From ab2761541e6d453e7596a86d7a40a56255136940 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Fri, 22 Apr 2022 13:20:15 +0900 Subject: [PATCH] Decouple ssh for nova migration from the host sshd Currently we have two sshd instances running in overcloud deployment. (1) sshd running at host, so that users can login to each baremetal host (2) sshd running inside the nova_migration_target container. This allows nova to use ssh to transfer data during migration. (1) is now managed by triplble while (2) is managed by puppet. However (2) is referring the parameters for (1) and any customization for host sshd by tht parameters affects (2). This change removes the reference from (2) to (1) so that we can use robust sshd configuration for nova migration target, which is designed according to actual requirements by nova. Change-Id: I3d4d9726e8ee6aca4a4fa5a01476bce556004979 --- ...ova-migration-target-container-puppet.yaml | 71 ++++++++------ deployment/sshd/sshd-baremetal-puppet.yaml | 94 ------------------- 2 files changed, 41 insertions(+), 124 deletions(-) delete mode 100644 deployment/sshd/sshd-baremetal-puppet.yaml diff --git a/deployment/nova/nova-migration-target-container-puppet.yaml b/deployment/nova/nova-migration-target-container-puppet.yaml index 294365f9bb..308ac166bd 100644 --- a/deployment/nova/nova-migration-target-container-puppet.yaml +++ b/deployment/nova/nova-migration-target-container-puppet.yaml @@ -60,14 +60,6 @@ resources: ContainersCommon: type: ../containers-common.yaml - SshdBase: - type: ../../deployment/sshd/sshd-baremetal-puppet.yaml - properties: - EndpointMap: {get_param: EndpointMap} - ServiceNetMap: {get_param: ServiceNetMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - RoleParametersValue: type: OS::Heat::Value properties: 
@@ -116,33 +108,52 @@ outputs: proto: 'tcp' dport: {get_param: MigrationSshPort} config_settings: - map_merge: - - get_attr: [SshdBase, role_data, config_settings] - - tripleo::profile::base::nova::migration::target::ssh_authorized_keys: - - {get_param: [ MigrationSshKey, public_key ]} - tripleo::profile::base::nova::migration::target::ssh_localaddrs: - - "%{lookup('cold_migration_ssh_inbound_addr')}" - - "%{lookup('live_migration_ssh_inbound_addr')}" - live_migration_ssh_inbound_addr: - str_replace: - template: - "%{lookup('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - cold_migration_ssh_inbound_addr: - str_replace: - template: - "%{lookup('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} - tripleo::profile::base::sshd::port: - - 22 + tripleo::profile::base::nova::migration::target::ssh_authorized_keys: + - {get_param: [ MigrationSshKey, public_key ]} + tripleo::profile::base::nova::migration::target::ssh_localaddrs: + - "%{lookup('cold_migration_ssh_inbound_addr')}" + - "%{lookup('live_migration_ssh_inbound_addr')}" + live_migration_ssh_inbound_addr: + str_replace: + template: + "%{lookup('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + cold_migration_ssh_inbound_addr: + str_replace: + template: + "%{lookup('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + tripleo::profile::base::sshd::port: + - 22 + tripleo::profile::base::sshd::password_authentication: 'no' + tripleo::profile::base::sshd::options: + # NOTE(tkajinam): Thse values inherits the default sshd options + HostKey: + - '/etc/ssh/ssh_host_rsa_key' + - '/etc/ssh/ssh_host_ecdsa_key' + - '/etc/ssh/ssh_host_ed25519_key' + SyslogFacility: 'AUTHPRIV' + AuthorizedKeysFile: '.ssh/authorized_keys' + ChallengeResponseAuthentication: 'no' + GSSAPIAuthentication: 'no' + GSSAPICleanupCredentials: 'no' + UsePAM: 'yes' + UseDNS: 'no' + X11Forwarding: 'yes' + AcceptEnv: + - 'LANG 
LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES' + - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT' + - 'LC_IDENTIFICATION LC_ALL LANGUAGE' + - 'XMODIFIERS' + Subsystem: 'sftp /usr/libexec/openssh/sftp-server' puppet_config: config_volume: nova_libvirt step_config: list_join: - "\n" - - - get_attr: [SshdBase, role_data, step_config] + - - include tripleo::profile::base::sshd - include tripleo::profile::base::nova::migration::target config_image: {get_attr: [RoleParametersValue, value, ContainerNovaLibvirtConfigImage]} kolla_config: diff --git a/deployment/sshd/sshd-baremetal-puppet.yaml b/deployment/sshd/sshd-baremetal-puppet.yaml deleted file mode 100644 index bda7df3bb7..0000000000 --- a/deployment/sshd/sshd-baremetal-puppet.yaml +++ /dev/null 
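Review bot: The `tripleo::profile::base::sshd::options` mapping added to config_settings is a verbatim copy of the `SshServerOptions` default removed from sshd-baremetal-puppet.yaml in the next hunk, so the migration-target sshd keeps interactive-host settings such as `X11Forwarding: 'yes'`, the sftp `Subsystem` and the locale `AcceptEnv` list, although the commit message says the goal is a configuration designed around what nova actually needs. As far as this hunk shows, the container only has to accept key-based connections (`ssh_authorized_keys` from MigrationSshKey, password authentication forced to `'no'`) on the two migration addresses, so I would set `X11Forwarding: 'no'` now and leave a TODO for the remaining options rather than carry the host defaults over unchanged. The NOTE above the mapping also has typos; I would reword it as `# NOTE(tkajinam): These values are copied from the host sshd defaults; revisit which are actually required by nova migration.` The enclosing outputs/role_data block starts before this hunk.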
@@ -1,94 +0,0 @@ -heat_template_version: wallaby - -description: > - Configure sshd_config - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. Use - parameter_merge_strategies to merge it with the defaults. - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - BannerText: - default: '' - description: Configures Banner text in sshd_config - type: string - MessageOfTheDay: - default: '' - description: Configures /etc/motd text - type: string - SshServerOptions: - default: - HostKey: - - '/etc/ssh/ssh_host_rsa_key' - - '/etc/ssh/ssh_host_ecdsa_key' - - '/etc/ssh/ssh_host_ed25519_key' - SyslogFacility: 'AUTHPRIV' - AuthorizedKeysFile: '.ssh/authorized_keys' - ChallengeResponseAuthentication: 'no' - GSSAPIAuthentication: 'no' - GSSAPICleanupCredentials: 'no' - UsePAM: 'yes' - UseDNS: 'no' - X11Forwarding: 'yes' - AcceptEnv: - - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES' - - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT' - - 'LC_IDENTIFICATION LC_ALL LANGUAGE' - - 'XMODIFIERS' - Subsystem: 'sftp /usr/libexec/openssh/sftp-server' - description: Mapping of sshd_config values - type: json - SshServerOptionsOverrides: - default: {} - description: Mapping of sshd_config values to override definitions in - SshServerOptions - type: json - PasswordAuthentication: - default: 'no' - description: Whether or not disable password authentication - type: string - SshFirewallAllowAll: - default: false - description: Set this to true to open 
up ssh access from all sources. - type: boolean - -outputs: - role_data: - description: Role data for the ssh - value: - service_name: sshd - firewall_rules: - '003 accept ssh from all': - proto: 'tcp' - dport: 22 - extras: - ensure: {if: [{get_param: SshFirewallAllowAll}, 'present', 'absent']} - config_settings: - tripleo::profile::base::sshd::bannertext: {get_param: BannerText} - tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay} - tripleo::profile::base::sshd::options: - map_merge: - - {get_param: SshServerOptions} - - {get_param: SshServerOptionsOverrides} - tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication} - step_config: | - include tripleo::profile::base::sshd