From 0de04000223762974073e5907726d8d3df5d8e0f Mon Sep 17 00:00:00 2001 From: Jack Rubacha Date: Mon, 18 Mar 2024 15:40:29 -0400 Subject: [PATCH] Add secret management for root passwords (#131) * initial config (w/o gitignore) * Update .gitignore * update to example env * add more gitignore safeguards * Update README.md * add iroh * add source back to setup script * push workflow * fix path * make it rerun * try secrets * fix dir * env fixup * headless gpg * add client side decryption * try sourcing via shortcut * docs, cache ig? * build? * fix dumb dumb * fix nero --- .github/workflows/build_image.yml | 60 +++++++++++++++++++ .gitignore | 6 ++ odysseus/Dockerfile | 4 ++ odysseus/README.md | 14 +++++ odysseus/compose.yml | 9 +++ odysseus/docker_scripts/load-secrets.sh | 4 ++ odysseus/docker_scripts/setup_env.sh | 3 +- .../configs/raspberrypi3_64_ap_defconfig | 2 +- .../configs/raspberrypi3_64_iroh_defconfig | 2 +- .../configs/raspberrypi4_64_tpu_defconfig | 2 +- odysseus/odysseus_tree/sources/Nero-2.0 | 2 +- 11 files changed, 103 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/build_image.yml create mode 100755 odysseus/docker_scripts/load-secrets.sh diff --git a/.github/workflows/build_image.yml b/.github/workflows/build_image.yml new file mode 100644 index 00000000..149f72d5 --- /dev/null +++ b/.github/workflows/build_image.yml @@ -0,0 +1,60 @@ +# +name: Create and publish a Docker image + +# Configures this workflow to run every time a docker artificat is edited +on: + push: + paths: + - 'odysseus/Dockerfile' + - 'odysseus/docker_scripts/**' + +# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds. +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu. +jobs: + build-and-push-image: + runs-on: ubuntu-latest + # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. + permissions: + contents: read + packages: write + # + steps: + - name: Checkout repository + uses: actions/checkout@v4 + # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. + - name: Log in to the Container registry + uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels. + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Encrypt and inject passwords + shell: bash + working-directory: ./odysseus + env: + ODY_AP_ROOT_PASSWORD: ${{ secrets.ODY_AP_ROOT_PASSWORD }} + ODY_TPU_ROOT_PASSWORD: ${{ secrets.ODY_TPU_ROOT_PASSWORD }} + ODY_IROH_ROOT_PASSWORD: ${{ secrets.ODY_IROH_ROOT_PASSWORD }} + MASTER_PASSWORD: ${{ secrets.ODY_MASTER_PASSWORD }} + run: for i in ODY_AP_ROOT_PASSWORD ODY_TPU_ROOT_PASSWORD ODY_IROH_ROOT_PASSWORD; do echo "$i=${!i}" >> SECRETS.env; done && gpg --batch --symmetric --passphrase "$MASTER_PASSWORD" --no-symkey-cache --cipher-algo AES256 SECRETS.env + # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. + # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository. + # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. + - name: Build and push Docker image + uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 + with: + context: ./odysseus + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} diff --git a/.gitignore b/.gitignore index 7a05c46b..9fe16b20 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,9 @@ .DS_Store odysseus/outputs/** + +# for passwords +odysseus/SECRETS.env +odysseus/SECRETS.env-example +# redundant safeguard for all env files named SECRETS.env in case it is renamed wrong +**/*SECRETS.env* diff --git a/odysseus/Dockerfile b/odysseus/Dockerfile index 9d39465b..b1cac4b6 100644 --- a/odysseus/Dockerfile +++ b/odysseus/Dockerfile @@ -41,8 +41,12 @@ WORKDIR /home/odysseus/build RUN git clone https://gitlab.com/buildroot.org/buildroot.git && cd ./buildroot && git checkout 2024.02 + WORKDIR /home/odysseus/outputs/ COPY ./docker_scripts /home/odysseus/scripts RUN echo "source /home/odysseus/scripts/setup_env.sh" >> ~/.bashrc +# install password using wildcard so failures arent deadly +COPY ./SECRETS.env.