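# Base image selection. The tag defaults to "latest" so existing builds keep
# working, but "latest" is a moving target: two builds of this file can yield
# different images. For reproducible builds pass a fixed tag (optionally with
# a digest) using --build-arg UBI9_TAG, e.g. <tag>@sha256:<digest>.
ARG UBI9_TAG=latest
FROM redhat/ubi9:${UBI9_TAG}

# Build-time inputs. ARG values are recorded in the image history, so none of
# them may carry a secret.
#   NSO_ARCH / NSO_VERSION  select the installer file copied into the image
#   NSOAPP_NAME             name of the application archive and its directory
#   EX0_IP / EX1_IP / EX2_IP  substituted into devices_init.xml at build time
#   NSO_HOST_NAME           written into ncs.conf as the web UI server name
#   NCS_IPC_PATH            written into ncs.conf as the local IPC path
ARG NSO_ARCH
ARG NSO_VERSION
ARG NSOAPP_NAME
ARG EX0_IP
ARG EX1_IP
ARG EX2_IP
ARG NSO_HOST_NAME
ARG NCS_IPC_PATH

# Build arguments that must also be visible to the running container.
ENV NSO_ARCH=${NSO_ARCH} \
    NSO_VERSION=${NSO_VERSION} \
    NSOAPP_NAME=${NSOAPP_NAME} \
    NSO_HOST_NAME=${NSO_HOST_NAME} \
    NCS_IPC_PATH=${NCS_IPC_PATH}

# Fixed NSO system-install locations used by the RUN steps below.
ENV NCS_ROOT_DIR=/opt/ncs \
    NCS_DIR=/opt/ncs/current \
    NCS_CONFIG_DIR=/etc/ncs \
    NCS_RUN_DIR=/var/opt/ncs \
    NCS_LOG_DIR=/var/log/ncs

# Library, Python API and executable search paths for the NSO installation.
ENV LD_LIBRARY_PATH=/opt/ncs/current/lib \
    PYTHONPATH=/opt/ncs/current/src/ncs/pyapi \
    PATH=/opt/ncs/current/bin:/opt/ncs/current/lib/ncs/bin:$PATH

# NOTE(review): presumably these select the encrypted transports (SSH for the
# CLI and NETCONF, TLS for the web UI); the consumer of these variables is not
# visible in this file, so confirm before relying on them.
ENV NCS_CLI_SSH=true \
    NCS_WEBUI_TRANSPORT_SSL=true \
    NCS_NETCONF_TRANSPORT_SSH=true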
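# Copy the NSO installer to the container.
# No checksum or signature check of the installer is visible in this file, so
# its integrity has to be verified before the build. The installer is executed
# as root below and is never removed, so it also stays in this image layer.
COPY nso-${NSO_VERSION}.linux.${NSO_ARCH}.installer.bin /tmp
# Minimal installation with an admin and oper user for NSO PAM authentication.
# The admin user is authenticated over SSH using a public key and over RESTCONF
# using a token. The read-only oper user uses password authentication.
# NSO runs as the admin user.
#
# Every step of this RUN is joined with `&&`, so a failure in any step stops
# the build instead of letting later steps run on a half-configured system.
#
# Security notes for reviewers:
#  - pip itself and "requests" are installed without a version pin, so their
#    versions depend on the build date.
#  - The oper account gets the static password "oper", which is readable by
#    anyone who has this file or the image. Acceptable for a local showcase
#    only; replace or disable it before exposing the container.
#  - cmdwrapper is made setuid. NOTE(review): in both layouts the chown targets
#    the copy under lib/ncs/lib while the setuid bit is set on the copy under
#    netsim/; confirm that the two operations are meant for different files.
#  - ncs.conf is edited to enable external token validation through
#    ${NCS_RUN_DIR}/scripts/token_auth.sh. That directory is made writable for
#    the ncsadmin group below, so whoever can write there controls
#    authentication decisions.
#  - NOTE(review): the two relative `ln -sf pip3.12 ...` links are created in
#    the current directory, not in /usr/bin; the build only uses
#    `python -m pip`, so nothing here depends on them.
RUN dnf update -y \
    && dnf --disableplugin=subscription-manager install -y --nodocs python3.12 \
       java-17-openjdk-devel make openssl openssh-clients libxslt cronie \
       logrotate python3.12-pip \
    && ln -sf /usr/bin/python3.12 /usr/bin/python3 \
    && ln -s /usr/bin/python3 /usr/bin/python \
    && ln -sf pip3.12 pip3 \
    && ln -sf pip3.12 pip \
    && python -m pip install --root-user-action=ignore --upgrade pip \
    && python -m pip install --root-user-action=ignore requests \
    && groupadd ncsadmin \
    && groupadd ncsoper \
    && useradd --create-home --home-dir /home/admin --no-user-group \
       --no-log-init --groups ncsadmin --shell /bin/bash admin \
    && useradd --create-home --home-dir /home/oper --no-user-group \
       --no-log-init --groups ncsoper --shell /bin/bash oper \
    && echo "oper:oper" | chpasswd \
    && chmod u+x /tmp/nso-${NSO_VERSION}.linux.${NSO_ARCH}.installer.bin \
    && /tmp/nso-${NSO_VERSION}.linux.${NSO_ARCH}.installer.bin --system-install \
       --run-as-user admin --non-interactive \
    && chown -Rh admin:ncsadmin ${NCS_CONFIG_DIR} ${NCS_RUN_DIR} \
       ${NCS_LOG_DIR} /home/admin \
    && chmod -R g=u ${NCS_CONFIG_DIR} ${NCS_RUN_DIR} ${NCS_LOG_DIR} \
    && chown admin:ncsadmin ${NCS_ROOT_DIR} \
    && set -eux \
    && LEGACY_PRIV_1="${NCS_DIR}/lib/ncs/lib/core/confd/priv/cmdwrapper" \
    && LEGACY_PRIV_2="${NCS_DIR}/netsim/confd/lib/confd/lib/core/confd/priv/cmdwrapper" \
    && if [ -e "${LEGACY_PRIV_1}" ]; then \
           CHOWN_PATH="${LEGACY_PRIV_1}"; \
           CHMOD_PATH="${LEGACY_PRIV_2}"; \
       else \
           CONFD_DIR="$(ls -d "${NCS_DIR}"/lib/ncs/lib/confd-* | head -n1)"; \
           CONFD_VERSION="${CONFD_DIR##*-}"; \
           CHOWN_PATH="${NCS_DIR}/lib/ncs/lib/confd-${CONFD_VERSION}/priv/cmdwrapper"; \
           CHMOD_PATH="${NCS_DIR}/netsim/confd/lib/confd/lib/confd-${CONFD_VERSION}/priv/cmdwrapper"; \
       fi \
    && chown root "${CHOWN_PATH}" \
    && chmod u+s "${CHMOD_PATH}" \
&& sed -i.orig -e 's|</cli>|\ \ <style>c</style>\
\ \ </cli>|' \
-e 's|</restconf>|\ \ <token-response>\n\
\ \ \ \ \ \ <x-auth-token>true</x-auth-token>\n\
\ \ \ \ </token-response>\n\
\ \ </restconf>|' \
-e "s|</webui>|\ \ <server-name>${NSO_HOST_NAME}</server-name>\n\
\ \ \ \ <match-host-name>true</match-host-name>\n\
\ \ </webui>|" \
-e "s|</aaa>|\ \ <external-validation>\n\
\ \ \ \ \ \ <enabled>true</enabled>\n\
\ \ \ \ \ \ <executable>${NCS_RUN_DIR}/scripts/token_auth.sh</executable>\n\
\ \ \ \ </external-validation>\n\
\ \ </aaa>|" \
-e 's|@ncs|@nso-\\\H|g' \
${NCS_CONFIG_DIR}/ncs.conf \
    && ncs_conf_tool -a " <ncs-local-ipc><enabled>true</enabled><path>${NCS_IPC_PATH}</path></ncs-local-ipc>" ncs-config < ${NCS_CONFIG_DIR}/ncs.conf > ${NCS_CONFIG_DIR}/ncs.conf.tmp && mv -f ${NCS_CONFIG_DIR}/ncs.conf.tmp ${NCS_CONFIG_DIR}/ncs.conf \
    && ncs_conf_tool -e "sha-512" ncs-config crypt-hash algorithm < ${NCS_CONFIG_DIR}/ncs.conf > ${NCS_CONFIG_DIR}/ncs.conf.tmp && mv -f ${NCS_CONFIG_DIR}/ncs.conf.tmp ${NCS_CONFIG_DIR}/ncs.conf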
# Unpack the NSO client application into the image. ADD extracts a local tar
# archive automatically, and the target is the filesystem root, so the archive
# is a trusted build input: its entries decide where files land.
ADD ${NSOAPP_NAME}.tar.gz /
# Prepare the application for three netsim ConfD network element nodes that
# use the built-in NETCONF NED:
#  - hand the package store to admin:ncsadmin, strip write/execute/setuid bits
#    for "other" and give the group the same rights as the owner;
#  - delete the files matching *key* under ${NCS_CONFIG_DIR}/ssh.
#    NOTE(review): files created by the earlier RUN remain readable in that
#    earlier layer, so treat any key found there as public and confirm that
#    fresh keys are generated at container start;
#  - replace the _EXn_IP_ placeholders in devices_init.xml with the build
#    arguments (the untouched file is kept as devices_init.xml.orig).
RUN set -e; \
    chown -Rh admin:ncsadmin /${NSOAPP_NAME}/package-store; \
    chmod -R o-wxs /${NSOAPP_NAME}/package-store; \
    chmod -R g=u /${NSOAPP_NAME}/package-store; \
    rm -f ${NCS_CONFIG_DIR}/ssh/*key*; \
    sed -i.orig \
        -e "s|_EX0_IP_|${EX0_IP}|" \
        -e "s|_EX1_IP_|${EX1_IP}|" \
        -e "s|_EX2_IP_|${EX2_IP}|" \
        /${NSOAPP_NAME}/devices_init.xml
# Start in the extracted application directory so the relative script path in
# CMD resolves.
WORKDIR /${NSOAPP_NAME}
# Default command: set up public key and token authentication, then run the
# CLI and RESTCONF client showcase scripts, which use a service to set up SSH
# public key authentication to the three network elements as well.
# NOTE(review): this file has no USER instruction, so the script starts as
# root; whether it drops privileges is not visible here.
CMD ["./run_native.sh"]