Merge pull request #11 from balena-os/kyle/addusers

klutchell · web-flow · commit ca682e0d393d · 2023-11-21T10:00:24.000-05:00
Create users and run ssh server
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -4,13 +4,17 @@ services:
   yocto-build-env:
     build: yocto-build-env
     privileged: true
+    ports:
+      - 22:22
     tmpfs:
       - /tmp
       - /run
     volumes:
-      - work:/work
+      - home:/home
       - docker:/var/lib/docker
+      - ssh:/etc/ssh
 
 volumes:
-  work: {}
+  home: {}
   docker: {}
+  ssh: {}
diff --git a/yocto-build-env/Dockerfile b/yocto-build-env/Dockerfile
@@ -22,7 +22,7 @@ ENV LANG en_US.UTF-8
 # Additional host packages required by balena
 # hadolint ignore=DL3008
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends apt-transport-https ca-certificates curl git gnupg lsb-release sudo uidmap \
+    && apt-get install -y --no-install-recommends apt-transport-https ca-certificates curl git gnupg lsb-release openssh-server sudo uidmap \
     && rm -rf /var/lib/apt/lists/*
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
@@ -84,21 +84,17 @@ RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz
 
 ENV S6_KEEP_ENV 1
 ENV S6_READ_ONLY_ROOT 1
+ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME 0
 
 # install s6-overlay
 COPY s6-overlay /etc/s6-overlay
+RUN chmod +x /etc/s6-overlay/scripts/*
 
-RUN adduser --disabled-password --gecos "" --uid 1000 nonroot \
-    && usermod -aG sudo nonroot \
-    && usermod -aG docker nonroot \
-    && echo "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers \
+# allow sudo without password
+RUN echo "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers \
     && echo "Defaults env_keep += \"DEBIAN_FRONTEND\"" >> /etc/sudoers
 
-WORKDIR /work
-
-RUN chown -R nonroot:nonroot /work
-
-# do not switch to nonroot for s6-overlay
-# see https://github.com/just-containers/s6-overlay#user-directive
+VOLUME /home
+VOLUME /etc/ssh
 
 ENTRYPOINT [ "/init" ]
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/addusers/dependencies.d/base b/yocto-build-env/s6-overlay/s6-rc.d/addusers/dependencies.d/base
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/addusers/type b/yocto-build-env/s6-overlay/s6-rc.d/addusers/type
@@ -0,0 +1 @@
+oneshot
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/addusers/up b/yocto-build-env/s6-overlay/s6-rc.d/addusers/up
@@ -0,0 +1 @@
+/etc/s6-overlay/scripts/addusers
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/dockerd/finish b/yocto-build-env/s6-overlay/s6-rc.d/dockerd/finish
@@ -1,9 +1,3 @@
 #!/usr/bin/env bash
 
 rm -f /var/run/docker.pid
-
-# # halt the container if dockerd stops
-# if [ "$1" -ne 0 ]; then
-#   echo "$1" >/run/s6-linux-init-container-results/exitcode
-#   /run/s6/basedir/bin/halt
-# fi
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/dockerd/run b/yocto-build-env/s6-overlay/s6-rc.d/dockerd/run
@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 
-set -ae
+set -euo pipefail
 
-[[ ${VERBOSE,,} =~ true|yes|on|1 ]] && set -x
+[[ ${VERBOSE:-,,} =~ true|yes|on|1 ]] && set -x
 
 DOCKER_REGISTRY_MIRROR_INTERNAL=${DOCKER_REGISTRY_MIRROR_INTERNAL:-""}
 DOCKER_REGISTRY_MIRROR=${DOCKER_REGISTRY_MIRROR:-""}
@@ -25,4 +25,4 @@ if [ -n "${DOCKER_REGISTRY_MIRROR}" ]; then
 fi
 
 # shellcheck disable=SC2086
-exec dockerd "${dockerd_args[@]}" ${EXTRA_DOCKERD_ARGS} 2>&1
+exec dockerd "${dockerd_args[@]}" ${EXTRA_DOCKERD_ARGS:-} 2>&1
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/sshd/dependencies.d/base b/yocto-build-env/s6-overlay/s6-rc.d/sshd/dependencies.d/base
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/sshd/finish b/yocto-build-env/s6-overlay/s6-rc.d/sshd/finish
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+rm -f /var/run/sshd.pid
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/sshd/run b/yocto-build-env/s6-overlay/s6-rc.d/sshd/run
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+[[ ${VERBOSE:-,,} =~ true|yes|on|1 ]] && set -x
+
+mkdir -p /run/sshd
+
+ssh-keygen -A
+
+# run sshd in the foreground
+/usr/sbin/sshd -De \
+    -o "LogLevel=${SSHD_LOG_LEVEL:-INFO}" \
+    -o PermitRootLogin=no \
+    -o PasswordAuthentication=no \
+    -o PubkeyAuthentication=yes \
+    -o UsePAM=yes \
+    -o AcceptEnv="LANG LC_*" \
+    -o PrintMotd=no \
+    -o Banner=none
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/sshd/type b/yocto-build-env/s6-overlay/s6-rc.d/sshd/type
@@ -0,0 +1 @@
+longrun
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/user/contents.d/addusers b/yocto-build-env/s6-overlay/s6-rc.d/user/contents.d/addusers
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/user/contents.d/sshd b/yocto-build-env/s6-overlay/s6-rc.d/user/contents.d/sshd
diff --git a/yocto-build-env/s6-overlay/scripts/addusers b/yocto-build-env/s6-overlay/scripts/addusers
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+[[ ${VERBOSE:-,,} =~ true|yes|on|1 ]] && set -x
+
+GH_HANDLES="${GH_HANDLES:-alexgg klutchell jakogut mtoman floion acostach majorz lmbarros}"
+
+fetch_ssh_keys() {
+    local _username="${1}"
+    local _home="${2}"
+    (
+        cd "${_home}" || exit 1
+        mkdir -p .ssh
+        curl -fsSL "https://github.com/${_username}.keys" >>.ssh/authorized_keys
+        chown -R "${_username}:${_username}" .ssh
+        chmod -R 700 .ssh
+    )
+}
+
+for username in ${GH_HANDLES:-}; do
+    home="$(eval echo ~"${username}")"
+
+    if [ -d "${home}" ]; then
+        # create the user with the same uid as the existing home directory
+        uid="$(stat -c "%u" "${home}")"
+        adduser --disabled-password --gecos "${username}" "${username}" --uid "${uid}"
+    else
+        # create a new user and home directory
+        adduser --disabled-password --gecos "${username}" "${username}"
+    fi
+
+    # add the user to the sudo and docker groups
+    usermod -aG sudo "${username}" || true
+    usermod -aG docker "${username}" || true
+
+    # fetch the user's ssh keys from github
+    fetch_ssh_keys "${username}" "${home}" || true
+done

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+#!/usr/bin/env bash`
	`2`	`+`
	`3`	`+rm -f /var/run/sshd.pid`