added ssh support for Windows VMs (#8)

dmitsh 2018-10-23 10:42:16 -07:00 коммит произвёл GitHub
Родитель a92a0bba8d
Коммит 61fdec1429
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
4 изменённых файлов: 84 добавлений и 6 удалений


@ -70,6 +70,20 @@
"sourceAddressPrefix": "*" "sourceAddressPrefix": "*"
}, },
"name": "rdp" "name": "rdp"
},
{
"properties": {
"priority": 210,
"access": "Allow",
"direction": "Inbound",
"destinationPortRange": "22",
"sourcePortRange": "*",
"destinationAddressPrefix": "*",
"protocol": "Tcp",
"description": "Allow SSH",
"sourceAddressPrefix": "*"
},
"name": "ssh"
} }
], ],
"securityRules": "[if(equals(parameters('osImageName'), 'WindowsServer_2016'), variables('windowsSecurityRules'), variables('linuxSecurityRules'))]", "securityRules": "[if(equals(parameters('osImageName'), 'WindowsServer_2016'), variables('windowsSecurityRules'), variables('linuxSecurityRules'))]",
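Review bot: The new `ssh` rule at priority 210 uses `"sourceAddressPrefix": "*"`, so once this lands every Windows VM built from this template accepts TCP/22 from any source address on the internet, with only the OpenSSH key check between it and a login. That matches the existing `rdp` rule above it, but SSH here is a new exposure and the template gives operators no knob to narrow it. Consider driving `sourceAddressPrefix` for both rules from a template parameter (a constructed name such as `sshSourceAddressPrefix`, defaulting to `*` to keep current behaviour) so a deployment can restrict it to an operator CIDR. A short `"description"` noting that the rule is only emitted for `WindowsServer_2016` (via the `securityRules` selector on the last line) would also help readers of the rendered NSG.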


@ -2,6 +2,68 @@
mkdir c:/tmp mkdir c:/tmp
cd c:/tmp cd c:/tmp
function InstallOpenSSH()
{
$sshPubKey = "SSH_PUB_KEY"
if (!$sshPubKey) {
Write-Output "SSH public key is omitted. Skipping OpenSSH installation."
return
}
Write-Output "Installing OpenSSH"
try {
$rslt = ( get-service | where { $_.name -like "sshd" } )
if ($rslt.count -eq 0) {
$list = (Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Server*')
if ($list) {
Add-WindowsCapability -Online -Name $list.Name
Install-Module -Force OpenSSHUtils
} else {
$open_ssh_uri = "https://github.com/PowerShell/Win32-OpenSSH/releases/download/v7.7.2.0p1-Beta/OpenSSH-Win64.zip"
$open_ssh_file = "C:/tmp/OpenSSH-Win64.zip"
& curl.exe -L -o $open_ssh_file $open_ssh_uri
& 7z x $open_ssh_file -oC:/tmp
c:/tmp/OpenSSH-Win64/install-sshd.ps1
}
}
Start-Service sshd
& netsh advfirewall firewall add rule name="SSH TCP Port 22" dir=in action=allow protocol=TCP localport=22
Write-Output "Creating authorized key"
$path = "C:\AzureData\authorized_keys"
Set-Content -Path $path -Value $sshPubKey -Encoding Ascii
(Get-Content C:\ProgramData\ssh\sshd_config) -replace "AuthorizedKeysFile(\s+).ssh/authorized_keys", "AuthorizedKeysFile $path" | Set-Content C:\ProgramData\ssh\sshd_config
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($True, $True)
$acl | Set-Acl -Path $path
$acl = Get-Acl -Path $path
$rules = $acl.Access
$usersToRemove = @("Everyone","BUILTIN\Users","NT AUTHORITY\Authenticated Users")
foreach ($u in $usersToRemove) {
$targetrule = $rules | where IdentityReference -eq $u
if ($targetrule) {
$acl.RemoveAccessRule($targetrule)
}
}
$acl | Set-Acl -Path $path
Restart-Service sshd
$sshStartCmd = "C:\AzureData\OpenSSHStart.ps1"
Set-Content -Path $sshStartCmd -Value "Start-Service sshd"
& schtasks.exe /CREATE /F /SC ONSTART /RU SYSTEM /RL HIGHEST /TN "SSH start" /TR "powershell.exe -ExecutionPolicy Bypass -File $sshStartCmd"
if ($LASTEXITCODE -ne 0) {
throw "Failed to add scheduled task $sshStartCmd"
}
}
catch {
Write-Output "OpenSSH install failed: $_"
}
}
## ##
# Install git not only for git but also mingw64 including curl # Install git not only for git but also mingw64 including curl
# #
@ -24,6 +86,9 @@ $seven_zip_file = "c:/tmp/7z1805-x64.msi"
& curl.exe -o $seven_zip_file $seven_zip_uri & curl.exe -o $seven_zip_file $seven_zip_uri
Start-Process -Wait -FilePath $seven_zip_file -ArgumentList " /quiet /passive" Start-Process -Wait -FilePath $seven_zip_file -ArgumentList " /quiet /passive"
# Install OpenSSH
InstallOpenSSH
# Install the intel sgx drivers # Install the intel sgx drivers
& curl.exe -o "c:/tmp/sgx_base.cab" "http://download.windowsupdate.com/d/msdownload/update/driver/drvs/2018/01/af564f2c-2bc5-43be-a863-437a5a0008cb_61e7ba0c2e17c87caf4d5d3cdf1f35f6be462b38.cab" & curl.exe -o "c:/tmp/sgx_base.cab" "http://download.windowsupdate.com/d/msdownload/update/driver/drvs/2018/01/af564f2c-2bc5-43be-a863-437a5a0008cb_61e7ba0c2e17c87caf4d5d3cdf1f35f6be462b38.cab"
& 7z x c:/tmp/sgx_base.cab -o"c:/tmp/sgx_base" -y & 7z x c:/tmp/sgx_base.cab -o"c:/tmp/sgx_base" -y
@ -87,5 +152,3 @@ $ocaml_uri = "http://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/2016011
& 7z x $ocaml_file -o"c:/Program Files/ocpwin64" & 7z x $ocaml_file -o"c:/Program Files/ocpwin64"
pushd "C:\Program Files\ocpwin64\4.02.1+ocp1-msvc64-20160113\bin" pushd "C:\Program Files\ocpwin64\4.02.1+ocp1-msvc64-20160113\bin"
& ./ocpwin -in & ./ocpwin -in
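Review bot: In the first hunk, the fallback branch of `InstallOpenSSH` downloads `OpenSSH-Win64.zip` from GitHub and immediately runs `install-sshd.ps1` from the extracted archive with no integrity check, so whatever `curl.exe` fetched is executed as the provisioning user; the `Get-WindowsCapability` branch is covered by Windows Update signing, but this one is not. Pinning the release asset's SHA-256 and verifying it with `Get-FileHash` before extraction closes that gap (rewrite sketched below, hash left as a placeholder to be filled from the release). Note that the surrounding `catch` at the end of the function only does `Write-Output "OpenSSH install failed: $_"`, so that throw, the existing `throw "Failed to add scheduled task ..."`, and any other failure are logged and the script carries on as if provisioning succeeded; re-throwing (`throw`) or at least exiting non-zero from the catch would make a broken sshd visible. Separately, the `-replace` on `sshd_config` rewrites only the line matching `.ssh/authorized_keys`; if the bundled default config also carries a `Match Group administrators` block with its own `AuthorizedKeysFile` (it does in some Win32-OpenSSH releases — please confirm against v7.7.2.0p1), an admin user's key in `C:\AzureData\authorized_keys` would be ignored.
```powershell
# … unchanged: Get-WindowsCapability branch …
} else {
    $open_ssh_uri = "https://github.com/PowerShell/Win32-OpenSSH/releases/download/v7.7.2.0p1-Beta/OpenSSH-Win64.zip"
    $open_ssh_file = "C:/tmp/OpenSSH-Win64.zip"
    # Expected SHA-256 of the pinned release asset; fill in from the release page.
    $open_ssh_sha256 = "<EXPECTED_SHA256_PLACEHOLDER>"
    & curl.exe -L -o $open_ssh_file $open_ssh_uri
    $actual_sha256 = (Get-FileHash -Path $open_ssh_file -Algorithm SHA256).Hash
    if ($actual_sha256 -ne $open_ssh_sha256) {
        throw "OpenSSH archive hash mismatch: got $actual_sha256"
    }
    & 7z x $open_ssh_file -oC:/tmp
    c:/tmp/OpenSSH-Win64/install-sshd.ps1
}
# … unchanged: Start-Service sshd, firewall rule, authorized_keys setup …
```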


@ -51,6 +51,7 @@ type CustomNodesDNS struct {
type WindowsProfile struct { type WindowsProfile struct {
AdminUsername string `json:"adminUsername"` AdminUsername string `json:"adminUsername"`
AdminPassword string `json:"adminPassword"` AdminPassword string `json:"adminPassword"`
SSHPubKey string `json:"sshPublicKey"`
ImageVersion string `json:"imageVersion"` ImageVersion string `json:"imageVersion"`
WindowsImageSourceURL string `json:"windowsImageSourceURL"` WindowsImageSourceURL string `json:"windowsImageSourceURL"`
WindowsPublisher string `json:"windowsPublisher"` WindowsPublisher string `json:"windowsPublisher"`
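Review bot: The new `SSHPubKey` field is the only undocumented field in this part of `WindowsProfile`, and nothing in the hunk shows where its contents are validated before they are templated into a PowerShell script. Add a doc comment such as `// SSHPubKey is the OpenSSH public key (single line, e.g. "ssh-rsa AAAA... comment") installed for AdminUsername on Windows VMs; optional.` and, in the API validation for this profile (outside this hunk), check that it is a single line in authorized_keys format, since the template code substitutes it verbatim.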


@ -6,6 +6,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"runtime/debug" "runtime/debug"
"strings"
"text/template" "text/template"
"github.com/Microsoft/oe-engine/pkg/api" "github.com/Microsoft/oe-engine/pkg/api"
@ -136,11 +137,10 @@ func (t *TemplateGenerator) getTemplateFuncMap(cs *api.OpenEnclave) template.Fun
if err != nil { if err != nil {
// this should never happen and this is a bug // this should never happen and this is a bug
panic(fmt.Sprintf("BUG: %s", err.Error())) panic(fmt.Sprintf("BUG: %s", err.Error()))
} else { }
//fmt.Printf(" get windows custom data from asset %s\n", b);
}
csStr := string(b) csStr := string(b)
return getBase64CustomScriptFromStr(csStr) csStr = strings.Replace(csStr, "SSH_PUB_KEY", cs.Properties.WindowsProfile.SSHPubKey, -1)
return getBase64CustomScriptFromStr(csStr)
}, },
"GetAllowedVMSizes": func() string { "GetAllowedVMSizes": func() string {
return api.GetAllowedVMSizes() return api.GetAllowedVMSizes()
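Review bot: In the second hunk, `strings.Replace(csStr, "SSH_PUB_KEY", cs.Properties.WindowsProfile.SSHPubKey, -1)` pastes the user-supplied key verbatim into the custom-data script, where it lands inside the double-quoted PowerShell literal `$sshPubKey = "SSH_PUB_KEY"`; a value containing `"`, a backtick, `$` or a newline terminates or expands that literal, so a crafted `sshPublicKey` in the API model becomes PowerShell executed during provisioning, and an honest key with a stray newline silently breaks the script. Encoding the key as base64 on the Go side and decoding it in the script (`[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String("SSH_PUB_KEY"))` at the `$sshPubKey` assignment, keeping the existing empty check) makes the substitution safe for any input; `encoding/base64` would then join the import block changed in the first hunk. If `WindowsProfile` is a pointer field, this line also dereferences it unconditionally where the old code did not touch it, so guard for nil (please confirm the field type). The enclosing closure starts outside the hunk.
```go
// … unchanged: asset load and BUG panic …
csStr := string(b)
// The key lands inside a double-quoted PowerShell string literal in the
// custom-data script; base64 keeps quotes, backticks, $ and newlines from
// breaking out of that literal. The script decodes it with
// [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(...)).
pubKey := base64.StdEncoding.EncodeToString([]byte(cs.Properties.WindowsProfile.SSHPubKey))
csStr = strings.Replace(csStr, "SSH_PUB_KEY", pubKey, -1)
return getBase64CustomScriptFromStr(csStr)
```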