Support skipping SSH keyscan for older switch devices

Some network devices may use SSH key exchange algorithms that are no longer supported by the Ansible control host. This will cause ssh-keyscan to fail, preventing Kayobe from configuring the devices. This change makes it possible to work around the issue by setting switch_skip_keyscan to true for the affected devices. The SSH known hosts file on the Ansible control host will need to be populated manually. Change-Id: I4e3394cff1fd86eb5c1a4be55d6fd7fd080b2944
2024-08-19 15:52:34 +00:00 · 2024-08-19 15:52:34 +00:00 · 7e3e6558de
commit 7e3e6558de
parent da4bcb59b6
4 changed files with 27 additions and 0 deletions
--- a/ansible/inventory/group_vars/all/switches/keyscan
+++ b/ansible/inventory/group_vars/all/switches/keyscan
@ -0,0 +1,5 @@
+---
+# Whether to skip scanning SSH keys for switches. In some cases scanning SSH
+# keys may fail e.g. due to unsupported key exchange algorithms on older
+# devices.  Default is false.
+switch_skip_keyscan: false
--- a/ansible/physical-network.yml
+++ b/ansible/physical-network.yml
@ -117,6 +117,7 @@
       default(100) }}
  roles:
    - role: ssh-known-host
+      when: not switch_skip_keyscan | bool

    - role: arista-switch
      arista_switch_type: "{{ switch_type }}"
@ -133,6 +134,7 @@
       default(100) }}
  roles:
    - role: ssh-known-host
+      when: not switch_skip_keyscan | bool

    - role: dell-switch
      dell_switch_type: "{{ switch_type }}"
@ -150,6 +152,7 @@
       default(100) }}
  roles:
    - role: ssh-known-host
+      when: not switch_skip_keyscan | bool

    - role: stackhpc.network.dell_powerconnect_switch
      dell_powerconnect_switch_type: "{{ switch_type }}"
@ -166,6 +169,7 @@
       default(100) }}
  roles:
    - role: ssh-known-host
+      when: not switch_skip_keyscan | bool

    - role: junos-switch
      junos_switch_type: "{{ switch_type }}"
@ -183,6 +187,7 @@
       default(100) }}
  roles:
    - role: ssh-known-host
+      when: not switch_skip_keyscan | bool

    - role: stackhpc.network.mellanox_switch
      mellanox_switch_type: "{{ switch_type }}"
@ -199,6 +204,7 @@
       default(100) }}
  roles:
    - role: ssh-known-host
+      when: not switch_skip_keyscan | bool

    - role: nclu-switch
      nclu_switch_config: "{{ switch_config }}"
@ -209,6 +215,7 @@
  gather_facts: no
  roles:
    - role: ssh-known-host
+      when: not switch_skip_keyscan | bool

    - role: nvue-switch
      nvue_switch_config: "{{ switch_config }}"
--- a/doc/source/configuration/reference/physical-network.rst
+++ b/doc/source/configuration/reference/physical-network.rst
@ -181,6 +181,15 @@ example:
       description: compute0
       config: "{{ switch_interface_config_compute }}"

+Support for Older Devices
+=========================
+
+Some network devices may use SSH key exchange algorithms that are no longer
+supported by the Ansible control host. This will cause ``ssh-keyscan`` to fail,
+preventing Kayobe from configuring the devices. To work around this, set
+``switch_skip_keyscan`` to ``true`` for the affected devices. The SSH known
+hosts file on the Ansible control host will need to be populated manually.
+
 .. _physical-network-device-specific:

 Device-specific Configuration Variables
--- a/releasenotes/notes/switch-skip-keyscan-23b1f5006f443323.yaml
+++ b/releasenotes/notes/switch-skip-keyscan-23b1f5006f443323.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds support for skipping SSH keyscan when configuring switches using
+    ``kayobe physical network configure`` using a ``switch_skip_keyscan``
+    variable.