Refactor root ssh config, add admin net and domain to list of host nets

SSH config for root user should use key auth regardless of hostname. This enables deployment to hosts that have IP addresses outside of RFC 1918 ranges. Host network should include admin network expressed by wildcard. Added extra_admin_networks and Fuel DNS domain in the list as well. Added new function ipcalc_network_wildcard Change-Id: I21501feb9e2f9cce83600596889f3f9b89174310 Closes-Bug: #1491912 Co-Authored-By: Dmitry Ilyin <dilyin@mirantis.com>
2015-09-03 19:44:25 +03:00 · 2015-09-03 19:44:25 +03:00 · a1109ac546
commit a1109ac546
parent befb7243e4
5 changed files with 72 additions and 7 deletions
--- a/deployment/puppet/nailgun/examples/host-only.pp
+++ b/deployment/puppet/nailgun/examples/host-only.pp
@ -15,6 +15,11 @@ else {
 $ntp_servers = delete([$::fuel_settings['NTP1'], $::fuel_settings['NTP2'],
                      $::fuel_settings['NTP3']], "")

+$admin_network = ipcalc_network_wildcard(
+  $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+  $::fuel_settings['ADMIN_NETWORK']['netmask'])
+$extra_networks = $fuel_settings['EXTRA_ADMIN_NETWORKS']
+
 Class['nailgun::packages'] ->
 Class['nailgun::client'] ->
 Class['nailgun::host'] ->
@ -37,6 +42,8 @@ class { 'nailgun::host':
  dns_domain        => $::fuel_settings['DNS_DOMAIN'],
  dns_search        => $::fuel_settings['DNS_SEARCH'],
  dns_upstream      => split($::fuel_settings['DNS_UPSTREAM'], ','),
+  admin_network     => $admin_network,
+  extra_networks    => $extra_networks,
  repo_root         => "/var/www/nailgun/${::fuel_version['VERSION']['openstack_version']}",
  monitord_user     => $::fuel_settings['keystone']['monitord_user'],
  monitord_password => $::fuel_settings['keystone']['monitord_password'],
--- a/deployment/puppet/nailgun/examples/host-upgrade.pp
+++ b/deployment/puppet/nailgun/examples/host-upgrade.pp
@ -13,6 +13,11 @@ else {
 $ntp_servers = delete([$::fuel_settings['NTP1'], $::fuel_settings['NTP2'],
                      $::fuel_settings['NTP3']], "")

+$admin_network = ipcalc_network_wildcard(
+  $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
+  $::fuel_settings['ADMIN_NETWORK']['netmask'])
+$extra_networks = $fuel_settings['EXTRA_ADMIN_NETWORKS']
+
 Class['nailgun::packages'] ->
 Class['nailgun::host'] ->
 Class['docker::dockerctl'] ->
@ -34,6 +39,8 @@ class { 'nailgun::host':
  dns_domain        => $::fuel_settings['DNS_DOMAIN'],
  dns_search        => $::fuel_settings['DNS_SEARCH'],
  dns_upstream      => split($::fuel_settings['DNS_UPSTREAM'], ','),
+  admin_network     => $admin_network,
+  extra_networks    => $extra_networks,
  repo_root         => "/var/www/nailgun/${::fuel_version['VERSION']['openstack_version']}",
  monitord_user     => $::fuel_settings['keystone']['monitord_user'],
  monitord_password => $::fuel_settings['keystone']['monitord_password'],
--- a/deployment/puppet/nailgun/lib/puppet/parser/functions/ipcalc_network_wildcard.rb
+++ b/deployment/puppet/nailgun/lib/puppet/parser/functions/ipcalc_network_wildcard.rb
@ -0,0 +1,42 @@
+module Puppet::Parser::Functions
+  newfunction(:ipcalc_network_wildcard, :type => :rvalue, :doc => <<-EOS
+Returns network wildcard by host ip address and netmask.
+    EOS
+  ) do |arguments|
+
+    require 'ipaddr'
+
+    if (arguments.size != 2) then
+      raise(Puppet::ParseError, "ipcalc_network_wilrdcard(): Wrong number of arguments "+
+            "given #{arguments.size} for 2")
+    end
+
+    begin
+      ip = arguments[0]
+      mask = arguments[1]
+      address = IPAddr.new("#{ip}/#{mask}")
+
+      class << address
+        def mask_length
+          @mask_addr.to_s(2).count("1")
+        end
+
+        def wildcard_notation
+          return unless ipv4?
+          octets = mask_length / 8
+          pattern = []
+          (0...octets).map do |i|
+            pattern << ((@addr >> (24 - 8 * i)) & 0xff)
+          end
+          pattern << '*' if octets < 4
+          pattern.join '.'
+        end
+      end
+
+    return address.wildcard_notation
+    rescue ArgumentError
+       raise(Puppet::ParseError, "ipcalc_network_wildcard(): bad arguments #{arguments[0]} #{arguments[1]}")
+    end
+  end
+end
+
--- a/deployment/puppet/nailgun/manifests/host.pp
+++ b/deployment/puppet/nailgun/manifests/host.pp
@ -5,6 +5,8 @@ $cobbler_host = '127.0.0.1',
 $dns_search = 'domain.tld',
 $dns_domain = 'domain.tld',
 $dns_upstream = [],
+$admin_network = '10.20.0.*',
+$extra_networks = undef,
 $nailgun_group = 'nailgun',
 $nailgun_user = 'nailgun',
 $gem_source = 'http://localhost/gems/',
--- a/deployment/puppet/nailgun/templates/root_ssh_config.erb
+++ b/deployment/puppet/nailgun/templates/root_ssh_config.erb
@ -1,7 +1,14 @@
-Host node-* controller-* compute-* storage-* 10.* 192.168.* 172.30.* 172.31.* 172.2?.* 172.1?.*
-CheckHostIP no
-IdentityFile ~/.ssh/bootstrap.rsa
-IdentityFile ~/.ssh/id_rsa
-StrictHostKeyChecking no
-UserKnownHostsFile /dev/null
-AddressFamily inet
+Host *
+  IdentityFile ~/.ssh/bootstrap.rsa
+  IdentityFile ~/.ssh/id_rsa
+
+Host *.<%= @dns_domain %> node-* controller-* compute-* storage-* 10.* 192.168.* 172.30.* 172.31.* 172.2?.* 172.1?.* <%= @admin_network %> <%
+if @extra_networks.is_a?(Hash)
+  @extra_networks.each do |netname, net| -%>
+ <%= scope.function_ipcalc_network_wildcard([net['ipaddress'],net['netmask']]) %><%
+    end
+end %>
+  CheckHostIP no
+  StrictHostKeyChecking no
+  UserKnownHostsFile /dev/null
+  AddressFamily inet