Refactor SSH key handling and update .gitignore

Author: bootjp

.gitignore

@@ -29,3 +29,7 @@ jepsen/.lein-*
 jepsen/.nrepl-port
 .m2/
 jepsen/store/
+
+# Jepsen local SSH keys (generated locally; never commit)
+jepsen/docker/id_rsa
+jepsen/.ssh/

jepsen/Vagrantfile

@@ -1,3 +1,5 @@
+require "fileutils"
+
 NODES = {
   ctrl: "192.168.56.10",
   n1:   "192.168.56.11",
@@ -7,6 +9,19 @@ NODES = {
   n5:   "192.168.56.15"
 }.freeze
 
+KEY_DIR = File.join(__dir__, ".ssh")
+CTRL_KEY = File.join(KEY_DIR, "ctrl_id_rsa")
+CTRL_PUB = "#{CTRL_KEY}.pub"
+
+unless File.exist?(CTRL_KEY)
+  FileUtils.mkdir_p(KEY_DIR)
+  unless system("ssh-keygen", "-t", "rsa", "-b", "2048", "-N", "", "-f", CTRL_KEY)
+    raise "failed to generate Jepsen SSH key at #{CTRL_KEY}"
+  end
+end
+
+CTRL_PUB_KEY = File.read(CTRL_PUB).strip
+
 Vagrant.configure("2") do |config|
   config.ssh.insert_key = false
   #config.vm.box = "debian/bookworm64"
@@ -37,7 +52,7 @@ Vagrant.configure("2") do |config|
         node.vm.synced_folder ".", "/vagrant", disabled: true
       end
 
-      node.vm.provision "shell", path: "provision/base.sh", args: name.to_s
+      node.vm.provision "shell", path: "provision/base.sh", args: [name.to_s, CTRL_PUB_KEY]
     end
   end
 end

jepsen/docker/id_rsa

@@ -24,10 +24,23 @@ if ! command -v lein >/dev/null 2>&1; then
     chmod +x /usr/local/bin/lein
 fi
 
-# Generate SSH key for control node to connect to others
+# Generate or install SSH key for control node to connect to others
 if [ ! -f /root/.ssh/id_rsa ]; then
     mkdir -p /root/.ssh
-    cp /jepsen-ro/jepsen/docker/id_rsa /root/.ssh/id_rsa
+    if [ -n "${JEPSEN_SSH_PRIVATE_KEY:-}" ]; then
+        printf "%s" "${JEPSEN_SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa
+    elif [ -n "${JEPSEN_SSH_PRIVATE_KEY_PATH:-}" ] && [ -f "${JEPSEN_SSH_PRIVATE_KEY_PATH}" ]; then
+        cp "${JEPSEN_SSH_PRIVATE_KEY_PATH}" /root/.ssh/id_rsa
+    elif [ -f /jepsen-ro/jepsen/docker/id_rsa ]; then
+        # Backward-compatible path (local, uncommitted key file)
+        cp /jepsen-ro/jepsen/docker/id_rsa /root/.ssh/id_rsa
+    else
+        if ! command -v ssh-keygen >/dev/null 2>&1; then
+            apt-get update -y
+            apt-get install -y --no-install-recommends openssh-client
+        fi
+        ssh-keygen -t rsa -b 2048 -N "" -f /root/.ssh/id_rsa
+    fi
     chmod 600 /root/.ssh/id_rsa
     # Disable strict host checking
     echo "Host *" > /root/.ssh/config

jepsen/docker/run-in-docker.sh

@@ -2,7 +2,7 @@ Host n1
   HostName 127.0.0.1
   User vagrant
   Port 2221
-  IdentityFile /Users/bootjp/src/elastickv/jepsen/docker/id_rsa
+  IdentityFile ~/.ssh/id_rsa
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null
   LogLevel ERROR
@@ -11,7 +11,7 @@ Host n2
   HostName 127.0.0.1
   User vagrant
   Port 2222
-  IdentityFile /Users/bootjp/src/elastickv/jepsen/docker/id_rsa
+  IdentityFile ~/.ssh/id_rsa
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null
   LogLevel ERROR
@@ -20,7 +20,7 @@ Host n3
   HostName 127.0.0.1
   User vagrant
   Port 2223
-  IdentityFile /Users/bootjp/src/elastickv/jepsen/docker/id_rsa
+  IdentityFile ~/.ssh/id_rsa
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null
   LogLevel ERROR
@@ -29,7 +29,7 @@ Host n4
   HostName 127.0.0.1
   User vagrant
   Port 2224
-  IdentityFile /Users/bootjp/src/elastickv/jepsen/docker/id_rsa
+  IdentityFile ~/.ssh/id_rsa
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null
   LogLevel ERROR
@@ -38,7 +38,7 @@ Host n5
   HostName 127.0.0.1
   User vagrant
   Port 2225
-  IdentityFile /Users/bootjp/src/elastickv/jepsen/docker/id_rsa
+  IdentityFile ~/.ssh/id_rsa
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null
   LogLevel ERROR

jepsen/docker/ssh_config

@@ -2,6 +2,7 @@
 set -euo pipefail
 
 ROLE="${1:-db}"
+PUBKEY="${2:-}"
 
 echo "[jepsen] provisioning role=${ROLE}"
 sudo apt-get update -y
@@ -44,38 +45,20 @@ if [ "$ROLE" = "ctrl" ]; then
   echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' | sudo tee /etc/profile.d/go.sh >/dev/null
 
