

add make clean-kssh to actually delete all config files when the se…
…rvice is stopped (#96)
mmou authored Apr 28, 2020
1 parent 4cfae45 commit 3fc2ba1
Showing 5 changed files with 36 additions and 5 deletions.
2 changes: 2 additions & 0 deletions .gitignore
@@ -3,6 +3,8 @@ keybaseca.config
nohup.out
env.list
__pycache__
**/.mypy_cache/
tests/env.sh

# sphinx generated files:
_build
1 change: 1 addition & 0 deletions docker/Dockerfile-ca
@@ -44,6 +44,7 @@ COPY --from=builder --chown=keybase:keybase /bot-sshca/bin/keybaseca bin/
# copy in entrypoint scripts
COPY --chown=keybase:keybase ./docker/entrypoint-generate.sh ./
COPY --chown=keybase:keybase ./docker/entrypoint-server.sh ./
COPY --chown=keybase:keybase ./docker/entrypoint-cleanup.sh ./

# Run container as root but only to be able to chown the Docker bind-mount,
# then immediatetly step down to the keybase user via sudo in the entrypoint scripts
12 changes: 8 additions & 4 deletions docker/Makefile
@@ -21,7 +21,7 @@ endif

# Generate a new CA key
generate: env-file-exists build
docker run -e FORCE_WRITE=$(FORCE_WRITE) --env-file ./env.list -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-generate.sh
docker run --init -e FORCE_WRITE=$(FORCE_WRITE) --env-file ./env.list -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-generate.sh
@echo -e "\nRun these commands on each server that you wish to use with the CA chatbot\n"
@echo "useradd developer && mkdir -p /home/developer && chown developer:developer /home/developer # The user that will be used for non-root logins"
@echo "echo \"`cat $(CURDIR)/example-keybaseca-volume/keybase-ca-key.pub`\" > /etc/ssh/ca.pub"
@@ -33,17 +33,21 @@ generate: env-file-exists build

# Start the CA chatbot in the background
serve: env-file-exists ca-key-exists
docker run -d --restart unless-stopped --env-file ./env.list -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-server.sh
docker run -d --init --restart unless-stopped --env-file ./env.list -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-server.sh
@echo 'Started CA bot service in the background... Use `docker ps` and `docker logs` to monitor it'

# Stop the service
stop:
stop: clean-kssh
docker kill `docker ps -q --filter ancestor=ca`

# Restart the service (useful if you updated env.list)
restart: stop serve

# Wipe all data
# Delete all kssh config files
clean-kssh: env-file-exists
docker run --init -e FORCE_WRITE=$(FORCE_WRITE) --env-file ./env.list -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-cleanup.sh

# Delete all CA data
clean: confirm-clean reset-permissions
@# Sudo since it is likely owned by another use since it was written from a docker container
sudo rm -rf example-keybaseca-volume/keybaseca*
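Review bot: The wipe in `clean-kssh` runs before the service is actually stopped, because `stop: clean-kssh` makes it a prerequisite and Make runs prerequisites before the `docker kill` in stop's recipe, so the cleanup container deletes configs from the same volume while the serve container is still up and anything the bot writes in that window presumably survives. The same applies to `restart: stop serve`, which now wipes every kssh config each time it is used to pick up an env.list change, and its comment should say so. I would make the order explicit instead: drop the prerequisite, keep the `docker kill` line as the first recipe line of `stop`, and add `$(MAKE) clean-kssh` as the second, and give the one-shot cleanup `docker run` a `--rm` so each invocation does not leave an exited container behind. Whether wiping with the server running is harmless depends on the bot's write pattern, which this Makefile does not show.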
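--- /dev/null
+++ b/docker/entrypoint-cleanup.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+# chown as root
+chown -R keybase:keybase /mnt
+
+# Run everything else as the keybase user
+sudo -i -u keybase bash << EOF
+export "FORCE_WRITE=$FORCE_WRITE"
+export "KEYBASE_USERNAME=$KEYBASE_USERNAME"
+export "KEYBASE_PAPERKEY=$KEYBASE_PAPERKEY"
+nohup bash -c "KEYBASE_RUN_MODE=prod kbfsfuse /keybase | grep -v 'ERROR Mounting the filesystem failed' &"
+sleep ${KEYBASE_TIMEOUT:-5}
+keybase oneshot
+bin/keybaseca --wipe-all-configs
+sleep ${KEYBASE_TIMEOUT:-5}
+EOF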
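Review bot: The heredoc body passed to `sudo -i -u keybase bash << EOF` runs in a fresh shell that does not inherit the `set -euo pipefail` from line 2, so a failing `keybase oneshot` or `bin/keybaseca --wipe-all-configs` is ignored and the container, and therefore `make clean-kssh`, still exits 0 after the trailing sleep. Add `set -euo pipefail` as the first line inside the heredoc. Separately, because the delimiter is unquoted, the paper key and the two other variables are interpolated by the root shell into the script text before the inner `export` runs, so a value containing `"` or `$` breaks the export line and the secret travels as script source rather than as an environment variable. If sudoers allows it, passing them on the sudo command line, e.g. `sudo -i -u keybase KEYBASE_PAPERKEY="$KEYBASE_PAPERKEY" KEYBASE_USERNAME="$KEYBASE_USERNAME" FORCE_WRITE="$FORCE_WRITE" bash <<'EOF'`, with a quoted delimiter avoids both problems.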
8 changes: 7 additions & 1 deletion src/cmd/keybaseca/keybaseca.go
@@ -42,7 +42,7 @@ func main() {
cli.BoolFlag{
Name: "wipe-all-configs",
Hidden: true,
Usage: "Used in the integration tests to clean all client configs from KBFS",
Usage: "Clean all client configs the CA Keybase user can find from KBFS",
},
cli.BoolFlag{
Name: "wipe-logs",
@@ -214,6 +214,8 @@ func mainAction(c *cli.Context) error {
semaphore := sync.WaitGroup{}
semaphore.Add(len(teams))
boundChan := make(chan interface{}, shared.BoundedParallelismLimit)
teamsFound := []string{}
teamsFoundMutex := sync.Mutex{}
for _, team := range teams {
go func(team string) {
// Blocks until there is room in boundChan
@@ -226,6 +228,9 @@ func mainAction(c *cli.Context) error {
if err != nil {
fmt.Printf("%v\n", err)
}
teamsFoundMutex.Lock()
teamsFound = append(teamsFound, team)
teamsFoundMutex.Unlock()
}
semaphore.Done()

@@ -234,6 +239,7 @@ func mainAction(c *cli.Context) error {
}(team)
}
semaphore.Wait()
fmt.Printf("Deleted configs found in these teams: %+v\n", teamsFound)
case c.Bool("wipe-logs"):
conf, err := loadServerConfig()
if err != nil {
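Review bot: The append to `teamsFound` added after the `if err != nil { fmt.Printf(...) }` block runs on the error path as well, so the summary printed after `semaphore.Wait()` reports "Deleted configs found in these teams" for teams whose deletion returned an error, and since that error is only printed nothing else signals the failure to the cleanup entrypoint that invokes this flag. I would record a team only on success, `if err != nil { fmt.Printf("%v\n", err) } else { teamsFoundMutex.Lock(); teamsFound = append(teamsFound, team); teamsFoundMutex.Unlock() }`, and consider returning a non-nil error from the `wipe-all-configs` case when any team failed. The call that produces `err`, and the rest of mainAction, are outside the hunk, so the error case may be filtered earlier than what is shown here.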
