added ssh support for Windows VMs (#8)
Родитель
a92a0bba8d
Коммит
61fdec1429
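--- a/parts/vars.t
+++ b/parts/vars.t
@@ -70,6 +70,20 @@
 "sourceAddressPrefix": "*"
 },
 "name": "rdp"
+},
+{
+"properties": {
+"priority": 210,
+"access": "Allow",
+"direction": "Inbound",
+"destinationPortRange": "22",
+"sourcePortRange": "*",
+"destinationAddressPrefix": "*",
+"protocol": "Tcp",
+"description": "Allow SSH",
+"sourceAddressPrefix": "*"
+},
+"name": "ssh"
 }
 ],
 "securityRules": "[if(equals(parameters('osImageName'), 'WindowsServer_2016'), variables('windowsSecurityRules'), variables('linuxSecurityRules'))]",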
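Review bot: The new `ssh` rule at priority 210 opens inbound TCP/22 from `"sourceAddressPrefix": "*"`, i.e. from any Internet address, and it lands in the Windows rule set unconditionally even though the custom-data script skips the OpenSSH install when no public key is supplied, so key-less deployments get an open port with nothing behind it. Restrict the source to the operator's range, for example through a template parameter such as `"sourceAddressPrefix": "[parameters('sshSourceAddressPrefix')]"` (defaulting to the current `*` only if backward compatibility demands it), and consider gating the rule on the key being present. The existing `rdp` rule's `*` source is pre-existing and not part of this change, but together the two rules expose both remote-access ports to every source.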
|
|
|
@ -2,6 +2,68 @@
|
||||||
mkdir c:/tmp
|
mkdir c:/tmp
|
||||||
cd c:/tmp
|
cd c:/tmp
|
||||||
|
|
||||||
|
function InstallOpenSSH()
|
||||||
|
{
|
||||||
|
$sshPubKey = "SSH_PUB_KEY"
|
||||||
|
if (!$sshPubKey) {
|
||||||
|
Write-Output "SSH public key is omitted. Skipping OpenSSH installation."
|
||||||
|
return
|
||||||
|
}
|
||||||
|
Write-Output "Installing OpenSSH"
|
||||||
|
|
||||||
|
try {
|
||||||
|
$rslt = ( get-service | where { $_.name -like "sshd" } )
|
||||||
|
if ($rslt.count -eq 0) {
|
||||||
|
$list = (Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Server*')
|
||||||
|
if ($list) {
|
||||||
|
Add-WindowsCapability -Online -Name $list.Name
|
||||||
|
Install-Module -Force OpenSSHUtils
|
||||||
|
} else {
|
||||||
|
$open_ssh_uri = "https://github.com/PowerShell/Win32-OpenSSH/releases/download/v7.7.2.0p1-Beta/OpenSSH-Win64.zip"
|
||||||
|
$open_ssh_file = "C:/tmp/OpenSSH-Win64.zip"
|
||||||
|
& curl.exe -L -o $open_ssh_file $open_ssh_uri
|
||||||
|
& 7z x $open_ssh_file -oC:/tmp
|
||||||
|
c:/tmp/OpenSSH-Win64/install-sshd.ps1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Start-Service sshd
|
||||||
|
& netsh advfirewall firewall add rule name="SSH TCP Port 22" dir=in action=allow protocol=TCP localport=22
|
||||||
|
|
||||||
|
Write-Output "Creating authorized key"
|
||||||
|
$path = "C:\AzureData\authorized_keys"
|
||||||
|
Set-Content -Path $path -Value $sshPubKey -Encoding Ascii
|
||||||
|
|
||||||
|
(Get-Content C:\ProgramData\ssh\sshd_config) -replace "AuthorizedKeysFile(\s+).ssh/authorized_keys", "AuthorizedKeysFile $path" | Set-Content C:\ProgramData\ssh\sshd_config
|
||||||
|
$acl = Get-Acl -Path $path
|
||||||
|
$acl.SetAccessRuleProtection($True, $True)
|
||||||
|
$acl | Set-Acl -Path $path
|
||||||
|
|
||||||
|
$acl = Get-Acl -Path $path
|
||||||
|
$rules = $acl.Access
|
||||||
|
$usersToRemove = @("Everyone","BUILTIN\Users","NT AUTHORITY\Authenticated Users")
|
||||||
|
foreach ($u in $usersToRemove) {
|
||||||
|
$targetrule = $rules | where IdentityReference -eq $u
|
||||||
|
if ($targetrule) {
|
||||||
|
$acl.RemoveAccessRule($targetrule)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$acl | Set-Acl -Path $path
|
||||||
|
|
||||||
|
Restart-Service sshd
|
||||||
|
|
||||||
|
$sshStartCmd = "C:\AzureData\OpenSSHStart.ps1"
|
||||||
|
Set-Content -Path $sshStartCmd -Value "Start-Service sshd"
|
||||||
|
|
||||||
|
& schtasks.exe /CREATE /F /SC ONSTART /RU SYSTEM /RL HIGHEST /TN "SSH start" /TR "powershell.exe -ExecutionPolicy Bypass -File $sshStartCmd"
|
||||||
|
if ($LASTEXITCODE -ne 0) {
|
||||||
|
throw "Failed to add scheduled task $sshStartCmd"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
Write-Output "OpenSSH install failed: $_"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
##
|
##
|
||||||
# Install git not only for git but also mingw64 including curl
|
# Install git not only for git but also mingw64 including curl
|
||||||
#
|
#
|
||||||
|
@ -24,6 +86,9 @@ $seven_zip_file = "c:/tmp/7z1805-x64.msi"
|
||||||
& curl.exe -o $seven_zip_file $seven_zip_uri
|
& curl.exe -o $seven_zip_file $seven_zip_uri
|
||||||
Start-Process -Wait -FilePath $seven_zip_file -ArgumentList " /quiet /passive"
|
Start-Process -Wait -FilePath $seven_zip_file -ArgumentList " /quiet /passive"
|
||||||
|
|
||||||
|
# Install OpenSSH
|
||||||
|
InstallOpenSSH
|
||||||
|
|
||||||
# Install the intel sgx drivers
|
# Install the intel sgx drivers
|
||||||
& curl.exe -o "c:/tmp/sgx_base.cab" "http://download.windowsupdate.com/d/msdownload/update/driver/drvs/2018/01/af564f2c-2bc5-43be-a863-437a5a0008cb_61e7ba0c2e17c87caf4d5d3cdf1f35f6be462b38.cab"
|
& curl.exe -o "c:/tmp/sgx_base.cab" "http://download.windowsupdate.com/d/msdownload/update/driver/drvs/2018/01/af564f2c-2bc5-43be-a863-437a5a0008cb_61e7ba0c2e17c87caf4d5d3cdf1f35f6be462b38.cab"
|
||||||
& 7z x c:/tmp/sgx_base.cab -o"c:/tmp/sgx_base" -y
|
& 7z x c:/tmp/sgx_base.cab -o"c:/tmp/sgx_base" -y
|
||||||
|
@ -87,5 +152,3 @@ $ocaml_uri = "http://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/2016011
|
||||||
& 7z x $ocaml_file -o"c:/Program Files/ocpwin64"
|
& 7z x $ocaml_file -o"c:/Program Files/ocpwin64"
|
||||||
pushd "C:\Program Files\ocpwin64\4.02.1+ocp1-msvc64-20160113\bin"
|
pushd "C:\Program Files\ocpwin64\4.02.1+ocp1-msvc64-20160113\bin"
|
||||||
& ./ocpwin -in
|
& ./ocpwin -in
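Review bot: `OpenSSHStart.ps1` is written to `C:\AzureData` with a plain `Set-Content` and no ACL hardening, then registered via `schtasks.exe /CREATE ... /RU SYSTEM /RL HIGHEST` to run with `-ExecutionPolicy Bypass` at every boot; if that directory inherits the default root ACL (which the explicit removal of `Everyone`, `BUILTIN\Users` and `NT AUTHORITY\Authenticated Users` from `authorized_keys` a few lines earlier suggests), any local user can edit the script and obtain SYSTEM on the next restart. The task is also unnecessary: `Set-Service sshd -StartupType Automatic` next to `Start-Service sshd` gives the same persistence without a SYSTEM-run script on disk. Two further points in the same function: the `catch` only writes `OpenSSH install failed: $_` and returns normally, so a failed install still leaves the template's port-22 rule open with a missing or half-configured sshd — rethrow or fail the provisioning step instead; and the fallback `curl.exe -L` download of the `v7.7.2.0p1-Beta` zip is not pinned — compare a `Get-FileHash` SHA-256 against a known value before running `install-sshd.ps1`. `InstallOpenSSH` is complete within the hunk; the surrounding script continues outside it.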
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -51,6 +51,7 @@ type CustomNodesDNS struct {
|
||||||
type WindowsProfile struct {
|
type WindowsProfile struct {
|
||||||
AdminUsername string `json:"adminUsername"`
|
AdminUsername string `json:"adminUsername"`
|
||||||
AdminPassword string `json:"adminPassword"`
|
AdminPassword string `json:"adminPassword"`
|
||||||
|
SSHPubKey string `json:"sshPublicKey"`
|
||||||
ImageVersion string `json:"imageVersion"`
|
ImageVersion string `json:"imageVersion"`
|
||||||
WindowsImageSourceURL string `json:"windowsImageSourceURL"`
|
WindowsImageSourceURL string `json:"windowsImageSourceURL"`
|
||||||
WindowsPublisher string `json:"windowsPublisher"`
|
WindowsPublisher string `json:"windowsPublisher"`
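Review bot: The new exported field `SSHPubKey` has no doc comment, and nothing in the type records that its value is substituted verbatim into the Windows custom-data script (the `SSH_PUB_KEY` placeholder in the template generator), so callers get no hint that it must be a single-line OpenSSH public key. Suggest `// SSHPubKey is the OpenSSH-format public key (e.g. "ssh-rsa AAAA... comment") installed as authorized_keys on Windows VMs; it is pasted verbatim into the provisioning script, so it must be one line with no quotes.` Validation of the value belongs next to the existing `AdminUsername`/`AdminPassword` checks, which are outside this hunk. The `WindowsProfile` struct is complete within the hunk as shown.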
|
||||||
|
|
|
@ -6,6 +6,7 @@ import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"runtime/debug"
|
"runtime/debug"
|
||||||
|
"strings"
|
||||||
"text/template"
|
"text/template"
|
||||||
|
|
||||||
"github.com/Microsoft/oe-engine/pkg/api"
|
"github.com/Microsoft/oe-engine/pkg/api"
|
||||||
|
@ -136,11 +137,10 @@ func (t *TemplateGenerator) getTemplateFuncMap(cs *api.OpenEnclave) template.Fun
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// this should never happen and this is a bug
|
// this should never happen and this is a bug
|
||||||
panic(fmt.Sprintf("BUG: %s", err.Error()))
|
panic(fmt.Sprintf("BUG: %s", err.Error()))
|
||||||
} else {
|
}
|
||||||
//fmt.Printf(" get windows custom data from asset %s\n", b);
|
|
||||||
}
|
|
||||||
csStr := string(b)
|
csStr := string(b)
|
||||||
return getBase64CustomScriptFromStr(csStr)
|
csStr = strings.Replace(csStr, "SSH_PUB_KEY", cs.Properties.WindowsProfile.SSHPubKey, -1)
|
||||||
|
return getBase64CustomScriptFromStr(csStr)
|
||||||
},
|
},
|
||||||
"GetAllowedVMSizes": func() string {
|
"GetAllowedVMSizes": func() string {
|
||||||
return api.GetAllowedVMSizes()
|
return api.GetAllowedVMSizes()
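Review bot: `csStr = strings.Replace(csStr, "SSH_PUB_KEY", cs.Properties.WindowsProfile.SSHPubKey, -1)` splices user-supplied input into what the custom-data script treats as a PowerShell double-quoted string literal (`$sshPubKey = "SSH_PUB_KEY"`), so a value containing a double quote, `$`, the backtick escape character or a line break terminates the literal and the remainder executes as part of the provisioning script. Validate the key before substitution — for example require `len(strings.Fields(key)) >= 2`, that `base64.StdEncoding.DecodeString(fields[1])` succeeds, and that no field contains `"`, `$`, a backtick or CR/LF — or escape it for a PowerShell double-quoted string, and report a failure rather than emitting the template. If this func can run for a spec without a Windows profile, the `cs.Properties.WindowsProfile` dereference also panics, so a nil check belongs in front of it. `getTemplateFuncMap` starts before the hunk and continues after it.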
|
||||||
|
|