From bda35e7fd60b48af24b0b7501bffba151ab2d187 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Tue, 31 May 2016 14:53:15 -0500
Subject: [PATCH] Improve deployment performance on large clusters
This change makes the nova key distribution a lot faster especially when deploying against very large clusters. The change moves away from the authorized_key module and instead generates a script with the same capabilities which is then executed. The generated script is stored in locally on the remote host at "/usr/local/bin/openstack-nova-key.sh" and can be executed at any time to fix and or clean up nova authorized key problems.
Change-Id: I0d5ec9d735a104a57ec5cf7938116915af803088
Signed-off-by: Kevin Carter
---
 ...ecluster-key-inserts-afc8cac63af41087.yaml | 12 +++++++
 tasks/nova_compute_key_distribute.yml | 36 +++++++++++++++----
 templates/nova-key-insert.sh.j2 | 31 ++++++++++++++++
 3 files changed, 73 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/nova-largecluster-key-inserts-afc8cac63af41087.yaml
 create mode 100644 templates/nova-key-insert.sh.j2
diff --git a/releasenotes/notes/nova-largecluster-key-inserts-afc8cac63af41087.yaml b/releasenotes/notes/nova-largecluster-key-inserts-afc8cac63af41087.yaml
new file mode 100644
index 00000000..96c22655
--- /dev/null
+++ b/releasenotes/notes/nova-largecluster-key-inserts-afc8cac63af41087.yaml
@@ -0,0 +1,12 @@
+---
+features:
+ - The nova SSH public key distribution has been made a lot faster
+ especially when deploying against very large clusters. To support
+ larger clusters the role has moved away from the "authorized_key"
+ module and is now generating a script to insert keys that may
+ be missing from the authorized keys file. The script is saved on all
+ nova compute nodes and can be found at
+ ``/usr/local/bin/openstack-nova-key.sh``. If ever there is a need to
+ reinsert keys or fix issues on a given compute node the script can be
+ executed at any time without directly running the ansible playbooks
+ or roles.
diff --git a/tasks/nova_compute_key_distribute.yml b/tasks/nova_compute_key_distribute.yml
index fba191e4..b88d05fa 100644
--- a/tasks/nova_compute_key_distribute.yml
+++ b/tasks/nova_compute_key_distribute.yml
@@ -13,12 +13,36 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-- name: Create authorized keys file from host vars
- authorized_key:
- user: "{{ nova_system_user_name }}"
- key: "{{ hostvars[item]['nova_pubkey'] | b64decode }}"
- with_items: "{{ groups['nova_compute'] }}"
- when: hostvars[item]['nova_pubkey'] is defined
+# The authorized key file script will be generated locally and copied to all known
+# compute hosts within the environment. This script will add a key to the nova
+# user's .ssh/authorized_keys file if it's not already found.
+- name: Drop authorized keys file script locally
+ template:
+ src: "nova-key-insert.sh.j2"
+ dest: "/usr/local/bin/openstack-nova-key.sh"
+ mode: "0755"
+ delegate_to: localhost
+ when: inventory_hostname == groups['nova_compute'][0]
+ tags:
+ - nova-key
+ - nova-key-distribute
+
+- name: Copy templated authorized keys file script
+ copy:
+ src: "/usr/local/bin/openstack-nova-key.sh"
+ dest: "/usr/local/bin/openstack-nova-key.sh"
+ mode: "0755"
+ tags:
+ - nova-key
+ - nova-key-distribute
+
+- name: Run authorized keys file script
+ command: "/usr/local/bin/openstack-nova-key.sh"
+ register: key_create
+ changed_when: key_create.rc == 3
+ failed_when:
+ - key_create.rc != 3
+ - key_create.rc != 0
 tags:
 - nova-key
 - nova-key-distribute
diff --git a/templates/nova-key-insert.sh.j2 b/templates/nova-key-insert.sh.j2
new file mode 100644
index 00000000..e02120a4
--- /dev/null
+++ b/templates/nova-key-insert.sh.j2
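Review bot: The render task runs only on the host equal to `groups['nova_compute'][0]`, so any run whose host set does not include that host (a `--limit`, or that host having failed earlier in the play) skips the render, and the following `copy` task then ships whatever `/usr/local/bin/openstack-nova-key.sh` already exists on the controller — possibly a stale key set from a previous run — or errors if it was never written; replacing `when: inventory_hostname == groups['nova_compute'][0]` with `run_once: true` renders on the first host of whichever batch is actually running. Delegating the render to localhost with `dest: "/usr/local/bin/openstack-nova-key.sh"` also writes a 0755 file into the controller's system path, which usually needs root there and leaves a second, easily forgotten copy of the script outside the target hosts; a path under the playbook directory or a temporary directory would be a smaller footprint. The `failed_when` list is AND-ed, so the task fails only when the rc is neither 0 nor 3, which matches the template's documented exit codes — a comment such as `# rc 3: keys were added, rc 0: nothing to do; anything else (e.g. 99: user home missing) is a failure` would make that contract visible here.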
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Running the script:
+# * The script will exit 99 if the home folder for the user set by
+# "nova_system_user_name" is not found.
+# * If the script adds a key to the authorized keys file it will exit 3.
+# * If the script takes no action it will exit 0.
+
+set -ex
+
+EXIT_CODE=0
+USER_HOME="$(getent passwd {{ nova_system_user_name }} | awk -F':' '{print $6}')"
+
+[[ -d "${USER_HOME}" ]] || exit 99
+if [[ ! -f "${USER_HOME}/.ssh/authorized_keys" ]]; then
+ touch "${USER_HOME}/.ssh/authorized_keys"
+ chown {{ nova_system_user_name }}:{{ nova_system_group_name }} "${USER_HOME}/.ssh/authorized_keys"
+ chmod 0600 "${USER_HOME}/.ssh/authorized_keys"
+fi
+
+{% for item in groups['nova_compute'] %}
+{% if hostvars[item]['nova_pubkey'] is defined %}
+KEY="{{ hostvars[item]['nova_pubkey'] | b64decode }}"
+if ! grep -q -w "${KEY}" "${USER_HOME}/.ssh/authorized_keys"; then
+ echo "${KEY}" | tee -a "${USER_HOME}/.ssh/authorized_keys"
+ EXIT_CODE=3
+fi
+{% endif %}
+{% endfor %}
+
+exit "${EXIT_CODE}"
+
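Review bot: The decoded `nova_pubkey` of every compute host is expanded into a double-quoted bash string, `KEY="{{ hostvars[item]['nova_pubkey'] | b64decode }}"`, with no shell escaping, so a value containing `"`, `$`, a backtick or a backslash would be reinterpreted by bash in a script that then runs on every compute node; render it through Ansible's shell-quoting filter instead, `KEY={{ hostvars[item]['nova_pubkey'] | b64decode | quote }}`. Where `nova_pubkey` is set is outside this patch — if it is a fact collected from each compute host rather than a deployer-controlled variable, every host's value becomes input to every other host's script, which makes the quoting matter more. The presence check `grep -q -w "${KEY}"` treats the key as a basic regular expression rather than a literal line, so a `.` in a key comment matches any character; `grep -qxF "${KEY}"` compares the exact literal line. The `touch` also assumes `${USER_HOME}/.ssh` already exists; with `set -e` a missing directory aborts with rc 1, which the task reports as a failure rather than creating it, so if nothing earlier in the role creates that directory, add a `mkdir -p` plus `chmod 0700` of it before the `touch`.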