Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Move net-misc/openssh from overlay to portage-stable, configuration changes #945

Merged
merged 11 commits into from
Sep 29, 2023

Conversation

krnowak
Copy link
Member

@krnowak krnowak commented Jun 22, 2023

CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/packages_all_arches/2034/cldsv

This does mainly two changes:

  • Move the package to portage-stable, so it will be automatically updates, and move the necessary modifications that we were doing to coreos-base/misc-files.
  • Start using configuration snippets in /etc/ssh/ssh{,d}_config.d/. Adapt other packages that were messing with sshd config to start using snippets instead.

The openssh ebuild changes are mostly dropping all the third-party high-performance patches that we weren't even using. In Gentoo, these patches were moved to a separate package, net-misc/openssh-contrib.

Fixes flatcar/Flatcar#1062.

Needs flatcar/init#98.

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

@krnowak krnowak added the main label Jun 22, 2023
@krnowak krnowak requested a review from a team June 22, 2023 15:00
doins "${FILESDIR}/50-flatcar-sshd.conf"

# Install our socket drop-in file that disables the rate
# limitting on the sshd socket.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll fix this on the next push:

Suggested change
# limitting on the sshd socket.
# limiting on the sshd socket.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will bump it to -r1 on the next push.

@krnowak
Copy link
Member Author

krnowak commented Jun 26, 2023

All tests failed, because both /etc/ssh/sshd_config and our config snippet in /etc/ssh/sshd_config.d/50-flatcar-sshd.conf specify the sftp subsystem and sshd is having none of that - just prints an error about sftp subsystem already being specified and quits. Which means, connecting to the machine via ssh won't work. Let's see if Gentoo accepts my addition of a USE flag that drops the Subsystem setting from /etc/ssh/sshd_config - gentoo/gentoo#31615.

@github-actions
Copy link

github-actions bot commented Jun 26, 2023

krnowak and others added 5 commits September 29, 2023 07:42
It's from Gentoo commit 5b974a3c903327b37f46a0212bf397ef634a67fd.
None of these modifications are Flatcar-specific. We are trying to
upstream them in gentoo/gentoo#31615. When
they reach Gentoo, we can move net-misc/openssh to portage-stable.
- Import and update configs for ssh client and daemon from the
  flatcar/init repository. These configs have now became snippets that
  the main configuration file will include.

- Install a drop-in file for the ssh.socket unit disabling the rate
  limiting.

- Install compatibility symlinks in old ssh config locations that will
  point to respective files in /usr/share/flatcar/etc.

- Make all these actions optional - openssh USE flag needs to be
  enabled. That way, generic images can pull those changes, while SDK
  can avoid doing so.
@krnowak krnowak force-pushed the krnowak/move-openssh branch from bba7041 to 03a9b9d Compare September 29, 2023 05:44
@krnowak krnowak marked this pull request as ready for review September 29, 2023 05:45
@krnowak krnowak requested review from a team and removed request for a team September 29, 2023 05:45
@krnowak
Copy link
Member Author

krnowak commented Sep 29, 2023

CI passed. The only test that has failed was some nvidia stuff on azure arm64. Looks unrelated.

Copy link
Member

@pothos pothos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, looks good, assuming tests pass and nothing unexpected shows up in the image changes

@krnowak
Copy link
Member Author

krnowak commented Sep 29, 2023

Hm, looks like I forgot to actually paste a link to the Jenkins build: http://jenkins.infra.kinvolk.io:8080/job/container/job/packages_all_arches/2610/cldsv/

Currently I'm rerunning image changes jobs with a fix, so I can see the full report.

@krnowak
Copy link
Member Author

krnowak commented Sep 29, 2023

Tests passed. The changes there are expected:

-net-misc/openssh-9.3_p2-r1::coreos
+net-misc/openssh-9.4_p1::coreos+/usr/lib/systemd/system/sshd.socket.d
+/usr/lib/systemd/system/sshd.socket.d/no-trigger-limit-burst.conf-/usr/lib/tmpfiles.d/ssh.conf
…
 /usr/share/flatcar/etc/ssh/ssh_config
+/usr/share/flatcar/etc/ssh/ssh_config.d
+/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf
+/usr/share/flatcar/etc/ssh/ssh_config.d/9999999gentoo-security.conf
+/usr/share/flatcar/etc/ssh/ssh_config.d/9999999gentoo.conf
 /usr/share/flatcar/etc/ssh/ssh_revoked_hosts
 /usr/share/flatcar/etc/ssh/sshd_config
+/usr/share/flatcar/etc/ssh/sshd_config.d
+/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf
+/usr/share/flatcar/etc/ssh/sshd_config.d/9999999gentoo-pam.conf
+/usr/share/flatcar/etc/ssh/sshd_config.d/9999999gentoo.conf
 /usr/share/flatcar/etc/ssl

Flatcar Buildbot and others added 6 commits September 29, 2023 13:47
The configs were moved to coreos-base/misc-files. In the meantime,
update python compatibility and drop unused USE flag and an obsolete
README file.
The sshd config provided by this package is now marked as provided for
compatibility only - it will be there in case there is still a symlink
in /etc pointing to it. The new config snippet will be used by the
enable oslogin stuff in the updated coreos-base/oem-gce package in
following commits.
This commit updates our Flatcar patch with a code that will install an
sshd config snippet instead of editing the main sshd config file if
snippets directory exists.
We will be installing an sshd config snippet instead of replacing the
whole sshd config. In order to pull this off, we need to make sure
that the snippets directory exists and the main sshd config file
actually includes the snippets in the directory.
The configs provided by the openssh and Gentoo projects usually keep
everything commented out, meaning that the default values will be
used. On top of that, they will also include snippets in the snippet
directory. As such, start installing the default configs. We only mask
a snippet that defines sftp subsystem, because we provide our own
config snippet from coreos-base/misc-files that defines it.
@krnowak krnowak force-pushed the krnowak/move-openssh branch from ae65a06 to cabc3c0 Compare September 29, 2023 11:48
@krnowak krnowak merged commit f44c3d3 into main Sep 29, 2023
1 check failed
@krnowak krnowak deleted the krnowak/move-openssh branch September 29, 2023 11:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[RFE] sshd default config should read drop-ins
2 participants