diff --git a/deployment/nova/nova-migration-target-container-puppet.yaml b/deployment/nova/nova-migration-target-container-puppet.yaml index 294365f9bb..308ac166bd 100644 --- a/deployment/nova/nova-migration-target-container-puppet.yaml +++ b/deployment/nova/nova-migration-target-container-puppet.yaml @@ -60,14 +60,6 @@ resources: ContainersCommon: type: ../containers-common.yaml - SshdBase: - type: ../../deployment/sshd/sshd-baremetal-puppet.yaml - properties: - EndpointMap: {get_param: EndpointMap} - ServiceNetMap: {get_param: ServiceNetMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - RoleParametersValue: type: OS::Heat::Value properties: 
@@ -116,33 +108,52 @@ outputs: proto: 'tcp' dport: {get_param: MigrationSshPort} config_settings: - map_merge: - - get_attr: [SshdBase, role_data, config_settings] - - tripleo::profile::base::nova::migration::target::ssh_authorized_keys: - - {get_param: [ MigrationSshKey, public_key ]} - tripleo::profile::base::nova::migration::target::ssh_localaddrs: - - "%{lookup('cold_migration_ssh_inbound_addr')}" - - "%{lookup('live_migration_ssh_inbound_addr')}" - live_migration_ssh_inbound_addr: - str_replace: - template: - "%{lookup('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - cold_migration_ssh_inbound_addr: - str_replace: - template: - "%{lookup('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} - tripleo::profile::base::sshd::port: - - 22 + tripleo::profile::base::nova::migration::target::ssh_authorized_keys: + - {get_param: [ MigrationSshKey, public_key ]} + tripleo::profile::base::nova::migration::target::ssh_localaddrs: + - "%{lookup('cold_migration_ssh_inbound_addr')}" + - "%{lookup('live_migration_ssh_inbound_addr')}" + live_migration_ssh_inbound_addr: + str_replace: + template: + "%{lookup('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + cold_migration_ssh_inbound_addr: + str_replace: + template: + "%{lookup('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + tripleo::profile::base::sshd::port: + - 22 + tripleo::profile::base::sshd::password_authentication: 'no' + tripleo::profile::base::sshd::options: + # NOTE(tkajinam): Thse values inherits the default sshd options + HostKey: + - '/etc/ssh/ssh_host_rsa_key' + - '/etc/ssh/ssh_host_ecdsa_key' + - '/etc/ssh/ssh_host_ed25519_key' + SyslogFacility: 'AUTHPRIV' + AuthorizedKeysFile: '.ssh/authorized_keys' + ChallengeResponseAuthentication: 'no' + GSSAPIAuthentication: 'no' + GSSAPICleanupCredentials: 'no' + UsePAM: 'yes' + UseDNS: 'no' + X11Forwarding: 'yes' + AcceptEnv: + - 'LANG 
LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES' + - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT' + - 'LC_IDENTIFICATION LC_ALL LANGUAGE' + - 'XMODIFIERS' + Subsystem: 'sftp /usr/libexec/openssh/sftp-server' puppet_config: config_volume: nova_libvirt step_config: list_join: - "\n" - - - get_attr: [SshdBase, role_data, step_config] + - - include tripleo::profile::base::sshd - include tripleo::profile::base::nova::migration::target config_image: {get_attr: [RoleParametersValue, value, ContainerNovaLibvirtConfigImage]} kolla_config: diff --git a/deployment/sshd/sshd-baremetal-puppet.yaml b/deployment/sshd/sshd-baremetal-puppet.yaml deleted file mode 100644 index bda7df3bb7..0000000000 --- a/deployment/sshd/sshd-baremetal-puppet.yaml +++ /dev/null 
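Review bot: The inlined `tripleo::profile::base::sshd::options` map hard-codes `X11Forwarding: 'yes'`, the sftp `Subsystem` and the full `AcceptEnv` list for an sshd that, as far as this template shows, only serves the migration key from `MigrationSshKey`. These are the general-purpose defaults copied from the deleted template, and the migration target presumably needs none of them, so I would set `X11Forwarding: 'no'` unless something depends on it. Replacing `get_attr: [SshdBase, role_data, config_settings]` with literals also means `SshServerOptionsOverrides` and `PasswordAuthentication` from the deleted sshd-baremetal-puppet.yaml no longer feed this container's sshd configuration, so hardening an operator applied through those parameters would appear to stop applying here without any warning; that should be confirmed and stated in the change description. The NOTE comment should record this (and fix the typo), for example `# NOTE(tkajinam): These values are copied from the former SshServerOptions default; SshServerOptionsOverrides is no longer applied here`. The enclosing role_data output starts above this hunk and continues below it.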
@@ -1,94 +0,0 @@ -heat_template_version: wallaby - -description: > - Configure sshd_config - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. Use - parameter_merge_strategies to merge it with the defaults. - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - BannerText: - default: '' - description: Configures Banner text in sshd_config - type: string - MessageOfTheDay: - default: '' - description: Configures /etc/motd text - type: string - SshServerOptions: - default: - HostKey: - - '/etc/ssh/ssh_host_rsa_key' - - '/etc/ssh/ssh_host_ecdsa_key' - - '/etc/ssh/ssh_host_ed25519_key' - SyslogFacility: 'AUTHPRIV' - AuthorizedKeysFile: '.ssh/authorized_keys' - ChallengeResponseAuthentication: 'no' - GSSAPIAuthentication: 'no' - GSSAPICleanupCredentials: 'no' - UsePAM: 'yes' - UseDNS: 'no' - X11Forwarding: 'yes' - AcceptEnv: - - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES' - - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT' - - 'LC_IDENTIFICATION LC_ALL LANGUAGE' - - 'XMODIFIERS' - Subsystem: 'sftp /usr/libexec/openssh/sftp-server' - description: Mapping of sshd_config values - type: json - SshServerOptionsOverrides: - default: {} - description: Mapping of sshd_config values to override definitions in - SshServerOptions - type: json - PasswordAuthentication: - default: 'no' - description: Whether or not disable password authentication - type: string - SshFirewallAllowAll: - default: false - description: Set this to true to open 
up ssh access from all sources. - type: boolean - -outputs: - role_data: - description: Role data for the ssh - value: - service_name: sshd - firewall_rules: - '003 accept ssh from all': - proto: 'tcp' - dport: 22 - extras: - ensure: {if: [{get_param: SshFirewallAllowAll}, 'present', 'absent']} - config_settings: - tripleo::profile::base::sshd::bannertext: {get_param: BannerText} - tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay} - tripleo::profile::base::sshd::options: - map_merge: - - {get_param: SshServerOptions} - - {get_param: SshServerOptionsOverrides} - tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication} - step_config: | - include tripleo::profile::base::sshd