Fix ssh config in nova to support cold migrations
- Fix .ssh/config file mapping - Move private key from nova-compute-ssh container to nova-compute container. - Map private and public keys to configmap-ssh which will default to the appropriate file permissions. - Add additional config to /etc/ssh/sshd_config to allow passwordless root logins over appropriate subnet passed in from overrides. - Remove chmods from sshd bash script as they are failing. Depends on helm-toolkit supporting multiple containers per daemonset pod. Story: 2003463 Task: 24723 Change-Id: Idd2e802c293f1e14991ee787ade9a4936fb373ff Signed-off-by: Gerry Kopec <Gerry.Kopec@windriver.com>
This commit is contained in:
parent
72829f71fa
commit
5a7c6581ad
@ -33,8 +33,21 @@ if [[ $(stat -c %U:%G ~nova/.ssh) != "nova:nova" ]]; then
|
||||
chown nova: ~nova/.ssh
|
||||
fi
|
||||
|
||||
chmod 0600 ~root/.ssh/authorized_keys
|
||||
chmod 0600 ~root/.ssh/id_rsa
|
||||
chmod 0600 ~root/.ssh/id_rsa.pub
|
||||
{{- if .Values.network.sshd.enabled }}
|
||||
subnet_address="{{- .Values.network.sshd.from_subnet -}}"
|
||||
cat > /tmp/sshd_config_extend <<EOF
|
||||
|
||||
# This Match block prevents Password Authentication for root user
|
||||
Match User root
|
||||
PasswordAuthentication no
|
||||
|
||||
# This Match Block is used to allow Root Login exceptions over the
|
||||
# internal subnet used by Nova Migrations
|
||||
Match Address $subnet_address
|
||||
PermitRootLogin without-password
|
||||
EOF
|
||||
cat /tmp/sshd_config_extend >> /etc/ssh/sshd_config
|
||||
rm /tmp/sshd_config_extend
|
||||
{{- end }}
|
||||
|
||||
exec /usr/sbin/sshd -D -e -o Port=$SSH_PORT
|
||||
|
@ -232,8 +232,8 @@ data:
|
||||
logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
|
||||
nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }}
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }}
|
||||
# FIXME(portdirect): why is this file suffixed .sh?
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config.sh" "format" "Secret" ) | indent 2 }}
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config" "format" "Secret" ) | indent 2 }}
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.manifests.configmap_etc }}
|
||||
|
35
nova/templates/configmap-ssh.yaml
Executable file
35
nova/templates/configmap-ssh.yaml
Executable file
@ -0,0 +1,35 @@
|
||||
{{/*
|
||||
Copyright 2019 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "nova.configmap.ssh" }}
|
||||
{{- $envAll := index . 1 }}
|
||||
{{- with $envAll }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: nova-ssh
|
||||
type: Opaque
|
||||
data:
|
||||
ssh-key-private: {{ .Values.conf.ssh_private | b64enc }}
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh_public "key" "ssh-key-public" "format" "Secret" ) | indent 2 }}
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.manifests.configmap_etc }}
|
||||
{{- list "nova-ssh" . | include "nova.configmap.ssh" }}
|
||||
{{- end }}
|
@ -258,6 +258,9 @@ spec:
|
||||
mountPath: /root/.ssh/config
|
||||
subPath: ssh-config
|
||||
readOnly: true
|
||||
- name: nova-ssh
|
||||
mountPath: /root/.ssh/id_rsa
|
||||
subPath: ssh-key-private
|
||||
{{- if .Values.conf.ceph.enabled }}
|
||||
- name: etcceph
|
||||
mountPath: /etc/ceph
|
||||
@ -314,13 +317,10 @@ spec:
|
||||
mountPath: /var/lib/nova
|
||||
- name: varliblibvirt
|
||||
mountPath: /var/lib/libvirt
|
||||
- name: nova-etc
|
||||
mountPath: /root/.ssh/id_rsa
|
||||
subPath: ssh-key-private
|
||||
- name: nova-etc
|
||||
- name: nova-ssh
|
||||
mountPath: /root/.ssh/id_rsa.pub
|
||||
subPath: ssh-key-public
|
||||
- name: nova-etc
|
||||
- name: nova-ssh
|
||||
mountPath: /root/.ssh/authorized_keys
|
||||
subPath: ssh-key-public
|
||||
- name: nova-bin
|
||||
@ -336,6 +336,10 @@ spec:
|
||||
secret:
|
||||
secretName: {{ $configMapName }}
|
||||
defaultMode: 0444
|
||||
- name: nova-ssh
|
||||
secret:
|
||||
secretName: nova-ssh
|
||||
defaultMode: 0400
|
||||
{{- if .Values.conf.ceph.enabled }}
|
||||
- name: etcceph
|
||||
hostPath:
|
||||
|
@ -211,6 +211,9 @@ network:
|
||||
ssh:
|
||||
name: "nova-ssh"
|
||||
port: 8022
|
||||
sshd:
|
||||
enabled: false
|
||||
from_subnet: 0.0.0.0/24
|
||||
|
||||
dependencies:
|
||||
dynamic:
|
||||
@ -468,6 +471,8 @@ conf:
|
||||
StrictHostKeyChecking no
|
||||
UserKnownHostsFile /dev/null
|
||||
Port {{ .Values.network.ssh.port }}
|
||||
ssh_private: 'null'
|
||||
ssh_public: 'null'
|
||||
rally_tests:
|
||||
run_tempest: false
|
||||
tests:
|
||||
|
Loading…
x
Reference in New Issue
Block a user