slaprunner: replaces dropbear by openssh

software/slaprunner/common.cfg

@@ -5,13 +5,13 @@ extends =
   ../../component/curl/buildout.cfg
   ../../component/dash/buildout.cfg
   ../../component/dcron/buildout.cfg
-  ../../component/dropbear/buildout.cfg
   ../../component/git/buildout.cfg
   ../../component/tig/buildout.cfg
   ../../component/logrotate/buildout.cfg
   ../../component/lxml-python/buildout.cfg
   ../../component/nano/buildout.cfg
   ../../component/nginx/buildout.cfg
+  ../../component/openssh/buildout.cfg
   ../../component/rsync/buildout.cfg
   ../../component/python-2.7/buildout.cfg
   ../../component/screen/buildout.cfg
@@ -54,7 +54,7 @@ mode = 0644
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-runner.cfg
 output = ${buildout:directory}/template-runner.cfg.in
-md5sum = c98c81336cb8c91376737e20bad6636a
+#md5sum = dcf366fb8a16fa380bb58634b3b0e0cc
 mode = 0644
 
 [template-runner-import-script]
@@ -70,7 +70,7 @@ mode = 0644
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-runner-import.cfg.in
 output = ${buildout:directory}/instance-runner-import.cfg
-md5sum = 8dc4898bd7c3071b8969e6305da8d643
+md5sum = 22d958bd271a378b84f04e36010ee689
 mode = 0644
 
 [template-runner-export-script]
@@ -86,13 +86,13 @@ mode = 0644
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-runner-export.cfg.in
 output = ${buildout:directory}/instance-runner-export.cfg
-md5sum = b01ad6fef55fab5405d5cf212832e52f
+md5sum = 38a2b6e9ebb65457c1f477455b205328
 mode = 0644
 
 [template-resilient]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/instance-resilient.cfg.jinja2
-md5sum = 56ea5ab49eca534acd22b2028529b7d9
+md5sum = a902b84ac7d1e29a7fdb06cbc7dec150
 filename = instance-resilient.cfg.jinja2
 mode = 0644
 

software/slaprunner/instance-resilient.cfg.jinja2

@@ -15,7 +15,6 @@
 {% set slaprunner_return = ['init-user', 'init-password', 'url', 'ssh-public-key', 'ssh-url', 'notification-id', 'ip', 'backend-url', 'url', 'ssh-command', 'webdav-url', 'public-url', 'git-public-url', 'git-private-url'] -%}
 {% set monitor_return = ['monitor-base-url', 'monitor-url', 'monitor-user', 'monitor-password'] -%}
 {% set monitor_parameter = {'monitor-cors-domains': slapparameter_dict.pop('monitor-cors-domains', "monitor.app.officejs.com")} -%}
-{% do monitor_parameter.update({'runner-importer-sshd-port': slapparameter_dict.pop('runner-importer-sshd-port')}) -%}
 {% set monitor_dict = {'parameter': monitor_parameter, 'return': monitor_return, 'set-monitor-url': True} -%}
 {% set monitor_interface_url = slapparameter_dict.pop('monitor-interface-url', 'https://monitor.app.officejs.com') -%}
 

software/slaprunner/instance-runner-export.cfg.in

@@ -9,14 +9,14 @@ parts +=
   ca-nginx
   gunicorn-launcher
   gunicorn-graceful
-  sshkeys-dropbear-runner
-  dropbear-server-add-authorized-key
   sshkeys-authority
   publish-connection-information
   slaprunner-promise
   apache-httpd-promise
   slaprunner-supervisord-wrapper
-  dropbear-promise
+  runner-sshd-add-authorized-key
+  runner-sshd-graceful
+  runner-sshd-promise
   runtestsuite
   symlinks
   shellinabox
@@ -30,6 +30,7 @@ parts +=
   supervisord-wrapper
   supervisord-promise
   httpd-graceful-wrapper
+  runner-sshd
 ## Monitoring part
 ## Monitor for runner
   monitor-base

software/slaprunner/instance-runner-import.cfg.in

@@ -9,12 +9,13 @@ parts +=
   ca-nginx
   gunicorn-launcher
   gunicorn-graceful
-  sshkeys-dropbear-runner
-  dropbear-server-add-authorized-key
   sshkeys-authority
   slaprunner-promise
   slaprunner-supervisord-wrapper
-  dropbear-promise
+  runner-sshd
+  runner-sshd-add-authorized-key
+  runner-sshd-graceful
+  runner-sshd-promise
   runtestsuite
   shellinabox
   symlinks
@@ -39,8 +40,9 @@ proxy_port = 50000
 runner_port = 50005
 
