From 3b85afeef64ee8181be58a58d1a0df7f059b46fe Mon Sep 17 00:00:00 2001 From: Dominik Wombacher Date: Sun, 5 May 2024 09:04:15 +0000 Subject: [PATCH 1/8] feat: Packit dist-git onboarding --- .packit.yaml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .packit.yaml diff --git a/.packit.yaml b/.packit.yaml new file mode 100644 index 0000000..260ee28 --- /dev/null +++ b/.packit.yaml @@ -0,0 +1,39 @@ +# See the documentation for more information: +# https://packit.dev/docs/configuration/ + +upstream_project_url: https://github.com/aws/aws-ec2-instance-connect-config +upstream_package_name: aws-ec2-instance-connect-config +downstream_package_name: ec2-instance-connect + +jobs: + - job: pull_from_upstream + trigger: release + # Keeping dist-git branches non-divergent + # Requirs manual local merge from rawhide to stable release branches + # https://packit.dev/docs/fedora-releases-guide#keeping-dist-git-branches-non-divergent + dist_git_branches: + - fedora-rawhide + + - job: koji_build + trigger: commit + allowed_pr_authors: + - packit + - all_admins + - all_committers + - @cloud-sig + allowed_committers: + - all_admins + - all_committers + - @cloud-sig + dist_git_branches: + - fedora-all + + - job: bodhi_update + trigger: commit + allowed_builders: + - packit + - all_admins + - all_committers + - @cloud-sig + dist_git_branches: + - fedora-branched # rawhide updates are created automatically From 372beca14de2a8c62609634a640d77635bcbf969 Mon Sep 17 00:00:00 2001 From: Dominik Wombacher Date: Sun, 5 May 2024 09:32:21 +0000 Subject: [PATCH 2/8] fix: ec2-instance-connect.fc was dropped during initial package import --- .gitignore | 1 - ec2-instance-connect.fc | 0 sources | 1 - 3 files changed, 2 deletions(-) create mode 100644 ec2-instance-connect.fc diff --git a/.gitignore b/.gitignore index 0415758..6a8098c 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,2 +1 @@ /aws-ec2-instance-connect-config-1.1.17.tar.gz -/ec2-instance-connect.fc diff --git a/ec2-instance-connect.fc b/ec2-instance-connect.fc new file mode 100644 index 0000000..e69de29 diff --git a/sources b/sources index febfcc6..858abe0 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ SHA512 (aws-ec2-instance-connect-config-1.1.17.tar.gz) = f3cb3f80a302844aff25b34aad494197ee4c435d93b3727736241b8c29dbe976ed30dee178288f08a11940d2b2d564b5a5c95df7bbdb2626b06c790bec2651ba -SHA512 (ec2-instance-connect.fc) = cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e From 89afc21822f4e4f99b1e460c72e41a73d58161b2 Mon Sep 17 00:00:00 2001 From: Dominik Wombacher Date: Mon, 6 May 2024 12:42:09 +0000 Subject: [PATCH 3/8] fix: Packit config, parse error because of missing quotes --- .packit.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.packit.yaml b/.packit.yaml index 260ee28..2dda719 100644 --- a/.packit.yaml +++ b/.packit.yaml @@ -20,11 +20,11 @@ jobs: - packit - all_admins - all_committers - - @cloud-sig + - '@cloud-sig' # string with @ needs quotes to be valid yaml allowed_committers: - all_admins - all_committers - - @cloud-sig + - '@cloud-sig' # string with @ needs quotes to be valid yaml dist_git_branches: - fedora-all @@ -34,6 +34,6 @@ jobs: - packit - all_admins - all_committers - - @cloud-sig + - '@cloud-sig' # string with @ needs quotes to be valid yaml dist_git_branches: - fedora-branched # rawhide updates are created automatically From 28926596bdfa8c9479eef486a6db4e81ce48e74d Mon Sep 17 00:00:00 2001 From: Dominik Wombacher Date: Mon, 6 May 2024 13:35:51 +0000 Subject: [PATCH 4/8] feat: Add EPEL repos to Packit config --- .packit.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.packit.yaml b/.packit.yaml index 2dda719..d48a7e9 100644 --- a/.packit.yaml +++ b/.packit.yaml 
@@ -27,6 +27,7 @@ jobs: - '@cloud-sig' # string with @ needs quotes to be valid yaml dist_git_branches: - fedora-all + - epel-all - job: bodhi_update trigger: commit @@ -37,3 +38,4 @@ jobs: - '@cloud-sig' # string with @ needs quotes to be valid yaml dist_git_branches: - fedora-branched # rawhide updates are created automatically + - epel-all From 61ecf024fbc0a47fbb43eb9337bc734d00ca2eef Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 17 Jul 2024 21:40:44 +0000 Subject: [PATCH 5/8] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- ec2-instance-connect.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ec2-instance-connect.spec b/ec2-instance-connect.spec index f28d149..6fcfc42 100644 --- a/ec2-instance-connect.spec +++ b/ec2-instance-connect.spec @@ -5,7 +5,7 @@ Name: ec2-instance-connect Summary: EC2 Instance Connect scripts Version: 1.1.17 -Release: 1%{?dist} +Release: 2%{?dist} License: Apache-2.0 URL: https://github.com/aws/%{project} @@ -151,6 +151,9 @@ fi %changelog +* Wed Jul 17 2024 Fedora Release Engineering - 1.1.17-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Fri May 03 2024 Dominik Wombacher 1.1.17-1 - Initial package - Fix: Update curl command to not fail silently on HTTP server error. From 841a8c6eddfa1abc5bec00a2ef3f02b452b9a14e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 16:35:17 +0000 Subject: [PATCH 6/8] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- ec2-instance-connect.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ec2-instance-connect.spec b/ec2-instance-connect.spec index 6fcfc42..18065c4 100644 --- a/ec2-instance-connect.spec +++ b/ec2-instance-connect.spec @@ -5,7 +5,7 @@ Name: ec2-instance-connect Summary: EC2 Instance Connect scripts Version: 1.1.17 -Release: 2%{?dist} +Release: 3%{?dist} License: Apache-2.0 URL: https://github.com/aws/%{project} 
@@ -151,6 +151,9 @@ fi %changelog +* Thu Jan 16 2025 Fedora Release Engineering - 1.1.17-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Wed Jul 17 2024 Fedora Release Engineering - 1.1.17-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 17387736e1c35a17e7d16dfc7065e26051d2a9da Mon Sep 17 00:00:00 2001 From: Maxwell G Date: Wed, 9 Jul 2025 22:11:55 -0500 Subject: [PATCH 7/8] Orphaned for 6+ weeks --- .gitignore | 1 - .packit.yaml | 41 ----- ...and-to-not-fail-silently-on-HTTP-ser.patch | 25 --- README.md | 3 - dead.package | 1 + ec2-instance-connect.conf | 3 - ec2-instance-connect.fc | 0 ec2-instance-connect.if | 1 - ec2-instance-connect.spec | 162 ------------------ ec2-instance-connect.sysusers | 2 - ec2-instance-connect.te | 18 -- sources | 1 - 12 files changed, 1 insertion(+), 257 deletions(-) delete mode 100644 .gitignore delete mode 100644 .packit.yaml delete mode 100644 0001-Update-curl-command-to-not-fail-silently-on-HTTP-ser.patch delete mode 100644 README.md create mode 100644 dead.package delete mode 100644 ec2-instance-connect.conf delete mode 100644 ec2-instance-connect.fc delete mode 100644 ec2-instance-connect.if delete mode 100644 ec2-instance-connect.spec delete mode 100644 ec2-instance-connect.sysusers delete mode 100644 ec2-instance-connect.te delete mode 100644 sources diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 6a8098c..0000000 --- a/.gitignore +++ /dev/null @@ -1 +0,0 @@ -/aws-ec2-instance-connect-config-1.1.17.tar.gz diff --git a/.packit.yaml b/.packit.yaml deleted file mode 100644 index d48a7e9..0000000 --- a/.packit.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# See the documentation for more information: -# https://packit.dev/docs/configuration/ - -upstream_project_url: https://github.com/aws/aws-ec2-instance-connect-config -upstream_package_name: aws-ec2-instance-connect-config -downstream_package_name: ec2-instance-connect - -jobs: - - job: pull_from_upstream - trigger: release - # Keeping dist-git branches non-divergent - # Requirs manual local merge from rawhide to stable release branches - # https://packit.dev/docs/fedora-releases-guide#keeping-dist-git-branches-non-divergent - dist_git_branches: - - fedora-rawhide - - - job: koji_build - trigger: commit - allowed_pr_authors: - - packit - - all_admins - - all_committers - - '@cloud-sig' # string with @ needs quotes to be valid yaml - allowed_committers: - - all_admins - - all_committers - - '@cloud-sig' # string with @ needs quotes to be valid yaml - dist_git_branches: - - fedora-all - - epel-all - - - job: bodhi_update - trigger: commit - allowed_builders: - - packit - - all_admins - - all_committers - - '@cloud-sig' # string with @ needs quotes to be valid yaml - dist_git_branches: - - fedora-branched # rawhide updates are created automatically - - epel-all diff --git a/0001-Update-curl-command-to-not-fail-silently-on-HTTP-ser.patch b/0001-Update-curl-command-to-not-fail-silently-on-HTTP-ser.patch deleted file mode 100644 index 9b42cfe..0000000 --- a/0001-Update-curl-command-to-not-fail-silently-on-HTTP-ser.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 086f148e3e2c34759ecf203f6b13a4d726572975 Mon Sep 17 00:00:00 2001 -From: "Author: Vishrutha Konappa Reddy" -Date: Thu, 9 Jun 2022 19:55:47 -0400 -Subject: [PATCH] Update curl command to not fail silently on HTTP server error - ---- - src/bin/eic_curl_authorized_keys | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/bin/eic_curl_authorized_keys b/src/bin/eic_curl_authorized_keys -index 667ec7a..25e0a8e 100755 ---- a/src/bin/eic_curl_authorized_keys -+++ b/src/bin/eic_curl_authorized_keys -@@ -87,7 +87,7 @@ if [ "${id_exit}" -ne 0 ] ; then - fi - - # Verify that we have active keys. Fast-exit if we do not. --keys_status="$(/usr/bin/curl -s -f -m 1 -H "${IMDS_TOKEN_HEADER}" -o /dev/null -I -w %{http_code} "${IMDS}/managed-ssh-keys/active-keys/${1}/")" -+keys_status="$(/usr/bin/curl -s -m 1 -H "${IMDS_TOKEN_HEADER}" -o /dev/null -I -w %{http_code} "${IMDS}/managed-ssh-keys/active-keys/${1}/")" - if [ "${keys_status}" != "200" ] - then - # No keys for this user. Nothing to do. --- -2.44.0 - diff --git a/README.md b/README.md deleted file mode 100644 index 7353dee..0000000 --- a/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# ec2-instance-connect - -The ec2-instance-connect package diff --git a/dead.package b/dead.package new file mode 100644 index 0000000..5204a84 --- /dev/null +++ b/dead.package @@ -0,0 +1 @@ +Orphaned for 6+ weeks diff --git a/ec2-instance-connect.conf b/ec2-instance-connect.conf deleted file mode 100644 index 876168d..0000000 --- a/ec2-instance-connect.conf +++ /dev/null @@ -1,3 +0,0 @@ -[Service] -ExecStart= -ExecStart=/usr/sbin/sshd -D -o "AuthorizedKeysCommand /usr/bin/eic_run_authorized_keys %%u %%f" -o "AuthorizedKeysCommandUser ec2-instance-connect" $SSHD_OPTS diff --git a/ec2-instance-connect.fc b/ec2-instance-connect.fc deleted file mode 100644 index e69de29..0000000 diff --git a/ec2-instance-connect.if b/ec2-instance-connect.if deleted file mode 100644 index 3eb6a30..0000000 
--- a/ec2-instance-connect.if
+++ /dev/null
@@ -1 +0,0 @@
-##
diff --git a/ec2-instance-connect.spec b/ec2-instance-connect.spec
deleted file mode 100644
index 18065c4..0000000
--- a/ec2-instance-connect.spec
+++ /dev/null
@@ -1,162 +0,0 @@ -%global project aws-ec2-instance-connect-config -%global modulename ec2-instance-connect -%global selinuxtype targeted - -Name: ec2-instance-connect -Summary: EC2 Instance Connect scripts -Version: 1.1.17 -Release: 3%{?dist} - -License: Apache-2.0 -URL: https://github.com/aws/%{project} -Source0: https://github.com/aws/%{project}/archive/%{version}/%{project}-%{version}.tar.gz -# SELinux Policy -Source1: %{modulename}.te -Source2: %{modulename}.if -Source3: %{modulename}.fc -# User definition -Source4: %{modulename}.sysusers -# Systemd drop-in file -Source5: %{modulename}.conf - -# Mentioned as v1.1.18 fix in upstream .spec but never released. Backport till upstream releases >1.1.17 -Patch1: 0001-Update-curl-command-to-not-fail-silently-on-HTTP-ser.patch - -BuildArch: noarch - -BuildRequires: systemd-rpm-macros -%{?sysusers_requires_compat} - -Requires: openssh >= 6.9.0 -Requires: coreutils -Requires: openssh-server >= 6.9.0 -Requires: openssl -Requires: curl -Requires: systemd - -Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) -Recommends: %{name}-config - -%description -This package contains the EC2 instance configuration and -scripts necessary to enable AWS EC2 Instance Connect. 
- - -# SELinux subpackage -%package selinux -Summary: ec2-instance-connect SELinux policy -BuildArch: noarch -Requires: selinux-policy-%{selinuxtype} -Requires: ec2-instance-connect -Requires(post): selinux-policy-%{selinuxtype} -BuildRequires: selinux-policy-devel -%{?selinux_requires} - -%description selinux -Custom SELinux policy module for ec2-instance-connect - - -# Configuration subpackage -%package config -Summary: ec2-instance-connect configuration -BuildArch: noarch -Requires: ec2-instance-connect -BuildRequires: systemd-rpm-macros -%{?systemd_requires} - -%description config -Systemd drop-in for sshd.service to set ec2-instance-connect -specific AuthorizedKeysCommand and AuthorizedKeysCommandUser - - -%prep -%autosetup -p1 -n %{project}-%{version} - - -%build -# SELinux policy (originally from selinux-policy-contrib) -# this policy module will override the production module -mkdir selinux -cp -p %{SOURCE1} selinux/ -cp -p %{SOURCE2} selinux/ -cp -p %{SOURCE3} selinux/ - -make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp -bzip2 -9 %{modulename}.pp - - -%install -mkdir -p %{buildroot}/%{_bindir} -install -p -m 755 "%{_builddir}/%{project}-%{version}/src/bin/eic_run_authorized_keys" %{buildroot}/%{_bindir} -install -p -m 755 "%{_builddir}/%{project}-%{version}/src/bin/eic_curl_authorized_keys" %{buildroot}/%{_bindir} -install -p -m 755 "%{_builddir}/%{project}-%{version}/src/bin/eic_parse_authorized_keys" %{buildroot}/%{_bindir} - -install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 -install -D -p -m 0644 selinux/%{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{modulename}.if - -install -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/%{modulename}.conf - -install -p -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/sshd.service.d/%{modulename}.conf - - -# SELinux contexts are saved so that only affected files can be -# relabeled after the policy module 
installation -%pre selinux -%selinux_relabel_pre -s %{selinuxtype} - -%post selinux -%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 - -%postun selinux -if [ $1 -eq 0 ]; then - %selinux_modules_uninstall -s %{selinuxtype} %{modulename} -fi - -%posttrans selinux -%selinux_relabel_post -s %{selinuxtype} - -%files selinux -%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* -%{_datadir}/selinux/devel/include/distributed/%{modulename}.if -%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} - - -%post config -%systemd_post sshd.service - -%preun config -%systemd_preun sshd.service - -%postun config -%systemd_postun_with_restart sshd.service - - -%files config -%{_unitdir}/sshd.service.d/%{modulename}.conf - - -%files -%doc README.md CONTRIBUTING.md CODE_OF_CONDUCT.md -%license LICENSE NOTICE - -%attr(0755,root,root) %{_bindir}/eic_run_authorized_keys -%attr(0755,root,root) %{_bindir}/eic_curl_authorized_keys -%attr(0755,root,root) %{_bindir}/eic_parse_authorized_keys - -%{_sysusersdir}/%{modulename}.conf - - -%pre -%sysusers_create_compat %{SOURCE4} - - -%changelog -* Thu Jan 16 2025 Fedora Release Engineering - 1.1.17-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Wed Jul 17 2024 Fedora Release Engineering - 1.1.17-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Fri May 03 2024 Dominik Wombacher 1.1.17-1 -- Initial package -- Fix: Update curl command to not fail silently on HTTP server error. diff --git a/ec2-instance-connect.sysusers b/ec2-instance-connect.sysusers deleted file mode 100644 index 14bd4e4..0000000 --- a/ec2-instance-connect.sysusers +++ /dev/null @@ -1,2 +0,0 @@ -#Type Name ID GECOS Home directory Shell -u ec2-instance-connect - "EC2 Instance Connect service user" - /sbin/nologin 
diff --git a/ec2-instance-connect.te b/ec2-instance-connect.te
deleted file mode 100644
index e50be29..0000000
--- a/ec2-instance-connect.te
+++ /dev/null
@@ -1,18 +0,0 @@
-
-module ec2-instance-connect 1.0;
-
-require {
- type ssh_keygen_exec_t;
- type sshd_t;
- type http_port_t;
- class file { execute execute_no_trans open read };
- class process setpgid;
- class tcp_socket name_connect;
- class file map;
-}
-
-#============= sshd_t ==============
-allow sshd_t http_port_t:tcp_socket name_connect;
-allow sshd_t self:process setpgid;
-allow sshd_t ssh_keygen_exec_t:file { execute execute_no_trans open read };
-allow sshd_t ssh_keygen_exec_t:file map;
diff --git a/sources b/sources
deleted file mode 100644
index 858abe0..0000000
--- a/sources
+++ /dev/null
@@ -1 +0,0 @@
-SHA512 (aws-ec2-instance-connect-config-1.1.17.tar.gz) = f3cb3f80a302844aff25b34aad494197ee4c435d93b3727736241b8c29dbe976ed30dee178288f08a11940d2b2d564b5a5c95df7bbdb2626b06c790bec2651ba
From 57dde6752a2a595e33e0e4a8cd00f899017dde05 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering Date: Wed, 23 Jul 2025 18:49:58 +0000 Subject: [PATCH 8/8] Unretire package: ec2-instance-connect on rawhide Reverts retirement commit 17387736e1c35a17e7d16dfc7065e26051d2a9da Releng issue: https://pagure.io/releng/issue/12836 --- .gitignore | 1 + .packit.yaml | 41 +++++ ...and-to-not-fail-silently-on-HTTP-ser.patch | 25 +++ README.md | 3 + dead.package | 1 - ec2-instance-connect.conf | 3 + ec2-instance-connect.fc | 0 ec2-instance-connect.if | 1 + ec2-instance-connect.spec | 162 ++++++++++++++++++ ec2-instance-connect.sysusers | 2 + ec2-instance-connect.te | 18 ++ sources | 1 + 12 files changed, 257 insertions(+), 1 deletion(-) create mode 100644 .gitignore create mode 100644 .packit.yaml create mode 100644 0001-Update-curl-command-to-not-fail-silently-on-HTTP-ser.patch create mode 100644 README.md delete mode 100644 dead.package create mode 100644 ec2-instance-connect.conf create mode 100644 ec2-instance-connect.fc create mode 100644 ec2-instance-connect.if create mode 100644 ec2-instance-connect.spec create mode 100644 ec2-instance-connect.sysusers create mode 100644 ec2-instance-connect.te create mode 100644 sources diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..6a8098c --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/aws-ec2-instance-connect-config-1.1.17.tar.gz diff --git a/.packit.yaml b/.packit.yaml new file mode 100644 index 0000000..d48a7e9 --- /dev/null +++ b/.packit.yaml 
@@ -0,0 +1,41 @@ +# See the documentation for more information: +# https://packit.dev/docs/configuration/ + +upstream_project_url: https://github.com/aws/aws-ec2-instance-connect-config +upstream_package_name: aws-ec2-instance-connect-config +downstream_package_name: ec2-instance-connect + +jobs: + - job: pull_from_upstream + trigger: release + # Keeping dist-git branches non-divergent + # Requirs manual local merge from rawhide to stable release branches + # https://packit.dev/docs/fedora-releases-guide#keeping-dist-git-branches-non-divergent + dist_git_branches: + - fedora-rawhide + + - job: koji_build + trigger: commit + allowed_pr_authors: + - packit + - all_admins + - all_committers + - '@cloud-sig' # string with @ needs quotes to be valid yaml + allowed_committers: + - all_admins + - all_committers + - '@cloud-sig' # string with @ needs quotes to be valid yaml + dist_git_branches: + - fedora-all + - epel-all + + - job: bodhi_update + trigger: commit + allowed_builders: + - packit + - all_admins + - all_committers + - '@cloud-sig' # string with @ needs quotes to be valid yaml + dist_git_branches: + - fedora-branched # rawhide updates are created automatically + - epel-all diff --git a/0001-Update-curl-command-to-not-fail-silently-on-HTTP-ser.patch b/0001-Update-curl-command-to-not-fail-silently-on-HTTP-ser.patch new file mode 100644 index 0000000..9b42cfe --- /dev/null +++ b/0001-Update-curl-command-to-not-fail-silently-on-HTTP-ser.patch 
@@ -0,0 +1,25 @@ +From 086f148e3e2c34759ecf203f6b13a4d726572975 Mon Sep 17 00:00:00 2001 +From: "Author: Vishrutha Konappa Reddy" +Date: Thu, 9 Jun 2022 19:55:47 -0400 +Subject: [PATCH] Update curl command to not fail silently on HTTP server error + +--- + src/bin/eic_curl_authorized_keys | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/bin/eic_curl_authorized_keys b/src/bin/eic_curl_authorized_keys +index 667ec7a..25e0a8e 100755 +--- a/src/bin/eic_curl_authorized_keys ++++ b/src/bin/eic_curl_authorized_keys +@@ -87,7 +87,7 @@ if [ "${id_exit}" -ne 0 ] ; then + fi + + # Verify that we have active keys. Fast-exit if we do not. +-keys_status="$(/usr/bin/curl -s -f -m 1 -H "${IMDS_TOKEN_HEADER}" -o /dev/null -I -w %{http_code} "${IMDS}/managed-ssh-keys/active-keys/${1}/")" ++keys_status="$(/usr/bin/curl -s -m 1 -H "${IMDS_TOKEN_HEADER}" -o /dev/null -I -w %{http_code} "${IMDS}/managed-ssh-keys/active-keys/${1}/")" + if [ "${keys_status}" != "200" ] + then + # No keys for this user. Nothing to do. +-- +2.44.0 + diff --git a/README.md b/README.md new file mode 100644 index 0000000..7353dee --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# ec2-instance-connect + +The ec2-instance-connect package diff --git a/dead.package b/dead.package deleted file mode 100644 index 5204a84..0000000 --- a/dead.package +++ /dev/null @@ -1 +0,0 @@ -Orphaned for 6+ weeks diff --git a/ec2-instance-connect.conf b/ec2-instance-connect.conf new file mode 100644 index 0000000..876168d --- /dev/null +++ b/ec2-instance-connect.conf @@ -0,0 +1,3 @@ +[Service] +ExecStart= +ExecStart=/usr/sbin/sshd -D -o "AuthorizedKeysCommand /usr/bin/eic_run_authorized_keys %%u %%f" -o "AuthorizedKeysCommandUser ec2-instance-connect" $SSHD_OPTS diff --git a/ec2-instance-connect.fc b/ec2-instance-connect.fc new file mode 100644 index 0000000..e69de29 diff --git a/ec2-instance-connect.if b/ec2-instance-connect.if new file mode 100644 index 0000000..3eb6a30 --- /dev/null 
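Review bot: The new `ec2-instance-connect.conf` drop-in clears and re-declares `ExecStart=` for sshd.service just to pass two `-o` options, and that has side effects an administrator will not expect. Options given on the sshd command line override sshd_config, so a locally configured `AuthorizedKeysCommand` or `AuthorizedKeysCommandUser` is silently ignored, and the unit stops following any later change to the distribution's own ExecStart line. Consider shipping the two directives as a snippet under `/etc/ssh/sshd_config.d/` instead, i.e. `AuthorizedKeysCommand /usr/bin/eic_run_authorized_keys %u %f` and `AuthorizedKeysCommandUser ec2-instance-connect`, and leaving ExecStart untouched. If the override stays, a comment in the drop-in should say that it takes precedence over sshd_config.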
+++ b/ec2-instance-connect.if @@ -0,0 +1 @@ +## diff --git a/ec2-instance-connect.spec b/ec2-instance-connect.spec new file mode 100644 index 0000000..18065c4 --- /dev/null +++ b/ec2-instance-connect.spec 
@@ -0,0 +1,162 @@ +%global project aws-ec2-instance-connect-config +%global modulename ec2-instance-connect +%global selinuxtype targeted + +Name: ec2-instance-connect +Summary: EC2 Instance Connect scripts +Version: 1.1.17 +Release: 3%{?dist} + +License: Apache-2.0 +URL: https://github.com/aws/%{project} +Source0: https://github.com/aws/%{project}/archive/%{version}/%{project}-%{version}.tar.gz +# SELinux Policy +Source1: %{modulename}.te +Source2: %{modulename}.if +Source3: %{modulename}.fc +# User definition +Source4: %{modulename}.sysusers +# Systemd drop-in file +Source5: %{modulename}.conf + +# Mentioned as v1.1.18 fix in upstream .spec but never released. Backport till upstream releases >1.1.17 +Patch1: 0001-Update-curl-command-to-not-fail-silently-on-HTTP-ser.patch + +BuildArch: noarch + +BuildRequires: systemd-rpm-macros +%{?sysusers_requires_compat} + +Requires: openssh >= 6.9.0 +Requires: coreutils +Requires: openssh-server >= 6.9.0 +Requires: openssl +Requires: curl +Requires: systemd + +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +Recommends: %{name}-config + +%description +This package contains the EC2 instance configuration and +scripts necessary to enable AWS EC2 Instance Connect. 
+ + +# SELinux subpackage +%package selinux +Summary: ec2-instance-connect SELinux policy +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires: ec2-instance-connect +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +Custom SELinux policy module for ec2-instance-connect + + +# Configuration subpackage +%package config +Summary: ec2-instance-connect configuration +BuildArch: noarch +Requires: ec2-instance-connect +BuildRequires: systemd-rpm-macros +%{?systemd_requires} + +%description config +Systemd drop-in for sshd.service to set ec2-instance-connect +specific AuthorizedKeysCommand and AuthorizedKeysCommandUser + + +%prep +%autosetup -p1 -n %{project}-%{version} + + +%build +# SELinux policy (originally from selinux-policy-contrib) +# this policy module will override the production module +mkdir selinux +cp -p %{SOURCE1} selinux/ +cp -p %{SOURCE2} selinux/ +cp -p %{SOURCE3} selinux/ + +make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp +bzip2 -9 %{modulename}.pp + + +%install +mkdir -p %{buildroot}/%{_bindir} +install -p -m 755 "%{_builddir}/%{project}-%{version}/src/bin/eic_run_authorized_keys" %{buildroot}/%{_bindir} +install -p -m 755 "%{_builddir}/%{project}-%{version}/src/bin/eic_curl_authorized_keys" %{buildroot}/%{_bindir} +install -p -m 755 "%{_builddir}/%{project}-%{version}/src/bin/eic_parse_authorized_keys" %{buildroot}/%{_bindir} + +install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +install -D -p -m 0644 selinux/%{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{modulename}.if + +install -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/%{modulename}.conf + +install -p -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/sshd.service.d/%{modulename}.conf + + +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module 
installation +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} + +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* +%{_datadir}/selinux/devel/include/distributed/%{modulename}.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} + + +%post config +%systemd_post sshd.service + +%preun config +%systemd_preun sshd.service + +%postun config +%systemd_postun_with_restart sshd.service + + +%files config +%{_unitdir}/sshd.service.d/%{modulename}.conf + + +%files +%doc README.md CONTRIBUTING.md CODE_OF_CONDUCT.md +%license LICENSE NOTICE + +%attr(0755,root,root) %{_bindir}/eic_run_authorized_keys +%attr(0755,root,root) %{_bindir}/eic_curl_authorized_keys +%attr(0755,root,root) %{_bindir}/eic_parse_authorized_keys + +%{_sysusersdir}/%{modulename}.conf + + +%pre +%sysusers_create_compat %{SOURCE4} + + +%changelog +* Thu Jan 16 2025 Fedora Release Engineering - 1.1.17-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Wed Jul 17 2024 Fedora Release Engineering - 1.1.17-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Fri May 03 2024 Dominik Wombacher 1.1.17-1 +- Initial package +- Fix: Update curl command to not fail silently on HTTP server error. diff --git a/ec2-instance-connect.sysusers b/ec2-instance-connect.sysusers new file mode 100644 index 0000000..14bd4e4 --- /dev/null +++ b/ec2-instance-connect.sysusers @@ -0,0 +1,2 @@ +#Type Name ID GECOS Home directory Shell +u ec2-instance-connect - "EC2 Instance Connect service user" - /sbin/nologin 
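Review bot: The `%preun config` scriptlet calls `%systemd_preun sshd.service` on a unit this package does not own, and on package removal that macro disables and stops the named unit, so uninstalling ec2-instance-connect-config would take SSH down on a remote instance. `%systemd_post sshd.service` in `%post config` has a similar problem, since on first install it applies the preset policy to sshd.service and can change whether the administrator has it enabled. The subpackage only installs a drop-in under `%{_unitdir}/sshd.service.d/`, so the `%post config` and `%preun config` bodies can be dropped. What the drop-in needs is a daemon reload and an sshd restart when it is installed or removed, because `%systemd_postun_with_restart sshd.service` only restarts on upgrade.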
diff --git a/ec2-instance-connect.te b/ec2-instance-connect.te
new file mode 100644
index 0000000..e50be29
--- /dev/null
+++ b/ec2-instance-connect.te
@@ -0,0 +1,18 @@
+
+module ec2-instance-connect 1.0;
+
+require {
+ type ssh_keygen_exec_t;
+ type sshd_t;
+ type http_port_t;
+ class file { execute execute_no_trans open read };
+ class process setpgid;
+ class tcp_socket name_connect;
+ class file map;
+}
+
+#============= sshd_t ==============
+allow sshd_t http_port_t:tcp_socket name_connect;
+allow sshd_t self:process setpgid;
+allow sshd_t ssh_keygen_exec_t:file { execute execute_no_trans open read };
+allow sshd_t ssh_keygen_exec_t:file map;
diff --git a/sources b/sources
new file mode 100644
index 0000000..858abe0
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (aws-ec2-instance-connect-config-1.1.17.tar.gz) = f3cb3f80a302844aff25b34aad494197ee4c435d93b3727736241b8c29dbe976ed30dee178288f08a11940d2b2d564b5a5c95df7bbdb2626b06c790bec2651ba
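Review bot: The policy module widens `sshd_t` itself instead of confining the key-fetch helpers: `allow sshd_t http_port_t:tcp_socket name_connect;` lets anything running in the sshd domain open outbound connections to every port labelled `http_port_t`, while the helper presumably only needs the instance metadata endpoint. Because `ec2-instance-connect.fc` is added empty in this commit, the installed `eic_*` scripts get no dedicated label, so there is no domain transition on which a narrower rule could hang; the `execute_no_trans` rule on `ssh_keygen_exec_t` suggests the helpers run in `sshd_t`. Consider giving the helpers their own type with a transition from `sshd_t` and moving the network and ssh-keygen permissions there. At minimum, document each rule, for example `# AuthorizedKeysCommand helper queries IMDS over HTTP` above the `name_connect` line.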