tools: add command 'stx control keys-add'
From https://review.opendev.org/c/starlingx/root/+/868920, build process for signed image is as below: (1) Prepare keys on dockers and signing server to setup access to signing server without password: Use "ssh-keygen -t rsa" to create a ssh key pair, e.g. id_rsa.pub and id_rsa. Prepare on lat docker (default user is root): mkdir ~/.ssh copy id_rsa to ~/.ssh directory Prepare on builder docker: mkdir ~/.ssh copy id_rsa to ~/.ssh directory sudo mkdir /root/.ssh sudo copy id_rsa to /root/.ssh directory Prepare on signing server: append id_rsa.pub to the file on signing server: /home/${signing_user}/.ssh/authorized_keys (2) Run on builder docker: export SIGNING_SERVER="signing_user@signing_server_ip" <PATH>/sign-secure-boot_debian build-image The <PATH> is: /localdisk/designer/${USER}/stx/cgcs-root/build-tools An extension to the 'stx' tool to inject keys into the relevant containers is added as 'stx control keys-add --key-type=signing-server --key=[key file]' which can replace all the work on dockers in (1). Test plan: - PASS: run 'stx control keys-add --key-type=signing-server --key=[key file]' after containers start up, and check the keys mentioned above are right in containers. - PASS: run the complete build process as below and get a bootable iso with secure boot enabled: stx control keys-add --key-type=signing-server --key=[key file] stx shell export SIGNING_SERVER="signing_user@signing_server_ip" <PATH>/sign-secure-boot_debian build-image Story: 2009221 Task: 47097 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: Id84c5d96b8565a7c7d8da018730f2591d86e2d24
This commit is contained in:
parent
c181eda91b
commit
c87e465a01
@ -267,6 +267,70 @@ stx-pkgbuilder/configmap/')
|
||||
def handleEnterTask(self, args):
|
||||
self.shell.cmd_control_enter(args)
|
||||
|
||||
def run_pod_cmd(self, podname, maincmd, remotecmd):
|
||||
# Run command on pod in this format: kubectl+maincmd+podname+remotecmd
|
||||
cmd = self.config.kubectl() + maincmd + podname + remotecmd
|
||||
self.logger.info('run pod cmd: %s', cmd)
|
||||
subprocess.call(cmd, shell=True)
|
||||
|
||||
def add_keys_for_signing_server(self, args):
|
||||
self.logger.info('Prepare keys for accessing signing server!')
|
||||
buildername = 'builder'
|
||||
latname = 'lat'
|
||||
username = getpass.getuser()
|
||||
if not args.key:
|
||||
args.key = '~/.ssh/id_rsa'
|
||||
if not os.path.exists(os.path.expanduser(args.key)):
|
||||
self.logger.error("The key file doesn't exist!")
|
||||
sys.exit(1)
|
||||
|
||||
pod_name = self.k8s.get_pod_name(buildername)
|
||||
if pod_name:
|
||||
# Prepare and run commands:
|
||||
# kubectl exec -ti [pod_name_builder] -- mkdir /home/[user_name]/.ssh
|
||||
# kubectl exec -ti [pod_name_builder] -- mkdir /root/.ssh
|
||||
# kubectl cp [key] [pod_name_builder]:/home/[user_name]/.ssh
|
||||
# kubectl cp [key] [pod_name_builder]:/root/.ssh
|
||||
main_cmd = ' exec -ti '
|
||||
remote_cmd = ' -- mkdir /home/' + username + '/.ssh'
|
||||
self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
|
||||
remote_cmd = ' -- mkdir /root/.ssh'
|
||||
self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
|
||||
main_cmd = ' cp ' + args.key + ' '
|
||||
remote_cmd = ':/home/' + username + '/.ssh'
|
||||
self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
|
||||
remote_cmd = ':/root/.ssh'
|
||||
self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
|
||||
else:
|
||||
self.logger.error('Failed to prepare for signing builds because \
|
||||
no builder container is available!')
|
||||
sys.exit(1)
|
||||
|
||||
pod_name = self.k8s.get_pod_name(latname)
|
||||
if pod_name:
|
||||
# Prepare and run commands:
|
||||
# kubectl exec -ti [pod_name_lat] -- mkdir /root/.ssh
|
||||
# kubectl cp [key] [pod_name_lat]:/root/.ssh
|
||||
main_cmd = ' exec -ti '
|
||||
remote_cmd = ' -- mkdir /root/.ssh'
|
||||
self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
|
||||
main_cmd = ' cp ' + args.key + ' '
|
||||
remote_cmd = ':/root/.ssh'
|
||||
self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
|
||||
else:
|
||||
self.logger.error('Failed to prepare for signing builds because \
|
||||
no lat container is available!')
|
||||
sys.exit(1)
|
||||
|
||||
def handleKeysTask(self, args):
|
||||
if not args.key_type:
|
||||
args.key_type = 'signing-server'
|
||||
if args.key_type == 'signing-server':
|
||||
self.add_keys_for_signing_server(args)
|
||||
else:
|
||||
self.logger.error('Unsupported key-type!')
|
||||
sys.exit(1)
|
||||
|
||||
def handleControl(self, args):
|
||||
|
||||
self.logger.setLevel(args.loglevel)
|
||||
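Review bot: The exit status of every kubectl invocation is discarded in run_pod_cmd (`subprocess.call(cmd, shell=True)` on its last line), so a failed `kubectl cp` of the private key or a failed `mkdir` leaves add_keys_for_signing_server reporting nothing and the signing step fails later at ssh time with no hint from this tool. Have run_pod_cmd check the return code and stop on failure, and switch the directory creation to `mkdir -p` (`remote_cmd = ' -- mkdir -p /root/.ssh'` and the `/home/` variant) so a second run against an existing `.ssh` directory does not trip the new check. The `args.key` path is concatenated unquoted into a shell string in `main_cmd = ' cp ' + args.key + ' '`; quote it and expand `~` explicitly, e.g. `main_cmd = ' cp ' + shlex.quote(os.path.expanduser(args.key)) + ' '` (with `import shlex`), so a path containing spaces or shell-special characters cannot break or alter the command — it is the caller's own key, so this is robustness rather than a trust boundary. It is also worth confirming that the copied key keeps a 0600 mode inside the containers' `.ssh` directories, since the ssh client refuses a private key readable by others and the hunk sets no permissions after `kubectl cp`.
```python
def run_pod_cmd(self, podname, maincmd, remotecmd):
    # Run command on pod in this format: kubectl+maincmd+podname+remotecmd
    cmd = self.config.kubectl() + maincmd + podname + remotecmd
    self.logger.info('run pod cmd: %s', cmd)
    rc = subprocess.call(cmd, shell=True)
    if rc != 0:
        # A failed mkdir or kubectl cp must not be silently ignored:
        # the signing step would otherwise fail later with no hint here.
        self.logger.error('pod cmd failed (exit status %d): %s', rc, cmd)
        sys.exit(1)
```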
@ -286,6 +350,9 @@ stx-pkgbuilder/configmap/')
|
||||
elif args.ctl_task == 'enter':
|
||||
self.handleEnterTask(args)
|
||||
|
||||
elif args.ctl_task == 'keys-add':
|
||||
self.handleKeysTask(args)
|
||||
|
||||
elif args.ctl_task == 'status':
|
||||
self.k8s.get_helm_info()
|
||||
self.k8s.get_deployment_info()
|
||||
|
@ -56,11 +56,12 @@ Use %(prog)s --help to get help for all of parameters\n\n''')
|
||||
|
||||
control_subparser = subparsers.add_parser('control',
|
||||
help='Execute the control \
|
||||
task.\t\teg: [start|enter|stop|status|upgrade]')
|
||||
task.\t\teg: [start|enter|stop|status|upgrade|keys-add]')
|
||||
control_subparser.add_argument('ctl_task',
|
||||
help='[ start|stop|enter|status|upgrade\
|
||||
]: Create or Stop or Enter or List or \
|
||||
Upgrade the stx-builder/obs/lat/pulp \
|
||||
|keys-add ]: Create or Stop or Enter or \
|
||||
List or Upgrade or Add keys on \
|
||||
the stx-builder/obs/lat/pulp \
|
||||
containers.\n\n')
|
||||
control_subparser.add_argument('--dockername',
|
||||
help='[ builder|pkgbuilder|repomgr|' +
|
||||
@ -68,6 +69,15 @@ task.\t\teg: [start|enter|stop|status|upgrade]')
|
||||
'container name to enter, ' +
|
||||
'default: builder\n\n',
|
||||
required=False)
|
||||
control_subparser.add_argument('--key-type',
|
||||
help='[ signing-server ]: ' +
|
||||
'key-type name to enter, ' +
|
||||
'default: signing-server\n\n',
|
||||
required=False)
|
||||
control_subparser.add_argument('--key',
|
||||
help='key file to enter, ' +
|
||||
'default: ~/.ssh/id_rsa\n\n',
|
||||
required=False)
|
||||
control_subparser.set_defaults(handle=self.handlecontrol.handleControl)
|
||||
|
||||
config_subparser = subparsers.add_parser('config',
|
||||
|
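Review bot: The help strings for the new `--key-type` and `--key` options, `'key-type name to enter, '` and `'key file to enter, '`, are carried over from `--dockername`'s "container name to enter" and describe the wrong task; both options belong to `keys-add`, not `enter`. Suggest `help='[ signing-server ]: type of key to add, default: signing-server\n\n'` and `help='private key file to copy into the containers, default: ~/.ssh/id_rsa\n\n'`. The defaults are also applied inside the handler rather than declared here; passing `default='signing-server'` and `default='~/.ssh/id_rsa'` to add_argument would let `--help` show them and remove the `if not args.key_type` / `if not args.key` fallbacks in the first hunk.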