Merge pull request #706 from jdeathe/centos-7-develop

Release changes for 2.5.0

Author: jdeathe

CHANGELOG.md

@@ -4,6 +4,40 @@
 
 Summary of release changes for Version 2 - CentOS-7
 
+### 2.5.0 - 2019-01-28
+
+- Updates `openssl` package to 1.0.2k-16.el7.
+- Updates `sudo` package to 1.8.23-3.el7.
+- Updates `yum-plugin-versionlock` package to 1.1.31-50.el7.
+- Updates supervisor to 3.3.5.
+- Updates validation for `SSH_USER_ID` to allow values in the system ID range.
+- Updates and restructures Dockerfile to reduce number of layers in image.
+- Updates container naming conventions for `scmi` making the node element optional.
+- Updates container naming conventions and readability of `Makefile`.
+- Updates `docker logs` output example in README document.
+- Updates README instructions following review.
+- Updates default HEALTHCHECK interval to 1 second from 0.5.
+- Replaces awk with native bash regex when testing sudo user's have `NOPASSWD:ALL`.
+- Fixes bootstrap errors regarding readonly `PASSWORD_LENGTH`.
+- Fixes issue with redacted password when using `SSH_PASSWORD_AUTHENTICATION` in combination with `SSH_USER_FORCE_SFTP`.
+- Fixes issue with unexpected published port in run templates when `DOCKER_PORT_MAP_TCP_22` is set to an empty string or 0.
+- Fixes missing `SSH_TIMEZONE` from Makefile's install run template.
+- Fixes validation of `SSH_TIMEZONE` values - set to defaults with warning and abort on error.
+- Adds `SSH_USER_PRIVATE_KEY` to allow configuration of an RSA private key for `SSH_USER`.
+- Adds placeholder replacement of `RELEASE_VERSION` docker argument to systemd service unit template.
+- Adds error messages to healthcheck script and includes supervisord check.
+- Adds a short sleep after bootstrap Details to work-around missing output on CI service's host.
+- Adds port incrementation to Makefile's run template for container names with an instance suffix.
+- Adds consideration for event lag into test cases for unhealthy health_status events.
+- Adds feature to allow configuration of "root" `SSH_USER`.
+- Adds validation of `SSH_SUDO` values.
+- Removes use of `/etc/services-config` paths.
+- Removes fleet `--manager` option in the `scmi` installer.
+- Removes X-Fleet section from etcd register template unit-file.
+- Removes the unused group element from the default container name.
+- Removes the node element from the default container name.
+- Removes undocumented `SSH_ROOT_PASSWORD` from bootstrap process.
+
 ### 2.4.1 - 2018-11-10
 
 - Adds feature to set system time zone via `SSH_TIMEZONE`.

Dockerfile

@@ -1,13 +1,13 @@
-# =============================================================================
-# jdeathe/centos-ssh
-#
-# CentOS-7 7.5.1804 x86_64 - SCL/EPEL/IUS Repos. / Supervisor / OpenSSH.
-# 
-# =============================================================================
 FROM centos:7.5.1804
 
+ARG RELEASE_VERSION="2.5.0"
+
 # -----------------------------------------------------------------------------
-# Base Install + Import the RPM GPG keys for Repositories
+# - Import the RPM GPG keys for repositories
+# - Base install of required packages
+# - Install supervisord (used to run more than a single process)
+# - Install supervisor-stdout to allow output of services started by
+#  supervisord to be easily inspected with "docker logs".
 # -----------------------------------------------------------------------------
 RUN rpm --rebuilddb \
 	&& rpm --import \
@@ -25,10 +25,10 @@ RUN rpm --rebuilddb \
 		https://centos7.iuscommunity.org/ius-release.rpm \
 		openssh-clients-7.4p1-16.el7 \
 		openssh-server-7.4p1-16.el7 \
-		openssl-1.0.2k-12.el7 \
+		openssl-1.0.2k-16.el7 \
 		python-setuptools-0.9.8-7.el7 \
-		sudo-1.8.19p2-14.el7_5 \
-		yum-plugin-versionlock-1.1.31-46.el7_5 \
+		sudo-1.8.23-3.el7 \
+		yum-plugin-versionlock-1.1.31-50.el7 \
 	&& yum versionlock add \
 		openssh \
 		openssh-server \
@@ -37,50 +37,17 @@ RUN rpm --rebuilddb \
 		sudo \
 		yum-plugin-versionlock \
 	&& yum clean all \
+	&& easy_install \
+		'supervisor == 3.3.5' \
+		'supervisor-stdout == 0.1.1' \
+	&& mkdir -p \
+		/var/log/supervisor/ \
 	&& rm -rf /etc/ld.so.cache \
 	&& rm -rf /sbin/sln \
 	&& rm -rf /usr/{{lib,share}/locale,share/{man,doc,info,cracklib,i18n},{lib,lib64}/gconv,bin/localedef,sbin/build-locale-archive} \
 	&& rm -rf /{root,tmp,var/cache/{ldconfig,yum}}/* \
 	&& > /etc/sysconfig/i18n
 
