This is to test the changes made in https://review.opendev.org/c/zuul/zuul-jobs/+/773474

Change-Id: I4aeed61e5c016519d4ad02ea5cbb9b9e495c962c
2021-03-24 17:25:20 -04:00 · 2021-03-24 17:25:20 -04:00 · 53b90cb177
commit 53b90cb177
parent 9cb192eba6
11 changed files with 164 additions and 2 deletions
--- a/playbooks/base-test/post.yaml
+++ b/playbooks/base-test/post.yaml
@ -8,4 +8,4 @@
  # successful jobs.
  ignore_errors: yes
  roles:
-    - remove-build-sshkey
+    - remove-build-sshkey-fork
--- a/playbooks/base-test/pre.yaml
+++ b/playbooks/base-test/pre.yaml
@ -21,7 +21,7 @@
      command: journalctl -u growroot

  roles:
-    - add-build-sshkey
+    - add-build-sshkey-fork
    - start-zuul-console
    - ensure-output-dirs

--- a/roles/add-build-sshkey-fork/README.rst
+++ b/roles/add-build-sshkey-fork/README.rst
@ -0,0 +1,40 @@
+Generate and install a build-local SSH key on all hosts
+
+This role is intended to be run on the Zuul Executor at the start of
+every job.  It generates an SSH keypair and installs the public key in
+the authorized_keys file of every host in the inventory.  It then
+removes the Zuul master key from this job's SSH agent so that the
+original key used to log into all of the hosts is no longer accessible
+(any per-project keys, if present, remain available), then adds the
+newly generated private key.
+
+**Role Variables**
+
+.. zuul:rolevar:: zuul_temp_ssh_key
+   :default: ``{{ zuul.executor.work_root }}/{{ zuul.build }}_id_rsa``
+
+   Where to put the newly-generated SSH private key.
+
+.. zuul:rolevar:: zuul_ssh_key_dest
+   :default: ``id_{{ zuul_ssh_key_algorithm }}``
+
+   File name for the the newly-generated SSH private key.
+
+.. zuul:rolevar:: zuul_build_sshkey_cleanup
+   :default: false
+
+   Remove previous build sshkey. Set it to true for single use static node.
+   Do not set it to true for multi-slot static nodes as it removes the
+   build key configured by other jobs.
+
+.. zuul:rolevar:: zuul_ssh_key_algorithm
+   :default: rsa
+
+   The digital signature algorithm to be used to generate the key. Default value
+   'rsa'.
+
+.. zuul:rolevar:: zuul_ssh_key_size
+   :default: 3072
+
+   Specifies the number of bits in the key to create. The default length is
+   3072 bits (RSA).
--- a/roles/add-build-sshkey-fork/tasks/create-key-and-replace.yaml
+++ b/roles/add-build-sshkey-fork/tasks/create-key-and-replace.yaml
@ -0,0 +1,33 @@
+- name: Create Temp SSH key
+  command: ssh-keygen -t {{ zuul_ssh_key_algorithm }} -N '' -C 'zuul-build-sshkey' -f {{ zuul_temp_ssh_key }} -b {{ zuul_ssh_key_size }}
+  delegate_to: localhost
+  run_once: true
+
+- name: Remote setup ssh keys (linux)
+  include_tasks: remote-linux.yaml
+  when: ansible_os_family != "Windows"
+
+- name: Remote setup ssh keys (windows)
+  include_tasks: remote-windows.yaml
+  when: ansible_os_family == "Windows"
+
+- import_role:
+    name: remove-zuul-sshkey
+
+- name: Add back temp key
+  command: ssh-add {{ zuul_temp_ssh_key }}
+  delegate_to: localhost
+  run_once: true
+
+- name: Verify we can still SSH to all nodes
+  ping:
+  when: ansible_os_family != "Windows"
+
+- name: Verify we can still SSH to all nodes (windows)
+  command: ssh -o BatchMode=yes -o ConnectTimeout=10 {{ ansible_user }}@{{ ansible_host }} echo success
+  delegate_to: localhost
+  when:
+    - ansible_os_family == "Windows"
+    # Only run if we successfully configured the host. If not the host doesn't support
+    # ssh and the check shall not break them.
+    - windows_remote_ssh is succeeded
--- a/roles/add-build-sshkey-fork/tasks/main.yaml
+++ b/roles/add-build-sshkey-fork/tasks/main.yaml
@ -0,0 +1,11 @@
+- name: Check to see if ssh key was already created for this build
+  stat:
+    path: "{{ zuul_temp_ssh_key }}"
+  register: zuul_temp_ssh_key_stat
+  delegate_to: localhost
+  run_once: true
+  failed_when: false
+
+- name: Create a new key in workspace based on build UUID
