actions: run: add support for running commands outside of fakemachine

[silbe]

Even when set to run outside the chroot, scripts/commands are still run inside fakemachine. Lots of things don't work within that environment, e.g. because regular /etc is not available (not even sudo works). It would be very useful to have the ability to run scripts outside of fakemachine (as the user invoking debos) with the ability to modify the rootfs.

My particular use case is installing SSH host keys. The keys are encrypted to a private key on an OpenPGP card, accessible to the user running debos. The SSH host keys can only be decrypted by running a command as the original user, not but running within fakemachine or running as root. Additionally they are stored within Salt (Configuration Management system), not just a file encrypted directly with GnuPG. Extracting them requires running a command within the regular environment of the user.

[obbardc]

this is out-of-scope for debos really; infecting the image with anything from host (other than e.g an overlay or directly copying in files or calling host commands afterwards to tarball image) is an antipattern

[silbe]

@obbardc How do you propose to address the use case of including credentials in the image? My current work-around is decrypting them before invoking debos and passing them as template variables via command line parameters but that is insecure on most machines (exposed in /proc to all users).

[obbardc]

I don't know what your usecase is. I am not sure why you would want to include SSH host keys in the image ?

[silbe]

I don't know what your usecase is. I am not sure why you would want to include SSH host keys in the image ?

We build an individual base OS image for each host that includes the SSH host keys so that a secure connection can be established on first run. There is no trusted network link to the hosts. Not including SSH host keys in the image would open us up to man-in-the-middle attacks.

[obbardc]

Can you extract the key outside of the debos call and inject it into debos using an overlay action ?

I am not sure exactly what your procedure is with the OpenPGP card.

Could you try to use fakemachine --volume to mount a directory from the host inside a fakemachine, and see if you can extract the key like that ? In the past I have used fakemachine --image to mount an image AFTER its built with debos, to then sign things and add keys etc manually (outside of a CI loop).

[silbe]

Placing the credentials on tmpfs (e.g. /run/user) would be much better than passing them as parameters at least. I'd prefer something based on fd passing, but bind-mounting a unix socket should be close enough. So how do I get debos to pass --volume to fakemachine?