openstack/kolla-ansible
Code Issues Proposed changes

Fix keystone fernet file exchange via ssh

Browse Source 
* install openssh client in keystone-fernet container
* install rsync in keystone-ssh container
* fix syntax issue in ssh configuration
* copy ssh configuration into keystone-fernet container
* copy id_rsa.pub into keystone-ssh container
* copy id_rsa into keystone-fernet container
* use full path to ssh binary in used scripts
* add missing newlines at EOF
* when using type source set /var/lib/keystone as home
  directory for the user keystone

Co-Authored-By: Jeffrey Zhang <jeffrey.zhang@99cloud.net>
Change-Id: Id6b41030056a69f6516a054beb2fc0e08226e876
Closes-bug: #1623013
This commit is contained in:
Christian Berendt 2016-09-13 14:27:15 +02:00 committed by Jeffrey Zhang
parent 40e768ec2a
commit bedca5b35e
13 changed files with 38 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ansible/roles/keystone/tasks/config.yml
View File

@ -101,6 +101,8 @@
- { src: "crontab.j2", dest: "crontab" } - { src: "crontab.j2", dest: "crontab" }
- { src: "fernet-rotate.sh.j2", dest: "fernet-rotate.sh" } - { src: "fernet-rotate.sh.j2", dest: "fernet-rotate.sh" }
- { src: "fernet-node-sync.sh.j2", dest: "fernet-node-sync.sh" } - { src: "fernet-node-sync.sh.j2", dest: "fernet-node-sync.sh" }
- { src: "id_rsa", dest: "id_rsa" }
- { src: "ssh_config.j2", dest: "ssh_config" }
when: keystone_token_provider == 'fernet' when: keystone_token_provider == 'fernet'
- name: Copying files for keystone-ssh - name: Copying files for keystone-ssh
@ -109,7 +111,5 @@
dest: "{{ node_config_directory }}/keystone-ssh/{{ item.dest }}" dest: "{{ node_config_directory }}/keystone-ssh/{{ item.dest }}"
with_items: with_items:
- { src: "sshd_config.j2", dest: "sshd_config" } - { src: "sshd_config.j2", dest: "sshd_config" }
- { src: "id_rsa", dest: "id_rsa" }
- { src: "id_rsa.pub", dest: "id_rsa.pub" } - { src: "id_rsa.pub", dest: "id_rsa.pub" }
- { src: "ssh_config.j2", dest: "ssh_config" }
when: keystone_token_provider == 'fernet' when: keystone_token_provider == 'fernet'

2
ansible/roles/keystone/templates/crontab.j2
View File

@ -1,3 +1,3 @@
{% for cron_job in cron_jobs %} {% for cron_job in cron_jobs %}
{{ cron_job['min'] }} {{ cron_job['hour'] }} * * {{ cron_job['day'] }} /usr/bin/fernet-rotate.sh {{ cron_job['min'] }} {{ cron_job['hour'] }} * * {{ cron_job['day'] }} /usr/bin/fernet-rotate.sh
{% endfor %} {% endfor %}

4
ansible/roles/keystone/templates/fernet-node-sync.sh.j2
View File

@ -11,6 +11,6 @@ fi
# For each host node sync tokens # For each host node sync tokens
{% for host in groups['keystone'] %} {% for host in groups['keystone'] %}
{% if inventory_hostname != host %} {% if inventory_hostname != host %}
/usr/bin/rsync -azu --delete -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }}' keystone@{{ host }}:/etc/keystone/fernet-keys/ /etc/keystone/fernet-keys /usr/bin/rsync -azu --delete -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }} -F /var/lib/keystone/.ssh/config' keystone@{{ host }}:/etc/keystone/fernet-keys/ /etc/keystone/fernet-keys
{% endif %} {% endif %}
{% endfor %} {% endfor %}

4
ansible/roles/keystone/templates/fernet-rotate.sh.j2
View File

@ -4,6 +4,6 @@ keystone-manage --config-file /etc/keystone/keystone.conf fernet_rotate --keysto
{% for host in groups['keystone'] %} {% for host in groups['keystone'] %}
{% if inventory_hostname != host %} {% if inventory_hostname != host %}
/usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }}' --delete /etc/keystone/fernet-keys/ keystone@{{ host }}:/etc/keystone/fernet-keys /usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }} -F /var/lib/keystone/.ssh/config' --delete /etc/keystone/fernet-keys/ keystone@{{ host }}:/etc/keystone/fernet-keys
{% endif %} {% endif %}
{% endfor %} {% endfor %}

