waagent: enable provisioning

2023-11-08 20:50:26 +00:00 · 2023-11-08 20:50:26 +00:00 · bff548fef1
commit bff548fef1
parent e1cb1dc257
4 changed files with 38 additions and 42 deletions
--- a/nixos/modules/virtualisation/azure-agent.nix
+++ b/nixos/modules/virtualisation/azure-agent.nix
@ -61,7 +61,7 @@ in

        # Which provisioning agent to use. Supported values are "auto" (default), "waagent",
        # "cloud-init", or "disabled".
-        Provisioning.Agent=disabled
+        Provisioning.Agent=auto

        # Password authentication for root account will be unavailable.
        Provisioning.DeleteRootPassword=n
@ -246,7 +246,7 @@ in
        pkgs.bash

        # waagent's Microsoft.OSTCExtensions.VMAccessForLinux needs Python 3
-        pkgs.python3
+        pkgs.python39

        # waagent's Microsoft.CPlat.Core.RunCommandLinux needs lsof
        pkgs.lsof
@ -259,5 +259,10 @@ in
      };
    };

+    # waagent will generate files under /etc/sudoers.d during provisioning
+    security.sudo.extraConfig = ''
+      #includedir /etc/sudoers.d
+    '';
+
  };
 }
--- a/nixos/modules/virtualisation/azure-image.nix
+++ b/nixos/modules/virtualisation/azure-image.nix
@ -37,42 +37,5 @@ in
      inherit config lib pkgs;
    };

-    # Azure metadata is available as a CD-ROM drive.
-    fileSystems."/metadata".device = "/dev/sr0";
-
-    systemd.services.fetch-ssh-keys = {
-      description = "Fetch host keys and authorized_keys for root user";
-
-      wantedBy = [ "sshd.service" "waagent.service" ];
-      before = [ "sshd.service" "waagent.service" ];
-
-      path  = [ pkgs.coreutils ];
-      script =
-        ''
-          eval "$(cat /metadata/CustomData.bin)"
-          if ! [ -z "$ssh_host_ecdsa_key" ]; then
-            echo "downloaded ssh_host_ecdsa_key"
-            echo "$ssh_host_ecdsa_key" > /etc/ssh/ssh_host_ed25519_key
-            chmod 600 /etc/ssh/ssh_host_ed25519_key
-          fi
-
-          if ! [ -z "$ssh_host_ecdsa_key_pub" ]; then
-            echo "downloaded ssh_host_ecdsa_key_pub"
-            echo "$ssh_host_ecdsa_key_pub" > /etc/ssh/ssh_host_ed25519_key.pub
-            chmod 644 /etc/ssh/ssh_host_ed25519_key.pub
-          fi
-
-          if ! [ -z "$ssh_root_auth_key" ]; then
-            echo "downloaded ssh_root_auth_key"
-            mkdir -m 0700 -p /root/.ssh
-            echo "$ssh_root_auth_key" > /root/.ssh/authorized_keys
-            chmod 600 /root/.ssh/authorized_keys
-          fi
-        '';
-      serviceConfig.Type = "oneshot";
-      serviceConfig.RemainAfterExit = true;
-      serviceConfig.StandardError = "journal+console";
-      serviceConfig.StandardOutput = "journal+console";
-    };
  };
 }
--- a/pkgs/applications/networking/cluster/waagent/default.nix
+++ b/pkgs/applications/networking/cluster/waagent/default.nix
@ -10,7 +10,7 @@
  openssl,
  parted,
  procps, # for pidof,
-  python3,
+  python39, # the latest python version that waagent test against according to https://github.com/Azure/WALinuxAgent/blob/28345a55f9b21dae89472111635fd6e41809d958/.github/workflows/ci_pr.yml#L75
  shadow, # for useradd, usermod
  util-linux, # for (u)mount, fdisk, sfdisk, mkswap
 }:
@ -19,7 +19,7 @@ let
  inherit (lib) makeBinPath;

 in
-python3.pkgs.buildPythonPackage rec {
+python39.pkgs.buildPythonPackage rec {
  pname = "waagent";
  version = "2.8.0.11";
  src = fetchFromGitHub {
@ -28,9 +28,14 @@ python3.pkgs.buildPythonPackage rec {
    rev = "04ded9f0b708cfaf4f9b68eead1aef4cc4f32eeb";
    sha256 = "0fvjanvsz1zyzhbjr2alq5fnld43mdd776r2qid5jy5glzv0xbhf";
  };
+  patches = [
+    # Suppress the following error when waagent try to configure sshd:
+    # Read-only file system: '/etc/ssh/sshd_config'
+    ./dont-configure-sshd.patch
+  ];
  doCheck = false;

-  buildInputs = with python3.pkgs; [ distro ];
+  buildInputs = with python39.pkgs; [ distro ];
  runtimeDeps = [
    findutils
    gnugrep
--- a/pkgs/applications/networking/cluster/waagent/dont-configure-sshd.patch
+++ b/pkgs/applications/networking/cluster/waagent/dont-configure-sshd.patch
@ -0,0 +1,23 @@
+From 383e7c826906baedcd12ae7c20a4a5d4b32b104a Mon Sep 17 00:00:00 2001
+From: "Yang, Bo" <bo@preemo.io>
+Date: Wed, 8 Nov 2023 23:08:07 +0000
+Subject: [PATCH] Don't configure sshd
+
+---
+ azurelinuxagent/pa/provision/default.py | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/azurelinuxagent/pa/provision/default.py b/azurelinuxagent/pa/provision/default.py
+index 91fe04edab..48edf01490 100644
+--- a/azurelinuxagent/pa/provision/default.py
+++ b/azurelinuxagent/pa/provision/default.py
+@@ -237,9 +237,6 @@ def config_user_account(self, ovfenv):
+         self.osutil.conf_sudoer(ovfenv.username,
+                                 nopasswd=ovfenv.user_password is None)
+ 
+-        logger.info("Configure sshd")
+-        self.osutil.conf_sshd(ovfenv.disable_ssh_password_auth)
+-
+         self.deploy_ssh_pubkeys(ovfenv)
+         self.deploy_ssh_keypairs(ovfenv)
+