From 8a69b692c4bdf3b5b7b32907ea8f117c194058b3 Mon Sep 17 00:00:00 2001
From: Carlos Goncalves
Date: Wed, 9 May 2018 14:06:22 +0200
Subject: [PATCH] Check pub key file perms and default to pub key data

The previously default /home/stack/.ssh/id_rsa.pub file may not exist or be readable; exit with explicit error message. Users can still specify a file path but will need to ensure it is readable. Should a file path not be specified, default to amp_ssh_key_data. The value is passed by THT with the public key of the 'default' keypair from the undercloud which anyway is the public key of the 'stack' user. This patch also fixes a syntax error in octavia-undercloud role.

Closes-Bug: #1770153
Closes-Bug: #1770641
Depends-On: https://review.openstack.org/568022
Change-Id: I0026343d90b84572c3002fa21001cfb09c742391
---
 playbooks/octavia-files.yaml | 1 +
 playbooks/roles/common/defaults/main.yml | 2 +-
 .../roles/octavia-undercloud/tasks/main.yml | 39 +++++++++++++++----
 .../fix-octavia-pub-key-d195fbf1976a8d36.yaml | 3 ++
 ...avia-undercloud-role-c02b0c5b0f1ece34.yaml | 3 ++
 workbooks/octavia_post.yaml | 2 +
 6 files changed, 41 insertions(+), 9 deletions(-)
 create mode 100644 releasenotes/notes/fix-octavia-pub-key-d195fbf1976a8d36.yaml
 create mode 100644 releasenotes/notes/fix-syntax-error-in-octavia-undercloud-role-c02b0c5b0f1ece34.yaml

diff --git a/playbooks/octavia-files.yaml b/playbooks/octavia-files.yaml
index 2c17f5837..a1112858d 100644
--- a/playbooks/octavia-files.yaml
+++ b/playbooks/octavia-files.yaml
@@ -5,6 +5,7 @@
 vars:
 amp_ssh_key_name: "{{ amp_ssh_key_name }}"
 amp_ssh_key_path: "{{ amp_ssh_key_path }}"
+ amp_ssh_key_data: "{{ amp_ssh_key_data }}"
 auth_username: "{{ auth_username }}"
 auth_pasword: "{{ auth_password }}"
 auth_project_name: "{{ auth_project_name }}"
diff --git a/playbooks/roles/common/defaults/main.yml b/playbooks/roles/common/defaults/main.yml
index bf497dec0..4167d8fed 100644
--- a/playbooks/roles/common/defaults/main.yml
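Review bot: The new `amp_ssh_key_data` passthrough is added two lines above `auth_pasword: "{{ auth_password }}"`, a misspelled key that this hunk keeps as context; the octavia-undercloud role reads `auth_password` (its `OS_PASSWORD: "{{ auth_password }}"` line), so the misspelled entry is presumably dead and the role only works because the variable reaches it by another route. Since this block is being touched anyway, correcting it to `auth_password: "{{ auth_password }}"` would make the vars list match what the role actually consumes. `amp_ssh_key_data` itself carries only public-key material, so passing it through play vars is fine.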
+++ b/playbooks/roles/common/defaults/main.yml
@@ -3,7 +3,7 @@ amp_image_name: ""
 amp_image_filename: ""
 amp_image_tag: "amphora-image"
 amp_ssh_key_name: "octavia-ssh-key"
-amp_ssh_key_path: "/home/stack/.ssh/id_rsa.pub"
+amp_ssh_key_path: ""
 auth_username: "octavia"
 auth_project_name: "service"
 lb_mgmt_net_name: "lb-mgmt-net"
diff --git a/playbooks/roles/octavia-undercloud/tasks/main.yml b/playbooks/roles/octavia-undercloud/tasks/main.yml
index 6b7d352a7..9c6d87bc9 100644
--- a/playbooks/roles/octavia-undercloud/tasks/main.yml
+++ b/playbooks/roles/octavia-undercloud/tasks/main.yml
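Review bot: `amp_ssh_key_path` now defaults to `""`, but `amp_ssh_key_data`, which the octavia-undercloud fallback branch consumes via `copy: content="{{ amp_ssh_key_data }}"`, gets no default in this file. If a caller supplies neither value, the play presumably stops on an undefined-variable error inside the copy task instead of the explicit message the commit aims for. Adding `amp_ssh_key_data: ""` here, and a `fail:` task in the role that fires when both variables are empty, would keep the failure mode explicit for the "no key at all" case too.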
@@ -24,16 +24,39 @@ - include_tasks: image_mgmt.yml when: image_file_result.stat.exists - - name: check if pub key file exists - stat: path="{{ amp_ssh_key_path }}" - register: ssh_pub_key_file_result + - name: use ssh pub key file if provided and is readable + block: + - name: check if pub key file exists + stat: path="{{ amp_ssh_key_path }}" + register: key_file_result + ignore_errors: true + + - name: fail if ssh pub key file does not exist or is not readable + fail: msg="{{ amp_ssh_key_path }} does not exist or is not readable by user {{ ansible_user }}" + when: key_file_result|failed or key_file_result.stat.exists == False or key_file_result.stat.readable == False + + - set_fact: + amp_ssh_key_path_final: "{{ amp_ssh_key_path }}" + when: amp_ssh_key_path is defined and amp_ssh_key_path != "" + + - name: defaulting to public key from undercloud default keypair + block: + - name: create temp pub key file + tempfile: state=file + register: ssh_key_tmp_file + + - name: copy ssh public key content to temp file + copy: content="{{ amp_ssh_key_data }}" dest="{{ ssh_key_tmp_file.path }}" + + - set_fact: + amp_ssh_key_path_final: "{{ ssh_key_tmp_file.path }}" + when: amp_ssh_key_path is not defined or amp_ssh_key_path == "" - name: upload pub key to overcloud shell: | openstack keypair show {{ amp_ssh_key_name }} || \ - openstack keypair create --public-key {{ amp_ssh_key_path }} {{ amp_ssh_key_name }} + openstack keypair create --public-key {{ amp_ssh_key_path_final }} {{ amp_ssh_key_name }} environment: - OS_USERNAME: {{ auth_username }} - OS_PASSWORD: {{ auth_password }} - OS_PROJECT_NAME: {{ auth_project_name }} - when: ssh_pub_key_file_result.stat.exists == True + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" diff --git a/releasenotes/notes/fix-octavia-pub-key-d195fbf1976a8d36.yaml b/releasenotes/notes/fix-octavia-pub-key-d195fbf1976a8d36.yaml new file mode 100644 index 000000000..8c891cd8c 
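Review bot: The "upload pub key to overcloud" `shell:` task interpolates the now user-supplied `amp_ssh_key_path_final` and `amp_ssh_key_name` unquoted into the command line, so a path or name containing whitespace or shell metacharacters breaks the command or alters it; wrap both with Ansible's `quote` filter, e.g. `openstack keypair create --public-key {{ amp_ssh_key_path_final | quote }} {{ amp_ssh_key_name | quote }}`, and likewise on the `keypair show` line. The file created by `tempfile: state=file` in the fallback block is never removed, so a public-key file is left under the temp directory on every run; a `file: path="{{ ssh_key_tmp_file.path }}" state=absent` task after the upload would clean it up. `key_file_result|failed` uses the filter form of the test, which later Ansible releases deprecate in favour of `key_file_result is failed`; `ansible_user` in the fail message may also be undefined when no explicit remote user is configured. The task list this hunk belongs to starts before the hunk.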
--- /dev/null
+++ b/releasenotes/notes/fix-octavia-pub-key-d195fbf1976a8d36.yaml
@@ -0,0 +1,3 @@
+---
+fixes:
+ - Check pub key file permissions and default to pub key data for Octavia.
diff --git a/releasenotes/notes/fix-syntax-error-in-octavia-undercloud-role-c02b0c5b0f1ece34.yaml b/releasenotes/notes/fix-syntax-error-in-octavia-undercloud-role-c02b0c5b0f1ece34.yaml
new file mode 100644
index 000000000..b3a3bb799
--- /dev/null
+++ b/releasenotes/notes/fix-syntax-error-in-octavia-undercloud-role-c02b0c5b0f1ece34.yaml
@@ -0,0 +1,3 @@
+---
+fixes:
+ - Fix syntax error in octavia-undercloud role.
diff --git a/workbooks/octavia_post.yaml b/workbooks/octavia_post.yaml
index f5c7e8374..f0f141dee 100644
--- a/workbooks/octavia_post.yaml
+++ b/workbooks/octavia_post.yaml
@@ -13,6 +13,7 @@ workflows:
 - amp_image_tag
 - amp_ssh_key_name
 - amp_ssh_key_path
+ - amp_ssh_key_data
 - auth_username
 - auth_password
 - auth_project_name
@@ -101,6 +102,7 @@ workflows:
 amp_image_tag: <% $.amp_image_tag %>
 amp_ssh_key_name: <% $.amp_ssh_key_name %>
 amp_ssh_key_path: <% $.amp_ssh_key_path %>
+ amp_ssh_key_data: <% $.amp_ssh_key_data %>
 auth_username: <% $.auth_username %>
 auth_password: <% $.auth_password %>
 auth_project_name: <% $.auth_project_name %>
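Review bot: `amp_ssh_key_data` is added to the workflow input list in the first octavia_post.yaml hunk without a default, which presumably makes it a required input like its neighbours, so any caller not updated together with the THT change named in Depends-On will fail input validation before the playbook runs. If the variable is meant to be optional (the role treats an empty `amp_ssh_key_path` as "not given", so the same could apply here), declare it as `- amp_ssh_key_data: ""` in the input list; the second hunk, which forwards it as `amp_ssh_key_data: <% $.amp_ssh_key_data %>`, needs no change either way.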