fix(ansible): allow rsa public keys (#271)

* fix(ansible): allow rsa public keys * feat(devkit): use alpine for devkit * fix: spelling for goss ditr * fix: goss install typo last place * fix(devkit): fix ANSIBLE_PATH Co-authored-by: Faiq <faiq@users.noreply.github.com>
mesosphere · Mar 24, 2022 · 291e922 · 291e922
1 parent 1faf7a9
commit 291e922
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 32 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -4,8 +4,7 @@ ARG BASE=mesosphere/konvoy-image-builder:latest-devkit
 # hadolint ignore=DL3006
 FROM ${BASE} as devkit
 
-# DO NOT BUMP TO 3.15.0 https://githubmemory.com/repo/atmoz/sftp/issues/296
-FROM alpine:3.14.2
+FROM alpine:3.15.2
 
 ARG ANSIBLE_VERSION=2.10.7
 ENV ANSIBLE_PATH=/usr

diff --git a/Dockerfile.devkit b/Dockerfile.devkit
@@ -4,19 +4,18 @@ FROM golangci/golangci-lint:v1.44.2-alpine as golangci-lint
 FROM goreleaser/goreleaser:v1.7.0 as goreleaser
 FROM docker:20.10 as docker
 
-FROM golang:1.17.8 as builder
+FROM golang:1.17.8-alpine3.15 as builder
 
 # NOTE(jkoelker) since this is a multistage build we
 #                can have an explosion at the layer
 #                factory to help with caching
 
 RUN mkdir -p /tools
 
-# NOTE(jkoelker) Ignore "Pin versions in apt get install.
-# hadolint ignore=DL3008
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y \
-        p7zip-full
+# NOTE(jkoelker) Ignore "Multiple consecutive `RUN` | Pin versions in apk add."
+# hadolint ignore=DL3059,DL3018
+RUN apk add --no-cache \
+        p7zip
 
 ARG PACKER_GOSS_VERSION=3.0.3
 ARG PACKER_GOSS_SHA265=1994069f78d44a76d463b76fef42c7e4ab412df14703a51643642ecdefa2c029
@@ -56,11 +55,11 @@ RUN wget \
     && chmod +x /tools/gocover-cobertura
 
 # NOTE(jkoelker) From here we care about layers
-FROM golang:1.17.8
+FROM golang:1.17.8-alpine3.15
 
 ARG ANSIBLE_VERSION=2.10.7
 ARG DOCKER_PY_VERSION=5.0.3
-ENV ANSIBLE_PATH=/usr/local
+ENV ANSIBLE_PATH=/usr
 ENV PYTHON_PATH=/usr
 
 ARG USER_NAME=root
@@ -70,57 +69,60 @@ ARG GROUP_ID=0
 ARG DOCKER_GID=0
 
 # NOTE(jkoelker) Ignore "Pin versions in [pip | apk add]"
-# hadolint ignore=DL3013,DL3008
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y \
-        libc-dev \
+# hadolint ignore=DL3013,DL3018
+RUN apk add --no-cache \
+        bash \
+        curl \
         git \
         gcc \
         jq \
+        libc6-compat \
+        musl-dev \
         make \
-        bash \
         openssl \
         openssh-client \
         python3 \
-        unzip \
-        gettext-base \
-        python3-cryptography \
-        python3-pip \
-        python3-setuptools \
-        python3-wheel \
+        python3-dev \
+        gettext \
+        py3-cffi \
+        py3-cryptography \
+        py3-pynacl \
+        py3-pip\
+        py3-psutil \
+        py3-setuptools \
+        py3-wheel \
     && pip3 install --no-cache-dir \
         ansible=="${ANSIBLE_VERSION}" \
         awscli \
         azure-cli \
         docker=="${DOCKER_PY_VERSION}" \
         netaddr \
     && rm -rf \
-        /root/.cache \
-        /var/lib/apt/lists/*
+        /root/.cache
 
-# hadolint ignore=DL3059,DL4006
-RUN  curl -fsSL https://goss.rocks/install | GOSS_VER=v0.3.16 GOSS_DST=/usr/local/bin sh
+RUN  curl -fsSL --output /tmp/goss.install  https://goss.rocks/install \
+    && GOSS_VER=v0.3.16 GOSS_DST=/usr/local/bin bash /tmp/goss.install \
+    && rm /tmp/goss.install
 COPY --from=packer /bin/packer /usr/local/bin/
 COPY --from=golangci-lint /usr/bin/golangci-lint /usr/local/bin/
 COPY --from=goreleaser /usr/bin/goreleaser /usr/local/bin/
 COPY --from=docker /usr/local/bin/docker /usr/local/bin/
 COPY --from=builder /tools /usr/local/bin
 
 RUN getent group "${GROUP_ID}" > /dev/null 2>&1 \
-    || addgroup --system --gid "${GROUP_ID}" "${GROUP_NAME}"
+    || addgroup -S -g "${GROUP_ID}" "${GROUP_NAME}"
 
