From 7e3e6558de7639003e078015e770b9e9e7a2a111 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Mon, 19 Aug 2024 15:52:34 +0000
Subject: [PATCH] Support skipping SSH keyscan for older switch devices
Some network devices may use SSH key exchange algorithms that are no longer supported by the Ansible control host. This will cause ssh-keyscan to fail, preventing Kayobe from configuring the devices. This change makes it possible to work around the issue by setting switch_skip_keyscan to true for the affected devices. The SSH known hosts file on the Ansible control host will need to be populated manually.
Change-Id: I4e3394cff1fd86eb5c1a4be55d6fd7fd080b2944
---
 ansible/inventory/group_vars/all/switches/keyscan | 5 +++++
 ansible/physical-network.yml | 7 +++++++
 doc/source/configuration/reference/physical-network.rst | 9 +++++++++
 .../notes/switch-skip-keyscan-23b1f5006f443323.yaml | 6 ++++++
 4 files changed, 27 insertions(+)
 create mode 100644 ansible/inventory/group_vars/all/switches/keyscan
 create mode 100644 releasenotes/notes/switch-skip-keyscan-23b1f5006f443323.yaml
diff --git a/ansible/inventory/group_vars/all/switches/keyscan b/ansible/inventory/group_vars/all/switches/keyscan
new file mode 100644
index 000000000..4fcdd1f5c
--- /dev/null
+++ b/ansible/inventory/group_vars/all/switches/keyscan
@@ -0,0 +1,5 @@
+---
+# Whether to skip scanning SSH keys for switches. In some cases scanning SSH
+# keys may fail e.g. due to unsupported key exchange algorithms on older
+# devices. Default is false.
+switch_skip_keyscan: false
diff --git a/ansible/physical-network.yml b/ansible/physical-network.yml
index c00eb6422..f3bfaf00f 100644
--- a/ansible/physical-network.yml
+++ b/ansible/physical-network.yml
@@ -117,6 +117,7 @@ default(100) }}
 roles:
 - role: ssh-known-host
+ when: not switch_skip_keyscan | bool
 - role: arista-switch
 arista_switch_type: "{{ switch_type }}"
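Review bot: The comment on `switch_skip_keyscan` explains why the scan may fail but not what skipping it costs. Once the `ssh-known-host` role is skipped, nothing records the switch's host key, so the operator has to add a verified key to the control host's known hosts file by hand. The commit message and the .rst section say this, but the variable's own comment is the place an operator sees when overriding it. I would add `# When true, the SSH known hosts file on the Ansible control host must be` and `# populated manually with a verified host key for each affected switch.` above the default.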
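Review bot: Nothing takes the place of the `ssh-known-host` role when `switch_skip_keyscan` is true, so the play moves on to the switch role without checking that a host key for the device is actually present in known hosts. If host key checking is relaxed on the control host (not visible in this diff), the switch is then configured over a connection whose peer was never verified; if it is strict, the run fails later with a less obvious SSH error. A small pre-check that runs only for skipped hosts and fails with a clear message would keep the guarantee the role provided; a sketch is below, where the host variable and the handling of non-default ports are assumptions to confirm against what the `ssh-known-host` role scans. The same applies to the other six hunks in this file (Dell, Dell PowerConnect, Junos, Mellanox, NCLU, NVUE), and each play starts above its hunk and continues below it.

```yaml
  # … unchanged: play header above the hunk …
  pre_tasks:
    - name: Fail early if keyscan is skipped and no host key is recorded
      command: ssh-keygen -F "{{ ansible_host | default(inventory_hostname) }}"
      delegate_to: localhost
      changed_when: false
      when: switch_skip_keyscan | bool
  roles:
    - role: ssh-known-host
      when: not switch_skip_keyscan | bool
```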
@@ -133,6 +134,7 @@ default(100) }}
 roles:
 - role: ssh-known-host
+ when: not switch_skip_keyscan | bool
 - role: dell-switch
 dell_switch_type: "{{ switch_type }}"
@@ -150,6 +152,7 @@ default(100) }}
 roles:
 - role: ssh-known-host
+ when: not switch_skip_keyscan | bool
 - role: stackhpc.network.dell_powerconnect_switch
 dell_powerconnect_switch_type: "{{ switch_type }}"
@@ -166,6 +169,7 @@ default(100) }}
 roles:
 - role: ssh-known-host
+ when: not switch_skip_keyscan | bool
 - role: junos-switch
 junos_switch_type: "{{ switch_type }}"
@@ -183,6 +187,7 @@ default(100) }}
 roles:
 - role: ssh-known-host
+ when: not switch_skip_keyscan | bool
 - role: stackhpc.network.mellanox_switch
 mellanox_switch_type: "{{ switch_type }}"
@@ -199,6 +204,7 @@ default(100) }}
 roles:
 - role: ssh-known-host
+ when: not switch_skip_keyscan | bool
 - role: nclu-switch
 nclu_switch_config: "{{ switch_config }}"
@@ -209,6 +215,7 @@ gather_facts: no
 roles:
 - role: ssh-known-host
+ when: not switch_skip_keyscan | bool
 - role: nvue-switch
 nvue_switch_config: "{{ switch_config }}"
diff --git a/doc/source/configuration/reference/physical-network.rst b/doc/source/configuration/reference/physical-network.rst
index b9146f771..e0e69cc18 100644
--- a/doc/source/configuration/reference/physical-network.rst
+++ b/doc/source/configuration/reference/physical-network.rst
@@ -181,6 +181,15 @@ example:
 description: compute0
 config: "{{ switch_interface_config_compute }}"
+Support for Older Devices
+=========================
+
+Some network devices may use SSH key exchange algorithms that are no longer
+supported by the Ansible control host. This will cause ``ssh-keyscan`` to fail,
+preventing Kayobe from configuring the devices. To work around this, set
+``switch_skip_keyscan`` to ``true`` for the affected devices. The SSH known
+hosts file on the Ansible control host will need to be populated manually.
+
 .. _physical-network-device-specific:
 Device-specific Configuration Variables
diff --git a/releasenotes/notes/switch-skip-keyscan-23b1f5006f443323.yaml b/releasenotes/notes/switch-skip-keyscan-23b1f5006f443323.yaml
new file mode 100644
index 000000000..60a434bc8
--- /dev/null
+++ b/releasenotes/notes/switch-skip-keyscan-23b1f5006f443323.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Adds support for skipping SSH keyscan when configuring switches using
+ ``kayobe physical network configure`` using a ``switch_skip_keyscan``
+ variable.