customization: sshkeys #1277

Closed

@supakeen (Member) commented Mar 1, 2025

On Matrix it was figured out that our documented SSHKey customization doesn't work. After taking a look it seems like it wasn't actually ever plumbed through...

Since we've documented it I assume we want to support it so here's an initial PR that does just that. This PR would close osbuild/image-builder-cli#142

After this PR the stages get injected to create files and directories:

```
$ cat sshkey.toml 
[[customizations.sshkey]]
user = "testuser"
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNh/u8oWHfYwr01X8G8ijSC3hPfKfLpK8MISxg2mq1O [email protected]"
$ ./image-builder manifest --distro fedora-43 --blueprint sshkey.toml minimal-raw-zst | jq . | rg testuser
                "path": "/home/testuser/.ssh",
                "to": "tree:///home/testuser/.ssh/authorized_keys",
                "to": "tree:///home/testuser/.ssh/authorized_keys",
```

Note that setting the SSH key for a nonexistent user will lead to a build failure.


As draft now as it needs tests, defensiveness in the customization parsing so we can fail earlier, and to move the filesystem generation to a helper function.

@achilleas-k how do we (or should we) handle the ostree case here? I see authorized keys is normally punted to a firstboot script.

supakeen added 3 commits March 1, 2025 08:44

The `sshkey` customization is documented [1] but was never plumbed
through. Add it to the customizations struct initially.

Signed-off-by: Simon de Vlieger <[email protected]>

Create a new `SSHKey` type in the customizations and allow it to be set on
the `OSCustomizations` struct.

Signed-off-by: Simon de Vlieger <[email protected]>

Make the various distros set the values for the ssh keys customizations
based on the content in the blueprint.

Signed-off-by: Simon de Vlieger <[email protected]>

@supakeen supakeen force-pushed the sshkey-customization branch 2 times, most recently from 8018e98 to 3b5af13 Compare March 1, 2025 08:44

Apply the ssh key customizations from the os customizations if present
to create relevant files and directories at the correct modes.

Signed-off-by: Simon de Vlieger <[email protected]>

@supakeen supakeen force-pushed the sshkey-customization branch from 3b5af13 to 2de4592 Compare March 1, 2025 08:50

FrostyX added a commit to fedora-copr/copr-image-builder that referenced this pull request Mar 1, 2025
@achilleas-k (Member) commented

This was removed from images a while ago on purpose as a way to simplify the backend blueprint implementation. It remains in osbuild-composer for backwards compatibility.

I don't know how I feel about bringing it back. You can see the full reasoning here: #928

The idea was that frontends should be responsible for defining what they support wrt the blueprint. I would much rather we say this option is not supported anywhere (except in composer) than bring it back here.

@supakeen (Member, Author) commented Mar 1, 2025

> This was removed from images a while ago on purpose as a way to simplify the backend blueprint implementation. It remains in osbuild-composer for backwards compatibility.
>
> I don't know how I feel about bringing it back. You can see the full reasoning here: #928
>
> The idea was that frontends should be responsible for defining what they support wrt the blueprint. I would much rather we say this option is not supported anywhere (except in composer) than bring it back here.

The important bit here is that this is supported by the user customization; which will modify pre-existing users or create new ones when necessary so:

```
[[customizations.user]]
name = "name"
key = "ssh-edsa XXX"
```

Will customize the user if it exists (and thus add the SSH keys) or create it if not (and add the SSH keys).

In that case the above is purely due to the documentation not being super clear about this so I'll create PRs there instead.
