openstack/tripleo-heat-templates
Code Issues Proposed changes
643c3d25d9
tripleo-heat-templates/deployment/sshd/sshd-baremetal-ansible.yaml
Takashi Kajinami bfd97da0bf Allow partial override about SshServerOptions 
When operator needs to change any options described in sshd_config,
he/she should use the parameter named SshServerOptions to define
the updated configuration.

However the problem here is that he/she should define the whole content
instead of the actual lines to be overridden, otherwise some of the
lines defined in its default can be missing from configuration. This
makes it difficutlt to properly update the parameter during update or
upgrade, since operators always need to check whetehr any change has
been made about the default of SshServerOptions.

This change introduces a new parameter, SshServerOptionsOverride, which
can be used to override specific line in SshServerOptions. Note that
SshServerOptions should still be used if any of the lines in
SshServerOptions needs to be removed.

Change-Id: I8a018c8c7435a753c8ed5b5fa211d91d053f8d67
2020-09-30 10:06:51 +09:00

114 lines
3.5 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
Configure sshd_config
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
BannerText:
default: ''
description: Configures Banner text in sshd_config
type: string
MessageOfTheDay:
default: ''
description: Configures /etc/motd text
type: string
SshServerOptions:
default:
HostKey:
- '/etc/ssh/ssh_host_rsa_key'
- '/etc/ssh/ssh_host_ecdsa_key'
- '/etc/ssh/ssh_host_ed25519_key'
SyslogFacility: 'AUTHPRIV'
AuthorizedKeysFile: '.ssh/authorized_keys'
ChallengeResponseAuthentication: 'no'
GSSAPIAuthentication: 'yes'
GSSAPICleanupCredentials: 'no'
UsePAM: 'yes'
UseDNS: 'no'
X11Forwarding: 'yes'
AcceptEnv:
- 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
- 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
- 'LC_IDENTIFICATION LC_ALL LANGUAGE'
- 'XMODIFIERS'
Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
description: Mapping of sshd_config values
type: json
SshServerOptionsOverrides:
default: {}
description: Mapping of sshd_config values to override definitions in
SshServerOptions
type: json
PasswordAuthentication:
default: 'no'
description: Whether or not disable password authentication
type: string
SshFirewallAllowAll:
default: false
description: Set this to true to open up ssh access from all sources.
type: boolean
conditions:
ssh_firewall_allow_all: {equals: [{get_param: SshFirewallAllowAll}, true]}
ssh_banner_text_empty: {equals: [{get_param: BannerText}, '']}
ssh_motd_text_empty: {equals: [{get_param: MessageOfTheDay}, '']}
outputs:
role_data:
description: Role data for the ssh
value:
service_name: sshd
firewall_rules:
'003 accept ssh from all':
proto: 'tcp'
dport: 22
extras:
ensure: {if: [ssh_firewall_allow_all, 'present', 'absent']}
host_prep_config:
- include_role:
name: tripleo_ssh
vars:
tripleo_sshd_server_options:
map_merge:
- {get_param: SshServerOptions}
- {get_param: SshServerOptionsOverrides}
tripleo_sshd_password_authentication: {get_param: PasswordAuthentication}
tripleo_sshd_banner_enabled:
if:
- ssh_banner_text_empty
- true
- false
tripleo_sshd_banner_text: {get_param: BannerText}
tripleo_sshd_motd_enabled:
if:
- ssh_motd_text_empty
- true
- false
tripleo_sshd_message_of_the_day: {get_param: MessageOfTheDay}
View Git Blame Copy Permalink