Unify and fix rootless key setup

For some reason, ssh-keygen is unable to write to /root even as root on
AlmaLinux 8:

	# id
	uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
	# id -Z
	ls -ld /root
	# ssh-keygen -t ecdsa -N "" -f /root/rootless.key || cat /var/log/audit/audit.log
	Saving key "/root/rootless.key" failed: Permission denied

The audit.log shows:

> type=AVC msg=audit(1744834995.352:546): avc:  denied  { dac_override } for  pid=13471 comm="ssh-keygen" capability=1  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability permissive=0
> type=SYSCALL msg=audit(1744834995.352:546): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641c7587520 a2=241 a3=180 items=0 ppid=4978 pid=13471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)␝ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

A workaround is to use /root/.ssh directory instead of just /root.

While at it, let's unify rootless user and key setup into a single place.

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit 87ae2f8)
Signed-off-by: Kir Kolyshkin <[email protected]>

Author: kolyshkin

.cirrus.yml

@@ -71,14 +71,8 @@ task:
     git checkout $BATS_VERSION
     ./install.sh /usr/local
     cd -
-    # Add a user for rootless tests
-    useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
-    # Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
-    ssh-keygen -t ecdsa -N "" -f /root/rootless.key
-    mkdir -m 0700 -p /home/rootless/.ssh
-    cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
-    cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
-    chown -R rootless.rootless /home/rootless
+    # Setup rootless tests.
+    /home/runc/script/setup_rootless.sh
     # set PATH
     echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc
     # Setup ssh localhost for terminal emulation (script -e did not work)

.github/workflows/test.yml

@@ -159,13 +159,7 @@ jobs:
     - name: add rootless user
       if: matrix.rootless == 'rootless'
       run: |
-        sudo useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
-        # Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
-        ssh-keygen -t ecdsa -N "" -f $HOME/rootless.key
-        sudo mkdir -m 0700 -p /home/rootless/.ssh
-        sudo cp $HOME/rootless.key /home/rootless/.ssh/id_ecdsa
-        sudo cp $HOME/rootless.key.pub /home/rootless/.ssh/authorized_keys
-        sudo chown -R rootless.rootless /home/rootless
+        ./script/setup_rootless.sh
         sudo chmod a+X $HOME # for Ubuntu 22.04 and later
 
     - name: integration test (fs driver)

script/setup_host_fedora.sh

@@ -12,15 +12,8 @@ dnf clean all
 # To avoid "avc: denied { nosuid_transition }" from SELinux as we run tests on /tmp.
 mount -o remount,suid /tmp
 
-# Add a user for rootless tests
-useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
-
-# Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
-ssh-keygen -t ecdsa -N "" -f /root/rootless.key
-mkdir -m 0700 /home/rootless/.ssh
-cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
-cat /root/rootless.key.pub >>/home/rootless/.ssh/authorized_keys
-chown -R rootless.rootless /home/rootless
+# Setup rootless user.
+"$(dirname "${BASH_SOURCE[0]}")"/setup_rootless.sh
 
 # Delegate cgroup v2 controllers to rootless user via --systemd-cgroup
 mkdir -p /etc/systemd/system/[email protected]

script/setup_rootless.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+set -eux -o pipefail
+
+# Add a user for rootless tests.
+sudo useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
+
+# Allow both the current user and rootless itself to use
+# ssh rootless@localhost in tests/rootless.sh.
+# shellcheck disable=SC2174 # Silence "-m only applies to the deepest directory".
+mkdir -p -m 0700 "$HOME/.ssh"
+ssh-keygen -t ecdsa -N "" -f "$HOME/.ssh/rootless.key"
+sudo mkdir -p -m 0700 /home/rootless/.ssh
+sudo cp "$HOME/.ssh/rootless.key" /home/rootless/.ssh/id_ecdsa
+sudo cp "$HOME/.ssh/rootless.key.pub" /home/rootless/.ssh/authorized_keys
+sudo chown -R rootless.rootless /home/rootless

tests/rootless.sh

@@ -185,7 +185,7 @@ for enabled_features in $features_powerset; do
 		# We use `ssh rootless@localhost` instead of `sudo -u rootless` for creating systemd user session.
 		# Alternatively we could use `machinectl shell`, but it is known not to work well on SELinux-enabled hosts as of April 2020:
 		# https://bugzilla.redhat.com/show_bug.cgi?id=1788616
-		ssh -t -t -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i "$HOME/rootless.key" rootless@localhost -- PATH="$PATH" RUNC_USE_SYSTEMD="$RUNC_USE_SYSTEMD" bats -t "$ROOT/tests/integration$ROOTLESS_TESTPATH"
+		ssh -t -t -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i "$HOME/.ssh/rootless.key" rootless@localhost -- PATH="$PATH" RUNC_USE_SYSTEMD="$RUNC_USE_SYSTEMD" bats -t "$ROOT/tests/integration$ROOTLESS_TESTPATH"
 	else
 		sudo -HE -u rootless PATH="$PATH" "$(which bats)" -t "$ROOT/tests/integration$ROOTLESS_TESTPATH"
 	fi