diff --git a/doc/source/roles/role-tripleo-ssh-known-hosts.rst b/doc/source/roles/role-tripleo-ssh-known-hosts.rst new file mode 100644 index 000000000..f127570c5 --- /dev/null +++ b/doc/source/roles/role-tripleo-ssh-known-hosts.rst @@ -0,0 +1,23 @@ +============================================== +TripleO-Ansible Role - tripleo-ssh-known-hosts +============================================== + +This role provides for the following services: + + * tripleo-ssh-known-hosts + + +Default variables +~~~~~~~~~~~~~~~~~ + +.. literalinclude:: ../../../tripleo_ansible/roles/tripleo-ssh-known-hosts/defaults/main.yml + :language: yaml + :start-after: under the License. + + +Example playbook +~~~~~~~~~~~~~~~~ + +.. literalinclude:: ../../../tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/playbook.yml + :language: yaml + :start-after: under the License. diff --git a/tox.ini b/tox.ini index 91296c213..7692cae73 100644 --- a/tox.ini +++ b/tox.ini @@ -231,3 +231,9 @@ basepython = {[testenv:mol]basepython} deps = {[testenv:mol]deps} changedir = {toxinidir}/tripleo_ansible/roles/tripleo-module-load commands = python -m pytest --color=yes --html={envlogdir}/reports.html --self-contained-html {tty:-s} {toxinidir}/tests/test_molecule.py --scenario=remove_module + +[testenv:mol-tripleo-ssh-known-hosts] +basepython = {[testenv:mol]basepython} +deps = {[testenv:mol]deps} +changedir = {toxinidir}/tripleo_ansible/roles/tripleo-ssh-known-hosts +commands = python -m pytest --color=yes --html={envlogdir}/reports.html --self-contained-html {tty:-s} {toxinidir}/tests/test_molecule.py diff --git a/tripleo_ansible/roles/tripleo-ssh-known-hosts/README.md b/tripleo_ansible/roles/tripleo-ssh-known-hosts/README.md new file mode 100644 index 000000000..220a33f2a --- /dev/null +++ b/tripleo_ansible/roles/tripleo-ssh-known-hosts/README.md 
@@ -0,0 +1,41 @@ +tripleo-ssh-known-hosts +======================= + +An Ansible role to add all SSH host keys to the host level known hosts file on +all hosts. + +Requirements +------------ + +This section needs to be documented. + +Role variables +-------------- + +- ssh_known_hosts: -- Dict of hostname to ssh_known_hosts entries for a given + host + +Dependencies +------------ + +None. + +Example Playbook +---------------- + +Sample playbook to call the role: + + - name: Configure SSH known hosts + hosts: all + roles: + - tripleo-ssh-known-hosts + +License +------- + +Free software: Apache License (2.0) + +Author Information +------------------ + +OpenStack TripleO team diff --git a/tripleo_ansible/roles/tripleo-ssh-known-hosts/defaults/main.yml b/tripleo_ansible/roles/tripleo-ssh-known-hosts/defaults/main.yml new file mode 100644 index 000000000..47035e358 --- /dev/null +++ b/tripleo_ansible/roles/tripleo-ssh-known-hosts/defaults/main.yml 
@@ -0,0 +1,34 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +# All variables intended for modification should place placed in this file. + +# NOTE(cloudnull): This role used to use a non-namespaced option, which has a high +# probability of creating conflicts with other roles in the greater +# ansible ecosystem. To ensure that we're able to retain existing +# variable functionality the "ssh_known_hosts" option will supersede +# "tripleo_ssh_known_hosts" if defined. This default should be removed +# just as soon as we're validate that the non-namespaced option is +# no longer in use. +# +# tripleo_ssh_known_hosts: +# overcloud-controller-0: '[172.17.25.246]*,[overcloud-controller-0.localdomain]*,[overcloud-controller-0]*,...' +# overcloud-novacompute-0: '[172.17.25.247]*,[overcloud-novacompute-0.localdomain]*,[overcloud-novacompute-0]*,...' +# overcloud-novacompute-1: '[172.17.25.248]*,[overcloud-novacompute-1.localdomain]*,[overcloud-novacompute-1]*,...' +# overcloud-novacompute-2: '[172.17.25.249]*,[overcloud-novacompute-2.localdomain]*,[overcloud-novacompute-2]*,...' +# +tripleo_ssh_known_hosts: "{{ ssh_known_hosts | default({}) }}" diff --git a/tripleo_ansible/roles/tripleo-ssh-known-hosts/meta/main.yml b/tripleo_ansible/roles/tripleo-ssh-known-hosts/meta/main.yml new file mode 100644 index 000000000..e65e965c9 --- /dev/null +++ b/tripleo_ansible/roles/tripleo-ssh-known-hosts/meta/main.yml 
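Review bot: The NOTE(cloudnull) comment above `tripleo_ssh_known_hosts` has two wording slips that will be visible in the docs, since this file is literalinclude'd from the rst page: `should place placed in this file` should read `should be placed in this file`, and `just as soon as we're validate that` should read `as soon as we have validated that`. The comment also says `ssh_known_hosts` "will supersede" `tripleo_ssh_known_hosts`, but the expression `"{{ ssh_known_hosts | default({}) }}"` only makes it the fallback — an explicitly set `tripleo_ssh_known_hosts` still wins over a role default — so `will be used as the default for` describes the behaviour more accurately.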
@@ -0,0 +1,44 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +galaxy_info: + author: OpenStack + description: TripleO OpenStack Role -- tripleo-module-load + company: Red Hat + license: Apache-2.0 + min_ansible_version: 2.7 + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + platforms: + - name: Fedora + versions: + - 28 + - name: CentOS + versions: + - 7 + + galaxy_tags: + - tripleo + + +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. +dependencies: [] diff --git a/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/Dockerfile b/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/Dockerfile new file mode 100644 index 000000000..1b91a0e0b --- /dev/null +++ b/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/Dockerfile 
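Review bot: `description: TripleO OpenStack Role -- tripleo-module-load` under galaxy_info names the wrong role; it looks copied from the tripleo-module-load role and should read `description: TripleO OpenStack Role -- tripleo-ssh-known-hosts`. The rest of the metadata (platforms, tags, empty dependencies) is consistent with the new role.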
@@ -0,0 +1,37 @@ +# Molecule managed +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi + +{% for pkg in item.easy_install | default([]) %} +# install pip for centos where there is no python-pip rpm in default repos +RUN easy_install {{ pkg }} +{% endfor %} + + +CMD ["sh", "-c", "while true; do 
sleep 10000; done"] diff --git a/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/molecule.yml b/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/molecule.yml new file mode 100644 index 000000000..4ceafc6b0 --- /dev/null +++ b/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/molecule.yml @@ -0,0 +1,62 @@ +--- +driver: + name: docker + +log: true + +platforms: + - name: centos7 + hostname: centos7 + image: centos:7 + dockerfile: Dockerfile + pkg_extras: python-setuptools + easy_install: + - pip + environment: &env + http_proxy: "{{ lookup('env', 'http_proxy') }}" + https_proxy: "{{ lookup('env', 'https_proxy') }}" + + - name: fedora28 + hostname: fedora28 + image: fedora:28 + dockerfile: Dockerfile + pkg_extras: python*-setuptools + environment: + <<: *env + +provisioner: + name: ansible + inventory: + hosts: + all: + vars: + tripleo_ssh_known_hosts: + "centos7": '[10.0.0.0]*,[test-0.localdomain]*,[test-0]*' + "fedora28": '[10.0.0.0]*,[test-0.localdomain]*,[test-0]*' + children: + overcloud: + hosts: + fedora28: + ansible_ssh_host_key_rsa_public: AAAATEST + centos7: + ansible_ssh_host_key_rsa_public: AAAATEST + log: true + env: + ANSIBLE_STDOUT_CALLBACK: yaml + +scenario: + test_sequence: + - destroy + - create + - prepare + - converge + - verify + - destroy + +lint: + enabled: false + +verifier: + name: testinfra + lint: + name: flake8 diff --git a/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/playbook.yml b/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/playbook.yml new file mode 100644 index 000000000..602efb953 --- /dev/null +++ b/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/playbook.yml 
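Review bot: `ansible_ssh_host_key_rsa_public: AAAATEST` is supplied as an inventory host var for both platforms, but the role reads that same name from hostvars and Ansible's gathered fact of that name (setup reads the host's RSA public key file when it exists) takes precedence over inventory host vars; the scenario therefore only passes while the containers carry no RSA host key, which is probably true here but nowhere stated. A comment on those two lines, `# stand-in for the gathered fact; the container must have no RSA host key or the fact wins`, or setting the value with set_fact in prepare.yml, would make that dependency explicit. Separately, `lint: enabled: false` switches off yamllint/ansible-lint for this scenario; if the sibling role scenarios keep linting enabled this one should match.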
@@ -0,0 +1,22 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +- name: Converge + hosts: all + pre_tasks: + roles: + - role: "tripleo-ssh-known-hosts" diff --git a/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/prepare.yml b/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/prepare.yml new file mode 100644 index 000000000..57929e854 --- /dev/null +++ b/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/prepare.yml @@ -0,0 +1,26 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +- name: Prepare + hosts: all + roles: + - role: test_deps + tasks: + - name: Install additional dependencies + package: + name: openssh + state: present 
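Review bot: `pre_tasks:` in the Converge play has no value, which YAML parses as null; Ansible appears to tolerate an empty block list, but the key is dead weight and this play is literalinclude'd into the role docs as the example playbook, so either drop the line or write `pre_tasks: []` so the intent is explicit.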
diff --git a/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/tests/test_default.py b/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/tests/test_default.py new file mode 100644 index 000000000..efbeb6795 --- /dev/null +++ b/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/tests/test_default.py @@ -0,0 +1,28 @@ +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +import os + +import testinfra.utils.ansible_runner + + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') + + +def test_host_key_add(host): + assert '[10.0.0.0]*,[test-0.localdomain]*,[test-0]* ssh-rsa AAAATEST' \ + in host.file("/etc/ssh/ssh_known_hosts").content_string diff --git a/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/verify.yml b/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/verify.yml new file mode 100644 index 000000000..dfd4c7352 --- /dev/null +++ b/tripleo_ansible/roles/tripleo-ssh-known-hosts/molecule/default/verify.yml 
@@ -0,0 +1,15 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. diff --git a/tripleo_ansible/roles/tripleo-ssh-known-hosts/tasks/main.yml b/tripleo_ansible/roles/tripleo-ssh-known-hosts/tasks/main.yml new file mode 100644 index 000000000..f50f678ae --- /dev/null +++ b/tripleo_ansible/roles/tripleo-ssh-known-hosts/tasks/main.yml 
@@ -0,0 +1,65 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +- name: Add host keys in /etc/ssh/ssh_known_hosts for live/cold-migration + become: true + check_mode: false + block: + - name: Create temporary file for ssh_known_hosts + tempfile: + state: file + register: ssh_known_hosts_tmp + + - name: Check for ssh_known_hosts file + stat: + path: /etc/ssh/ssh_known_hosts + register: _ssh_known_hosts + + - name: Create a temporary copy of ssh_known_hosts + slurp: + src: "/etc/ssh/ssh_known_hosts" + register: existing_ssh_known_hosts + when: + - _ssh_known_hosts.stat.exists | bool + + - name: Write temporary file + copy: + content: "{{ existing_ssh_known_hosts['content'] | b64decode }}" + dest: "{{ ssh_known_hosts_tmp.path }}" + when: + - _ssh_known_hosts.stat.exists | bool + + - name: Add host keys to temporary ssh_known_hosts + lineinfile: + path: "{{ ssh_known_hosts_tmp.path }}" + line: "{{ tripleo_ssh_known_hosts[(hostvars[item]['ansible_hostname'] | lower)] ~ ' ssh-rsa ' ~ hostvars[item]['ansible_ssh_host_key_rsa_public'] }}" + create: true + with_items: "{{ groups['overcloud'] | intersect(play_hosts) }}" + + # Workaround https://bugs.launchpad.net/tripleo/+bug/1810932 + # Ansible modules perform a replace instead of in-place modification. 
+ # This breaks propagation of changes to containers that bind mount ssh_known_hosts + - name: In-place update of /etc/ssh_known_hosts + shell: |- + cat '{{ ssh_known_hosts_tmp.path }}' > /etc/ssh/ssh_known_hosts + + - name: Remove temp file + file: + path: "{{ ssh_known_hosts_tmp.path }}" + state: absent + tags: + - tripleo_ssh_known_hosts diff --git a/zuul.d/molecule.yaml b/zuul.d/molecule.yaml index b91960b73..f7140299c 100644 --- a/zuul.d/molecule.yaml +++ b/zuul.d/molecule.yaml @@ -11,6 +11,7 @@ - tripleo-ansible-centos-7-role-addition - tripleo-ansible-centos-7-molecule-tripleo-create-admin - tripleo-ansible-centos-7-molecule-tripleo-module-load + - tripleo-ansible-centos-7-molecule-tripleo-ssh-known-hosts gate: jobs: - tripleo-ansible-centos-7-molecule-aide @@ -22,6 +23,7 @@ - tripleo-ansible-centos-7-role-addition - tripleo-ansible-centos-7-molecule-tripleo-create-admin - tripleo-ansible-centos-7-molecule-tripleo-module-load + - tripleo-ansible-centos-7-molecule-tripleo-ssh-known-hosts name: tripleo-ansible-molecule-jobs - job: files: @@ -90,3 +92,10 @@ parent: tripleo-ansible-centos vars: tox_envlist: mol-tripleo-module-load +- job: + files: + - ^tripleo_ansible/roles/tripleo-ssh-known-hosts/.* + name: tripleo-ansible-centos-7-molecule-tripleo-ssh-known-hosts + parent: tripleo-ansible-centos + vars: + tox_envlist: mol-tripleo-ssh-known-hosts
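Review bot: `Remove temp file` is the last task inside `block:`, so if `lineinfile` or the in-place shell copy fails (a host in `groups['overcloud']` with no entry in `tripleo_ssh_known_hosts` is enough to raise an undefined-key error) the root-owned temporary copy of /etc/ssh/ssh_known_hosts is left behind at the tempfile path; moving that task into an `always:` section of the same block guarantees cleanup on every exit. `check_mode: false` on the block means a `--check` run still rewrites /etc/ssh/ssh_known_hosts, which deserves a one-line comment stating that this is intentional if it is. The shell step reports changed on every run, so a `changed_when` comparing the slurped content with the new file would keep the role idempotent. `play_hosts` in the `with_items` expression is documented as deprecated in favour of `ansible_play_batch`, so the filter could use that name instead.
```yaml
- name: Add host keys in /etc/ssh/ssh_known_hosts for live/cold-migration
  become: true
  check_mode: false
  block:
    # … unchanged: tempfile, stat, slurp, copy, lineinfile and in-place update tasks …
  always:
    - name: Remove temp file
      file:
        path: "{{ ssh_known_hosts_tmp.path }}"
        state: absent
      when: ssh_known_hosts_tmp.path is defined
  tags:
    - tripleo_ssh_known_hosts
```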