From 14848c07a91c61b84128ed366c8f29e53a41ab14 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Wed, 3 Sep 2014 13:53:04 -0500
Subject: [PATCH] revised nova-compute ssh keys
---
 .../playbooks/openstack/nova-all.yml | 1 +
 .../playbooks/openstack/nova-compute-keys.yml | 42 +++++++++++++
 .../playbooks/openstack/nova-compute.yml | 1 -
 .../nova_compute_sshkey_create/tasks/main.yml | 40 ++++++++++++-
 .../nova_compute_sshkey_setup/tasks/main.yml | 59 +++++--------------
 5 files changed, 97 insertions(+), 46 deletions(-)
 create mode 100644 rpc_deployment/playbooks/openstack/nova-compute-keys.yml
diff --git a/rpc_deployment/playbooks/openstack/nova-all.yml b/rpc_deployment/playbooks/openstack/nova-all.yml
index ea7d9c51e0..83e733cf54 100644
--- a/rpc_deployment/playbooks/openstack/nova-all.yml
+++ b/rpc_deployment/playbooks/openstack/nova-all.yml
@@ -19,4 +19,5 @@
 - include: nova-scheduler.yml
 - include: nova-conductor.yml
 - include: nova-compute.yml
+- include: nova-compute-keys.yml
 - include: nova-spice-console.yml
diff --git a/rpc_deployment/playbooks/openstack/nova-compute-keys.yml b/rpc_deployment/playbooks/openstack/nova-compute-keys.yml
new file mode 100644
index 0000000000..fbdb611372
--- /dev/null
+++ b/rpc_deployment/playbooks/openstack/nova-compute-keys.yml
@@ -0,0 +1,42 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: localhost
+ user: root
+ gather_facts: false
+ tasks:
+ - name: Remove [ /tmp/authorized_keys ] file if found
+ file:
+ path: "/tmp/authorized_keys"
+ state: "absent"
+
+- hosts: nova_compute
+ user: root
+ roles:
+ - nova_compute_sshkey_create
+
+- hosts: nova_compute
+ user: root
+ roles:
+ - nova_compute_sshkey_setup
+
+- hosts: localhost
+ user: root
+ gather_facts: false
+ tasks:
+ - name: Remove [ /tmp/authorized_keys ] file if found
+ file:
+ path: "/tmp/authorized_keys"
+ state: "absent"
diff --git a/rpc_deployment/playbooks/openstack/nova-compute.yml b/rpc_deployment/playbooks/openstack/nova-compute.yml
index f9e64a2d47..51e1958f7a 100644
--- a/rpc_deployment/playbooks/openstack/nova-compute.yml
+++ b/rpc_deployment/playbooks/openstack/nova-compute.yml
@@ -33,7 +33,6 @@
 - nova_libvirt
 - galera_client_cnf
 - init_script
- - nova_compute_sshkey_setup
 vars_files:
 - inventory/group_vars/nova_all.yml
 - vars/config_vars/container_config_nova_compute.yml
diff --git a/rpc_deployment/roles/nova_compute_sshkey_create/tasks/main.yml b/rpc_deployment/roles/nova_compute_sshkey_create/tasks/main.yml
index a8e0fa5782..f43f2bc432 100644
--- a/rpc_deployment/roles/nova_compute_sshkey_create/tasks/main.yml
+++ b/rpc_deployment/roles/nova_compute_sshkey_create/tasks/main.yml
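Review bot: The cross-node authorized_keys file is assembled at the fixed path `/tmp/authorized_keys` on the deployment host (here, and again in the `lineinfile` task of nova_compute_sshkey_create and the `synchronize` task of nova_compute_sshkey_setup in this patch), a shared world-writable directory where any other local account can create or replace that file between the `state: "absent"` play and the `lineinfile` appends, and whatever it then contains is pushed to every compute node as nova's `authorized_keys`. Build the file instead in a directory only the deployment user can write, created fresh per run with mode 0700 (for example under that user's home), and hold the path in one play variable so the three places that hardcode it cannot drift, e.g. `path: "{{ nova_authorized_keys_build }}"` (constructed variable name). The final cleanup play only runs when every earlier play succeeds, which is acceptable here because the first play removes any leftover before the build starts, but that reasoning deserves a one-line comment above the first play.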
@@ -13,7 +13,43 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+- name: Create the keys directory for the nova user
+ file:
+ state: "directory"
+ path: "/var/lib/nova/.ssh"
+ group: "nova"
+ owner: "nova"
+ mode: "0700"
+
+- name: Remove old key if found
+ file:
+ path: "{{ item }}"
+ state: "absent"
+ with_items:
+ - "/var/lib/nova/.ssh/nova"
+ - "/var/lib/nova/.ssh/nova.pub"
+
 - name: Create the nova SSH key if it doesnt exist
- shell: >
- ls ~/.ssh/nova 2>/dev/null || ssh-keygen -f ~/.ssh/nova -t rsa -q -N ""
+ shell: ssh-keygen -f /var/lib/nova/.ssh/nova -t rsa -q -N ""
+
+- name: Change permissions on the generated keys
+ file:
+ path: "{{ item.path }}"
+ group: "nova"
+ owner: "nova"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { path: "/var/lib/nova/.ssh/nova", mode: "0600" }
+ - { path: "/var/lib/nova/.ssh/nova.pub", mode: "0644" }
+
+- name: Get public key contents
+ command: cat /var/lib/nova/.ssh/nova.pub
+ register: nova_pub
+ changed_when: false
+
+- name: Build authorized keys
+ lineinfile:
+ dest: "/tmp/authorized_keys"
+ line: "{{ nova_pub.stdout }}"
+ create: "yes"
 delegate_to: localhost
diff --git a/rpc_deployment/roles/nova_compute_sshkey_setup/tasks/main.yml b/rpc_deployment/roles/nova_compute_sshkey_setup/tasks/main.yml
index ed1035d5a9..33a296b34f 100644
--- a/rpc_deployment/roles/nova_compute_sshkey_setup/tasks/main.yml
+++ b/rpc_deployment/roles/nova_compute_sshkey_setup/tasks/main.yml
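Review bot: `Remove old key if found` deletes the key pair unconditionally and the following `shell: ssh-keygen` task regenerates it, so the task still named `Create the nova SSH key if it doesnt exist` now rotates every compute node's nova key on every run and always reports changed. If per-run rotation is intended, rename the task and document that a partial run (for example with `--limit`) leaves the untouched nodes holding an `authorized_keys` that no longer matches the rotated hosts; if it is not, drop the remove task and make generation idempotent with `args:` / `creates: /var/lib/nova/.ssh/nova`, at which point `shell:` can become `command:` since no shell features are used. Minor: `create: "yes"` in the `lineinfile` task should be the boolean `create: true`.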
@@ -13,49 +13,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-- name: Create the keys directory for the nova user
- file: >
- state=directory
- path=/var/lib/nova/.ssh
- group=nova
- owner=nova
- mode=0700
-
-- name: Set nova users shell to /bin/bash and generate ssh_key
- user: >
- name=nova
- shell=/bin/bash
-
-- name: Copy private key up to nova nodes
- copy: >
- src="~/.ssh/nova"
- dest=/var/lib/nova/.ssh/id_rsa
- owner=nova
- group=nova
- mode=0600
-
-- name: Copy public key up to nova nodes
- copy: >
- src="~/.ssh/nova.pub"
- dest=/var/lib/nova/.ssh/id_rsa.pub
- owner=nova
- group=nova
- mode=0644
-
-- name: Add key to authorized_keys file
- authorized_key:
- user=nova
- path=/var/lib/nova/.ssh/authorized_keys
- manage_dir=no
- key="{{ lookup('file', '/var/lib/nova/.ssh/id_rsa.pub') }}"
-
 - name: Prevent known_hosts from causing an issue
- copy: >
- src=ssh_config
- dest="/var/lib/nova/.ssh/config"
- owner=nova
- group=nova
- mode=0644
-
+ copy:
+ src: "ssh_config"
+ dest: "/var/lib/nova/.ssh/config"
+ owner: "nova"
+ group: "nova"
+ mode: "0644"
+- name: Sync authorized_keys file
+ synchronize:
+ src: /tmp/authorized_keys
+ dest: /var/lib/nova/.ssh/authorized_keys
+- name: Set authorized_keys permissions
+ file:
+ path: "/var/lib/nova/.ssh/authorized_keys"
+ owner: "nova"
+ group: "nova"
+ mode: "0600"
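Review bot: The task that set the nova user's shell to `/bin/bash` is dropped without a replacement in this patch; unless the shell is now set elsewhere (not visible here), the nova account keeps the package default shell and the key-based SSH between compute nodes that `authorized_keys` is being distributed for will not get a usable session, so either keep that task or note where it moved. Separately, `synchronize` writes `/tmp/authorized_keys` to the node with rsync's copied ownership and mode and only the following `file` task corrects them, the new tasks are not separated by blank lines like the rest of the role, and the `synchronize` module needs rsync on both ends; a single `copy:` with `owner`/`group`/`mode` replaces both tasks and sets the final permissions in the same step. If this `ssh_config` disables host-key checking (the file is not in the diff), a comment on the `Prevent known_hosts` task stating that trade-off would help the next reader.
```yaml
- name: Sync authorized_keys file
  copy:
    src: "/tmp/authorized_keys"
    dest: "/var/lib/nova/.ssh/authorized_keys"
    owner: "nova"
    group: "nova"
    mode: "0600"
```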