authorFathi Boudra <fathi.boudra@linaro.org>2016-09-13 15:35:17 +0300
committerFathi Boudra <fathi.boudra@linaro.org>2016-09-13 15:35:17 +0300
commit13c1cdbafc8734827b470206e4612a5a11954179 (patch)
treeb75fa0367346b1949041224174b6d1d62f5e5060
parent17504ef60129b3eea6d319240370975cc7429a8d (diff)
trusty-*-tcwg: fix user's .ssh directory permission
use /etc/skel to install .ssh with the correct permissions. Change-Id: I571416a717339780b4a438ff45ff33fa3159ff07 Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
-rw-r--r--trusty-amd64-tcwg/Dockerfile7
-rw-r--r--trusty-arm64-tcwg-test/Dockerfile29
-rw-r--r--trusty-arm64-tcwg/Dockerfile14
-rw-r--r--trusty-armhf-tcwg-test/Dockerfile29
-rw-r--r--trusty-armhf-tcwg/Dockerfile14
-rw-r--r--trusty-i386-tcwg/Dockerfile7
6 files changed, 48 insertions, 52 deletions
diff --git a/trusty-amd64-tcwg/Dockerfile b/trusty-amd64-tcwg/Dockerfile
index f9f3f93..a4cf8b2 100644
--- a/trusty-amd64-tcwg/Dockerfile
+++ b/trusty-amd64-tcwg/Dockerfile
@@ -1,7 +1,7 @@
FROM ubuntu:trusty
COPY *.list *.key /etc/apt/sources.list.d/
-COPY tcwg-buildslave/.ssh /home/tcwg-buildslave/.ssh
+COPY tcwg-buildslave/.ssh /etc/skel/.ssh
RUN dpkg --add-architecture i386 \
&& apt-key add /etc/apt/sources.list.d/*.key \
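Review bot: The `.ssh` directory copied to `/etc/skel/.ssh` here stays in the image even though the later RUN ends with `rm -rf /etc/skel/.ssh`, because COPY writes its own layer and a delete in a later layer only hides the files. Anyone who can pull the image can read that layer, so if `tcwg-buildslave/.ssh` holds more than public keys (its contents are not visible in this diff), that material is better supplied when the container starts than at build time. At minimum I would add a comment above the COPY such as `# .ssh stays in this layer despite the later rm -rf; keep private keys out of the build context`. The same COPY is added in the other five Dockerfiles of this commit. The RUN that begins at the end of this hunk continues outside it.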
@@ -66,11 +66,12 @@ RUN dpkg --add-architecture i386 \
/tmp/* \
/var/tmp/*
-RUN groupadd -g 9000 tcwg-infra \
+RUN chmod 0700 /etc/skel/.ssh \
+ && groupadd -g 9000 tcwg-infra \
&& useradd -m -g tcwg-infra -u 11827 tcwg-buildslave \
+ && rm -rf /etc/skel/.ssh \
&& echo 'tcwg-buildslave ALL = NOPASSWD: ALL' > /etc/sudoers.d/jenkins \
&& chmod 440 /etc/sudoers.d/jenkins \
- && chown -R tcwg-buildslave:tcwg-infra /home/tcwg-buildslave/.ssh/ \
&& install -D -p -m0755 /usr/share/doc/git/contrib/workdir/git-new-workdir /usr/local/bin/git-new-workdir \
&& sed -i -e 's:^session *required *pam_loginuid.so:# session required pam_loginuid.so:' /etc/pam.d/sshd \
&& mkdir -p /var/run/sshd
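Review bot: `chmod 0700 /etc/skel/.ssh` corrects only the directory mode; the files inside keep whatever mode they had in the build context, and `useradd -m` copies them into /home/tcwg-buildslave/.ssh with those modes. If the checkout was made with a permissive umask, a group-writable `authorized_keys` would presumably still fail sshd's StrictModes check, and the ssh client refuses a private key that others can read. Replacing the first command with `RUN chmod -R go-rwx /etc/skel/.ssh \` covers the directory and its files in one step. The same RUN is added in the other five Dockerfiles changed here.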
diff --git a/trusty-arm64-tcwg-test/Dockerfile b/trusty-arm64-tcwg-test/Dockerfile
index 647e641..8668467 100644
--- a/trusty-arm64-tcwg-test/Dockerfile
+++ b/trusty-arm64-tcwg-test/Dockerfile
@@ -1,6 +1,8 @@
FROM quay.io/fathi_boudra/ubuntu:trusty-arm64
COPY *.list *.key /etc/apt/sources.list.d/
+COPY tcwg-buildslave/.ssh /etc/skel/.ssh
+COPY tcwg-buildslave/.ssh /root/.ssh
RUN echo 'deb http://ports.ubuntu.com/ubuntu-ports trusty main universe' > /etc/apt/sources.list \
&& apt-key add /etc/apt/sources.list.d/*.key \
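Review bot: `/root/.ssh` is populated from the same build-context directory, but nothing in this commit tightens its mode; only `/etc/skel/.ssh` gets the `chmod 0700`. This file later sets `PermitRootLogin without-password`, so root key login depends on `/root/.ssh` and its files passing the same sshd permission checks that motivated the fix for the user account. I would add `&& chmod -R go-rwx /root/.ssh \` to the RUN that fixes `/etc/skel/.ssh`. trusty-armhf-tcwg-test/Dockerfile adds the same COPY and needs the same line. The RUN that starts at the end of this hunk continues outside it.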
@@ -19,33 +21,28 @@ RUN echo 'deb http://ports.ubuntu.com/ubuntu-ports trusty main universe' > /etc/
/tmp/* \
/var/tmp/*
-RUN groupadd -g 9000 tcwg-infra \
+RUN chmod 0700 /etc/skel/.ssh \
+ && groupadd -g 9000 tcwg-infra \
&& useradd -m -g tcwg-infra -u 11827 tcwg-buildslave \
+ && rm -rf /etc/skel/.ssh \
&& echo 'tcwg-buildslave ALL = NOPASSWD: ALL' > /etc/sudoers.d/jenkins \
&& chmod 440 /etc/sudoers.d/jenkins \
&& sed -i -e 's:^session *required *pam_loginuid.so:# session required pam_loginuid.so:' /etc/pam.d/sshd \
- && mkdir -p /var/run/sshd
-
-# Increase the limit for concurrent connections and for connection sharing,
-# and enable root login.
-RUN sed -i \
- -e "/.*MaxStartups.*/d" \
- -e "/.*MaxSesssions.*/d" \
- -e "/.*PermitRootLogin.*/d" /etc/ssh/sshd_config \
+ && mkdir -p /var/run/sshd \
+ && sed -i \
+ -e "/.*MaxStartups.*/d" \
+ -e "/.*MaxSesssions.*/d" \
+ -e "/.*PermitRootLogin.*/d" /etc/ssh/sshd_config \
&& echo "MaxStartups 256" >> /etc/ssh/sshd_config \
&& echo "MaxSessions 256" >> /etc/ssh/sshd_config \
&& echo "PermitRootLogin without-password" >> /etc/ssh/sshd_config
-EXPOSE 22
-CMD ["/usr/sbin/sshd", "-D"]
-
-COPY tcwg-buildslave/.ssh /root/.ssh
-COPY tcwg-buildslave/.ssh /home/tcwg-buildslave/.ssh
-RUN chown -R tcwg-buildslave:tcwg-infra /home/tcwg-buildslave/.ssh/
-
# We use ssh multiplexing, which creates sockets in /tmp. Overlayfs,
# which docker is using can't host sockets, so we use a scratch mount
# for /tmp. This requires that we add --rm option to "docker run"
# invocations (e.g., mark "Remove volumes" checkbox in docker plugin) to
# cleanup host directories used for the scratch mounts.
VOLUME /tmp
+
+EXPOSE 22
+CMD ["/usr/sbin/sshd", "-D"]
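Review bot: The sed expression `-e "/.*MaxSesssions.*/d"` that this hunk folds into the combined RUN is misspelled (three s), so it never matches a `MaxSessions` line in /etc/ssh/sshd_config. sshd uses the first value it reads for each keyword, so if the stock file already carries an uncommented `MaxSessions`, the appended `MaxSessions 256` would be ignored. The line should read `-e "/.*MaxSessions.*/d" \`. trusty-armhf-tcwg-test/Dockerfile carries the same typo in its matching hunk.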
diff --git a/trusty-arm64-tcwg/Dockerfile b/trusty-arm64-tcwg/Dockerfile
index daf68b5..77a9741 100644
--- a/trusty-arm64-tcwg/Dockerfile
+++ b/trusty-arm64-tcwg/Dockerfile
@@ -1,6 +1,7 @@
FROM quay.io/fathi_boudra/ubuntu:trusty-arm64
COPY *.list *.key /etc/apt/sources.list.d/
+COPY tcwg-buildslave/.ssh /etc/skel/.ssh
RUN echo 'deb http://ports.ubuntu.com/ubuntu-ports trusty main universe' > /etc/apt/sources.list \
&& apt-key add /etc/apt/sources.list.d/*.key \
@@ -61,20 +62,16 @@ RUN echo 'deb http://ports.ubuntu.com/ubuntu-ports trusty main universe' > /etc/
/tmp/* \
/var/tmp/*
-RUN groupadd -g 9000 tcwg-infra \
+RUN chmod 0700 /etc/skel/.ssh \
+ && groupadd -g 9000 tcwg-infra \
&& useradd -m -g tcwg-infra -u 11827 tcwg-buildslave \
+ && rm -rf /etc/skel/.ssh \
&& echo 'tcwg-buildslave ALL = NOPASSWD: ALL' > /etc/sudoers.d/jenkins \
&& chmod 440 /etc/sudoers.d/jenkins \
&& install -D -p -m0755 /usr/share/doc/git/contrib/workdir/git-new-workdir /usr/local/bin/git-new-workdir \
&& sed -i -e 's:^session *required *pam_loginuid.so:# session required pam_loginuid.so:' /etc/pam.d/sshd \
&& mkdir -p /var/run/sshd
-EXPOSE 22
-CMD ["/usr/sbin/sshd", "-D"]
-
-COPY tcwg-buildslave/.ssh /home/tcwg-buildslave/.ssh
-RUN chown -R tcwg-buildslave:tcwg-infra /home/tcwg-buildslave/.ssh/
-
# Unfortunately, VOLUME doesn't support bind-mounts for portability reasons.
# Therefore, the bind-mounts for the following paths are configured in
# the ci.linaro.org's docker plugin.
@@ -89,3 +86,6 @@ RUN chown -R tcwg-buildslave:tcwg-infra /home/tcwg-buildslave/.ssh/
# invocations (e.g., mark "Remove volumes" checkbox in docker plugin) to
# cleanup host directories used for the scratch mounts.
VOLUME /tmp
+
+EXPOSE 22
+CMD ["/usr/sbin/sshd", "-D"]
diff --git a/trusty-armhf-tcwg-test/Dockerfile b/trusty-armhf-tcwg-test/Dockerfile
index f567a0b..303c71a 100644
--- a/trusty-armhf-tcwg-test/Dockerfile
+++ b/trusty-armhf-tcwg-test/Dockerfile
@@ -1,6 +1,8 @@
FROM quay.io/fathi_boudra/ubuntu:trusty-armhf
COPY *.list *.key /etc/apt/sources.list.d/
+COPY tcwg-buildslave/.ssh /etc/skel/.ssh
+COPY tcwg-buildslave/.ssh /root/.ssh
RUN echo 'deb http://ports.ubuntu.com/ubuntu-ports trusty main universe' > /etc/apt/sources.list \
&& apt-key add /etc/apt/sources.list.d/*.key \
@@ -19,33 +21,28 @@ RUN echo 'deb http://ports.ubuntu.com/ubuntu-ports trusty main universe' > /etc/
/tmp/* \
/var/tmp/*
-RUN groupadd -g 9000 tcwg-infra \
+RUN chmod 0700 /etc/skel/.ssh \
+ && groupadd -g 9000 tcwg-infra \
&& useradd -m -g tcwg-infra -u 11827 tcwg-buildslave \
+ && rm -rf /etc/skel/.ssh \
&& echo 'tcwg-buildslave ALL = NOPASSWD: ALL' > /etc/sudoers.d/jenkins \
&& chmod 440 /etc/sudoers.d/jenkins \
&& sed -i -e 's:^session *required *pam_loginuid.so:# session required pam_loginuid.so:' /etc/pam.d/sshd \
- && mkdir -p /var/run/sshd
-
-# Increase the limit for concurrent connections and for connection sharing,
-# and enable root login.
-RUN sed -i \
- -e "/.*MaxStartups.*/d" \
- -e "/.*MaxSesssions.*/d" \
- -e "/.*PermitRootLogin.*/d" /etc/ssh/sshd_config \
+ && mkdir -p /var/run/sshd \
+ && sed -i \
+ -e "/.*MaxStartups.*/d" \
+ -e "/.*MaxSesssions.*/d" \
+ -e "/.*PermitRootLogin.*/d" /etc/ssh/sshd_config \
&& echo "MaxStartups 256" >> /etc/ssh/sshd_config \
&& echo "MaxSessions 256" >> /etc/ssh/sshd_config \
&& echo "PermitRootLogin without-password" >> /etc/ssh/sshd_config
-EXPOSE 22
-CMD ["/usr/sbin/sshd", "-D"]
-
-COPY tcwg-buildslave/.ssh /root/.ssh
-COPY tcwg-buildslave/.ssh /home/tcwg-buildslave/.ssh
-RUN chown -R tcwg-buildslave:tcwg-infra /home/tcwg-buildslave/.ssh/
-
# We use ssh multiplexing, which creates sockets in /tmp. Overlayfs,
# which docker is using can't host sockets, so we use a scratch mount
# for /tmp. This requires that we add --rm option to "docker run"
# invocations (e.g., mark "Remove volumes" checkbox in docker plugin) to
# cleanup host directories used for the scratch mounts.
VOLUME /tmp
+
+EXPOSE 22
+CMD ["/usr/sbin/sshd", "-D"]
diff --git a/trusty-armhf-tcwg/Dockerfile b/trusty-armhf-tcwg/Dockerfile
index a9b6dbb..529a17d 100644
--- a/trusty-armhf-tcwg/Dockerfile
+++ b/trusty-armhf-tcwg/Dockerfile
@@ -1,6 +1,7 @@
FROM quay.io/fathi_boudra/ubuntu:trusty-armhf
COPY *.list *.key /etc/apt/sources.list.d/
+COPY tcwg-buildslave/.ssh /etc/skel/.ssh
RUN echo 'deb http://ports.ubuntu.com/ubuntu-ports trusty main universe' > /etc/apt/sources.list \
&& apt-key add /etc/apt/sources.list.d/*.key \
@@ -61,20 +62,16 @@ RUN echo 'deb http://ports.ubuntu.com/ubuntu-ports trusty main universe' > /etc/
/tmp/* \
/var/tmp/*
-RUN groupadd -g 9000 tcwg-infra \
+RUN chmod 0700 /etc/skel/.ssh \
+ && groupadd -g 9000 tcwg-infra \
&& useradd -m -g tcwg-infra -u 11827 tcwg-buildslave \
+ && rm -rf /etc/skel/.ssh \
&& echo 'tcwg-buildslave ALL = NOPASSWD: ALL' > /etc/sudoers.d/jenkins \
&& chmod 440 /etc/sudoers.d/jenkins \
&& install -D -p -m0755 /usr/share/doc/git/contrib/workdir/git-new-workdir /usr/local/bin/git-new-workdir \
&& sed -i -e 's:^session *required *pam_loginuid.so:# session required pam_loginuid.so:' /etc/pam.d/sshd \
&& mkdir -p /var/run/sshd
-EXPOSE 22
-CMD ["/usr/sbin/sshd", "-D"]
-
-COPY tcwg-buildslave/.ssh /home/tcwg-buildslave/.ssh
-RUN chown -R tcwg-buildslave:tcwg-infra /home/tcwg-buildslave/.ssh/
-
# Unfortunately, VOLUME doesn't support bind-mounts for portability reasons.
# Therefore, the bind-mounts for the following paths are configured in
# the ci.linaro.org's docker plugin.
@@ -89,3 +86,6 @@ RUN chown -R tcwg-buildslave:tcwg-infra /home/tcwg-buildslave/.ssh/
# invocations (e.g., mark "Remove volumes" checkbox in docker plugin) to
# cleanup host directories used for the scratch mounts.
VOLUME /tmp
+
+EXPOSE 22
+CMD ["/usr/sbin/sshd", "-D"]
diff --git a/trusty-i386-tcwg/Dockerfile b/trusty-i386-tcwg/Dockerfile
index e689272..be2cfed 100644
--- a/trusty-i386-tcwg/Dockerfile
+++ b/trusty-i386-tcwg/Dockerfile
@@ -1,7 +1,7 @@
FROM quay.io/fathi_boudra/ubuntu:trusty-i386
COPY *.list *.key /etc/apt/sources.list.d/
-COPY tcwg-buildslave/.ssh /home/tcwg-buildslave/.ssh
+COPY tcwg-buildslave/.ssh /etc/skel/.ssh
RUN apt-key add /etc/apt/sources.list.d/*.key \
&& apt-get update \
@@ -67,11 +67,12 @@ RUN apt-key add /etc/apt/sources.list.d/*.key \
/tmp/* \
/var/tmp/*
-RUN groupadd -g 9000 tcwg-infra \
+RUN chmod 0700 /etc/skel/.ssh \
+ && groupadd -g 9000 tcwg-infra \
&& useradd -m -g tcwg-infra -u 11827 tcwg-buildslave \
+ && rm -rf /etc/skel/.ssh \
&& echo 'tcwg-buildslave ALL = NOPASSWD: ALL' > /etc/sudoers.d/jenkins \
&& chmod 440 /etc/sudoers.d/jenkins \
- && chown -R tcwg-buildslave:tcwg-infra /home/tcwg-buildslave/.ssh/ \
&& install -D -p -m0755 /usr/share/doc/git/contrib/workdir/git-new-workdir /usr/local/bin/git-new-workdir \
&& sed -i -e 's:^session *required *pam_loginuid.so:# session required pam_loginuid.so:' /etc/pam.d/sshd \
&& mkdir -p /var/run/sshd