+  include_tasks: create-key-and-replace.yaml
+  when: not zuul_temp_ssh_key_stat.stat.exists
--- a/roles/add-build-sshkey-fork/tasks/remote-linux.yaml
+++ b/roles/add-build-sshkey-fork/tasks/remote-linux.yaml
@ -0,0 +1,32 @@
+- name: Remove previously added zuul-build-sshkey
+  lineinfile:
+    path: "~/.ssh/authorized_keys"
+    regexp: ".* zuul-build-sshkey$"
+    state: absent
+  when: zuul_build_sshkey_cleanup
+
+- name: Enable access via build key on all nodes
+  authorized_key:
+    user: "{{ ansible_ssh_user }}"
+    state: present
+    key: "{{ lookup('file', zuul_temp_ssh_key + '.pub') }}"
+
+- name: Make sure user has a .ssh
+  file:
+    state: directory
+    path: "~/.ssh"
+    mode: 0700
+
+- name: Install build private key as SSH key on all nodes
+  copy:
+    src: "{{ zuul_temp_ssh_key }}"
+    dest: "~/.ssh/{{ zuul_ssh_key_dest }}"
+    mode: 0600
+    force: no
+
+- name: Install build public key as SSH key on all nodes
+  copy:
+    src: "{{ zuul_temp_ssh_key }}.pub"
+    dest: "~/.ssh/{{ zuul_ssh_key_dest }}.pub"
+    mode: 0644
+    force: no
--- a/roles/add-build-sshkey-fork/tasks/remote-windows.yaml
+++ b/roles/add-build-sshkey-fork/tasks/remote-windows.yaml
@ -0,0 +1,25 @@
+- name: Configure ssh on remote node
+  delegate_to: localhost
+  shell: |+
+    set -eu
+
+    echo "Add node to known_hosts"
+    ssh -o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=no {{ ansible_user }}@{{ ansible_host }} echo success
+
+    echo
+
+    # We use scp here as this is much more performant than ansible copy
+    echo "Copy build ssh keys to node"
+    ssh -o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=no {{ ansible_user }}@{{ ansible_host }} powershell "md -Force -Path .ssh"
+    scp -B {{ zuul_temp_ssh_key }} {{ ansible_user }}@{{ ansible_host }}:.ssh/{{ zuul_ssh_key_dest }}
+    scp -B {{ zuul_temp_ssh_key }}.pub {{ ansible_user }}@{{ ansible_host }}:.ssh/{{ zuul_ssh_key_dest }}.pub
+
+    echo "Add build ssh keys to authorized_keys"
+    {% if win_admin_ssh | default(false) %}
+    ssh -o BatchMode=yes {{ ansible_user }}@{{ ansible_host }} cmd /c "type .ssh\\{{ zuul_ssh_key_dest }}.pub >> %programdata%\\ssh\\administrators_authorized_keys"
+    {% else %}
+    ssh -o BatchMode=yes {{ ansible_user }}@{{ ansible_host }} cmd /c "type .ssh\\{{ zuul_ssh_key_dest }}.pub >> .ssh\\authorized_keys"
+    {% endif %}
+  register: windows_remote_ssh
+  # Ignore errors here because this should not break non-ssh enabled windows hosts
+  ignore_errors: true
--- a/roles/add-build-sshkey-fork/vars/main.yaml
+++ b/roles/add-build-sshkey-fork/vars/main.yaml
@ -0,0 +1,5 @@
+zuul_build_sshkey_cleanup: false
+zuul_ssh_key_algorithm: "rsa"
+zuul_ssh_key_size: "3072"
+zuul_ssh_key_dest: "id_{{ zuul_ssh_key_algorithm }}"
+zuul_temp_ssh_key: "{{ zuul.executor.work_root }}/{{ zuul.build }}_id_{{ zuul_ssh_key_algorithm }}"
--- a/roles/remove-build-sshkey-fork/README.rst
+++ b/roles/remove-build-sshkey-fork/README.rst
@ -0,0 +1,10 @@
+Remove the per-build SSH key from all hosts
+
+The complement to :zuul:role:`add-build-sshkey-fork`.  It removes the
+build's SSH key from the authorized_keys files of all remote hosts.
+
+**Role Variables**
+
+.. zuul:rolevar:: zuul_temp_ssh_key
+
+   Where the per-build SSH private key was stored.
--- a/roles/remove-build-sshkey-fork/tasks/main.yaml
+++ b/roles/remove-build-sshkey-fork/tasks/main.yaml
@ -0,0 +1,5 @@
+- name: Remove the build SSH key from all nodes
+  authorized_key:
+    user: "{{ ansible_ssh_user }}"
+    key: "{{ lookup('file', zuul_temp_ssh_key + '.pub') }}"
+    state: absent
--- a/roles/remove-build-sshkey-fork/vars/main.yaml
+++ b/roles/remove-build-sshkey-fork/vars/main.yaml
@ -0,0 +1 @@
+zuul_temp_ssh_key: "{{ zuul.executor.src_root }}/../{{ zuul.build }}_id_{{ zuul_ssh_key_algorithm }}"
				`@ -0,0 +1 @@`
				`zuul_temp_ssh_key: "{{ zuul.executor.src_root }}/../{{ zuul.build }}_id_{{ zuul_ssh_key_algorithm }}"`