Merge "Improve deployment performance on large clusters"

releasenotes/notes/nova-largecluster-key-inserts-afc8cac63af41087.yaml

@@ -0,0 +1,12 @@
+---
+features:
+  - The nova SSH public key distribution has been made a lot faster
+    especially when deploying against very large clusters. To support
+    larger clusters the role has moved away from the "authorized_key"
+    module and is now generating a script to insert keys that may
+    be missing from the authorized keys file. The script is saved on all
+    nova compute nodes and can be found at
+    ``/usr/local/bin/openstack-nova-key.sh``. If ever there is a need to
+    reinsert keys or fix issues on a given compute node the script can be
+    executed at any time without directly running the ansible playbooks
+    or roles.

tasks/nova_compute_key_distribute.yml

@@ -13,12 +13,36 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Create authorized keys file from host vars
-  authorized_key:
-    user: "{{ nova_system_user_name }}"
-    key: "{{ hostvars[item]['nova_pubkey'] | b64decode }}"
-  with_items: "{{ groups['nova_compute'] }}"
-  when: hostvars[item]['nova_pubkey'] is defined
+# The authorized key file script will be generated locally and copied to all known
+#  compute hosts within the environment. This script will add a key to the nova
+#  user's .ssh/authorized_keys file if it's not already found.
+- name: Drop authorized keys file script locally
+  template:
+    src: "nova-key-insert.sh.j2"
+    dest: "/usr/local/bin/openstack-nova-key.sh"
+    mode: "0755"
+  delegate_to: localhost
+  when: inventory_hostname == groups['nova_compute'][0]
+  tags:
+    - nova-key
+    - nova-key-distribute
+
+- name: Copy templated authorized keys file script
+  copy:
+    src: "/usr/local/bin/openstack-nova-key.sh"
+    dest: "/usr/local/bin/openstack-nova-key.sh"
+    mode: "0755"
+  tags:
+    - nova-key
+    - nova-key-distribute
+
+- name: Run authorized keys file script
+  command: "/usr/local/bin/openstack-nova-key.sh"
+  register: key_create
+  changed_when: key_create.rc == 3
+  failed_when:
+    - key_create.rc != 3
+    - key_create.rc != 0
   tags:
     - nova-key
     - nova-key-distribute

templates/nova-key-insert.sh.j2

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+#  Running the script:
+#  * The script will exit 99 if the home folder for the user set by
+#    "nova_system_user_name" is not found.
+#  * If the script adds a key to the authorized keys file it will exit 3.
+#  * If the script takes no action it will exit 0.
+
+set -ex
+
+EXIT_CODE=0
+USER_HOME="$(getent passwd {{ nova_system_user_name }} | awk -F':' '{print $6}')"
+
+[[ -d "${USER_HOME}" ]] || exit 99
+if [[ ! -f "${USER_HOME}/.ssh/authorized_keys" ]]; then
+  touch "${USER_HOME}/.ssh/authorized_keys"
+  chown {{ nova_system_user_name }}:{{ nova_system_group_name }} "${USER_HOME}/.ssh/authorized_keys"
+  chmod 0600 "${USER_HOME}/.ssh/authorized_keys"
+fi
+
+{% for item in groups['nova_compute'] %}
+{% if hostvars[item]['nova_pubkey'] is defined %}
+KEY="{{ hostvars[item]['nova_pubkey'] | b64decode }}"
+if ! grep -q -w "${KEY}" "${USER_HOME}/.ssh/authorized_keys"; then
+  echo "${KEY}" | tee -a "${USER_HOME}/.ssh/authorized_keys"
+  EXIT_CODE=3
+fi
+{% endif %}
+{% endfor %}
+
+exit "${EXIT_CODE}"
+