openstack/tripleo-heat-templates
Code Issues Proposed changes
Files
08641d846ab8d51261eab0bee62a45e7955dd3f6
tripleo-heat-templates/deployed-server/scripts/enable-ssh-admin.sh
James Slagle 08641d846a Use StrictHostKeyChecking=no in enable-ssh-admin.sh 
Use StrictHostKeyChecking=no to inject the temporary ssh key in
enable-ssh-admin.sh. The user provides the list of hosts for ssh, so we
can safely assume that they intend to ssh to those hosts.

Also, for the ovb case the hosts will have new host ssh keys which have
not yet been accepted.

Change-Id: Ia2a2d1e4c214d9d9190131c280a54eab066e3657
Closes-Bug: #1737027
2017-12-07 14:54:49 -05:00

90 lines
3.2 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
set -eu
# whitespace (space or newline) separated list
OVERCLOUD_HOSTS=${OVERCLOUD_HOSTS:-""}
OVERCLOUD_SSH_USER=${OVERCLOUD_SSH_USER:-"$USER"}
# this is just for compatibility with CI
SUBNODES_SSH_KEY=${SUBNODES_SSH_KEY:-"$HOME/.ssh/id_rsa"}
# this is the intended variable for overriding
OVERCLOUD_SSH_KEY=${OVERCLOUD_SSH_KEY:-"$SUBNODES_SSH_KEY"}
SHORT_TERM_KEY_COMMENT="TripleO split stack short term key"
SLEEP_TIME=5
function overcloud_ssh_hosts_json {
echo "$OVERCLOUD_HOSTS" | python -c '
from __future__ import print_function
import json, re, sys
print(json.dumps(re.split("\s+", sys.stdin.read().strip())))'
}
function overcloud_ssh_key_json {
# we pass the contents to Mistral instead of just path, otherwise
# the key file would have to be readable for the mistral user
cat "$1" | python -c 'import json,sys; print(json.dumps(sys.stdin.read()))'
}
function workflow_finished {
local execution_id="$1"
openstack workflow execution show -f shell $execution_id | grep 'state="SUCCESS"' > /dev/null
}
function generate_short_term_keys {
local tmpdir=$(mktemp -d)
ssh-keygen -N '' -t rsa -b 4096 -f "$tmpdir/id_rsa" -C "$SHORT_TERM_KEY_COMMENT" > /dev/null
echo "$tmpdir"
}
if [ -z "$OVERCLOUD_HOSTS" ]; then
echo 'Please set $OVERCLOUD_HOSTS'
exit 1
fi
echo "Starting workflow to create ssh admin on deployed servers."
echo "SSH user: $OVERCLOUD_SSH_USER"
echo "SSH key file: $OVERCLOUD_SSH_KEY"
echo "Hosts: $OVERCLOUD_HOSTS"
echo
SHORT_TERM_KEY_DIR=$(generate_short_term_keys)
SHORT_TERM_KEY_PRIVATE="$SHORT_TERM_KEY_DIR/id_rsa"
SHORT_TERM_KEY_PUBLIC="$SHORT_TERM_KEY_DIR/id_rsa.pub"
SHORT_TERM_KEY_PUBLIC_CONTENT=$(cat $SHORT_TERM_KEY_PUBLIC)
for HOST in $OVERCLOUD_HOSTS; do
echo "Inserting TripleO short term key for $HOST"
# prepending an extra newline so that if authorized_keys didn't
# end with a newline previously, we don't end up garbling it up
ssh -o StrictHostKeyChecking=no -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$HOST" "echo -e '\n$SHORT_TERM_KEY_PUBLIC_CONTENT' >> \$HOME/.ssh/authorized_keys"
done
echo "Starting ssh admin enablement workflow"
EXECUTION_PARAMS="{\"ssh_user\": \"$OVERCLOUD_SSH_USER\", \"ssh_servers\": $(overcloud_ssh_hosts_json), \"ssh_private_key\": $(overcloud_ssh_key_json "$SHORT_TERM_KEY_PRIVATE")}"
EXECUTION_CREATE_OUTPUT=$(openstack workflow execution create -f shell -d 'deployed server ssh admin creation' tripleo.access.v1.enable_ssh_admin "$EXECUTION_PARAMS")
echo "$EXECUTION_CREATE_OUTPUT"
EXECUTION_ID=$(echo "$EXECUTION_CREATE_OUTPUT" | grep '^id=' | awk '-F"' '{ print $2 }')
if [ -z "$EXECUTION_ID" ]; then
echo "Failed to get workflow execution ID for ssh admin creation workflow"
exit 1
fi
echo -n "Waiting for the workflow execution to finish (id $EXECUTION_ID)."
while ! workflow_finished $EXECUTION_ID; do
sleep $SLEEP_TIME
echo -n .
done
echo # newline after the previous dots
for HOST in $OVERCLOUD_HOSTS; do
echo "Removing TripleO short term key from $HOST"
ssh -l "$OVERCLOUD_SSH_USER" "$HOST" "sed -i -e '/$SHORT_TERM_KEY_COMMENT/d' \$HOME/.ssh/authorized_keys"
done
echo "Removing short term keys locally"
rm -r "$SHORT_TERM_KEY_DIR"
echo "Success."
View Git Blame Copy Permalink