From 647cdb834693e84499f31be99a31edcf6ffe5b70 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 17 Jan 2024 15:59:26 -0600
Subject: [PATCH] ssh-host-certs: Run sshca-cli from a container
Installing packages on the host system via `rpm-ostree` is _insanely_ slow, especially on Raspberry Pi devices. The main reason I chose to go that route for managing the SSH host certificates was to avoid having to maintain the systemd units in multiple places. I think the trade-off is worth it, though; bringing up a new Raspberry Pi is significantly faster, by 15+ minutes, if we do not have to wait for `rpm-ostree` at all.
---
 ssh-host-cert-sign@.container | 22 ++++++++++++++++++++++
 ssh-host-certs-renew.target | 7 +++++++
 ssh-host-certs-renew.timer | 12 ++++++++++++
 ssh-host-certs.service | 12 ++++++++++++
 ssh-host-certs.yaml | 31 ++++++++++++++++++-------------
 5 files changed, 71 insertions(+), 13 deletions(-)
 create mode 100644 ssh-host-cert-sign@.container
 create mode 100644 ssh-host-certs-renew.target
 create mode 100644 ssh-host-certs-renew.timer
 create mode 100644 ssh-host-certs.service
diff --git a/ssh-host-cert-sign@.container b/ssh-host-cert-sign@.container
new file mode 100644
index 0000000..4855bbf
--- /dev/null
+++ b/ssh-host-cert-sign@.container
@@ -0,0 +1,22 @@
+[Unit]
+Description=Request %I SSH Host Certificate
+After=network-online.target
+Wants=network-online.target
+Before=ssh-host-certs.service
+
+[Service]
+Type=oneshot
+
+[Container]
+Image=git.pyrocufflink.net/containerimages/sshca-cli
+Pull=newer
+EnvironmentFile=/etc/sysconfig/ssh-host-cert-sign
+Exec=host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
+Volume=/etc/ssh:/etc/ssh:rw
+Volume=/sys/firmware:/sys/firmware:ro
+Volume=/sys/class/dmi/id:/sys/class/dmi/id:ro
+Network=host
+SecurityLabelDisable=yes
+ContainerName=%p-%i
+PodmanArgs=--uts=host
+PodmanArgs=--security-opt=unmask=/sys/firmware
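Review bot: `Volume=/etc/ssh:/etc/ssh:rw` gives the container read access to every host private key, although `Exec=` only reads `ssh_host_%I_key.pub` and writes `ssh_host_%I_key-cert.pub`; together with `Pull=newer` on an unpinned `Image=` tag, `Network=host`, `--uts=host` and `SecurityLabelDisable=yes`, whatever the registry serves next runs with that access on the host. Narrowing the mount — e.g. the public key read-only plus a dedicated output directory, with the `Exec=` paths adjusted — or at least pinning `Image=` to a digest would shrink that exposure. No `User=` is set, so the container presumably runs as root on the host side; a comment explaining why `/sys/firmware`, `/sys/class/dmi/id` and the unmask are required (presumably machine identity for the CA) would make the elevated settings reviewable.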
diff --git a/ssh-host-certs-renew.target b/ssh-host-certs-renew.target
new file mode 100644
index 0000000..9e54f1b
--- /dev/null
+++ b/ssh-host-certs-renew.target
@@ -0,0 +1,7 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+StopWhenUnneeded=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service
diff --git a/ssh-host-certs-renew.timer b/ssh-host-certs-renew.timer
new file mode 100644
index 0000000..3f6f728
--- /dev/null
+++ b/ssh-host-certs-renew.timer
@@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically renew SSH host certificates
+
+[Timer]
+Unit=%N.target
+OnCalendar=Tue *-*-* 00:00:00
+RandomizedDelaySec=48h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target
diff --git a/ssh-host-certs.service b/ssh-host-certs.service
new file mode 100644
index 0000000..b5372c2
--- /dev/null
+++ b/ssh-host-certs.service
@@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+ConditionFirstBoot=yes
+Wants=ssh-host-certs-renew.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl disable %n
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ssh-host-certs.yaml b/ssh-host-certs.yaml
index 0c43c85..6866fa5 100644
--- a/ssh-host-certs.yaml
+++ b/ssh-host-certs.yaml
@@ -1,18 +1,12 @@
 variant: fcos
 version: 1.4.0
-ignition:
- config:
- merge:
- - local: dch-repo.ign
-
 storage:
 files:
- - path: /etc/ignition/packages.d/sshca
+ - path: /etc/containers/systemd/ssh-host-cert-sign@.container
 mode: 0644
 contents:
- inline: |
- sshca-cli-systemd
+ local: ssh-host-cert-sign@.container
 - path: /etc/ssh/sshd_config.d/10-hostcertificate.conf
 mode: 0644
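Review bot: Nothing in this renewal target reloads sshd after the three `ssh-host-cert-sign@` instances rewrite the `-cert.pub` files, and as far as I recall sshd only reads `HostCertificate` files at start and on reload, so a renewed certificate would not be presented until the next sshd restart. A small oneshot wanted by this target, ordered `After=` the three instances, with `ExecStart=/usr/bin/systemctl reload sshd.service` would close that gap. The `Wants=` lines also mean the target reaches active even when every instance fails, so a renewal failure only shows up on the instance units; `Requires=` would make the target itself fail and be easier to alert on.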
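Review bot: `OnCalendar=Tue *-*-* 00:00:00` with `RandomizedDelaySec=48h` lets consecutive renewals fall up to about nine days apart, and `Persistent=yes` only catches a missed Tuesday, so the certificate validity the CA issues must comfortably exceed that; nothing visible here states what that validity is. A comment on the timer such as `# Renewal may lag the schedule by up to 48h; issued certificates must stay valid well beyond 9 days` would record the assumption next to the numbers it constrains.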
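Review bot: A failed first-boot signing is silent here: `Wants=ssh-host-certs-renew.target` does not propagate failure, so `ExecStart=/usr/bin/systemctl disable %n` still runs, and because `ConditionFirstBoot=yes` is never true again the host stays without a certificate until the Tuesday timer fires. The `ssh-host-cert-sign@` instances only declare `Before=ssh-host-certs.service`, so nothing appears to order them before `sshd.service` on first boot either, and sshd may start before the certificates exist. If delaying sshd on first boot is acceptable, `Before=sshd.service` on the instance units, plus a `Requires=` chain down to the instances so a failure leaves this unit visibly failed, would address both; a comment stating that a first-boot failure is deliberately left to the timer would be the minimum.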
@@ -28,13 +22,24 @@ storage:
 inline: |
 SSHCA_SERVER=https://sshca.pyrocufflink.blue
- links:
- - path: /etc/systemd/system/after-install.target.wants/ssh-host-certs.target
- target: /usr/lib/systemd/system/ssh-host-certs.target
- - path: /etc/systemd/system/after-install.target.wants/ssh-host-certs-renew.timer
- target: /usr/lib/systemd/system/ssh-host-certs-renew.timer
+ - path: /etc/systemd/system/ssh-host-certs-renew.timer
+ mode: 0644
+ contents:
+ local: ssh-host-certs-renew.timer
+
+ - path: /etc/systemd/system/ssh-host-certs-renew.target
+ mode: 0644
+ contents:
+ local: ssh-host-certs-renew.target
+
+ - path: /etc/systemd/system/ssh-host-certs.service
+ mode: 0644
+ contents:
+ local: ssh-host-certs.service
 systemd:
 units:
+ - name: ssh-host-certs.service
+ enabled: true
 - name: ssh-host-certs-renew.timer
 enabled: true