From 1e0b6d2aa995646bb9326dbb7f1871566a385ad4 Mon Sep 17 00:00:00 2001
From: Vlastimil Holer
Date: Thu, 23 Apr 2020 19:37:27 +0200
Subject: [PATCH] F #2152: Add OpenNebula SSH agent support (#4597)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Petr OspalĂ˝
Co-authored-by: Petr OspalĂ˝
---
 .../roles/opennebula-ssh/defaults/main.yml | 3 +++
 .../opennebula-ssh/tasks/deploy_local.yml | 12 +++++++++-
 .../systemd/opennebula-ssh-agent.service | 23 +++++++++++++++++++
 .../pkgs/services/systemd/opennebula.service | 3 +++
 src/mad/sh/scripts_common.sh | 4 ++--
 5 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 share/pkgs/services/systemd/opennebula-ssh-agent.service

diff --git a/share/oneprovision/ansible/roles/opennebula-ssh/defaults/main.yml b/share/oneprovision/ansible/roles/opennebula-ssh/defaults/main.yml
index 35338c6324..9a14032e9c 100644
--- a/share/oneprovision/ansible/roles/opennebula-ssh/defaults/main.yml
+++ b/share/oneprovision/ansible/roles/opennebula-ssh/defaults/main.yml
@@ -11,3 +11,6 @@ opennebula_ssh_sshd_permitrootlogin: 'without-password'
 
 # Deploy local oneadmin's SSH key to remote host
 opennebula_ssh_deploy_local: True
+
+# Deploy local oneadmin's SSH private key to remote host
+opennebula_ssh_deploy_private_key: False
diff --git a/share/oneprovision/ansible/roles/opennebula-ssh/tasks/deploy_local.yml b/share/oneprovision/ansible/roles/opennebula-ssh/tasks/deploy_local.yml
index c7f3c1270d..e2dbb27c7d 100644
--- a/share/oneprovision/ansible/roles/opennebula-ssh/tasks/deploy_local.yml
+++ b/share/oneprovision/ansible/roles/opennebula-ssh/tasks/deploy_local.yml
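Review bot: The comment on the new `opennebula_ssh_deploy_private_key` default says what the switch does but not why it is off, and this is the setting that decides whether every provisioned host receives a credential valid as oneadmin wherever the matching public key is installed. Suggest `# Deploy local oneadmin's SSH private key to remote host. Off by default: a copied key lets any compromised host authenticate as oneadmin to every host and front-end trusting that key; the rest of this change forwards the front-end's SSH agent for hosts that need onward SSH instead.` The value keeps the file's existing `True`/`False` spelling; yamllint's truthy rule would want `true`/`false`, but that is a file-wide change rather than something to fix in this line alone.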
@@ -26,6 +26,16 @@
     group: 9869
     mode: "{{ item.mode }}"
   with_items:
-    - { name: 'id_rsa', mode: '0600' }
     - { name: 'id_rsa.pub', mode: '0644' }
     - { name: 'known_hosts', mode: '0644' }
+
+- name: Copy local private SSH keys
+  copy:
+    src: /var/lib/one/.ssh/{{ item.name }}
+    dest: /var/lib/one/.ssh/{{ item.name }}
+    owner: 9869
+    group: 9869
+    mode: "{{ item.mode }}"
+  with_items:
+    - { name: 'id_rsa', mode: '0600' }
+  when: opennebula_ssh_deploy_private_key == True
diff --git a/share/pkgs/services/systemd/opennebula-ssh-agent.service b/share/pkgs/services/systemd/opennebula-ssh-agent.service
new file mode 100644
index 0000000000..b9d50c2a5e
--- /dev/null
+++ b/share/pkgs/services/systemd/opennebula-ssh-agent.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=OpenNebula SSH agent
+
+[Service]
+Type=forking
+Group=oneadmin
+User=oneadmin
+Environment=SSH_AUTH_SOCK=/run/one/ssh-agent.sock
+# ssh-agent is executed via shell wrapper to workaround a SELinux issue
+ExecStartPre=/bin/sh -c "echo SSH_AUTH_SOCK=$SSH_AUTH_SOCK > /run/one/ssh-agent.env"
+ExecStart=/bin/sh -c "exec /usr/bin/ssh-agent -a $SSH_AUTH_SOCK"
+ExecStartPost=/bin/sh -c "/usr/bin/ssh-add"
+ExecStopPost=/usr/bin/rm -f /run/one/ssh-agent.env
+ExecReload=/bin/sh -c "/usr/bin/ssh-add -D && /usr/bin/ssh-add"
+Restart=on-failure
+# NOTE: ssh-agent returns "2" as the exit code on SIGTERM or on termination via:
+# SSH_AGENT_PID=??? ssh-agent -k
+# without this following directive the "systemctl stop" would fail and cleanup
+# (ExecStopPost) would not be triggered...
+SuccessExitStatus=2
+
+[Install]
+WantedBy=default.target
diff --git a/share/pkgs/services/systemd/opennebula.service b/share/pkgs/services/systemd/opennebula.service
index 9c9c41e41b..b0a931c2ca 100644
--- a/share/pkgs/services/systemd/opennebula.service
+++ b/share/pkgs/services/systemd/opennebula.service
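Review bot: The new "Copy local private SSH keys" task has no `no_log`, so an `ansible-playbook --diff` or verbose run prints the content of `/var/lib/one/.ssh/id_rsa` as the task's file diff whenever the key on the host differs from the controller's. Suggest adding `no_log: true` to the task alongside `when:`. The guard `when: opennebula_ssh_deploy_private_key == True` only matches a real boolean, so a value supplied as `-e opennebula_ssh_deploy_private_key=true` is a string, never matches, and the key is silently not copied; the Ansible idiom `when: opennebula_ssh_deploy_private_key | bool` accepts both forms. The task list this hunk extends starts before the hunk.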
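Review bot: `ExecStartPost=/bin/sh -c "/usr/bin/ssh-add"` runs with no terminal attached, so if oneadmin's default identity has a passphrase ssh-add cannot prompt and fails, and since a failing ExecStartPost aborts the start the unit never comes up; nothing in the file says the key must be passphrase-less or which files get loaded. Suggest above that line: `# Loads oneadmin's default identities (~/.ssh/id_rsa etc.). The key must have no passphrase: there is no terminal to prompt on, and a failing ssh-add fails the unit start.` It is also worth stating next to `Environment=SSH_AUTH_SOCK=/run/one/ssh-agent.sock` that any process able to open that socket (oneadmin, root, or a remote host while the agent is forwarded) can sign with the loaded key without confirmation, because the scripts_common.sh change in this same commit forwards this agent on every driver SSH session. Whether `/run/one` exists before ExecStartPre writes into it is not established by this unit; presumably packaging creates it, which deserves a note too.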
@@ -2,12 +2,15 @@
 Description=OpenNebula Cloud Controller Daemon
 After=syslog.target network.target remote-fs.target
 After=mariadb.service mysql.service
+After=opennebula-ssh-agent.service
 Wants=opennebula-scheduler.service opennebula-hem.service
+Wants=opennebula-ssh-agent.service
 
 [Service]
 Type=notify
 Group=oneadmin
 User=oneadmin
+EnvironmentFile=-/run/one/ssh-agent.env
 ExecStartPre=-/usr/sbin/logrotate -f /etc/logrotate.d/opennebula -s /var/lib/one/.logrotate.status
 ExecStart=/usr/bin/oned -f
 ExecStopPost=/usr/share/one/follower_cleanup
diff --git a/src/mad/sh/scripts_common.sh b/src/mad/sh/scripts_common.sh
index 7660e77800..8db51d7126 100644
--- a/src/mad/sh/scripts_common.sh
+++ b/src/mad/sh/scripts_common.sh
@@ -45,9 +45,9 @@ RBD=${RBD:-rbd}
 READLINK=${READLINK:-readlink}
 RM=${RM:-rm}
 CP=${CP:-cp}
-SCP=${SCP:-scp}
+SCP=${SCP:-scp -o ForwardAgent=yes}
 SED=${SED:-sed}
-SSH=${SSH:-ssh}
+SSH=${SSH:-ssh -o ForwardAgent=yes}
 SUDO=${SUDO:-sudo -n}
 SYNC=${SYNC:-sync}
 TAR=${TAR:-tar}
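Review bot: `EnvironmentFile=-/run/one/ssh-agent.env` is optional (the leading `-`) and the agent is only `Wants=`-ed, so when opennebula-ssh-agent.service fails to start, oned still starts without `SSH_AUTH_SOCK` and the drivers fall back to whatever key is on disk; any operation that depended on the forwarded agent then fails later with an SSH error that does not point back to the agent unit. That is a defensible choice, but it should be written down: `# Optional on purpose: if the agent unit is down, oned still starts and the drivers use oneadmin's on-disk key; presumably host-to-host SSH then needs the key deployed to the hosts.` If the fallback is not wanted, `Requires=opennebula-ssh-agent.service` plus a non-optional `EnvironmentFile=` would surface the failure at start time instead.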
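Review bot: `SCP=${SCP:-scp -o ForwardAgent=yes}` hands the front-end's agent to the remote side of every file copy although a plain front-end-to-host copy never needs it: the remote scp server opens no onward connection, yet for the duration of the copy anything on that host running as the target user or root can use the forwarded socket to sign as oneadmin. Only a remote-to-remote copy (`scp h1:a h2:b` without `-3`), which relays through the first host, would need the agent; unless the drivers do that, leave `SCP=${SCP:-scp}` unchanged and forward only on `$SSH`. For `$SSH`, a command-line `-o` takes precedence over `~/.ssh/config` and `/etc/ssh/ssh_config`, so an administrator can no longer disable forwarding for selected hosts; `ForwardAgent yes` in oneadmin's ssh_config with per-`Host` overrides gives the same default while keeping that knob. A short comment above the two assignments saying that forwarding is what lets hosts SSH onward without a copied private key would also help the next reader.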