Create custom image that does not have ssh keys stored #343
Conversation
|
I am curious about why on |
.github/workflows/build-images.yml
Outdated
| uses: spilchen/switch-case-action@v2 | ||
| id: nosshkeys_vertica_image | ||
| with: | ||
| default: ghcr.io/${{ github.repository_owner }}/vertica-k8s:${{ github.sha }}-nosshkeys |
There was a problem hiding this comment.
You should rebase to pick up Duane's latest workflow change about needing the name to be lowercase. We will need to apply that change here too.
.github/workflows/build-images.yml
Outdated
|
|
||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v2 | ||
| if: ${{ inputs.full_vertica_image != '' && startsWith(inputs.full_vertica_image, 'docker.io') }} |
There was a problem hiding this comment.
This should be checking inputs.nosshkeys_vertica_image
| if: ${{ inputs.full_vertica_image != '' && startsWith(inputs.full_vertica_image, 'docker.io') }} | |
| if: ${{ inputs.nosshkeys_vertica_image != '' && startsWith(inputs.nosshkeys_vertica_image, 'docker.io') }} |
There was a problem hiding this comment.
Yes I will. This is related to my question above.
docker-vertica/Dockerfile
Outdated
| @@ -68,15 +70,15 @@ RUN set -x \ | |||
| # versions at once. | |||
There was a problem hiding this comment.
We should update this comment to explain what we are doing with NO_SSH_KEYS.
| # versions at once. | |
| # versions at once. This step is required if not including SSH keys because | |
| # conditional copy isn't a thing in Docker. If no SSH keys are to be included, | |
| # then the next RUN will remove the key we just added. |
docker-vertica/packages/cleanup.sh
Outdated
| @@ -23,6 +23,7 @@ | |||
| # | |||
| # wander around in the image looking for things you can remove | |||
| rm -r -f \ | |||
| /opt/vertica/config/* \ | |||
There was a problem hiding this comment.
This might be problematic for vertica-demo. They use the vertica-k8s image, and probably rely on the config directory to be set up. Can we change this to remove specific things in /config? The agent keys, the keys for the https_certs, etc.
There was a problem hiding this comment.
Ok I will delete specific keys files.
I think that is a bug. Can you fix it? |
I will. |
docker-vertica/packages/cleanup.sh
Outdated
| @@ -31,7 +32,9 @@ rm -r -f \ | |||
| /opt/vertica/oss/python*/lib/python*/site-packages/pip \ | |||
| /opt/vertica/oss/python*/lib/python*/config-[0-9]* \ | |||
| /opt/vertica/oss/python*/lib/python*/tkinter \ | |||
| /opt/vertica/oss/python*/lib/python*/idlelib | |||
| /opt/vertica/oss/python*/lib/python*/idlelib \ | |||
| /opt/vertica/oss/python*/lib/python*/site-packages/Cryptodome/SelfTest/PublicKey/test_vectors/ECC \ | |||
There was a problem hiding this comment.
As a general fix, could we remove all test directories for packages under site-package? We can match test and *Test.
docker-vertica/Dockerfile
Outdated
| && chmod 700 /home/dbadmin/.ssh \ | ||
| && chmod 600 /home/dbadmin/.ssh/* \ | ||
| && chown -R dbadmin:verticadba /home/dbadmin/ \ | ||
| && chmod go-w /etc/ssh/sshd_config.d/* /etc/ssh/ssh_config.d/* | ||
| && chmod go-w /etc/ssh/sshd_config.d/* /etc/ssh/ssh_config.d/* \ | ||
| && if [[ ($NO_SSH_KEYS == "YES" || $NO_SSH_KEYS == "yes") ]] ; then \ |
There was a problem hiding this comment.
Can we simplify this to do a case-insensitive compare?
| && if [[ ($NO_SSH_KEYS == "YES" || $NO_SSH_KEYS == "yes") ]] ; then \ | |
| && if [[ ${NO_SSH_KEYS^^} == "YES" ]] ; then \ |
There was a problem hiding this comment.
Ok. I can also do the same with MINIMAL.
There was a problem hiding this comment.
Yes, that would be good thanks.
All keys that were stored in the image have been removed.
For dbadmin ssh keys in particular, a new variable has been added (NO_SSH_KEYS) that will allow to create an image that do not have those static keys stored inside.
e2e-leg-1 as well as github actions have been modified to use that custom image.