Keep ssh config #158

Closed

yablacky commented Sep 4, 2020

The -p prepare option is very useful to reduce the size of the shrunk image.
Unfortunately, it removes ssh host keys, after which it is not possible to connect to a running image with ssh.

Removing host keys renders the shrunk image incompatible compared to the original unshrunk image.
Host keys are not garbage and should not by default be removed like temp files, logs etc.

This pull request adds functionality to prepare without removing host keys.
The existing option -p is changed and will no longer remove host keys.
The new option -P prepares with removing host keys like -p did before.

framps (Contributor) commented Sep 4, 2020

LGTM 👍

cpascual commented Oct 20, 2022

AFAICT, the main use case for -P would be for images intended for distribution and/or "cloning" purposes, while -p would be used for "private" images (e.g. backups) in which one wishes to maintain the identity of the machine after restoring.

In that case, maybe we should also remove /etc/machine-id when -P is used?

From the docs:

The machine ID is usually generated from a random source during system installation or first boot and stays constant for all subsequent boots.

(...) This ID uniquely identifies the host. It should be considered "confidential", and must not be exposed in untrusted environments, in particular on the network.

(...) For operating system images which are created once and used on multiple machines (...), /etc/machine-id should be either missing or an empty file in the generic file system image

Note this:

If /etc/machine-id does not exist, this is a first boot

(...) units with ConditionFirstBoot=yes will be run.

... so if ConditionFirstBoot=yes triggers generation of ssh host keys (I haven't checked), this would solve the issue of regenerating the host keys that affects the usage of -P (#224, #176, #51)

@cpascual

if ConditionFirstBoot=yes triggers generation of ssh host keys

I just checked (I added echo "uninitialized" > $mountdir/etc/machine-id to the code of the -P option) and it works fine to force a regeneration of the machine-id, but it does not trigger regeneration of the host keys.
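
As an added example (not part of this pull request or of the project's code), the shell functions below check an unpacked image root for the two identity items discussed in this thread: SSH host keys and /etc/machine-id. The function names are hypothetical; the example assumes the root filesystem is mounted at a directory and that host keys are in the standard OpenSSH location etc/ssh/ssh_host_*_key.

```shell
#!/bin/sh
# Added example: report identity material left in a mounted image root.
# Usage (after sourcing): audit_image_identity /path/to/mounted/rootfs
# Assumption: OpenSSH private host keys are named etc/ssh/ssh_host_*_key.

# Prints the state of etc/machine-id: missing | empty | uninitialized | set.
# The ID itself is never printed, since the docs quoted above call it confidential.
machine_id_state() {
    f="$1/etc/machine-id"
    if [ ! -e "$f" ]; then
        echo "missing"
    elif [ ! -s "$f" ]; then
        echo "empty"
    elif [ "$(tr -d '[:space:]' < "$f")" = "uninitialized" ]; then
        echo "uninitialized"
    else
        echo "set"
    fi
}

# Prints the number of private host key files (the .pub files are not counted).
count_host_keys() {
    n=0
    for k in "$1"/etc/ssh/ssh_host_*_key; do
        # With no match the glob stays literal, so test that the file exists.
        if [ -e "$k" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Prints a one-line summary. Returns 0 when the image carries no fixed
# identity (no host keys, machine-id not set), 1 when it still does.
audit_image_identity() {
    root="$1"
    keys=$(count_host_keys "$root")
    mid=$(machine_id_state "$root")
    echo "hostkeys=$keys machine-id=$mid"
    if [ "$keys" -eq 0 ] && [ "$mid" != "set" ]; then
        return 0
    fi
    return 1
}
```

A return status of 0 only says the image has no fixed identity; as noted in the comment above, it says nothing about whether host keys will be regenerated on first boot.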

Drewsif (Owner) commented Feb 14, 2023

I'm going to consider this out of scope. Any attempts to clean up images have resulted in unintended errors for users. See #256 for more details.

@Drewsif Drewsif closed this Feb 14, 2023