lakitu: Fix ssh hostkey verification error
This CL fixes the error by including the following changes:
1. Include a patch to write hostkeys to the stateful partition.
Currently, the sshd fetches hostkeys from /mnt/stateful_partition/etc/ssh,
however the guest agent daemon generates and writes ssh hostkeys to /etc/ssh.
We need the guest agent to write ssh hostkeys to the stateful_partition
if we want to support publishing of hostkeys to instance metadata.
2. Modify fix-systemd-units-dependencies patch to have sshd.service
block on google-instance-setup.service. sshd.service currently has a
script which runs before sshd.service is launched which generates hostkeys
to the stateful partition. Since we need to use the hostkeys that
google-instance-setup.service is generating, we will need sshd.service
to run after google-instance-setup.service.
BUG=b:147559155
TEST=cos_tryjob
RELEASE_NOTE=Fix ssh hostkey verification error
Change-Id: I9b3a3afef7b8eb5b739ad6126a7983423ab7b090
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/overlays/board-overlays/+/2063380
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Reviewed-by: Dexter Rivera <riverade@chromium.org>
Commit-Queue: Dexter Rivera <riverade@chromium.org>
Tested-by: Dexter Rivera <riverade@chromium.org>
(cherry picked from commit 8a80b6d7a4e99d55c1d1ec324baf02404e982d32)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/overlays/board-overlays/+/2071061
diff --git a/overlay-lakitu/app-admin/compute-image-packages/compute-image-packages-20190801-r2.ebuild b/overlay-lakitu/app-admin/compute-image-packages/compute-image-packages-20190801-r3.ebuild
similarity index 100%
rename from overlay-lakitu/app-admin/compute-image-packages/compute-image-packages-20190801-r2.ebuild
rename to overlay-lakitu/app-admin/compute-image-packages/compute-image-packages-20190801-r3.ebuild
diff --git a/overlay-lakitu/app-admin/compute-image-packages/compute-image-packages-20190801.ebuild b/overlay-lakitu/app-admin/compute-image-packages/compute-image-packages-20190801.ebuild
index fe82b7f..33a4b3f 100644
--- a/overlay-lakitu/app-admin/compute-image-packages/compute-image-packages-20190801.ebuild
+++ b/overlay-lakitu/app-admin/compute-image-packages/compute-image-packages-20190801.ebuild
@@ -39,7 +39,8 @@
epatch "${FILESDIR}/20190304-homedir-uid-fix.patch"
epatch "${FILESDIR}/20190801-no-boto.patch"
epatch "${FILESDIR}/20190801-fix-systemd-units-dependencies.patch"
- popd
+ epatch "${FILESDIR}/20190801-write-hostkeys-to-stateful-partition.patch"
+ popd || return
distutils-r1_python_prepare_all
}
@@ -62,7 +63,7 @@
# Backports the get-metadata-value script from older version of this
# package (1.3.3).
exeinto /usr/share/google/
- newexe ${FILESDIR}/1.3.3-get_metadata_value get_metadata_value
+ newexe "${FILESDIR}/1.3.3-get_metadata_value" get_metadata_value
# Install distro specific default configuration.
insinto /etc/default/
diff --git a/overlay-lakitu/app-admin/compute-image-packages/files/20190801-fix-systemd-units-dependencies.patch b/overlay-lakitu/app-admin/compute-image-packages/files/20190801-fix-systemd-units-dependencies.patch
index 6e2b49c..4adfa49 100644
--- a/overlay-lakitu/app-admin/compute-image-packages/files/20190801-fix-systemd-units-dependencies.patch
+++ b/overlay-lakitu/app-admin/compute-image-packages/files/20190801-fix-systemd-units-dependencies.patch
@@ -1,30 +1,14 @@
-From f87b65f54e2a01a0be5e723289419b06870a8faf Mon Sep 17 00:00:00 2001
-From: Daniel Wang <wonderfly@google.com>
-Date: Wed, 28 Aug 2019 13:24:20 -0700
+From c3703674dc73b19cabd9388c828931dc52b13232 Mon Sep 17 00:00:00 2001
+From: Dexter Rivera <riverade@google.com>
+Date: Wed, 19 Feb 2020 13:45:23 -0800
Subject: [PATCH] Fix systemd units dependencies
-The unit definitions from upstream don't work for COS very well.