* /home/odysseus/ + ENTRYPOINT "/bin/bash" diff --git a/odysseus/README.md b/odysseus/README.md index d1cb51a4..213ceaa8 100644 --- a/odysseus/README.md +++ b/odysseus/README.md @@ -32,6 +32,11 @@ Download and install to PATH git and docker. git clone https://github.com/Northeastern-Electric-Racing/Siren.git git submodule update --init --recursive cd ./odysseus +``` +At this point, copy the file `SECRETS.env-example` to `SECRETS.env`, if you want to use non-default passwords edit this file. + +Once that is done, run: +``` docker compose run --rm --build odysseus # Future launches can omit `--build` for time savings and space savings, but it should be used if the Dockerfile or docker_out_of_tree.sh files change. ``` Now you are in the docker container. To build cd into the defconfig directory (either ap, or tpu), then run the make command alias: @@ -84,6 +89,15 @@ Notes about docker: - Launch time is longer - Space is used up by rebuilds, prune often or omit `--build` +### Passwords +Root passwords are stored via Github secrets and an encrypted file within a ghcr docker image. Below are the steps to load and decrypt such passwords for use by buildroot. Requirements are you know the team's master password and are running x86_64. + +1. Authenticate with ghcr. First make a [classic PAT](https://github.com/settings/tokens/new) with the permission `read:packages`. Make sure to copy the token, then run `sudo docker login ghcr.io -u -p ` +2. cd into odysseus folder and `docker compose pull` +3. Run `docker compose run odysseus` to enter the docker image. At this point the image should be identical to a locally built one, but it is less preferable for development purposes. +4. Run `load-secrets` and enter the master password. Consult Odysseus lead if you need this info. Now your passwords are loaded (can be viewed with `env | grep ODY`), and will be set when you make the sdcard.img. Note this step must be repeated on each `docker compose run odysseus`, and if the passwords change on Github steps 2 and 3 must be rerun as well. + + See below to learn more about developing, and check confluence for most info. Once in the docker image, all the normal make commands (in an out-of-tree context only) apply. diff --git a/odysseus/compose.yml b/odysseus/compose.yml index 76dfd2bb..4ccccc50 100644 --- a/odysseus/compose.yml +++ b/odysseus/compose.yml @@ -2,9 +2,11 @@ version: "3.8" services: odysseus: build: . + image: ghcr.io/northeastern-electric-racing/odysseus:52-root-secrets command: /bin/bash privileged: true tty: true + stdin_open: true # for fakeroot failure ulimits: nofile: @@ -17,7 +19,14 @@ services: environment: - BR2_DL_DIR=/home/odysseus/shared_data/dl - BR2_CCACHE_DIR=/home/odysseus/shared_data/ccache + - ODY_TPU_ROOT_PASSWORD=password + - ODY_IROH_ROOT_PASSWORD=password + - ODY_AP_ROOT_PASSWORD=password + volumes: shared_data: labels: com.northeastern_electric_racing.description: "Shared output between buildroot runs" + + + diff --git a/odysseus/docker_scripts/load-secrets.sh b/odysseus/docker_scripts/load-secrets.sh new file mode 100755 index 00000000..8a8956b1 --- /dev/null +++ b/odysseus/docker_scripts/load-secrets.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +# must be sourced for this to work +eval "$(gpg -d --no-symkey-cache --cipher-algo AES256 /home/odysseus/SECRETS.env.gpg)" diff --git a/odysseus/docker_scripts/setup_env.sh b/odysseus/docker_scripts/setup_env.sh index d768b088..f56fc71f 100755 --- a/odysseus/docker_scripts/setup_env.sh +++ b/odysseus/docker_scripts/setup_env.sh @@ -1,8 +1,9 @@ #!