Merge branch 'development'

.travis.yml

@@ -1,7 +1,6 @@
 language: python
 sudo: true
 python:
-- 2.6
 - 2.7
 - 3.3
 - 3.4

README.md

@@ -236,30 +236,32 @@ that do not override user configuration during package update.
 
 The following are valid user configuration options.
 
-Section           | Option               | Value
------------------ | -------------------- | -----
-Accounts          | deprovision\_remove   | `true` makes deprovisioning a user destructive.
-Accounts          | groups               | Comma separated list of groups for newly provisioned users.
-Accounts          | useradd\_cmd          | Command string to create a new user.
-Accounts          | userdel\_cmd          | Command string to delete a user.
-Accounts          | usermod\_cmd          | Command string to modify a user's groups.
-Accounts          | groupadd\_cmd         | Command string to create a new group.
-Daemons           | accounts\_daemon      | `false` disables the accounts daemon.
+Section           | Option                 | Value
+----------------- | ---------------------- | -----
+Accounts          | deprovision\_remove    | `true` makes deprovisioning a user destructive.
+Accounts          | groups                 | Comma separated list of groups for newly provisioned users.
+Accounts          | useradd\_cmd           | Command string to create a new user.
+Accounts          | userdel\_cmd           | Command string to delete a user.
+Accounts          | usermod\_cmd           | Command string to modify a user's groups.
+Accounts          | groupadd\_cmd          | Command string to create a new group.
+Daemons           | accounts\_daemon       | `false` disables the accounts daemon.
 Daemons           | clock\_skew\_daemon    | `false` disables the clock skew daemon.
 Daemons           | ip\_forwarding\_daemon | `false` disables the IP forwarding daemon.
+InstanceSetup     | host\_key\_types       | Comma separated list of host key types to generate.
 InstanceSetup     | optimize\_local\_ssd   | `false` prevents optimizing for local SSD.
-InstanceSetup     | network\_enabled      | `false` skips instance setup functions that require metadata.
+InstanceSetup     | network\_enabled       | `false` skips instance setup functions that require metadata.
 InstanceSetup     | set\_boto\_config      | `false` skips setting up a `boto` config.
 InstanceSetup     | set\_host\_keys        | `false` skips generating host keys on first boot.
-InstanceSetup     | set\_multiqueue       | `false` skips multiqueue driver support.
+InstanceSetup     | set\_multiqueue        | `false` skips multiqueue driver support.
 IpForwarding      | ethernet\_proto\_id    | Protocol ID string for daemon added routes.
-IpForwarding      | ip\_aliases           | `false` disables setting up alias IP routes.
+IpForwarding      | ip\_aliases            | `false` disables setting up alias IP routes.
 IpForwarding      | target\_instance\_ips  | `false` disables internal IP address load balancing.
-MetadataScripts   | run\_dir              | String base directory where metadata scripts are executed.
-MetadataScripts   | startup              | `false` disables startup script execution.
-MetadataScripts   | shutdown             | `false` disables shutdown script execution.
-NetworkInterfaces | dhcp\_command         | String to execute to enable network interfaces.
-NetworkInterfaces | setup                | `false` disables network interface setup.
+MetadataScripts   | run\_dir               | String base directory where metadata scripts are executed.
+MetadataScripts   | startup                | `false` disables startup script execution.
+MetadataScripts   | shutdown               | `false` disables shutdown script execution.
+NetworkInterfaces | dhclient\_script       | String path to a dhclient script used by dhclient.
+NetworkInterfaces | dhcp\_command          | String to execute to enable network interfaces.
+NetworkInterfaces | setup                  | `false` disables network interface setup.
 
 Setting `network_enabled` to `false` will skip setting up host keys and the
 `boto` config in the guest. The setting may also prevent startup and shutdown

debian/changelog

@@ -1,3 +1,10 @@
+google-compute-image-packages (2.7.2-1) stable; urgency=low
+
+  * Generate SSH host keys when none are present.
+  * Improve logging when activating OS Login.
+
+ -- Google Cloud Team <gc-team@google.com>  Wed, 29 Nov 2017 12:00:00 -0700
+
 google-compute-image-packages (2.7.1-1) stable; urgency=low
 
   * Update set_hostname file name to prevent conflict.