---
- .../src/lib/systemd/system/google-instance-setup.service | 4 ++--
- .../src/lib/systemd/system/google-network-daemon.service | 3 ++-
- .../src/lib/systemd/system/google-shutdown-scripts.service | 3 ++-
- .../src/lib/systemd/system/google-startup-scripts.service | 3 ++-
- 4 files changed, 8 insertions(+), 5 deletions(-)
+ .../src/lib/systemd/system/google-network-daemon.service | 3 ++-
+ .../src/lib/systemd/system/google-shutdown-scripts.service | 3 ++-
+ .../src/lib/systemd/system/google-startup-scripts.service | 3 ++-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
-diff --git a/packages/google-compute-engine/src/lib/systemd/system/google-instance-setup.service b/packages/google-compute-engine/src/lib/systemd/system/google-instance-setup.service
-index ee987b2..5069b41 100644
---- a/packages/google-compute-engine/src/lib/systemd/system/google-instance-setup.service
-+++ b/packages/google-compute-engine/src/lib/systemd/system/google-instance-setup.service
-@@ -1,7 +1,7 @@
- [Unit]
- Description=Google Compute Engine Instance Setup
--After=network-online.target network.target rsyslog.service
--Before=sshd.service
-+After=network-online.target
-+Wants=network-online.target
-
- [Service]
- Type=oneshot
diff --git a/packages/google-compute-engine/src/lib/systemd/system/google-network-daemon.service b/packages/google-compute-engine/src/lib/systemd/system/google-network-daemon.service
index 71745d4..b4dd4bc 100644
--- a/packages/google-compute-engine/src/lib/systemd/system/google-network-daemon.service
@@ -68,5 +52,5 @@
[Service]
ExecStart=/usr/bin/google_metadata_script_runner --script-type startup
--
-2.23.0.187.g17f5b7556c-goog
+2.25.0.265.gbab2e86ba0-goog
diff --git a/overlay-lakitu/app-admin/compute-image-packages/files/20190801-write-hostkeys-to-stateful-partition.patch b/overlay-lakitu/app-admin/compute-image-packages/files/20190801-write-hostkeys-to-stateful-partition.patch
new file mode 100644
index 0000000..844449f
--- /dev/null
+++ b/overlay-lakitu/app-admin/compute-image-packages/files/20190801-write-hostkeys-to-stateful-partition.patch
@@ -0,0 +1,50 @@
+From 41a305c3b87e959db833afa4a4c7643cd1600106 Mon Sep 17 00:00:00 2001
+From: Dexter Rivera <riverade@google.com>
+Date: Fri, 21 Feb 2020 16:31:52 -0800
+Subject: [PATCH] Write keys to the stateful partition
+
+---
+ .../instance_setup/instance_setup.py | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/packages/python-google-compute-engine/google_compute_engine/instance_setup/instance_setup.py b/packages/python-google-compute-engine/google_compute_engine/instance_setup/instance_setup.py
+index cb1a2a6..42c242f 100755
+--- a/packages/python-google-compute-engine/google_compute_engine/instance_setup/instance_setup.py
++++ b/packages/python-google-compute-engine/google_compute_engine/instance_setup/instance_setup.py
+@@ -207,11 +207,19 @@ class InstanceSetup(object):
+ """
+ section = 'Instance'
+ instance_id = self._GetInstanceId()
+- if instance_id != self.instance_config.GetOptionString(
+- section, 'instance_id'):
++ prev_instance_id = None
++
++ instance_id_file = '/mnt/stateful_partition/.instance_id'
++ if os.path.isfile(instance_id_file):
++ with open(instance_id_file, 'rb') as f:
++ prev_instance_id = f.read().strip()
++
++ if not prev_instance_id or prev_instance_id != instance_id:
+ self.logger.info('Generating SSH host keys for instance %s.', instance_id)
+ file_regex = re.compile(r'ssh_host_(?P<type>[a-z0-9]*)_key\Z')
+- key_dir = '/etc/ssh'
++ key_dir = '/mnt/stateful_partition/etc/ssh'
++ if not os.path.isdir(key_dir):
++ os.makedirs(key_dir)
+ key_files = [f for f in os.listdir(key_dir) if file_regex.match(f)]
+ key_types = host_key_types.split(',') if host_key_types else []
+ key_types_files = ['ssh_host_%s_key' % key_type for key_type in key_types]
+@@ -224,6 +232,10 @@ class InstanceSetup(object):
+ self._StartSshd()
+ self.instance_config.SetOption(section, 'instance_id', str(instance_id))
+
++ # Write the instance_id to the stateful partition
++ with open(instance_id_file, 'wb') as f:
++ f.write(instance_id)
++
+ def _GetNumericProjectId(self):
+ """Get the numeric project ID.
+
+--
+2.25.0.265.gbab2e86ba0-goog
+
