meta-phosphor: fix openssh key generation on read-only-rootfs types
Some of our file system layouts enable the `read-only-rootfs` feature,
which happens to trigger some code in rootfs-postcommands.bbclass that
moves the SSH key location from `/etc` to `/var`. For Dropbear, the
default was to move it to `/var/lib`, which we happen to put into an
overlay, but for OpenSSH it moved it to `/var/run`. The result of this
is that the SSH key is regenerated on each reboot.
In order to bypass this code that expects the SSH key to be in a
volatile file system, Yocto provides the `overlayfs-etc` IMAGE_FEATURE
as well. We need to enable this, but this feature as a side-effect
generates an alternative `/sbin/init` similar to what we do for
pre-mounting the overlay. We need to disable this aspect so I've set
some variables and appends to cause `overlay-etc.bbclass` to have no
effect.
Lastly, the result of all of this is that the location for the dropbear
key moves from `/var/lib` to `/etc` (which is what the default is on
the jffs2-based layouts already). Add some migration services that
will move existing keys in the old location over to `/etc` so that
users do not notice a host key change as part of this.
Tested: Tested on Bletchley (OpenSSH) and Witherspoon (Dropbear).
Bletchley no longer regenerates the SSH key on each reboot.
Witherspoon has the key location in `/etc/dropbear` as expected and
the migration service successfully runs before the
`dropbearkey.service`.
```
May 05 21:46:40 witherspoon systemd[1]: Starting SSH Key Generation...
May 05 21:46:41 witherspoon sh[268]: Generating 2048 bit rsa key, this may take a while...
May 05 21:47:13 witherspoon sh[268]: Public key portion is:
May 05 21:47:13 witherspoon sh[268]: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgiywAIF3RleqNphZZuUjNCXDI10ChEAoPI02/g9F8CiXI2Pc55nFHh/hrTn7niawydpEc8FH62rf1WpoA5hYkKrj/j6i2Iv1UrGFZX4q9IwlFcd3...
May 05 21:47:13 witherspoon sh[268]: Fingerprint: SHA256:tsjx4PBtcaiLnUCFh4XESPRnTXoGsgujVrbdJD4INMY
May 05 21:47:13 witherspoon systemd[1]: Finished SSH Key Generation.
```
Manually moved the key to `/var/lib` and rebooted and observed the same
key moved back to `/etc` (on Witherspoon).
```
May 05 21:49:01 witherspoon systemd[1]: Starting Migrate dropbear keys from /var/lib to /etc...
May 05 21:49:02 witherspoon migrate-key-location[194]: Migrating Dropbear key from /var/lib to /etc.
May 05 21:49:11 witherspoon systemd[1]: Finished Migrate dropbear keys from /var/lib to /etc.
May 05 21:49:14 witherspoon systemd[1]: Starting SSH Key Generation...
May 05 21:49:18 witherspoon systemd[1]: Finished SSH Key Generation.
```
After one last reboot, the key in `/etc` is reused:
```
May 05 21:51:44 witherspoon systemd[1]: Starting SSH Key Generation...
May 05 21:51:45 witherspoon systemd[1]: Finished SSH Key Generation.
```
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I68b6c383f91931995e3d3203e5aafd8fdc23f750
diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/dropbear-migrate-key-location.service b/meta-phosphor/recipes-core/dropbear/dropbear/dropbear-migrate-key-location.service
new file mode 100644
index 0000000..f8c12bf
--- /dev/null
+++ b/meta-phosphor/recipes-core/dropbear/dropbear/dropbear-migrate-key-location.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Migrate dropbear keys from /var/lib to /etc
+Before=dropbearkey.service
+ConditionPathExists=/var/lib/dropbear/dropbear_rsa_host_key
+
+[Service]
+RemainAfterExit=yes
+Type=oneshot
+ExecStart=/usr/libexec/dropbear/migrate-key-location
+
+[Install]
+WantedBy=dropbearkey.service
diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/migrate-key-location b/meta-phosphor/recipes-core/dropbear/dropbear/migrate-key-location
new file mode 100644
index 0000000..ce96894
--- /dev/null
+++ b/meta-phosphor/recipes-core/dropbear/dropbear/migrate-key-location
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ ! -e /etc/dropbear/dropbear_rsa_host_key ]; then
+ if [ -e /var/lib/dropbear/dropbear_rsa_host_key ]; then
+ echo "Migrating Dropbear key from /var/lib to /etc."
