Inject keys into systemvm.iso using bsdtar (related to #3536)

debian/control

@@ -9,7 +9,7 @@ Homepage: http://www.cloudstack.org/
 
 Package: cloudstack-common
 Architecture: all
-Depends: ${misc:Depends}, ${python3:Depends}, genisoimage, nfs-common, python3-pip, python3-distutils | python3-distutils-extra, python3-netaddr, uuid-runtime
+Depends: ${misc:Depends}, ${python:Depends}, genisoimage, nfs-common, bsdtar, python3-pip, python3-distutils | python3-distutils-extra, python3-netaddr, uuid-runtime
 Conflicts: cloud-scripts, cloud-utils, cloud-system-iso, cloud-console-proxy, cloud-daemonize, cloud-deps, cloud-python, cloud-setup
 Description: A common package which contains files which are shared by several CloudStack packages
 

packaging/centos7/cloud.spec

@@ -94,6 +94,7 @@ management, and intelligence in CloudStack.
 Summary: Apache CloudStack common files and scripts
 Requires: python
 Requires: python3
+Requires: bsdtar
 Requires: python3-pip
 Group:   System Environment/Libraries
 %description common

scripts/vm/systemvm/injectkeys.sh

@@ -6,9 +6,9 @@
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
-# 
+#
 #   http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
@@ -30,35 +30,32 @@ TMPDIR=${TMP}/cloud/systemvm
 umask 022
 
 clean_up() {
-  $SUDO umount $MOUNTPATH
+  rm -rf --preserve-root $MOUNTPATH
+}
+
+backup_iso() {
+  $SUDO cp -b ${systemvmpath} ${systemvmpath}.bak
 }
 
 inject_into_iso() {
   local isofile=${systemvmpath}
   local newpubkey=$2
-  local backup=${isofile}.bak
   local tmpiso=${TMP}/$1
-  mkdir -p $MOUNTPATH
+  rm -rf --preserve-root $MOUNTPATH
+  mkdir $MOUNTPATH
   [ ! -f $isofile ] && echo "$(basename $0): Could not find systemvm iso patch file $isofile" && return 1
-  $SUDO mount -o loop $isofile $MOUNTPATH 
-  [ $? -ne 0 ] && echo "$(basename $0): Failed to mount original iso $isofile" && clean_up && return 1
+  bsdtar -C $MOUNTPATH -xf $isofile
+  [ $? -ne 0 ] && echo "$(basename $0): Failed to extract original iso $isofile" && clean_up && return 1
   diff -q $MOUNTPATH/authorized_keys $newpubkey &> /dev/null && echo "New public key is the same as the one in the systemvm.iso, not injecting it, not modifying systemvm.iso" && clean_up && return 0
-  $SUDO cp -b $isofile $backup
+  backup_iso
   [ $? -ne 0 ] && echo "$(basename $0): Failed to backup original iso $isofile" && clean_up && return 1
-  rm -rf $TMPDIR
-  mkdir -p $TMPDIR
-  [ ! -d $TMPDIR  ] && echo "$(basename $0): Could not find/create temporary dir $TMPDIR" && clean_up && return 1
-  $SUDO cp -fr $MOUNTPATH/* $TMPDIR/
-  [ $? -ne 0 ] && echo "$(basename $0): Failed to copy from original iso $isofile" && clean_up && return 1
-  $SUDO cp $newpubkey $TMPDIR/authorized_keys
+  $SUDO cp $newpubkey $MOUNTPATH/authorized_keys
   [ $? -ne 0 ] && echo "$(basename $0): Failed to copy key $newpubkey from original iso to new iso " && clean_up && return 1
-  mkisofs -quiet -r -o $tmpiso $TMPDIR
-  [ $? -ne 0 ] && echo "$(basename $0): Failed to create new iso $tmpiso from $TMPDIR" && clean_up && return 1
-  $SUDO umount $MOUNTPATH
-  [ $? -ne 0 ] && echo "$(basename $0): Failed to unmount old iso from $MOUNTPATH" && return 1
+  mkisofs -quiet -r -o $tmpiso $MOUNTPATH
+  [ $? -ne 0 ] && echo "$(basename $0): Failed to create new iso $tmpiso from $MOUNTPATH" && clean_up && return 1
   $SUDO cp -f $tmpiso $isofile
   [ $? -ne 0 ] && echo "$(basename $0): Failed to overwrite old iso $isofile with $tmpiso" && return 1
-  rm -rf $TMPDIR
+  clean_up
 }
 
 copy_priv_key() {
@@ -74,7 +71,7 @@ then
    SUDO="sudo -n "
 fi
 
-$SUDO mkdir -p $MOUNTPATH
+mkdir -p $MOUNTPATH
 
 [ $# -ne 3 ] && echo "Usage: $(basename $0)  <new public key file> <new private key file> <systemvm iso path>" && exit 3
 newpubkey=$1
@@ -85,17 +82,8 @@ systemvmpath=$3
 
 command -v mkisofs > /dev/null   || (echo "$(basename $0): mkisofs not found, please install or ensure PATH is accurate" ; exit 4)
 
-# if running into Docker as unprivileges, skip ssh verification as iso cannot be mounted due to missing loop device.
-if [ -f /.dockerenv ]; then
-  if [ -e /dev/loop0 ]; then
-    # it's a docker instance with privileges.
-    inject_into_iso systemvm.iso $newpubkey
-    [ $? -ne 0 ] && exit 5
-    copy_priv_key $newprivkey
-  else
-    # this mean it's a docker instance, ssh key cannot be verify.
-    echo "We run inside Docker, skipping ssh key insertion in systemvm.iso"
-  fi
+if [ ! -x "$(command -v bsdtar)" ]; then
+  echo "bsdtar is unavailable. Skipping ssh key insertion in systemvm.iso"
 else
   inject_into_iso systemvm.iso $newpubkey
   [ $? -ne 0 ] && exit 5