 # Idem for some other services
-[dropbear-runner-server]
-port = $${slap-parameter:runner-importer-sshd-port}
+[runner-sshd-port]
+minimum = 22232
+maximum = 22241
 
 [importer]
 recipe = slapos.recipe.template:jinja2

software/slaprunner/instance-runner.cfg

@@ -6,14 +6,15 @@ parts =
   ca-nginx
   gunicorn-launcher
   gunicorn-graceful
-  sshkeys-dropbear-runner
-  dropbear-server-add-authorized-key
   sshkeys-authority
   publish-connection-information
   slaprunner-promise
   apache-httpd-promise
   slaprunner-supervisord-wrapper
-  dropbear-promise
+  runner-sshd
+  runner-sshd-add-authorized-key
+  runner-sshd-graceful
+  runner-sshd-promise
   runtestsuite
   symlinks
   shellinabox
@@ -133,13 +134,13 @@ working-directory = $${runnerdirectory:home}
 project-directory = $${runnerdirectory:project}
 instance_root = $${runnerdirectory:instance-root}
 software_root = $${runnerdirectory:software-root}
+ssh_client = ${openssh:location}/bin/ssh
+public_key = $${runner-sshd-key-authority:location}.pub
+private_key = $${runner-sshd-key-authority:location}
 instance-monitor-url = https://[$${:ipv6}]:$${monitor-parameters:port}
 etc_dir = $${directory:etc}
 log_dir =  $${directory:log}
 run_dir = $${directory:run}
-ssh_client = $${sshkeys-dropbear-runner:wrapper}
-public_key = $${sshkeys-dropbear-runner:public-key}
-private_key = $${sshkeys-dropbear-runner:private-key}
 ipv4 = $${slap-network-information:local-ipv4}
 ipv6 = $${slap-network-information:global-ipv6}
 instance_root = $${runnerdirectory:instance-root}
@@ -198,43 +199,47 @@ command-line = ${buildout:directory}/bin/slaprunnertest
 wrapper-path = $${directory:bin}/runTestSuite
 environment = RUNNER_CONFIG=$${slapos-cfg:rendered}
 