   if [ ! -f /home/vagrant/.ssh/id_rsa ]; then
-    cat <<'KEY' > /home/vagrant/.ssh/id_rsa
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzI
-w+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoP
-kcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2
-hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NO
-Td0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcW
-yLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQIBIwKCAQEA4iqWPJXtzZA68mKd
-ELs4jJsdyky+ewdZeNds5tjcnHU5zUYE25K+ffJED9qUWICcLZDc81TGWjHyAqD1
-Bw7XpgUwFgeUJwUlzQurAv+/ySnxiwuaGJfhFM1CaQHzfXphgVml+fZUvnJUTvzf
-TK2Lg6EdbUE9TarUlBf/xPfuEhMSlIE5keb/Zz3/LUlRg8yDqz5w+QWVJ4utnKnK
-iqwZN0mwpwU7YSyJhlT4YV1F3n4YjLswM5wJs2oqm0jssQu/BT0tyEXNDYBLEF4A
-sClaWuSJ2kjq7KhrrYXzagqhnSei9ODYFShJu8UWVec3Ihb5ZXlzO6vdNQ1J9Xsf
-4m+2ywKBgQD6qFxx/Rv9CNN96l/4rb14HKirC2o/orApiHmHDsURs5rUKDx0f9iP
-cXN7S1uePXuJRK/5hsubaOCx3Owd2u9gD6Oq0CsMkE4CUSiJcYrMANtx54cGH7Rk
-EjFZxK8xAv1ldELEyxrFqkbE4BKd8QOt414qjvTGyAK+OLD3M2QdCQKBgQDtx8pN
-CAxR7yhHbIWT1AH66+XWN8bXq7l3RO/ukeaci98JfkbkxURZhtxV/HHuvUhnPLdX
-3TwygPBYZFNo4pzVEhzWoTtnEtrFueKxyc3+LjZpuo+mBlQ6ORtfgkr9gBVphXZG
-YEzkCD3lVdl8L4cw9BVpKrJCs1c5taGjDgdInQKBgHm/fVvv96bJxc9x1tffXAcj
-3OVdUN0UgXNCSaf/3A/phbeBQe9xS+3mpc4r6qvx+iy69mNBeNZ0xOitIjpjBo2+
-dBEjSBwLk5q5tJqHmy/jKMJL4n9ROlx93XS+njxgibTvU6Fp9w+NOFD/HvxB3Tcz
-6+jJF85D5BNAG3DBMKBjAoGBAOAxZvgsKN+JuENXsST7F89Tck2iTcQIT8g5rwWC
-P9Vt74yboe2kDT531w8+egz7nAmRBKNM751U/95P9t88EDacDI/Z2OwnuFQHCPDF
-llYOUI+SpLJ6/vURRbHSnnn8a/XG+nzedGH5JGqEJNQsz+xT2axM0/W/CRknmGaJ
-kda/AoGANWrLCz708y7VYgAtW2Uf1DPOIYMdvo6fxIB5i9ZfISgcJ/bbCUkFrhoH
-+vq/5CIWxCPp0f85R4qxxQ5ihxJ0YDQT9Jpx4TMss4PSavPaBH3RXow5Ohe+bYoQ
-NE5OgEXk2wVfZczCZpigBKbKZHNYcelXtTt/nP3rsCuGcM4h53s=
------END RSA PRIVATE KEY-----
-KEY
+    if [ -f /home/vagrant/elastickv/jepsen/.ssh/ctrl_id_rsa ]; then
+      cp /home/vagrant/elastickv/jepsen/.ssh/ctrl_id_rsa /home/vagrant/.ssh/id_rsa
+    else
+      if ! command -v ssh-keygen >/dev/null 2>&1; then
+        sudo apt-get install -y --no-install-recommends openssh-client
+      fi
+      ssh-keygen -t rsa -b 2048 -N "" -f /home/vagrant/.ssh/id_rsa
+    fi
     chmod 600 /home/vagrant/.ssh/id_rsa
     chown vagrant:vagrant /home/vagrant/.ssh/id_rsa
   fi
+  if [ -z "${PUBKEY}" ] && [ -f /home/vagrant/.ssh/id_rsa.pub ]; then
+    PUBKEY="$(cat /home/vagrant/.ssh/id_rsa.pub)"
+  fi
   cat <<'EOF' > /home/vagrant/.ssh/config
 Host n1 n2 n3 n4 n5
   User vagrant
@@ -87,10 +70,12 @@ EOF
   chown vagrant:vagrant /home/vagrant/.ssh/config
 fi
 
-# authorize the same key on all nodes
-cat <<'PUB' >> /home/vagrant/.ssh/authorized_keys
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDo0XyJqWW9BWnbZYOROSyu2+n15ZbrgPGFa/pM+E4xmHu4B8yMPp4jbWRhR8w/Pr9SNmCeqF3r3LdWHktKPR2cjduPaoAoM1BbXTii7+iHnaZaqD5HJhXQhr3Y+QQOjcYVMFyQU8hMAzMF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key
-PUB
+touch /home/vagrant/.ssh/authorized_keys
+if [ -n "${PUBKEY}" ]; then
+  if ! grep -Fq "${PUBKEY}" /home/vagrant/.ssh/authorized_keys; then
+    echo "${PUBKEY}" >> /home/vagrant/.ssh/authorized_keys
+  fi
+fi
 chown vagrant:vagrant /home/vagrant/.ssh/authorized_keys
 chmod 600 /home/vagrant/.ssh/authorized_keys