From 7f521ceda9485d18a0948ea79af4f009dba9ce93 Mon Sep 17 00:00:00 2001
From: Brett Smith
Date: Mon, 24 Nov 2014 15:53:00 -0500
Subject: [PATCH] 4027: Revamp SSH use in our Docker images.

* Don't install or run SSH in most of our Docker images. `docker exec` is now preferred to inspect running images.
* Do run SSH on the API server, always, for Gitolite.

There is a feature regression here: the user's SSH key is not automatically installed on the shell account. This needs to be fixed another way. In the meantime, it's not difficult to run `docker exec -ti --user=self shell /bin/bash`, and you can clone the repository from the host system.
---
 docker/api/Dockerfile | 3 +--
 docker/api/ssh.sh | 10 ----------
 docker/api/supervisor.conf | 2 +-
 docker/arvdock | 23 +----------------------
 docker/base/Dockerfile | 6 +-----
 docker/build_tools/build.rb | 17 -----------------
 docker/build_tools/config.rb | 9 ---------
 docker/compute/Dockerfile | 1 -
 docker/compute/ssh.sh | 10 ----------
 docker/compute/supervisor.conf | 5 -----
 docker/config.yml.example | 6 ------
 docker/doc/apache2_foreground.sh | 5 -----
 docker/shell/Dockerfile | 2 +-
 docker/shell/setup.sh.in | 2 --
 docker/slurm/supervisor.conf | 7 -------
 docker/sso/apache2_foreground.sh | 5 -----
 docker/workbench/apache2_foreground.sh | 7 +------
 17 files changed, 6 insertions(+), 114 deletions(-)
 delete mode 100755 docker/api/ssh.sh
 delete mode 100755 docker/compute/ssh.sh

diff --git a/docker/api/Dockerfile b/docker/api/Dockerfile
index ee9198e7c3..abd2114302 100644
--- a/docker/api/Dockerfile
+++ b/docker/api/Dockerfile
@@ -8,7 +8,7 @@ RUN apt-get update -qq
 RUN apt-get install -qqy \
 procps postgresql postgresql-server-dev-9.1 apache2 slurm-llnl munge \
 supervisor sudo libwww-perl libio-socket-ssl-perl libcrypt-ssleay-perl \
- libjson-perl cron
+ libjson-perl cron openssh-server
 
 ADD munge.key /etc/munge/
 RUN chown munge:munge /etc/munge/munge.key && chmod 600 /etc/munge/munge.key
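Review bot: Adding openssh-server on the `+ libjson-perl cron openssh-server` line means the Debian package postinst generates the SSH host keys during `docker build`, so every container started from this image (and every rebuild served from the layer cache) presents the same host key pair; the shell Dockerfile hunk has the same issue. A host key baked into an image is only as secret as the image itself, which weakens host authentication for the Gitolite users this commit is enabling sshd for. Consider removing `/etc/ssh/ssh_host_*` in the same RUN step and regenerating them at container start with `ssh-keygen -A` before sshd is launched, so each container gets its own identity while the package stays installed.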
@@ -71,7 +71,6 @@ ADD update-gitolite.rb /usr/local/arvados/
 
 # Supervisor.
 ADD supervisor.conf /etc/supervisor/conf.d/arvados.conf
-ADD ssh.sh /usr/local/bin/ssh.sh
 ADD generated/setup.sh /usr/local/bin/setup.sh
 ADD generated/setup-gitolite.sh /usr/local/bin/setup-gitolite.sh
 ADD crunch-dispatch-run.sh /usr/local/bin/crunch-dispatch-run.sh
diff --git a/docker/api/ssh.sh b/docker/api/ssh.sh
deleted file mode 100755
index 664414b1c6..0000000000
--- a/docker/api/ssh.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-echo $ENABLE_SSH
-
-# Start ssh daemon if requested via the ENABLE_SSH env variable
-if [[ ! "$ENABLE_SSH" =~ (0|false|no|f|^$) ]]; then
-echo "STARTING"
- /etc/init.d/ssh start
-fi
-
diff --git a/docker/api/supervisor.conf b/docker/api/supervisor.conf
index e684ff8c12..b01dc1c110 100644
--- a/docker/api/supervisor.conf
+++ b/docker/api/supervisor.conf
@@ -1,6 +1,6 @@
 [program:ssh]
 user=root
-command=/usr/local/bin/ssh.sh
+command=/etc/init.d/ssh start
 startsecs=0
 
 [program:postgres]
diff --git a/docker/arvdock b/docker/arvdock
index 31e405bb41..142ba27e31 100755
--- a/docker/arvdock
+++ b/docker/arvdock
@@ -1,6 +1,5 @@
 #!/bin/bash
 
-ENABLE_SSH=false
 DOCKER=`which docker.io`
 
 if [[ "$DOCKER" == "" ]]; then
@@ -22,7 +21,6 @@ function usage {
 echo >&2 " -v, --vm Shell server"
 echo >&2 " -n, --nameserver Nameserver"
 echo >&2 " -k, --keep Keep servers"
- echo >&2 " --ssh Enable SSH access to server containers"
 echo >&2 " -h, --help Display this help and exit"
 echo >&2
 echo >&2 " If no options are given, the action is applied to all servers."
@@ -65,11 +63,6 @@ function start_container {
 fi
 local image=$5
 
- if $ENABLE_SSH
- then
- args="$args -e ENABLE_SSH=$ENABLE_SSH"
- fi
-
 `$DOCKER ps |grep -P "$name[^/]" -q`
 if [[ "$?" == "0" ]]; then
 echo "You have a running container with name $name -- skipping."
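Review bot: `command=/etc/init.d/ssh start` runs an init script that daemonizes sshd and then exits, so supervisor only ever sees a short-lived child: it cannot restart sshd if the daemon dies, and `startsecs=0` is needed only to stop supervisor reporting the program as failed. Since this commit makes sshd mandatory on the API server for Gitolite, run it in the foreground so supervisor owns the process, `command=/usr/sbin/sshd -D`, after which `startsecs=0` can go. Note that `sshd -D` does not create the privilege-separation directory the init script makes for it, so the api Dockerfile would need a `RUN mkdir -p /var/run/sshd` alongside the new openssh-server install.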
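Review bot: The usage text drops the `--ssh` line without telling the user what replaced it; the `docker exec -ti --user=self shell /bin/bash` hint from the commit message lives only in the git log. A line next to the remaining options, such as `echo >&2 "  Use 'docker exec -ti <name> /bin/bash' to get a shell in a running container."`, would keep that discoverable from `-h`. The usage function starts and ends outside the hunk.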
@@ -86,15 +79,6 @@ function start_container {
 if [ "$?" != "0" -o "$container" = "" ]; then
 echo "Unable to start container"
 exit 1
- fi
- if [ "$name" == "compute" -o "$ENABLE_SSH" != "false" ];
- then
- ip=$(ip_address $container )
- echo
- echo "You can ssh into the container with:"
- echo
- echo " ssh root@$ip"
- echo
 else
 echo "Started container: $container"
 fi
@@ -155,7 +139,7 @@ function do_start {
 
 # NOTE: This requires GNU getopt (part of the util-linux package on Debian-based distros).
 local TEMP=`getopt -o d::s::a::cw::nkvh \
- --long doc::,sso::,api::,compute,workbench::,nameserver,keep,vm,help,ssh \
+ --long doc::,sso::,api::,compute,workbench::,nameserver,keep,vm,help \
 -n "$0" -- "$@"`
 
 if [ $? != 0 ] ; then echo "Use -h for help"; exit 1 ; fi
@@ -206,11 +190,6 @@ function do_start {
 start_keep=true
 shift
 ;;
- --ssh)
- # ENABLE_SSH is a global variable
- ENABLE_SSH=true
- shift
- ;;
 --)
 shift
 break
diff --git a/docker/base/Dockerfile b/docker/base/Dockerfile
index 2959d503b0..325b7792a0 100644
--- a/docker/base/Dockerfile
+++ b/docker/base/Dockerfile
@@ -14,12 +14,11 @@ ADD apt.arvados.org.list /etc/apt/sources.list.d/
 RUN apt-key adv --keyserver pool.sks-keyservers.net --recv 1078ECD7
 RUN apt-get update -qq
 
-RUN apt-get install -qqy openssh-server apt-utils git curl \
+RUN apt-get install -qqy apt-utils git curl \
 libcurl3 libcurl3-gnutls libcurl4-openssl-dev locales \
 postgresql-server-dev-9.1 python-arvados-python-client
 
 RUN gpg --keyserver pool.sks-keyservers.net --recv-keys D39DC0E3 && \
- /bin/mkdir -p /root/.ssh && \
 /bin/sed -ri 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
 /usr/sbin/locale-gen && \
 curl -L https://get.rvm.io | bash -s stable && \
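Review bot: The getopt statement this hunk edits assigns inside a `local TEMP=...` declaration, so `$?` on the following `if [ $? != 0 ]` line is the exit status of `local` (always 0) rather than getopt's; an unknown option such as the just-removed `--ssh` makes getopt print its error, but the script then carries on instead of exiting as the check intends. Declare and assign separately, `local TEMP` followed by `TEMP=$(getopt -o d::s::a::cw::nkvh --long doc::,sso::,api::,compute,workbench::,nameserver,keep,vm,help -n "$0" -- "$@")`, with the existing status check left immediately after the assignment. do_start starts and ends outside the hunk.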
@@ -36,6 +35,3 @@ RUN /usr/local/rvm/bin/rvm-exec default gem update --system && \
 /usr/local/rvm/bin/rvm-exec default bundle install --gemfile=/usr/src/arvados/apps/workbench/Gemfile && \
 /usr/local/rvm/bin/rvm-exec default bundle install --gemfile=/usr/src/arvados/services/api/Gemfile && \
 /usr/local/rvm/bin/rvm-exec default bundle install --gemfile=/usr/src/arvados/doc/Gemfile
-
-ADD generated/id_rsa.pub /root/.ssh/authorized_keys
-RUN chown root:root /root/.ssh/authorized_keys
diff --git a/docker/build_tools/build.rb b/docker/build_tools/build.rb
index a79157fdb4..e8f58097d8 100755
--- a/docker/build_tools/build.rb
+++ b/docker/build_tools/build.rb
@@ -85,7 +85,6 @@ def main options
 config['ARVADOS_USER_NAME'] = user_name
 config['API_HOSTNAME'] = generate_api_hostname
 config['API_WORKBENCH_ADDRESS'] = 'false'
- config['PUBLIC_KEY_PATH'] = find_or_create_ssh_key(config['API_HOSTNAME'])
 config.each_key do |var|
 config_out.write "#{var}: #{config[var]}\n"
 end
@@ -166,22 +165,6 @@ def docker_ok?(docker_path)
 return system "#{docker_path} images > /dev/null 2>&1"
 end
 
-# find_or_create_ssh_key arvados_name
-# Returns the SSH public key appropriate for this Arvados instance,
-# generating one if necessary.
-#
-def find_or_create_ssh_key arvados_name
- ssh_key_file = "#{ENV['HOME']}/.ssh/arvados_#{arvados_name}_id_rsa"
- unless File.exists? ssh_key_file
- system 'ssh-keygen',
- '-f', ssh_key_file,
- '-C', "arvados@#{arvados_name}",
- '-P', ''
- end
-
- return "#{ssh_key_file}.pub"
-end
-
 # install_docker
 # Determines which Docker package is suitable for this Linux distro
 # and installs it, resolving any dependencies.
diff --git a/docker/build_tools/config.rb b/docker/build_tools/config.rb
index d8bf256124..296bc206ff 100755
--- a/docker/build_tools/config.rb
+++ b/docker/build_tools/config.rb
@@ -72,12 +72,3 @@ Dir.glob(globdir + '/*.in') do |template_file|
 end
 end
 end
-
-# Copy the ssh public key file to base/generated (if a path is given)
-generated_dir = File.join('base/generated')
-Dir.mkdir(generated_dir) unless Dir.exists? generated_dir
-if (!config['PUBLIC_KEY_PATH'].nil? and
- File.readable? config['PUBLIC_KEY_PATH'])
- FileUtils.cp(config['PUBLIC_KEY_PATH'],
- File.join(generated_dir, 'id_rsa.pub'))
-end
diff --git a/docker/compute/Dockerfile b/docker/compute/Dockerfile
index 1dd3889a1e..462115cab0 100644
--- a/docker/compute/Dockerfile
+++ b/docker/compute/Dockerfile
@@ -18,7 +18,6 @@ RUN addgroup --gid 4005 crunch && mkdir /home/crunch && useradd --uid 4005 --gid
 
 # Supervisor.
 ADD supervisor.conf /etc/supervisor/conf.d/arvados.conf
-ADD ssh.sh /usr/local/bin/ssh.sh
 ADD generated/setup.sh /usr/local/bin/setup.sh
 ADD wrapdocker /usr/local/bin/wrapdocker.sh
 
diff --git a/docker/compute/ssh.sh b/docker/compute/ssh.sh
deleted file mode 100755
index 664414b1c6..0000000000
--- a/docker/compute/ssh.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-echo $ENABLE_SSH
-
-# Start ssh daemon if requested via the ENABLE_SSH env variable
-if [[ ! "$ENABLE_SSH" =~ (0|false|no|f|^$) ]]; then
-echo "STARTING"
- /etc/init.d/ssh start
-fi
-
diff --git a/docker/compute/supervisor.conf b/docker/compute/supervisor.conf
index 7fc34fc2c9..615e55a953 100644
--- a/docker/compute/supervisor.conf
+++ b/docker/compute/supervisor.conf
@@ -1,8 +1,3 @@
-[program:ssh]
-user=root
-command=/usr/local/bin/ssh.sh
-startsecs=0
-
 [program:munge]
 user=root
 command=/etc/init.d/munge start
diff --git a/docker/config.yml.example b/docker/config.yml.example
index 6ba5bcf311..4210ec3e16 100644
--- a/docker/config.yml.example
+++ b/docker/config.yml.example
@@ -1,12 +1,6 @@
 # Configuration for the Rails databases (database names,
 # usernames and passwords).
 
-# Path to a public ssh key you would like to have installed in the
-# root account of the generated images. This is useful for debugging.
-# To enable the SSH server, set the ENABLE_SSH environment variable to
-# true when starting the container.
-PUBLIC_KEY_PATH:
-
 # Username for your Arvados user. This will be used as your shell login name
 # as well as the name for your git repository.
 ARVADOS_USER_NAME:
diff --git a/docker/doc/apache2_foreground.sh b/docker/doc/apache2_foreground.sh
index c3facfe6f2..fc6028ea83 100755
--- a/docker/doc/apache2_foreground.sh
+++ b/docker/doc/apache2_foreground.sh
@@ -3,10 +3,5 @@
 read pid cmd state ppid pgrp session tty_nr tpgid rest < /proc/self/stat
 trap "kill -TERM -$pgrp; exit" EXIT TERM KILL SIGKILL SIGTERM SIGQUIT
 
-# Start ssh daemon if requested via the ENABLE_SSH env variable
-if [[ ! "$ENABLE_SSH" =~ (0|false|no|f|^$) ]]; then
- /etc/init.d/ssh start
-fi
-
 source /etc/apache2/envvars
 /usr/sbin/apache2 -D FOREGROUND
diff --git a/docker/shell/Dockerfile b/docker/shell/Dockerfile
index 539ff942dd..8235159999 100644
--- a/docker/shell/Dockerfile
+++ b/docker/shell/Dockerfile
@@ -7,7 +7,7 @@ RUN apt-get update -qq
 RUN apt-get install -qqy \
 python-pip python-pyvcf python-gflags python-google-api-python-client \
 python-virtualenv libattr1-dev libfuse-dev python-dev python-llfuse fuse \
- crunchstat python-arvados-fuse cron vim supervisor
+ crunchstat python-arvados-fuse cron vim supervisor openssh-server
 
 ADD fuse.conf /etc/fuse.conf
 RUN chmod 644 /etc/fuse.conf
diff --git a/docker/shell/setup.sh.in b/docker/shell/setup.sh.in
index 2815201614..03beb4b06b 100755
--- a/docker/shell/setup.sh.in
+++ b/docker/shell/setup.sh.in
@@ -5,8 +5,6 @@ USER_NAME="@@ARVADOS_USER_NAME@@"
 
 useradd $USER_NAME -s /bin/bash
 mkdir /home/$USER_NAME/.ssh -p
-cp ~root/.ssh/authorized_keys /home/$USER_NAME/.ssh/authorized_keys
-
 # Install our token
 mkdir -p /home/$USER_NAME/.config/arvados;
 echo "ARVADOS_API_HOST=api" >> /home/$USER_NAME/.config/arvados/settings.conf
diff --git a/docker/slurm/supervisor.conf b/docker/slurm/supervisor.conf
index 6563b547df..64f86b19e6 100644
--- a/docker/slurm/supervisor.conf
+++ b/docker/slurm/supervisor.conf
@@ -1,8 +1,3 @@
-[program:ssh]
-user=root
-command=/usr/local/bin/ssh.sh
-startsecs=0
-
 [program:munge]
 user=root
 command=/etc/init.d/munge start
@@ -10,5 +5,3 @@ command=/etc/init.d/munge start
 [program:slurm]
 user=root
 command=/etc/init.d/slurm-llnl start
-
-
diff --git a/docker/sso/apache2_foreground.sh b/docker/sso/apache2_foreground.sh
index c3facfe6f2..fc6028ea83 100755
--- a/docker/sso/apache2_foreground.sh
+++ b/docker/sso/apache2_foreground.sh
@@ -3,10 +3,5 @@
 read pid cmd state ppid pgrp session tty_nr tpgid rest < /proc/self/stat
 trap "kill -TERM -$pgrp; exit" EXIT TERM KILL SIGKILL SIGTERM SIGQUIT
 
-# Start ssh daemon if requested via the ENABLE_SSH env variable
-if [[ ! "$ENABLE_SSH" =~ (0|false|no|f|^$) ]]; then
- /etc/init.d/ssh start
-fi
-
 source /etc/apache2/envvars
 /usr/sbin/apache2 -D FOREGROUND
diff --git a/docker/workbench/apache2_foreground.sh b/docker/workbench/apache2_foreground.sh
index 37650ab5da..5475ff0a19 100755
--- a/docker/workbench/apache2_foreground.sh
+++ b/docker/workbench/apache2_foreground.sh
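Review bot: With the `cp ~root/.ssh/authorized_keys` line gone, `mkdir /home/$USER_NAME/.ssh -p` is left creating an empty `.ssh` (and, because `useradd` is called without `-m`, the home directory itself) owned by root, with nothing in this patch populating it. When the key installation is redone "another way" as the commit message promises, anything writing there as the user will fail unless ownership is corrected, so either drop the mkdir until the replacement exists or follow it with `chown -R "$USER_NAME": "/home/$USER_NAME" && chmod 700 "/home/$USER_NAME/.ssh"` — unless the script already does that further down, which the hunk does not show. `$USER_NAME` is unquoted on every line here, though that predates this change.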
@@ -3,13 +3,8 @@
 read pid cmd state ppid pgrp session tty_nr tpgid rest < /proc/self/stat
 trap "kill -TERM -$pgrp; exit" EXIT TERM KILL SIGKILL SIGTERM SIGQUIT
 
-# Start ssh daemon if requested via the ENABLE_SSH env variable
-if [[ ! "$ENABLE_SSH" =~ (0|false|no|f|^$) ]]; then
- /etc/init.d/ssh start
-fi
-
 # Override the default API server address if necessary.
-if [[ "$API_PORT_443_TCP_ADDR" != "" ]]; then
+if [[ "$API_PORT_443_TCP_ADDR" != "" ]]; then
 sed -i "s/localhost:9900/$API_PORT_443_TCP_ADDR/" /usr/src/arvados/apps/workbench/config/application.yml
 fi
 
-- 
2.30.2