Merge pull request #172 from axsh/executor-hostkey

Changing the timing of key generation from run time to installation time

Author: Masahiro Fujiwara

.idea/libraries/GOPATH__openvdc_.xml

@@ -186,7 +186,11 @@ Environment Variables:
 	// Build main binaries
 	cmd("go", "build", "-i", "./vendor/...")
 	cmd("go", "build", "-ldflags", LDFLAGS, "-v", "./cmd/openvdc")
-	cmd("go", "build", "-ldflags", LDFLAGS+"-X 'main.DefaultConfPath=/etc/openvdc/executor.toml'", "-v", "./cmd/openvdc-executor")
+	cmd("go", "build", "-ldflags", LDFLAGS+
+		" -X 'main.HostRsaKeyPath=/etc/openvdc/ssh/host_rsa_key'" +
+		" -X 'main.HostEcdsaKeyPath=/etc/openvdc/ssh/host_ecdsa_key'" +
+		" -X 'main.HostEd25519KeyPath=/etc/openvdc/ssh/host_ed25519_key'" +
+		" -X 'main.DefaultConfPath=/etc/openvdc/executor.toml'", "-v", "./cmd/openvdc-executor")
 	cmd("go", "build", "-ldflags", LDFLAGS+"-X 'main.DefaultConfPath=/etc/openvdc/scheduler.toml'", "-v", "./cmd/openvdc-scheduler")
 
 	//Build lxc-template

build.go

@@ -2,20 +2,15 @@ package main
 
 import (
 	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
 	"fmt"
 	"io"
 	"net"
-
 	log "github.com/Sirupsen/logrus"
 	"github.com/axsh/openvdc/hypervisor"
 	"github.com/axsh/openvdc/model"
 	"github.com/pkg/errors"
-	"golang.org/x/crypto/ed25519"
 	"golang.org/x/crypto/ssh"
+	"io/ioutil"
 	"golang.org/x/net/context"
 )
 
@@ -40,31 +35,29 @@ func NewSSHServer(provider hypervisor.HypervisorProvider, ctx context.Context) *
 
 type HostKeyGen func(rand io.Reader) (crypto.Signer, error)
 
-var KeyGenList = []HostKeyGen{
-	func(rand io.Reader) (crypto.Signer, error) {
-		_, priv, err := ed25519.GenerateKey(rand)
-		return priv, err
-	},
-	func(rand io.Reader) (crypto.Signer, error) {
-		return ecdsa.GenerateKey(elliptic.P521(), rand)
-	},
-	func(rand io.Reader) (crypto.Signer, error) {
-		return rsa.GenerateKey(rand, 2048)
-	},
-}
+var HostRsaKeyPath string
+var HostEcdsaKeyPath string
+var HostEd25519KeyPath string
 
+var KeyGenPathList = []string{
+	HostRsaKeyPath,
+	HostEcdsaKeyPath,
+	HostEd25519KeyPath,
+}
 func (sshd *SSHServer) Setup() error {
 	if model.GetBackendCtx(sshd.ctx) == nil {
 		return errors.New("Context does not have model connection")
 	}
-	for _, gen := range KeyGenList {
-		priv, err := gen(rand.Reader)
+	for _, path := range KeyGenPathList {
+		// Reading key file
+		buf, err := ioutil.ReadFile(path)
 		if err != nil {
-			return errors.Wrap(err, "Failed to generate host key")
+			return errors.Wrap(err, path + " doesn't exist")
 		}
-		sshSigner, err := ssh.NewSignerFromSigner(priv)
+		// Check integrity of pem file
+		sshSigner, err := ssh.ParsePrivateKey(buf)
 		if err != nil {
-			return errors.Wrap(err, "Failed to convert to ssh.Signer")
+			return errors.Wrap(err, path + " is not a valid pem file")
 		}
 		sshd.config.AddHostKey(sshSigner)
 	}

cmd/openvdc-executor/sshd.go

@@ -50,6 +50,7 @@ mkdir -p "$RPM_BUILD_ROOT"/opt/axsh/openvdc/bin
 mkdir -p "$RPM_BUILD_ROOT"%{_unitdir}
 mkdir -p "$RPM_BUILD_ROOT"/etc/openvdc
 mkdir -p "$RPM_BUILD_ROOT"/etc/openvdc/scripts
+mkdir -p "$RPM_BUILD_ROOT"/etc/openvdc/ssh
 mkdir -p "$RPM_BUILD_ROOT"/usr/bin
 ln -sf /opt/axsh/openvdc/bin/openvdc  "$RPM_BUILD_ROOT"/usr/bin
 cp openvdc "$RPM_BUILD_ROOT"/opt/axsh/openvdc/bin
@@ -93,6 +94,12 @@ OpenVDC executor common package.
 /opt/axsh/openvdc/share/mesos-slave/attributes.lxc
 /opt/axsh/openvdc/share/lxc-templates/lxc-openvdc
 %dir /etc/openvdc
+%dir /etc/openvdc/ssh
+
+%post executor
+test ! -f /etc/openvdc/ssh/host_rsa_key && /usr/bin/ssh-keygen -q -t rsa -f /etc/openvdc/ssh/host_rsa_key -b 4096 -C '' -N '' >&/dev/null;
+test ! -f /etc/openvdc/ssh/host_ecdsa_key && /usr/bin/ssh-keygen -q -t ecdsa -f /etc/openvdc/ssh/host_ecdsa_key -C '' -N '' >&/dev/null;
+test ! -f /etc/openvdc/ssh/host_ed25519_key && /usr/bin/ssh-keygen -q -t ed25519 -f /etc/openvdc/ssh/host_ed25519_key -C '' -N '' >&/dev/null;
 
 %package executor-null
 Summary: OpenVDC executor (null driver)