debian/control

@@ -27,7 +27,7 @@ Depends: google-compute-engine-oslogin,
          ${misc:Depends},
          python-google-compute-engine (= ${source:Version}),
          python3-google-compute-engine (= ${source:Version}),
-         chrony | ntp | time-daemon,
+         chrony | ntp | time-daemon | systemd,
          systemd
 Recommends: google-cloud-sdk
 Conflicts: google-compute-engine-jessie,

google_compute_engine/accounts/oslogin_utils.py

@@ -82,9 +82,9 @@ def UpdateOsLogin(self, enable):
 
     if enable:
       action = 'activate'
-      self.logger.warning('Activating OS Login.')
+      self.logger.info('Activating OS Login.')
     else:
       action = 'deactivate'
-      self.logger.warning('Deactivating OS Login.')
+      self.logger.info('Deactivating OS Login.')
 
     return self._RunOsLoginControl(action)

google_compute_engine/accounts/tests/oslogin_utils_test.py

@@ -128,7 +128,7 @@ def testUpdateOsLoginActivate(self):
     oslogin_utils.OsLoginUtils.UpdateOsLogin(self.mock_oslogin, True)
     expected_calls = [
         mock.call.oslogin._GetStatus(),
-        mock.call.logger.warning(mock.ANY),
+        mock.call.logger.info(mock.ANY),
         mock.call.oslogin._RunOsLoginControl('activate'),
     ]
     self.assertEqual(mocks.mock_calls, expected_calls)
@@ -143,7 +143,7 @@ def testUpdateOsLoginDeactivate(self):
     oslogin_utils.OsLoginUtils.UpdateOsLogin(self.mock_oslogin, False)
     expected_calls = [
         mock.call.oslogin._GetStatus(),
-        mock.call.logger.warning(mock.ANY),
+        mock.call.logger.info(mock.ANY),
         mock.call.oslogin._RunOsLoginControl('deactivate'),
     ]
     self.assertEqual(mocks.mock_calls, expected_calls)

google_compute_engine/instance_setup/instance_config.py

@@ -72,6 +72,7 @@ class InstanceConfig(config_manager.ConfigManager):
           'instance_id': '0',
       },
       'InstanceSetup': {
+          'host_key_types': 'ecdsa,ed25519,rsa',
           'optimize_local_ssd': 'true',
           'network_enabled': 'true',
           'set_boto_config': 'true',

google_compute_engine/instance_setup/instance_setup.py

@@ -27,7 +27,6 @@
 from google_compute_engine import file_utils
 from google_compute_engine import logger
 from google_compute_engine import metadata_watcher
-
 from google_compute_engine.boto import boto_config
 from google_compute_engine.instance_setup import instance_config
 
@@ -55,7 +54,9 @@ def __init__(self, debug=False):
       self.instance_config = instance_config.InstanceConfig(
           logger=self.logger, instance_config_metadata=instance_config_metadata)
       if self.instance_config.GetOptionBool('InstanceSetup', 'set_host_keys'):
-        self._SetSshHostKeys()
+        host_key_types = self.instance_config.GetOptionString(
+            'InstanceSetup', 'host_key_types')
+        self._SetSshHostKeys(host_key_types=host_key_types)
       if self.instance_config.GetOptionBool('InstanceSetup', 'set_boto_config'):
         self._SetupBotoConfig()
     if self.instance_config.GetOptionBool(
@@ -155,13 +156,16 @@ def _StartSshd(self):
       subprocess.call(['service', 'sshd', 'start'])
       subprocess.call(['service', 'sshd', 'reload'])
 
-  def _SetSshHostKeys(self):
+  def _SetSshHostKeys(self, host_key_types=None):
     """Regenerates SSH host keys when the VM is restarted with a new IP address.
 
     Booting a VM from an image with a known SSH key allows a number of attacks.
     This function will regenerating the host key whenever the IP address
     changes. This applies the first time the instance is booted, and each time
     the disk is used to boot a new instance.
+
+    Args:
+      host_key_types: string, a comma separated list of host key types.
     """
     section = 'Instance'
     instance_id = self._GetInstanceId()
@@ -171,7 +175,9 @@ def _SetSshHostKeys(self):
       file_regex = re.compile(r'ssh_host_(?P<type>[a-z0-9]*)_key\Z')
       key_dir = '/etc/ssh'
       key_files = [f for f in os.listdir(key_dir) if file_regex.match(f)]
-      for key_file in key_files:
+      key_types = host_key_types.split(',') if host_key_types else []
+      key_types_files = ['ssh_host_%s_key' % key_type for key_type in key_types]
+      for key_file in set(key_files) | set(key_types_files):
         key_type = file_regex.match(key_file).group('type')
         key_dest = os.path.join(key_dir, key_file)
         self._GenerateSshKey(key_type, key_dest)

