libre #smartos

8 Sep 2022

SmartOS -- A Modern, Open Source, Datacenter Operating System | smartos.org | github.com/TritonDataCenter/smartos-live | github.com/TritonDataCenter/triton | Security -- TritonDataCenter.com/security-issues | Channel logs - log.omnios.org/smartos

• 14:20
  Smithx10
  zlogin -C doesn't work with KVM?
• 14:22
  bahamat
  Eh...it depends?
• 14:22
  Smithx10
  udnerstood
• 14:22
  bahamat
  The guest needs to have the console explicitly configured
• 14:23
  Smithx10
  Someone left a team and no one has access to a bunch of their VMs, is there a way to do a startup script assuming they have the smartos tools / cloud-init running in the instnace?
• 14:23
  bahamat
  I'm pretty sure (though, now on reflection not 100%) that we do have zlogin -C wired up to the serial port so that if the guest also sets it up it would work.
• 14:24
  bahamat
  Well, there's a couple of things.
• 14:24
  bahamat
  There's some stuff for overwriting ssh keys, but I'm not sure that works with the cloud-init stuff anymore.
• 14:27
  Smithx10
  What was the way to overwrite ssh keys without cloud-init
• 14:28
  bahamat
  You could write a special metadata key that would signal our start up script to replace the authorized_keys file
• 14:28
  bahamat
  I'm trying to find the code for it
• 14:28
  Smithx10
  Thanks
• 14:31
  bahamat
  Ok, here's where it used to be: github.com/TritonDataCenter/sdc-vmt…ib/smartdc/set-root-authorized-keys
• 14:32
  Smithx10
  so set overwrite_root_akeys to "OVERWRITE" yea?
• 14:32
  bahamat
  Yeah
• 14:32
  bahamat
  But I don't think we ship that on modern images.
• 14:32
  bahamat
  I can't find it anywhere on any of my bhyve systems
• 14:33
  bahamat
  We actually probably should, because it's a nice failsafe to have.
• 14:33
  bahamat
  The other option is to get on the vnc console and interrupt grub, which is always a pain in the ass.
• 14:34
  Smithx10
  yea
• 14:52
  Smithx10
  the idea of smartlogin was cool
• 14:53
  Smithx10
  but with VM i can see the pain
• 17:52
  bahamat
  Smithx10: With newer OpenSSH you can have AuthorizedKeysCommand, and have that mget the keys
• 17:52
  bahamat
  But you have to set that up yourself.
• 17:53
  bahamat
  I've considered several ways of putting that into images, but there's no clear way to do it "right" that won't be broken by the distro when upgrading the package.
• 17:56
  bahamat
  Oh, actually, even newer ones have `Include /etc/ssh/sshd_config.d` by default.
• 18:10
  Smithx10
  Yeah, we <3 AuthorizedKeysCommand but the issue is the BUs are kinda on their own for this
• 18:10
  Smithx10
  until we can be authorized to govern their instances
• 18:10
  Smithx10
  exactly, we use it for all our stuff in our accounts for ops
• 18:10
  Smithx10
  but.... its that line between them having freedom vs having to work with us
• 18:11
  Smithx10
  maybe I should have had images always populate from mdata on bounce
• 18:12
  Smithx10
  Not sure if you saw things like "Boundary" or WarpGate
• 18:12
  Smithx10
  github.com/hashicorp/boundary
• 18:12
  Smithx10
  github.com/warp-tech/warpgate
• 18:12
  Smithx10
  seems pretty cool
• 19:27
  bahamat
  Yeah, I've seen them, but like how much should we customize images for customers? I'm in favor of very little
• 19:54
  Smithx10
  same