From db3bd0f9f8ec250de7790e3df1ba1dd1290560c1 Mon Sep 17 00:00:00 2001
From: Margarita Manterola
Date: Thu, 17 Sep 2020 15:36:03 +0200
Subject: [PATCH 1/2] coreos-base/google-oslogin: Update to 20200910
This change updates to the latest oslogin version provided by Google. Since our last update, this was split into a different repo and the directory structure changed significantly. It also added group support, which needed to be added to the nsswitch.conf file that we ship. Flatcar users require docker group permissions, so ensure oslogin gives that permission by shipping a separate group.conf file that gets installed when oslogin is enabled.
---
 .../oem-gce/files/bin/enable-oslogin | 1 +
 .../sys-auth/google-oslogin/Manifest | 2 +-
 ...am_module-use-var-lib-instead-of-var.patch | 16 +++++++-------
 .../sys-auth/google-oslogin/files/group.conf | 2 ++
 .../google-oslogin/files/nsswitch.conf | 2 +-
 .../sys-auth/google-oslogin/files/pam_sshd | 11 ++++++----
 ...uild => google-oslogin-20200910.00.ebuild} | 22 +++++++++++--------
 7 files changed, 33 insertions(+), 23 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/group.conf
 rename sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/{google-oslogin-20180611.ebuild => google-oslogin-20200910.00.ebuild} (57%)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin
index 9830d34951..abf9899b67 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin
@@ -27,3 +27,4 @@ ln -f -s '/usr/share/google-oslogin/pam_sshd' '/etc/pam.d/sshd'
 ln -f -s '/usr/share/google-oslogin/nsswitch.conf' '/etc/nsswitch.conf'
 ln -f -s '/usr/share/google-oslogin/sshd_config' '/etc/ssh/sshd_config'
 ln -f -s '/usr/share/google-oslogin/oslogin-sudoers' '/etc/sudoers.d/oslogin-sudoers'
+ln -f -s '/usr/share/google-oslogin/group.conf' '/etc/security/group.conf'
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest
index cd11d66d4f..f1bedb2e82 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest
@@ -1 +1 @@
-DIST 20180611.tar.gz 143678 SHA256 f71bdc6d01cff014bb4d066096be9a6e067fd3028c730cc4c9557001ec99ab6e SHA512 9e94cdda66f9b45dbb0ade25ce2dabbcc38c96b7c6f94a09bfef80f1611e7fe0233578ccc55f76530dca16f4ee261a22c05ae12b76ce527734be50b856caca3e WHIRLPOOL f37f980686924003570567e77ec1b740a7ce538a03917d01757f2599a595c17f8babd32184ca26b6075df14de1e5da2876f5eb3111141d442c1571e043350b8d
+DIST 20200910.00.tar.gz 42599 BLAKE2B 6c2917f03277834e54050e5bf94943dc311c70e3150247b91cee5835b09fb197686788373ab8cdff4f3f8e4baa85dd515bcb22a99530475bd7c3991d1d272ece SHA512 575813becdd7046b9c5813f33aad440737df6d0fa1d9345f8f4340fda4bc348b27860231ed163196cf06609fd3311fe2bbf45486c260c45a0a38795a95f09834
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch
index fda3244f12..65fae86284 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch
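Review bot: The new `ln -f -s '/usr/share/google-oslogin/group.conf' '/etc/security/group.conf'` is the only link in this script that targets `/etc/security`, and nothing in the hunk creates that directory; if baselayout does not ship it, `ln` fails and OS Login is left enabled without the group mapping while the other links succeed. A `mkdir -p /etc/security` before the link, or a comment stating that the directory is guaranteed to exist on the image, would close that gap. The link also replaces any group.conf the operator may already have, which is worth a one-line comment since `-f` hides it. The enclosing script starts before this hunk.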
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/0001-pam_module-use-var-lib-instead-of-var.patch
@@ -4,14 +4,14 @@ Date: Fri, 6 Jul 2018 15:54:40 -0700
 Subject: [PATCH] pam_module: use /var/lib/ instead of /var
 ---
- google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc | 2 +-
- google_compute_engine_oslogin/pam_module/pam_oslogin_login.cc | 2 +-
+ guest-oslogin/src/pam/pam_oslogin_admin.cc | 2 +-
+ guest-oslogin/src/pam/pam_oslogin_login.cc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
-diff --git a/google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc b/google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc
+diff --git a/guest-oslogin/src/pam/pam_oslogin_admin.cc b/guest-oslogin/src/pam/pam_oslogin_admin.cc
 index 04d0808..376916e 100644
---- a/google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc
-+++ b/google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc
+--- a/guest-oslogin/src/pam/pam_oslogin_admin.cc
++++ b/guest-oslogin/src/pam/pam_oslogin_admin.cc
 @@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail;
 using oslogin_utils::UrlEncode;
 using oslogin_utils::kMetadataServerUrl;
@@ -21,10 +21,10 @@ index 04d0808..376916e 100644
 extern "C" {
-diff --git a/google_compute_engine_oslogin/pam_module/pam_oslogin_login.cc b/google_compute_engine_oslogin/pam_module/pam_oslogin_login.cc
+diff --git a/guest-oslogin/src/pam/pam_oslogin_login.cc b/guest-oslogin/src/pam/pam_oslogin_login.cc
 index 9e708f4..428600b 100644
---- a/google_compute_engine_oslogin/pam_module/pam_oslogin_login.cc
-+++ b/google_compute_engine_oslogin/pam_module/pam_oslogin_login.cc
+--- a/guest-oslogin/src/pam/pam_oslogin_login.cc
++++ b/guest-oslogin/src/pam/pam_oslogin_login.cc
 @@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail;
 using oslogin_utils::UrlEncode;
 using oslogin_utils::kMetadataServerUrl;
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/group.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/group.conf
new file mode 100644
index 0000000000..881c111e1d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/group.conf
@@ -0,0 +1,2 @@
+# Instruct oslogin to add the docker group to user that login via ssh
+sshd;*;*;Al0000-2400;docker
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/nsswitch.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/nsswitch.conf
index 0d67de1121..07af435bc0 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/nsswitch.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/nsswitch.conf
@@ -2,7 +2,7 @@
 # Keep this in sync with nsswitch.conf from coreos/baselayout
 passwd: files usrfiles sss systemd cache_oslogin oslogin
 shadow: files usrfiles sss
-group: files usrfiles sss systemd
+group: files usrfiles sss systemd cache_oslogin oslogin
 hosts: files usrfiles dns myhostname
 networks: files usrfiles dns
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/pam_sshd b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/pam_sshd
index 422a58c221..9452354ce5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/pam_sshd
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/pam_sshd
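Review bot: The rule `sshd;*;*;Al0000-2400;docker` in the new group.conf applies to every account that authenticates through sshd, not only OS Login principals, so a local user reachable over ssh is also added to the docker group, and on this image docker membership is equivalent to root. If that scope is intended, the comment should say so, e.g. `# Add the docker group (root-equivalent) to every user that logs in via sshd, OS Login or local` (the current `user that login` also reads oddly). If only OS Login users should receive it, the users field would have to be narrowed rather than left at `*`. Separately, the nsswitch.conf hunk on this same line now sends `group:` misses to `cache_oslogin oslogin` like `passwd:` already does; that presumably relies on the nss cache being refreshed regularly, which is not visible here.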
@@ -1,9 +1,12 @@
+# Needed for oslogin support (needs to be prepended)
+auth [default=ignore] pam_group.so
+auth [success=done perm_denied=die default=ignore] pam_oslogin_login.so
+account [success=ok default=ignore] pam_oslogin_admin.so
+account [success=ok ignore=ignore default=die] pam_oslogin_login.so
+session [success=ok default=ignore] pam_mkhomedir.so
+
 # Keep this file in sync with the net-misc/openssh/files/sshd.pam_include.2
 auth include system-remote-login
 account include system-remote-login
 password include system-remote-login
 session include system-remote-login
-# Needed for oslogin support
-account requisite pam_oslogin_login.so
-account optional pam_oslogin_admin.so
-session optional pam_mkhomedir.so
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20180611.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00.ebuild
similarity index 57%
rename from sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20180611.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00.ebuild
index 26351f0f7a..101ca35363 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20180611.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00.ebuild
@@ -4,8 +4,8 @@ EAPI=6
 DESCRIPTION="Components to support Google Cloud OS Login. This contains bits that belong in USR"
-HOMEPAGE="https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/google_compute_engine_oslogin"
-SRC_URI="https://github.com/GoogleCloudPlatform/compute-image-packages/archive/${PV}.tar.gz"
+HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz"
 LICENSE="Apache-2.0"
 SLOT="0"
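Review bot: `auth [success=done perm_denied=die default=ignore] pam_oslogin_login.so` ends the auth stack as soon as OS Login accepts the user, so for those logins nothing from `auth include system-remote-login` runs; the comment only says `(needs to be prepended)` and does not record that consequence. I would replace it with `# OS Login modules must precede the system-remote-login includes: success=done means OS Login users skip the rest of the auth stack, and pam_group only works from the auth phase, where it applies /etc/security/group.conf`. Because `[default=ignore]` on the `pam_group.so` line will not surface a missing or unreadable group.conf, it is worth confirming on a built image that the docker group actually appears for an OS Login session rather than relying on the config reading correctly.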
@@ -22,7 +22,7 @@ DEPEND="
 RDEPEND="${DEPEND}"
-S=${WORKDIR}/compute-image-packages-${PV}/google_compute_engine_oslogin
+S=${WORKDIR}/guest-oslogin-${PV}/
 src_prepare() {
 eapply -p2 "$FILESDIR/0001-pam_module-use-var-lib-instead-of-var.patch"
@@ -30,18 +30,21 @@ src_prepare() {
 }
 src_compile() {
- emake CC="$(tc-getCC)" CXX="$(tc-getCXX)" JSON_INCLUDE_PATH="${ROOT%/}/usr/include/json-c"
+ emake CC="$(tc-getCC)" CXX="$(tc-getCXX)" \
+ VERSION=${PV} \
+ JSON_INCLUDE_PATH="${ROOT%/}/usr/include/json-c"
 }
 src_install() {
- dolib.so libnss_cache_google-compute-engine-oslogin-1.3.0.so
- dolib.so libnss_google-compute-engine-oslogin-1.3.0.so
+ dolib.so src/libnss_cache_oslogin-${PV}.so
+ dolib.so src/libnss_oslogin-${PV}.so
 exeinto /usr/libexec
- doexe google_authorized_keys
+ doexe src/google_authorized_keys
+ doexe src/google_oslogin_nss_cache
- dopammod pam_oslogin_admin.so
- dopammod pam_oslogin_login.so
+ dopammod src/pam_oslogin_admin.so
+ dopammod src/pam_oslogin_login.so
 # config files the base Ignition config will create links to
 insinto /usr/share/google-oslogin
@@ -49,4 +52,5 @@ src_install() {
 doins "${FILESDIR}/nsswitch.conf"
 doins "${FILESDIR}/pam_sshd"
 doins "${FILESDIR}/oslogin-sudoers"
+ doins "${FILESDIR}/group.conf"
 }
From 38935a5e75e5fe7690484b61ed820903bc6384b9 Mon Sep 17 00:00:00 2001
From: Margarita Manterola
Date: Fri, 18 Sep 2020 15:36:17 +0200
Subject: [PATCH 2/2] coreos-base/oem-gce: add Python aliases
GCE recommends images to ship Python in them. Instead of shipping the binaries inside our vendor partition, install an alias that will download the latest official container, for both python2 and python3.
---
 .../coreos-base/oem-gce/files/files/google-cloud-sdk.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/files/google-cloud-sdk.sh b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/files/google-cloud-sdk.sh
index cff48e442e..9114c0d400 100644
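Review bot: `doexe src/google_oslogin_nss_cache` installs the cache refresher, but nothing in these hunks runs it, and the `cache_oslogin` NSS source that this commit's nsswitch.conf lists for both passwd and group can only answer from whatever that binary last wrote; unless a timer or cron entry is installed elsewhere, lookups will miss the cache and fall through to the metadata server on every call. If the scheduling lives in another package, a comment beside the `doexe` line naming it would save the next reader the search, e.g. `# cache is refreshed periodically by <UNIT-OR-PACKAGE>` (placeholder). Minor: `S=${WORKDIR}/guest-oslogin-${PV}/` carries a trailing slash that no other path in the file uses; `S=${WORKDIR}/guest-oslogin-${PV}` reads cleaner and is what `eapply -p2` in the context line expects either way.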
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/files/google-cloud-sdk.sh
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/files/google-cloud-sdk.sh
@@ -1,3 +1,5 @@
 #!/bin/sh
 alias gcloud="(docker images google/cloud-sdk || docker pull google/cloud-sdk) > /dev/null;docker run -ti --rm --net=host -v $HOME/.config:/root/.config -v /var/run/docker.sock:/var/run/docker.sock google/cloud-sdk gcloud"
 alias gsutil="(docker images google/cloud-sdk || docker pull google/cloud-sdk) > /dev/null;docker run -ti --rm --net=host -v $HOME/.config:/root/.config google/cloud-sdk gsutil"
+alias python="(docker images python:2-slim || docker pull python:2-slim) > /dev/null;docker run -ti --rm --net=host -v $HOME/.config:/root/.config -v "$PWD":/usr/src/pyapp -w /usr/src/pyapp python:2-slim python"
+alias python3="(docker images python:3-slim || docker pull python:3-slim) > /dev/null;docker run -ti --rm --net=host -v $HOME/.config:/root/.config -v "$PWD":/usr/src/pyapp -w /usr/src/pyapp python:3-slim python"
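Review bot: In `alias python="… -v "$PWD":/usr/src/pyapp …"` the inner double quotes close the alias string, so `$PWD` (and `$HOME`) are expanded when this file is sourced rather than when `python` is invoked; the container always mounts the directory the shell started in, and a path containing spaces is split into separate arguments. Single-quoting the alias defers the expansion: `alias python='(docker images python:2-slim || docker pull python:2-slim) > /dev/null;docker run -ti --rm -v "$PWD":/usr/src/pyapp -w /usr/src/pyapp python:2-slim python'`, and the same for `python3`. That rewrite also drops `--net=host` and the `$HOME/.config` mount: an interpreter does not need the host network namespace or the directory where gcloud keeps its credentials, and handing both to a floating third-party tag widens what a stale or compromised image can reach (the `python:2-slim` tag tracks an interpreter that no longer receives fixes). If scripts are expected to call gcloud from inside the container, keep the mount but say so in a comment.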