From 7bf8804177d3b7a9a4384c2b6d349228ecdced23 Mon Sep 17 00:00:00 2001
From: Adam Harwell
Date: Wed, 9 Aug 2017 17:42:08 -0700
Subject: [PATCH] Add flag to disable SSHD on the amphora image

Also deprecate the amp_ssh_access_allowed option.

Change-Id: Icb61a65fac57e74235fac904639c411b0fa2b495
---
 diskimage-create/README.rst | 2 ++
 diskimage-create/diskimage-create.sh | 14 +++++++++++++-
 elements/remove-sshd/README.rst | 11 +++++++++++
 elements/remove-sshd/package-installs.yaml | 2 ++
 etc/octavia.conf | 3 ++-
 octavia/common/config.py | 5 +++++
 .../controller/worker/tasks/compute_tasks.py | 7 +++++--
 ...ecate-amp_ssh_key_name-e1041a64ed970a9e.yaml | 17 +++++++++++++++++
 8 files changed, 57 insertions(+), 4 deletions(-)
 create mode 100644 elements/remove-sshd/README.rst
 create mode 100644 elements/remove-sshd/package-installs.yaml
 create mode 100644 releasenotes/notes/deprecate-amp_ssh_key_name-e1041a64ed970a9e.yaml

diff --git a/diskimage-create/README.rst b/diskimage-create/README.rst
index 2e830447a7..5d2521b4fe 100644
--- a/diskimage-create/README.rst
+++ b/diskimage-create/README.rst
@@ -70,6 +70,7 @@ Command syntax:
 [-c **~/.cache/image-create** | ]
 [-h]
 [-i **ubuntu** | fedora | centos | rhel ]
+ [-n]
 [-o **amphora-x64-haproxy** | ]
 [-r ]
 [-s **2** | ]
@@ -82,6 +83,7 @@ Command syntax:
 '-c' is the path to the cache directory (default: ~/.cache/image-create)
 '-h' display help message
 '-i' is the base OS (default: ubuntu)
+ '-n' disable sshd (default: enabled)
 '-o' is the output image file name
 '-r' enable the root account in the generated image (default: disabled)
 '-s' is the image size to produce in gigabytes (default: 2)
diff --git a/diskimage-create/diskimage-create.sh b/diskimage-create/diskimage-create.sh
index d32f9e0615..05c3ff0738 100755
--- a/diskimage-create/diskimage-create.sh
+++ b/diskimage-create/diskimage-create.sh
@@ -26,6 +26,7 @@ usage() {
 echo " [-d **xenial** | trusty | ]"
 echo " [-h]"
 echo " [-i **ubuntu** | fedora | centos | rhel ]"
+ echo " [-n]"
 echo " [-o **amphora-x64-haproxy** | ]"
 echo " [-r ]"
 echo " [-s **2** | ]"
@@ -39,6 +40,7 @@ usage() {
 echo " '-d' distribution release id (default on ubuntu: xenial)"
 echo " '-h' display this help message"
 echo " '-i' is the base OS (default: ubuntu)"
+ echo " '-n' disable sshd (default: enabled)"
 echo " '-o' is the output image file name"
 echo " '-r' enable the root account in the generated image (default: disabled)"
 echo " '-s' is the image size to produce in gigabytes (default: 2)"
@@ -74,7 +76,7 @@ if [ -z $OCTAVIA_REPO_PATH ]; then
 fi
 dib_enable_tracing=
-while getopts "a:b:c:d:hi:o:t:r:s:vw:x" opt; do
+while getopts "a:b:c:d:hi:no:t:r:s:vw:x" opt; do
 case $opt in
 a)
 AMP_ARCH=$OPTARG
@@ -112,6 +114,9 @@ while getopts "a:b:c:d:hi:o:t:r:s:vw:x" opt; do
 exit 3
 fi
 ;;
+ n)
+ AMP_DISABLE_SSHD=1
+ ;;
 o)
 AMP_OUTPUTFILENAME=$(readlink -f $OPTARG)
 ;;
@@ -174,6 +179,8 @@ AMP_IMAGETYPE=${AMP_IMAGETYPE:-"qcow2"}
 AMP_IMAGESIZE=${AMP_IMAGESIZE:-2}
+AMP_DISABLE_SSHD=${AMP_DISABLE_SSHD:-0}
+
 if [ "$AMP_BASEOS" = "rhel" ] && [ "$AMP_IMAGESIZE" -lt 3 ]; then
 echo "RHEL based amphora requires an image size of at least 3GB"
 exit 1
@@ -324,6 +331,11 @@ AMP_element_sequence="$AMP_element_sequence pip-cache"
 # Add certificate ramfs element
 AMP_element_sequence="$AMP_element_sequence certs-ramfs"
+# Disable SSHD if requested
+if [ "$AMP_DISABLE_SSHD" ]; then
+ AMP_element_sequence="$AMP_element_sequence remove-sshd"
+fi
+
 # Allow full elements override
 if [ "$DIB_ELEMENTS" ]; then
 AMP_element_sequence="$DIB_ELEMENTS"
diff --git a/elements/remove-sshd/README.rst b/elements/remove-sshd/README.rst
new file mode 100644
index 0000000000..a0be79497c
--- /dev/null
+++ b/elements/remove-sshd/README.rst
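Review bot: The added test `if [ "$AMP_DISABLE_SSHD" ]; then` in the last diskimage-create.sh hunk is true for any non-empty string, and the `@@ -174,6 +179,8 @@` hunk defaults the variable to `0`, so the `remove-sshd` element looks to be appended on every build rather than only with `-n`. Compare the value instead: `if [ "$AMP_DISABLE_SSHD" -eq 1 ]; then`. As written, images built without `-n` would lose sshd, contradicting the usage text "(default: enabled)" and removing the operator's debug path without notice. The `DIB_ELEMENTS` override that follows replaces the whole sequence, so `-n` is ignored there; a comment such as `# NOTE: DIB_ELEMENTS overrides -n; include remove-sshd explicitly` would document that.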
@@ -0,0 +1,11 @@
+===========
+remove-sshd
+===========
+This element ensures that openssh server is uninstalled and will not start.
+
+Note
+----
+Most cloud images come with the openssh server service installed and enabled
+during boot. However, sometimes this is not appropriate. In these cases,
+using this element may be helpful to ensure your image will not accessible via
+SSH.
diff --git a/elements/remove-sshd/package-installs.yaml b/elements/remove-sshd/package-installs.yaml
new file mode 100644
index 0000000000..3dc83e10d3
--- /dev/null
+++ b/elements/remove-sshd/package-installs.yaml
@@ -0,0 +1,2 @@
+openssh-server:
+ uninstall: True
diff --git a/etc/octavia.conf b/etc/octavia.conf
index 362d7ac568..2ca11b2874 100644
--- a/etc/octavia.conf
+++ b/etc/octavia.conf
@@ -192,8 +192,9 @@
 # amp_image_owner_id =
 # Nova parameters to use when booting amphora
 # amp_flavor_id =
+# Upload the ssh key as the service_auth user described elsewhere in this config.
+# Leaving this variable blank will install no ssh key on the amphora.
 # amp_ssh_key_name =
-# amp_ssh_access_allowed = True
 # Networks to attach to the Amphorae examples:
 # - One primary network
diff --git a/octavia/common/config.py b/octavia/common/config.py
index 7a0918f452..38b4d6f85f 100644
--- a/octavia/common/config.py
+++ b/octavia/common/config.py
@@ -297,6 +297,11 @@ controller_worker_opts = [
 help=_('SSH key name used to boot the Amphora')),
 cfg.BoolOpt('amp_ssh_access_allowed',
 default=True,
+ deprecated_for_removal=True,
+ deprecated_reason='This option and amp_ssh_key_name overlap '
+ 'in functionality, and only one is needed. '
+ 'SSH access can be enabled/disabled simply '
+ 'by setting amp_ssh_key_name, or not.',
 help=_('Determines whether or not to allow access '
 'to the Amphorae')),
 cfg.ListOpt('amp_boot_network_list',
diff --git a/octavia/controller/worker/tasks/compute_tasks.py b/octavia/controller/worker/tasks/compute_tasks.py
index 5080c47589..447e3c816a 100644
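Review bot: The `deprecated_reason` on `amp_ssh_access_allowed` in octavia/common/config.py says SSH access can be enabled or disabled by setting `amp_ssh_key_name` or not, which overstates what a blank key name does: it only stops a key being injected at boot, while sshd keeps running unless the image was built with `-n`. I would reword the last sentence to `'Leaving amp_ssh_key_name unset installs no SSH key; sshd still runs unless the image was built without it.'` so operators do not treat the option as a service-level control. Adding `deprecated_since='Pike'` would also record the release named in the compute_tasks.py TODO. The `controller_worker_opts` list starts and ends outside the hunk.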
--- a/octavia/controller/worker/tasks/compute_tasks.py
+++ b/octavia/controller/worker/tasks/compute_tasks.py
@@ -63,9 +63,12 @@ class ComputeCreate(BaseComputeTask):
 LOG.debug("Compute create execute for amphora with id %s", amphora_id)
 user_data_config_drive = CONF.controller_worker.user_data_config_drive
+
+ key_name = CONF.controller_worker.amp_ssh_key_name
+ # TODO(rm_work): amp_ssh_access_allowed is deprecated in Pike.
+ # Remove the following two lines in the S release.
 ssh_access = CONF.controller_worker.amp_ssh_access_allowed
- ssh_key = CONF.controller_worker.amp_ssh_key_name
- key_name = None if not ssh_access else ssh_key
+ key_name = None if not ssh_access else key_name
 try:
 if CONF.haproxy_amphora.build_rate_limit != -1:
diff --git a/releasenotes/notes/deprecate-amp_ssh_key_name-e1041a64ed970a9e.yaml b/releasenotes/notes/deprecate-amp_ssh_key_name-e1041a64ed970a9e.yaml
new file mode 100644
index 0000000000..8d335c5613
--- /dev/null
+++ b/releasenotes/notes/deprecate-amp_ssh_key_name-e1041a64ed970a9e.yaml
@@ -0,0 +1,17 @@
+---
+features:
+ - |
+ New option in diskimage-create.sh `-n` to completely disable sshd on the
+ amphora.
+deprecations:
+ - |
+ Config option `amp_ssh_access_allowed` is deprecated, as it overlaps with
+ `amp_ssh_key_name` in functionality and is not needed. Simply leave the
+ variable `amp_ssh_key_name` blank and no ssh key will be installed. This
+ is the same result as using `amp_ssh_access_allowed = False`.
+security:
+ - |
+ It is now possible to completely remove sshd from the amphora image, to
+ further lock down access and increase security. If this is set, providing
+ an `amp_ssh_key_name` in config will install the key, but ssh access will
+ not be possible as sshd will not be running.
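Review bot: In the compute_tasks.py hunk, `key_name` is assigned straight from `CONF.controller_worker.amp_ssh_key_name`, so the documented "blank means no key" behaviour depends on what a blank option evaluates to and on how the compute driver treats it; the option's default is not visible here. If it can be an empty string, normalise it at the assignment, `key_name = CONF.controller_worker.amp_ssh_key_name or None`, so the build request carries no key name at all. The TODO could also name the two lines to remove, `ssh_access = ...` and `key_name = None if not ssh_access else key_name`, since "the following two lines" becomes ambiguous once code is inserted nearby. The enclosing method of `ComputeCreate` starts and ends outside the hunk.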