From bfd97da0bfa386642d47e8d317aad70c99594cd5 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Wed, 30 Sep 2020 10:00:54 +0900
Subject: [PATCH] Allow partial override about SshServerOptions

When operator needs to change any options described in sshd_config, he/she should use the parameter named SshServerOptions to define the updated configuration. However the problem here is that he/she should define the whole content instead of the actual lines to be overridden, otherwise some of the lines defined in its default can be missing from configuration. This makes it difficutlt to properly update the parameter during update or upgrade, since operators always need to check whetehr any change has been made about the default of SshServerOptions. This change introduces a new parameter, SshServerOptionsOverride, which can be used to override specific line in SshServerOptions. Note that SshServerOptions should still be used if any of the lines in SshServerOptions needs to be removed.
Change-Id: I8a018c8c7435a753c8ed5b5fa211d91d053f8d67
---
 deployment/sshd/sshd-baremetal-ansible.yaml | 10 +++++++++-
 deployment/sshd/sshd-baremetal-puppet.yaml | 10 +++++++++-
 .../ssh-server-options-overrides-f677913bfd65efe1.yaml | 6 ++++++
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/ssh-server-options-overrides-f677913bfd65efe1.yaml
diff --git a/deployment/sshd/sshd-baremetal-ansible.yaml b/deployment/sshd/sshd-baremetal-ansible.yaml
index dcaf51f99f..1a0859163a 100644
--- a/deployment/sshd/sshd-baremetal-ansible.yaml
+++ b/deployment/sshd/sshd-baremetal-ansible.yaml
@@ -60,6 +60,11 @@ parameters:
 Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
 description: Mapping of sshd_config values
 type: json
+ SshServerOptionsOverrides:
+ default: {}
+ description: Mapping of sshd_config values to override definitions in
+ SshServerOptions
+ type: json
 PasswordAuthentication:
 default: 'no'
 description: Whether or not disable password authentication
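Review bot: The description added for `SshServerOptionsOverrides` does not say how the merge behaves, and that matters because this mapping ends up in sshd_config. As I understand Heat's `map_merge`, it replaces whole top-level keys, so overriding a list-valued option would replace the entire list rather than extend it, and the commit message already notes that a key cannot be removed this way. I would extend the description to something like `Mapping of sshd_config values merged over SshServerOptions; each key replaces the whole value and keys cannot be removed`. The same parameter is added in the first hunk of sshd-baremetal-puppet.yaml, and the `parameters:` section starts and ends outside the hunk.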
@@ -89,7 +94,10 @@ outputs:
 - include_role:
 name: tripleo_ssh
 vars:
- tripleo_sshd_server_options: {get_param: SshServerOptions}
+ tripleo_sshd_server_options:
+ map_merge:
+ - {get_param: SshServerOptions}
+ - {get_param: SshServerOptionsOverrides}
 tripleo_sshd_password_authentication: {get_param: PasswordAuthentication}
 tripleo_sshd_banner_enabled:
 if:
diff --git a/deployment/sshd/sshd-baremetal-puppet.yaml b/deployment/sshd/sshd-baremetal-puppet.yaml
index d8412a4f5a..c712528194 100644
--- a/deployment/sshd/sshd-baremetal-puppet.yaml
+++ b/deployment/sshd/sshd-baremetal-puppet.yaml
@@ -60,6 +60,11 @@ parameters:
 Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
 description: Mapping of sshd_config values
 type: json
+ SshServerOptionsOverrides:
+ default: {}
+ description: Mapping of sshd_config values to override definitions in
+ SshServerOptions
+ type: json
 PasswordAuthentication:
 default: 'no'
 description: Whether or not disable password authentication
@@ -86,7 +91,10 @@ outputs:
 config_settings:
 tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
 tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
- tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
+ tripleo::profile::base::sshd::options:
+ map_merge:
+ - {get_param: SshServerOptions}
+ - {get_param: SshServerOptionsOverrides}
 tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
 step_config: |
 include tripleo::profile::base::sshd
diff --git a/releasenotes/notes/ssh-server-options-overrides-f677913bfd65efe1.yaml b/releasenotes/notes/ssh-server-options-overrides-f677913bfd65efe1.yaml
new file mode 100644
index 0000000000..f92f919a03
--- /dev/null
+++ b/releasenotes/notes/ssh-server-options-overrides-f677913bfd65efe1.yaml
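Review bot: A `PasswordAuthentication` key placed in `SshServerOptionsOverrides` would be merged into `tripleo_sshd_server_options` while the dedicated parameter still feeds `tripleo_sshd_password_authentication` on the next line, and nothing in this hunk shows which value ends up in sshd_config. That precedence is decided inside the tripleo_ssh role, outside this diff, so it should be confirmed and written down next to the merge, for example `# PasswordAuthentication is also set via tripleo_sshd_password_authentication; confirm which value the role applies`. The same question applies to `tripleo::profile::base::sshd::options` and `tripleo::profile::base::sshd::password_authentication` in the second hunk of sshd-baremetal-puppet.yaml. The `vars:` mapping continues outside the hunk.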
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ The new ``SshServerOptionsOverrides`` parameter has been added. This
+ parameter can be used to override a part of sshd_config, which is defined
+ by the ``SshServerOptions``.