rootfs: Fetch SSH known hosts file

Jenkins agents need to have a pre-built cache of SSH public keys for any host jobs need to access. This file is typically bind-mounted into jobs' containers. For the older Fedora-based agent nodes, the `ssh_known_hosts` file is populated by Ansible. That mechanism will not work for agent nodes using the immutable root filesystem created by this project, so we need an alternative. To that end, the `fetch-ssh-knownhosts` service downloads the keys from another machine using HTTPS when the system boots up and then periodically while it is running.
2022-03-15 14:38:05 -05:00 · 2022-03-15 14:38:05 -05:00 · 4e05173ae1
parent ca71b88227
commit 4e05173ae1
4 changed files with 30 additions and 0 deletions
--- a/rootfs/overlay/etc/ssh/ssh_known_hosts
+++ b/rootfs/overlay/etc/ssh/ssh_known_hosts
--- a/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.service
+++ b/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.service
@ -0,0 +1,12 @@
+[Unit]
+Description=Fetch SSH known host keys
+Wants=network-online.target
+After=network-online.target
+After=time-sync.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/fetch-ssh-knownhosts.sh
+
+[Install]
+WantedBy=multi-user.target
--- a/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.timer
+++ b/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.timer
@ -0,0 +1,10 @@
+[Unit]
+Description=Update SSH known hosts daily
+
+[Timer]
+OnCalendar=daily
+AccuracySec=1h
+RandomizedDelaySec=6000
+
+[Install]
+WantedBy=timers.target
--- a/rootfs/overlay/usr/libexec/fetch-ssh-knownhosts.sh
+++ b/rootfs/overlay/usr/libexec/fetch-ssh-knownhosts.sh
@ -0,0 +1,8 @@
+#!/bin/sh
+
+: "${KNOWN_HOSTS_URL=https://files.pyrocufflink.blue/ssh_known_hosts}"
+
+curl -fsSL -o /run/ssh_known_hosts "${KNOWN_HOSTS_URL}" || exit $?
+if ! mountpoint -q /etc/ssh/ssh_known_hosts; then
+    mount -o bind /run/ssh_known_hosts /etc/ssh/ssh_known_hosts
+fi