[openstack-nova/f17] support injecting ssh keys to SELinux enabled guests

Pádraig Brady pbrady at fedoraproject.org
Wed Jun 27 13:54:00 UTC 2012 

commit d8fe797daf8aeda9fee056072720d8cb84b904d1
Author: Pádraig Brady <P at draigBrady.com>
Date:   Wed Jun 27 14:50:37 2012 +0100

    support injecting ssh keys to SELinux enabled guests
    
    This was tested with a Fedora 16 jeos

 ...ect-SELinux-context-for-injected-ssh-keys.patch |   78 ++++++++++++++++++++
 openstack-nova.spec                                |    3 +
 2 files changed, 81 insertions(+), 0 deletions(-)
---
diff --git a/0010-set-correct-SELinux-context-for-injected-ssh-keys.patch b/0010-set-correct-SELinux-context-for-injected-ssh-keys.patch
new file mode 100644
index 0000000..d2baf54
--- /dev/null
+++ b/0010-set-correct-SELinux-context-for-injected-ssh-keys.patch
@@ -0,0 +1,78 @@
+From 43bcb2febf73a1420c8e3e0ad8c88ce076403c21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?P=C3=A1draig=20Brady?= <pbrady at redhat.com>
+Date: Wed, 27 Jun 2012 10:29:57 +0100
+Subject: [PATCH] set correct SELinux context for injected ssh keys
+
+Instruct guests to ensure at boot, that the correct
+SELinux context is set for /root/.ssh/.
+This will cater for keys injected by nova from hosts
+without SELinux (enabled) or using libguestfs which
+currently doesn't support setting extended attributes.
+
+Suggested-by: David Naori <dnaori at redhat.com>
+Change-Id: Ibf3869e3ee477e91623e0c030838c1ec8a6128a6
+---
+ nova/rootwrap/compute.py |    4 ++++
+ nova/virt/disk/api.py    |   27 +++++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+), 0 deletions(-)
+
+diff --git a/nova/rootwrap/compute.py b/nova/rootwrap/compute.py
+index bb53abc..0d43caa 100755
+--- a/nova/rootwrap/compute.py
++++ b/nova/rootwrap/compute.py
+@@ -182,6 +182,10 @@ filterlist = [
+     # nova/virt/libvirt/utils.py: 'qemu-img'
+     filters.CommandFilter("/usr/bin/qemu-img", "root"),
+ 
++    # nova/virt/disk/api.py: 'readlink', '-e'
++    filters.CommandFilter("/usr/bin/readlink", "root"),
++    filters.CommandFilter("/bin/readlink", "root"),
++
+     # nova/virt/disk/api.py: 'touch', target
+     filters.CommandFilter("/usr/bin/touch", "root"),
+ 
+diff --git a/nova/virt/disk/api.py b/nova/virt/disk/api.py
+index 6756ac2..ce3df1b 100644
+--- a/nova/virt/disk/api.py
++++ b/nova/virt/disk/api.py
+@@ -311,6 +311,31 @@ def _inject_metadata_into_fs(metadata, fs):
+                   process_input=json.dumps(metadata), run_as_root=True)
+ 
+ 
++def _setup_selinux_for_keys(fs):
++    """Get selinux guests to ensure correct context on injected keys."""
++
++    rclocal = os.path.join(fs, 'etc', 'rc.local')
++
++    # Support systemd based systems
++    rc_d = os.path.join(fs, 'etc', 'rc.d')
++    rclocal_e, _err = utils.trycmd('readlink', '-e', rclocal, run_as_root=True)
++    rc_d_e, _err = utils.trycmd('readlink', '-e', rc_d, run_as_root=True)
++    if not rclocal_e and rc_d_e:
++        rclocal = os.path.join(rc_d, 'rc.local')
++
++    # Note some systems end rc.local with "exit 0"
++    # and so to append there you'd need something like:
++    #  utils.execute('sed', '-i', '${/^exit 0$/d}' rclocal, run_as_root=True)
++    restorecon = [
++        '#!/bin/sh\n',
++        '# Added by Nova to ensure injected ssh keys have the right context\n',
++        'restorecon -RF /root/.ssh/ 2>/dev/null || :\n',
++    ]
++    utils.execute('tee', '-a', rclocal,
++                  process_input=''.join(restorecon), run_as_root=True)
++    utils.execute('chmod', 'a+x', rclocal, run_as_root=True)
++
++
+ def _inject_key_into_fs(key, fs):
+     """Add the given public ssh key to root's authorized_keys.
+ 
+@@ -332,6 +357,8 @@ def _inject_key_into_fs(key, fs):
+     utils.execute('tee', '-a', keyfile,
+                   process_input=''.join(key_data), run_as_root=True)
+ 
++    _setup_selinux_for_keys(fs)
++
+ 
+ def _inject_net_into_fs(net, fs):
+     """Inject /etc/network/interfaces into the filesystem rooted at fs.
diff --git a/openstack-nova.spec b/openstack-nova.spec
index cccfc5a..a088626 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -40,6 +40,7 @@ Patch0006: 0006-fix-useexisting-deprecation-warnings.patch
 Patch0007: 0007-support-a-configurable-libvirt-injection-partition.patch
 Patch0008: 0008-repeat-fusermount-to-avoid-business.patch
 Patch0009: 0009-only-mount-guest-image-once-when-injecting-files.patch
+Patch0010: 0010-set-correct-SELinux-context-for-injected-ssh-keys.patch
 
 BuildArch:        noarch
 BuildRequires:    intltool
@@ -165,6 +166,7 @@ This package contains documentation files for nova.
 %patch0007 -p1
 %patch0008 -p1
 %patch0009 -p1
+%patch0010 -p1
 
 find . \( -name .gitignore -o -name .placeholder \) -delete
 
@@ -364,6 +366,7 @@ fi
 %changelog
 * Wed Jun 27 2012 Pádraig Brady <P at draigBrady.com> - 2012.1.1-2
 - Update to latest essex stable branch
+- Support injecting new .ssh/authorized_keys files to SELinux enabled guests
 
 * Fri Jun 22 2012 Pádraig Brady <P at draigBrady.com> - 2012.1.1-1
 - Update to essex stable release 2012.1.1

More information about the scm-commits mailing list