From bedca5b35e8f9336182d5588d5650c1bb0682702 Mon Sep 17 00:00:00 2001 From: Christian Berendt Date: Tue, 13 Sep 2016 14:27:15 +0200 Subject: [PATCH] Fix keystone fernet file exchange via ssh * install openssh client in keystone-fernet container * install rsync in keystone-ssh container * fix syntax issue in ssh configuration * copy ssh configuration into keystone-fernet container * copy id_rsa.pub into keystone-ssh container * copy id_rsa into keystone-fernet container * use full path to ssh binary in used scripts * add missing newlines at EOF * when using type source set /var/lib/keystone as home directory for the user keystone Co-Authored-By: Jeffrey Zhang Change-Id: Id6b41030056a69f6516a054beb2fc0e08226e876 Closes-bug: #1623013
---
ansible/roles/keystone/tasks/config.yml | 4 ++-- ansible/roles/keystone/templates/crontab.j2 | 2 +- .../keystone/templates/fernet-node-sync.sh.j2 | 4 ++-- .../roles/keystone/templates/fernet-rotate.sh.j2 | 4 ++-- ansible/roles/keystone/templates/id_rsa | 2 +- ansible/roles/keystone/templates/id_rsa.pub | 2 +- .../keystone/templates/keystone-fernet.json.j2 | 12 ++++++++++++ .../roles/keystone/templates/keystone-ssh.json.j2 | 14 +------------- ansible/roles/keystone/templates/ssh_config.j2 | 4 ++-- ansible/roles/keystone/templates/sshd_config.j2 | 2 +- docker/keystone/keystone-base/Dockerfile.j2 | 6 +++--- docker/keystone/keystone-fernet/Dockerfile.j2 | 2 ++ docker/keystone/keystone-ssh/Dockerfile.j2 | 10 ++++++++-- 13 files changed, 38 insertions(+), 30 deletions(-)
diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml
index d7840fff6c..e39e7d6188 100644
--- a/ansible/roles/keystone/tasks/config.yml
+++ b/ansible/roles/keystone/tasks/config.yml
@@ -101,6 +101,8 @@
 - { src: "crontab.j2", dest: "crontab" }
 - { src: "fernet-rotate.sh.j2", dest: "fernet-rotate.sh" }
 - { src: "fernet-node-sync.sh.j2", dest: "fernet-node-sync.sh" }
+ - { src: "id_rsa", dest: "id_rsa" }
+ - { src: "ssh_config.j2", dest: "ssh_config" }
 when: keystone_token_provider == 'fernet'
 - name: Copying files for keystone-ssh
@@ -109,7 +111,5 @@
 dest: "{{ node_config_directory }}/keystone-ssh/{{ item.dest }}"
 with_items:
 - { src: "sshd_config.j2", dest: "sshd_config" }
- - { src: "id_rsa", dest: "id_rsa" }
 - { src: "id_rsa.pub", dest: "id_rsa.pub" }
- - { src: "ssh_config.j2", dest: "ssh_config" }
 when: keystone_token_provider == 'fernet'
diff --git a/ansible/roles/keystone/templates/crontab.j2 b/ansible/roles/keystone/templates/crontab.j2
index 967309793c..af16e114fd 100644
--- a/ansible/roles/keystone/templates/crontab.j2
+++ b/ansible/roles/keystone/templates/crontab.j2
@@ -1,3 +1,3 @@
 {% for cron_job in cron_jobs %}
 {{ cron_job['min'] }} {{ cron_job['hour'] }} * * {{ cron_job['day'] }} /usr/bin/fernet-rotate.sh
-{% endfor %}
\ No newline at end of file
+{% endfor %}
diff --git a/ansible/roles/keystone/templates/fernet-node-sync.sh.j2 b/ansible/roles/keystone/templates/fernet-node-sync.sh.j2
index ffbd7c7dde..a100f23771 100644
--- a/ansible/roles/keystone/templates/fernet-node-sync.sh.j2
+++ b/ansible/roles/keystone/templates/fernet-node-sync.sh.j2
@@ -11,6 +11,6 @@ fi
 # For each host node sync tokens
 {% for host in groups['keystone'] %}
 {% if inventory_hostname != host %}
-/usr/bin/rsync -azu --delete -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }}' keystone@{{ host }}:/etc/keystone/fernet-keys/ /etc/keystone/fernet-keys
+/usr/bin/rsync -azu --delete -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }} -F /var/lib/keystone/.ssh/config' keystone@{{ host }}:/etc/keystone/fernet-keys/ /etc/keystone/fernet-keys
 {% endif %}
-{% endfor %}
\ No newline at end of file
+{% endfor %}
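Review bot: The `id_rsa` item moved into the keystone-fernet copy task is a private key written by the `template` module, and nothing in the hunk shows a `mode:` on that task; if it relies on the module default, the rendered key sits in `{{ node_config_directory }}/keystone-fernet/id_rsa` on the host with umask-derived permissions (typically world-readable), even though the in-container copy is later restricted to 0600. The task header is outside the hunk, so confirm there, and if no mode is set add `mode: "0600"` to it, or split the key into its own task with that mode since `ssh_config` and the scripts can stay at the default. This was equally true of the old keystone-ssh location, so the move is a good moment to fix it rather than a new regression.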
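Review bot: The rewritten rsync line still ignores its exit status, so a failed pull from one peer leaves this node with stale fernet keys while the loop carries on silently; because this runs unattended, nobody notices until token validation starts failing. A one-line change makes it visible: append `|| echo "fernet key sync from {{ host }} failed" >&2` to the rsync invocation, and if the script header (outside the hunk) does not use `set -e`, track a failure flag and exit non-zero at the end. Minor: `-p {{ keystone_ssh_port }}` is now redundant with the `Port` line in the config passed via `-F`; keeping a single source of truth avoids the two drifting apart.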
diff --git a/ansible/roles/keystone/templates/fernet-rotate.sh.j2 b/ansible/roles/keystone/templates/fernet-rotate.sh.j2
index e79b8909d3..28c5b6f670 100644
--- a/ansible/roles/keystone/templates/fernet-rotate.sh.j2
+++ b/ansible/roles/keystone/templates/fernet-rotate.sh.j2
@@ -4,6 +4,6 @@ keystone-manage --config-file /etc/keystone/keystone.conf fernet_rotate --keysto
 {% for host in groups['keystone'] %}
 {% if inventory_hostname != host %}
-/usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }}' --delete /etc/keystone/fernet-keys/ keystone@{{ host }}:/etc/keystone/fernet-keys
+/usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }} -F /var/lib/keystone/.ssh/config' --delete /etc/keystone/fernet-keys/ keystone@{{ host }}:/etc/keystone/fernet-keys
 {% endif %}
-{% endfor %}
\ No newline at end of file
+{% endfor %}
diff --git a/ansible/roles/keystone/templates/id_rsa b/ansible/roles/keystone/templates/id_rsa
index bdce5093eb..3e27166162 100644
--- a/ansible/roles/keystone/templates/id_rsa
+++ b/ansible/roles/keystone/templates/id_rsa
@@ -1 +1 @@
-{{ keystone_ssh_key.private_key }}
\ No newline at end of file
+{{ keystone_ssh_key.private_key }}
diff --git a/ansible/roles/keystone/templates/id_rsa.pub b/ansible/roles/keystone/templates/id_rsa.pub
index 907b0e7e7b..529f98ab89 100644
--- a/ansible/roles/keystone/templates/id_rsa.pub
+++ b/ansible/roles/keystone/templates/id_rsa.pub
@@ -1 +1 @@
-{{ keystone_ssh_key.public_key }}
\ No newline at end of file
+{{ keystone_ssh_key.public_key }}
diff --git a/ansible/roles/keystone/templates/keystone-fernet.json.j2 b/ansible/roles/keystone/templates/keystone-fernet.json.j2
index b74f01715e..9078977b5e 100644
--- a/ansible/roles/keystone/templates/keystone-fernet.json.j2
+++ b/ansible/roles/keystone/templates/keystone-fernet.json.j2
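Review bot: After `keystone-manage ... fernet_rotate` has run, the push loop on the new rsync line does not check the result, so a peer that cannot be reached keeps the old key set and will reject tokens signed with the newly promoted primary key until the next scheduled run, with no log line to explain why. Append `|| echo "fernet key push to {{ host }} failed" >&2` to the rsync invocation, and since the script header is outside the hunk, check whether it sets `-e`; a non-zero exit is what makes the failure visible from cron. The `--delete` on the push side also means that pushing to the wrong host wipes that host's key directory, which is one more reason the ssh host-identity check in the config passed via `-F` matters.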
@@ -24,6 +24,18 @@
 "dest": "/usr/bin/fernet-node-sync.sh",
 "owner": "root",
 "perm": "0755"
+ },
+ {
+ "source": "{{ container_config_directory }}/ssh_config",
+ "dest": "/var/lib/keystone/.ssh/config",
+ "owner": "keystone",
+ "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/id_rsa",
+ "dest": "/var/lib/keystone/.ssh/id_rsa",
+ "owner": "keystone",
+ "perm": "0600"
 }
 ]
 }
diff --git a/ansible/roles/keystone/templates/keystone-ssh.json.j2 b/ansible/roles/keystone/templates/keystone-ssh.json.j2
index c38fd6d626..c13e0eda60 100644
--- a/ansible/roles/keystone/templates/keystone-ssh.json.j2
+++ b/ansible/roles/keystone/templates/keystone-ssh.json.j2
@@ -7,18 +7,6 @@
 "owner": "root",
 "perm": "0644"
 },
- {
- "source": "{{ container_config_directory }}/ssh_config",
- "dest": "/var/lib/keystone/.ssh/config",
- "owner": "keystone",
- "perm": "0600"
- },
- {
- "source": "{{ container_config_directory }}/id_rsa",
- "dest": "/var/lib/keystone/.ssh/id_rsa",
- "owner": "keystone",
- "perm": "0600"
- },
 {
 "source": "{{ container_config_directory }}/id_rsa.pub",
 "dest": "/var/lib/keystone/.ssh/authorized_keys",
@@ -26,4 +14,4 @@
 "perm": "0600"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/ansible/roles/keystone/templates/ssh_config.j2 b/ansible/roles/keystone/templates/ssh_config.j2
index f30dee26d0..4a177f6552 100644
--- a/ansible/roles/keystone/templates/ssh_config.j2
+++ b/ansible/roles/keystone/templates/ssh_config.j2
@@ -1,4 +1,4 @@
-Host {% for host in groups['keystone'] %}{% if inventory_hostname != host %}{{ host }} {% endif %}{% endfor %}
+Host *
 StrictHostKeyChecking no
 UserKnownHostsFile /dev/null
- Port {{ keystone_ssh_port }}
\ No newline at end of file
+ Port {{ keystone_ssh_port }}
diff --git a/ansible/roles/keystone/templates/sshd_config.j2 b/ansible/roles/keystone/templates/sshd_config.j2
index 8ccb340625..8b66f42c7d 100644
--- a/ansible/roles/keystone/templates/sshd_config.j2
+++ b/ansible/roles/keystone/templates/sshd_config.j2
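Review bot: The `authorized_keys` entry that remains in this hunk installs `{{ keystone_ssh_key.public_key }}` bare, so the private key now held by every keystone-fernet container grants an unrestricted shell as `keystone` on every peer's keystone-ssh container, while the only legitimate use is an rsync of `/etc/keystone/fernet-keys` in either direction. Since the public key is rendered from a template it can carry options: prefix it in `id_rsa.pub` with something like `restrict,command="/usr/bin/rrsync /etc/keystone/fernet-keys"` (rrsync is distributed with rsync but is often shipped only as a doc/script file, so it may need installing into the keystone-ssh image; read-only mode is not enough because `fernet-rotate.sh` pushes), or with a small wrapper that validates `$SSH_ORIGINAL_COMMAND` against the two expected `rsync --server` forms. Nothing in the visible `sshd_config` sets `ForceCommand` or `AuthorizedKeysFile`, so the key options are the only place this restriction can currently live.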
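Review bot: `Host *` together with the retained `StrictHostKeyChecking no` and `UserKnownHostsFile /dev/null` makes the client accept any host key for any destination, and the commands that use this file (`-F /var/lib/keystone/.ssh/config` in fernet-rotate.sh and fernet-node-sync.sh) move the token-signing keys: whoever can answer for a keystone host on `keystone_ssh_port` receives the keys on push, or gets to replace them (the pull uses `--delete`) on the next sync. The removed line scoped this to members of `groups['keystone']` but disabled checking just the same, so the widening is not the root problem; the real fix is to render the peers' sshd host public keys into a known_hosts file and set `StrictHostKeyChecking yes` with `UserKnownHostsFile /var/lib/keystone/.ssh/known_hosts`. That presumes the keystone-ssh host keys are stable and known to the deployment rather than regenerated on each container start, which the diff does not show — worth confirming before relying on it. If that cannot be done yet, at least keep the `Host` list restricted to the keystone group so a stale inventory entry or a typo in a script does not silently extend the no-verify policy to arbitrary hosts.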
@@ -2,4 +2,4 @@ Port {{ keystone_ssh_port }}
 ListenAddress {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 SyslogFacility AUTHPRIV
-UsePAM yes
\ No newline at end of file
+UsePAM yes
diff --git a/docker/keystone/keystone-base/Dockerfile.j2 b/docker/keystone/keystone-base/Dockerfile.j2
index bd583e8033..fe4c5cf1d7 100644
--- a/docker/keystone/keystone-base/Dockerfile.j2
+++ b/docker/keystone/keystone-base/Dockerfile.j2
@@ -61,13 +61,13 @@ RUN echo > /etc/apache2/ports.conf
 {% block keystone_source_install %}
 ADD keystone-base-archive /keystone-base-source
 RUN ln -s keystone-base-source/* keystone \
- && useradd --user-group keystone \
+ && useradd --user-group --create-home --home-dir /var/lib/keystone keystone \
 && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /keystone \
- && mkdir -p /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
+ && mkdir -p /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 \
 && cp -r /keystone/etc/* /etc/keystone/ \
 && cp /var/lib/kolla/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
 && cp /var/lib/kolla/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/main \
- && chown -R keystone: /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone
+ && chown -R keystone: /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2
 {% endblock %}
 {% endif %}
diff --git a/docker/keystone/keystone-fernet/Dockerfile.j2 b/docker/keystone/keystone-fernet/Dockerfile.j2
index bda73bcf38..8c058e2055 100644
--- a/docker/keystone/keystone-fernet/Dockerfile.j2
+++ b/docker/keystone/keystone-fernet/Dockerfile.j2
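Review bot: The home-directory move to `/var/lib/keystone` on the new `useradd` line applies only inside `{% block keystone_source_install %}`; the binary-install branch is outside the hunk and unchanged, while the config files for both keystone-ssh and keystone-fernet hard-code `/var/lib/keystone/.ssh/...`. The client side is fine because the scripts pass `-i` and `-F` explicitly, but sshd locates `authorized_keys` relative to the user's home by default and the sshd_config in this patch does not set `AuthorizedKeysFile`, so if the packaged keystone user in binary images has a different home, peer logins would fail there. Setting `AuthorizedKeysFile /var/lib/keystone/.ssh/authorized_keys` in sshd_config.j2 removes the dependency on the home directory; alternatively, verify the home the distro package assigns and align the binary branch too.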
@@ -8,11 +8,13 @@ MAINTAINER {{ maintainer }} {% if base_distro in ['fedora', 'centos', 'oraclelinux', 'rhel'] %} {% set keystone_fernet_packages = [ 'cronie', + 'openssh-clients', 'rsync' ] %} {% elif base_distro in ['ubuntu', 'debian'] %} {% set keystone_fernet_packages = [ 'cron', + 'openssh-client', 'rsync' ] %} {% endif %} diff --git a/docker/keystone/keystone-ssh/Dockerfile.j2 b/docker/keystone/keystone-ssh/Dockerfile.j2 index cf3e90851e..92fa412551 100644 --- a/docker/keystone/keystone-ssh/Dockerfile.j2 +++ b/docker/keystone/keystone-ssh/Dockerfile.j2 @@ -6,9 +6,15 @@ MAINTAINER {{ maintainer }} {% import "macros.j2" as macros with context %} {% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %} - {% set keystone_ssh_packages = ['openssh-server'] %} + {% set keystone_ssh_packages = [ + 'openssh-server', + 'rsync' + ] %} {% elif base_distro in ['ubuntu', 'debian'] %} - {% set keystone_ssh_packages = ['openssh-server'] %} + {% set keystone_ssh_packages = [ + 'openssh-server', + 'rsync' + ] %} RUN mkdir -p /var/run/sshd \ && chmod 0755 /var/run/sshd