Loading nixos/modules/virtualisation/azure-agent.nix +7 −2 Original line number Diff line number Diff line Loading @@ -61,7 +61,7 @@ in # Which provisioning agent to use. Supported values are "auto" (default), "waagent", # "cloud-init", or "disabled". Provisioning.Agent=disabled Provisioning.Agent=auto # Password authentication for root account will be unavailable. Provisioning.DeleteRootPassword=n Loading Loading @@ -246,7 +246,7 @@ in pkgs.bash # waagent's Microsoft.OSTCExtensions.VMAccessForLinux needs Python 3 pkgs.python3 pkgs.python39 # waagent's Microsoft.CPlat.Core.RunCommandLinux needs lsof pkgs.lsof Loading @@ -259,5 +259,10 @@ in }; }; # waagent will generate files under /etc/sudoers.d during provisioning security.sudo.extraConfig = '' #includedir /etc/sudoers.d ''; }; } nixos/modules/virtualisation/azure-image.nix +0 −37 Original line number Diff line number Diff line Loading 
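Review bot: The new `security.sudo.extraConfig` block makes sudo trust every drop-in under /etc/sudoers.d, and the rule waagent writes there is a NOPASSWD rule whenever the provisioned user has no password (visible as `conf_sudoer(ovfenv.username, nopasswd=ovfenv.user_password is None)` in the bundled patch), so the one-line comment above it undersells what is being trusted. Suggest replacing that comment with `# waagent writes the provisioned user's sudo rule to /etc/sudoers.d during provisioning (NOPASSWD when no password is set); sudo applies its usual root-ownership/mode checks to files in this directory, so nothing else may be allowed to write there.` The first hunk also flips `Provisioning.Agent` between `disabled` and `auto`, which, if `auto` is the new value as the added sudoers wiring suggests, is the switch that makes in-guest provisioning run at all and deserves a short comment on why it was previously off. The enclosing module attribute set starts and ends outside the visible hunks.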
@@ -37,42 +37,5 @@ in inherit config lib pkgs; }; # Azure metadata is available as a CD-ROM drive. fileSystems."/metadata".device = "/dev/sr0"; systemd.services.fetch-ssh-keys = { description = "Fetch host keys and authorized_keys for root user"; wantedBy = [ "sshd.service" "waagent.service" ]; before = [ "sshd.service" "waagent.service" ]; path = [ pkgs.coreutils ]; script = '' eval "$(cat /metadata/CustomData.bin)" if ! [ -z "$ssh_host_ecdsa_key" ]; then echo "downloaded ssh_host_ecdsa_key" echo "$ssh_host_ecdsa_key" > /etc/ssh/ssh_host_ed25519_key chmod 600 /etc/ssh/ssh_host_ed25519_key fi if ! [ -z "$ssh_host_ecdsa_key_pub" ]; then echo "downloaded ssh_host_ecdsa_key_pub" echo "$ssh_host_ecdsa_key_pub" > /etc/ssh/ssh_host_ed25519_key.pub chmod 644 /etc/ssh/ssh_host_ed25519_key.pub fi if ! [ -z "$ssh_root_auth_key" ]; then echo "downloaded ssh_root_auth_key" mkdir -m 0700 -p /root/.ssh echo "$ssh_root_auth_key" > /root/.ssh/authorized_keys chmod 600 /root/.ssh/authorized_keys fi ''; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; serviceConfig.StandardError = "journal+console"; serviceConfig.StandardOutput = "journal+console"; }; }; } pkgs/applications/networking/cluster/waagent/default.nix +8 −3 Original line number Diff line number Diff line Loading @@ -10,7 +10,7 @@ openssl, parted, procps, # for pidof, python3, python39, # the latest python version that waagent test against according to https://github.com/Azure/WALinuxAgent/blob/28345a55f9b21dae89472111635fd6e41809d958/.github/workflows/ci_pr.yml#L75 shadow, # for useradd, usermod util-linux, # for (u)mount, fdisk, sfdisk, mkswap }: Loading @@ -19,7 +19,7 @@ let inherit (lib) makeBinPath; in python3.pkgs.buildPythonPackage rec { python39.pkgs.buildPythonPackage rec { pname = "waagent"; version = "2.8.0.11"; src = fetchFromGitHub { Loading 
@@ -28,9 +28,14 @@ python3.pkgs.buildPythonPackage rec { rev = "04ded9f0b708cfaf4f9b68eead1aef4cc4f32eeb"; sha256 = "0fvjanvsz1zyzhbjr2alq5fnld43mdd776r2qid5jy5glzv0xbhf"; }; patches = [ # Suppress the following error when waagent try to configure sshd: # Read-only file system: '/etc/ssh/sshd_config' ./dont-configure-sshd.patch ]; doCheck = false; buildInputs = with python3.pkgs; [ distro ]; buildInputs = with python39.pkgs; [ distro ]; runtimeDeps = [ findutils gnugrep Loading pkgs/applications/networking/cluster/waagent/dont-configure-sshd.patch 0 → 100644 +23 −0 Original line number Diff line number Diff line From 383e7c826906baedcd12ae7c20a4a5d4b32b104a Mon Sep 17 00:00:00 2001 From: "Yang, Bo" <bo@preemo.io> Date: Wed, 8 Nov 2023 23:08:07 +0000 Subject: [PATCH] Don't configure sshd --- azurelinuxagent/pa/provision/default.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/azurelinuxagent/pa/provision/default.py b/azurelinuxagent/pa/provision/default.py index 91fe04edab..48edf01490 100644 --- a/azurelinuxagent/pa/provision/default.py +++ b/azurelinuxagent/pa/provision/default.py @@ -237,9 +237,6 @@ def config_user_account(self, ovfenv): self.osutil.conf_sudoer(ovfenv.username, nopasswd=ovfenv.user_password is None) - logger.info("Configure sshd") - self.osutil.conf_sshd(ovfenv.disable_ssh_password_auth) - self.deploy_ssh_pubkeys(ovfenv) self.deploy_ssh_keypairs(ovfenv) Loading
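Review bot: Pinning the build to `python39` (here in `buildPythonPackage` and `buildInputs`, and as `pkgs.python39` in the azure-agent.nix hunk) puts a root-running agent that executes extension payloads on an interpreter line whose upstream security fixes end in October 2025, and the justifying comment records only the upstream CI matrix. Suggest making the trade-off explicit in that comment, e.g. `# python39: newest version in upstream's CI matrix (link below); 3.9 stops receiving security fixes 2025-10 — re-evaluate on the next waagent bump.`, keeping the existing workflow URL. The `patches` comment explains only the read-only-filesystem error it suppresses; a second line stating that sshd policy must therefore come from the NixOS sshd module would save the next reader a trip into the patch. The `buildPythonPackage rec { … }` body continues past the hunk.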
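Review bot: Dropping `self.osutil.conf_sshd(ovfenv.disable_ssh_password_auth)` means the `disable_ssh_password_auth` setting the platform passes in the OVF environment is now silently ignored rather than applied, and nothing in the patch or the packaging records where that policy is enforced instead. Since sshd_config on NixOS is generated by `services.openssh`, the azure-agent module should set `services.openssh.settings.PasswordAuthentication = false` or document that image consumers must, otherwise a VM provisioned with password auth disabled in the portal ends up with the image's sshd default. Suggest adding to the patch description: `NixOS manages sshd_config via services.openssh; the OVF disable_ssh_password_auth flag is intentionally not applied here and must be enforced by the module.` `config_user_account` continues outside the hunk.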
nixos/modules/virtualisation/azure-agent.nix +7 −2 Original line number Diff line number Diff line Loading @@ -61,7 +61,7 @@ in # Which provisioning agent to use. Supported values are "auto" (default), "waagent", # "cloud-init", or "disabled". Provisioning.Agent=disabled Provisioning.Agent=auto # Password authentication for root account will be unavailable. Provisioning.DeleteRootPassword=n Loading Loading @@ -246,7 +246,7 @@ in pkgs.bash # waagent's Microsoft.OSTCExtensions.VMAccessForLinux needs Python 3 pkgs.python3 pkgs.python39 # waagent's Microsoft.CPlat.Core.RunCommandLinux needs lsof pkgs.lsof Loading @@ -259,5 +259,10 @@ in }; }; # waagent will generate files under /etc/sudoers.d during provisioning security.sudo.extraConfig = '' #includedir /etc/sudoers.d ''; }; }
nixos/modules/virtualisation/azure-image.nix +0 −37 Original line number Diff line number Diff line Loading @@ -37,42 +37,5 @@ in inherit config lib pkgs; }; # Azure metadata is available as a CD-ROM drive. fileSystems."/metadata".device = "/dev/sr0"; systemd.services.fetch-ssh-keys = { description = "Fetch host keys and authorized_keys for root user"; wantedBy = [ "sshd.service" "waagent.service" ]; before = [ "sshd.service" "waagent.service" ]; path = [ pkgs.coreutils ]; script = '' eval "$(cat /metadata/CustomData.bin)" if ! [ -z "$ssh_host_ecdsa_key" ]; then echo "downloaded ssh_host_ecdsa_key" echo "$ssh_host_ecdsa_key" > /etc/ssh/ssh_host_ed25519_key chmod 600 /etc/ssh/ssh_host_ed25519_key fi if ! [ -z "$ssh_host_ecdsa_key_pub" ]; then echo "downloaded ssh_host_ecdsa_key_pub" echo "$ssh_host_ecdsa_key_pub" > /etc/ssh/ssh_host_ed25519_key.pub chmod 644 /etc/ssh/ssh_host_ed25519_key.pub fi if ! [ -z "$ssh_root_auth_key" ]; then echo "downloaded ssh_root_auth_key" mkdir -m 0700 -p /root/.ssh echo "$ssh_root_auth_key" > /root/.ssh/authorized_keys chmod 600 /root/.ssh/authorized_keys fi ''; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; serviceConfig.StandardError = "journal+console"; serviceConfig.StandardOutput = "journal+console"; }; }; }
pkgs/applications/networking/cluster/waagent/default.nix +8 −3 Original line number Diff line number Diff line Loading @@ -10,7 +10,7 @@ openssl, parted, procps, # for pidof, python3, python39, # the latest python version that waagent test against according to https://github.com/Azure/WALinuxAgent/blob/28345a55f9b21dae89472111635fd6e41809d958/.github/workflows/ci_pr.yml#L75 shadow, # for useradd, usermod util-linux, # for (u)mount, fdisk, sfdisk, mkswap }: Loading @@ -19,7 +19,7 @@ let inherit (lib) makeBinPath; in python3.pkgs.buildPythonPackage rec { python39.pkgs.buildPythonPackage rec { pname = "waagent"; version = "2.8.0.11"; src = fetchFromGitHub { Loading @@ -28,9 +28,14 @@ python3.pkgs.buildPythonPackage rec { rev = "04ded9f0b708cfaf4f9b68eead1aef4cc4f32eeb"; sha256 = "0fvjanvsz1zyzhbjr2alq5fnld43mdd776r2qid5jy5glzv0xbhf"; }; patches = [ # Suppress the following error when waagent try to configure sshd: # Read-only file system: '/etc/ssh/sshd_config' ./dont-configure-sshd.patch ]; doCheck = false; buildInputs = with python3.pkgs; [ distro ]; buildInputs = with python39.pkgs; [ distro ]; runtimeDeps = [ findutils gnugrep Loading
pkgs/applications/networking/cluster/waagent/dont-configure-sshd.patch 0 → 100644 +23 −0 Original line number Diff line number Diff line From 383e7c826906baedcd12ae7c20a4a5d4b32b104a Mon Sep 17 00:00:00 2001 From: "Yang, Bo" <bo@preemo.io> Date: Wed, 8 Nov 2023 23:08:07 +0000 Subject: [PATCH] Don't configure sshd --- azurelinuxagent/pa/provision/default.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/azurelinuxagent/pa/provision/default.py b/azurelinuxagent/pa/provision/default.py index 91fe04edab..48edf01490 100644 --- a/azurelinuxagent/pa/provision/default.py +++ b/azurelinuxagent/pa/provision/default.py @@ -237,9 +237,6 @@ def config_user_account(self, ovfenv): self.osutil.conf_sudoer(ovfenv.username, nopasswd=ovfenv.user_password is None) - logger.info("Configure sshd") - self.osutil.conf_sshd(ovfenv.disable_ssh_password_auth) - self.deploy_ssh_pubkeys(ovfenv) self.deploy_ssh_keypairs(ovfenv)