generate ssh keypair for each connection

314ce699 · istmxrein · 7b03b930 · 7b03b930 · 314ce699 · 314ce699
Commit 314ce699 authored 2 years ago by istmxrein
--- a/Containerfile
+++ b/Containerfile
-ARG GITLAB_RUNNER_VERSION=v13.12.0
-FROM registry.access.redhat.com/ubi8:8.5 AS builder
-ARG GITLAB_RUNNER_VERSION
-ENV GITLAB_REPO=https://gitlab.com/gitlab-org/gitlab-runner.git \
-    PATH=$PATH:/root/go/bin/
-RUN dnf install -y git-core make go ncurses && \
-    git clone --depth=1 --branch=${GITLAB_RUNNER_VERSION} ${GITLAB_REPO} && \
-    cd gitlab-runner && \
-    make runner-bin-host && \
-    chmod a+x out/binaries/gitlab-runner && \
-    out/binaries/gitlab-runner --version
-FROM registry.access.redhat.com/ubi8:8.5
-ARG GITLAB_RUNNER_VERSION
-COPY --from=builder /gitlab-runner/out/binaries/gitlab-runner /usr/bin
-ENV HOME=/home/gitlab-runner \
-    VENV=/openstack_driver_venv
-ENV PATH="$VENV/bin:$PATH"
-LABEL maintainer="Dmitry Misharov <misharov@redhat.com>" \
-      io.openshift.tags="gitlab,ci,runner" \
-      name="openstack-gitlab-runner" \
-      io.k8s.display-name="GitLab runner" \
-      summary="GitLab runner" \
-      description="A GitLab runner image with openstack custom executor." \
-      io.k8s.description="A GitLab runner image with openstack custom executor."
-WORKDIR $HOME
-COPY cleanup.py env.py config.sh prepare.py run.py requirements.txt start.sh ./
-RUN dnf install -y --nodocs python38-pip git-core && \
-    pip3 install dumb-init && \
-    python3.8 -m venv $VENV && \
-    pip install wheel && \
-    pip install -r requirements.txt && \
-    dnf remove -y git-core && \
-    dnf clean all -y
-RUN chgrp -R 0 $HOME && \
-    chmod +x cleanup.py config.sh prepare.py run.py start.sh && \
-    chmod -R g=u $HOME
-USER 1001
-ENTRYPOINT ["dumb-init", "--"]
-CMD ["./start.sh"]
--- a/cleanup.py
+++ b/cleanup.py
@@ -8,7 +8,7 @@ def main() -> None:
    conn = openstack.connect()
    for server in conn.compute.servers(name=env.VM_NAME):
        conn.compute.delete_server(server)
+    conn.delete_keypair(env.KEY_PAIR_NAME)
 if __name__ == "__main__":
    main()
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -12,8 +12,6 @@ if [[ "$TLS_CA_CERT" ]]; then
    echo "$TLS_CA_CERT" > "$HOME"/.gitlab-runner/certs/$(echo "$CI_SERVER_URL" | cut -d'/' -f3 | cut -d':' -f1).crt
 fi
-echo "$PRIVATE_KEY" > "$HOME"/priv_key
 gitlab-runner register --non-interactive \
                       --executor=custom \
                       --custom-config-exec=/data/config.sh \

--- a/env.py
+++ b/env.py
@@ -5,7 +5,7 @@ VM_NAME = f"gitlab-builder-{os.getenv('CUSTOM_ENV_CI_RUNNER_ID')}-project-{os.ge
 FLAVOR = os.getenv("CUSTOM_ENV_FLAVOR") or os.getenv("FLAVOR")
 BUILDER_IMAGE = os.getenv("CUSTOM_ENV_BUILDER_IMAGE") or os.getenv("BUILDER_IMAGE")
 NETWORK = os.getenv("CUSTOM_ENV_NETWORK") or os.getenv("NETWORK")
-KEY_PAIR_NAME = os.getenv("CUSTOM_ENV_KEY_PAIR_NAME") or os.getenv("KEY_PAIR_NAME")
+KEY_PAIR_NAME = f'key-{VM_NAME}'
 SECURITY_GROUPS = os.getenv("CUSTOM_ENV_SECURITY_GROUPS") or os.getenv("SECURITY_GROUPS")
 USERNAME = os.getenv("CUSTOM_ENV_USERNAME") or os.getenv("USERNAME")
 PRIVATE_KEY_PATH = f"{os.getenv('HOME')}/priv_key"

--- a/prepare.py
+++ b/prepare.py
 #!/usr/bin/env python
 import sys
 import traceback
+import os
 import openstack
 import paramiko
 from tenacity import retry
 from tenacity import RetryCallState
 from tenacity import stop_after_attempt
 from tenacity import wait_fixed
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.backends import default_backend
 import env
 def provision_server(
    conn: openstack.connection.Connection,
+    public_key: str
 ) -> openstack.compute.v2.server.Server:
+    conn.create_keypair(env.KEY_PAIR_NAME, public_key=public_key)
    image = conn.compute.find_image(env.BUILDER_IMAGE)
    flavor = conn.compute.find_flavor(env.FLAVOR)
    network = conn.network.find_network(env.NETWORK)
@@ -75,6 +79,27 @@ def check_ssh(ip: str) -> None:
    ssh_client.close()
+def generate_rsa_keypair():
+    # generate private/public key pair
+    key = rsa.generate_private_key(backend=default_backend(), public_exponent=65537, \
+        key_size=2048)
+    # get public key in OpenSSH format
+    public_key = key.public_key().public_bytes(serialization.Encoding.OpenSSH, \
+        serialization.PublicFormat.OpenSSH)
+    # get private key in PEM container format
+    pem = key.private_bytes(encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.TraditionalOpenSSL,
+        encryption_algorithm=serialization.NoEncryption())
+    with open(env.PRIVATE_KEY_PATH, 'wb') as content_file:
+        content_file.write(pem.decode('utf-8'))    
+    public_key_str = public_key.decode('utf-8')
+    print(f'Public Key: {public_key_str}')
+    return public_key_str
 def main() -> None:
    print(
        "Source code of this driver https://github.com/RedHatQE/openstack-gitlab-executor",
@@ -84,7 +109,8 @@ def main() -> None:
    try:
        conn = openstack.connect()
        print(f"Provisioning an instance {env.VM_NAME}", flush=True)
-        server = provision_server(conn)
+        public_key = generate_rsa_keypair()
+        server = provision_server(conn, public_key)
        ip = get_server_ip(conn, server)
        print(f"Instance {env.VM_NAME} is running on address {ip}", flush=True)
        conn.close()