a2b0ad066436f29acd  wget2-libs-2.2.0-1.fc40.x86_64.rpm
 4948040a53814b1b4b76f6ec9d64ec21f3f2d1196a0a1c5b117f91fa58a267b1  wget2-wget-2.2.0-1.fc40.x86_64.rpm

image/mirror/packages.txt

@@ -19,6 +19,7 @@ mokutil
 nano
 nano-default-editor
 nvme-cli
+openssh-server
 passt-selinux
 passwd
 podman

image/sysroot-tree/etc/ssh/sshd_config

@@ -0,0 +1,3 @@
+HostKey /run/ssh_host_ecdsa_key
+TrustedUserCAKeys /run/ssh_ca.pub
+PasswordAuthentication no

terraform/infrastructure/aws/main.tf

@@ -29,6 +29,7 @@ locals {
     { name = "recovery", port = "9999", health_check = "TCP" },
     { name = "join", port = "30090", health_check = "TCP" },
     var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [],
+    var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [],
   ])
   target_group_arns = {
     control-plane : [

terraform/infrastructure/aws/variables.tf

@@ -85,3 +85,9 @@ variable "additional_tags" {
   default     = {}
   description = "Additional tags that should be applied to created resources."
 }
+
+variable "emergency_ssh" {
+  type        = bool
+  default     = false
+  description = "Wether to deploy a load balancer to connect to nodes via ssh."
+}

terraform/infrastructure/azure/main.tf

@@ -40,6 +40,7 @@ locals {
     { name = "recovery", port = "9999", health_check_protocol = "Tcp", path = null, priority = 104 },
     { name = "join", port = "30090", health_check_protocol = "Tcp", path = null, priority = 105 },
     var.debug ? [{ name = "debugd", port = "4000", health_check_protocol = "Tcp", path = null, priority = 106 }] : [],
+    var.emergency_ssh ? [{ name = "ssh", port = "22", health_check_protocol = "Tcp", path = null, priority = 107 }] : [],
   ])
   // wildcard_lb_dns_name is the DNS name of the load balancer with a wildcard for the name.
   // example: given "name-1234567890.location.cloudapp.azure.com" it will return "*.location.cloudapp.azure.com"
@@ -295,3 +296,22 @@ data "azurerm_user_assigned_identity" "uaid" {
   name                = local.uai_name
   resource_group_name = local.uai_resource_group
 }
+
+# emergency ssh configuration files
+resource "local_file" "ssh_config" {
+  filename        = "./ssh_config"
+  file_permission = "0600"
+  content         = <<EOF
+Host proxy
+  HostName ${azurerm_public_ip.loadbalancer_ip[0].fqdn}
+  PreferredAuthentications publickey
+  IdentityFile ./emergency_ssh_key
+  User root
+
+Host 10.*
+  PreferredAuthentications publickey
+  IdentityFile ./emergency_ssh_key
+  User root
+  ProxyJump proxy
+EOF
+}

terraform/infrastructure/azure/variables.tf

@@ -101,3 +101,9 @@ variable "additional_tags" {
   default     = {}
   description = "Additional tags that should be applied to created resources."
 }
+
+variable "emergency_ssh" {
+  type        = bool
+  default     = false
+  description = "Wether to deploy a load balancer to connect to nodes via ssh."
+}

terraform/infrastructure/gcp/main.tf

@@ -40,6 +40,7 @@ locals {
     { name = "recovery", port = "9999", health_check = "TCP" },
     { name = "join", port = "30090", health_check = "TCP" },
     var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [],
+    var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [],
   ])
   node_groups_by_role = {
     for name, node_group in var.node_groups : node_group.role => name...

terraform/infrastructure/gcp/variables.tf

@@ -75,3 +75,9 @@ variable "additional_labels" {
   default     = {}
   description = "Additional labels that should be given to created recources."
 }
+
+variable "emergency_ssh" {
+  type        = bool
+  default     = false
+  description = "Wether to deploy a load balancer to connect to nodes via ssh."
+}

terraform/infrastructure/openstack/main.tf

@@ -43,6 +43,7 @@ locals {
     { name = "recovery", port = "9999", health_check = "TCP" },
     { name = "join", port = "30090", health_check = "TCP" },
     var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [],
+    var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [],
   ])
   cidr_vpc_subnet_nodes = "192.168.178.0/24"
   cidr_vpc_subnet_lbs   = "192.168.177.0/24"

terraform/infrastructure/openstack/variables.tf

@@ -71,3 +71,9 @@ variable "stackit_project_id" {
   type        = string
   description = "STACKIT project ID."
 }
+
+variable "emergency_ssh" {
+  type        = bool
+  default     = false
+  description = "Wether to deploy a load balancer to connect to nodes via ssh."
+}