add make clean-kssh to actually delete all config files when the service is stopped (#96)

Author: mmou

.gitignore

@@ -3,6 +3,8 @@ keybaseca.config
 nohup.out
 env.list
 __pycache__
+**/.mypy_cache/
+tests/env.sh
 
 # sphinx generated files:
 _build

docker/Dockerfile-ca

@@ -44,6 +44,7 @@ COPY --from=builder --chown=keybase:keybase /bot-sshca/bin/keybaseca bin/
 # copy in entrypoint scripts
 COPY --chown=keybase:keybase ./docker/entrypoint-generate.sh ./
 COPY --chown=keybase:keybase ./docker/entrypoint-server.sh ./
+COPY --chown=keybase:keybase ./docker/entrypoint-cleanup.sh ./
 
 # Run container as root but only to be able to chown the Docker bind-mount, 
 # then immediatetly step down to the keybase user via sudo in the entrypoint scripts

docker/Makefile

@@ -21,7 +21,7 @@ endif
 
 # Generate a new CA key
 generate: env-file-exists build
-	docker run -e FORCE_WRITE=$(FORCE_WRITE) --env-file ./env.list -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-generate.sh
+	docker run --init -e FORCE_WRITE=$(FORCE_WRITE) --env-file ./env.list -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-generate.sh
 	@echo -e "\nRun these commands on each server that you wish to use with the CA chatbot\n"
 	@echo "useradd developer && mkdir -p /home/developer && chown developer:developer /home/developer  # The user that will be used for non-root logins"
 	@echo "echo \"`cat $(CURDIR)/example-keybaseca-volume/keybase-ca-key.pub`\" > /etc/ssh/ca.pub"
@@ -33,17 +33,21 @@ generate: env-file-exists build
 
 # Start the CA chatbot in the background
 serve: env-file-exists ca-key-exists
-	docker run -d --restart unless-stopped --env-file ./env.list -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-server.sh
+	docker run -d --init --restart unless-stopped --env-file ./env.list -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-server.sh
 	@echo 'Started CA bot service in the background... Use `docker ps` and `docker logs` to monitor it'
 
 # Stop the service
-stop:
+stop: clean-kssh
 	docker kill `docker ps -q --filter ancestor=ca`
 
 # Restart the service (useful if you updated env.list)
 restart: stop serve
 
-# Wipe all data
+# Delete all kssh config files
+clean-kssh: env-file-exists
+	docker run --init -e FORCE_WRITE=$(FORCE_WRITE) --env-file ./env.list -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-cleanup.sh
+
+# Delete all CA data
 clean: confirm-clean reset-permissions
 	@# Sudo since it is likely owned by another use since it was written from a docker container
 	sudo rm -rf example-keybaseca-volume/keybaseca*

docker/entrypoint-cleanup.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+# chown as root
+chown -R keybase:keybase /mnt
+
+# Run everything else as the keybase user
+sudo -i -u keybase bash << EOF
+export "FORCE_WRITE=$FORCE_WRITE"
+export "KEYBASE_USERNAME=$KEYBASE_USERNAME"
+export "KEYBASE_PAPERKEY=$KEYBASE_PAPERKEY"
+nohup bash -c "KEYBASE_RUN_MODE=prod kbfsfuse /keybase | grep -v 'ERROR Mounting the filesystem failed' &"
+sleep ${KEYBASE_TIMEOUT:-5}
+keybase oneshot
+bin/keybaseca --wipe-all-configs
+sleep ${KEYBASE_TIMEOUT:-5}
+EOF

src/cmd/keybaseca/keybaseca.go

@@ -42,7 +42,7 @@ func main() {
 		cli.BoolFlag{
 			Name:   "wipe-all-configs",
 			Hidden: true,
-			Usage:  "Used in the integration tests to clean all client configs from KBFS",
+			Usage:  "Clean all client configs the CA Keybase user can find from KBFS",
 		},
 		cli.BoolFlag{
 			Name:   "wipe-logs",
@@ -214,6 +214,8 @@ func mainAction(c *cli.Context) error {
 		semaphore := sync.WaitGroup{}
 		semaphore.Add(len(teams))
 		boundChan := make(chan interface{}, shared.BoundedParallelismLimit)
+		teamsFound := []string{}
+		teamsFoundMutex := sync.Mutex{}
 		for _, team := range teams {
 			go func(team string) {
 				// Blocks until there is room in boundChan
@@ -226,6 +228,9 @@ func mainAction(c *cli.Context) error {
 					if err != nil {
 						fmt.Printf("%v\n", err)
 					}
+					teamsFoundMutex.Lock()
+					teamsFound = append(teamsFound, team)
+					teamsFoundMutex.Unlock()
 				}
 				semaphore.Done()
 
@@ -234,6 +239,7 @@ func mainAction(c *cli.Context) error {
 			}(team)
 		}
 		semaphore.Wait()
+		fmt.Printf("Deleted configs found in these teams: %+v\n", teamsFound)
 	case c.Bool("wipe-logs"):
 		conf, err := loadServerConfig()
 		if err != nil {