che-incubator · vitaliy-guliy · Feb 8, 2024 · Feb 8, 2024 · Feb 9, 2024 · Feb 9, 2024
@@ -16,96 +16,96 @@ name: Pull Request Check
 on: [pull_request]
 
 jobs:
-  build:
-    name: build
-    runs-on: ubuntu-22.04
-    strategy:
-      fail-fast: false
-      matrix:
-        dist: [ 'musl', 'libc' ]
-        arch: ['amd64']
-    steps:
-
-      - name: Checkout che-code source code
-        uses: actions/checkout@v3
-
-      - name: Compile che-code
-        run: |
-          docker buildx build \
-            --platform linux/${{matrix.arch}} \
-            --progress=plain \
-            -f build/dockerfiles/linux-${{matrix.dist}}.Dockerfile \
-            -t linux-${{matrix.dist}}-${{matrix.arch}} .
-
-      - name: Upload image
-        uses: ishworkh/docker-image-artifact-upload@v1
-        with:
-          image: "linux-${{matrix.dist}}-${{matrix.arch}}"
-
-  assemble:
-    name: assemble
-    runs-on: ubuntu-22.04
-    needs: build
-    steps:
-
-      - name: Checkout che-code source code
-        uses: actions/checkout@v3
-
-      - name: Cleanup docker images
-        run: |
-          docker system prune -af
-
-      - name: Download linux-libc-amd64 image
-        uses: ishworkh/docker-image-artifact-download@v1
-        with:
-          image: "linux-libc-amd64"
-
-      - name: Download linux-musl-amd64 image
-        uses: ishworkh/docker-image-artifact-download@v1
-        with:
-          image: "linux-musl-amd64"
-
-      - name: Login to Quay.io
-        uses: docker/login-action@v2
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_PULL_REQUESTS_USERNAME }}
-          password: ${{ secrets.QUAY_PULL_REQUESTS_PASSWORD }}
-
-      - name: Display docker images
-        run: |
-          docker images
-
-      - name: Assemble che-code
-        run: |
-          PR_NUMBER="${{ github.event.number }}"
-          echo "Pull request $PR_NUMBER"
-
-          IMAGE_NAME="quay.io/che-incubator-pull-requests/che-code:pr-$PR_NUMBER-amd64"
-          echo "_IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
-
-          docker buildx build \
-            --platform linux/amd64 \
-            --progress=plain \
-            --push \
-            -f build/dockerfiles/assembly.Dockerfile \
-            -t ${IMAGE_NAME} .
-
-      - name: Display docker images (final)
-        run: |
-          docker images
-
-      - name: 'Comment PR'
-        uses: actions/github-script@v6
-        with:
-         script: |
-           const { repo: { owner, repo } } = context;
-           await github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: `Pull Request Che-Code image published:\n👉 [${process.env._IMAGE_NAME}](https://${process.env._IMAGE_NAME})`
-            })
+  # build:
+  #   name: build
+  #   runs-on: ubuntu-22.04
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       dist: [ 'musl', 'libc' ]
+  #       arch: ['amd64']
+  #   steps:
+
+  #     - name: Checkout che-code source code
+  #       uses: actions/checkout@v3
+
+  #     - name: Compile che-code
+  #       run: |
+  #         docker buildx build \
+  #           --platform linux/${{matrix.arch}} \
+  #           --progress=plain \
+  #           -f build/dockerfiles/linux-${{matrix.dist}}.Dockerfile \
+  #           -t linux-${{matrix.dist}}-${{matrix.arch}} .
+
+  #     - name: Upload image
+  #       uses: ishworkh/docker-image-artifact-upload@v1
+  #       with:
+  #         image: "linux-${{matrix.dist}}-${{matrix.arch}}"
+
+  # assemble:
+  #   name: assemble
+  #   runs-on: ubuntu-22.04
+  #   needs: build
+  #   steps:
+
+  #     - name: Checkout che-code source code
+  #       uses: actions/checkout@v3
+
+  #     - name: Cleanup docker images
+  #       run: |
+  #         docker system prune -af
+
+  #     - name: Download linux-libc-amd64 image
+  #       uses: ishworkh/docker-image-artifact-download@v1
+  #       with:
+  #         image: "linux-libc-amd64"
+
+  #     - name: Download linux-musl-amd64 image
+  #       uses: ishworkh/docker-image-artifact-download@v1
+  #       with:
+  #         image: "linux-musl-amd64"
+
+  #     - name: Login to Quay.io
+  #       uses: docker/login-action@v2
+  #       with:
+  #         registry: quay.io
+  #         username: ${{ secrets.QUAY_PULL_REQUESTS_USERNAME }}
+  #         password: ${{ secrets.QUAY_PULL_REQUESTS_PASSWORD }}
+
+  #     - name: Display docker images
+  #       run: |
+  #         docker images
+
+  #     - name: Assemble che-code
+  #       run: |
+  #         PR_NUMBER="${{ github.event.number }}"
+  #         echo "Pull request $PR_NUMBER"
+
+  #         IMAGE_NAME="quay.io/che-incubator-pull-requests/che-code:pr-$PR_NUMBER-amd64"
+  #         echo "_IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
+
+  #         docker buildx build \
+  #           --platform linux/amd64 \
+  #           --progress=plain \
+  #           --push \
+  #           -f build/dockerfiles/assembly.Dockerfile \
+  #           -t ${IMAGE_NAME} .
+
+  #     - name: Display docker images (final)
+  #       run: |
+  #         docker images
+
+  #     - name: 'Comment PR'
+  #       uses: actions/github-script@v6
+  #       with:
+  #        script: |
+  #          const { repo: { owner, repo } } = context;
+  #          await github.rest.issues.createComment({
+  #             issue_number: context.issue.number,
+  #             owner: context.repo.owner,
+  #             repo: context.repo.repo,
+  #             body: `Pull Request Che-Code image published:\n👉 [${process.env._IMAGE_NAME}](https://${process.env._IMAGE_NAME})`
+  #           })
 
   dev:
     name: dev
@@ -135,7 +135,7 @@ jobs:
             --platform linux/amd64 \
             --progress=plain \
             --push \
-            -f build/dockerfiles/dev.Dockerfile \
+            -f build/dockerfiles/dev.ssh.Dockerfile \
             -t ${DEV_IMAGE_NAME} .
 
