Add flag to disable SSHD on the amphora image

Also deprecate the amp_ssh_access_allowed option.

Change-Id: Icb61a65fac57e74235fac904639c411b0fa2b495
Adam Harwell 2017-08-09 17:42:08 -07:00
parent 690ccfd43f
commit 7bf8804177
8 changed files with 57 additions and 4 deletions


@ -70,6 +70,7 @@ Command syntax:
[-c **~/.cache/image-create** | <cache directory> ] [-c **~/.cache/image-create** | <cache directory> ]
[-h] [-h]
[-i **ubuntu** | fedora | centos | rhel ] [-i **ubuntu** | fedora | centos | rhel ]
[-n]
[-o **amphora-x64-haproxy** | <filename> ] [-o **amphora-x64-haproxy** | <filename> ]
[-r <root password> ] [-r <root password> ]
[-s **2** | <size in GB> ] [-s **2** | <size in GB> ]
@ -82,6 +83,7 @@ Command syntax:
'-c' is the path to the cache directory (default: ~/.cache/image-create) '-c' is the path to the cache directory (default: ~/.cache/image-create)
'-h' display help message '-h' display help message
'-i' is the base OS (default: ubuntu) '-i' is the base OS (default: ubuntu)
'-n' disable sshd (default: enabled)
'-o' is the output image file name '-o' is the output image file name
'-r' enable the root account in the generated image (default: disabled) '-r' enable the root account in the generated image (default: disabled)
'-s' is the image size to produce in gigabytes (default: 2) '-s' is the image size to produce in gigabytes (default: 2)


@ -26,6 +26,7 @@ usage() {
echo " [-d **xenial** | trusty | <other release id> ]" echo " [-d **xenial** | trusty | <other release id> ]"
echo " [-h]" echo " [-h]"
echo " [-i **ubuntu** | fedora | centos | rhel ]" echo " [-i **ubuntu** | fedora | centos | rhel ]"
echo " [-n]"
echo " [-o **amphora-x64-haproxy** | <filename> ]" echo " [-o **amphora-x64-haproxy** | <filename> ]"
echo " [-r <root password> ]" echo " [-r <root password> ]"
echo " [-s **2** | <size in GB> ]" echo " [-s **2** | <size in GB> ]"
@ -39,6 +40,7 @@ usage() {
echo " '-d' distribution release id (default on ubuntu: xenial)" echo " '-d' distribution release id (default on ubuntu: xenial)"
echo " '-h' display this help message" echo " '-h' display this help message"
echo " '-i' is the base OS (default: ubuntu)" echo " '-i' is the base OS (default: ubuntu)"
echo " '-n' disable sshd (default: enabled)"
echo " '-o' is the output image file name" echo " '-o' is the output image file name"
echo " '-r' enable the root account in the generated image (default: disabled)" echo " '-r' enable the root account in the generated image (default: disabled)"
echo " '-s' is the image size to produce in gigabytes (default: 2)" echo " '-s' is the image size to produce in gigabytes (default: 2)"
@ -74,7 +76,7 @@ if [ -z $OCTAVIA_REPO_PATH ]; then
fi fi
dib_enable_tracing= dib_enable_tracing=
while getopts "a:b:c:d:hi:o:t:r:s:vw:x" opt; do while getopts "a:b:c:d:hi:no:t:r:s:vw:x" opt; do
case $opt in case $opt in
a) a)
AMP_ARCH=$OPTARG AMP_ARCH=$OPTARG
@ -112,6 +114,9 @@ while getopts "a:b:c:d:hi:o:t:r:s:vw:x" opt; do
exit 3 exit 3
fi fi
;; ;;
n)
AMP_DISABLE_SSHD=1
;;
o) o)
AMP_OUTPUTFILENAME=$(readlink -f $OPTARG) AMP_OUTPUTFILENAME=$(readlink -f $OPTARG)
;; ;;
@ -174,6 +179,8 @@ AMP_IMAGETYPE=${AMP_IMAGETYPE:-"qcow2"}
AMP_IMAGESIZE=${AMP_IMAGESIZE:-2} AMP_IMAGESIZE=${AMP_IMAGESIZE:-2}
AMP_DISABLE_SSHD=${AMP_DISABLE_SSHD:-0}
if [ "$AMP_BASEOS" = "rhel" ] && [ "$AMP_IMAGESIZE" -lt 3 ]; then if [ "$AMP_BASEOS" = "rhel" ] && [ "$AMP_IMAGESIZE" -lt 3 ]; then
echo "RHEL based amphora requires an image size of at least 3GB" echo "RHEL based amphora requires an image size of at least 3GB"
exit 1 exit 1
@ -324,6 +331,11 @@ AMP_element_sequence="$AMP_element_sequence pip-cache"
# Add certificate ramfs element # Add certificate ramfs element
AMP_element_sequence="$AMP_element_sequence certs-ramfs" AMP_element_sequence="$AMP_element_sequence certs-ramfs"
# Disable SSHD if requested
if [ "$AMP_DISABLE_SSHD" ]; then
AMP_element_sequence="$AMP_element_sequence remove-sshd"
fi
# Allow full elements override # Allow full elements override
if [ "$DIB_ELEMENTS" ]; then if [ "$DIB_ELEMENTS" ]; then
AMP_element_sequence="$DIB_ELEMENTS" AMP_element_sequence="$DIB_ELEMENTS"
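Review bot: The test `[ "$AMP_DISABLE_SSHD" ]` in the last hunk is true for any non-empty string, and the earlier hunk defaults the variable to `0`, so `remove-sshd` is appended to the element sequence even when `-n` was not given. Compare the value instead, `if [ "$AMP_DISABLE_SSHD" -eq 1 ]; then`, or leave the variable unset by default. Separately, the `DIB_ELEMENTS` override that follows replaces the whole sequence, so a requested `-n` is dropped without any message when that variable is set; the usage text or a warning could say so. The override block continues past the end of the hunk.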


@ -0,0 +1,11 @@
===========
remove-sshd
===========
This element ensures that openssh server is uninstalled and will not start.
Note
----
Most cloud images come with the openssh server service installed and enabled
during boot. However, sometimes this is not appropriate. In these cases,
using this element may be helpful to ensure your image will not accessible via
SSH.


@ -0,0 +1,2 @@
openssh-server:
uninstall: True


@ -192,8 +192,9 @@
# amp_image_owner_id = # amp_image_owner_id =
# Nova parameters to use when booting amphora # Nova parameters to use when booting amphora
# amp_flavor_id = # amp_flavor_id =
# Upload the ssh key as the service_auth user described elsewhere in this config.
# Leaving this variable blank will install no ssh key on the amphora.
# amp_ssh_key_name = # amp_ssh_key_name =
# amp_ssh_access_allowed = True
# Networks to attach to the Amphorae examples: # Networks to attach to the Amphorae examples:
# - One primary network # - One primary network


@ -297,6 +297,11 @@ controller_worker_opts = [
help=_('SSH key name used to boot the Amphora')), help=_('SSH key name used to boot the Amphora')),
cfg.BoolOpt('amp_ssh_access_allowed', cfg.BoolOpt('amp_ssh_access_allowed',
default=True, default=True,
deprecated_for_removal=True,
deprecated_reason='This option and amp_ssh_key_name overlap '
'in functionality, and only one is needed. '
'SSH access can be enabled/disabled simply '
'by setting amp_ssh_key_name, or not.',
help=_('Determines whether or not to allow access ' help=_('Determines whether or not to allow access '
'to the Amphorae')), 'to the Amphorae')),
cfg.ListOpt('amp_boot_network_list', cfg.ListOpt('amp_boot_network_list',
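Review bot: The deprecation on `amp_ssh_access_allowed` does not record the release, although the TODO in the compute task names Pike; adding `deprecated_since='Pike',` next to `deprecated_for_removal=True` lets the generated sample config and docs show it. The `deprecated_reason` text also equates leaving `amp_ssh_key_name` unset with disabling SSH access, while sshd presumably still runs on the amphora unless the image was built with `-n`; wording such as `'Key-based SSH access can be enabled/disabled simply '` would be closer to what the option controls. The option list starts and ends outside the hunk.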


@ -63,9 +63,12 @@ class ComputeCreate(BaseComputeTask):
LOG.debug("Compute create execute for amphora with id %s", amphora_id) LOG.debug("Compute create execute for amphora with id %s", amphora_id)
user_data_config_drive = CONF.controller_worker.user_data_config_drive user_data_config_drive = CONF.controller_worker.user_data_config_drive
key_name = CONF.controller_worker.amp_ssh_key_name
# TODO(rm_work): amp_ssh_access_allowed is deprecated in Pike.
# Remove the following two lines in the S release.
ssh_access = CONF.controller_worker.amp_ssh_access_allowed ssh_access = CONF.controller_worker.amp_ssh_access_allowed
ssh_key = CONF.controller_worker.amp_ssh_key_name key_name = None if not ssh_access else key_name
key_name = None if not ssh_access else ssh_key
try: try:
if CONF.haproxy_amphora.build_rate_limit != -1: if CONF.haproxy_amphora.build_rate_limit != -1:
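Review bot: `key_name` is now read straight from `amp_ssh_key_name`, so an option set to an empty value reaches the rest of the method as `''` rather than `None`, and the sample config in this commit tells operators to leave it blank to install no key. Normalising at the read, `key_name = CONF.controller_worker.amp_ssh_key_name or None`, keeps "no key" as a single value regardless of how the compute driver treats an empty name (that call is outside the hunk, so the effect there is inferred). The conditional expression two lines later would read more directly as `if not ssh_access:` followed by `key_name = None`. The method body starts and ends outside the hunk.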


@ -0,0 +1,17 @@
---
features:
- |
New option in diskimage-create.sh `-n` to completely disable sshd on the
amphora.
deprecations:
- |
Config option `amp_ssh_access_allowed` is deprecated, as it overlaps with
`amp_ssh_key_name` in functionality and is not needed. Simply leave the
variable `amp_ssh_key_name` blank and no ssh key will be installed. This
is the same result as using `amp_ssh_access_allowed = False`.
security:
- |
It is now possible to completely remove sshd from the amphora image, to
further lock down access and increase security. If this is set, providing
an `amp_ssh_key_name` in config will install the key, but ssh access will
not be possible as sshd will not be running.