From 5c5411a4fa0d1a306ec034460195879dd4b12446 Mon Sep 17 00:00:00 2001 From: jrb Date: Wed, 3 Dec 2014 15:22:36 -0500 Subject: Adding initial support for loading a config from AWS EC2 user-data --- Makefile.am | 2 +- debian/vyatta-cfg-system.postinst.in | 4 +- etc/init.d/ec2-fetch-ssh-public-key | 126 ---------------------------- etc/init.d/ec2-vyos-init | 146 +++++++++++++++++++++++++++++++++ scripts/install/install-image-existing | 4 +- 5 files changed, 151 insertions(+), 131 deletions(-) delete mode 100644 etc/init.d/ec2-fetch-ssh-public-key create mode 100644 etc/init.d/ec2-vyos-init diff --git a/Makefile.am b/Makefile.am index dd9586b6..283f59c2 100644 --- a/Makefile.am +++ b/Makefile.am @@ -19,7 +19,7 @@ checkparamsonreboot_SCRIPTS = checkparamsonreboot_DATA = checkparamsonreboot_DATA += scripts/check-params-on-reboot.d/README -initd_SCRIPTS += etc/init.d/ec2-fetch-ssh-public-key +initd_SCRIPTS += etc/init.d/ec2-vyos-init initd_SCRIPTS += etc/init.d/vyatta-config-reboot-params initd_SCRIPTS += etc/init.d/vyos-intfwatchd checkparamsonreboot_SCRIPTS += scripts/check-params-on-reboot.d/ipv6_disable_blacklist diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 8c4b1534..37c19275 100755 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -214,8 +214,8 @@ update-rc.d vyatta-config-reboot-params start 20 S # set vyos-intfwatchd to start at boot update-rc.d vyos-intfwatchd start 2345 -# set ec2-fetch-ssh-public-key to start on boot -update-rc.d ec2-fetch-ssh-public-key start 2345 +# set ec2-vyos-init to start on boot +update-rc.d ec2-vyos-init start 2345 # Local Variables: # mode: shell-script diff --git a/etc/init.d/ec2-fetch-ssh-public-key b/etc/init.d/ec2-fetch-ssh-public-key deleted file mode 100644 index 9af8ba1d..00000000 --- a/etc/init.d/ec2-fetch-ssh-public-key +++ /dev/null 
@@ -1,126 +0,0 @@ -#!/bin/bash -### BEGIN INIT INFO -# Provides: ec2-fetch-ssh-public-key -# Required-Start: vyatta-router -# Required-Stop: -# Default-Start: 2 3 4 5 -# Default-Stop: -# Short-Description: AWS EC2 instance init script to fetch and load ssh public key -# Description: Retrieve user's public ssh key from EC2 instance metadata -# and load/set the key in config.boot -### END INIT INFO - -# Author: hydrajump -# -# Based on http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/building-shared-amis.html#public-amis-install-credentials -# https://github.com/andsens/bootstrap-vz/blob/master/providers/ec2/assets/init.d/ec2-get-credentials - -. /lib/lsb/init-functions - -# Are we running on AWS? -/opt/vyatta/sbin/ec2-check.pl -if [ $? != 0 ]; then - exit 0 -fi - -# Hack for config permissions stuff -if [ $(groups | awk '{print $1}') != 'vyattacfg' ]; then - sg vyattacfg $0 - exit -fi - -: ${vyatta_env:=/etc/default/vyatta} -source $vyatta_env - -# Configuration commands -SHELL_API=/bin/cli-shell-api -COMMIT=/opt/vyatta/sbin/my_commit -SAVE=/opt/vyatta/sbin/vyatta-save-config.pl -LOADKEY=/opt/vyatta/sbin/vyatta-load-user-key.pl - -public_key_url=http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key -username='vyos' -ssh_dir="/home/$username/.ssh" -authorized_keys="$ssh_dir/authorized_keys" -group='vyattacfg' - -# Obtain config session environment -session_env=$($SHELL_API getSessionEnv $PPID) -if [ $? -ne 0 ]; then - echo "An error occured while obtaining session environment!" - exit 0 -fi - -# Evaluate config environment string -eval $session_env - -# Setup the config session -$SHELL_API setupSession -if [ $? -ne 0 ]; then - echo "An error occured while setting up the configuration session!" - exit 0 -fi - -load_ssh_public_key () -{ - # Doesn't work. 
- # if [ -x $vyatta_sbindir/vyatta-load-user-key.pl ]; then - # log_action_msg "Loaded ssh public key for user $username" - # sg ${group} -c "$vyatta_sbindir/vyatta-load-user-key.pl $username $public_key" - # fi - - # Do this instead - # Obtain session environment - # Evaluate environment string - # Setup the session - # Commit and save config change - # Tear down the session - - log_action_msg "EC2: Loaded ssh public key for user $username" - $LOADKEY $username $public_key_url - - # Commit and save to config.boot - $COMMIT - $SAVE -} - -# Try to get the ssh public key from instance metadata -log_action_msg "EC2: -----BEGIN FETCH SSH PUBLIC KEY-----" -log_action_msg "EC2: Requesting ssh public key from EC2 instance metadata" -public_key=`/usr/bin/curl --silent -f $public_key_url` -if [ -n "$public_key" ]; then - log_action_msg "EC2: Downloaded ssh public key from EC2 instance metadata" - if [ ! -d $ssh_dir ]; then - mkdir -m 700 $ssh_dir - # chown $username:$username $ssh_dir - fi - - # Check if the ssh public key is already loaded - if ! grep -s -q "$public_key" $authorized_keys; then - load_ssh_public_key - # chmod 600 $authorized_keys - # chown $username:$username $authorized_keys - else - log_action_msg "EC2: Already loaded ssh public key for user $username" - fi -else - log_action_msg " - == WARNING == - No ssh public key found! - If you launch an instance without specifying a keypair, - you can't connect to the instance. - Please terminate this instance and launch a new EC2 instance. - - == IMPORTANT == - Don't forget to create a keypair or select an existing one - before you launch the new instance" -fi -log_action_msg "EC2: -----END FETCH SSH PUBLIC KEY-----" - -# Tear down the config session -$SHELL_API teardownSession -if [ $? -ne 0 ]; then - echo "An error occured while tearing down the session!" - exit 0 -fi -exit 0 diff --git a/etc/init.d/ec2-vyos-init b/etc/init.d/ec2-vyos-init new file mode 100644 index 00000000..271648bc --- /dev/null 
+++ b/etc/init.d/ec2-vyos-init 
@@ -0,0 +1,146 @@ +#!/bin/bash +### BEGIN INIT INFO +# Provides: ec2-vyos-init +# Required-Start: vyatta-router +# Required-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: +# Short-Description: AWS EC2 instance init script to fetch and load ssh public key +# Description: Retrieve user's public ssh key from EC2 instance metadata +# and load/set the key in config.boot +### END INIT INFO + +# Author: hydrajump +# +# Based on http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/building-shared-amis.html#public-amis-install-credentials +# https://github.com/andsens/bootstrap-vz/blob/master/providers/ec2/assets/init.d/ec2-get-credentials + +. /lib/lsb/init-functions + +# Are we running on AWS? +/opt/vyatta/sbin/ec2-check.pl +if [ $? != 0 ]; then + exit 0 +fi + +# Hack for config permissions stuff +if [ $(groups | awk '{print $1}') != 'vyattacfg' ]; then + sg vyattacfg $0 + exit +fi + +: ${vyatta_env:=/etc/default/vyatta} +source $vyatta_env + +# Configuration commands +SHELL_API=/bin/cli-shell-api +COMMIT=/opt/vyatta/sbin/my_commit +SAVE=/opt/vyatta/sbin/vyatta-save-config.pl +LOADKEY=/opt/vyatta/sbin/vyatta-load-user-key.pl +LOADCONFIG=/opt/vyatta/sbin/vyatta-load-config.pl + +userdata_url=http://169.254.169.254/latest/user-data +public_key_url=http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key +username='vyos' +ssh_dir="/home/$username/.ssh" +authorized_keys="$ssh_dir/authorized_keys" +group='vyattacfg' + +# Obtain config session environment +session_env=$($SHELL_API getSessionEnv $PPID) +if [ $? -ne 0 ]; then + echo "An error occured while obtaining session environment!" + exit 0 +fi + +# Evaluate config environment string +eval $session_env + +# Setup the config session +$SHELL_API setupSession +if [ $? -ne 0 ]; then + echo "An error occured while setting up the configuration session!" + exit 0 +fi + +load_user_data () +{ + $LOADCONFIG $userdata_url + $COMMIT + $SAVE +} + +load_ssh_public_key () +{ + # Doesn't work. 
+ # if [ -x $vyatta_sbindir/vyatta-load-user-key.pl ]; then + # log_action_msg "Loaded ssh public key for user $username" + # sg ${group} -c "$vyatta_sbindir/vyatta-load-user-key.pl $username $public_key" + # fi + + # Do this instead + # Obtain session environment + # Evaluate environment string + # Setup the session + # Commit and save config change + # Tear down the session + + log_action_msg "EC2: Loaded ssh public key for user $username" + $LOADKEY $username $public_key_url + + # Commit and save to config.boot + $COMMIT + $SAVE +} + +# Try to load config from instance user-data +log_action_msg "EC2: -----BEGIN FETCH CONFIG-----" +log_action_msg "EC2: Requesting config from EC2 instance user-data" +if (curl --silent -f $userdata_url | grep 'vyatta-config-version' >/dev/null); then + log_action_msg "EC2: Found Vyos config in EC2 instance user-data" + load_user_data +else + log_action_msg "EC2: No Vyos config found in EC2 instance user-data" +fi + +log_action_msg "EC2: -----END FETCH CONFIG-----" +# Try to get the ssh public key from instance metadata +log_action_msg "EC2: -----BEGIN FETCH SSH PUBLIC KEY-----" +log_action_msg "EC2: Requesting ssh public key from EC2 instance metadata" +public_key=`/usr/bin/curl --silent -f $public_key_url` +if [ -n "$public_key" ]; then + log_action_msg "EC2: Downloaded ssh public key from EC2 instance metadata" + if [ ! -d $ssh_dir ]; then + mkdir -m 700 $ssh_dir + # chown $username:$username $ssh_dir + fi + + # Check if the ssh public key is already loaded + if ! grep -s -q "$public_key" $authorized_keys; then + load_ssh_public_key + # chmod 600 $authorized_keys + # chown $username:$username $authorized_keys + else + log_action_msg "EC2: Already loaded ssh public key for user $username" + fi +else + log_action_msg " + == WARNING == + No ssh public key found! + If you launch an instance without specifying a keypair, + you can't connect to the instance. + Please terminate this instance and launch a new EC2 instance. 
+ + == IMPORTANT == + Don't forget to create a keypair or select an existing one + before you launch the new instance" +fi +log_action_msg "EC2: -----END FETCH SSH PUBLIC KEY-----" + +# Tear down the config session +$SHELL_API teardownSession +if [ $? -ne 0 ]; then + echo "An error occured while tearing down the session!" + exit 0 +fi +exit 0 diff --git a/scripts/install/install-image-existing b/scripts/install/install-image-existing index 2705ce5c..7d58cd96 100755 --- a/scripts/install/install-image-existing +++ b/scripts/install/install-image-existing @@ -49,8 +49,8 @@ is_amazon_ec2_ami () { if [ -n "$ami_id" ]; then echo "Installing on VyOS AMI" - # Create init script links for /etc/init.d/ec2-fetch-ssh-public-key - chroot $INST_ROOT update-rc.d ec2-fetch-ssh-public-key defaults &>/dev/null + # Create init script links for /etc/init.d/ec2-vyos-init + chroot $INST_ROOT update-rc.d ec2-vyos-init defaults &>/dev/null # Dijkstra, forgive us! return 0 -- cgit v1.2.3
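Review bot: `load_user_data` runs `$COMMIT` and `$SAVE` unconditionally, so when `$LOADCONFIG` fails (metadata service unreachable, malformed user-data, or a config the loader rejects) the commit and the write to config.boot still happen against whatever partial state the failed load left in the session; the three calls need to be chained so a failed load never reaches commit. The user-data is also fetched twice — once for the `grep 'vyatta-config-version'` probe and again inside `$LOADCONFIG $userdata_url` — so the bytes that were checked are not necessarily the bytes that get loaded, and the probe matches that string anywhere in the body, so a stray comment in an unrelated user-data script would trigger a full configuration load. Fetching once into a `mktemp` file and loading from that path keeps check and load on the same content and drops the assumption that `vyatta-load-config.pl` will fetch an `http://` URL itself (it appears to accept a local path the way `load` does, but the script never verifies the URL form works). A header comment should also record that instance user-data is served with no authentication and is readable by any local process, so a config placed there must not carry secrets that the committed config.boot would not already hold. The fence below shows the reworked function and probe; `load_ssh_public_key` and the session setup/teardown are unchanged.
```shell
load_user_data ()
{
    local cfg="$1"
    # Commit and save only if the load itself succeeded; a failed or
    # partial load must never be committed or written to config.boot.
    if $LOADCONFIG "$cfg"; then
        $COMMIT && $SAVE
    else
        log_action_msg "EC2: Failed to load config from user-data; not committing"
        return 1
    fi
}

# … unchanged: load_ssh_public_key …

# Fetch user-data once into a private temp file so that the content we
# probe is exactly the content we load.
userdata_file=$(mktemp 2>/dev/null)
trap 'rm -f -- "$userdata_file"' EXIT
log_action_msg "EC2: -----BEGIN FETCH CONFIG-----"
log_action_msg "EC2: Requesting config from EC2 instance user-data"
if [ -n "$userdata_file" ] \
   && curl --silent -f "$userdata_url" -o "$userdata_file" \
   && grep -q 'vyatta-config-version' "$userdata_file"; then
    log_action_msg "EC2: Found Vyos config in EC2 instance user-data"
    load_user_data "$userdata_file"
else
    log_action_msg "EC2: No Vyos config found in EC2 instance user-data"
fi
```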