coreos-base/oem-gce: enable oslogin

Enable google cloud oslogin. Use a one-shot systemd unit with ConditionFirstBoot to enable oslogin by flipping some symlinks to oslogin specific ones. Don't do anything if the user has modified one of the files.
2025-08-21 06:21:08 +02:00 · 2018-07-03 10:20:25 -07:00 · 2018-07-03 10:20:25 -07:00 · 3fbb737589
commit 3fbb737589
parent 4ca2796803
4 changed files with 58 additions and 1 deletions
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/base/base.ign
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/base/base.ign
@ -1,6 +1,6 @@
 {
  "ignition": {
-    "version": "2.1.0"
+    "version": "2.2.0"
  },
  "storage": {
    "files": [
@ -12,6 +12,14 @@
        },
        "mode": 292
      },
+      {
+        "filesystem": "root",
+        "path": "/etc/systemd/system/oem-gce-enable-oslogin.service",
+        "contents": {
+          "source": "oem:///units/oem-gce-enable-oslogin.service"
+        },
+        "mode": 292
+      },
      {
        "filesystem": "root",
        "path": "/etc/hosts",
@ -39,6 +47,10 @@
      {
        "name": "oem-gce.service",
        "enabled": true
+      },
+      {
+        "name": "oem-gce-enable-oslogin.service",
+        "enabled": true
      }
    ]
  }
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/bin/enable-oslogin
@ -0,0 +1,29 @@
+#!/usr/bin/bash
+
+# Verify all the config files were not touched by the user. Do not try to
+# enable oslogin if the user has messed with them
+
+if [ -e '/etc/pam.d/sshd' ]; then
+	echo '/etc/pam.d/sshd already exists. Not enabling OS Login'
+	exit 0
+fi
+
+if [ "$(readlink -f /etc/nsswitch.conf)" != '/usr/share/baselayout/nsswitch.conf' ]; then
+	echo '/etc/nsswitch.conf is not a symlink to /usr/share/baselayout/nsswitch.conf. Not enabling OS Login'
+	exit 0
+fi
+
+if [ "$(readlink -f /etc/ssh/sshd_config)" != '/usr/share/ssh/sshd_config' ]; then
+	echo '/etc/ssh/sshd_config is not a symlink to /usr/share/ssh/sshd_config. Not enabling OS Login'
+	exit 0
+fi
+
+# Actually start enabling things. Die if we fail.
+set -e
+
+mkdir -m 0750 -p '/var/lib/google-sudoers.d'
+mkdir -m 0750 -p '/var/lib/google-users.d'
+ln -f -s '/usr/share/google-oslogin/pam_sshd' '/etc/pam.d/sshd'
+ln -f -s '/usr/share/google-oslogin/nsswitch.conf' '/etc/nsswitch.conf'
+ln -f -s '/usr/share/google-oslogin/sshd_config' '/etc/ssh/sshd_config'
+ln -f -s '/usr/share/google-oslogin/oslogin-sudoers' '/etc/sudoers.d/oslogin-sudoers'
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce-enable-oslogin.service
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/files/units/oem-gce-enable-oslogin.service
@ -0,0 +1,14 @@
+[Unit]
+Description=Enable GCE OS Login
+After=local-fs.target
+ConditionFirstBoot=true
+Before=sshd.service
+Before=sshd.socket
+
+[Service]
+Type=oneshot
+
+ExecStart=/usr/share/oem/bin/enable-oslogin
+
+[Install]
+WantedBy=sysinit.target
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20170327-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20170327-r1.ebuild
@ -27,4 +27,6 @@ src_install() {
 	doins -r "${FILESDIR}/base"
 	doins -r "${FILESDIR}/files"
 	doins -r "${FILESDIR}/units"
+	exeinto "/usr/share/oem/bin"
+	doexe "${FILESDIR}/bin/enable-oslogin"
 }