Hi Axel,

  If we know that the installation method is copy, wouldn't the
solution be as simple as removing the existing keys right *before* any key
generation attempt is made in the hook script?

Something like:

[ "xcopy" = "x${install_method}" ] && rm -f "${prefix}"/etc/ssh/ssh_host_*

Will try this this evening and will get back to you. Not sure about all the
corner cases you have in mind. Haven't read your link yet, either...

Thanks.
 On 14 March 2013 at 00:23, "Axel Beckert" <a...@debian.org> wrote:

> Hi Nicolas,
>
> ncaniart wrote:
> >   When using the --install-method=copy of xen-create-image,
> > the SSH host keys are copied from the template DomU to the
> > newly created guest.
>
> Indeed.
>
> > The template in question was a Debian Wheezy (don't have other
> > distributions around to check, sorry).
>
> Shouldn't make a difference.
>
> >   Could be related to the fix applied to #607236:
>
> That, but also
>
> https://gitorious.org/xen-tools/xen-tools/commit/8cf4c83936c7cb97b7f1b9e15910a52fa92fceca
> which shows some reasoning why the key-generation has been moved
> outside the package installation.
>
> I'm currently thinking about moving key generation back into the
> chroot as the availability of new key formats (namely ECDSA) may
> differ between Dom0 and DomU. Should be solvable by bind-mounting
> /dev/.
>
> But that doesn't solve your problem.
>
> So my current plan is:
>
> Install openssh-server and -client first, let them generate the host
> keys inside the chroot. That would also be closer to the KISS
> principle.
>
> Then, afterwards, check if install-method is copy and only if so,
> regenerate the SSH keys -- inside the chroot, too.
>
> Though I'll still have to think about that potential solution. There
> are many corner cases to take care of.
>
> >   Don't know how the incriminated hook in #607236 could be modified:
> > it only receives the new guest's image mount point as an argument.
> > It would require having the install method, too. Is this information
> > available somewhere else?
>
> Yes, it's available via the environment. You can see that if you add the
> command "env" to that script. Unfortunately these were so far only
> used inside perl scripts where dashes in environment variables didn't
> cause any harm. But it was not easily possible to use these variables
> inside bash scripts.
>
> I fixed that today in these two commits:
>
> https://gitorious.org/xen-tools/xen-tools/commit/76d9d5951058f64fa5eff32676308e12fd4fe7a7
>
> https://gitorious.org/xen-tools/xen-tools/commit/ff7ded28e8f7cb3da33d6d210ba00152168009bc
>
> From the next release on, you can check the content of $install_method
> inside the hook script.
>
>                 Regards, Axel
> --
>  ,''`.  |  Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
> : :' :  |  Debian Developer, ftp.ch.debian.org Admin
> `. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
>   `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
>
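
A hook body along the lines of both proposals in this thread (the one-liner above and Axel's regenerate-inside-the-chroot plan), as an added example that is not xen-tools' own hook code. It assumes the hook receives the guest mount point as $1, that $install_method is exported into the hook's environment as Axel's commits do, and that ssh-keygen -A is available inside the guest image; the host_keys_differ check is a post-creation sanity test to catch guests that still carry the template's keys.

```shell
#!/bin/sh
# Added example (not xen-tools' own hook): drop the template's copied SSH host
# keys, regenerate them inside the chroot, and verify the result.
# Assumes: $1 = guest mount point, $install_method exported by xen-create-image,
# and ssh-keygen -A present in the guest image.
set -eu

# Remove any host keys that arrived by copying the template image.
# Returns 0 if keys were removed, 1 if the install method was not "copy".
purge_copied_host_keys() {
    prefix="$1"; method="$2"
    [ "xcopy" = "x${method}" ] || return 1
    rm -f "${prefix}"/etc/ssh/ssh_host_*
    return 0
}

# Regenerate inside the chroot so the key types match the DomU's OpenSSH
# rather than the Dom0's (needs root; the chroot is the guest mount point).
regenerate_host_keys() {
    prefix="$1"
    chroot "${prefix}" ssh-keygen -A
}

# Defensive check: every public host key in the guest must differ from the
# template's, otherwise the copy problem is still present.
# Returns 0 if all differ, 1 on the first identical key found.
host_keys_differ() {
    template="$1"; guest="$2"
    for pub in "${template}"/etc/ssh/ssh_host_*.pub; do
        [ -e "$pub" ] || continue
        if cmp -s "$pub" "${guest}/etc/ssh/$(basename "$pub")"; then
            echo "shared host key: $(basename "$pub")" >&2
            return 1
        fi
    done
    return 0
}

# Hook entry point (only runs when invoked as a hook with a mount point).
if [ $# -ge 1 ] && [ -d "$1/etc/ssh" ]; then
    if purge_copied_host_keys "$1" "${install_method:-}"; then
        regenerate_host_keys "$1"
    fi
fi
```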
