use init container to copy sshd and openssl command

src/ClusterBootstrap/services/jobmanager/jobmanager.yaml

@@ -28,6 +28,9 @@ spec:
         image: {{cnf["worker-dockerregistry"]}}{{cnf["dockerprefix"]}}{{cnf["restfulapi"]}}:{{cnf["dockertag"]}}
         command: ["/runScheduler.sh"]
         imagePullPolicy: Always
+        env:
+        - name: INIT_CONTAINER_IMAGE
+          value: {{cnf["worker-dockerregistry"]}}{{cnf["dockerprefix"]}}init-container:{{cnf["dockertag"]}}
         volumeMounts:
         - mountPath: /etc/kubernetes/ssl
           name: certs

src/ClusterManager/dist_pod_template.py

@@ -111,6 +111,7 @@ def generate_pods(self, job):
         job.add_mountpoints(job.vc_storage_mountpoints())
         job.add_mountpoints(job.infiniband_mountpoints())
         params["mountpoints"] = job.mountpoints
+        params["init-container"] = os.environ["INIT_CONTAINER_IMAGE"]
 
         params["user_email"] = params["userName"]
         params["homeFolderHostpath"] = job.get_homefolder_hostpath()

src/ClusterManager/pod_template.py

@@ -182,6 +182,7 @@ def generate_pods(self, job):
             # mount /pod
             pod_path = job.get_hostpath(job.job_path, "master")
             pod["mountpoints"].append({"name": "pod", "containerPath": "/pod", "hostPath": pod_path, "enabled": True})
+            pod["init-container"] = os.environ["INIT_CONTAINER_IMAGE"]
 
             k8s_pod = self.generate_pod(pod)
             k8s_pods.append(k8s_pod)

src/Jobs_Templete/pod.yaml.template

@@ -105,6 +105,18 @@ spec:
   {% if job["hostIPC"] %}
   hostIPC: true
   {% endif %}
+  initContainers:
+  - name: init
+    imagePullPolicy: Always
+    image: {{ job["init-container"] }}
+    volumeMounts:
+    - mountPath: /dlts-runtime
+      name: dlts-runtime
+    command:
+    - cp
+    - -r
+    - /ssh_build
+    - /dlts-runtime
   containers:
   - name: {{ job["podName"] }}
     image: {{ job["image"] }}
@@ -143,6 +155,8 @@ spec:
         memory: {{ job["memoryrequest"] }}
       {% endif %}
     volumeMounts:
+    - mountPath: /dlts-runtime
+      name: dlts-runtime
     - name: "dlws-scripts"
       mountPath: /pod/scripts
       readOnly: true
@@ -249,6 +263,8 @@ spec:
   - name: authorized-keys-volume
     hostPath:
       path: {{ job["homeFolderHostpath"] }}/.ssh/authorized_keys
+  - name: dlts-runtime
+    emptyDir: {}
   {% if not job["dnsPolicy"] %}
   - name: resolv
     hostPath:
@@ -299,4 +315,4 @@ spec:
         {% endif %}
       {% endfor %}
     {% endif %}
-  {% endif %}
+  {% endif %}

src/dev-utils/get_images.py

@@ -0,0 +1,45 @@
+#!/usr/bin/python
+
+import argparse
+import logging
+import mysql.connector
+import json
+import base64
+import yaml
+
+log = logging.getLogger(__name__)
+
+def get_images(username, password, host, database):
+    result = []
+
+    conn = mysql.connector.connect(user=username, password=password,
+            host=host, database=database)
+    cursor = conn.cursor()
+    sql = "SELECT jobId, jobParams FROM jobs"
+    cursor.execute(sql)
+    data = cursor.fetchall()
+    for id, params in data:
+        params = json.loads(base64.b64decode(params))
+        result.append(params["image"])
+    conn.close()
+    return result
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--config", "-c", help="path to config.yaml", required=True)
+    parser.add_argument("--cluster", "-i", help="path to clusterID.yml", required=True)
+    args = parser.parse_args()
+
+    logging.basicConfig(format="%(asctime)s - %(levelname)s - %(filename)s:%(lineno)s - %(message)s",
+            level=logging.INFO)
+
+    with open("config.yaml") as f:
+        mysql_config = yaml.load(f)
+
+    with open("deploy/clusterID.yml") as f:
+        cluster_id = yaml.load(f)["clusterId"]
+
+    images = get_images(mysql_config["mysql_username"], mysql_config["mysql_password"],
+        mysql_config["mysql_node"], "DLWSCluster-" + cluster_id)
+    for i in images:
+        print(i)

