diff --git a/phala-cloud-prelaunch-script/prelaunch.sh b/phala-cloud-prelaunch-script/prelaunch.sh index b61190f..6ae8c92 100644 --- a/phala-cloud-prelaunch-script/prelaunch.sh +++ b/phala-cloud-prelaunch-script/prelaunch.sh @@ -1,6 +1,6 @@ #!/bin/bash echo "----------------------------------------------" -echo "Running Phala Cloud Pre-Launch Script v0.0.11" +echo "Running Phala Cloud Pre-Launch Script v0.0.12" echo "----------------------------------------------" set -e @@ -138,50 +138,95 @@ perform_cleanup # # Set root password. # -if [ -n "$DSTACK_ROOT_PASSWORD" ]; then - echo "$DSTACK_ROOT_PASSWORD" | passwd --stdin root 2>/dev/null \ - || printf '%s\n%s\n' "$DSTACK_ROOT_PASSWORD" "$DSTACK_ROOT_PASSWORD" | passwd root - unset DSTACK_ROOT_PASSWORD - echo "Root password set/updated from DSTACK_ROOT_PASSWORD" - -elif [ -z "$(grep '^root:' /etc/shadow 2>/dev/null | cut -d: -f2)" ]; then - DSTACK_ROOT_PASSWORD=$( - dd if=/dev/urandom bs=32 count=1 2>/dev/null \ - | sha256sum \ - | awk '{print $1}' \ - | cut -c1-32 - ) - echo "$DSTACK_ROOT_PASSWORD" | passwd --stdin root 2>/dev/null \ - || printf '%s\n%s\n' "$DSTACK_ROOT_PASSWORD" "$DSTACK_ROOT_PASSWORD" | passwd root - unset DSTACK_ROOT_PASSWORD - echo "Root password set (random auto-init)" +echo "Setting root password.." -else - echo "Root password already set; no changes." +# Check if password files are writable +PASSWD_WRITABLE=true +if [ ! -w /etc/passwd ]; then + echo "Warning: /etc/passwd is read-only" + PASSWD_WRITABLE=false fi - -mkdir -p /home/root/.ssh -if [[ -n "$DSTACK_ROOT_PUBLIC_KEY" ]]; then - echo "$DSTACK_ROOT_PUBLIC_KEY" > /home/root/.ssh/authorized_keys - unset $DSTACK_ROOT_PUBLIC_KEY - echo "Root public key set" +if [ ! -w /etc/shadow ]; then + echo "Warning: /etc/shadow is read-only" + PASSWD_WRITABLE=false fi -if [[ -n "$DSTACK_AUTHORIZED_KEYS" ]]; then - echo "$DSTACK_AUTHORIZED_KEYS" > /home/root/.ssh/authorized_keys - unset $DSTACK_AUTHORIZED_KEYS - echo "Root authorized_keys set" + +if [ "$PASSWD_WRITABLE" = "false" ]; then + echo "Skipping password setup due to read-only file system" +else + # Check if chpasswd is available + if command -v chpasswd >/dev/null 2>&1; then + echo "Using chpasswd method" + + if [ -n "$DSTACK_ROOT_PASSWORD" ]; then + echo "Setting root password from user.." + echo "root:$DSTACK_ROOT_PASSWORD" | chpasswd + unset DSTACK_ROOT_PASSWORD + echo "Root password set/updated from DSTACK_ROOT_PASSWORD" + elif [ -z "$(grep '^root:' /etc/shadow 2>/dev/null | cut -d: -f2)" ]; then + echo "Setting random root password.." + DSTACK_ROOT_PASSWORD=$( + LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | dd bs=1 count=32 2>/dev/null + ) + echo "root:$DSTACK_ROOT_PASSWORD" | chpasswd + unset DSTACK_ROOT_PASSWORD + echo "Root password set (random auto-init)" + else + echo "Root password already set; no changes." + fi + else + echo "Using passwd method" + + if [ -n "$DSTACK_ROOT_PASSWORD" ]; then + echo "Setting root password from user.." + echo "$DSTACK_ROOT_PASSWORD" | passwd --stdin root 2>/dev/null \ + || printf '%s\n%s\n' "$DSTACK_ROOT_PASSWORD" "$DSTACK_ROOT_PASSWORD" | passwd root + unset DSTACK_ROOT_PASSWORD + echo "Root password set/updated from DSTACK_ROOT_PASSWORD" + elif [ -z "$(grep '^root:' /etc/shadow 2>/dev/null | cut -d: -f2)" ]; then + echo "Setting random root password.." + DSTACK_ROOT_PASSWORD=$( + LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | dd bs=1 count=32 2>/dev/null + ) + echo "$DSTACK_ROOT_PASSWORD" | passwd --stdin root 2>/dev/null \ + || printf '%s\n%s\n' "$DSTACK_ROOT_PASSWORD" "$DSTACK_ROOT_PASSWORD" | passwd root + unset DSTACK_ROOT_PASSWORD + echo "Root password set (random auto-init)" + else + echo "Root password already set; no changes." + fi + fi fi -if [[ -f /dstack/user_config ]] && jq empty /dstack/user_config 2>/dev/null; then - if [[ $(jq 'has("ssh_authorized_keys")' /dstack/user_config 2>/dev/null) == "true" ]]; then - jq -j '.ssh_authorized_keys' /dstack/user_config >> /home/root/.ssh/authorized_keys - # Remove duplicates if there are multiple keys - if [[ $(cat /home/root/.ssh/authorized_keys | wc -l) -gt 1 ]]; then - sort -u /home/root/.ssh/authorized_keys > /home/root/.ssh/authorized_keys.tmp - mv /home/root/.ssh/authorized_keys.tmp /home/root/.ssh/authorized_keys +# +# Set SSH authorized keys +# +if mkdir -p /home/root/.ssh 2>/dev/null; then + if [[ -n "$DSTACK_ROOT_PUBLIC_KEY" ]]; then + echo "$DSTACK_ROOT_PUBLIC_KEY" > /home/root/.ssh/authorized_keys + unset $DSTACK_ROOT_PUBLIC_KEY + echo "Root public key set" + fi + if [[ -n "$DSTACK_AUTHORIZED_KEYS" ]]; then + echo "$DSTACK_AUTHORIZED_KEYS" > /home/root/.ssh/authorized_keys + unset $DSTACK_AUTHORIZED_KEYS + echo "Root authorized_keys set" + fi + + if [[ -f /dstack/user_config ]] && jq empty /dstack/user_config 2>/dev/null; then + if [[ $(jq 'has("ssh_authorized_keys")' /dstack/user_config 2>/dev/null) == "true" ]]; then + jq -j '.ssh_authorized_keys' /dstack/user_config >> /home/root/.ssh/authorized_keys + # Remove duplicates if there are multiple keys + if [[ $(cat /home/root/.ssh/authorized_keys | wc -l) -gt 1 ]]; then + sort -u /home/root/.ssh/authorized_keys > /home/root/.ssh/authorized_keys.tmp + mv /home/root/.ssh/authorized_keys.tmp /home/root/.ssh/authorized_keys + fi + echo "Set root authorized_keys from user preferences, total" $(cat /home/root/.ssh/authorized_keys | wc -l) "keys" fi - echo "Set root authorized_keys from user preferences, total" $(cat /home/root/.ssh/authorized_keys | wc -l) "keys" fi +else + echo "Warning: Cannot create /home/root/.ssh directory (read-only file system?)" + echo "Skipping SSH key setup" fi if [[ -S /var/run/dstack.sock ]]; then