Add docs around updating undercloud ssh key

The ssh key for the undercloud user is used in provisioning new nodes so special care must be taken when updating the key to ensure the operator is not locked out of new and old nodes. This change provides a bit of documentation around the process for rotating the ssh key for the user on the undercloud. Change-Id: Ia52b775fe6f88f17961e812e03a4f57a93c77f00
2017-06-21 15:30:36 -06:00 · 2017-06-21 15:30:36 -06:00 · f7dbb7fac0
commit f7dbb7fac0
parent 6e056200c5
2 changed files with 42 additions and 0 deletions
--- a/doc/source/post_deployment/post_deployment.rst
+++ b/doc/source/post_deployment/post_deployment.rst
@ -17,3 +17,4 @@ In this chapter you will find advanced management of various |project| areas.
   build_single_image
   upload_single_image
   backup_restore_undercloud
+   update_undercloud_ssh_keys
--- a/doc/source/post_deployment/update_undercloud_ssh_keys.rst
+++ b/doc/source/post_deployment/update_undercloud_ssh_keys.rst
@ -0,0 +1,41 @@
+Updating undercloud user's ssh key
+==================================
+
+In order to update the ssh key for the user on the undercloud, a few steps must
+be done to ensure you do not lock yourself out of the overcloud nodes.  When
+the undercloud is installed, an ssh key is created and added to Nova running
+on the undercloud for provisioning the overcloud nodes. This key is uploaded
+into Nova as the `default` keypair.  To view the keypair run::
+
+    source stackrc
+    openstack keypair list
+
+Process to rotate ssh key
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The process to rotate the user key is as follows:
+
+1. Generate new key and do not replace the existing key. For example::
+
+    ssh-keygen -t rsa -N '' -f ~/new_ssh_key
+
+2. Copy ssh key to all existing hosts for the heat-admin user::
+
+    for HOST in $(openstack server list -f value -c Networks | sed -e 's/ctlplane=//'); do
+        ssh-copy-id -i ~/new_ssh_key heat-admin@$HOST
+    done
+
+3. Update the Undercloud's Nova default keypair::
+
+    openstack keypair delete default
+    openstack keypair create --public-key ~/new_ssh_key.pub default
+
+4. Backup old key and replace it with the new keys::
+
+    mkdir ~/.ssh/old_keys
+    mv ~/.ssh/id_rsa ~/.ssh/old_keys/id_rsa.backup-$(date +'%Y-%m-%d')
+    mv ~/.ssh/id_rsa.pub ~/.ssh/old_keys/id_rsa.pub.backup-$(date +'%Y-%m-%d')
+    mv ~/new_ssh_key ~/.ssh/id_rsa
+    mv ~/new_ssh_key.pub ~/.ssh/id_rsa.pub
+
+5. Remove old key from the allowed hosts on the nodes.