fix: Upgrade base image to 0.1.5: clean all authorized_keys

.github/scripts/aws-delete-ci-resources.sh

@@ -9,12 +9,20 @@ REGION="eu-west-1"
 instance_ids=$(aws ec2 describe-instances --query 'Reservations[].Instances[].InstanceId' --region "$REGION" --output text)
 # Loop through each instance ID and terminate it
 for instance_id in $instance_ids; do
-  echo "Listing instance: $instance_name ($instance_id)"
   instance_name=$(aws ec2 describe-tags --filters "Name=resource-id,Values=$instance_id" "Name=key,Values=Name" --region "$REGION" --output=text | cut -f5)
+  echo "Listing instance: $instance_name ($instance_id)"
   if [[ $instance_name == *"packer"* ]] || [[ $instance_name == *"gh-ci"* ]]; then
     echo "--> Terminating instance: $instance_name ($instance_id)"
     aws ec2 terminate-instances --instance-ids "$instance_id" --region "$REGION"
   fi
+
+   # Get SSH key name
+  ssh_key_name=$(aws ec2 describe-instances --instance-ids "$instance_id" --query 'Reservations[].Instances[].KeyName' --region "$REGION" --output text)
+  echo "Listing SSH key: $ssh_key_name"
+  if [[ $ssh_key_name == *"packer"* ]]; then
+    echo "--> Terminating instance: $ssh_key_name ($instance_id)"
+    aws ec2 terminate-instances --instance-ids "$instance_id" --region "$REGION"
+  fi
 done
 
 # List all EBS volume IDs and extract their IDs

.github/scripts/azure-new-instance.sh

@@ -53,3 +53,6 @@ else
 fi
 
 az vm open-port -g packer-snp -n "$NAME" --priority 100 --port 5555,443,22
+
+HOST=$(az vm show -d -g packer-snp -n "$NAME" --query publicIps -o tsv)
+echo "$HOST"

.github/workflows/aws_base_main.yml

@@ -22,4 +22,4 @@ jobs:
       techno: sev
       distrib: ${{ matrix.distrib }}
       product: ${{ matrix.product }}
-      base-version: 0.1.4
+      base-version: 0.1.5

.github/workflows/aws_main.yml

@@ -30,7 +30,7 @@ jobs:
       product: ${{ matrix.product }}
       kms-version: 4.16.0
       ai-runner-version: 0.3.0
-      base-version: 0.1.4
+      base-version: 0.1.5
 
   post-clean-resources:
     if: success() || cancelled()

.github/workflows/azure_ansible.yml

@@ -110,7 +110,7 @@ jobs:
           for i in {1..1}
           do
             echo "Iteration: $i"
-            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }}
+            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} --skip-tags role-cleanup
           done
 
       - name: Stop and delete Azure instance

.github/workflows/azure_base_main.yml

@@ -26,6 +26,6 @@ jobs:
       techno: ${{ matrix.techno }}
       distrib: ${{ matrix.distrib }}
       product: ${{ matrix.product }}
-      base-version: 0.1.4
+      base-version: 0.1.5
       kms-version: 0.0.0
       ai-runner-version: 0.0.0

.github/workflows/gcp_base_main.yml

@@ -26,4 +26,4 @@ jobs:
       techno: ${{ matrix.techno }}
       distrib: ${{ matrix.distrib }}
       product: ${{ matrix.product }}
-      base-version: 0.1.4
+      base-version: 0.1.5

.github/workflows/nightly_aws_main.yml

@@ -35,7 +35,7 @@ jobs:
       product: ${{ matrix.product }}
       kms-version: 4.16.0
       ai-runner-version: 0.3.0
-      base-version: 0.1.4
+      base-version: 0.1.5
 
