From: Chuck Lever
To:
Cc: Chuck Lever
Subject: [PATCH v1 0/6] Enable users to set an alternate ssh port
Date: Thu, 2 Oct 2025 16:21:34 -0400
Message-ID: <20251002202140.3596787-1-cel@kernel.org>
X-Mailer: git-send-email 2.51.0
Precedence: bulk
X-Mailing-List: kdevops@lists.linux.dev
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Chuck Lever

Particularly in the cloud, provisioning publicly visible instances with port 22 for ssh is bad security practice. Almost as soon as kdevops brings up such an instance, it comes under attack on port 22.

So, my thought is to enable the use of an alternate port for Ansible control. This series provides that flexibility; the default is still to use port 22.

I've tested this with RHEL 9 on AWS, Azure, GCE, and OCI, and with Debian 12 on AWS; and I tested with Fedora and guestfs.

One of the side benefits of this series is that now all of the cloud providers except Lambda make use of a cloud-init script. We can introduce additional capabilities there, going forward.

Also pushed to the linux-kdevops/kdevops alternate-ssh-port branch.
Chuck Lever (6):
  ansible.cfg: Allow the use of alternate ssh ports
  base_image: Make the semanage command available on base images
  guestfs: Refactor the construction of the virt-sysprep command line
  guestfs: Use the alternate ssh port for Ansible control
  terraform: Hoist the AWS cloud-init script into terraform/
  terraform: Use the alternate ssh port for Ansible control

 kconfigs/Kconfig.ansible_cfg                  | 41 ++++++++
 playbooks/nixos.yml                           |  2 +-
 .../ansible_cfg/templates/ansible.cfg.j2      |  3 +
 .../base_image/templates/virt-builder.j2      |  2 +-
 .../templates/aws/terraform.tfvars.j2         |  1 +
 .../templates/azure/terraform.tfvars.j2       |  1 +
 .../templates/gce/terraform.tfvars.j2         |  1 +
 .../templates/lambdalabs/terraform.tfvars.j2  |  1 +
 .../templates/oci/terraform.tfvars.j2         |  1 +
 .../templates/openstack/terraform.tfvars.j2   |  1 +
 .../roles/guestfs/tasks/bringup/main.yml      | 44 +++++----
 .../roles/terraform/templates/ssh_config.j2   |  2 +-
 scripts/update_ssh_config_guestfs.py          |  3 +-
 scripts/update_ssh_config_lambdalabs.py       | 18 +++-
 terraform/aws/main.tf                         |  7 +-
 terraform/aws/templates/script.sh             | 55 -----------
 terraform/azure/main.tf                       |  9 +-
 terraform/gce/main.tf                         | 23 ++++-
 terraform/lambdalabs/main.tf                  | 43 +++++++-
 terraform/oci/main.tf                         | 11 ++-
 terraform/openstack/main.tf                   | 11 ++-
 terraform/scripts/cloud-init.sh               | 97 +++++++++++++++++++
 terraform/shared.tf                           |  6 ++
 23 files changed, 289 insertions(+), 94 deletions(-)
 delete mode 100755 terraform/aws/templates/script.sh
 create mode 100755 terraform/scripts/cloud-init.sh

-- 
2.51.0
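The configuration change the cover letter describes, sshd on a cloud instance listening on a port other than 22 and the Ansible control connection following it, as an added example. This is not code from the kdevops series, its cloud-init.sh, or Chuck Lever's patches; it is one way to do the same thing. It assumes (my choices, not the series') that the port is applied through an sshd_config.d drop-in, that on SELinux hosts the new port must be labelled ssh_port_t with semanage (the series only says it makes semanage available on base images), that firewalld may need the port opened, and that the client side is an ssh_config Host block. The file name, host name, user and key path are placeholders.

```shell
#!/bin/sh
# Added example (not kdevops code): move sshd to an alternate port on a
# freshly provisioned instance and render the matching ssh client config
# that Ansible can use. All paths and names below are assumptions.

# Accept only an unprivileged TCP port (1024-65535) as the alternate port,
# so it never collides with a well-known service; this range is my choice.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;    # empty or not purely numeric
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# sshd_config drop-in: a bare Port directive replaces the default 22.
render_sshd_dropin() {
    printf 'Port %s\n' "$1"
}

# ssh client Host block (hostname, port, user, key are caller-supplied).
render_ssh_client_config() {
    host=$1 port=$2 user=$3 keyfile=$4
    cat <<EOF
Host $host
    Port $port
    User $user
    IdentityFile $keyfile
    IdentitiesOnly yes
EOF
}

# Apply the drop-in on the instance (run as root, e.g. from cloud-init).
# $2 overrides the sshd_config.d directory so the function can be dry-run.
apply_alternate_port() {
    port=$1 confdir=${2:-/etc/ssh/sshd_config.d}
    validate_port "$port" || { echo "bad port: $port" >&2; return 1; }
    mkdir -p "$confdir"
    render_sshd_dropin "$port" > "$confdir/10-alternate-port.conf"
    # With SELinux enforcing, sshd cannot bind a port that is not labelled
    # ssh_port_t; add the label, or modify it if the port is already known.
    if command -v semanage >/dev/null 2>&1 \
        && [ "$(getenforce 2>/dev/null)" = Enforcing ]; then
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
            || semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    # firewalld, when running, also has to allow the new port.
    if command -v firewall-cmd >/dev/null 2>&1 \
        && firewall-cmd --state >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
    fi
    return 0
}

# Entry point for cloud-init use: `sh alt-port.sh apply 2222`; restart sshd
# afterwards (systemctl restart sshd) so the new Port takes effect.
if [ "${1:-}" = apply ]; then
    apply_alternate_port "$2"
fi
```

On the controller, the rendered Host block goes into the ssh_config that Ansible is pointed at (ansible.cfg `ssh_args = -F <path>` under `[ssh_connection]`, or `remote_port` under `[defaults]` when every host uses the same port); the series does this through its own ansible.cfg.j2 and ssh_config.j2 templates, which this example does not reproduce.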