From fbaa509cce9b9160ec4e3474237026914eb00be0 Mon Sep 17 00:00:00 2001 From: liyuanr Date: Tue, 6 Jun 2023 16:01:23 +0800 Subject: [PATCH] KubeOS:Supports password setting for the admin container and hostshell binaryization. Users can set the password of the admin container using the secret in the YAML file. The hostshell is changed from the script to a binary file written in the Go language to ensure that users cannot change the hostshell. Signed-off-by: liyuanr --- Makefile | 4 ++ cmd/admin-container/main.go | 38 ++++++++++++++++++ scripts/admin-container/Dockerfile | 9 +++-- scripts/admin-container/setPasswd.service | 15 +++++++ .../{hostshell => setPasswd.sh} | 39 +++++++++---------- scripts/create/imageCreate.sh | 5 ++- scripts/kbimg.sh | 4 +- 7 files changed, 89 insertions(+), 25 deletions(-) create mode 100644 cmd/admin-container/main.go create mode 100644 scripts/admin-container/setPasswd.service rename scripts/admin-container/{hostshell => setPasswd.sh} (65%) diff --git a/Makefile b/Makefile index 27cf1751..0ea37508 100644 --- a/Makefile +++ b/Makefile @@ -50,6 +50,10 @@ agent: ${ENV} ${GO_BUILD} -tags "osusergo netgo static_build" -ldflags '$(LDFLAGS)' $(BUILDFLAGS) -o bin/os-agent cmd/agent/main.go strip bin/os-agent +hostshell: + ${ENV} ${GO_BUILD} -tags "osusergo netgo static_build" -ldflags '$(LDFLAGS)' $(BUILDFLAGS) -o bin/hostshell cmd/admin-container/main.go + strip bin/hostshell + test: $(GO) test $(shell go list ./... ) -race -cover -count=1 -timeout=300s diff --git a/cmd/admin-container/main.go b/cmd/admin-container/main.go new file mode 100644 index 00000000..399e8605 --- /dev/null +++ b/cmd/admin-container/main.go 
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved.
+ * KubeOS is licensed under the Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+ * PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+// Package main is the main.go of hostshell
+package main
+
+import (
+ "os"
+ "strconv"
+ "syscall"
+
+ "github.com/sirupsen/logrus"
+)
+
+func main() {
+ EUID := os.Geteuid()
+ rootEUID := 0 // 0 indicates that the process has the permission of the root user.
+ if EUID != rootEUID {
+ logrus.Error("please use root to run hostshell")
+ return
+ }
+ PPID := os.Getppid()
+ rootFsPath := "/proc/" + strconv.Itoa(PPID) + "/root"
+ bashPath := "/usr/bin/bash"
+ if err := syscall.Exec("/usr/bin/nsenter", []string{"nsenter", "-t", "1", "-a",
+ rootFsPath + bashPath}, os.Environ()); err != nil {
+ logrus.Error("nsenter excute error", err)
+ }
+}
diff --git a/scripts/admin-container/Dockerfile b/scripts/admin-container/Dockerfile
index bcdad704..6d0ded81 100644
--- a/scripts/admin-container/Dockerfile
+++ b/scripts/admin-container/Dockerfile
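Review bot: Both failure paths in `main` end with exit status 0: the non-root branch does a bare `return` and the `syscall.Exec` error branch only logs, while the shell script this binary replaces did `exit 1` when not run as root, so whoever launches hostshell can no longer tell that no shell was opened. Replace the `return` with `os.Exit(1)`, and after the log call add `os.Exit(1)`; the message is also misspelled, `logrus.Errorf("nsenter exec error: %v", err)` reads better. `os.Environ()` forwards the container process's whole environment into a shell running in PID 1's namespaces; the old script did the same implicitly, but if any variables set in the admin container are not meant to reach the host, constructing a minimal environment here would be the place to do it. A why-comment on `rootFsPath` would help the next reader, since it is not obvious that bash is deliberately taken from the admin container's own rootfs through `/proc/<PPID>/root` rather than from the host: `// bash comes from the admin container rootfs so the host image need not ship it`.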
@@ -17,9 +17,12 @@ RUN yum -y install openssh-clients util-linux ADD ./sysmaster-0.2.3-1.oe2203.aarch64.rpm /home RUN rpm -ivh /home/sysmaster-0.2.3-1.oe2203.aarch64.rpm -ADD ./hostshell /usr/bin/ +COPY ./hostshell /usr/bin/ +COPY ./setPasswd.sh /usr/local/bin +COPY ./setPasswd.service /usr/lib/sysmaster + EXPOSE 22 -# set sshd.service pulled up by default -RUN sed -i 's/sysinit.target/sysinit.target;sshd.service/g' /usr/lib/sysmaster/basic.target +# set sshd.service adn setPassed.service pulled up by default +RUN sed -i 's/sysinit.target/sysinit.target;sshd.service;setPasswd.service/g' /usr/lib/sysmaster/basic.target CMD ["/usr/lib/sysmaster/init"] diff --git a/scripts/admin-container/setPasswd.service b/scripts/admin-container/setPasswd.service new file mode 100644 index 00000000..023a6d31 --- /dev/null +++ b/scripts/admin-container/setPasswd.service @@ -0,0 +1,15 @@ +## Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. + # KubeOS is licensed under the Mulan PSL v2. + # You can use this software according to the terms and conditions of the Mulan PSL v2. + # You may obtain a copy of Mulan PSL v2 at: + # http://license.coscl.org.cn/MulanPSL2 + # THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR + # IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR + # PURPOSE. +## See the Mulan PSL v2 for more details. + +[Unit] +Description="set root passwd according to the secret which is set by user" + +[Service] +ExecStart="/usr/local/bin/setPasswd.sh" \ No newline at end of file diff --git a/scripts/admin-container/hostshell b/scripts/admin-container/setPasswd.sh similarity index 65% rename from scripts/admin-container/hostshell rename to scripts/admin-container/setPasswd.sh index bc99fcc4..11df129f 100644 --- a/scripts/admin-container/hostshell +++ b/scripts/admin-container/setPasswd.sh 
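Review bot: `COPY ./setPasswd.sh /usr/local/bin` keeps the mode the file has in the build context, and the rename header in this patch records `setPasswd.sh` as `100644`, so unless something else changes the mode the unit's `ExecStart="/usr/local/bin/setPasswd.sh"` will fail with permission denied at boot. Add `RUN chmod 0755 /usr/local/bin/setPasswd.sh` after the COPY line, and write the destination as `/usr/local/bin/` so COPY cannot be read as a file target. The new comment has two typos: `adn setPassed.service` should be `and setPasswd.service`.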
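Review bot: The unit declares no `Type=` and no ordering against `sshd.service`, and both units are appended to `basic.target` in the Dockerfile hunk above, so if sysmaster follows systemd's unit semantics they start concurrently and an SSH login can race the script while it has moved `/etc/shadow` aside (`mv /etc/shadow /etc/shadow_bak` in setPasswd.sh). Adding `Before=sshd.service` under `[Unit]` and `Type=oneshot` under `[Service]` would make the password rewrite complete before sshd accepts logins; whether sysmaster honours these directives should be confirmed against its documentation. The quotes around the `ExecStart=` value are unusual in a unit file and can be dropped: `ExecStart=/usr/local/bin/setPasswd.sh`.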
@@ -1,20 +1,19 @@
-#!/bin/bash
-## Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved.
-# KubeOS is licensed under the Mulan PSL v2.
-# You can use this software according to the terms and conditions of the Mulan PSL v2.
-# You may obtain a copy of Mulan PSL v2 at:
-# http://license.coscl.org.cn/MulanPSL2
-# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
-# PURPOSE.
-## See the Mulan PSL v2 for more details.
-
-if [[ $EUID -ne 0 ]]; then
- echo "please use root to run hostshell"
- exit 1
-fi
-
-ROOT_FS_PATH="/proc/${PPID}/root"
-BASH_PATH="/usr/bin/bash"
-
-nsenter -t 1 -a "${ROOT_FS_PATH}${BASH_PATH}"
+#!/bin/bash
+## Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved.
+# KubeOS is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+## See the Mulan PSL v2 for more details.
+
+passwd=$(cat /etc/secret-volume/password)
+str=`sed -n '/^root:/p' /etc/shadow | awk -F "root:" '{print $2}'`
+umask 0666
+mv /etc/shadow /etc/shadow_bak
+sed -i '/^root:/d' /etc/shadow_bak
+echo "root:"${passwd}":"${str#*:} > /etc/shadow
+cat /etc/shadow_bak >> /etc/shadow
+rm -rf /etc/shadow_bak
\ No newline at end of file
diff --git a/scripts/create/imageCreate.sh b/scripts/create/imageCreate.sh
index 8f75b04d..56f106f7 100644
--- a/scripts/create/imageCreate.sh
+++ b/scripts/create/imageCreate.sh
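Review bot: When `/etc/secret-volume/password` is absent or empty, `passwd` is empty and `echo "root:"${passwd}":"${str#*:} > /etc/shadow` writes `root::…`, an empty password field, which `login`/`su` typically treat as "no password required" for root (sshd only refuses it because `PermitEmptyPasswords` defaults to no); a missing secret must abort, not fall through. The value is also copied into the hash field verbatim and unvalidated, so a secret containing `:` or a newline would corrupt the entry or add extra `/etc/shadow` lines, and nothing says the secret has to be a crypt(3) hash rather than a plaintext password — either document that (e.g. a value produced by `openssl passwd -6`) or pipe `root:<hash>` into `chpasswd -e` and let shadow-utils do the editing. The `mv`/`sed -i`/`echo`/`cat` sequence runs without `set -e` and leaves `/etc/shadow` missing or partial between steps, so a failure midway leaves the container without a shadow file; writing the new file under a temporary name and renaming it over the original in one step removes that window. A rewrite of the body below the license header along those lines:
```shell
# … unchanged: license header …
secret=/etc/secret-volume/password
passwd=$(cat "${secret}" 2>/dev/null)
# An empty hash field means "no password"; a ':' or newline would corrupt the entry.
if [[ -z "${passwd}" || "${passwd}" == *[:$'\n']* ]]; then
    echo "setPasswd: ${secret} is missing, empty or malformed; root password left unchanged" >&2
    exit 1
fi
# Keep the ageing fields (lastchg, min, max, ...) from the current root entry.
str=$(sed -n '/^root:/p' /etc/shadow | awk -F "root:" '{print $2}')
umask 0077
tmp=$(mktemp /etc/shadow.XXXXXX) || exit 1
{
    echo "root:${passwd}:${str#*:}"
    sed '/^root:/d' /etc/shadow
} > "${tmp}" || { rm -f "${tmp}"; exit 1; }
chmod --reference=/etc/shadow "${tmp}"
mv -f "${tmp}" /etc/shadow
```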
@@ -95,5 +95,8 @@ function create_vm_img() { function create_admin_img() { local DOCKERFILE="$1" local DOCKER_IMG="$2" - docker build -t ${DOCKER_IMG} -f ${DOCKERFILE} ./admin_container + local ADMIN_CONTAINER_DIR="$3" + cp ../bin/hostshell ${ADMIN_CONTAINER_DIR} + docker build -t ${DOCKER_IMG} -f ${DOCKERFILE} ${ADMIN_CONTAINER_DIR} + rm -rf ${ADMIN_CONTAINER_DIR}/hostshell } \ No newline at end of file diff --git a/scripts/kbimg.sh b/scripts/kbimg.sh index 3faa7016..2c93084f 100644 --- a/scripts/kbimg.sh +++ b/scripts/kbimg.sh @@ -19,6 +19,7 @@ PASSWD="" DOCKER_IMG="" DOCKERFILE="" LOCK=./test.lock +ADMIN_CONTAINER_DIR=./admin-container source common/globalVariables.sh &>/dev/null source common/log.sh &>/dev/null @@ -123,6 +124,7 @@ function clean_space() { delete_dir "${TMP_MOUNT_PATH}" delete_file os.tar rm -rf "${LOCK}" + delete_file ${ADMIN_CONTAINER_DIR}/hostshell } function clean_img() { @@ -345,7 +347,7 @@ function verify_create_input() { fi verify_admin_input "$@" check_docker_file "${DOCKERFILE}" - create_admin_img "${DOCKERFILE}" "${DOCKER_IMG}" + create_admin_img "${DOCKERFILE}" "${DOCKER_IMG}" "${ADMIN_CONTAINER_DIR}" ;; "-h"|"--help") show_create_usage -- Gitee
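Review bot: `cp ../bin/hostshell ${ADMIN_CONTAINER_DIR}` is not checked, so when `make hostshell` has not been run the function still proceeds to `docker build`, which either fails later at the `COPY ./hostshell` step or, if a stale copy is still lying in the directory, silently packages an old binary. Check the copy and quote the expansions: `cp ../bin/hostshell "${ADMIN_CONTAINER_DIR}/" || { echo "hostshell binary not found, run 'make hostshell' first" >&2; return 1; }`. Because `rm -rf` is the last command, the function's return status is that of `rm`, not of `docker build`, so a failed image build is not reported to the caller in kbimg.sh if it checks the status; capture the build result first and return it after the cleanup, and `rm -f "${ADMIN_CONTAINER_DIR}/hostshell"` is enough for a single file.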