src/docker-images/init-container/Dockerfile

@@ -0,0 +1,18 @@
+FROM ubuntu:16.04 as builder
+
+RUN apt-get update && apt-get install -y wget gzip build-essential
+
+WORKDIR /ssh_build
+
+COPY build-openssh-static.sh /ssh_build
+RUN sh build-openssh-static.sh
+
+#FROM python:3.8.0-alpine3.10
+FROM ubuntu:16.04
+
+WORKDIR /ssh_build
+
+COPY --from=builder /ssh_build/root /ssh_build
+COPY init.d /ssh_build/init.d
+COPY default /ssh_build/default
+COPY install.sh /ssh_build

src/docker-images/init-container/build-openssh-static.sh

@@ -0,0 +1,58 @@
+#!/bin/sh
+
+set -u
+set -e
+set -x
+umask 0077
+
+ZLIB_URL="https://www.zlib.net/zlib-1.2.11.tar.gz"
+SSH_URL="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gz"
+SSL_URL="https://www.openssl.org/source/openssl-1.0.2t.tar.gz"
+
+mkdir dist
+
+(cd dist
+    wget $ZLIB_URL
+    wget $SSH_URL
+    wget $SSL_URL
+)
+
+top="$(pwd)"
+root="$top/root"
+build="$top/build"
+
+export CFLAGS="-I$root/include -L. -fPIC"
+export CPPFLAGS="-I$root/include -L. -fPIC"
+
+rm -rf "$root" "$build"
+mkdir -p "$root" "$build"
+
+gzip -dc dist/zlib-*.tar.gz |(cd "$build" && tar xf -)
+cd "$build"/zlib-*
+./configure --prefix="$root" --static
+make -j12
+make install
+cd "$top"
+
+gzip -dc dist/openssl-*.tar.gz |(cd "$build" && tar xf -)
+cd "$build"/openssl-*
+./config --prefix="$root" no-shared
+make -j12
+make install
+cd "$top"
+
+gzip -dc dist/openssh-*.tar.gz |(cd "$build" && tar xf -)
+cd "$build"/openssh-*
+cp -p "$root"/lib/*.a .
+[ -f sshd_config.orig ] || cp -p sshd_config sshd_config.orig
+sed \
+  -e 's/^#\(PubkeyAuthentication\) .*/\1 yes/' \
+  -e '/^# *Kerberos/d' \
+  -e '/^# *GSSAPI/d' \
+  -e 's/^#\([A-Za-z]*Authentication\) .*/\1 no/' \
+  sshd_config.orig \
+  >sshd_config \
+;
+./configure --prefix="$root" --with-privsep-user=nobody --with-privsep-path="/var/run/sshd"
+make -j12
+make install

src/docker-images/init-container/default/ssh

@@ -0,0 +1 @@
+SSHD_OPTS="-f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key"

