AlmaLinux / cloud-images

Packer templates and other tools for building AlmaLinux images for various cloud platforms.
MIT License
161 stars 48 forks source link

Cloud Provider Specific Changelogs? #173

Closed klesher-versatile closed 3 months ago

klesher-versatile commented 6 months ago

Hi!

I just hit a (very) minor ssh-key authentication issue caused by ec2-instance-connect being installed when we updated our base image from AWS Image AlmaLinux OS 9.3.20231116 x86_64 (ami-07bc349330a94a4e3) to AlmaLinux OS 9.3.20240303 x86_64(ami-097220738e8385b2f).

Doing some searching across the AlmaLinux GitHub org, all I really I came across https://github.com/AlmaLinux/cloud-images/pull/171 and some wiki doc updates. I also don't see that this has been merged yet, and I'm having difficulty finding any change logs indicating this was added (https://wiki.almalinux.org/release-notes/9.3.html doesn't include it, but of course with this being AWS-specific, I probably wouldn't expect it to be there).

Are there any cloud-provider specific change logs that covers this type of change? Admittedly I would have updated with no second thoughts if I saw this was being installed, but I may have gotten to the root of my issue a bit quicker. Any guidance is much appreciated!

codyro commented 6 months ago

I'm not sure if there is a canonical changelog available currently; however, taking a peek at https://github.com/AlmaLinux/cloud-images/tree/master/ansible/roles/ami_9_x86_64/tasks may shed some light on what's being modified/done to build the images themselves.

@LKHN will be able to give you a better answer, though :)

LKHN commented 6 months ago

@klesher-versatile , Thanks a lot opening this issue. I aksed @sboldyreva from Documentation SIG for this changelog. We started to work on it already and will publish very soon and once we define the format and place of it. We will maintain it when we do any changes to our Cloud, Container or other images.

After including the EC2 Instance Connect to our Amazon Machine Images we also published a dedicated page on our wiki how to use it.

Please, let me know about the issue you faced with the recent changes.

See: https://wiki.almalinux.org/cloud/EC2-instance-connect.html

klesher-versatile commented 6 months ago

That sounds great, thanks for the info! Using EC2 Instance Connect is definitely a step we want to take at some point, so I'm happy to see it baked into the base image for when we're ready.

We're currently making use of SSSD + LDAP to provide centrally managed SSH public keys for our SSH users. To achieve this, we add the following to /etc/ssh/sshd_config during our image build to direct sshd to use the SSSD service to query LDAP for a user’s public key:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

The EC2 Instance connect installation installs the following at/etc/ssh/sshd_config.d/60-ec2-instance-connect.conf which ends up overriding our existing configuration in /etc/ssh/sshd_config:

AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect

I'll work around this by putting our config into a /etc/ssh/sshd_config.d/99-custom.conf (which is something I probably should have been doing from the start 😄 ).

LKHN commented 3 months ago

I am happy that we did not end up breaking anything but finding the best practices about how to handle the OpenSSH Server configurations using the drop-in configuration files. :sweat_smile:

Here is a dedicated page about the changes on the cloud images.

https://wiki.almalinux.org/cloud/cloud-changelog.html

klesher-versatile commented 3 months ago

Thank you @LKHN! This is great to have. Much appreciated!