google_compute_engine/instance_setup/tests/instance_setup_test.py

@@ -49,6 +49,7 @@ def testInstanceSetup(self, mock_logger, mock_watcher, mock_config):
     mock_watcher.MetadataWatcher.return_value = mock_watcher_instance
     mock_config_instance = mock.Mock()
     mock_config_instance.GetOptionBool.return_value = True
+    mock_config_instance.GetOptionString.return_value = 'type'
     mock_config.InstanceConfig.return_value = mock_config_instance
     mock_setup._GetInstanceConfig.return_value = 'config'
 
@@ -70,7 +71,9 @@ def testInstanceSetup(self, mock_logger, mock_watcher, mock_config):
         # Setup for SSH host keys if necessary.
         mock.call.config.InstanceConfig().GetOptionBool(
             'InstanceSetup', 'set_host_keys'),
-        mock.call.setup._SetSshHostKeys(),
+        mock.call.config.InstanceConfig().GetOptionString(
+            'InstanceSetup', 'host_key_types'),
+        mock.call.setup._SetSshHostKeys(host_key_types='type'),
         # Setup for the boto config if necessary.
         mock.call.config.InstanceConfig().GetOptionBool(
             'InstanceSetup', 'set_boto_config'),
@@ -325,21 +328,23 @@ def testSetSshHostKeysFirstBoot(self, mock_listdir):
     self.mock_setup._GenerateSshKey = mock_generate_key
     mock_listdir.return_value = [
         'ssh_config',
-        'ssh_host_rsa_key',
+        'ssh_host_dsa_key',
         'ssh_host_dsa_key.pub',
         'ssh_host_ed25519_key',
         'ssh_host_ed25519_key.pub',
         'ssh_host_rsa_key',
         'ssh_host_rsa_key.pub',
     ]
 
-    instance_setup.InstanceSetup._SetSshHostKeys(self.mock_setup)
+    instance_setup.InstanceSetup._SetSshHostKeys(
+        self.mock_setup, host_key_types='rsa,dsa,abc')
     expected_calls = [
-        mock.call('rsa', '/etc/ssh/ssh_host_rsa_key'),
+        mock.call('abc', '/etc/ssh/ssh_host_abc_key'),
+        mock.call('dsa', '/etc/ssh/ssh_host_dsa_key'),
         mock.call('ed25519', '/etc/ssh/ssh_host_ed25519_key'),
         mock.call('rsa', '/etc/ssh/ssh_host_rsa_key'),
     ]
-    self.assertEqual(mock_generate_key.mock_calls, expected_calls)
+    self.assertEqual(sorted(mock_generate_key.mock_calls), expected_calls)
     self.mock_instance_config.SetOption.assert_called_once_with(
         'Instance', 'instance_id', '123')
 

google_compute_engine/ip_forwarding/ip_forwarding_daemon.py

@@ -36,7 +36,6 @@
 from google_compute_engine import logger
 from google_compute_engine import metadata_watcher
 from google_compute_engine import network_utils
-
 from google_compute_engine.ip_forwarding import ip_forwarding_utils
 
 LOCKFILE = constants.LOCALSTATEDIR + '/lock/google_ip_forwarding.lock'

google_compute_engine/metadata_scripts/script_manager.py

@@ -23,7 +23,6 @@
 
 from google_compute_engine import config_manager
 from google_compute_engine import logger
-
 from google_compute_engine.metadata_scripts import script_executor
 from google_compute_engine.metadata_scripts import script_retriever
 

google_compute_engine_oslogin/Makefile

@@ -4,18 +4,21 @@ BASENAME = oslogin
 NAME = google-compute-engine-$(BASENAME)
 MAJOR = 1
 MINOR = 1
-REVISION = 1
+REVISION = 2
 
 NSS_LIBRARY_NAME = libnss_$(NAME)-$(MAJOR).$(MINOR).$(REVISION).so
 NSS_LIBRARY_SONAME = libnss_$(BASENAME).so.2
 NSS_INSTALL_PATH = /lib
 PAM_INSTALL_PATH = /lib/security
 AUTHKEYS_INSTALL_PATH = /usr/bin
 
