Generate sshd_config by go template

Author: niusmallnan

cmd/control/console_init.go

@@ -7,9 +7,10 @@ import (
 	"os"
 	"os/exec"
 	"path"
-	"regexp"
+	"strconv"
 	"strings"
 	"syscall"
+	"text/template"
 
 	"github.com/rancher/os/cmd/cloudinitexecute"
 	"github.com/rancher/os/config"
@@ -318,37 +319,26 @@ func writeRespawn(user string, sshd, recovery bool) error {
 }
 
 func modifySshdConfig(cfg *config.CloudConfig) error {
-	sshdConfig, err := ioutil.ReadFile("/etc/ssh/sshd_config")
+	os.Remove("/etc/ssh/sshd_config")
+	sshdTpl, err := template.ParseFiles("/etc/ssh/sshd_config.tpl")
 	if err != nil {
 		return err
 	}
-	sshdConfigString := string(sshdConfig)
-
-	modifiedLines := []string{
-		"UseDNS no",
-		"PermitRootLogin no",
-		"ServerKeyBits 2048",
-		"AllowGroups docker",
+	f, err := os.OpenFile("/etc/ssh/sshd_config", os.O_WRONLY|os.O_CREATE, 0644)
+	if err != nil {
+		return err
 	}
+	defer f.Close()
 
+	config := map[string]string{}
 	if cfg.Rancher.SSH.Port > 0 && cfg.Rancher.SSH.Port < 65355 {
-		modifiedLines = append(modifiedLines, fmt.Sprintf("Port %d", cfg.Rancher.SSH.Port))
+		config["Port"] = strconv.Itoa(cfg.Rancher.SSH.Port)
 	}
 	if cfg.Rancher.SSH.ListenAddress != "" {
-		modifiedLines = append(modifiedLines, fmt.Sprintf("ListenAddress %s", cfg.Rancher.SSH.ListenAddress))
-	}
-
-	for _, item := range modifiedLines {
-		match, err := regexp.Match("^"+item, sshdConfig)
-		if err != nil {
-			return err
-		}
-		if !match {
-			sshdConfigString += fmt.Sprintf("%s\n", item)
-		}
+		config["ListenAddress"] = cfg.Rancher.SSH.ListenAddress
 	}
 
-	return ioutil.WriteFile("/etc/ssh/sshd_config", []byte(sshdConfigString), 0644)
+	return sshdTpl.Execute(f, config)
 }
 
 func setupSSH(cfg *config.CloudConfig) error {

images/02-console/Dockerfile

@@ -1,10 +1,13 @@
 FROM rancher/os-base
 COPY build/lsb-release /etc/
+COPY build/sshd_config.append.tpl /etc/ssh/
+COPY prompt.sh /etc/profile.d/
 RUN sed -i 's/rancher:!/rancher:*/g' /etc/shadow && \
     sed -i 's/docker:!/docker:*/g' /etc/shadow && \
-    sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 180/g' /etc/ssh/sshd_config && \
     echo '## allow password less for rancher user' >> /etc/sudoers && \
     echo 'rancher ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers && \
     echo '## allow password less for docker user' >> /etc/sudoers && \
-    echo 'docker ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
-COPY prompt.sh /etc/profile.d/
+    echo 'docker ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers && \
+    cat /etc/ssh/sshd_config > /etc/ssh/sshd_config.tpl && \
+    cat /etc/ssh/sshd_config.append.tpl >> /etc/ssh/sshd_config.tpl && \
+    rm -f /etc/ssh/sshd_config.append.tpl /etc/ssh/sshd_config

images/02-console/prebuild.sh

@@ -13,3 +13,19 @@ DISTRIB_ID=${DISTRIB_ID}
 DISTRIB_RELEASE=${VERSION}
 DISTRIB_DESCRIPTION="${DISTRIB_ID} ${VERSION}"
 EOF
+
+cat > ./build/sshd_config.append.tpl << EOF
+{{- if .Port}}
+Port {{.Port}}
+{{- end}}
+
+{{- if .ListenAddress}}
+ListenAddress {{.ListenAddress}}
+{{- end}}
+
+ClientAliveInterval 180
+
+UseDNS no
+PermitRootLogin no
+AllowGroups docker
+EOF