From 3e3448a7df115b3102014fa4a55b2d652a63bc59 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 21 Jan 2010 08:03:58 +0000 Subject: [PATCH] * Added an Upstart job to fetch the SSH key for logging into the root account of the VM. However, it doesn't work yet (the machine doesn't boot properly and there is no console output). So use a hard-coded password for now (very dangerous!). svn path=/nixos/trunk/; revision=19589 --- modules/virtualisation/amazon-image.nix | 65 +++++++++++++++++++++++-- tests/amazon.nix | 16 ------ 2 files changed, 62 insertions(+), 19 deletions(-) diff --git a/modules/virtualisation/amazon-image.nix b/modules/virtualisation/amazon-image.nix index e834b392c6f..f0f2545993b 100644 --- a/modules/virtualisation/amazon-image.nix +++ b/modules/virtualisation/amazon-image.nix @@ -3,7 +3,7 @@ with pkgs.lib; { - system.build.ext2Image = + system.build.amazonImage = pkgs.vmTools.runInLinuxVM ( pkgs.runCommand "amazon-image" { preVM = @@ -12,7 +12,7 @@ with pkgs.lib; diskImage=$out/nixos.img qemu-img create -f raw $diskImage "1024M" ''; - buildInputs = [ pkgs.utillinux pkgs.perl pkgs.rsync ]; + buildInputs = [ pkgs.utillinux pkgs.perl ]; exportReferencesGraph = [ "closure" config.system.build.toplevel ]; } @@ -26,7 +26,7 @@ with pkgs.lib; storePaths=$(perl ${pkgs.pathsFromGraph} $ORIG_TMPDIR/closure) mkdir -p /mnt/nix/store - rsync -av $storePaths /mnt/nix/store/ + cp -prvd $storePaths /mnt/nix/store/ # Amazon assumes that there is a /sbin/init, so symlink it # to the stage 2 init script. Since we cannot set the path 
@@ -36,8 +36,67 @@ with pkgs.lib; ln -s ${config.system.build.bootStage2} /mnt/sbin/init ln -s ${config.system.build.toplevel} /mnt/system + set -x + sync umount /mnt + sync '' ); + # On EC2 we don't get to supply our own kernel, so we can't load any + # modules. However, dhclient fails if the ipv6 module isn't loaded, + # unless it's compiled without IPv6 support. So do that. + nixpkgs.config.packageOverrides = pkgsOld: + { dhcp = pkgs.lib.overrideDerivation pkgsOld.dhcp (oldAttrs: + { configureFlags = "--disable-dhcpv6"; + }); + }; + + # The root filesystem is mounted by Amazon's kernel/initrd. + fileSystems = [ ]; + + swapDevices = + [ { device = "/dev/sda2"; } ]; + + # There are no virtual consoles. + services.mingetty.ttys = [ ]; + + # Allow root logins only using the SSH key that the user specified + # at instance creation time. + services.sshd.enable = true; + #services.sshd.permitRootLogin = "without-password"; + + boot.postBootCommands = + '' + echo xyzzy_foobar | ${pkgs.pwdutils}/bin/passwd --stdin + ''; + + # Obtain the SSH key at startup time. + /* + jobs.fetchSSHKey = + { name = "fetch-ssh-key"; + + startOn = "ip-up"; + + task = true; + + script = + '' + set -x + echo "obtaining SSH key..." + mkdir -p /root/.ssh + ${pkgs.curl}/bin/curl --retry 3 --retry-delay 0 --fail \ + -o /root/key.pub \ + http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key + if [ $? -eq 0 -a -e /root/key.pub ]; then + if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then + cat /root/key.pub >> /root/.ssh/authorized_keys + echo "new key added to authorized_keys" + fi + chmod 600 /root/.ssh/authorized_keys + rm -f /root/key.pub + fi + ''; + }; + */ } diff --git a/tests/amazon.nix b/tests/amazon.nix index a016b8947d1..223bfb947d1 100644 --- a/tests/amazon.nix +++ b/tests/amazon.nix 
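Review bot: The root password in `boot.postBootCommands` is a fixed literal (`echo xyzzy_foobar | ${pkgs.pwdutils}/bin/passwd --stdin`), so it is baked into the world-readable Nix store and into every image built from this module, and with `services.sshd.permitRootLogin` commented out directly above it the instance accepts whatever root login sshd permits by default — on EC2 that is an internet-facing password for root. If the key-fetch job cannot be enabled yet, keep `services.sshd.permitRootLogin = "without-password";` active so the password is useless over SSH, and put the `passwd` line behind an option that defaults to off rather than running it unconditionally on every boot. In the commented-out `fetchSSHKey` job, `grep -q -f /root/key.pub` interprets the key as a regex pattern; `grep -q -x -F -f /root/key.pub` matches the literal key line instead, and `mkdir -p /root/.ssh` should be followed by `chmod 700 /root/.ssh` so the directory does not inherit the job's umask. The `set -x` in the image build script and in the job will also echo every command to the console; harmless for the public key, but worth dropping once the boot problem is understood.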
@@ -7,22 +7,6 @@ rec { services.httpd.enable = true; services.httpd.adminAddr = "e.dolstra@tudelft.nl"; services.httpd.documentRoot = "${pkgs.valgrind}/share/doc/valgrind/html"; - - nixpkgs.config.packageOverrides = pkgsOld: - { dhcp = pkgs.lib.overrideDerivation pkgsOld.dhcp (oldAttrs: - { configureFlags = "--disable-dhcpv6"; - }); - }; - - fileSystems = [ ]; - - swapDevices = - [ { device = "/dev/sda2"; } ]; - - services.sshd.enable = true; - services.sshd.permitRootLogin = "without-password"; - - services.mingetty.ttys = [ ]; }; config = (import ../lib/eval-config.nix {