diff --git a/playbooks/roles/os_nova/defaults/main.yml b/playbooks/roles/os_nova/defaults/main.yml
index d496d77ce6..62ae8e383d 100644
--- a/playbooks/roles/os_nova/defaults/main.yml
+++ b/playbooks/roles/os_nova/defaults/main.yml
@@ -229,6 +229,10 @@ nova_scheduler_manager: nova.scheduler.manager.SchedulerManager
 nova_scheduler_weight_classes: nova.scheduler.weights.all_weighers
 nova_scheduler_program_name: nova-scheduler
 
+# If you want to regenerate the nova users SSH keys, on each run, set this var to True
+# Otherwise keys will be generated on the first run and not regenerated each run.
+nova_recreate_keys: False
+
 ## General Neutron configuration
 # If ``nova_osapi_compute_workers`` is unset the system will use half the number of available VCPUS to
 # compute the number of api workers to use.
diff --git a/playbooks/roles/os_nova/tasks/nova_compute.yml b/playbooks/roles/os_nova/tasks/nova_compute.yml
index fd4b343271..70da214f17 100644
--- a/playbooks/roles/os_nova/tasks/nova_compute.yml
+++ b/playbooks/roles/os_nova/tasks/nova_compute.yml
@@ -16,13 +16,6 @@
 - include: nova_compute_kvm.yml
 when: nova_virt_type == 'kvm' or nova_virt_type == 'qemu'
 
-- include: nova_compute_key_create.yml
-
-- include: nova_compute_key_store.yml
- when: >
- inventory_hostname == groups['nova_compute'][0]
+- include: nova_compute_key_populate.yml
 
 - include: nova_compute_key_distribute.yml
- when: >
- inventory_hostname != groups['nova_compute'][0] and
- inventory_hostname in groups['nova_compute']
diff --git a/playbooks/roles/os_nova/tasks/nova_compute_key_create.yml b/playbooks/roles/os_nova/tasks/nova_compute_key_create.yml
deleted file mode 100644
index 5bdab33d81..0000000000
--- a/playbooks/roles/os_nova/tasks/nova_compute_key_create.yml
+++ /dev/null
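Review bot: `nova_recreate_keys: False` is a capitalised YAML boolean and the comment above it says "set this var to True"; the consumer in nova_pre_install.yml reads it through `| bool`, so it works, but the canonical spelling is lowercase and yamllint's truthy rule flags the capitalised form: `nova_recreate_keys: false`. The comment also understates what the flag does: from the other hunks on this page it removes id_rsa, id_rsa.pub and authorized_keys on every compute host before the key is regenerated, so a run that does not cover all compute hosts leaves the cross-host trust incomplete. I would replace the two comment lines with `# When true, the nova user's id_rsa, id_rsa.pub and authorized_keys are removed on every run and the key pair is regenerated; run this against all compute hosts together, otherwise the authorized_keys rebuilt from hostvars will miss the hosts not in the play.`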
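Review bot: Dropping the `when:` guards makes the correctness of this file depend on include order across hosts: `nova_compute_key_distribute.yml` reads `nova_pubkey` from the hostvars of every member of `groups['nova_compute']`, so `nova_compute_key_populate.yml` must have completed on all of them first. Because Ansible finishes a task on every host before starting the next, that holds for a full run, but a play run with `serial` or `--limit` will distribute before some hosts have published their key, and nothing here documents the constraint. I would add above the populate include: `# populate sets nova_pubkey on each compute host; distribute below reads it from hostvars of all compute hosts, so both must run over the whole group in one play`.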
@@ -1,85 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Remove old key file(s) if found
- file:
- path: "{{ item }}"
- state: "absent"
- with_items:
- - "{{ nova_system_home_folder }}/.ssh/authorized_keys"
- - "{{ nova_system_home_folder }}/.ssh/id_rsa"
- - "{{ nova_system_home_folder }}/.ssh/id_rsa.pub"
- tags:
- - nova-key
- - nova-key-create
-
-- name: Create the nova SSH config file
- copy:
- src: "ssh_config"
- dest: "/var/lib/nova/.ssh/config"
- owner: "{{ nova_system_user_name }}"
- group: "{{ nova_system_user_name }}"
- mode: "0644"
- tags:
- - nova-key
- - nova-key-create
-
-- name: Create the nova SSH key if it doesnt exist
- command: |
- ssh-keygen -f {{ nova_system_home_folder }}/.ssh/id_rsa -t rsa -q -N ""
- sudo: yes
- sudo_user: "{{ nova_system_user_name }}"
- tags:
- - nova-key
- - nova-key-create
-
-- name: Create empty 'authorized_keys' file
- file:
- path: "{{ nova_system_home_folder }}/.ssh/authorized_keys"
- state: "touch"
- tags:
- - nova-key
- - nova-key-create
-
-- name: Change permissions on the generated keys
- file:
- path: "{{ item.path }}"
- group: "{{ nova_system_user_name }}"
- owner: "{{ nova_system_user_name }}"
- mode: "{{ item.mode }}"
- with_items:
- - { path: "{{ nova_system_home_folder }}/.ssh/authorized_keys", mode: "0700" }
- - { path: "{{ nova_system_home_folder }}/.ssh/id_rsa", mode: "0600" }
- - { path: "{{ nova_system_home_folder }}/.ssh/id_rsa.pub", mode: "0644" }
- tags:
- - nova-key
- - nova-key-create
-
-- name: Get public key contents
- command: |
- cat {{ nova_system_home_folder }}/.ssh/id_rsa.pub
- register: nova_pub
- changed_when: false
- tags:
- - nova-key
- - nova-key-create
-
-- name: Build authorized keys
- shell: |
- echo "{{ nova_pub.stdout }}" | tee -a {{ nova_system_home_folder }}/.ssh/authorized_keys
- delegate_to: "{{ groups['nova_compute'][0] }}"
- tags:
- - nova-key
- - nova-key-create
diff --git a/playbooks/roles/os_nova/tasks/nova_compute_key_distribute.yml b/playbooks/roles/os_nova/tasks/nova_compute_key_distribute.yml
index 764df2a3f4..f93cd2f6ef 100644
--- a/playbooks/roles/os_nova/tasks/nova_compute_key_distribute.yml
+++ b/playbooks/roles/os_nova/tasks/nova_compute_key_distribute.yml
@@ -13,21 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Retrieve authorized keys
- memcached:
- name: "{{ item.name }}"
- file_path: "{{ item.src }}"
- state: "retrieve"
- file_mode: "{{ item.file_mode }}"
- dir_mode: "{{ item.dir_mode }}"
- server: "{{ memcached_servers.split(',')[0] }}"
- encrypt_string: "{{ memcached_encryption_key }}"
- with_items:
- - { src: "{{ nova_system_home_folder }}/.ssh/authorized_keys", name: "authorized_keys", file_mode: "0640", dir_mode: "0750" }
- register: memcache_keys
- until: memcache_keys|success
- retries: 5
- delay: 2
+- name: Create authorized keys file from host vars
+ authorized_key:
+ user: "{{ nova_system_user_name }}"
+ key: "{{ hostvars[item]['nova_pubkey'] }}"
+ with_items: groups['nova_compute']
 tags:
 - nova-key
 - nova-key-distribute
diff --git a/playbooks/roles/os_nova/tasks/nova_compute_key_store.yml b/playbooks/roles/os_nova/tasks/nova_compute_key_populate.yml
similarity index 51%
rename from playbooks/roles/os_nova/tasks/nova_compute_key_store.yml
rename to playbooks/roles/os_nova/tasks/nova_compute_key_populate.yml
index 6ed298f64d..3084929196 100644
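Review bot: `key: "{{ hostvars[item]['nova_pubkey'] }}"` is evaluated for every member of `groups['nova_compute']`, but `nova_pubkey` only exists for hosts that ran `nova_compute_key_populate.yml` in this play; a host excluded by `--limit` or one that failed earlier makes the lookup undefined and the task then errors on every remaining host. Guard the item with `when: hostvars[item]['nova_pubkey'] is defined`. Note also that `authorized_key` only adds entries, so the key of a host removed from the group stays authorised on every compute node until a run with `nova_recreate_keys` set wipes the file — worth recording with `# keys are only ever added here; revocation relies on nova_recreate_keys removing authorized_keys`. `with_items: groups['nova_compute']` is better written `with_items: "{{ groups['nova_compute'] }}"`, since bare variable names in loops are deprecated in later Ansible releases.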
--- a/playbooks/roles/os_nova/tasks/nova_compute_key_store.yml
+++ b/playbooks/roles/os_nova/tasks/nova_compute_key_populate.yml
@@ -13,19 +13,29 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Distribute authorized keys for cluster consumption
- memcached:
- name: "{{ item.name }}"
- file_path: "{{ item.src }}"
- state: "present"
- server: "{{ memcached_servers.split(',')[0] }}"
- encrypt_string: "{{ memcached_encryption_key }}"
- with_items:
- - { src: "{{ nova_system_home_folder }}/.ssh/authorized_keys", name: "authorized_keys" }
- register: memcache_keys
- until: memcache_keys|success
- retries: 5
- delay: 2
+- name: Create the nova SSH config file
+ copy:
+ src: "ssh_config"
+ dest: "/var/lib/nova/.ssh/config"
+ owner: "{{ nova_system_user_name }}"
+ group: "{{ nova_system_user_name }}"
+ mode: "0644"
 tags:
 - nova-key
- - nova-key-store
+ - nova-key-create
+
+- name: Get public key contents and store as var
+ command: |
+ cat {{ nova_system_home_folder }}/.ssh/id_rsa.pub
+ register: nova_pub
+ changed_when: false
+ tags:
+ - nova-key
+ - nova-key-create
+
+- name: Register a fact for the nova pub key
+ set_fact:
+ nova_pubkey: "{{ nova_pub.stdout }}"
+ tags:
+ - nova-key
+ - nova-key-create
diff --git a/playbooks/roles/os_nova/tasks/nova_pre_install.yml b/playbooks/roles/os_nova/tasks/nova_pre_install.yml
index 046fa61398..e17dc7bf6e 100644
--- a/playbooks/roles/os_nova/tasks/nova_pre_install.yml
+++ b/playbooks/roles/os_nova/tasks/nova_pre_install.yml
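Review bot: `dest: "/var/lib/nova/.ssh/config"` hard-codes the home directory while the next task in this file and the removal task in nova_pre_install.yml use `{{ nova_system_home_folder }}`; if that variable is overridden the ssh config is written outside the nova user's home and never consulted, so it should be `dest: "{{ nova_system_home_folder }}/.ssh/config"`. The `cat` of id_rsa.pub through `command` could also go: the `user` task in nova_pre_install.yml that now generates the key reports the public key as `ssh_public_key` in its result, so registering that task and setting `nova_pubkey: "{{ <registered_user_result>.ssh_public_key }}"` avoids a shell read and the `changed_when: false` workaround. Whether `ssh_public_key` is returned depends on the Ansible version in use, so confirm before relying on it.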
@@ -21,6 +21,19 @@
 tags:
 - nova-group
 
+- name: Remove old key file(s) if found
+ file:
+ path: "{{ item }}"
+ state: "absent"
+ with_items:
+ - "{{ nova_system_home_folder }}/.ssh/authorized_keys"
+ - "{{ nova_system_home_folder }}/.ssh/id_rsa"
+ - "{{ nova_system_home_folder }}/.ssh/id_rsa.pub"
+ when: nova_recreate_keys | bool
+ tags:
+ - nova-key
+ - nova-key-create
+
 - name: Create the nova system user
 user:
 name: "{{ nova_system_user_name }}"
@@ -30,8 +43,11 @@
 system: "yes"
 createhome: "yes"
 home: "{{ nova_system_home_folder }}"
+ generate_ssh_key: "yes"
 tags:
 - nova-user
+ - nova-key
+ - nova-key-create
 
 - name: Create nova dir
 file:
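Review bot: `generate_ssh_key: "yes"` leaves the key type, size, file name and comment to the `user` module's defaults, yet the removal task in the previous hunk and `nova_compute_key_populate.yml` hard-code `.ssh/id_rsa`, so a change in the module default would silently break the read of `id_rsa.pub`. Pin them next to `generate_ssh_key`: `ssh_key_file: ".ssh/id_rsa"`, `ssh_key_bits: 4096`, `ssh_key_comment: "{{ nova_system_user_name }}@{{ inventory_hostname }}"`. The comment makes each entry in the cluster-wide authorized_keys attributable to a host, which nothing in the distribute task records otherwise. The enclosing `user` task starts outside this hunk.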