Posted to dev@cloudstack.apache.org by Ian Service <is...@ts2.ca> on 2013/06/18 15:53:21 UTC

Review Request: modify cloud-set-guest-sshkey.in initscript to handle SELinux configuration

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/11934/
-----------------------------------------------------------

Review request for cloudstack.


Description
-------

With SELinux enabled on a CentOS VM template the automatic creation process of ~/.ssh and ~/.ssh/authorized_keys doesn't contain the metadata required for those files to be used for public key authentication.  Running "restorecon -R -v ~/.ssh" restores the configuration and allows public key authentication to function with SELinux in the enforcing state.

This patch checks for the existence of /sbin/restorecon when /etc/init.d/cloud-set-guest-sshkey.in is run, after it would have updated the .ssh directory and if it exists it restores the configuration.


Diffs
-----

  setup/bindir/cloud-set-guest-sshkey.in 15008b8 

Diff: https://reviews.apache.org/r/11934/diff/


Testing
-------

Tested on latest CentOS 6.4 template.  Without this modification, machines generated with Cloudstack API's deployVirtualMachine and the keypair parameter which have SELinux enabled still prompt for password even if the correct private key is supplied to SSH.  Once this patch is applied those same VMs will allow login via public key.


Thanks,

Ian Service
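
One way to implement the behaviour described in the review request above, as an added example that is neither the patch under review nor CloudStack's own initscript. `install_guest_key` and the `RESTORECON` override variable are hypothetical names; `/sbin/restorecon` and the `-R -v` flags are the ones named in the request.

```shell
#!/bin/sh
# Added example: install a public key for a guest account and restore the
# SELinux labels on ~/.ssh when the relabel tool is available.
# RESTORECON can be overridden (hypothetical knob) for testing.
RESTORECON="${RESTORECON:-/sbin/restorecon}"

# install_guest_key HOME_DIR PUBLIC_KEY
# Returns 0 on success, 1 if the key could not be written,
# 2 if the key was written but relabelling failed.
install_guest_key() {
    home_dir=$1
    public_key=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    [ -d "$home_dir" ] || { echo "no such home: $home_dir" >&2; return 1; }
    [ -n "$public_key" ] || { echo "empty public key" >&2; return 1; }

    # Set modes explicitly rather than relying on the init script's umask.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Append only when the exact line is absent, so repeated boots do not
    # accumulate duplicate entries.
    grep -qxF -- "$public_key" "$auth_file" ||
        printf '%s\n' "$public_key" >> "$auth_file" || return 1

    # Relabel after the files exist: restorecon resets each path to the
    # context the loaded policy assigns to it. Skip quietly on images
    # that do not ship the tool.
    if [ -x "$RESTORECON" ]; then
        "$RESTORECON" -R -v "$ssh_dir" || {
            echo "warning: relabel of $ssh_dir failed" >&2
            return 2
        }
    fi
    return 0
}
```

The relabel step runs last so that files created earlier in the same call are covered, which matches the ordering the request describes.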


Re: Review Request: CLOUDSTACK-3054 modify cloud-set-guest-sshkey.in initscript to handle SELinux configuration

Posted by David Nalley <da...@gnsa.us>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/11934/#review22064
-----------------------------------------------------------

Ship it!


Thanks for the patch 

commit 025f682e93edd662a0867bebbfc089039922df86
Author: Ian Service <is...@ts2.ca>
Date:   Tue Jun 18 10:39:31 2013 -0400

    CLOUDSTACK-3054 - Have ssh key initscript handle SELinux permissions

- David Nalley




Re: Review Request: CLOUDSTACK-3054 modify cloud-set-guest-sshkey.in initscript to handle SELinux configuration

Posted by David Nalley <da...@gnsa.us>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/11934/
-----------------------------------------------------------

(Updated June 18, 2013, 2:41 p.m.)


Review request for cloudstack.


Summary (updated)
-----------------

CLOUDSTACK-3054 modify cloud-set-guest-sshkey.in initscript to handle SELinux configuration


Description
-------

With SELinux enabled on a CentOS VM template the automatic creation process of ~/.ssh and ~/.ssh/authorized_keys doesn't contain the metadata required for those files to be used for public key authentication.  Running "restorecon -R -v ~/.ssh" restores the configuration and allows public key authentication to function with SELinux in the enforcing state.

This patch checks for the existence of /sbin/restorecon when /etc/init.d/cloud-set-guest-sshkey.in is run, after it would have updated the .ssh directory and if it exists it restores the configuration.


Diffs
-----

  setup/bindir/cloud-set-guest-sshkey.in 15008b8 

Diff: https://reviews.apache.org/r/11934/diff/


Testing
-------

Tested on latest CentOS 6.4 template.  Without this modification, machines generated with Cloudstack API's deployVirtualMachine and the keypair parameter which have SELinux enabled still prompt for password even if the correct private key is supplied to SSH.  Once this patch is applied those same VMs will allow login via public key.


Thanks,

Ian Service


Re: Review Request: modify cloud-set-guest-sshkey.in initscript to handle SELinux configuration

Posted by Ian Service <is...@ts2.ca>.

> On June 18, 2013, 1:58 p.m., David Nalley wrote:
> > Would you mind creating a bug for this?? 
> > 
> > --David

Not at all, not sure what detail was required, let me know if I need to update it.

https://issues.apache.org/jira/browse/CLOUDSTACK-3054


- Ian


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/11934/#review22060
-----------------------------------------------------------




Re: Review Request: modify cloud-set-guest-sshkey.in initscript to handle SELinux configuration

Posted by David Nalley <da...@gnsa.us>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/11934/#review22060
-----------------------------------------------------------


Would you mind creating a bug for this?? 

--David

- David Nalley