   # Too many failures when rebooting EC2
   # ansible:

.github/workflows/nightly_azure_main.yml

@@ -37,7 +37,7 @@ jobs:
       product: ${{ matrix.product }}
       kms-version: 4.16.0
       ai-runner-version: 0.3.0
-      base-version: 0.1.4
+      base-version: 0.1.5
 
   ansible:
     if: startsWith(github.ref, 'refs/tags/') != true

.github/workflows/nightly_gcp_main.yml

@@ -55,7 +55,7 @@ jobs:
       product: ${{ matrix.product }}
       kms-version: 4.16.0
       ai-runner-version: 0.3.0
-      base-version: 0.1.4
+      base-version: 0.1.5
 
   ansible:
     if: startsWith(github.ref, 'refs/tags/') != true

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.2.3] - 2024-06-15
+
+### Bug Fixes
+
+- Upgrade base image to 0.1.5: clean all authorized_keys ([#139](https://github.com/Cosmian/cosmian_vm/pull/139))
+
 ## [1.2.2] - 2024-06-13
 
 ### Bug Fixes

Cargo.toml

@@ -9,7 +9,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "1.2.2"
+version = "1.2.3"
 edition = "2021"
 license = "BUSL-1.1"
 license-file = "LICENSE"

README.md

@@ -46,13 +46,13 @@ Our client CLI [cosmian_vm](https://github.com/Cosmian/cosmian_vm/tree/main/crat
 - [Snapshot of the system](#snapshot-of-the-system)
 - [Verification of the remote instance](#verification-of-the-remote-instance)
 - [Cloud providers support](#cloud-providers-support)
-  - [Marketplace Image content](#marketplace-image-content)
-  - [Configuration file](#configuration-file)
-  - [First Cosmian VM launch](#first-cosmian-vm-launch)
-  - [Handle Cosmian VM status](#handle-cosmian-vm-status)
-  - [Usage](#usage)
-  - [Provide secrets without SSH access](#provide-secrets-without-ssh-access)
-- [Other Cosmian Products base on Cosmian VM](#other-cosmian-products-base-on-cosmian-vm)
+  * [Marketplace Image content](#marketplace-image-content)
+  * [Configuration file](#configuration-file)
+  * [First Cosmian VM launch](#first-cosmian-vm-launch)
+  * [Handle Cosmian VM status](#handle-cosmian-vm-status)
+  * [Usage](#usage)
+  * [Provide secrets without SSH access](#provide-secrets-without-ssh-access)
+- [Other Cosmian Products based on Cosmian VM](#other-cosmian-products-based-on-cosmian-vm)
 
 <!-- tocstop -->
 
@@ -279,11 +279,12 @@ The `restart` subcommand can restart the application identified in `service_name
 cosmian_vm --url https://my_app.dev app restart
 ```
 
-## Other Cosmian Products base on Cosmian VM
+## Other Cosmian Products based on Cosmian VM
 
-| Cosmian VM | Cosmian KMS | Cosmian AI Runner |
-| ---------- | ----------- | ----------------- |
-| 1.2.2      | 4.16.0      | 0.3.0             |
-| 1.2.1      | 4.16.0      | 0.3.0             |
-| 1.2.0      | 4.16.0      | -                 |
-| 1.1.2      | 4.15.0      | -                 |
+| Base image | Cosmian VM | Cosmian KMS | Cosmian AI Runner |
+| ---------- | ---------- | ----------- | ----------------- |
+| 0.1.5      | 1.2.3      | 4.16.0      | 0.3.0             |
+| 0.1.4      | 1.2.2      | 4.16.0      | 0.3.0             |
+| 0.1.3      | 1.2.1      | 4.16.0      | 0.3.0             |
+|            | 1.2.0      | 4.16.0      | -                 |
+|            | 1.1.2      | 4.15.0      | -                 |

ansible/README.md

@@ -4,6 +4,10 @@
 
 ### Changelog
 
+## [0.1.5] - 2024-06-15
+
+- RHEL/Ubuntu: clean all authorized_keys ([#139](https://github.com/Cosmian/cosmian_vm/pull/139))
+
 ## [0.1.4] - 2024-06-12
 
 - RHEL:
@@ -102,8 +106,8 @@ export USERNAME=cosmian
 export HOST=35.204.83.49
 # Be sure to install deps: `pip install -r python_modules.txt` on your localhost
 cd ansible
-ansible-playbook cosmian-vm-playbook.yml -i ${HOST}, -u $USERNAME -e cosmian_vm_version=1.2.2
-ansible-playbook kms-playbook.yml -i ${HOST}, -u $USERNAME -e cosmian_vm_version=1.2.2 -e cosmian_kms_version=4.16.0
+ansible-playbook cosmian-vm-playbook.yml -i ${HOST}, -u $USERNAME -e cosmian_vm_version=1.2.3
+ansible-playbook kms-playbook.yml -i ${HOST}, -u $USERNAME -e cosmian_vm_version=1.2.3 -e cosmian_kms_version=4.16.0
 ```
 