-# -----------------------------------------------------------------------------
-# Install supervisord (required to run more than a single process in a container)
-# Note: EPEL package lacks /usr/bin/pidproxy
-# We require supervisor-stdout to allow output of services started by 
-# supervisord to be easily inspected with "docker logs".
-# -----------------------------------------------------------------------------
-RUN easy_install \
-		'supervisor == 3.3.4' \
-		'supervisor-stdout == 0.1.1' \
-	&& mkdir -p \
-		/var/log/supervisor/
-
-# -----------------------------------------------------------------------------
-# UTC Timezone & Networking
-# -----------------------------------------------------------------------------
-RUN ln -sf \
-		/usr/share/zoneinfo/UTC \
-		/etc/localtime \
-	&& echo "NETWORKING=yes" > /etc/sysconfig/network
-
-# -----------------------------------------------------------------------------
-# Configure SSH for non-root public key authentication
-# -----------------------------------------------------------------------------
-RUN sed -i \
-	-e 's~^PasswordAuthentication yes~PasswordAuthentication no~g' \
-	-e 's~^#PermitRootLogin yes~PermitRootLogin no~g' \
-	-e 's~^#UseDNS yes~UseDNS no~g' \
-	-e 's~^\(.*\)/usr/libexec/openssh/sftp-server$~\1internal-sftp~g' \
-	/etc/ssh/sshd_config
-
-# -----------------------------------------------------------------------------
-# Enable the wheel sudoers group
-# -----------------------------------------------------------------------------
-RUN sed -i \
-	-e 's~^# %wheel\tALL=(ALL)\tALL~%wheel\tALL=(ALL) ALL~g' \
-	-e 's~\(.*\) requiretty$~#\1requiretty~' \
-	/etc/sudoers
-
 # -----------------------------------------------------------------------------
 # Copy files into place
 # -----------------------------------------------------------------------------
@@ -90,40 +57,38 @@ ADD src/usr/sbin \
 	/usr/sbin/
 ADD src/opt/scmi \
 	/opt/scmi/
-ADD src/etc/systemd/system \
-	/etc/systemd/system/
-ADD src/etc/services-config/ssh/authorized_keys \
-	src/etc/services-config/ssh/sshd-bootstrap.conf \
-	src/etc/services-config/ssh/sshd-bootstrap.env \
-	/etc/services-config/ssh/
-ADD src/etc/services-config/supervisor/supervisord.conf \
-	/etc/services-config/supervisor/
-ADD src/etc/services-config/supervisor/supervisord.d \
-	/etc/services-config/supervisor/supervisord.d/
+ADD src/etc \
+	/etc/
 
-RUN mkdir -p \
-		/etc/supervisord.d/ \
-	&& cp -pf \
-		/etc/ssh/sshd_config \
-		/etc/services-config/ssh/ \
-	&& ln -sf \
-		/etc/services-config/ssh/sshd_config \
+# -----------------------------------------------------------------------------
+# Provisioning
+# - UTC Timezone
+# - Networking
+# - Configure SSH defaults for non-root public key authentication
+# - Enable the wheel sudoers group
+# - Replace placeholders with values in systemd service unit template
+# - Set permissions
+# -----------------------------------------------------------------------------
+RUN ln -sf \
+		/usr/share/zoneinfo/UTC \
+		/etc/localtime \
+	&& echo "NETWORKING=yes" \
+		> /etc/sysconfig/network \
+	&& sed -i \
+		-e 's~^PasswordAuthentication yes~PasswordAuthentication no~g' \
+		-e 's~^#PermitRootLogin yes~PermitRootLogin no~g' \
+		-e 's~^#UseDNS yes~UseDNS no~g' \
+		-e 's~^\(.*\)/usr/libexec/openssh/sftp-server$~\1internal-sftp~g' \
 		/etc/ssh/sshd_config \
-	&& ln -sf \
-		/etc/services-config/ssh/sshd-bootstrap.conf \
-		/etc/sshd-bootstrap.conf \
-	&& ln -sf \
-		/etc/services-config/ssh/sshd-bootstrap.env \
-		/etc/sshd-bootstrap.env \
-	&& ln -sf \
-		/etc/services-config/supervisor/supervisord.conf \
-		/etc/supervisord.conf \
-	&& ln -sf \
-		/etc/services-config/supervisor/supervisord.d/sshd-wrapper.conf \
-		/etc/supervisord.d/sshd-wrapper.conf \
-	&& ln -sf \
-		/etc/services-config/supervisor/supervisord.d/sshd-bootstrap.conf \
-		/etc/supervisord.d/sshd-bootstrap.conf \
+	&& sed -i \
+		-e 's~^# %wheel\tALL=(ALL)\tALL~%wheel\tALL=(ALL) ALL~g' \
+		-e 's~\(.*\) requiretty$~#\1requiretty~' \
+		/etc/sudoers \
+	&& sed -i \
+		-e "s~{{RELEASE_VERSION}}~${RELEASE_VERSION}~g" \
+		/etc/systemd/system/centos-ssh@.service \
+	&& chmod 644 \
+		/etc/{sshd-bootstrap.{conf,env},supervisord.conf,supervisord.d/sshd-{bootstrap,wrapper}.conf} \
 	&& chmod 700 \
 		/usr/{bin/healthcheck,sbin/{scmi,sshd-{bootstrap,wrapper}}}
 
@@ -146,12 +111,12 @@ ENV SSH_AUTHORIZED_KEYS="" \
 	SSH_USER_ID="500:500" \
 	SSH_USER_PASSWORD="" \
 	SSH_USER_PASSWORD_HASHED="false" \
+	SSH_USER_PRIVATE_KEY="" \
 	SSH_USER_SHELL="/bin/bash"
 
 # -----------------------------------------------------------------------------
 # Set image metadata
 # -----------------------------------------------------------------------------
-ARG RELEASE_VERSION="2.4.1"
 LABEL \
 	maintainer="James Deathe <james.deathe@gmail.com>" \
 	install="docker run \
@@ -183,7 +148,7 @@ jdeathe/centos-ssh:${RELEASE_VERSION} \
 	org.deathe.description="CentOS-7 7.5.1804 x86_64 - SCL, EPEL and IUS Repositories / Supervisor / OpenSSH."
 
 HEALTHCHECK \
-	--interval=0.5s \
+	--interval=1s \
 	--timeout=1s \
 	--retries=5 \
 	CMD ["/usr/bin/healthcheck"]