+JSON_INCLUDE_PATH = /usr/include/json-c
+INCLUDE_FLAGS = -I$(JSON_INCLUDE_PATH)
+
 CXX = g++
 CXXFLAGS += -fPIC# -Wall
-PAMFLAGS = $(LDFLAGS) -shared
-NSSFLAGS = $(LDFLAGS) -shared -Wl,-soname,$(NSS_LIBRARY_SONAME)
+PAMFLAGS = $(LDFLAGS) $(INCLUDE_FLAGS) -shared
+NSSFLAGS = $(LDFLAGS) $(INCLUDE_FLAGS) -shared -Wl,-soname,$(NSS_LIBRARY_SONAME)
 
 # UTILS
 UTILS_DIR = utils
@@ -86,10 +89,10 @@ $(PAM_ADMIN_OBJ): $(PAM_ADMIN_SRC)
 	$(CXX) $(CXXFLAGS) -c $(PAM_ADMIN_SRC) -o $(PAM_ADMIN_OBJ)
 
 $(AUTHKEYS_BIN): $(AUTHKEYS_SRC) $(UTILS_SRC)
-	$(CXX) $(LDFLAGS) -o $(AUTHKEYS_BIN) $(AUTHKEYS_SRC) $(UTILS_SRC) $(LIBS)
+	$(CXX) $(LDFLAGS) $(INCLUDE_FLAGS) -o $(AUTHKEYS_BIN) $(AUTHKEYS_SRC) $(UTILS_SRC) $(LIBS)
 
 $(UTILS): $(UTILS_SRC)
-	$(CXX) $(CXXFLAGS) -c $(UTILS_SRC) -o $(UTILS)
+	$(CXX) $(CXXFLAGS) $(INCLUDE_FLAGS) -c $(UTILS_SRC) -o $(UTILS)
 
 $(SELINUX_MOD_FILE): $(SELINUX_MODULE_SRC)
 	checkmodule -M -m -o $(SELINUX_MOD_FILE) $(SELINUX_MODULE_SRC)

google_compute_engine_oslogin/bin/google_oslogin_control

@@ -85,9 +85,9 @@ add_to_nss_config() {
 
 add_to_pam_config() {
   remove_from_config ${pam_config}
-  sed -i "/pam_nologin.so/ a${added_comment}\n${pam_admin}" ${pam_config}.new
-  sed -i "/pam_nologin.so/ a${added_comment}\n${pam_login}" ${pam_config}.new
-  sed -i "/pam_selinux.so close/ a${pam_homedir}" ${pam_config}.new
+  sed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_admin}" ${pam_config}.new
+  sed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_login}" ${pam_config}.new
+  sed -i "/pam_loginuid.so/ a${added_comment}\n${pam_homedir}" ${pam_config}.new
 }
 
 restart_service() {

google_compute_engine_oslogin/packaging/debian8/changelog

@@ -1,3 +1,10 @@
+google-compute-engine-oslogin (1.1.2-1+deb8) unstable; urgency=low
+
+  * Fix parsing logic for expiration time on SSH public keys.
+  * Fix home directory creation PAM config.
+
+ -- MAINTAINER <gc-team@google.com>  Wed, 29 Nov 2017 12:00:00 -0700
+
 google-compute-engine-oslogin (1.1.1-1+deb8) unstable; urgency=low
 
   * Remove logging when checking OS Login status.

google_compute_engine_oslogin/packaging/debian8/google-compute-engine-oslogin.links

@@ -1 +1 @@
-/lib/libnss_google-compute-engine-oslogin-1.1.1.so /lib/libnss_oslogin.so.2
+/lib/libnss_google-compute-engine-oslogin-1.1.2.so /lib/libnss_oslogin.so.2

google_compute_engine_oslogin/packaging/debian9/changelog

@@ -1,3 +1,10 @@
+google-compute-engine-oslogin (1.1.2-1+deb9) unstable; urgency=low
+
+  * Fix parsing logic for expiration time on SSH public keys.
+  * Fix home directory creation PAM config.
+
+ -- MAINTAINER <gc-team@google.com>  Wed, 29 Nov 2017 12:00:00 -0700
+
 google-compute-engine-oslogin (1.1.1-1+deb9) unstable; urgency=low
 
   * Remove logging when checking OS Login status.

google_compute_engine_oslogin/packaging/debian9/google-compute-engine-oslogin.links