 The machine has been configured

ansible/base-image-packer-playbook.yml

@@ -3,13 +3,14 @@
   hosts: all
   become: true
   roles:
-    - role: configure_ima
-      tags: configure_ima
+    - role: upgrade
+      tags: role-upgrade
     - tpm
     - instance_configs # GCP only
     - intel
-    - upgrade
     - no_updates
+    - role: configure_ima
+      tags: role-configure-ima
 
 - name: Reboot after GRUB changes, Linux updates and TPM support installation
   hosts: all
@@ -43,3 +44,10 @@
         - name: Display Security updates
           ansible.builtin.debug:
             var: dnf_security_update
+
+- name: Clean base image
+  hosts: all
+  become: true
+  roles:
+    - role: cleanup
+      tags: role-cleanup

ansible/group_vars/all.yml

@@ -1,5 +1,5 @@
 ---
-cosmian_vm_version: 1.2.2
+cosmian_vm_version: 1.2.3
 cosmian_kms_version: 4.16.0
 cosmian_ai_runner_version: 0.3.0
 

ansible/roles/cleanup/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+# tasks file for ansible/roles/kms
+
+- name: Check OS distribution
+  ansible.builtin.debug:
+    var: ansible_distribution
+
+- name: Find all authorized_keys files
+  ansible.builtin.find:
+    paths:
+      - /home
+      - /root
+    recurse: true
+    patterns: authorized_keys
+  register: authorized_keys
+
+- name: Display authorized_keys authorized_keys
+  ansible.builtin.debug:
+    var: authorized_keys
+
+- name: Remove found authorized_keys files
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: absent
+  loop: "{{ authorized_keys.files }}"
+  when: authorized_keys.matched > 0
+
+- name: Find all authorized_keys files
+  ansible.builtin.find:
+    paths:
+      - /home
+      - /root
+    recurse: true
+    patterns: authorized_keys
+  register: authorized_keys
+
+- name: Display authorized_keys authorized_keys
+  ansible.builtin.debug:
+    var: authorized_keys

ansible/roles/configure_ima/tasks/main.yml

@@ -1,6 +1,9 @@
 ---
 # tasks file for ansible/roles/configure_ima
 
+- name: Gathering facts
+  ansible.builtin.gather_facts:
+
 - name: Check OS distribution
   ansible.builtin.debug:
     var: ansible_distribution

ansible/roles/no_updates/tasks/main.yml

@@ -80,7 +80,7 @@
         backup: true
       when: __dnf_automatic_conf.stat.exists
 
-    - name: Clean dnf metadata
+    - name: Clean DNF metadata
       ansible.builtin.command: dnf clean all
       register: cmd_output
       changed_when: cmd_output.rc != 0

ansible/roles/upgrade/tasks/main.yml

@@ -2,6 +2,9 @@
 
 # tasks file for upgrade
 
+- name: Gathering facts
+  ansible.builtin.gather_facts:
+
 - name: Update and upgrade apt packages
   when: ansible_distribution == 'Ubuntu'
   block: