diff --git a/ic-os/components/hostos.bzl b/ic-os/components/hostos.bzl
index b41fe465e17..11f92d90f6f 100644
--- a/ic-os/components/hostos.bzl
+++ b/ic-os/components/hostos.bzl
@@ -89,8 +89,6 @@ component_files = {
 Label("ssh/setup-ssh-keys/setup-ssh-keys.service"): "/etc/systemd/system/setup-ssh-keys.service",
 Label("ssh/setup-ssh-account-keys/setup-ssh-account-keys.sh"): "/opt/ic/bin/setup-ssh-account-keys.sh",
 Label("ssh/setup-ssh-account-keys/setup-ssh-account-keys.service"): "/etc/systemd/system/setup-ssh-account-keys.service",
- Label("ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh"): "/opt/ic/bin/deploy-updated-ssh-account-keys.sh",
- Label("ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service"): "/etc/systemd/system/deploy-updated-ssh-account-keys.service",
 # upgrade
 Label("upgrade/manageboot/manageboot.sh"): "/opt/ic/bin/manageboot.sh",
diff --git a/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service b/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service
deleted file mode 100644
index cc1b47ef93e..00000000000
--- a/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=Update ssh account keys
-Before=setup-ssh-account-keys.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=true
-ExecStart=/opt/ic/bin/deploy-updated-ssh-account-keys.sh
-
-[Install]
-RequiredBy=setup-ssh-account-keys.service
-WantedBy=multi-user.target
diff --git a/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh b/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh
deleted file mode 100755
index 6bf2b739bb5..00000000000
--- a/ic-os/components/ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/bash
-
-set -e
-
-# Update configured ssh keys for the role accounts if a newer version
-# is available.
-
-# Only update readonly and backup keys.
-for ACCOUNT in backup readonly; do
- echo "Checking authorized keys for ${ACCOUNT}"
- ORIGIN="/opt/ic/share/authorized_keys/${ACCOUNT}"
- if [ ! -r "${ORIGIN}" ]; then
- continue
- fi
- TARGET="/boot/config/ssh_authorized_keys/${ACCOUNT}"
- if [ ! -r "${TARGET}" ]; then
- echo "${ORIGIN} keys exist, but no ${TARGET} keys are present, skipping"
- continue
- fi
- ORIGIN_ENV=$(head -n 1 $ORIGIN)
- TARGET_ENV=$(head -n 1 $TARGET)
- if [ "${TARGET_ENV:0:1}" != "#" ]; then
- echo "Authorized keys for ${ACCOUNT} have no environment header, updating"
- cp "${ORIGIN}" "${TARGET}"
- elif [ "${TARGET_ENV}" = "${ORIGIN_ENV}" ]; then
- # Target's environment matches, check which is newer.
- ORIGIN_TIME=$(head -n 2 $ORIGIN | tail -n 1 | cut -c 3- | date -f - +%s)
- TARGET_TIME=$(head -n 2 $TARGET | tail -n 1 | cut -c 3- | date -f - +%s)
- if [ $ORIGIN_TIME -gt $TARGET_TIME ]; then
- echo "Authorized keys for ${ACCOUNT} are too old, updating: ${ORIGIN_TIME} vs ${TARGET_TIME}"
- cp "${ORIGIN}" "${TARGET}"
- fi
- else
- echo "The environments do not match, skipping: ${ORIGIN_ENV} vs ${TARGET_ENV}"
- fi
-done
diff --git a/ic-os/guestos/docs/Boot.adoc b/ic-os/guestos/docs/Boot.adoc
index bffa12bce7e..ec1afc08803 100644
--- a/ic-os/guestos/docs/Boot.adoc
+++ b/ic-os/guestos/docs/Boot.adoc
@@ -170,15 +170,6 @@ USB stick" attached to the VM that contains a tar file with initial configuratio for parts of the system. Required files in the +config+ partition as well as payload store are created. -== Deploy updated ssh account keys - -Service: +deploy-updated-ssh-account-keys.service+, +deploy-updated-ssh-account-keys.sh+. -Depends on +bootstrap-ic-node.service+, runs before +setup-ssh-account-keys.service+. - -Changes the keys held in the +config+ partition for the +backup+ and +readonly+ user. This -is a work-around due to not having a key management solution that updated keys are -deployed via system upgrades. - == Set up ssh account keys Service: +setup-ssh-account-keys.services+, script +/opt/ic/bin/setup-ssh-account-keys.sh+.