@@ -1 +1 @@
-/lib/libnss_google-compute-engine-oslogin-1.1.1.so /lib/libnss_oslogin.so.2
+/lib/libnss_google-compute-engine-oslogin-1.1.2.so /lib/libnss_oslogin.so.2

google_compute_engine_oslogin/packaging/rpmbuild/SPECS/google-compute-engine-oslogin.spec

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 Name:           google-compute-engine-oslogin
-Version:        1.1.1
+Version:        1.1.2
 Release:        1%{?dist}
 Summary:        OS Login Functionality for Google Compute Engine
 

google_compute_engine_oslogin/packaging/setup_deb.sh

@@ -20,7 +20,7 @@
 
 # Run from the top of the source directory.
 NAME="google-compute-engine-oslogin"
-VERSION="1.1.1"
+VERSION="1.1.2"
 
 working_dir=${PWD}
 

google_compute_engine_oslogin/packaging/setup_rpm.sh

@@ -20,7 +20,7 @@
 
 # Run from the top of the source directory.
 NAME="google-compute-engine-oslogin"
-VERSION="1.1.1"
+VERSION="1.1.2"
 
 working_dir=${PWD}
 rpm_working_dir=/tmp/rpmpackage/${NAME}-${VERSION}

google_compute_engine_oslogin/utils/oslogin_utils.cc

@@ -15,7 +15,7 @@
 // Requires libcurl4-openssl-dev libjson0 and libjson0-dev
 #include <curl/curl.h>
 #include <errno.h>
-#include <json-c/json.h>
+#include <json.h>
 #include <stdio.h>
 #include <time.h>
 #include <cstring>
@@ -279,7 +279,7 @@ std::vector<string> ParseJsonToSshKeys(string response) {
         }
         key_to_add = (char*)json_object_get_string(val);
       }
-      if (string_key == "expiration_time_usec") {
+      if (string_key == "expirationTimeUsec") {
         if (val_type == json_type_int || val_type == json_type_string) {
           uint64_t expiry_usec = (uint64_t)json_object_get_int64(val);
           struct timeval tp;

google_compute_engine_oslogin/utils/oslogin_utils_test.cc

@@ -372,7 +372,7 @@ TEST(ParseJsonSshKeyTest, ParseJsonToSshKeysFiltersExpiredKeys) {
   string test_user =
       "{\"loginProfiles\":[{\"name\":\"foo@example.com\",\"sshPublicKeys\":"
       "{\"fingerprint\": {\"key\": \"test_key\"}, \"fingerprint2\": {\"key\": "
-      "\"test_key2\", \"expiration_time_usec\": 0}}}]}";
+      "\"test_key2\", \"expirationTimeUsec\": 0}}}]}";
 
   size_t buflen = 200;
   char* buffer = (char*)malloc(buflen * sizeof(char));
@@ -388,7 +388,7 @@ TEST(ParseJsonSshKeyTest, ParseJsonToSshKeysFiltersMalformedExpiration) {
   string test_user =
       "{\"loginProfiles\":[{\"name\":\"foo@example.com\",\"sshPublicKeys\":"
       "{\"fingerprint\": {\"key\": \"test_key\"}, \"fingerprint2\": {\"key\": "
-      "\"test_key2\", \"expiration_time_usec\": \"bad_stuff\"}}}]}";
+      "\"test_key2\", \"expirationTimeUsec\": \"bad_stuff\"}}}]}";
 
   size_t buflen = 200;
   char* buffer = (char*)malloc(buflen * sizeof(char));

google_compute_engine_oslogin/utils/run_tests.sh

@@ -14,6 +14,6 @@
 # limitations under the License.
 
 # Unit tests require gtest to be installed.
-g++ -o test_runner oslogin_utils_test.cc oslogin_utils.cc -lcurl -ljson -lgtest -lpthread
+g++ -o test_runner oslogin_utils_test.cc oslogin_utils.cc -I/usr/include/json-c -lcurl -ljson -lgtest -lpthread
 ./test_runner
 rm ./test_runner

setup.py

@@ -32,7 +32,7 @@
     packages=setuptools.find_packages(),
     scripts=glob.glob('scripts/*'),
     url='https://github.com/GoogleCloudPlatform/compute-image-packages',
-    version='2.7.1',
+    version='2.7.2',
     # Entry points create scripts in /usr/bin that call a function.
     entry_points={
         'console_scripts': [