[openstack-nova/f17] support injecting ssh keys to SELinux enabled guests
Pádraig Brady
pbrady at fedoraproject.org
Wed Jun 27 13:54:00 UTC 2012
commit d8fe797daf8aeda9fee056072720d8cb84b904d1
Author: Pádraig Brady <P at draigBrady.com>
Date: Wed Jun 27 14:50:37 2012 +0100
support injecting ssh keys to SELinux enabled guests
This was tested with a Fedora 16 jeos
...ect-SELinux-context-for-injected-ssh-keys.patch | 78 ++++++++++++++++++++
openstack-nova.spec | 3 +
2 files changed, 81 insertions(+), 0 deletions(-)
---
diff --git a/0010-set-correct-SELinux-context-for-injected-ssh-keys.patch b/0010-set-correct-SELinux-context-for-injected-ssh-keys.patch
new file mode 100644
index 0000000..d2baf54
--- /dev/null
+++ b/0010-set-correct-SELinux-context-for-injected-ssh-keys.patch
@@ -0,0 +1,78 @@
+From 43bcb2febf73a1420c8e3e0ad8c88ce076403c21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?P=C3=A1draig=20Brady?= <pbrady at redhat.com>
+Date: Wed, 27 Jun 2012 10:29:57 +0100
+Subject: [PATCH] set correct SELinux context for injected ssh keys
+
+Instruct guests to ensure at boot, that the correct
+SELinux context is set for /root/.ssh/.
+This will cater for keys injected by nova from hosts
+without SELinux (enabled) or using libguestfs which
+currently doesn't support setting extended attributes.
+
+Suggested-by: David Naori <dnaori at redhat.com>
+Change-Id: Ibf3869e3ee477e91623e0c030838c1ec8a6128a6
+---
+ nova/rootwrap/compute.py | 4 ++++
+ nova/virt/disk/api.py | 27 +++++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+), 0 deletions(-)
+
+diff --git a/nova/rootwrap/compute.py b/nova/rootwrap/compute.py
+index bb53abc..0d43caa 100755
+--- a/nova/rootwrap/compute.py
++++ b/nova/rootwrap/compute.py
+@@ -182,6 +182,10 @@ filterlist = [
+ # nova/virt/libvirt/utils.py: 'qemu-img'
+ filters.CommandFilter("/usr/bin/qemu-img", "root"),
+
++ # nova/virt/disk/api.py: 'readlink', '-e'
++ filters.CommandFilter("/usr/bin/readlink", "root"),
++ filters.CommandFilter("/bin/readlink", "root"),
++
+ # nova/virt/disk/api.py: 'touch', target
+ filters.CommandFilter("/usr/bin/touch", "root"),
+
+diff --git a/nova/virt/disk/api.py b/nova/virt/disk/api.py
+index 6756ac2..ce3df1b 100644
+--- a/nova/virt/disk/api.py
++++ b/nova/virt/disk/api.py
+@@ -311,6 +311,31 @@ def _inject_metadata_into_fs(metadata, fs):
+ process_input=json.dumps(metadata), run_as_root=True)
+
+
++def _setup_selinux_for_keys(fs):
++ """Get selinux guests to ensure correct context on injected keys."""
++
++ rclocal = os.path.join(fs, 'etc', 'rc.local')
++
++ # Support systemd based systems
++ rc_d = os.path.join(fs, 'etc', 'rc.d')
++ rclocal_e, _err = utils.trycmd('readlink', '-e', rclocal, run_as_root=True)
++ rc_d_e, _err = utils.trycmd('readlink', '-e', rc_d, run_as_root=True)
++ if not rclocal_e and rc_d_e:
++ rclocal = os.path.join(rc_d, 'rc.local')
++
++ # Note some systems end rc.local with "exit 0"
++ # and so to append there you'd need something like:
++ # utils.execute('sed', '-i', '${/^exit 0$/d}' rclocal, run_as_root=True)
++ restorecon = [
++ '#!/bin/sh\n',
++ '# Added by Nova to ensure injected ssh keys have the right context\n',
++ 'restorecon -RF /root/.ssh/ 2>/dev/null || :\n',
++ ]
++ utils.execute('tee', '-a', rclocal,
++ process_input=''.join(restorecon), run_as_root=True)
++ utils.execute('chmod', 'a+x', rclocal, run_as_root=True)
++
++
+ def _inject_key_into_fs(key, fs):
+ """Add the given public ssh key to root's authorized_keys.
+
+@@ -332,6 +357,8 @@ def _inject_key_into_fs(key, fs):
+ utils.execute('tee', '-a', keyfile,
+ process_input=''.join(key_data), run_as_root=True)
+
++ _setup_selinux_for_keys(fs)
++
+
+ def _inject_net_into_fs(net, fs):
+ """Inject /etc/network/interfaces into the filesystem rooted at fs.
diff --git a/openstack-nova.spec b/openstack-nova.spec
index cccfc5a..a088626 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -40,6 +40,7 @@ Patch0006: 0006-fix-useexisting-deprecation-warnings.patch
Patch0007: 0007-support-a-configurable-libvirt-injection-partition.patch
Patch0008: 0008-repeat-fusermount-to-avoid-business.patch
Patch0009: 0009-only-mount-guest-image-once-when-injecting-files.patch
+Patch0010: 0010-set-correct-SELinux-context-for-injected-ssh-keys.patch
BuildArch: noarch
BuildRequires: intltool
@@ -165,6 +166,7 @@ This package contains documentation files for nova.
%patch0007 -p1
%patch0008 -p1
%patch0009 -p1
+%patch0010 -p1
find . \( -name .gitignore -o -name .placeholder \) -delete
@@ -364,6 +366,7 @@ fi
%changelog
* Wed Jun 27 2012 Pádraig Brady <P at draigBrady.com> - 2012.1.1-2
- Update to latest essex stable branch
+- Support injecting new .ssh/authorized_keys files to SELinux enabled guests
* Fri Jun 22 2012 Pádraig Brady <P at draigBrady.com> - 2012.1.1-1
- Update to essex stable release 2012.1.1