 # NOTE(jkoelker) Ignore "Multiple consecutive `RUN`"
 # hadolint ignore=DL3059
 RUN getent passwd "${USER_ID}" > /dev/null 2>&1 \
-    || adduser --system --disabled-password \
-        --uid "${USER_ID}" --gid "${GROUP_ID}" "${USER_NAME}"
+    || adduser -D -u "${USER_ID}" -G "${GROUP_NAME}" "${USER_NAME}"
 
 # NOTE(jkoelker) Ignore "A && B || C is not if-then-else"
 # NOTE(jkoelker) Ignore "Multiple consecutive `RUN`"
 # hadolint ignore=SC2015,DL3059
 RUN if [ "${DOCKER_GID}" -ne "${GROUP_ID}" ]; then \
         getent group "${DOCKER_GID}" > /dev/null 2>&1 \
-            || addgroup --system --gid "${DOCKER_GID}" "docker"; \
+            || addgroup -S -g "${DOCKER_GID}" "docker"; \
         getent group ${DOCKER_GID} >> /tmp/docker.group \
             && cut -d: -f1 /tmp/docker.group >> /tmp/docker.group_name \
             && addgroup "${USER_NAME}" "$(cat /tmp/docker.group_name)"; \

diff --git a/pkg/packer/manifests/aws/packer.json.tmpl b/pkg/packer/manifests/aws/packer.json.tmpl
@@ -77,6 +77,14 @@
       "iam_instance_profile": "{{user `iam_instance_profile`}}",
       "skip_profile_validation": "{{user `skip_profile_validation`}}",
       "ssh_username": "{{user `ssh_username`}}",
+      "ssh_key_exchange_algorithms": [
+        "curve25519-sha256@libssh.org",
+        "ecdh-sha2-nistp256",
+        "ecdh-sha2-nistp384",
+        "ecdh-sha2-nistp521",
+        "diffie-hellman-group14-sha1",
+        "diffie-hellman-group1-sha1"
+      ],
       "vpc_id": "{{ user `vpc_id` }}",
       "ssh_bastion_host": "{{ user `ssh_bastion_host` }}",
       "ssh_bastion_username": "{{ user  `ssh_bastion_username` }}",
@@ -193,7 +201,7 @@
       "playbook_file": "./ansible/provision.yaml",
       "user": "{{user `ssh_username`}}",
       "ansible_env_vars": [
-        "ANSIBLE_SSH_ARGS='{{user `existing_ansible_ssh_args`}} -o IdentitiesOnly=yes'",
+        "ANSIBLE_SSH_ARGS='{{user `existing_ansible_ssh_args`}} -o IdentitiesOnly=yes -o HostkeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa'",
         "ANSIBLE_REMOTE_TEMP='/tmp/.ansible/'"
       ],
       "extra_arguments": [

diff --git a/pkg/packer/manifests/azure/packer.json.tmpl b/pkg/packer/manifests/azure/packer.json.tmpl
@@ -172,7 +172,7 @@
       "playbook_file": "./ansible/provision.yaml",
       "user": "{{user `ssh_username`}}",
       "ansible_env_vars": [
-        "ANSIBLE_SSH_ARGS='{{user `existing_ansible_ssh_args`}} -o IdentitiesOnly=yes -o HostkeyAlgorithms=+ssh-rsa'",
+        "ANSIBLE_SSH_ARGS='{{user `existing_ansible_ssh_args`}} -o IdentitiesOnly=yes -o HostkeyAlgorithms=+ssh-rsa-o PubkeyAcceptedAlgorithms=+ssh-rsa'",
         "ANSIBLE_REMOTE_TEMP='/tmp/.ansible/'"
       ],
       "extra_arguments": [

diff --git a/pkg/packer/manifests/vsphere/packer.json.tmpl b/pkg/packer/manifests/vsphere/packer.json.tmpl
@@ -54,6 +54,14 @@
         "ssh_password": "{{user `ssh_password`}}",
         "ssh_timeout": "4h",
         "ssh_username": "{{user `ssh_username`}}",
+        "ssh_key_exchange_algorithms": [
+          "curve25519-sha256@libssh.org"
+          "ecdh-sha2-nistp256",
+          "ecdh-sha2-nistp384",
+          "ecdh-sha2-nistp521",
+          "diffie-hellman-group14-sha1",
+          "diffie-hellman-group1-sha1",
+        ],
         "template": "{{user `template`}}",
         "username": "{{user `username`}}",
         "vcenter_server": "{{user `vcenter_server`}}",
@@ -103,7 +111,7 @@
         "playbook_file": "./ansible/provision.yaml",
         "user": "{{user `ssh_username`}}",
         "ansible_env_vars": [
-          "ANSIBLE_SSH_ARGS='{{user `existing_ansible_ssh_args`}} -o IdentitiesOnly=yes'",
+          "ANSIBLE_SSH_ARGS='{{user `existing_ansible_ssh_args`}} -o IdentitiesOnly=yes -o HostkeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa'",
           "ANSIBLE_REMOTE_TEMP='/tmp/.ansible/'"
         ],
         "extra_arguments": [