2
ansible/roles/keystone/templates/id_rsa
View File

@ -1 +1 @@
{{ keystone_ssh_key.private_key }} {{ keystone_ssh_key.private_key }}

2
ansible/roles/keystone/templates/id_rsa.pub
View File

@ -1 +1 @@
{{ keystone_ssh_key.public_key }} {{ keystone_ssh_key.public_key }}

12
ansible/roles/keystone/templates/keystone-fernet.json.j2
View File

@ -24,6 +24,18 @@
"dest": "/usr/bin/fernet-node-sync.sh", "dest": "/usr/bin/fernet-node-sync.sh",
"owner": "root", "owner": "root",
"perm": "0755" "perm": "0755"
},
{
"source": "{{ container_config_directory }}/ssh_config",
"dest": "/var/lib/keystone/.ssh/config",
"owner": "keystone",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/id_rsa",
"dest": "/var/lib/keystone/.ssh/id_rsa",
"owner": "keystone",
"perm": "0600"
} }
] ]
} }

14
ansible/roles/keystone/templates/keystone-ssh.json.j2
View File

@ -7,18 +7,6 @@
"owner": "root", "owner": "root",
"perm": "0644" "perm": "0644"
}, },
{
"source": "{{ container_config_directory }}/ssh_config",
"dest": "/var/lib/keystone/.ssh/config",
"owner": "keystone",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/id_rsa",
"dest": "/var/lib/keystone/.ssh/id_rsa",
"owner": "keystone",
"perm": "0600"
},
{ {
"source": "{{ container_config_directory }}/id_rsa.pub", "source": "{{ container_config_directory }}/id_rsa.pub",
"dest": "/var/lib/keystone/.ssh/authorized_keys", "dest": "/var/lib/keystone/.ssh/authorized_keys",
@ -26,4 +14,4 @@
"perm": "0600" "perm": "0600"
} }
] ]
} }

4
ansible/roles/keystone/templates/ssh_config.j2
View File

@ -1,4 +1,4 @@
Host {% for host in groups['keystone'] %}{% if inventory_hostname != host %}{{ host }} {% endif %}{% endfor %} Host *
StrictHostKeyChecking no StrictHostKeyChecking no
UserKnownHostsFile /dev/null UserKnownHostsFile /dev/null
Port {{ keystone_ssh_port }} Port {{ keystone_ssh_port }}

2
ansible/roles/keystone/templates/sshd_config.j2
View File

@ -2,4 +2,4 @@ Port {{ keystone_ssh_port }}
ListenAddress {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }} ListenAddress {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
SyslogFacility AUTHPRIV SyslogFacility AUTHPRIV
UsePAM yes UsePAM yes

6
docker/keystone/keystone-base/Dockerfile.j2
View File

@ -61,13 +61,13 @@ RUN echo > /etc/apache2/ports.conf
{% block keystone_source_install %} {% block keystone_source_install %}
ADD keystone-base-archive /keystone-base-source ADD keystone-base-archive /keystone-base-source
RUN ln -s keystone-base-source/* keystone \ RUN ln -s keystone-base-source/* keystone \
&& useradd --user-group keystone \ && useradd --user-group --create-home --home-dir /var/lib/keystone keystone \
&& /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /keystone \ && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /keystone \
&& mkdir -p /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \ && mkdir -p /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 \
&& cp -r /keystone/etc/* /etc/keystone/ \ && cp -r /keystone/etc/* /etc/keystone/ \
&& cp /var/lib/kolla/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \ && cp /var/lib/kolla/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
&& cp /var/lib/kolla/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/main \ && cp /var/lib/kolla/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/main \
&& chown -R keystone: /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone && chown -R keystone: /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2
{% endblock %} {% endblock %}
{% endif %} {% endif %}

2
docker/keystone/keystone-fernet/Dockerfile.j2
View File

@ -8,11 +8,13 @@ MAINTAINER {{ maintainer }}
{% if base_distro in ['fedora', 'centos', 'oraclelinux', 'rhel'] %} {% if base_distro in ['fedora', 'centos', 'oraclelinux', 'rhel'] %}
{% set keystone_fernet_packages = [ {% set keystone_fernet_packages = [
'cronie', 'cronie',
'openssh-clients',
'rsync' 'rsync'
] %} ] %}
{% elif base_distro in ['ubuntu', 'debian'] %} {% elif base_distro in ['ubuntu', 'debian'] %}
{% set keystone_fernet_packages = [ {% set keystone_fernet_packages = [
'cron', 'cron',
'openssh-client',
'rsync' 'rsync'
] %} ] %}
{% endif %} {% endif %}

10
docker/keystone/keystone-ssh/Dockerfile.j2
View File

@ -6,9 +6,15 @@ MAINTAINER {{ maintainer }}
{% import "macros.j2" as macros with context %} {% import "macros.j2" as macros with context %}
{% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %} {% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %}
{% set keystone_ssh_packages = ['openssh-server'] %} {% set keystone_ssh_packages = [
'openssh-server',
'rsync'
] %}
{% elif base_distro in ['ubuntu', 'debian'] %} {% elif base_distro in ['ubuntu', 'debian'] %}
{% set keystone_ssh_packages = ['openssh-server'] %} {% set keystone_ssh_packages = [
'openssh-server',
'rsync'
] %}
RUN mkdir -p /var/run/sshd \ RUN mkdir -p /var/run/sshd \
&& chmod 0755 /var/run/sshd && chmod 0755 /var/run/sshd