src/docker-images/init-container/init.d/ssh

@@ -0,0 +1,174 @@
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides:		sshd
+# Required-Start:	$remote_fs $syslog
+# Required-Stop:	$remote_fs $syslog
+# Default-Start:	2 3 4 5
+# Default-Stop:		
+# Short-Description:	OpenBSD Secure Shell server
+### END INIT INFO
+
+set -e
+
+# /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon
+
+test -x /usr/sbin/sshd || exit 0
+( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
+
+umask 022
+
+if test -f /etc/default/ssh; then
+    . /etc/default/ssh
+fi
+
+. /lib/lsb/init-functions
+
+if [ -n "$2" ]; then
+    SSHD_OPTS="$SSHD_OPTS $2"
+fi
+
+# Are we running from init?
+run_by_init() {
+    ([ "$previous" ] && [ "$runlevel" ]) || [ "$runlevel" = S ]
+}
+
+check_for_upstart() {
+    if init_is_upstart; then
+	exit $1
+    fi
+}
+
+check_for_no_start() {
+    # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
+    if [ -e /etc/ssh/sshd_not_to_be_run ]; then 
+	if [ "$1" = log_end_msg ]; then
+	    log_end_msg 0 || true
+	fi
+	if ! run_by_init; then
+	    log_action_msg "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)" || true
+	fi
+	exit 0
+    fi
+}
+
+check_dev_null() {
+    if [ ! -c /dev/null ]; then
+	if [ "$1" = log_end_msg ]; then
+	    log_end_msg 1 || true
+	fi
+	if ! run_by_init; then
+	    log_action_msg "/dev/null is not a character device!" || true
+	fi
+	exit 1
+    fi
+}
+
+check_privsep_dir() {
+    # Create the PrivSep empty dir if necessary
+    if [ ! -d /var/run/sshd ]; then
+	mkdir /var/run/sshd
+	chmod 0755 /var/run/sshd
+    fi
+}
+
+check_config() {
+    if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
+	/usr/sbin/sshd $SSHD_OPTS -t || exit 1
+    fi
+}
+
+export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
+
+case "$1" in
+  start)
+	check_for_upstart 1
+	check_privsep_dir
+	check_for_no_start
+	check_dev_null
+	log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
+	if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+	    log_end_msg 0 || true
+	else
+	    log_end_msg 1 || true
+	fi
+	;;
+  stop)
+	check_for_upstart 0
+	log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" || true
+	if start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid; then
+	    log_end_msg 0 || true
+	else
+	    log_end_msg 1 || true
+	fi
+	;;
+
+  reload|force-reload)
+	check_for_upstart 1
+	check_for_no_start
+	check_config
+	log_daemon_msg "Reloading OpenBSD Secure Shell server's configuration" "sshd" || true
+	if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd; then
+	    log_end_msg 0 || true
+	else
+	    log_end_msg 1 || true
+	fi
+	;;
+
+  restart)
+	check_for_upstart 1
+	check_privsep_dir
+	check_config
+	log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
+	start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd.pid
+	check_for_no_start log_end_msg
+	check_dev_null log_end_msg
+	if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+	    log_end_msg 0 || true
+	else
+	    log_end_msg 1 || true
+	fi
+	;;
+
+  try-restart)
+	check_for_upstart 1
+	check_privsep_dir
+	check_config
+	log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
+	RET=0
+	start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/sshd.pid || RET="$?"
+	case $RET in
+	    0)
+		# old daemon stopped
+		check_for_no_start log_end_msg
+		check_dev_null log_end_msg
+		if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+		    log_end_msg 0 || true
+		else
+		    log_end_msg 1 || true
+		fi
+		;;
+	    1)
+		# daemon not running
+		log_progress_msg "(not running)" || true
+		log_end_msg 0 || true
+		;;
+	    *)
+		# failed to stop
+		log_progress_msg "(failed to stop)" || true
+		log_end_msg 1 || true
+		;;
+	esac
+	;;
+
+  status)
+	check_for_upstart 1
+	status_of_proc -p /var/run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $?
+	;;
+
+  *)
+	log_action_msg "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart|try-restart|status}" || true
+	exit 1
+esac
+
+exit 0

src/docker-images/init-container/install.sh

@@ -0,0 +1,8 @@
+cwd=`dirname $0`
+
+mkdir -p /etc/ssh
+cp $cwd/etc/* /etc/ssh
+cp $cwd/init.d/* /etc/init.d
+chmod +x /etc/init.d/ssh
+cp $cwd/default/* /etc/default
+cp -r $cwd/bin $cwd/sbin $cwd/lib $cwd/libexec /usr/

src/init-scripts/bootstrap.sh

@@ -1,6 +1,8 @@
 #! /bin/bash
 set -ex
 
+sh -x /dlts-runtime/ssh_build/install.sh
+
 SCRIPT_DIR=/pod/scripts
 
 echo bootstrap starts at `date` &>> ${LOG_DIR}/bootstrap.log

src/init-scripts/init_user.sh

@@ -9,7 +9,6 @@ export ENV_FILE=/pod.env
 
 # install required pkgs
 export DEBIAN_FRONTEND=noninteractive
-time apt-get update && time apt-get install sudo openssl -y
 
 # setup user and group, fix permissions
 addgroup --force-badname --gid  ${DLWS_GID} domainusers