From c924a7652fc408cc47bef7ca7f6a7d570b3c86be Mon Sep 17 00:00:00 2001 From: Andy McCrae Date: Thu, 23 Jul 2015 11:26:31 +0100 Subject: [PATCH] Adjust SSH key creation method for repo servers This patch ensures that the authorized_key ansible module is used, as well as the built-in "generate_ssh_key" flag for user creation, so that we can avoid using shell-out commands. Additionally, this moves the key synchronisation to use ansible variables instead of the memcache server. Change-Id: I4fe7620cae6bf68f4c0fe248cb1dfa3c24e44110 Closes-Bug: #1477494 --- playbooks/roles/repo_server/defaults/main.yml | 4 ++ playbooks/roles/repo_server/tasks/main.yml | 8 +-- .../repo_server/tasks/repo_key_create.yml | 54 ------------------- .../repo_server/tasks/repo_key_distribute.yml | 20 ++----- ...po_key_store.yml => repo_key_populate.yml} | 27 +++++----- .../repo_server/tasks/repo_post_install.yml | 18 ++++++- 6 files changed, 40 insertions(+), 91 deletions(-) delete mode 100644 playbooks/roles/repo_server/tasks/repo_key_create.yml rename playbooks/roles/repo_server/tasks/{repo_key_store.yml => repo_key_populate.yml} (56%) diff --git a/playbooks/roles/repo_server/defaults/main.yml b/playbooks/roles/repo_server/defaults/main.yml index 95f0470112..963d61bd6c 100644 --- a/playbooks/roles/repo_server/defaults/main.yml +++ b/playbooks/roles/repo_server/defaults/main.yml @@ -31,6 +31,10 @@ repo_auto_rebuild: false repo_memcached_servers: "{% for host in groups['repo_all'] %}{{ hostvars[host]['ansible_ssh_host'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}" +# If you want to regenerate the repo users SSH keys, on each run, set this var to True +# Otherwise keys will be generated on the first run and not regenerated each run. +repo_recreate_keys: False + repo_apt_packages: - aptitude - bridge-utils diff --git a/playbooks/roles/repo_server/tasks/main.yml b/playbooks/roles/repo_server/tasks/main.yml index 6d5f0e9a33..f33b4843c7 100644 
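Review bot: `repo_recreate_keys: False` uses a capitalised boolean while the neighbouring default in the same hunk (`repo_auto_rebuild: false`) is lowercase; write `repo_recreate_keys: false` so the file stays consistent and the value is read as a boolean under both YAML 1.1 and 1.2 parsers. The comment above it should also say what enabling the flag does on the hosts, because repo_post_install.yml removes the repo user's `id_rsa`, `id_rsa.pub` and `authorized_keys` on every repo host before the key is regenerated and redistributed; something like `# Enabling this deletes the repo user's existing key pair and authorized_keys on every repo host before new keys are generated and distributed, so only set it for a full, unlimited run.` Until the run reaches repo_key_distribute.yml the hosts no longer trust each other's keys, which is worth stating where the flag is defined.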
--- a/playbooks/roles/repo_server/tasks/main.yml
+++ b/playbooks/roles/repo_server/tasks/main.yml
@@ -17,16 +17,10 @@ - include: repo_install.yml - include: repo_post_install.yml -- include: repo_key_create.yml - -- include: repo_key_store.yml - when: > - inventory_hostname == groups['pkg_repo'][0] and - groups.repo_all|length > 1 +- include: repo_key_populate.yml - include: repo_key_distribute.yml when: > - inventory_hostname != groups['pkg_repo'][0] and groups.repo_all|length > 1 - include: repo_sync_manager.yml
diff --git a/playbooks/roles/repo_server/tasks/repo_key_create.yml b/playbooks/roles/repo_server/tasks/repo_key_create.yml
deleted file mode 100644
index 86101ec814..0000000000
--- a/playbooks/roles/repo_server/tasks/repo_key_create.yml
+++ /dev/null 
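Review bot: The `when: >` folded block on the repo_key_distribute include now holds a single clause, so the block scalar only adds noise; `when: groups.repo_all|length > 1` on one line reads more directly. That condition also counts `repo_all` while the new distribute task in repo_key_distribute.yml loops over `groups['pkg_repo']`; if those two groups are not the same set of hosts, the distribute step can run for a single-host `pkg_repo` group or be skipped when it should run, so it is worth confirming the group layout against the inventory. Dropping the `inventory_hostname` clauses means both includes now run on every host, which the host-vars approach requires since each host must set its own `repo_pubkey` fact before any peer can read it.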
@@ -1,54 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Remove old key file(s) if found - file: - path: "{{ item }}" - state: "absent" - with_items: - - "{{ repo_service_home_folder }}/.ssh/authorized_keys" - - "{{ repo_service_home_folder }}/.ssh/id_rsa" - - "{{ repo_service_home_folder }}/.ssh/id_rsa.pub" - -- name: Create the nginx SSH key if it doesnt exist - shell: | - su - nginx -c 'ssh-keygen -f {{ repo_service_home_folder }}/.ssh/id_rsa -t rsa -q -N ""' - -- name: Create empty 'authorized_keys' file - file: - path: "{{ repo_service_home_folder }}/.ssh/authorized_keys" - state: "touch" - -- name: Change permissions on the generated keys - file: - path: "{{ item.path }}" - group: "www-data" - owner: "nginx" - mode: "{{ item.mode }}" - with_items: - - { path: "{{ repo_service_home_folder }}/.ssh/authorized_keys", mode: "0700" } - - { path: "{{ repo_service_home_folder }}/.ssh/id_rsa", mode: "0600" } - - { path: "{{ repo_service_home_folder }}/.ssh/id_rsa.pub", mode: "0644" } - -- name: Get public key contents - command: | - cat {{ repo_service_home_folder }}/.ssh/id_rsa.pub - register: nginx_pub - changed_when: false - -- name: Build authorized keys - shell: | - echo "{{ nginx_pub.stdout }}" | tee -a {{ repo_service_home_folder }}/.ssh/authorized_keys - delegate_to: "{{ groups['pkg_repo'][0] }}" 
diff --git a/playbooks/roles/repo_server/tasks/repo_key_distribute.yml b/playbooks/roles/repo_server/tasks/repo_key_distribute.yml
index 1c9aeafcc5..b164693a01 100644
--- a/playbooks/roles/repo_server/tasks/repo_key_distribute.yml
+++ b/playbooks/roles/repo_server/tasks/repo_key_distribute.yml
@@ -13,21 +13,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Retrieve authorized keys - memcached: - name: "{{ item.name }}" - file_path: "{{ item.src }}" - state: "retrieve" - file_mode: "{{ item.file_mode }}" - dir_mode: "{{ item.dir_mode }}" - server: "{{ repo_memcached_servers }}" - encrypt_string: "{{ memcached_encryption_key }}" - with_items: - - { src: "{{ repo_service_home_folder }}/.ssh/authorized_keys", name: "authorized_keys", file_mode: "0640", dir_mode: "0750" } - register: memcache_keys - until: memcache_keys|success - retries: 5 - delay: 2 +- name: Create authorized keys file from host vars + authorized_key: + user: "{{ repo_service_user_name }}" + key: "{{ hostvars[item]['repo_pubkey'] }}" + with_items: groups['pkg_repo'] tags: - repo-key - repo-key-store
diff --git a/playbooks/roles/repo_server/tasks/repo_key_store.yml b/playbooks/roles/repo_server/tasks/repo_key_populate.yml
similarity index 56%
rename from playbooks/roles/repo_server/tasks/repo_key_store.yml
rename to playbooks/roles/repo_server/tasks/repo_key_populate.yml
index 75a5430a96..2036e3fe0b 100644
--- a/playbooks/roles/repo_server/tasks/repo_key_store.yml
+++ b/playbooks/roles/repo_server/tasks/repo_key_populate.yml 
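Review bot: The new `authorized_key` task keeps the `repo-key-store` tag from the context lines below it, but the store file is renamed to repo_key_populate.yml in this same commit and its tasks are re-tagged `repo-key-create`, so `repo-key-store` no longer names any file and the task that actually distributes keys has no `repo-key-distribute` tag; change the tag to `- repo-key-distribute`. Two behaviours deserve a comment on the task: `hostvars[item]['repo_pubkey']` is undefined for any `pkg_repo` host that did not run repo_key_populate.yml in the same play (a `--limit` run, or a host that failed earlier), so the task aborts with an undefined-variable error rather than skipping that host; and the module's default `state: present` only adds keys, so a key belonging to a host that later leaves `pkg_repo` stays authorized on the others until `repo_recreate_keys` clears the file. Later Ansible releases also warn on the bare expression `with_items: groups['pkg_repo']`; the quoted form `with_items: "{{ groups['pkg_repo'] }}"` is the portable spelling.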
@@ -13,19 +13,18 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Distribute authorized keys for cluster consumption - memcached: - name: "{{ item.name }}" - file_path: "{{ item.src }}" - state: "present" - server: "{{ repo_memcached_servers }}" - encrypt_string: "{{ memcached_encryption_key }}" - with_items: - - { src: "{{ repo_service_home_folder }}/.ssh/authorized_keys", name: "authorized_keys" } - register: memcache_keys - until: memcache_keys|success - retries: 5 - delay: 2 +- name: Get public key contents and store as var + command: | + cat {{ repo_service_home_folder }}/.ssh/id_rsa.pub + register: repo_pub + changed_when: false tags: - repo-key - - repo-key-distribute + - repo-key-create + +- name: Register a fact for the repo user pub key + set_fact: + repo_pubkey: "{{ repo_pub.stdout }}" + tags: + - repo-key + - repo-key-create
diff --git a/playbooks/roles/repo_server/tasks/repo_post_install.yml b/playbooks/roles/repo_server/tasks/repo_post_install.yml
index 6467092139..327e87fa31 100644
--- a/playbooks/roles/repo_server/tasks/repo_post_install.yml
+++ b/playbooks/roles/repo_server/tasks/repo_post_install.yml
@@ -21,7 +21,20 @@ tags: - pkg-repo-group -- name: Create the nova system user +- name: Remove old key file(s) if found + file: + path: "{{ item }}" + state: "absent" + with_items: + - "{{ repo_service_home_folder }}/.ssh/authorized_keys" + - "{{ repo_service_home_folder }}/.ssh/id_rsa" + - "{{ repo_service_home_folder }}/.ssh/id_rsa.pub" + when: repo_recreate_keys | bool + tags: + - repo-key + - repo-key-create + +- name: Create the nginx system user + user: + name: "{{ repo_service_user_name }}" + group: "{{ repo_service_group_name }}"
@@ -30,8 +43,11 @@ system: "yes" createhome: "yes" home: "{{ repo_service_home_folder }}" + generate_ssh_key: "yes" tags: - pkg-repo-user + - repo-key + - repo-key-create - name: File and directory setup file:
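Review bot: The populate task still shells out (`command: |` followed by `cat {{ repo_service_home_folder }}/.ssh/id_rsa.pub`) although the commit message's stated goal is to stop using shell-out commands; the `slurp` module reads the file without spawning a process and returns it base64-encoded, so the task could become a `slurp` with `src: "{{ repo_service_home_folder }}/.ssh/id_rsa.pub"` registered as `repo_pub`, with the fact set as `repo_pubkey: "{{ repo_pub.content | b64decode | trim }}"`. If the `command` is kept, the `|` block scalar is unnecessary for a one-line command and carries a trailing newline into the argument string; `command: "cat {{ repo_service_home_folder }}/.ssh/id_rsa.pub"` is the plain form. The task also hard-codes `id_rsa.pub`, which only matches the key produced by `generate_ssh_key` in repo_post_install.yml because that module's default key file is `.ssh/id_rsa` under the user's home; a one-line comment such as `# Path must match the user module's default ssh_key_file in repo_post_install.yml` would save the next reader a cross-file check.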
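Review bot: `generate_ssh_key: "yes"` in the second repo_post_install.yml hunk leaves the key type, size and comment at the `user` module's defaults (RSA, 2048 bits at the time of this change); since this key pair is what authorises repo-to-repo access, pin the size explicitly with `ssh_key_bits: 4096` so the strength does not silently depend on the module version in use. In the first hunk the removal task is correctly placed before the user task, because `generate_ssh_key` only creates a key when none exists yet, but nothing says so; a comment on the removal task, `# Must run before the user task: generate_ssh_key only creates a key when none exists`, would keep a later reorder from silently turning `repo_recreate_keys` into a no-op. The user task itself starts inside the first hunk and its remaining options continue into the second, so the `tags` change in the second hunk belongs to that same task.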