bottlerocket-os / bottlerocket-admin-container

A container for admin access to Bottlerocket

Serial console access support #59

Closed etungsten closed 2 years ago

etungsten commented 2 years ago

Issue number: N/A

Description of changes:

    Serial console support

    This adds getty services for each serial console device on the host so
    users can get to the admin container via serial console connections.

    As part of this change, the sshd process is now managed by a
    user-managed instance of systemd running in the admin container.

    All the admin container user-managed services are "WantedBy" the
    admin.target.

    Users can specify a password hash for the console login in the admin
    host container's user-data.

Testing done: With no admin user-data specified, I was able to connect to the admin container via a serial console connection to my EC2 instance. sudo sheltie works, apiclient works. I can still SSH to the admin container.

$ ssh -i ~/pem/etung.pem i-01b9b773cfed7c6c9.port0@serial-console.ec2-instance-connect.us-west-2.aws
[   30.635206] host-ctr[1605]: Created symlink /root/.config/systemd/user/admin.target.wants/getty@tty0.service, pointing to /etc/systemd/user/getty@.service.
[   30.694509] host-ctr[1605]: Created symlink /root/.config/systemd/user/admin.target.wants/serial-getty@ttyS0.service, pointing to /etc/systemd/user/serial-getty@.service.
[   30.738476] host-ctr[1605]: Created symlink /root/.config/systemd/user/admin.target.wants/sshd.service, pointing to /etc/systemd/user/sshd.service.
[   30.776554] host-ctr[1605]: Startup finished in 66ms.

Last login: Wed Apr 27 23:59:41 on /.bottlerocket/rootfs/dev/tty0
          Welcome to Bottlerocket's admin container!
    ╱╲
   ╱┄┄╲   This container provides access to the Bottlerocket host
   │▗▖│   filesystems (see /.bottlerocket/rootfs) and contains common
  ╱│  │╲  tools for inspection and troubleshooting.  It is based on
  │╰╮╭╯│  Amazon Linux 2, and most things are in the same places you
    ╹╹    would find them on an AL2 host.

To permit more intrusive troubleshooting, including actions that mutate the
running state of the Bottlerocket host, we provide a tool called "sheltie"
(`sudo sheltie`).  When run, this tool drops you into a root shell in the
Bottlerocket host's root filesystem.
[ec2-user@admin]$ env
HOSTNAME=
TERM=xterm-256color
SHELL=/bin/bash
HISTSIZE=1000
NO_PROXY=localhost,127.0.0.1,....yl4.us-west-2.eks.amazonaws.com,.cluster.local
USER=ec2-user
LS_COLORS=....
MAIL=/var/spool/mail/ec2-user
PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/ec2-user/.local/bin:/home/ec2-user/bin
PWD=/home/ec2-user
HISTCONTROL=ignoredups
SHLVL=1
HOME=/home/ec2-user
no_proxy=localhost,127.0.0.1,....yl4.us-west-2.eks.amazonaws.com,.cluster.local
LOGNAME=ec2-user
_=/usr/bin/env
[ec2-user@admin]$ sudo sheltie
bash-5.1# exit
[ec2-user@admin]$ apiclient get settings.host-containers.admin
{
  "settings": {
    "host-containers": {
      "admin": {
        "enabled": true,
        "source": "...",
        "superpowered": true,
        "user-data": "...."
      }
    }
  }
}

I then set up a new Bottlerocket host with admin container user-data containing a password-hash for the console login for my custom user. User-data:

{
  "user": "erikson",
  "password-hash": "$6$rounds=1000$NER...",
  "ssh": {
    "authorized-keys...",
  }
}

Then trying to login via serial console:

ip-192-168-2-248 login: erikson
Password:
Last failed login: Thu Apr 28 00:33:17 UTC 2022 on /.bottlerocket/rootfs/dev/ttyS0
There were 2 failed login attempts since the last successful login.
          Welcome to Bottlerocket's admin container!
    ╱╲
   ╱┄┄╲   This container provides access to the Bottlerocket host
   │▗▖│   filesystems (see /.bottlerocket/rootfs) and contains common
  ╱│  │╲  tools for inspection and troubleshooting.  It is based on
  │╰╮╭╯│  Amazon Linux 2, and most things are in the same places you
    ╹╹    would find them on an AL2 host.

To permit more intrusive troubleshooting, including actions that mutate the
running state of the Bottlerocket host, we provide a tool called "sheltie"
(`sudo sheltie`).  When run, this tool drops you into a root shell in the
Bottlerocket host's root filesystem.
[erikson@admin]$ 

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

etungsten commented 2 years ago

Push above addresses comments.

etungsten commented 2 years ago

Push above fixes some lingering comments.

etungsten commented 2 years ago

Push above adds documentation about the new password-hash field in the README.

etungsten commented 2 years ago

Push above adds a change to remove surrounding quotes if there are surrounding quotes around the config values:

[erikson@admin]$ cat /proc/cmdline 
console="tty0" console="ttyS1,115200n8" ...
[erikson@admin]$   CONSOLES=()
[erikson@admin]$   for opt in $(cat /proc/cmdline) ; do
>      optarg="$(expr "${opt}" : '[^=]*=\(.*\)' ||:)"
>      optarg="${optarg%\"}"
>      optarg="${optarg#\"}"
>      case "${opt}" in
>         console=*) CONSOLES+=("${optarg%,*}") ;;
>      esac
>   done

[erikson@admin]$ echo ${CONSOLES[@]}
tty0 ttyS1
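The loop above, generalized into an added example that is not the PR's own code: it parses the console= entries from a kernel command line (quoted or unquoted, with or without a speed suffix) and derives the systemd user unit name for each device. The getty@ versus serial-getty@ mapping is an assumption inferred from the startup log lines earlier in this PR; the sample command line is constructed.

```shell
#!/bin/sh
# Added example, not code from the bottlerocket-admin-container project.

# Print the device name of every console= option, one per line, in order.
# Surrounding double quotes and any ",115200n8"-style suffix are stripped.
consoles_from_cmdline() {
    cmdline="$1"
    for opt in $cmdline; do
        case "$opt" in
            console=*) ;;
            *) continue ;;
        esac
        optarg="${opt#console=}"
        optarg="${optarg%\"}"
        optarg="${optarg#\"}"
        # Keep only the device; drop baud rate, parity and data bits.
        printf '%s\n' "${optarg%%,*}"
    done
}

# Map a console device to a getty unit name. Assumption: virtual terminals
# (ttyN) use getty@, everything else is a serial port and uses serial-getty@,
# matching the symlinks created in the PR's startup log.
unit_for_console() {
    dev="$1"
    case "$dev" in
        tty[0-9]*) printf 'getty@%s.service\n' "$dev" ;;
        *)         printf 'serial-getty@%s.service\n' "$dev" ;;
    esac
}

# Join the unit names for a whole command line into one line.
units_for_cmdline() {
    out=""
    for dev in $(consoles_from_cmdline "$1"); do
        out="$out $(unit_for_console "$dev")"
    done
    printf '%s\n' "${out# }"
}

# Constructed sample, not captured from a real host.
SAMPLE_CMDLINE='console="tty0" console="ttyS1,115200n8" console=ttyS0 root=/dev/dm-0 ro'

units_for_cmdline "$SAMPLE_CMDLINE"
```

Each device name should still be checked for existence under /dev before a unit is enabled for it, since a console= entry can name hardware the host does not have.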
etungsten commented 2 years ago

Push above fixes an issue where user creation may fail when the host restarts and the user already exists. Push above also redirects some useless warnings/errors to /dev/null

etungsten commented 2 years ago

Push above prevents a jq invocation from failing the script. It also adds a change to make the admin container sleep forever if the host-container user-data is unset, to prevent errors later on in the script that would make the container fail.