diff --git a/.github/workflows/pr-check-build-che-code-image.yaml b/.github/workflows/pr-check-build-che-code-image.yaml index 7ebb8470bf2..89d2a4e0308 100644 --- a/.github/workflows/pr-check-build-che-code-image.yaml +++ b/.github/workflows/pr-check-build-che-code-image.yaml 
@@ -16,96 +16,96 @@ name: Pull Request Check
on: [pull_request]
jobs:
- build:
- name: build
- runs-on: ubuntu-22.04
- strategy:
- fail-fast: false
- matrix:
- dist: [ 'musl', 'libc' ]
- arch: ['amd64']
- steps:
-
- - name: Checkout che-code source code
- uses: actions/checkout@v3
-
- - name: Compile che-code
- run: |
- docker buildx build \
- --platform linux/${{matrix.arch}} \
- --progress=plain \
- -f build/dockerfiles/linux-${{matrix.dist}}.Dockerfile \
- -t linux-${{matrix.dist}}-${{matrix.arch}} .
-
- - name: Upload image
- uses: ishworkh/docker-image-artifact-upload@v1
- with:
- image: "linux-${{matrix.dist}}-${{matrix.arch}}"
-
- assemble:
- name: assemble
- runs-on: ubuntu-22.04
- needs: build
- steps:
-
- - name: Checkout che-code source code
- uses: actions/checkout@v3
-
- - name: Cleanup docker images
- run: |
- docker system prune -af
-
- - name: Download linux-libc-amd64 image
- uses: ishworkh/docker-image-artifact-download@v1
- with:
- image: "linux-libc-amd64"
-
- - name: Download linux-musl-amd64 image
- uses: ishworkh/docker-image-artifact-download@v1
- with:
- image: "linux-musl-amd64"
-
- - name: Login to Quay.io
- uses: docker/login-action@v2
- with:
- registry: quay.io
- username: ${{ secrets.QUAY_PULL_REQUESTS_USERNAME }}
- password: ${{ secrets.QUAY_PULL_REQUESTS_PASSWORD }}
-
- - name: Display docker images
- run: |
- docker images
-
- - name: Assemble che-code
- run: |
- PR_NUMBER="${{ github.event.number }}"
- echo "Pull request $PR_NUMBER"
-
- IMAGE_NAME="quay.io/che-incubator-pull-requests/che-code:pr-$PR_NUMBER-amd64"
- echo "_IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
-
- docker buildx build \
- --platform linux/amd64 \
- --progress=plain \
- --push \
- -f build/dockerfiles/assembly.Dockerfile \
- -t ${IMAGE_NAME} .
-
- - name: Display docker images (final)
- run: |
- docker images
-
- - name: 'Comment PR'
- uses: actions/github-script@v6
- with:
- script: |
- const { repo: { owner, repo } } = context;
- await github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: `Pull Request Che-Code image published:\nšŸ‘‰ [${process.env._IMAGE_NAME}](https://${process.env._IMAGE_NAME})`
- })
+ # build:
+ # name: build
+ # runs-on: ubuntu-22.04
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # dist: [ 'musl', 'libc' ]
+ # arch: ['amd64']
+ # steps:
+
+ # - name: Checkout che-code source code
+ # uses: actions/checkout@v3
+
+ # - name: Compile che-code
+ # run: |
+ # docker buildx build \
+ # --platform linux/${{matrix.arch}} \
+ # --progress=plain \
+ # -f build/dockerfiles/linux-${{matrix.dist}}.Dockerfile \
+ # -t linux-${{matrix.dist}}-${{matrix.arch}} .
+
+ # - name: Upload image
+ # uses: ishworkh/docker-image-artifact-upload@v1
+ # with:
+ # image: "linux-${{matrix.dist}}-${{matrix.arch}}"
+
+ # assemble:
+ # name: assemble
+ # runs-on: ubuntu-22.04
+ # needs: build
+ # steps:
+
+ # - name: Checkout che-code source code
+ # uses: actions/checkout@v3
+
+ # - name: Cleanup docker images
+ # run: |
+ # docker system prune -af
+
+ # - name: Download linux-libc-amd64 image
+ # uses: ishworkh/docker-image-artifact-download@v1
+ # with:
+ # image: "linux-libc-amd64"
+
+ # - name: Download linux-musl-amd64 image
+ # uses: ishworkh/docker-image-artifact-download@v1
+ # with:
+ # image: "linux-musl-amd64"
+
+ # - name: Login to Quay.io
+ # uses: docker/login-action@v2
+ # with:
+ # registry: quay.io
+ # username: ${{ secrets.QUAY_PULL_REQUESTS_USERNAME }}
+ # password: ${{ secrets.QUAY_PULL_REQUESTS_PASSWORD }}
+
+ # - name: Display docker images
+ # run: |
+ # docker images
+
+ # - name: Assemble che-code
+ # run: |
+ # PR_NUMBER="${{ github.event.number }}"
+ # echo "Pull request $PR_NUMBER"
+
+ #
IMAGE_NAME="quay.io/che-incubator-pull-requests/che-code:pr-$PR_NUMBER-amd64"
+ # echo "_IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
+
+ # docker buildx build \
+ # --platform linux/amd64 \
+ # --progress=plain \
+ # --push \
+ # -f build/dockerfiles/assembly.Dockerfile \
+ # -t ${IMAGE_NAME} .
+
+ # - name: Display docker images (final)
+ # run: |
+ # docker images
+
+ # - name: 'Comment PR'
+ # uses: actions/github-script@v6
+ # with:
+ # script: |
+ # const { repo: { owner, repo } } = context;
+ # await github.rest.issues.createComment({
+ # issue_number: context.issue.number,
+ # owner: context.repo.owner,
+ # repo: context.repo.repo,
+ # body: `Pull Request Che-Code image published:\nšŸ‘‰ [${process.env._IMAGE_NAME}](https://${process.env._IMAGE_NAME})`
+ # })
dev:
name: dev
@@ -135,7 +135,7 @@ jobs:
--platform linux/amd64 \
--progress=plain \
--push \
- -f build/dockerfiles/dev.Dockerfile \
+ -f build/dockerfiles/dev.ssh.Dockerfile \
-t ${DEV_IMAGE_NAME} .
- name: Display docker images
diff --git a/.github/workflows/smoke-test-pr-check.yaml b/.github/workflows/smoke-test-pr-check.yaml.disabled
similarity index 100%
rename from .github/workflows/smoke-test-pr-check.yaml
rename to .github/workflows/smoke-test-pr-check.yaml.disabled
diff --git a/build/dockerfiles/dev.ssh.Dockerfile b/build/dockerfiles/dev.ssh.Dockerfile
new file mode 100644
index 00000000000..31edfd23e66
--- /dev/null
+++ b/build/dockerfiles/dev.ssh.Dockerfile
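Review bot: The build and assemble jobs are kept as roughly ninety commented-out lines instead of being removed, so the YAML is no longer validated on push and references such as `secrets.QUAY_PULL_REQUESTS_USERNAME` will rot silently; git history already preserves the jobs. If they are meant to come back, either delete the block or keep the jobs live and gate them with a job-level `if: ${{ false }}` so the workflow still parses them. Together with the rename of `smoke-test-pr-check.yaml` to `.disabled` this looks like temporary wiring for this PR, so a one-line comment under `jobs:` saying why they are disabled and when they return would help the next reader.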
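Review bot: The dev job now builds `build/dockerfiles/dev.ssh.Dockerfile` but still pushes the result as `${DEV_IMAGE_NAME}`, so every consumer of the PR dev image silently receives an image with openssh-server, dropbear and pre-generated host keys instead of the plain dev image. If the ssh variant is only for exercising this PR, tag it separately (for example `-t ${DEV_IMAGE_NAME}-ssh`) or keep the `dev.Dockerfile` build and add the ssh build as a second step rather than replacing the default. The `run:` block this hunk belongs to starts outside the hunk.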
@@ -0,0 +1,70 @@
+# Copyright (c) 2022 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+FROM quay.io/devfile/universal-developer-image:latest
+
+USER 0
+
+RUN dnf -y install libsecret openssh-server dropbear && \
+ dnf -y clean all --enablerepo='*'
+
+# Follow the sample https://www.golinuxcloud.com/run-sshd-as-non-root-user-without-sudo/
+
+# Step 1. Generate SSH Host keys
+
+RUN mkdir /opt/ssh
+
+RUN ssh-keygen -q -N "" -t dsa -f /opt/ssh/ssh_host_dsa_key && \
+ ssh-keygen -q -N "" -t rsa -b 4096 -f /opt/ssh/ssh_host_rsa_key && \
+ ssh-keygen -q -N "" -t ecdsa -f /opt/ssh/ssh_host_ecdsa_key && \
+ ssh-keygen -q -N "" -t ed25519 -f /opt/ssh/ssh_host_ed25519_key
+
+RUN ls -l /opt/ssh/
+
+# Step 2. Configure SSHH as non-root user
+
+RUN cp /etc/ssh/sshd_config /opt/ssh/
+
+# Use a non-privileged port
+RUN sed -i 's|#Port 22|Port 2022|' /opt/ssh/sshd_config
+
+# provide the new path containing these host keys
+RUN sed -i 's|HostKey /etc/ssh/ssh_host_rsa_key|HostKey /opt/ssh/ssh_host_rsa_key|' /opt/ssh/sshd_config
+RUN sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|HostKey /opt/ssh/ssh_host_ecdsa_key|' /opt/ssh/sshd_config
+RUN sed -i 's|HostKey /etc/ssh/ssh_host_ed25519_key|HostKey /opt/ssh/ssh_host_ed25519_key|' /opt/ssh/sshd_config
+
+RUN sed -i 's|#PubkeyAuthentication yes|PubkeyAuthentication yes|' /opt/ssh/sshd_config
+RUN sed -i 's|AuthorizedKeysFile .ssh/authorized_keys|AuthorizedKeysFile /home/user/ssh/authorized_keys|' /opt/ssh/sshd_config
+
+# Enable DEBUG log.
You can ignore this but this may help you debug any issue while enabling SSHD for the first time
+RUN sed -i 's|#LogLevel INFO|LogLevel DEBUG3|' /opt/ssh/sshd_config
+
+RUN sed -i 's|#StrictModes yes|StrictModes=no|' /opt/ssh/sshd_config
+
+
+# Provide a path to store PID file which is accessible by normal user for write purpose
+RUN sed -i 's|#PidFile /var/run/sshd.pid|PidFile /opt/ssh/sshd.pid|' /opt/ssh/sshd_config
+
+RUN echo "account include base-account" > /etc/pam.d/sshd.pam
+
+
+# Add script to start and stop the service
+COPY --chown=0:0 /build/sshd.start /
+COPY --chown=0:0 /build/sshd.connect /
+
+
+# Step 4. Fix permissions
+RUN chmod 644 /opt/ssh/*
+RUN chmod 664 /opt/ssh/sshd_config
+RUN chown -R user:root /opt/ssh/
+
+RUN chmod 774 /opt/ssh
+
+EXPOSE 2022
+
+USER 10001
diff --git a/build/sshd.connect b/build/sshd.connect
new file mode 100755
index 00000000000..412978ef6d7
--- /dev/null
+++ b/build/sshd.connect
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+rm -rf /home/user/.ssh
+mkdir -p /home/user/.ssh
+
+ssh -l user -p 2022 -i /home/user/ssh/host_ed25519_key 127.0.0.1
diff --git a/build/sshd.start b/build/sshd.start
new file mode 100755
index 00000000000..8069718ae1c
--- /dev/null
+++ b/build/sshd.start
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# should prepare ssh keys
+rm -rf /home/user/ssh
+mkdir -p /home/user/ssh
+ssh-keygen -q -N "" -t ed25519 -f /home/user/ssh/host_ed25519_key
+cp /home/user/ssh/host_ed25519_key.pub /home/user/ssh/authorized_keys
+
+# start
+/usr/sbin/sshd -D -f /opt/ssh/sshd_config -E /tmp/sshd.log
+
+# stop
+# /usr/sbin/sshd -t -f /opt/ssh/sshd_config -E /tmp/sshd.log
diff --git a/devfile.pr-327.yaml b/devfile.pr-327.yaml
new file mode 100644
index 00000000000..d2685211c43
--- /dev/null
+++ b/devfile.pr-327.yaml
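Review bot: The host private keys under /opt/ssh are generated at build time, so they live in an image layer and are identical in every container started from the image, and `RUN chmod 644 /opt/ssh/*` then makes them readable by every user in the container; sshd normally refuses a host key that is readable by others, so it may not load them at all. Generate the host keys at container start instead (sshd.start already creates a writable `/home/user/ssh`), or at minimum follow the chmod with `RUN chmod 600 /opt/ssh/ssh_host_*_key`. The `-t dsa` key is never named by a `HostKey` line and can go, `dropbear` is installed but nothing in the diff uses it, and `LogLevel DEBUG3` together with `StrictModes=no` are first-time debugging settings that should not ship in the default image (DEBUG3 is very verbose and StrictModes=no drops the ownership/permission check on `authorized_keys`). `RUN ls -l /opt/ssh/` is a leftover debug layer, and the step comments jump from 2 to 4.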
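Review bot: `rm -rf /home/user/.ssh` deletes the developer's real `~/.ssh` (their own keys, config and known_hosts) on every connect; if the purpose is to avoid a stale host-key entry for 127.0.0.1, give the client its own known_hosts file instead and drop the `rm -rf`/`mkdir -p` pair: `ssh -l user -p 2022 -i /home/user/ssh/host_ed25519_key -o UserKnownHostsFile=/home/user/ssh/known_hosts 127.0.0.1`. The identity file is named `host_ed25519_key` although it is the client key (its `.pub` becomes `authorized_keys` in sshd.start), so a name such as `client_ed25519_key` would keep it apart from the sshd host keys under /opt/ssh.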
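Review bot: The command kept under `# stop` does not stop anything: `sshd -t` only tests the configuration given with `-f` and exits, so the comment should show the real stop, e.g. `# kill "$(cat /opt/ssh/sshd.pid)"`, which uses the PidFile the Dockerfile points at /opt/ssh/sshd.pid. `rm -rf /home/user/ssh` also throws away any `authorized_keys` entries added since the last start; generating the key only when it is missing (`[ -f /home/user/ssh/host_ed25519_key ] || ssh-keygen -q -N "" -t ed25519 -f /home/user/ssh/host_ed25519_key`) and appending the `.pub` to authorized_keys would make restarts idempotent. A `set -e` after the shebang would prevent sshd from starting with an empty authorized_keys when ssh-keygen fails.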
@@ -0,0 +1,45 @@
+#
+# Copyright (c) 2022 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+schemaVersion: 2.1.0
+metadata:
+ name: ssh-test
+
+projects:
+ - name: recommended-extensions-sample
+ git:
+ remotes:
+ origin: https://github.com/vitaliy-guliy/recommended-extensions-sample
+ checkoutFrom:
+ revision: master
+
+components:
+
+ - name: dev
+ container:
+ image: quay.io/che-incubator-pull-requests/che-code-dev:pr-327-dev-amd64
+ memoryLimit: 8Gi
+ memoryRequest: 512Mi
+ cpuRequest: 500m
+ cpuLimit: 3500m
+ endpoints:
+ - exposure: public
+ name: dev
+ secure: true
+ protocol: http
+ targetPort: 8000
+
+ - exposure: public
+ name: sshd
+ targetPort: 2022
+ protocol: tcp
+
+ - name: projects
+ volume:
+ size: 7Gi
diff --git a/devfile.yaml b/devfile.yaml
index 14479042904..ccd7c79b7cc 100644
--- a/devfile.yaml
+++ b/devfile.yaml
@@ -10,6 +10,7 @@ schemaVersion: 2.1.0 metadata: name: che-code + components: - name: dev
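Review bot: The `sshd` endpoint is `exposure: public` with `protocol: tcp` and, unlike the `dev` endpoint, carries no `secure: true`, so the container's sshd on 2022 is routed outside the workspace while the only client in this diff (sshd.connect) talks to 127.0.0.1; `exposure: internal` (or `none`) covers the loopback test and keeps the daemon off the public route. The file name, the `pr-327-dev-amd64` image tag and the `master` revision of a personal sample repository suggest this devfile is a fixture for this PR rather than a maintained artifact; if it is meant to stay, a header comment stating its purpose and a stable image reference would help, otherwise it is better left out of the commit.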