From 3153f27c245cc1bbb23f1ec9af85272cf6d7aebd Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Wed, 20 Nov 2019 14:22:28 +1100
Subject: [PATCH] vos-release: fix key sourcing; disable exclusive key

I wasn't correctly sourcing the key; it has to come from hostvars as it is in a different play on different hosts. This fixes it. We also need to not have the base roles overwrite the authorized_keys file each time. The key we provision can only run a limited script that wraps "vos release". Unfortunately our gitops falls down a bit here because we don't have full testing for the AFS servers; put this on the todo list :) I have run this manually for testing.

Change-Id: I0995434bde7e43082c01daa331c4b8b268d9b4bc
---
 playbooks/group_vars/afs.yaml | 5 +++++
 playbooks/roles/vos-release/README.rst | 8 ++++----
 playbooks/roles/vos-release/tasks/main.yaml | 8 +++++---
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/playbooks/group_vars/afs.yaml b/playbooks/group_vars/afs.yaml
index 2314190b2e..d6fa5c665f 100644
--- a/playbooks/group_vars/afs.yaml
+++ b/playbooks/group_vars/afs.yaml
@@ -1 +1,6 @@
 iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
+
+# we allow a special key deployed on the mirror-update hosts to run a
+# restricted script that runs "vos release" with localauth
+# permissions, to avoid timeouts. See vos-release role.
+bastion_key_exclusive: false
\ No newline at end of file
diff --git a/playbooks/roles/vos-release/README.rst b/playbooks/roles/vos-release/README.rst
index 27d2b9d1f4..7683e52692 100644
--- a/playbooks/roles/vos-release/README.rst
+++ b/playbooks/roles/vos-release/README.rst
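Review bot: `bastion_key_exclusive: false` relaxes authorized_keys management for every host in the afs group rather than for the one key this change adds, so any entry added by hand or left behind by an earlier run is no longer pruned on the next run, and a retired mirror-update host's key stays valid until someone removes it. If the base role can take extra keys into the set it manages exclusively, feeding the vos-release public key into that set keeps reconciliation on; if it cannot, the comment should record the consequence, e.g. `# NOTE: exclusive mode is off, so keys outside the base role are not pruned; remove retired mirror-update keys by hand`. The new last line also lacks a trailing newline (`\ No newline at end of file`).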
@@ -5,10 +5,10 @@ Install a user and script to do remote ``vos release`` with timeouts.
 This relies on ``vos_release_keypair`` which is expected to be a
-single keypair from the mirror-update host. It will allow that
-keypair to run ``/usr/local/bin/vos_release.sh``, which filters the
-incoming command. Releases are expected to be triggered on the update
-host with::
+single keypair set previously by hosts in the "mirror-update" group.
+It will allow that keypair to run ``/usr/local/bin/vos_release.sh``,
+which filters the incoming command. Releases are expected to be
+triggered on the update host with::
 ssh -i /root/.ssh/id_vos_release afs01.dfw.openstack.org vos release .
diff --git a/playbooks/roles/vos-release/tasks/main.yaml b/playbooks/roles/vos-release/tasks/main.yaml
index de42074e2e..cb38a5fa5c 100644
--- a/playbooks/roles/vos-release/tasks/main.yaml
+++ b/playbooks/roles/vos-release/tasks/main.yaml
@@ -9,11 +9,13 @@
 - name: Ensure update key
 assert:
 that:
- - vos_release_keypair is defined
+ - hostvars[item]['vos_release_keypair'] is defined
+ with_inventory_hostnames: mirror-update
 
 - name: Install vos release key
 authorized_key:
 user: 'root'
 state: present
- key: '{{ vos_release_keypair["public_key"] }}'
- key_options: 'command="/usr/local/bin/vos_release.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
\ No newline at end of file
+ key: '{{ hostvars[item]["vos_release_keypair"]["public_key"] }}'
+ key_options: 'command="/usr/local/bin/vos_release.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
+ with_inventory_hostnames: mirror-update
\ No newline at end of file
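Review bot: Both new `with_inventory_hostnames: mirror-update` loops pass vacuously when the group is empty or misspelled, so the assert succeeds, no key is installed, and the problem only surfaces later when the ssh from the update host is refused; a guard ahead of the loop such as `- assert:` / `that: "groups['mirror-update'] | length > 0"` would fail the play at the point the data is missing. The `hostvars[item]['vos_release_keypair']` lookup also only resolves when the play that sets it on the mirror-update hosts ran earlier in the same ansible-playbook invocation (inferred from the commit message), which deserves a comment on the assert, e.g. `# set by the mirror-update play; it must run before this role in the same playbook`. Since `item` names the originating host, the `key_options` line could additionally carry a `from=` restriction built from that host's address (presumably `hostvars[item]['ansible_host']`; confirm against the inventory) so the command-restricted key is only accepted from the mirror-update hosts. The new side still ends with `\ No newline at end of file`.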