/bin/bash alias make-current="/home/odysseus/scripts/make-current.sh" +alias load-secrets="source /home/odysseus/scripts/load-secrets.sh" -# for each defconfig make output subdirectory +# for each defconfig make output subdirectory make -C /home/odysseus/build/buildroot O=/home/odysseus/outputs/tpu BR2_EXTERNAL=/home/odysseus/build/odysseus_tree raspberrypi4_64_tpu_defconfig make -C /home/odysseus/build/buildroot O=/home/odysseus/outputs/ap BR2_EXTERNAL=/home/odysseus/build/odysseus_tree raspberrypi3_64_ap_defconfig make -C /home/odysseus/build/buildroot O=/home/odysseus/outputs/iroh BR2_EXTERNAL=/home/odysseus/build/odysseus_tree raspberrypi3_64_iroh_defconfig diff --git a/odysseus/odysseus_tree/configs/raspberrypi3_64_ap_defconfig b/odysseus/odysseus_tree/configs/raspberrypi3_64_ap_defconfig index feace6f2..25b0dbf0 100644 --- a/odysseus/odysseus_tree/configs/raspberrypi3_64_ap_defconfig +++ b/odysseus/odysseus_tree/configs/raspberrypi3_64_ap_defconfig @@ -6,7 +6,7 @@ BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_ODY_TREE_PATH)/patches" BR2_PER_PACKAGE_DIRECTORIES=y BR2_TARGET_GENERIC_HOSTNAME="raspberrypi-ap" BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y -BR2_TARGET_GENERIC_ROOT_PASSWD="password" +BR2_TARGET_GENERIC_ROOT_PASSWD="$(ODY_AP_ROOT_PASSWORD)" BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_common $(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_nrc_common $(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_ap" BR2_ROOTFS_PRE_BUILD_SCRIPT="$(BR2_EXTERNAL_ODY_TREE_PATH)/pre-make-ap.sh" BR2_ROOTFS_POST_BUILD_SCRIPT="board/raspberrypi3-64/post-build.sh" diff --git a/odysseus/odysseus_tree/configs/raspberrypi3_64_iroh_defconfig b/odysseus/odysseus_tree/configs/raspberrypi3_64_iroh_defconfig index dbaeb232..c71ddba4 100644 --- a/odysseus/odysseus_tree/configs/raspberrypi3_64_iroh_defconfig +++ b/odysseus/odysseus_tree/configs/raspberrypi3_64_iroh_defconfig @@ -6,7 +6,7 @@ BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_ODY_TREE_PATH)/patches" BR2_PER_PACKAGE_DIRECTORIES=y BR2_TARGET_GENERIC_HOSTNAME="raspberrypi-iroh" BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y -BR2_TARGET_GENERIC_ROOT_PASSWD="password" +BR2_TARGET_GENERIC_ROOT_PASSWD="$(ODY_IROH_ROOT_PASSWORD)" BR2_TARGET_TZ_INFO=y BR2_TARGET_LOCALTIME="America/New_York" BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_iroh" diff --git a/odysseus/odysseus_tree/configs/raspberrypi4_64_tpu_defconfig b/odysseus/odysseus_tree/configs/raspberrypi4_64_tpu_defconfig index b2b481b5..7d8dddd2 100644 --- a/odysseus/odysseus_tree/configs/raspberrypi4_64_tpu_defconfig +++ b/odysseus/odysseus_tree/configs/raspberrypi4_64_tpu_defconfig @@ -7,7 +7,7 @@ BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_ODY_TREE_PATH)/patches" BR2_PER_PACKAGE_DIRECTORIES=y BR2_TARGET_GENERIC_HOSTNAME="raspberrypi-sta" BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y -BR2_TARGET_GENERIC_ROOT_PASSWD="password" +BR2_TARGET_GENERIC_ROOT_PASSWD="$(ODY_TPU_ROOT_PASSWORD)" BR2_TARGET_TZ_INFO=y BR2_TARGET_LOCALTIME="America/New_York" BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_common $(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_nrc_common $(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_tpu" diff --git a/odysseus/odysseus_tree/sources/Nero-2.0 b/odysseus/odysseus_tree/sources/Nero-2.0 index 9289c311..f93979d2 160000 --- a/odysseus/odysseus_tree/sources/Nero-2.0 +++ b/odysseus/odysseus_tree/sources/Nero-2.0 @@ -1 +1 @@ -Subproject commit 9289c3115f623829cecccb767196398ff0d03523 +Subproject commit f93979d2a255216e12798e5daad1b13485d27f9c