diff --git a/.github/workflows/packMachines.yml b/.github/workflows/packMachines.yml index 2e76499..b55ab5a 100644 --- a/.github/workflows/packMachines.yml +++ b/.github/workflows/packMachines.yml @@ -77,7 +77,6 @@ jobs: echo "ARM_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}" >> $GITHUB_ENV shell: bash - - name: Set up Packer uses: hashicorp/setup-packer@1aa358be5cf73883762b302a3a03abd66e75b232 with: 
@@ -180,24 +179,37 @@ jobs: echo "ARM_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}" >> $GITHUB_ENV shell: bash + - name: Install QEMU + run: sudo apt-get update && sudo apt-get install -y qemu-system-x86 openssl whois + + - name: Generate user-data with hashed password + working-directory: ./packer/ubuntu-server + run: | + plain_pass=$(openssl rand -base64 12) + echo "Random password: $plain_pass" + echo "PLAIN_PASSWORD=$plain_pass" >> $GITHUB_ENV + hashed_pass=$(mkpasswd --method=SHA-512 "$plain_pass") + sed -i "s|{{password_hash}}|$hashed_pass|g" http/user-data + echo "user-data file is ready with hashed password." + - name: Set up Packer uses: hashicorp/setup-packer@1aa358be5cf73883762b302a3a03abd66e75b232 with: version: 1.11.2 - - name: Install QEMU - run: sudo apt-get update && sudo apt-get install -y qemu-system-x86 - + - name: Run `packer init ${{ inputs.service }}` working-directory: ./packer/ubuntu-server run: packer init . - name: Run `packer validate ${{ inputs.service }}` working-directory: ./packer/ubuntu-server - run: packer validate --var dibbs_service=${{ inputs.service }} --var dibbs_version=${{ inputs.version }} . + run: packer validate --var dibbs_service=${{ inputs.service }} --var dibbs_version=${{ inputs.version }} --var ssh_password='${{ env.PLAIN_PASSWORD }}' . + - name: Run `packer build ${{ inputs.service }}` working-directory: ./packer/ubuntu-server - run: packer build --var dibbs_service=${{ inputs.service }} --var dibbs_version=${{ inputs.version }} . + run: packer build --var dibbs_service=${{ inputs.service }} --var dibbs_version=${{ inputs.version }} --var ssh_password='${{ env.PLAIN_PASSWORD }}' . + ## TODO: Decide how to export artifact. \ No newline at end of file diff --git a/packer/ubuntu-server/jails/jail.local b/packer/ubuntu-server/jails/jail.local index e9c4d77..1263b8e 100644 --- a/packer/ubuntu-server/jails/jail.local +++ b/packer/ubuntu-server/jails/jail.local 
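Review bot: `echo "Random password: $plain_pass"` in the new 'Generate user-data with hashed password' step writes the clear-text password of the sudo-capable `dibbs-user` account baked into every image this workflow builds into the job log, which GitHub retains and shows to anyone who can read the repository's Actions runs. If operators are meant to read it there, that is a long-lived credential stored in a CI log; if not, mask it before any use and drop the echo: `echo "::add-mask::$plain_pass"` as the first line after the `openssl rand` call. The value is also expanded into the later `packer validate` and `packer build` commands through `${{ env.PLAIN_PASSWORD }}`, and the rendered `run` line is shown at the top of each step's log; reading it as a shell variable instead, `--var ssh_password="$PLAIN_PASSWORD"`, keeps it out of the rendered command and avoids the quoting hazard of splicing a raw value into shell text. Note also that writing it to `$GITHUB_ENV` exposes the plaintext to every later step in the job, including third-party actions.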
@@ -22,7 +22,7 @@ mta = sendmail # configured above. action_mw = %(action_)s %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] -action = $(action_)s +action = iptables [ssh] diff --git a/packer/ubuntu-server/ubuntu.pkr.hcl b/packer/ubuntu-server/ubuntu.pkr.hcl index a0c4f06..d89252b 100644 --- a/packer/ubuntu-server/ubuntu.pkr.hcl +++ b/packer/ubuntu-server/ubuntu.pkr.hcl @@ -86,7 +86,7 @@ source "amazon-ebs" "aws-ami" { most_recent = true } - //TODO: CHANGE ME! Change the password to use the random one, too! + # Packer connects as ubuntu user during build, then we create dibbs-user via provisioning ssh_username = "ubuntu" launch_block_device_mappings { 
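Review bot: `action = iptables` drops the `%(action_)s` indirection — the removed line's `$(action_)s` was a typo for it, as the `action_mw` definition just above shows — so the default action no longer receives the `port="%(port)s"`, `protocol` and `chain` arguments that `action_` passes in a stock jail.conf and no longer follows `banaction`. The iptables action then bans with its own built-in defaults (port `ssh` in the stock action file, to be confirmed) rather than each jail's `port`, which happens to fit the `[ssh]` jail that follows but is wrong for any other jail. The minimal fix is to correct the interpolation, `action = %(action_)s`; if a fixed action is really intended, keep the parameters: `action = iptables[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]`.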
@@ -121,25 +121,48 @@ source "azure-arm" "azure-image" { managed_image_resource_group_name = "skylight-dibbs-vm1" os_type = "Linux" - //TODO: CHANGE ME! Change the password to use the random one, too! - ssh_username = "ubuntu" - + # Packer connects as ubuntu user during build, then we create dibbs-user via provisioning + ssh_username = "ubuntu" } build { name = "multi-cloud-build" sources = [ - "source.qemu.raw" - //"source.amazon-ebs.aws-ami", - //"source.azure-arm.azure-image" + "source.qemu.raw", + "source.amazon-ebs.aws-ami", + "source.azure-arm.azure-image" ] + # Create dibbs-user account on cloud instances during build + provisioner "shell" { + only = ["amazon-ebs.aws-ami", "azure-arm.azure-image"] + inline = [ + "sudo useradd -m -s /bin/bash -G sudo dibbs-user", + "echo 'dibbs-user:${var.ssh_password}' | sudo chpasswd", + "echo 'dibbs-user ALL=(ALL) ALL' | sudo tee /etc/sudoers.d/dibbs-user", + "sudo chmod 0440 /etc/sudoers.d/dibbs-user" , + "sudo gpasswd -d ubuntu docker || true" , + "echo 'ubuntu ALL=(ALL) NOPASSWD: ALL, !/usr/bin/docker' | sudo tee /etc/sudoers.d/ubuntu-docker-block", + "sudo chmod 0440 /etc/sudoers.d/ubuntu-docker-block" + ] + } + provisioner "file" { source = "./jails/jail.local" destination = "~/jail.local" } + # Wait for dibbs-user to be created on cloud instances + provisioner "shell" { + only = ["amazon-ebs.aws-ami", "azure-arm.azure-image"] + inline = [ + "while ! id dibbs-user >/dev/null 2>&1; do echo 'Waiting for dibbs-user...'; sleep 5; done", + "echo 'dibbs-user is ready'" + ] + } + + # Switch to dibbs-user for subsequent provisioning on cloud instances provisioner "shell" { only = ["azure-arm.azure-image"] scripts = [ @@ -153,9 +176,7 @@ build { "USE_SUDO=sudo", "BUILD_TYPE=azure" ] - - //TODO: Add new password here! - execute_command = "echo 'ubuntu' | {{.Vars}} sudo -S -E bash '{{.Path}}'" + execute_command = "echo '${var.ssh_password}' | {{.Vars}} sudo -S -E bash '{{.Path}}'" } provisioner "shell" { 
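Review bot: The sudoers line `echo 'ubuntu ALL=(ALL) NOPASSWD: ALL, !/usr/bin/docker'` in the new user-creation provisioner does not keep the ubuntu account away from Docker: sudoers(5) states that subtracting commands from `ALL` with `!` is not effective, since `sudo bash`, `sudo cp /usr/bin/docker /tmp/d && sudo /tmp/d`, or a symlink to the binary all get around it, and with passwordless `ALL` the account is root anyway. `gpasswd -d ubuntu docker` on the line before is cosmetic for the same reason. If only `dibbs-user` should drive Docker, restrict ubuntu's sudo instead — drop `NOPASSWD: ALL`, or remove ubuntu's sudo rights entirely once dibbs-user is verified — and check the cloud-init sudoers.d file that, on stock Ubuntu cloud images, is presumably where ubuntu's passwordless sudo comes from; this rule does not touch it. Separately, the shell provisioner that polls `id dibbs-user` is dead code: Packer runs provisioners in order, so `useradd` in the preceding provisioner has already completed.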
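Review bot: `execute_command = "echo '${var.ssh_password}' | {{.Vars}} sudo -S -E bash '{{.Path}}'"` feeds the dibbs-user password to `sudo -S`, but the scripts still run over the `ubuntu` SSH session (`ssh_username = "ubuntu"` in the sources above), whose sudo on stock cloud images is passwordless, so the secret authenticates nothing and only ends up in the argv of the remote login shell and in any Packer debug output. If passwordless sudo is the assumption, `execute_command = "{{.Vars}} sudo -E bash '{{.Path}}'"` does the same without the secret; if the intent is for this provisioner to act as dibbs-user, as the 'Switch to dibbs-user' comment suggests, the SSH connection user would have to change, which this hunk does not do. Declaring `ssh_password` with `sensitive = true` in its variable block (not shown) would at least make Packer mask it in output. The provisioner block this line belongs to starts before the hunk.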
@@ -168,12 +189,10 @@ build { environment_vars = [ "DIBBS_SERVICE=${var.dibbs_service}", "DIBBS_VERSION=${var.dibbs_version}", - "USE_SUDO=", + "USE_SUDO=sudo", "BUILD_TYPE=aws" ] - - //TODO: Add new password here! - execute_command = "echo 'ubuntu' | {{.Vars}} sudo -S -E bash '{{.Path}}'" + execute_command = "echo '${var.ssh_password}' | {{.Vars}} sudo -S -E bash '{{.Path}}'" } provisioner "shell" { @@ -203,4 +222,4 @@ build { source = "./scripts/apt-updates.sh.home" destination = "~/apt-updates.sh" } -} +} \ No newline at end of file
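Review bot: The AWS provisioner picks up the same `execute_command = "echo '${var.ssh_password}' | {{.Vars}} sudo -S -E bash '{{.Path}}'"` as the Azure one, and the same objection applies: the session user is `ubuntu` (`ssh_username = "ubuntu"` in the amazon-ebs source), not dibbs-user, so the password is not what sudo would check and it is merely exposed in the remote shell's argv and any debug log. Dropping the pipe, `execute_command = "{{.Vars}} sudo -E bash '{{.Path}}'"`, keeps the behaviour on images where ubuntu has passwordless sudo and removes the secret from the command line. With the scripts already running under `sudo -E bash`, the new `USE_SUDO=sudo` makes each `$USE_SUDO`-prefixed command re-invoke sudo as root; harmless, but worth a one-line comment in the script if it is deliberate for parity with the Azure build. The provisioner block starts before this hunk.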