tools: add command 'stx control keys-add'

From https://review.opendev.org/c/starlingx/root/+/868920, build process for signed image is as below: (1) Prepare keys on dockers and signing server to setup access to signing server without password: Use "ssh-keygen -t rsa" to create a ssh key pair, e.g. id_rsa.pub and id_rsa. Prepare on lat docker (default user is root): mkdir ~/.ssh copy id_rsa to ~/.ssh directory Prepare on builder docker: mkdir ~/.ssh copy id_rsa to ~/.ssh directory sudo mkdir /root/.ssh sudo copy id_rsa to /root/.ssh directory Prepare on signing server: append id_rsa.pub to the file on signing server: /home/${signing_user}/.ssh/authorized_keys (2) Run on builder docker: export SIGNING_SERVER="signing_user@signing_server_ip" <PATH>/sign-secure-boot_debian build-image The <PATH> is: /localdisk/designer/${USER}/stx/cgcs-root/build-tools An extension to the 'stx' tool to inject keys into the relevant containers is added as 'stx control keys-add --key-type=signing-server --key=[key file]' which can replace all the work on dockers in (1). Test plan: - PASS: run 'stx control keys-add --key-type=signing-server --key=[key file]' after containers start up, and check the keys mentioned above are right in containers. - PASS: run the complete build process as below and get a bootable iso with secure boot enabled: stx control keys-add --key-type=signing-server --key=[key file] stx shell export SIGNING_SERVER="signing_user@signing_server_ip" <PATH>/sign-secure-boot_debian build-image Story: 2009221 Task: 47097 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: Id84c5d96b8565a7c7d8da018730f2591d86e2d24
2023-02-06 16:57:01 +08:00 · 2023-02-06 16:57:01 +08:00 · c87e465a01
commit c87e465a01
parent c181eda91b
2 changed files with 80 additions and 3 deletions
--- a/stx/lib/stx/stx_control.py
+++ b/stx/lib/stx/stx_control.py
@ -267,6 +267,70 @@ stx-pkgbuilder/configmap/')
    def handleEnterTask(self, args):
        self.shell.cmd_control_enter(args)

+    def run_pod_cmd(self, podname, maincmd, remotecmd):
+        # Run command on pod in this format: kubectl+maincmd+podname+remotecmd
+        cmd = self.config.kubectl() + maincmd + podname + remotecmd
+        self.logger.info('run pod cmd: %s', cmd)
+        subprocess.call(cmd, shell=True)
+
+    def add_keys_for_signing_server(self, args):
+        self.logger.info('Prepare keys for accessing signing server!')
+        buildername = 'builder'
+        latname = 'lat'
+        username = getpass.getuser()
+        if not args.key:
+            args.key = '~/.ssh/id_rsa'
+        if not os.path.exists(os.path.expanduser(args.key)):
+            self.logger.error("The key file doesn't exist!")
+            sys.exit(1)
+
+        pod_name = self.k8s.get_pod_name(buildername)
+        if pod_name:
+            # Prepare and run commands:
+            #  kubectl exec -ti [pod_name_builder] -- mkdir /home/[user_name]/.ssh
+            #  kubectl exec -ti [pod_name_builder] -- mkdir /root/.ssh
+            #  kubectl cp [key] [pod_name_builder]:/home/[user_name]/.ssh
+            #  kubectl cp [key] [pod_name_builder]:/root/.ssh
+            main_cmd = ' exec -ti '
+            remote_cmd = ' -- mkdir /home/' + username + '/.ssh'
+            self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
+            remote_cmd = ' -- mkdir /root/.ssh'
+            self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
+            main_cmd = ' cp ' + args.key + ' '
+            remote_cmd = ':/home/' + username + '/.ssh'
+            self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
+            remote_cmd = ':/root/.ssh'
+            self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
+        else:
+            self.logger.error('Failed to prepare for signing builds because \
+no builder container is available!')
+            sys.exit(1)
+
+        pod_name = self.k8s.get_pod_name(latname)
+        if pod_name:
+            # Prepare and run commands:
+            #  kubectl exec -ti [pod_name_lat] -- mkdir /root/.ssh
+            #  kubectl cp [key] [pod_name_lat]:/root/.ssh
+            main_cmd = ' exec -ti '
+            remote_cmd = ' -- mkdir /root/.ssh'
+            self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
+            main_cmd = ' cp ' + args.key + ' '
+            remote_cmd = ':/root/.ssh'
+            self.run_pod_cmd(pod_name, main_cmd, remote_cmd)
+        else:
+            self.logger.error('Failed to prepare for signing builds because \
+no lat container is available!')
+            sys.exit(1)
+
+    def handleKeysTask(self, args):
+        if not args.key_type:
+            args.key_type = 'signing-server'
+        if args.key_type == 'signing-server':
+            self.add_keys_for_signing_server(args)
+        else:
+            self.logger.error('Unsupported key-type!')
+            sys.exit(1)
+
    def handleControl(self, args):

        self.logger.setLevel(args.loglevel)
@ -286,6 +350,9 @@ stx-pkgbuilder/configmap/')
        elif args.ctl_task == 'enter':
            self.handleEnterTask(args)

+        elif args.ctl_task == 'keys-add':
+            self.handleKeysTask(args)
+
        elif args.ctl_task == 'status':
            self.k8s.get_helm_info()
            self.k8s.get_deployment_info()
--- a/stx/lib/stx/stx_main.py
+++ b/stx/lib/stx/stx_main.py
@ -56,11 +56,12 @@ Use %(prog)s --help to get help for all of parameters\n\n''')

        control_subparser = subparsers.add_parser('control',
                                                  help='Execute the control \
-task.\t\teg: [start|enter|stop|status|upgrade]')
+task.\t\teg: [start|enter|stop|status|upgrade|keys-add]')
        control_subparser.add_argument('ctl_task',
                                       help='[ start|stop|enter|status|upgrade\
-                                       ]: Create or Stop or Enter or List or \
-                                       Upgrade the stx-builder/obs/lat/pulp \
+                                       |keys-add ]: Create or Stop or Enter or \
+                                       List or Upgrade or Add keys on \
+                                       the stx-builder/obs/lat/pulp \
                                       containers.\n\n')
        control_subparser.add_argument('--dockername',
                                       help='[ builder|pkgbuilder|repomgr|' +
@ -68,6 +69,15 @@ task.\t\teg: [start|enter|stop|status|upgrade]')
                                       'container name to enter, ' +
                                       'default: builder\n\n',
                                       required=False)
+        control_subparser.add_argument('--key-type',
+                                       help='[ signing-server ]: ' +
+                                       'key-type name to enter, ' +
+                                       'default: signing-server\n\n',
+                                       required=False)
+        control_subparser.add_argument('--key',
+                                       help='key file to enter, ' +
+                                       'default: ~/.ssh/id_rsa\n\n',
+                                       required=False)
        control_subparser.set_defaults(handle=self.handlecontrol.handleControl)

        config_subparser = subparsers.add_parser('config',