Disable SSH login for nova_migration user when migration over ssh is disabled.
If migration over ssh is enabled, and then later disabled, the ssh config
for the nova_migration user remains intact. This change clobbers the migration
SSH key to disable login when it is not necessary.
Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #1688321
(cherry picked from commit fe8edab1f4)
This commit is contained in:
parent
0c3e97a5ae
commit
3346f7f6e2
|
@ -185,31 +185,42 @@ class tripleo::profile::base::nova (
|
||||||
notify => Service['sshd']
|
notify => Service['sshd']
|
||||||
}
|
}
|
||||||
|
|
||||||
file { '/etc/nova/migration/authorized_keys':
|
$migration_authorized_keys = $migration_ssh_key['public_key']
|
||||||
content => $migration_ssh_key['public_key'],
|
$migration_identity = $migration_ssh_key['private_key']
|
||||||
mode => '0640',
|
$migration_user_shell = '/bin/bash'
|
||||||
owner => 'root',
|
}
|
||||||
group => 'nova_migration',
|
else {
|
||||||
require => Package['openstack-nova-migration'],
|
# Remove the keys and prevent login when migration over SSH is not enabled
|
||||||
}
|
$migration_authorized_keys = '# Migration over SSH disabled by TripleO'
|
||||||
|
$migration_identity = '# Migration over SSH disabled by TripleO'
|
||||||
# Client side
|
$migration_user_shell = '/sbin/nologin'
|
||||||
file { '/etc/nova/migration/identity':
|
}
|
||||||
content => $migration_ssh_key['private_key'],
|
|
||||||
mode => '0600',
|
package { 'openstack-nova-migration':
|
||||||
owner => 'nova',
|
ensure => present,
|
||||||
group => 'nova',
|
tag => ['openstack', 'nova-package'],
|
||||||
require => Package['openstack-nova-migration'],
|
}
|
||||||
}
|
|
||||||
$migration_pkg_ensure = installed
|
file { '/etc/nova/migration/authorized_keys':
|
||||||
} else {
|
content => $migration_authorized_keys,
|
||||||
$migration_pkg_ensure = absent
|
mode => '0640',
|
||||||
|
owner => 'root',
|
||||||
|
group => 'nova_migration',
|
||||||
|
require => Package['openstack-nova-migration']
|
||||||
|
}
|
||||||
|
|
||||||
|
file { '/etc/nova/migration/identity':
|
||||||
|
content => $migration_identity,
|
||||||
|
mode => '0600',
|
||||||
|
owner => 'nova',
|
||||||
|
group => 'nova',
|
||||||
|
require => Package['openstack-nova-migration']
|
||||||
|
}
|
||||||
|
|
||||||
|
user {'nova_migration':
|
||||||
|
shell => $migration_user_shell,
|
||||||
|
require => Package['openstack-nova-migration']
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
$migration_pkg_ensure = absent
|
|
||||||
}
|
|
||||||
package {'openstack-nova-migration':
|
|
||||||
ensure => $migration_pkg_ensure
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
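Review bot: The old side's `} else { $migration_pkg_ensure = absent }` (the `else` of an `if` that opens outside this hunk) is dropped and nothing replaces it, so when that outer condition is false the package, both key files and the nova_migration user are no longer managed at all; a node where an earlier run installed the package keeps whatever authorized_keys and identity it already has, which is the same stale-key situation this commit fixes for the inner toggle. The spec hunk at `-95,9 +95,8` confirms the package is now simply not asserted in that case rather than asserted absent. Consider keeping `package {'openstack-nova-migration': ensure => absent }` in that branch, or stating in the commit message why removal is no longer wanted. Separately, `shell => $migration_user_shell` deserves a why-comment, because `/sbin/nologin` only refuses a shell after authentication succeeds; what actually blocks access is the clobbered authorized_keys together with the sshd deny resource that appears to precede this hunk (the one notifying `Service['sshd']`), e.g. `# nologin is defence in depth; the sshd deny block and the emptied authorized_keys are what reject nova_migration logins`.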
@ -95,9 +95,8 @@ describe 'tripleo::profile::base::nova' do
|
||||||
is_expected.to contain_class('nova::cache')
|
is_expected.to contain_class('nova::cache')
|
||||||
is_expected.to contain_class('nova::placement')
|
is_expected.to contain_class('nova::placement')
|
||||||
is_expected.to_not contain_class('nova::migration::libvirt')
|
is_expected.to_not contain_class('nova::migration::libvirt')
|
||||||
is_expected.to contain_package('openstack-nova-migration').with(
|
is_expected.to_not contain_file('/etc/nova/migration/authorized_keys')
|
||||||
:ensure => 'absent'
|
is_expected.to_not contain_file('/etc/nova/migration/identity')
|
||||||
)
|
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -132,7 +131,22 @@ describe 'tripleo::profile::base::nova' do
|
||||||
:configure_nova => params[:nova_compute_enabled]
|
:configure_nova => params[:nova_compute_enabled]
|
||||||
)
|
)
|
||||||
is_expected.to contain_package('openstack-nova-migration').with(
|
is_expected.to contain_package('openstack-nova-migration').with(
|
||||||
:ensure => 'absent'
|
:ensure => 'present'
|
||||||
|
)
|
||||||
|
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||||
|
:content => '# Migration over SSH disabled by TripleO',
|
||||||
|
:mode => '0640',
|
||||||
|
:owner => 'root',
|
||||||
|
:group => 'nova_migration',
|
||||||
|
)
|
||||||
|
is_expected.to contain_file('/etc/nova/migration/identity').with(
|
||||||
|
:content => '# Migration over SSH disabled by TripleO',
|
||||||
|
:mode => '0600',
|
||||||
|
:owner => 'nova',
|
||||||
|
:group => 'nova',
|
||||||
|
)
|
||||||
|
is_expected.to contain_user('nova_migration').with(
|
||||||
|
:shell => '/sbin/nologin'
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
@ -169,7 +183,22 @@ describe 'tripleo::profile::base::nova' do
|
||||||
:configure_nova => params[:nova_compute_enabled],
|
:configure_nova => params[:nova_compute_enabled],
|
||||||
)
|
)
|
||||||
is_expected.to contain_package('openstack-nova-migration').with(
|
is_expected.to contain_package('openstack-nova-migration').with(
|
||||||
:ensure => 'absent'
|
:ensure => 'present'
|
||||||
|
)
|
||||||
|
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||||
|
:content => '# Migration over SSH disabled by TripleO',
|
||||||
|
:mode => '0640',
|
||||||
|
:owner => 'root',
|
||||||
|
:group => 'nova_migration',
|
||||||
|
)
|
||||||
|
is_expected.to contain_file('/etc/nova/migration/identity').with(
|
||||||
|
:content => '# Migration over SSH disabled by TripleO',
|
||||||
|
:mode => '0600',
|
||||||
|
:owner => 'nova',
|
||||||
|
:group => 'nova',
|
||||||
|
)
|
||||||
|
is_expected.to contain_user('nova_migration').with(
|
||||||
|
:shell => '/sbin/nologin'
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
@ -223,6 +252,9 @@ describe 'tripleo::profile::base::nova' do
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
|
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
|
||||||
|
is_expected.to contain_package('openstack-nova-migration').with(
|
||||||
|
:ensure => 'present'
|
||||||
|
)
|
||||||
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||||
:content => 'ssh-rsa bar',
|
:content => 'ssh-rsa bar',
|
||||||
:mode => '0640',
|
:mode => '0640',
|
||||||
|
@ -235,8 +267,8 @@ describe 'tripleo::profile::base::nova' do
|
||||||
:owner => 'nova',
|
:owner => 'nova',
|
||||||
:group => 'nova',
|
:group => 'nova',
|
||||||
)
|
)
|
||||||
is_expected.to contain_package('openstack-nova-migration').with(
|
is_expected.to contain_user('nova_migration').with(
|
||||||
:ensure => 'installed'
|
:shell => '/bin/bash'
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
@ -297,6 +329,9 @@ describe 'tripleo::profile::base::nova' do
|
||||||
'DenyUsers' => 'nova_migration'
|
'DenyUsers' => 'nova_migration'
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
is_expected.to contain_package('openstack-nova-migration').with(
|
||||||
|
:ensure => 'present'
|
||||||
|
)
|
||||||
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||||
:content => 'ssh-rsa bar',
|
:content => 'ssh-rsa bar',
|
||||||
:mode => '0640',
|
:mode => '0640',
|
||||||
|
@ -309,8 +344,8 @@ describe 'tripleo::profile::base::nova' do
|
||||||
:owner => 'nova',
|
:owner => 'nova',
|
||||||
:group => 'nova',
|
:group => 'nova',
|
||||||
)
|
)
|
||||||
is_expected.to contain_package('openstack-nova-migration').with(
|
is_expected.to contain_user('nova_migration').with(
|
||||||
:ensure => 'installed'
|
:shell => '/bin/bash'
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
@ -365,6 +400,9 @@ describe 'tripleo::profile::base::nova' do
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
|
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
|
||||||
|
is_expected.to contain_package('openstack-nova-migration').with(
|
||||||
|
:ensure => 'present'
|
||||||
|
)
|
||||||
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||||
:content => 'ssh-rsa bar',
|
:content => 'ssh-rsa bar',
|
||||||
:mode => '0640',
|
:mode => '0640',
|
||||||
|
@ -377,8 +415,8 @@ describe 'tripleo::profile::base::nova' do
|
||||||
:owner => 'nova',
|
:owner => 'nova',
|
||||||
:group => 'nova',
|
:group => 'nova',
|
||||||
)
|
)
|
||||||
is_expected.to contain_package('openstack-nova-migration').with(
|
is_expected.to contain_user('nova_migration').with(
|
||||||
:ensure => 'installed'
|
:shell => '/bin/bash'
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
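Review bot: The disabled-state assertions (package present, the two files with the `# Migration over SSH disabled by TripleO` content, user shell `/sbin/nologin`) are pasted verbatim into two contexts (the `-132,7 +131,22` and `-169,7 +183,22` hunks), and the enabled-state pair (`ssh-rsa bar` content, shell `/bin/bash`) into three more, so every future change to the manifest's disabled branch must be mirrored in each copy. A `shared_examples 'migration over ssh disabled'` block holding those `is_expected` lines, pulled in with `it_behaves_like`, would keep the copies in sync and make the intended state of that branch readable in one place. If the disabled contexts are meant to keep the `nova_migration deny` match block alongside the nologin shell, none of the visible new lines pin it, so a regression that drops the sshd-level deny would still pass; the `it` blocks open above these hunks, so I cannot see whether such an assertion already exists there.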