From 1badfabc4ddb6b487005cf4a8447b5d1111cd72c Mon Sep 17 00:00:00 2001
From: Russell O'Connor
Date: Mon, 9 Mar 2015 18:28:34 +0000
Subject: [PATCH 1/3] Use mktemp to create temporary files to hold ssh host keys and authorized keys when downloading them from the metadata server.
---
 .../virtualisation/google-compute-image.nix | 51 +++++++++++--------
 1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index eea6c646d48..25bdd9569de 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -143,34 +143,41 @@ in umask 077 # Don't download the SSH key if it has already been downloaded if ! [ -e /root/.ssh/authorized_keys ]; then - echo "obtaining SSH key..." - mkdir -m 0700 -p /root/.ssh - ${wget} -O /root/authorized-keys-metadata http://metadata.google.internal/0.1/meta-data/authorized-keys - if [ $? -eq 0 -a -e /root/authorized-keys-metadata ]; then - cat /root/authorized-keys-metadata | cut -d: -f2- > /root/key.pub - if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then - cat /root/key.pub >> /root/.ssh/authorized_keys - echo "new key added to authorized_keys" - fi - chmod 600 /root/.ssh/authorized_keys + echo "obtaining SSH key..." + mkdir -m 0700 -p /root/.ssh + AUTH_KEYS=$(mktemp) && { + ${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys + if [ $? -eq 0 -a -e $AUTH_KEYS ]; then + KEY_PUB=$(mktemp) && { + cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB + if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then + cat $KEY_PUB >> /root/.ssh/authorized_keys + echo "new key added to authorized_keys" + fi + chmod 600 /root/.ssh/authorized_keys + rm -f $KEY_PUB + } fi - rm -f /root/key.pub /root/authorized-keys-metadata + rm -f $AUTH_KEYS + } fi countKeys=0 ${flip concatMapStrings config.services.openssh.hostKeys (k : let kName = baseNameOf k.path; in '' - echo "trying to obtain SSH private host key ${kName}" - ${wget} -O /root/${kName} http://metadata.google.internal/0.1/meta-data/attributes/${kName} && : - if [ $? -eq 0 -a -e /root/${kName} ]; then - countKeys=$((countKeys+1)) - mv -f /root/${kName} ${k.path} - echo "downloaded ${k.path}" - chmod 600 ${k.path} - ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub - chmod 644 ${k.path}.pub - fi - rm -f /root/${kName} + PRIV_KEY=$(mktemp) && { + echo "trying to obtain SSH private host key ${kName}" + ${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && : + if [ $? 
-eq 0 -a -e $PRIV_KEY ]; then + countKeys=$((countKeys+1)) + mv -f $PRIV_KEY ${k.path} + echo "downloaded ${k.path}" + chmod 600 ${k.path} + ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub + chmod 644 ${k.path}.pub + fi + rm -f $PRIV_KEY + } '' )} From 4744e3541ad2308625afd1d0ac53329efd947e6a Mon Sep 17 00:00:00 2001 From: Russell O'Connor Date: Mon, 23 Mar 2015 21:45:40 +0000 Subject: [PATCH 2/3] [GCE] Put temp files for fetch-ssh-keys service in /run --- nixos/modules/virtualisation/google-compute-image.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 25bdd9569de..cdcd7e5a126 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -137,7 +137,8 @@ in after = [ "network-online.target" "ip-up.target" ]; wants = [ "network-online.target" "ip-up.target" ]; - script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google'"; in + script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google'"; + mktemp = "mktemp --tmpdir=/run"; in '' # When dealing with cryptographic keys, we want to keep things private. umask 077 @@ -145,10 +146,10 @@ in if ! [ -e /root/.ssh/authorized_keys ]; then echo "obtaining SSH key..." mkdir -m 0700 -p /root/.ssh - AUTH_KEYS=$(mktemp) && { + AUTH_KEYS=$(${mktemp}) && { ${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys if [ $? -eq 0 -a -e $AUTH_KEYS ]; then - KEY_PUB=$(mktemp) && { + KEY_PUB=$(${mktemp}) && { cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then cat $KEY_PUB >> /root/.ssh/authorized_keys 
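Review bot: None of the temporary files created with `mktemp` in this hunk is removed if the script stops before reaching its `rm -f` line, and since the unit runs under `set -e` (as the third patch's message states), a non-zero exit from the authorized-keys `wget`, from `chmod` or from `ssh-keygen` leaves a copy of the authorized keys or of a private host key behind in the temp directory — `/tmp` in this revision, `/run` after the second patch. `umask 077` keeps it root-only, but it outlives the service run. Initialising the names and installing one trap right after `umask 077` makes the cleanup unconditional: `AUTH_KEYS= KEY_PUB= PRIV_KEY=` followed by `trap 'rm -f "$AUTH_KEYS" "$KEY_PUB" "$PRIV_KEY"' EXIT`; the same gap remains in the third patch's hunk, which drops the `&&` groups but still relies on reaching the trailing `rm -f`. The expansions `$AUTH_KEYS`, `$KEY_PUB` and `$PRIV_KEY` are unquoted throughout; quoting them costs nothing. The `script =` binding and the `''` string this shell code lives in start before the hunk.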
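Review bot: The new `mktemp = "mktemp --tmpdir=/run";` binding records no reason for choosing `/run` over mktemp's default directory, and the reason is security-relevant enough to keep next to it so a later edit does not simplify it back to a bare `mktemp`. A one-line comment above the binding would do, e.g. `# keep temp copies of key material on /run (tmpfs) so they never reach persistent storage and do not survive a reboot` — presumably the motivation, to be confirmed with the author. The `''` script body the binding feeds continues past the hunk.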
@@ -165,7 +166,7 @@ in countKeys=0 ${flip concatMapStrings config.services.openssh.hostKeys (k : let kName = baseNameOf k.path; in '' - PRIV_KEY=$(mktemp) && { + PRIV_KEY=$(${mktemp}) && { echo "trying to obtain SSH private host key ${kName}" ${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && : if [ $? -eq 0 -a -e $PRIV_KEY ]; then From 29b7d76ec81b1ba6536d72415a853ff596d7b6b2 Mon Sep 17 00:00:00 2001 From: Russell O'Connor Date: Tue, 28 Apr 2015 21:28:16 +0000 Subject: [PATCH 3/3] Remove use of && in fetch-ssh-keys service. Scripts are run with -e so will abort when a command fails. --- .../virtualisation/google-compute-image.nix | 60 ++++++++++--------- 1 file changed, 31 insertions(+), 29 deletions(-) diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index cdcd7e5a126..fcc71773dea 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix 
@@ -143,42 +143,44 @@ in # When dealing with cryptographic keys, we want to keep things private. umask 077 # Don't download the SSH key if it has already been downloaded - if ! [ -e /root/.ssh/authorized_keys ]; then + if ! [ -s /root/.ssh/authorized_keys ]; then echo "obtaining SSH key..." mkdir -m 0700 -p /root/.ssh - AUTH_KEYS=$(${mktemp}) && { - ${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys - if [ $? -eq 0 -a -e $AUTH_KEYS ]; then - KEY_PUB=$(${mktemp}) && { - cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB - if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then - cat $KEY_PUB >> /root/.ssh/authorized_keys - echo "new key added to authorized_keys" - fi - chmod 600 /root/.ssh/authorized_keys - rm -f $KEY_PUB - } - fi - rm -f $AUTH_KEYS - } + AUTH_KEYS=$(${mktemp}) + ${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys + if [ -s $AUTH_KEYS ]; then + KEY_PUB=$(${mktemp}) + cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB + if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then + cat $KEY_PUB >> /root/.ssh/authorized_keys + echo "New key added to authorized_keys." + fi + chmod 600 /root/.ssh/authorized_keys + rm -f $KEY_PUB + else + echo "Downloading http://metadata.google.internal/0.1/meta-data/authorized-keys failed." + false + fi + rm -f $AUTH_KEYS fi countKeys=0 ${flip concatMapStrings config.services.openssh.hostKeys (k : let kName = baseNameOf k.path; in '' - PRIV_KEY=$(${mktemp}) && { - echo "trying to obtain SSH private host key ${kName}" - ${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && : - if [ $? 
-eq 0 -a -e $PRIV_KEY ]; then - countKeys=$((countKeys+1)) - mv -f $PRIV_KEY ${k.path} - echo "downloaded ${k.path}" - chmod 600 ${k.path} - ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub - chmod 644 ${k.path}.pub - fi - rm -f $PRIV_KEY - } + PRIV_KEY=$(${mktemp}) + echo "trying to obtain SSH private host key ${kName}" + ${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && : + if [ $? -eq 0 -a -s $PRIV_KEY ]; then + countKeys=$((countKeys+1)) + mv -f $PRIV_KEY ${k.path} + echo "Downloaded ${k.path}" + chmod 600 ${k.path} + ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub + chmod 644 ${k.path}.pub + else + echo "Downloading http://metadata.google.internal/0.1/meta-data/attributes/${kName} failed." + fi + rm -f $PRIV_KEY '' )}
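Review bot: The `else` branch that prints `Downloading http://metadata.google.internal/0.1/meta-data/authorized-keys failed.` and runs `false` is unreachable for an actual download error, because the authorized-keys `wget` two lines above has no `&& :` — under `set -e` a non-zero exit ends the script there, before the `-s` test, and the diagnostic only appears when wget exits 0 with an empty body; the host-key loop lower in the hunk handles the same situation with `&& :` and an explicit status test. Appending `&& :` to that line, `${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys && :`, lets the `-s` test, the message and the deliberate `false` all take effect, and also lets `rm -f $AUTH_KEYS` run. The switch from `-e` to `-s` on `/root/.ssh/authorized_keys` also makes the comment above it slightly stale, since an empty file now triggers a fresh download; `# Don't download the SSH key if a non-empty authorized_keys already exists` would match. The temp-file expansions remain unquoted here as in the first patch.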