all messages for Guix-related lists mirrored at yhetil.org
From: Efraim Flashner <efraim@flashner.co.il>
To: Hartmut Goebel <h.goebel@crazy-compilers.com>
Cc: help-guix <help-guix@gnu.org>
Subject: Re: Putting a file into system image ~user/ but not on reconfigure
Date: Fri, 18 Aug 2023 15:53:19 +0300
Message-ID: <ZN9pv4JiR5n4pWeY@pbp>
In-Reply-To: <d9cd1802-eaca-2715-7733-494787f15b5f@crazy-compilers.com>

On Thu, Aug 17, 2023 at 09:30:24PM +0200, Hartmut Goebel wrote:
> Hello Efraim,
> 
> Am 13.08.23 um 16:58 schrieb Efraim Flashner:
> > I feel compelled to ask if the key must be in
> > ~vagrant/.ssh/authorized_keys or if /etc/ssh/authorized_keys.d/vagrant
> > is acceptable.
> 
> I'm afraid it needs to be in ~vagrant/.ssh/authorized_keys: When first
> booting the machine, Vagrant logs into it and replaces the key. Thus the
> user vagrant must be allowed to change the respective file.
> 
> Why are you asking? What would be easier (in respect of not re-installing
> the key), if putting the key into /etc/ssh/authorized_keys.d/vagrant would
> work?

There's already tooling available to place a key in
/etc/ssh/authorized_keys.d/vagrant, and when you include an os-config in
the image you can leave that line out. That way it'll be there in the
initial image when it is created (and when /etc is populated on first
boot) but it would disappear on reconfigure.

I suppose another option would be a one-off service that checks if
~vagrant/.ssh/authorized_keys exists, and if it doesn't then create one
with the desired key and chown and chmod ~/.ssh to vagrant.

> > Also, could you use /etc/services or another file in /etc/static as a
> > marker that the system has been booted at least once before?
> 
> Such a marker would be okay. Anyhow to make this work, some respective new
> service would need to detect this quite early, before /etc/service gets
> linked. Otherwise the service could not distinguish between "first" and "at
> least once". Or did I miss something?
> 
> Is there some means of ordering service execution/start?

I'd have to dive into the internals of system bring up a bit, but if I
understand correctly before first boot there's a series of derivations
that get combined together during boot to create the actual running
system. Then after first boot they "actually live in their final
locations", and get swapped out on reconfigure. So before first boot
there's a bunch of files in /etc that aren't actually present yet, but
after first boot they've been linked into place.

I mostly got this from building system images so it's definitely possible
that I've understood it incorrectly. Also as I think about it more,
other than depending on some filesystem service, I'm not sure what you
could depend on that would definitely slot in correctly to run on
first-boot. I suppose /etc/ssh/ssh_host_ed25519_key won't be there on
first boot, but you'd still basically be racing the openssh-service.

-- 
Efraim Flashner   <efraim@flashner.co.il>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

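The "one-off service" Efraim sketches above (create ~vagrant/.ssh/authorized_keys only if it does not exist yet, then fix ownership and permissions) written out as a POSIX shell function. This is an added example, not code from the thread or from Guix itself; in a Guix system it would still have to be wrapped in an activation or one-shot Shepherd service, and the ordering problem relative to openssh-service that Efraim raises is not solved here. The function name `seed_authorized_key`, its arguments, and the public key string are all assumptions made for the example; the key is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Guix or thread code).
# Installs an initial authorized_keys for a user ONLY when none exists.
# The existence of the file is the "already booted at least once" marker:
# Vagrant rewrites it with a per-VM key on first login, and that rewrite
# must survive a later `guix system reconfigure`, so we never overwrite it.
#
# Usage: seed_authorized_key HOME_DIR OWNER PUBKEY_LINE
seed_authorized_key() {
    home=$1
    owner=$2
    pubkey=$3
    sshdir="$home/.ssh"
    keyfile="$sshdir/authorized_keys"

    # Idempotence: an existing file means either a previous boot or Vagrant
    # already replaced the key. Leave it untouched.
    if [ -e "$keyfile" ]; then
        return 0
    fi

    # Create directory and file under umask 077 so that there is no window
    # in which either is readable by other users, even if we are
    # interrupted (or race sshd) before the chmod below runs.
    (
        umask 077
        mkdir -p "$sshdir"
        printf '%s\n' "$pubkey" > "$keyfile"
    )

    # sshd with StrictModes (the default) ignores authorized_keys if the
    # directory or file is group/world-writable or not owned by the user.
    chmod 700 "$sshdir"
    chmod 600 "$keyfile"

    # Ownership can only be changed by root; the activation context on a
    # first boot is root, but the function is also usable for a dry run.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$sshdir"
    fi
}

# Example invocation for the vagrant user (constructed placeholder key).
# seed_authorized_key /home/vagrant vagrant \
#     "ssh-ed25519 AAAAconstructedplaceholderkey vagrant-insecure-key"
```

Because the file is only ever created, never replaced, the key Vagrant writes on first login is what persists; the price is that rotating the seed key in the configuration has no effect on machines that already booted, which is exactly the behaviour the thread is asking for.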


Thread overview: 7+ messages
2023-08-09 22:11 Putting a file into system image ~user/ but not on reconfigure Hartmut Goebel
2023-08-10 12:12 ` wolf
2023-08-10 12:38   ` Hartmut Goebel
2023-08-13 14:58     ` Efraim Flashner
2023-08-17 19:30       ` Hartmut Goebel
2023-08-18 12:53         ` Efraim Flashner [this message]
2023-08-24 18:57           ` Hartmut Goebel