       - name: Display docker images

@@ -0,0 +1,70 @@
+# Copyright (c) 2022 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+FROM quay.io/devfile/universal-developer-image:latest
+
+USER 0
+
+RUN dnf -y install libsecret openssh-server dropbear && \
+    dnf -y clean all --enablerepo='*'
+
+# Follow the sample https://www.golinuxcloud.com/run-sshd-as-non-root-user-without-sudo/
+
+# Step 1. Generate SSH Host keys
+
+RUN mkdir /opt/ssh
+
+RUN ssh-keygen -q -N "" -t dsa -f /opt/ssh/ssh_host_dsa_key && \
+    ssh-keygen -q -N "" -t rsa -b 4096 -f /opt/ssh/ssh_host_rsa_key && \
+    ssh-keygen -q -N "" -t ecdsa -f /opt/ssh/ssh_host_ecdsa_key && \
+    ssh-keygen -q -N "" -t ed25519 -f /opt/ssh/ssh_host_ed25519_key
+
+RUN ls -l /opt/ssh/
+
+# Step 2. Configure SSHH as non-root user
+
+RUN cp /etc/ssh/sshd_config /opt/ssh/
+
+# Use a non-privileged port
+RUN sed -i 's|#Port 22|Port 2022|' /opt/ssh/sshd_config
+
+# provide the new path containing these host keys
+RUN sed -i 's|HostKey /etc/ssh/ssh_host_rsa_key|HostKey /opt/ssh/ssh_host_rsa_key|' /opt/ssh/sshd_config
+RUN sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|HostKey /opt/ssh/ssh_host_ecdsa_key|' /opt/ssh/sshd_config
+RUN sed -i 's|HostKey /etc/ssh/ssh_host_ed25519_key|HostKey /opt/ssh/ssh_host_ed25519_key|' /opt/ssh/sshd_config
+
+RUN sed -i 's|#PubkeyAuthentication yes|PubkeyAuthentication yes|' /opt/ssh/sshd_config
+RUN sed -i 's|AuthorizedKeysFile	.ssh/authorized_keys|AuthorizedKeysFile /home/user/ssh/authorized_keys|' /opt/ssh/sshd_config
+
+# Enable DEBUG log. You can ignore this but this may help you debug any issue while enabling SSHD for the first time
+RUN sed -i 's|#LogLevel INFO|LogLevel DEBUG3|' /opt/ssh/sshd_config
+
+RUN sed -i 's|#StrictModes yes|StrictModes=no|' /opt/ssh/sshd_config
+
+
+# Provide a path to store PID file which is accessible by normal user for write purpose
+RUN sed -i 's|#PidFile /var/run/sshd.pid|PidFile /opt/ssh/sshd.pid|' /opt/ssh/sshd_config
+
+RUN echo "account include base-account" > /etc/pam.d/sshd.pam
+
+
+# Add script to start and stop the service
+COPY --chown=0:0 /build/sshd.start /
+COPY --chown=0:0 /build/sshd.connect /
+
+
+# Step 4. Fix permissions
+RUN chmod 644 /opt/ssh/*
+RUN chmod 664 /opt/ssh/sshd_config
+RUN chown -R user:root /opt/ssh/
+
+RUN chmod 774 /opt/ssh
+
+EXPOSE 2022
+
+USER 10001
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+rm -rf /home/user/.ssh
+mkdir -p /home/user/.ssh
+
+ssh -l user -p 2022 -i /home/user/ssh/host_ed25519_key 127.0.0.1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# should prepare ssh keys
+rm -rf /home/user/ssh
+mkdir -p /home/user/ssh
+ssh-keygen -q -N "" -t ed25519 -f /home/user/ssh/host_ed25519_key
+cp /home/user/ssh/host_ed25519_key.pub /home/user/ssh/authorized_keys
+
+# start
+/usr/sbin/sshd -D -f /opt/ssh/sshd_config -E /tmp/sshd.log
+
+# stop
+# /usr/sbin/sshd -t -f /opt/ssh/sshd_config -E /tmp/sshd.log
@@ -0,0 +1,45 @@
+#
+# Copyright (c) 2022 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+schemaVersion: 2.1.0
+metadata:
+  name: ssh-test
+
+projects:
+  - name: recommended-extensions-sample
+    git:
+      remotes:
+        origin: https://github.com/vitaliy-guliy/recommended-extensions-sample
+      checkoutFrom:
+        revision: master
+
+components:
+
+  - name: dev
+    container:
+      image: quay.io/che-incubator-pull-requests/che-code-dev:pr-327-dev-amd64
+      memoryLimit: 8Gi
+      memoryRequest: 512Mi
+      cpuRequest: 500m
+      cpuLimit: 3500m
+      endpoints:
+        - exposure: public
+          name: dev
+          secure: true
+          protocol: http
+          targetPort: 8000
+
+        - exposure: public
+          name: sshd
+          targetPort: 2022
+          protocol: tcp
+
+  - name: projects
+    volume:
+      size: 7Gi
@@ -10,6 +10,7 @@
 schemaVersion: 2.1.0
 metadata:
   name: che-code
+
 components:
 
   - name: dev