Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

install: Add support for --root-ssh-authorized-keys #296

Merged
merged 2 commits into from
Feb 5, 2024
Merged

install: Add support for --root-ssh-authorized-keys #296

merged 2 commits into from
Feb 5, 2024

Commits on Feb 2, 2024

  1. install: Rename clashing variable 

    I will need to access the outer `state` here in a later PR.

Signed-off-by: Colin Walters <walters@verbum.org>
    @cgwalters
    cgwalters committed Feb 2, 2024
    Configuration menu
    Copy the full SHA
    fe1d470 View commit details
    Browse the repository at this point in the history

  2. install: Add support for --root-ssh-authorized-keys 

    The current `bootc install` model is VERY opinionated: we install
the running container image to disk, and that is (almost!) it.

The only non-container out of band state that we support injecting right now
is kargs (via `--karg`) - we know we need this for machine local
kernel arguments.

(We do have a current outstanding PR to add a highly generic mechanism
 to inject arbitrary files in `/etc`, but I want to think about that more)

THis current strict stance is quite painful for
a use case like "take a generic container image and bootc install to-filesystem --alongside"
in a cloud environment, because the generic container may not
have cloud-init.

With this change it becomes extremely convenient to:

- Boot generic cloud image (e.g. AMI with apt/dnf + cloud-init)
- cloud-init fetches SSH keys from hypervisor (instance metadata)
- podman run -v /root/.ssh/authorized_keys:/keys:ro <image> bootc install ... --root-ssh-authorized-keys=/keys`

And then the instance will carry forward those hypervisor-provided
keys but without a dependency on cloud-init.

Another use case for this of course is being the backend of things
like Anaconda's kickstart verbs which support injecting SSH keys.

Signed-off-by: Colin Walters <walters@verbum.org>
    @cgwalters
    cgwalters committed Feb 2, 2024
    Configuration menu
    Copy the full SHA
    e477e4f View commit details
    Browse the repository at this point in the history