Merge "Decouple ssh for nova migration from the host sshd"

2022-05-20 21:36:00 +00:00 · 2022-05-20 21:36:00 +00:00 · 54aa3ed964
commit 54aa3ed964
parent 285967fc24 ab2761541e
2 changed files with 41 additions and 124 deletions
--- a/deployment/nova/nova-migration-target-container-puppet.yaml
+++ b/deployment/nova/nova-migration-target-container-puppet.yaml
@ -60,14 +60,6 @@ resources:
  ContainersCommon:
    type: ../containers-common.yaml

-  SshdBase:
-    type: ../../deployment/sshd/sshd-baremetal-puppet.yaml
-    properties:
-      EndpointMap: {get_param: EndpointMap}
-      ServiceNetMap: {get_param: ServiceNetMap}
-      RoleName: {get_param: RoleName}
-      RoleParameters: {get_param: RoleParameters}
-
  RoleParametersValue:
    type: OS::Heat::Value
    properties:
@ -116,33 +108,52 @@ outputs:
                    proto: 'tcp'
                    dport: {get_param: MigrationSshPort}
      config_settings:
-        map_merge:
-          - get_attr: [SshdBase, role_data, config_settings]
-          - tripleo::profile::base::nova::migration::target::ssh_authorized_keys:
-              - {get_param: [ MigrationSshKey, public_key ]}
-            tripleo::profile::base::nova::migration::target::ssh_localaddrs:
-              - "%{lookup('cold_migration_ssh_inbound_addr')}"
-              - "%{lookup('live_migration_ssh_inbound_addr')}"
-            live_migration_ssh_inbound_addr:
-              str_replace:
-                template:
-                  "%{lookup('$NETWORK')}"
-                params:
-                  $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
-            cold_migration_ssh_inbound_addr:
-              str_replace:
-                template:
-                  "%{lookup('$NETWORK')}"
-                params:
-                  $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
-            tripleo::profile::base::sshd::port:
-              - 22
+        tripleo::profile::base::nova::migration::target::ssh_authorized_keys:
+          - {get_param: [ MigrationSshKey, public_key ]}
+        tripleo::profile::base::nova::migration::target::ssh_localaddrs:
+          - "%{lookup('cold_migration_ssh_inbound_addr')}"
+          - "%{lookup('live_migration_ssh_inbound_addr')}"
+        live_migration_ssh_inbound_addr:
+          str_replace:
+            template:
+              "%{lookup('$NETWORK')}"
+            params:
+              $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+        cold_migration_ssh_inbound_addr:
+          str_replace:
+            template:
+              "%{lookup('$NETWORK')}"
+            params:
+              $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
+        tripleo::profile::base::sshd::port:
+          - 22
+        tripleo::profile::base::sshd::password_authentication: 'no'
+        tripleo::profile::base::sshd::options:
+          # NOTE(tkajinam): Thse values inherits the default sshd options
+          HostKey:
+            - '/etc/ssh/ssh_host_rsa_key'
+            - '/etc/ssh/ssh_host_ecdsa_key'
+            - '/etc/ssh/ssh_host_ed25519_key'
+          SyslogFacility: 'AUTHPRIV'
+          AuthorizedKeysFile: '.ssh/authorized_keys'
+          ChallengeResponseAuthentication: 'no'
+          GSSAPIAuthentication: 'no'
+          GSSAPICleanupCredentials: 'no'
+          UsePAM: 'yes'
+          UseDNS: 'no'
+          X11Forwarding: 'yes'
+          AcceptEnv:
+            - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
+            - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
+            - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
+            - 'XMODIFIERS'
+          Subsystem: 'sftp  /usr/libexec/openssh/sftp-server'
      puppet_config:
        config_volume: nova_libvirt
        step_config:
          list_join:
            - "\n"
-            - - get_attr: [SshdBase, role_data, step_config]
+            - - include tripleo::profile::base::sshd
              - include tripleo::profile::base::nova::migration::target
        config_image: {get_attr: [RoleParametersValue, value, ContainerNovaLibvirtConfigImage]}
      kolla_config:
--- a/deployment/sshd/sshd-baremetal-puppet.yaml
+++ b/deployment/sshd/sshd-baremetal-puppet.yaml
@ -1,94 +0,0 @@
-heat_template_version: wallaby
-
-description: >
-  Configure sshd_config
-
-parameters:
-  ServiceData:
-    default: {}
-    description: Dictionary packing service data
-    type: json
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry. Use
-                 parameter_merge_strategies to merge it with the defaults.
-    type: json
-  RoleName:
-    default: ''
-    description: Role name on which the service is applied
-    type: string
-  RoleParameters:
-    default: {}
-    description: Parameters specific to the role
-    type: json
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-  BannerText:
-    default: ''
-    description: Configures Banner text in sshd_config
-    type: string
-  MessageOfTheDay:
-    default: ''
-    description: Configures /etc/motd text
-    type: string
-  SshServerOptions:
-    default:
-      HostKey:
-        - '/etc/ssh/ssh_host_rsa_key'
-        - '/etc/ssh/ssh_host_ecdsa_key'
-        - '/etc/ssh/ssh_host_ed25519_key'
-      SyslogFacility: 'AUTHPRIV'
-      AuthorizedKeysFile: '.ssh/authorized_keys'
-      ChallengeResponseAuthentication: 'no'
-      GSSAPIAuthentication: 'no'
-      GSSAPICleanupCredentials: 'no'
-      UsePAM: 'yes'
-      UseDNS: 'no'
-      X11Forwarding: 'yes'
-      AcceptEnv:
-        - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
-        - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
-        - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
-        - 'XMODIFIERS'
-      Subsystem: 'sftp  /usr/libexec/openssh/sftp-server'
-    description: Mapping of sshd_config values
-    type: json
-  SshServerOptionsOverrides:
-    default: {}
-    description: Mapping of sshd_config values to override definitions in
-                 SshServerOptions
-    type: json
-  PasswordAuthentication:
-    default: 'no'
-    description: Whether or not disable password authentication
-    type: string
-  SshFirewallAllowAll:
-    default: false
-    description: Set this to true to open up ssh access from all sources.
-    type: boolean
-
-outputs:
-  role_data:
-    description: Role data for the ssh
-    value:
-      service_name: sshd
-      firewall_rules:
-        '003 accept ssh from all':
-          proto: 'tcp'
-          dport: 22
-          extras:
-            ensure: {if: [{get_param: SshFirewallAllowAll}, 'present', 'absent']}
-      config_settings:
-        tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
-        tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
-        tripleo::profile::base::sshd::options:
-          map_merge:
-            - {get_param: SshServerOptions}
-            - {get_param: SshServerOptionsOverrides}
-        tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
-      step_config: |
-        include tripleo::profile::base::sshd