This repository has been archived by the owner on Jul 2, 2024. It is now read-only.

Merge pull request #706 from jdeathe/centos-7-develop
Release changes for 2.5.0
jdeathe authored Jan 28, 2019
2 parents 76517ed + 1b3fb4f commit 3fcc789
Showing 30 changed files with 3,287 additions and 2,037 deletions.
34 changes: 34 additions & 0 deletions CHANGELOG.md
@@ -4,6 +4,40 @@

Summary of release changes for Version 2 - CentOS-7

### 2.5.0 - 2019-01-28

- Updates `openssl` package to 1.0.2k-16.el7.
- Updates `sudo` package to 1.8.23-3.el7.
- Updates `yum-plugin-versionlock` package to 1.1.31-50.el7.
- Updates supervisor to 3.3.5.
- Updates validation for `SSH_USER_ID` to allow values in the system ID range.
- Updates and restructures Dockerfile to reduce number of layers in image.
- Updates container naming conventions for `scmi` making the node element optional.
- Updates container naming conventions and readability of `Makefile`.
- Updates `docker logs` output example in README document.
- Updates README instructions following review.
- Updates default HEALTHCHECK interval to 1 second from 0.5.
- Replaces awk with native bash regex when testing sudo user's have `NOPASSWD:ALL`.
- Fixes bootstrap errors regarding readonly `PASSWORD_LENGTH`.
- Fixes issue with redacted password when using `SSH_PASSWORD_AUTHENTICATION` in combination with `SSH_USER_FORCE_SFTP`.
- Fixes issue with unexpected published port in run templates when `DOCKER_PORT_MAP_TCP_22` is set to an empty string or 0.
- Fixes missing `SSH_TIMEZONE` from Makefile's install run template.
- Fixes validation of `SSH_TIMEZONE` values - set to defaults with warning and abort on error.
- Adds `SSH_USER_PRIVATE_KEY` to allow configuration of an RSA private key for `SSH_USER`.
- Adds placeholder replacement of `RELEASE_VERSION` docker argument to systemd service unit template.
- Adds error messages to healthcheck script and includes supervisord check.
- Adds a short sleep after bootstrap Details to work-around missing output on CI service's host.
- Adds port incrementation to Makefile's run template for container names with an instance suffix.
- Adds consideration for event lag into test cases for unhealthy health_status events.
- Adds feature to allow configuration of "root" `SSH_USER`.
- Adds validation of `SSH_SUDO` values.
- Removes use of `/etc/services-config` paths.
- Removes fleet `--manager` option in the `scmi` installer.
- Removes X-Fleet section from etcd register template unit-file.
- Removes the unused group element from the default container name.
- Removes the node element from the default container name.
- Removes undocumented `SSH_ROOT_PASSWORD` from bootstrap process.

### 2.4.1 - 2018-11-10

- Adds feature to set system time zone via `SSH_TIMEZONE`.
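Review bot: the entry "Adds feature to allow configuration of "root" `SSH_USER`" should state how that interacts with the `PermitRootLogin no` default this same commit still writes into `/etc/ssh/sshd_config` in the Dockerfile provisioning step, i.e. whether and how bootstrap changes `PermitRootLogin` when `SSH_USER=root`, because that is the security-relevant consequence a reader of the changelog needs. The `SSH_USER_PRIVATE_KEY` entry likewise should say where the key material is written and with what file mode. Minor: `sudo user's` should read `sudo users`, and `bootstrap Details` looks like a capitalisation slip.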
129 changes: 47 additions & 82 deletions Dockerfile
@@ -1,13 +1,13 @@
# =============================================================================
# jdeathe/centos-ssh
#
# CentOS-7 7.5.1804 x86_64 - SCL/EPEL/IUS Repos. / Supervisor / OpenSSH.
#
# =============================================================================
FROM centos:7.5.1804

ARG RELEASE_VERSION="2.5.0"

# -----------------------------------------------------------------------------
# Base Install + Import the RPM GPG keys for Repositories
# - Import the RPM GPG keys for repositories
# - Base install of required packages
# - Install supervisord (used to run more than a single process)
# - Install supervisor-stdout to allow output of services started by
# supervisord to be easily inspected with "docker logs".
# -----------------------------------------------------------------------------
RUN rpm --rebuilddb \
&& rpm --import \
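Review bot: `FROM centos:7.5.1804` pins the base image by tag only, while every package installed below it is pinned to an exact release; a tag can be re-pushed, so for a reproducible image reference it by digest as well (`FROM centos:7.5.1804@sha256:<digest>`). Moving `ARG RELEASE_VERSION` above the first `RUN` is right now that the provisioning step substitutes it into the systemd unit, but a one-line comment there saying so would stop the next reader from moving it back down beside the `LABEL` block where it used to live.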
@@ -25,10 +25,10 @@ RUN rpm --rebuilddb \
https://centos7.iuscommunity.org/ius-release.rpm \
openssh-clients-7.4p1-16.el7 \
openssh-server-7.4p1-16.el7 \
openssl-1.0.2k-12.el7 \
openssl-1.0.2k-16.el7 \
python-setuptools-0.9.8-7.el7 \
sudo-1.8.19p2-14.el7_5 \
yum-plugin-versionlock-1.1.31-46.el7_5 \
sudo-1.8.23-3.el7 \
yum-plugin-versionlock-1.1.31-50.el7 \
&& yum versionlock add \
openssh \
openssh-server \
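Review bot: `https://centos7.iuscommunity.org/ius-release.rpm` is the one package in this `yum install` that is neither version-pinned nor verified, so the build depends on whatever that URL serves on the day; pin it to a versioned filename, or fetch it first and check a known checksum or its signature with `rpm -K` before installing. The `openssl`, `sudo` and `yum-plugin-versionlock` bumps match the CHANGELOG entries.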
@@ -37,50 +37,17 @@ RUN rpm --rebuilddb \
sudo \
yum-plugin-versionlock \
&& yum clean all \
&& easy_install \
'supervisor == 3.3.5' \
'supervisor-stdout == 0.1.1' \
&& mkdir -p \
/var/log/supervisor/ \
&& rm -rf /etc/ld.so.cache \
&& rm -rf /sbin/sln \
&& rm -rf /usr/{{lib,share}/locale,share/{man,doc,info,cracklib,i18n},{lib,lib64}/gconv,bin/localedef,sbin/build-locale-archive} \
&& rm -rf /{root,tmp,var/cache/{ldconfig,yum}}/* \
&& > /etc/sysconfig/i18n

# -----------------------------------------------------------------------------
# Install supervisord (required to run more than a single process in a container)
# Note: EPEL package lacks /usr/bin/pidproxy
# We require supervisor-stdout to allow output of services started by
# supervisord to be easily inspected with "docker logs".
# -----------------------------------------------------------------------------
RUN easy_install \
'supervisor == 3.3.4' \
'supervisor-stdout == 0.1.1' \
&& mkdir -p \
/var/log/supervisor/

# -----------------------------------------------------------------------------
# UTC Timezone & Networking
# -----------------------------------------------------------------------------
RUN ln -sf \
/usr/share/zoneinfo/UTC \
/etc/localtime \
&& echo "NETWORKING=yes" > /etc/sysconfig/network

# -----------------------------------------------------------------------------
# Configure SSH for non-root public key authentication
# -----------------------------------------------------------------------------
RUN sed -i \
-e 's~^PasswordAuthentication yes~PasswordAuthentication no~g' \
-e 's~^#PermitRootLogin yes~PermitRootLogin no~g' \
-e 's~^#UseDNS yes~UseDNS no~g' \
-e 's~^\(.*\)/usr/libexec/openssh/sftp-server$~\1internal-sftp~g' \
/etc/ssh/sshd_config

# -----------------------------------------------------------------------------
# Enable the wheel sudoers group
# -----------------------------------------------------------------------------
RUN sed -i \
-e 's~^# %wheel\tALL=(ALL)\tALL~%wheel\tALL=(ALL) ALL~g' \
-e 's~\(.*\) requiretty$~#\1requiretty~' \
/etc/sudoers

# -----------------------------------------------------------------------------
# Copy files into place
# -----------------------------------------------------------------------------
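Review bot: `easy_install 'supervisor == 3.3.5'` still pulls the package from PyPI at build time with only a version constraint and no hash check, and the removed comment explaining why the EPEL `supervisor` package is not used ("lacks /usr/bin/pidproxy") does not survive into the new header comment at the top of the file; keep that rationale in the header and, for the install itself, prefer a hash-checked install (`pip install --require-hashes`, which needs pip in the image) or vendor the sdist so the layer is reproducible. Folding the timezone, `sshd_config` and `sudoers` steps into one `RUN` is fine for layer count, but they are no longer separate cache steps, so a failure in the `sudoers` `sed` will be harder to isolate.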
@@ -90,40 +57,38 @@ ADD src/usr/sbin \
/usr/sbin/
ADD src/opt/scmi \
/opt/scmi/
ADD src/etc/systemd/system \
/etc/systemd/system/
ADD src/etc/services-config/ssh/authorized_keys \
src/etc/services-config/ssh/sshd-bootstrap.conf \
src/etc/services-config/ssh/sshd-bootstrap.env \
/etc/services-config/ssh/
ADD src/etc/services-config/supervisor/supervisord.conf \
/etc/services-config/supervisor/
ADD src/etc/services-config/supervisor/supervisord.d \
/etc/services-config/supervisor/supervisord.d/
ADD src/etc \
/etc/

RUN mkdir -p \
/etc/supervisord.d/ \
&& cp -pf \
/etc/ssh/sshd_config \
/etc/services-config/ssh/ \
&& ln -sf \
/etc/services-config/ssh/sshd_config \
# -----------------------------------------------------------------------------
# Provisioning
# - UTC Timezone
# - Networking
# - Configure SSH defaults for non-root public key authentication
# - Enable the wheel sudoers group
# - Replace placeholders with values in systemd service unit template
# - Set permissions
# -----------------------------------------------------------------------------
RUN ln -sf \
/usr/share/zoneinfo/UTC \
/etc/localtime \
&& echo "NETWORKING=yes" \
> /etc/sysconfig/network \
&& sed -i \
-e 's~^PasswordAuthentication yes~PasswordAuthentication no~g' \
-e 's~^#PermitRootLogin yes~PermitRootLogin no~g' \
-e 's~^#UseDNS yes~UseDNS no~g' \
-e 's~^\(.*\)/usr/libexec/openssh/sftp-server$~\1internal-sftp~g' \
/etc/ssh/sshd_config \
&& ln -sf \
/etc/services-config/ssh/sshd-bootstrap.conf \
/etc/sshd-bootstrap.conf \
&& ln -sf \
/etc/services-config/ssh/sshd-bootstrap.env \
/etc/sshd-bootstrap.env \
&& ln -sf \
/etc/services-config/supervisor/supervisord.conf \
/etc/supervisord.conf \
&& ln -sf \
/etc/services-config/supervisor/supervisord.d/sshd-wrapper.conf \
/etc/supervisord.d/sshd-wrapper.conf \
&& ln -sf \
/etc/services-config/supervisor/supervisord.d/sshd-bootstrap.conf \
/etc/supervisord.d/sshd-bootstrap.conf \
&& sed -i \
-e 's~^# %wheel\tALL=(ALL)\tALL~%wheel\tALL=(ALL) ALL~g' \
-e 's~\(.*\) requiretty$~#\1requiretty~' \
/etc/sudoers \
&& sed -i \
-e "s~{{RELEASE_VERSION}}~${RELEASE_VERSION}~g" \
/etc/systemd/system/[email protected] \
&& chmod 644 \
/etc/{sshd-bootstrap.{conf,env},supervisord.conf,supervisord.d/sshd-{bootstrap,wrapper}.conf} \
&& chmod 700 \
/usr/{bin/healthcheck,sbin/{scmi,sshd-{bootstrap,wrapper}}}

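Review bot: the `sudoers` edit (`sed -i ... /etc/sudoers`) is applied with no syntax check afterwards; add `&& visudo -cf /etc/sudoers` to the chain so the build fails if the pattern ever stops matching or produces a malformed file, instead of shipping an image in which sudo refuses every invocation at runtime. Two smaller points: `ADD src/etc /etc/` replaces the previous explicit per-file `ADD`s with a whole-tree copy, so anything placed under `src/etc` now lands in the image, and `COPY` is the better instruction here since no URL fetching or tar extraction is wanted. And `chmod 700` on `/usr/bin/healthcheck` only works because no `USER` instruction is set and the `HEALTHCHECK` therefore runs as root; note that in the comment so a later `USER` change does not silently break health reporting.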
@@ -146,12 +111,12 @@ ENV SSH_AUTHORIZED_KEYS="" \
SSH_USER_ID="500:500" \
SSH_USER_PASSWORD="" \
SSH_USER_PASSWORD_HASHED="false" \
SSH_USER_PRIVATE_KEY="" \
SSH_USER_SHELL="/bin/bash"

# -----------------------------------------------------------------------------
# Set image metadata
# -----------------------------------------------------------------------------
ARG RELEASE_VERSION="2.4.1"
LABEL \
maintainer="James Deathe <[email protected]>" \
install="docker run \
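Review bot: `SSH_USER_PRIVATE_KEY=""` introduces an environment variable that carries private key material; anything supplied through `ENV` or `-e` is shown by `docker inspect` and is inherited by every process supervisord starts, which is a wider exposure than the public-key inputs this image already takes. Document that in the README next to the new variable, and have the bootstrap script unset it after writing the key file (the hunk only shows the default). Dropping the duplicate `ARG RELEASE_VERSION="2.4.1"` here is correct now that the single declaration at the top of the file is the one used for both the `LABEL` block and the systemd unit.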
@@ -183,7 +148,7 @@ jdeathe/centos-ssh:${RELEASE_VERSION} \
org.deathe.description="CentOS-7 7.5.1804 x86_64 - SCL, EPEL and IUS Repositories / Supervisor / OpenSSH."

HEALTHCHECK \
--interval=0.5s \
--interval=1s \
--timeout=1s \
--retries=5 \
CMD ["/usr/bin/healthcheck"]
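Review bot: `--interval=1s` with `--timeout=1s` and `--retries=5` still means the health script (which this release extends with a supervisord check) is spawned every second for the whole life of the container, and a single second of slowness counts as a failed probe; unless the CI tests for `health_status` events genuinely need near-second transitions, a longer interval plus `--start-period` covering the bootstrap window gives the same end result with far less noise in the Docker events stream. The `org.deathe.description` label repeats the `CentOS-7 7.5.1804` string from the file header; deriving both from one place would keep them from drifting apart.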