+ mkdir -p /etc/dropbear
+ mv /var/lib/dropbear/dropbear_rsa_host_key /etc/dropbear
+ else
+ echo "No Dropbear key found in /var/lib."
+ fi
+fi
diff --git a/meta-phosphor/recipes-core/dropbear/dropbear_%.bbappend b/meta-phosphor/recipes-core/dropbear/dropbear_%.bbappend
index a3cbd1b..6448fbf 100644
--- a/meta-phosphor/recipes-core/dropbear/dropbear_%.bbappend
+++ b/meta-phosphor/recipes-core/dropbear/dropbear_%.bbappend
@@ -6,8 +6,21 @@
SRC_URI += "file://dropbearkey.service \
file://localoptions.h \
file://dropbear.default \
+ file://dropbear-migrate-key-location.service \
+ file://migrate-key-location \
"
# pull in OpenSSH's /usr/libexec/sftp-server so we don't have to rely
# on the crufty old scp protocol for file transfer
RDEPENDS:${PN} += "openssh-sftp-server"
+
+# Add service to migrate the dropbear keys from /var/lib to /etc.
+do_install:append() {
+ install -d ${D}${base_libdir}/systemd/system
+ install -m 0644 ${WORKDIR}/dropbear-migrate-key-location.service \
+ ${D}${base_libdir}/systemd/system
+
+ install -d ${D}${libexecdir}/${BPN}
+ install -m 0755 ${WORKDIR}/migrate-key-location ${D}${libexecdir}/${BPN}
+}
+SYSTEMD_SERVICE:${PN}:append = " dropbear-migrate-key-location.service"
diff --git a/meta-phosphor/recipes-phosphor/images/obmc-phosphor-image.bb b/meta-phosphor/recipes-phosphor/images/obmc-phosphor-image.bb
index 974b911..7759b7e 100644
--- a/meta-phosphor/recipes-phosphor/images/obmc-phosphor-image.bb
+++ b/meta-phosphor/recipes-phosphor/images/obmc-phosphor-image.bb
@@ -39,7 +39,7 @@
obmc-user-mgmt-ldap \
${@bb.utils.contains_any('DISTRO_FEATURES', \
'obmc-ubi-fs phosphor-mmc obmc-static-norootfs', \
- 'read-only-rootfs', '', d)} \
+ 'read-only-rootfs overlayfs-etc', '', d)} \
ssh-server-dropbear \
obmc-debug-collector \
obmc-network-mgmt \
@@ -49,3 +49,15 @@
# The shadow recipe provides the binaries(like useradd, usermod) needed by the
# phosphor-user-manager.
ROOTFS_RO_UNNEEDED:remove = "shadow"
+
+# We need to set overlayfs-etc so that the dropbear/openssh keys don't end up
+# in a volatile file system, but we always have our own init that sets these
+# up. Add enough bogus values here that rootfs-postcommands.bbclass does what
+# we want without overlayfs-etc.bbclass messing things up.
+OVERLAYFS_ETC_USE_ORIG_INIT_NAME="0"
+OVERLAYFS_ETC_MOUNT_POINT = "/this/is/unused"
+OVERLAYFS_ETC_FSTYPE = "not_a_fs_type"
+OVERLAYFS_ETC_DEVICE = "/dev/null"
+python create_overlayfs_etc_preinit:append() {
+ os.unlink(preinitPath)
+}