From 5e9a03d91c3874812123dd13e4c55d4ffdc4f5de Mon Sep 17 00:00:00 2001
From: Alex Schultz
Date: Fri, 24 Jul 2020 13:01:00 -0600
Subject: [PATCH] Switch host sshd configuration to ansible

This change updates the baremetal host sshd management to use ansible instead of puppet. It should still be noted that the nova-migration container still uses puppet to manage sshd.

Change-Id: Iedd149c123d807dee229160f8e9f1b17bf379368
Depends-On: https://review.opendev.org/#/c/742970/
(cherry picked from commit b5dad0cf1062f1016270ff343074a5ab9c5507be)
---
 deployment/sshd/sshd-baremetal-ansible.yaml | 105 ++++++++++++++++++++
 overcloud-resource-registry-puppet.j2.yaml | 2 +-
 sample-env-generator/standalone.yaml | 2 +-
 sample-env-generator/undercloud-minion.yaml | 2 +-
 4 files changed, 108 insertions(+), 3 deletions(-)
 create mode 100644 deployment/sshd/sshd-baremetal-ansible.yaml

diff --git a/deployment/sshd/sshd-baremetal-ansible.yaml b/deployment/sshd/sshd-baremetal-ansible.yaml
new file mode 100644
index 0000000000..dcaf51f99f
--- /dev/null
+++ b/deployment/sshd/sshd-baremetal-ansible.yaml
@@ -0,0 +1,105 @@
+heat_template_version: rocky
+
+description: >
+ Configure sshd_config
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ BannerText:
+ default: ''
+ description: Configures Banner text in sshd_config
+ type: string
+ MessageOfTheDay:
+ default: ''
+ description: Configures /etc/motd text
+ type: string
+ SshServerOptions:
+ default:
+ HostKey:
+ - '/etc/ssh/ssh_host_rsa_key'
+ - '/etc/ssh/ssh_host_ecdsa_key'
+ - '/etc/ssh/ssh_host_ed25519_key'
+ SyslogFacility: 'AUTHPRIV'
+ AuthorizedKeysFile: '.ssh/authorized_keys'
+ ChallengeResponseAuthentication: 'no'
+ GSSAPIAuthentication: 'yes'
+ GSSAPICleanupCredentials: 'no'
+ UsePAM: 'yes'
+ UseDNS: 'no'
+ X11Forwarding: 'yes'
+ AcceptEnv:
+ - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
+ - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
+ - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
+ - 'XMODIFIERS'
+ Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
+ description: Mapping of sshd_config values
+ type: json
+ PasswordAuthentication:
+ default: 'no'
+ description: Whether or not disable password authentication
+ type: string
+ SshFirewallAllowAll:
+ default: false
+ description: Set this to true to open up ssh access from all sources.
+ type: boolean
+
+conditions:
+ ssh_firewall_allow_all: {equals: [{get_param: SshFirewallAllowAll}, true]}
+ ssh_banner_text_empty: {equals: [{get_param: BannerText}, '']}
+ ssh_motd_text_empty: {equals: [{get_param: MessageOfTheDay}, '']}
+
+outputs:
+ role_data:
+ description: Role data for the ssh
+ value:
+ service_name: sshd
+ firewall_rules:
+ '003 accept ssh from all':
+ proto: 'tcp'
+ dport: 22
+ extras:
+ ensure: {if: [ssh_firewall_allow_all, 'present', 'absent']}
+ host_prep_config:
+ - include_role:
+ name: tripleo_ssh
+ vars:
+ tripleo_sshd_server_options: {get_param: SshServerOptions}
+ tripleo_sshd_password_authentication: {get_param: PasswordAuthentication}
+ tripleo_sshd_banner_enabled:
+ if:
+ - ssh_banner_text_empty
+ - true
+ - false
+ tripleo_sshd_banner_text: {get_param: BannerText}
+ tripleo_sshd_motd_enabled:
+ if:
+ - ssh_motd_text_empty
+ - true
+ - false
+ tripleo_sshd_message_of_the_day: {get_param: MessageOfTheDay}
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 88cb5d586b..10e09789fb 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -186,7 +186,7 @@ resource_registry:
 OS::TripleO::Services::Securetty: OS::Heat::None
 # TODO(aschultz): Remove this in U as we switched to a task in the deploy
 OS::TripleO::Services::SELinux: OS::Heat::None
- OS::TripleO::Services::Sshd: deployment/sshd/sshd-baremetal-puppet.yaml
+ OS::TripleO::Services::Sshd: deployment/sshd/sshd-baremetal-ansible.yaml
 OS::TripleO::Services::Redis: OS::Heat::None
 OS::TripleO::Services::NovaApi: deployment/nova/nova-api-container-puppet.yaml
 OS::TripleO::Services::NovaCompute: deployment/nova/nova-compute-container-puppet.yaml
diff --git a/sample-env-generator/standalone.yaml b/sample-env-generator/standalone.yaml
index 5259ab0cf6..60d5ed8db6 100644
--- a/sample-env-generator/standalone.yaml
+++ b/sample-env-generator/standalone.yaml
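Review bot: The banner and motd enable flags at the end of the new-file hunk are inverted: `ssh_banner_text_empty` is true exactly when `BannerText` equals `''`, yet `tripleo_sshd_banner_enabled` takes `true` in that branch and `false` when a banner was actually supplied, and `tripleo_sshd_motd_enabled` mirrors the same mistake with `ssh_motd_text_empty`. With the shipped defaults both flags therefore resolve to enabled with empty text, while a deployer who sets `BannerText` or `MessageOfTheDay` switches the feature off; swap the branch values in both `if` lists, `tripleo_sshd_banner_enabled: {if: [ssh_banner_text_empty, false, true]}` and `tripleo_sshd_motd_enabled: {if: [ssh_motd_text_empty, false, true]}`, or rename the conditions so their meaning matches their use (how the `tripleo_ssh` role reacts to an enabled flag with empty text is outside this change). Separately, the `PasswordAuthentication` description `Whether or not disable password authentication` reads as a negated boolean although the value is an sshd keyword string; `Value for the sshd_config PasswordAuthentication option ('yes' or 'no')` would be clearer. The `SshServerOptions` defaults carry `X11Forwarding: 'yes'` and `GSSAPIAuthentication: 'yes'`, which are looser than the usual hardening baseline for a host sshd; if they are kept for parity with the puppet template, a comment above the `default:` block saying so would stop the next reviewer from re-raising it.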
@@ -34,7 +34,7 @@ environments:
 deployment/tripleo-packages/tripleo-packages-baremetal-puppet.yaml:
 parameters:
 - EnablePackageInstall
- deployment/sshd/sshd-baremetal-puppet.yaml:
+ deployment/sshd/sshd-baremetal-ansible.yaml:
 parameters:
 - SshFirewallAllowAll
 # TODO(aschultz): hack to pull in this config transport, not sure it is
diff --git a/sample-env-generator/undercloud-minion.yaml b/sample-env-generator/undercloud-minion.yaml
index 6d0a53a65f..27b1052288 100644
--- a/sample-env-generator/undercloud-minion.yaml
+++ b/sample-env-generator/undercloud-minion.yaml
@@ -15,7 +15,7 @@ environments:
 deployment/tripleo-packages/tripleo-packages-baremetal-puppet.yaml:
 parameters:
 - EnablePackageInstall
- deployment/sshd/sshd-baremetal-puppet.yaml:
+ deployment/sshd/sshd-baremetal-ansible.yaml:
 parameters:
 - SshFirewallAllowAll
 # TODO(aschultz): hack to pull in this config transport, not sure it is