-# Deploy dropbear (minimalist SSH server)
-[sshkeys-directory]
-recipe = slapos.cookbook:mkdirectory
-requests = $${directory:sshkeys}/requests/
-keys = $${directory:sshkeys}/keys/
-
-[sshkeys-authority]
-recipe = slapos.cookbook:sshkeys_authority
-request-directory = $${sshkeys-directory:requests}
-keys-directory = $${sshkeys-directory:keys}
-wrapper = $${directory:services}/sshkeys_authority
-keygen-binary = ${dropbear:location}/bin/dropbearkey
-
-[dropbear-runner-server]
-recipe = slapos.cookbook:dropbear
-host = $${slap-network-information:global-ipv6}
-port = $${slap-parameter:runner-sshd-port}
-home = $${buildout:directory}
-wrapper = $${directory:bin}/runner_sshd
-shell = ${bash:location}/bin/bash
-rsa-keyfile = $${directory:ssh}/server_key.rsa
-allow-port-forwarding = true
-dropbear-binary = ${dropbear:location}/sbin/dropbear
-
-[sshkeys-dropbear-runner]
-<= sshkeys-authority
-recipe = slapos.cookbook:sshkeys_authority.request
-name = dropbear
-type = rsa
-executable = $${dropbear-runner-server:wrapper}
-public-key = $${dropbear-runner-server:rsa-keyfile}.pub
-private-key = $${dropbear-runner-server:rsa-keyfile}
-wrapper = $${directory:services}/runner_sshd
-
-[dropbear-server-add-authorized-key]
-<= dropbear-runner-server
+# Deploy openssh-server
+[runner-sshd-key-authority]
+recipe = plone.recipe.command
+location = $${directory:sshkeys}/ssh_host_rsa_key
+command = if [ ! -f "$${:location}" ]; then ${openssh:location}/bin/ssh-keygen -t rsa -b 4096 -f "$${:location}" -N '' -C ''; fi
+
+[runner-sshd-port]
+recipe = slapos.cookbook:free_port
+minimum = 22222
+maximum = 22231
+ip = $${slap-network-information:global-ipv6}
+
+[runner-sshd-config]
+recipe = slapos.recipe.template:jinja2
+rendered = $${directory:etc}/runner-sshd.conf
+path_pid = $${directory:run}/runner-sshd.pid
+template = inline:
+  PidFile $${:path_pid}
+  Port $${runner-sshd-port:port}
+  ListenAddress $${slap-network-information:global-ipv6}
+  Protocol 2
+  UsePrivilegeSeparation no
+  HostKey $${runner-sshd-key-authority:location}
+  PasswordAuthentication no
+  PubkeyAuthentication yes
+  AuthorizedKeysFile $${buildout:directory}/.ssh/authorized_keys
+  ForceCommand if [ -z "$SSH_ORIGINAL_COMMAND" ]; then ${bash:location}/bin/bash -l; else $SSH_ORIGINAL_COMMAND; fi
+
+[runner-sshd]
+recipe = slapos.cookbook:wrapper
+command-line = ${openssh:location}/sbin/sshd -D -e -f $${runner-sshd-config:rendered}
+wrapper-path = $${directory:services}/runner-sshd
+
+[runner-sshd-graceful]
+recipe = slapos.cookbook:wrapper
+command-line = $${directory:bin}/killpidfromfile $${runner-sshd-config:path_pid} SIGHUP
+wrapper-path = $${directory:scripts}/runner-sshd-graceful
+
+[runner-sshd-add-authorized-key]
 recipe = slapos.cookbook:dropbear.add_authorized_key
+home = $${buildout:directory}
 key = $${slap-parameter:user-authorized-key}
 
 #---------------------------
@@ -494,7 +499,7 @@ recipe = slapos.cookbook:publish
 backend-url = $${slaprunner:access-url}
 init-user = $${runner-htpasswd:user}
 init-password = $${runner-htpasswd:password}
-ssh-command = ssh $${dropbear-runner-server:host} -p $${dropbear-runner-server:port}
+ssh-command = ssh $${environ:USER}@$${slap-network-information:global-ipv6} -p $${runner-sshd-port:port}
 git-public-url = https://[$${httpd-parameters:global_ip}]:$${httpd-parameters:global_port}/git-public/
 git-private-url = https://[$${httpd-parameters:global_ip}]:$${httpd-parameters:global_port}/git/
 monitor-base-url = $${publish:monitor-base-url}
@@ -526,11 +531,11 @@ path = $${directory:promises}/slaprunner
 hostname = $${slaprunner:ipv6}
 port = $${slaprunner:runner_port}
 
-[dropbear-promise]
+[runner-sshd-promise]
 recipe = slapos.cookbook:check_port_listening
-path = $${directory:promises}/dropbear
-hostname = $${dropbear-runner-server:host}
-port = $${dropbear-runner-server:port}
+path = $${directory:promises}/runner-sshd
+hostname = $${slap-network-information:global-ipv6}
+port = $${runner-sshd-port:port}
 
 [symlinks]
 recipe = cns.recipe.symlink
@@ -559,8 +564,6 @@ monitor-cors-domains =
 monitor-interface-url = 
 # XXX - define a new port for monitor here and use monitor-port for backward compatibility
 monitor-httpd-port = 8386
-runner-sshd-port = 22222
-runner-importer-sshd-port = $${:runner-sshd-port}
 
 [monitor-parameters]
 port = $${slap-parameter:monitor-port}