
SSHD Service extensions

This change implements a MOTD message and provides a hash of
sshd_config options which is passed through to the puppet-ssh
module.

The SSHD puppet service is enabled by default, as it is
required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293.
Also added the service to the CI roles.

Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e
Depends-On: I1d09530d69e42c0c36311789166554a889e46556
Closes-Bug: #1668543
Co-Authored-By: Oliver Walsh <owalsh@redhat.com>
Luke Hinds 4 years ago
committed by Oliver Walsh
parent
commit
5e14f95a4a
11 changed files with 46 additions and 4 deletions
  1. +2
    -0
      ci/environments/multinode-3nodes.yaml
  2. +1
    -0
      ci/environments/multinode-container-upgrade.yaml
  3. +1
    -0
      ci/environments/multinode.yaml
  4. +1
    -0
      ci/environments/multinode_major_upgrade.yaml
  5. +1
    -0
      ci/environments/scenario002-multinode.yaml
  6. +1
    -0
      ci/environments/scenario003-multinode.yaml
  7. +1
    -0
      ci/environments/scenario004-multinode.yaml
  8. +3
    -3
      environments/sshd-banner.yaml
  9. +1
    -1
      overcloud-resource-registry-puppet.j2.yaml
  10. +29
    -0
      puppet/services/sshd.yaml
  11. +5
    -0
      releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml

+ 2
- 0
ci/environments/multinode-3nodes.yaml View File

@ -56,6 +56,7 @@
- OS::TripleO::Services::NovaCompute
- OS::TripleO::Services::NovaLibvirt
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Sshd
- name: Controller
CountDefault: 1
@ -77,3 +78,4 @@
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::Sshd

+ 1
- 0
ci/environments/multinode-container-upgrade.yaml View File

@ -48,6 +48,7 @@ parameter_defaults:
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::NovaCompute
- OS::TripleO::Services::NovaLibvirt
- OS::TripleO::Services::Sshd
ControllerExtraConfig:
nova::compute::libvirt::services::libvirt_virt_type: qemu
nova::compute::libvirt::libvirt_virt_type: qemu


+ 1
- 0
ci/environments/multinode.yaml View File

@ -52,6 +52,7 @@ parameter_defaults:
- OS::TripleO::Services::Timezone
- OS::TripleO::Services::NovaCompute
- OS::TripleO::Services::NovaLibvirt
- OS::TripleO::Services::Sshd
ControllerExtraConfig:
nova::compute::libvirt::services::libvirt_virt_type: qemu
nova::compute::libvirt::libvirt_virt_type: qemu


+ 1
- 0
ci/environments/multinode_major_upgrade.yaml View File

@ -56,6 +56,7 @@ parameter_defaults:
- OS::TripleO::Services::NovaLibvirt
- OS::TripleO::Services::Pacemaker
- OS::TripleO::Services::Horizon
- OS::TripleO::Services::Sshd
ControllerExtraConfig:
nova::compute::libvirt::services::libvirt_virt_type: qemu
nova::compute::libvirt::libvirt_virt_type: qemu


+ 1
- 0
ci/environments/scenario002-multinode.yaml View File

@ -61,6 +61,7 @@ parameter_defaults:
- OS::TripleO::Services::Ec2Api
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::Sshd
ControllerExtraConfig:
nova::compute::libvirt::services::libvirt_virt_type: qemu
nova::compute::libvirt::libvirt_virt_type: qemu


+ 1
- 0
ci/environments/scenario003-multinode.yaml View File

@ -55,6 +55,7 @@ parameter_defaults:
- OS::TripleO::Services::MistralExecutor
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::Sshd
ControllerExtraConfig:
nova::compute::libvirt::services::libvirt_virt_type: qemu
nova::compute::libvirt::libvirt_virt_type: qemu


+ 1
- 0
ci/environments/scenario004-multinode.yaml View File

@ -69,6 +69,7 @@ parameter_defaults:
- OS::TripleO::Services::NovaLibvirt
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::Sshd
ControllerExtraConfig:
nova::compute::libvirt::services::libvirt_virt_type: qemu
nova::compute::libvirt::libvirt_virt_type: qemu


+ 3
- 3
environments/sshd-banner.yaml View File

@ -1,6 +1,3 @@
resource_registry:
OS::TripleO::Services::Sshd: ../puppet/services/sshd.yaml
parameter_defaults:
BannerText: |
******************************************************************
@ -11,3 +8,6 @@ parameter_defaults:
* evidence of criminal activity, system personnel may provide *
* the evidence from such monitoring to law enforcement officials.*
******************************************************************
MessageOfTheDay: |
ALERT! You are entering into a secured area!
This service is restricted to authorized users only.

+ 1
- 1
overcloud-resource-registry-puppet.j2.yaml View File

@ -176,8 +176,8 @@ resource_registry:
OS::TripleO::Services::Memcached: puppet/services/memcached.yaml
OS::TripleO::Services::SaharaApi: OS::Heat::None
OS::TripleO::Services::SaharaEngine: OS::Heat::None
OS::TripleO::Services::Sshd: OS::Heat::None
OS::TripleO::Services::Securetty: OS::Heat::None
OS::TripleO::Services::Sshd: puppet/services/sshd.yaml
OS::TripleO::Services::Redis: puppet/services/database/redis.yaml
OS::TripleO::Services::NovaConductor: puppet/services/nova-conductor.yaml
OS::TripleO::Services::MongoDb: puppet/services/database/mongodb.yaml
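Review bot: With `OS::TripleO::Services::Sshd` now resolving to `puppet/services/sshd.yaml` by default, every role that lists the service will have its sshd_config rendered from the `SshServerOptions` default on each stack create or update, which will revert any hardening an operator applied to that file out-of-band. The release note only says the service is enabled; a sentence stating that Heat parameters are now the sole source of sshd_config, and that deployers can opt out by mapping the service back to `OS::Heat::None` in an environment file, would avoid surprises on upgrade. Which roles actually include the service is defined in roles_data outside this change, so the affected node set cannot be confirmed from this hunk.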


+ 29
- 0
puppet/services/sshd.yaml View File

@ -22,6 +22,33 @@ parameters:
default: ''
description: Configures Banner text in sshd_config
type: string
MessageOfTheDay:
default: ''
description: Configures /etc/motd text
type: string
SshServerOptions:
default:
HostKey:
- '/etc/ssh/ssh_host_rsa_key'
- '/etc/ssh/ssh_host_ecdsa_key'
- '/etc/ssh/ssh_host_ed25519_key'
SyslogFacility: 'AUTHPRIV'
AuthorizedKeysFile: '.ssh/authorized_keys'
PasswordAuthentication: 'no'
ChallengeResponseAuthentication: 'no'
GSSAPIAuthentication: 'yes'
GSSAPICleanupCredentials: 'no'
UsePAM: 'yes'
X11Forwarding: 'yes'
UsePrivilegeSeparation: 'sandbox'
AcceptEnv:
- 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
- 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
- 'LC_IDENTIFICATION LC_ALL LANGUAGE'
- 'XMODIFIERS'
Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
description: Mapping of sshd_config values
type: json
outputs:
role_data:
@ -30,5 +57,7 @@ outputs:
service_name: sshd
config_settings:
tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
step_config: |
include ::tripleo::profile::base::sshd
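Review bot: The default `SshServerOptions` map sets `X11Forwarding: 'yes'` and leaves `PermitRootLogin` unset, so every node that picks up this service exposes X11 forwarding and inherits whatever root-login default the installed OpenSSH build ships; for control-plane hosts I would ship `X11Forwarding: 'no'` and an explicit `PermitRootLogin` value (`'no'`, or `'without-password'` if key-based root access is still relied on by the deployer tooling), both of which remain overridable through the same parameter. Because the parameter is `type: json`, a `parameter_defaults` override replaces the whole map rather than merging into it, so a deployer who only wants to change `Subsystem` silently drops `PasswordAuthentication: 'no'` and the rest of the hardened defaults; the description should say so, e.g. `description: Mapping of sshd_config values. An override replaces the entire default map, so copy and edit the full mapping rather than supplying a partial one.` `UsePrivilegeSeparation` has been deprecated in newer OpenSSH releases, so that key may need to be dropped once the target platform's sshd moves past the version this was tested against — worth confirming against the supported distro. The `parameters` section of this template starts above the hunk, so any other sshd-related defaults there are not visible here.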

+ 5
- 0
releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml View File

@ -0,0 +1,5 @@
---
features:
- |
Added ability to manage MOTD Banner
Enabled SSHD composible service by default. Puppet-ssh manages the sshd config.
