revised nova-compute ssh keys

rpc_deployment/playbooks/openstack/nova-all.yml

@@ -19,4 +19,5 @@
 - include: nova-scheduler.yml
 - include: nova-conductor.yml
 - include: nova-compute.yml
+- include: nova-compute-keys.yml
 - include: nova-spice-console.yml

rpc_deployment/playbooks/openstack/nova-compute-keys.yml

@@ -0,0 +1,42 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: localhost
+  user: root
+  gather_facts: false
+  tasks:
+    - name: Remove [ /tmp/authorized_keys ] file if found
+      file:
+        path: "/tmp/authorized_keys"
+        state: "absent"
+
+- hosts: nova_compute
+  user: root
+  roles:
+    - nova_compute_sshkey_create
+
+- hosts: nova_compute
+  user: root
+  roles:
+    - nova_compute_sshkey_setup
+
+- hosts: localhost
+  user: root
+  gather_facts: false
+  tasks:
+    - name: Remove [ /tmp/authorized_keys ] file if found
+      file:
+        path: "/tmp/authorized_keys"
+        state: "absent"

rpc_deployment/playbooks/openstack/nova-compute.yml

@@ -33,7 +33,6 @@
     - nova_libvirt
     - galera_client_cnf
     - init_script
-    - nova_compute_sshkey_setup
   vars_files:
     - inventory/group_vars/nova_all.yml
     - vars/config_vars/container_config_nova_compute.yml

rpc_deployment/roles/nova_compute_sshkey_create/tasks/main.yml

@@ -13,7 +13,43 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Create the keys directory for the nova user
+  file:
+    state: "directory"
+    path: "/var/lib/nova/.ssh"
+    group: "nova"
+    owner: "nova"
+    mode: "0700"
+
+- name: Remove old key if found
+  file:
+    path: "{{ item }}"
+    state: "absent"
+  with_items:
+    - "/var/lib/nova/.ssh/nova"
+    - "/var/lib/nova/.ssh/nova.pub"
+
 - name: Create the nova SSH key if it doesnt exist
-  shell: >
-    ls ~/.ssh/nova 2>/dev/null || ssh-keygen -f ~/.ssh/nova -t rsa -q -N ""
+  shell: ssh-keygen -f /var/lib/nova/.ssh/nova -t rsa -q -N ""
+
+- name: Change permissions on the generated keys
+  file:
+    path: "{{ item.path }}"
+    group: "nova"
+    owner: "nova"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { path: "/var/lib/nova/.ssh/nova", mode: "0600" }
+    - { path: "/var/lib/nova/.ssh/nova.pub", mode: "0644" }
+
+- name: Get public key contents
+  command: cat /var/lib/nova/.ssh/nova.pub
+  register: nova_pub
+  changed_when: false
+
+- name: Build authorized keys
+  lineinfile: 
+    dest: "/tmp/authorized_keys"
+    line: "{{ nova_pub.stdout }}"
+    create: "yes"
   delegate_to: localhost

rpc_deployment/roles/nova_compute_sshkey_setup/tasks/main.yml

@@ -13,49 +13,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Create the keys directory for the nova user
-  file: >
-    state=directory
-    path=/var/lib/nova/.ssh
-    group=nova
-    owner=nova
-    mode=0700
-
-- name: Set nova users shell to /bin/bash and generate ssh_key
-  user: >
-    name=nova
-    shell=/bin/bash
-
-- name: Copy private key up to nova nodes
-  copy: >
-    src="~/.ssh/nova"
-    dest=/var/lib/nova/.ssh/id_rsa
-    owner=nova
-    group=nova
-    mode=0600
-
-- name: Copy public key up to nova nodes
-  copy: >
-    src="~/.ssh/nova.pub"
-    dest=/var/lib/nova/.ssh/id_rsa.pub
-    owner=nova
-    group=nova
-    mode=0644
-
-- name: Add key to authorized_keys file
-  authorized_key:
-    user=nova
-    path=/var/lib/nova/.ssh/authorized_keys
-    manage_dir=no
-    key="{{ lookup('file', '/var/lib/nova/.ssh/id_rsa.pub') }}"
-
 - name: Prevent known_hosts from causing an issue
-  copy: >
-    src=ssh_config
-    dest="/var/lib/nova/.ssh/config"
-    owner=nova
-    group=nova
-    mode=0644
-
+  copy:
+    src: "ssh_config"
+    dest: "/var/lib/nova/.ssh/config"
+    owner: "nova"
+    group: "nova"
+    mode: "0644"
 
+- name: Sync authorized_keys file
+  synchronize:
+    src: /tmp/authorized_keys
+    dest: /var/lib/nova/.ssh/authorized_keys
 
+- name: Set authorized_keys permissions
+  file:
+    path: "/var/lib/nova/.ssh/authorized_keys"
+    owner: "nova"
+    group: "nova"
+    mode: "0600"