Heat templates for deploying OpenStack

  1. #!/bin/bash
  2. set -eu
  3. # whitespace (space or newline) separated list
  4. OVERCLOUD_HOSTS=${OVERCLOUD_HOSTS:-""}
  5. OVERCLOUD_SSH_USER=${OVERCLOUD_SSH_USER:-"$USER"}
  6. # this is just for compatibility with CI
  7. SUBNODES_SSH_KEY=${SUBNODES_SSH_KEY:-"$HOME/.ssh/id_rsa"}
  8. # this is the intended variable for overriding
  9. OVERCLOUD_SSH_KEY=${OVERCLOUD_SSH_KEY:-"$SUBNODES_SSH_KEY"}
  10. SSH_TIMEOUT_OPTIONS=${SSH_TIMEOUT_OPTIONS:-"-o ConnectionAttempts=6 -o ConnectTimeout=30"}
  11. SSH_HOSTKEY_OPTIONS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
  12. SHORT_TERM_KEY_COMMENT="TripleO split stack short term key"
  13. SLEEP_TIME=5
  14. # The default is defined in tripleoclient/constants.py
  15. ENABLE_SSH_ADMIN_TIMEOUT=${ENABLE_SSH_ADMIN_TIMEOUT:-"600"}
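# needed to handle where python lives
#
# Prints the path of the first interpreter found among python3, python2 and
# python. When none exists it reports that on stderr and exits with status 1;
# callers use it as $(get_python), where the exit only ends the command
# substitution, so without the message they would just see an empty command.
function get_python() {
  local candidate
  for candidate in python3 python2 python; do
    if command -v "$candidate"; then
      return 0
    fi
  done
  echo "No python interpreter found (tried python3, python2, python)" >&2
  exit 1
}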
  20. function overcloud_ssh_hosts_json {
  21. echo "$OVERCLOUD_HOSTS" | $(get_python) -c '
  22. from __future__ import print_function
  23. import json, re, sys
  24. print(json.dumps(re.split("\s+", sys.stdin.read().strip())))'
  25. }
  26. function overcloud_ssh_key_json {
  27. # we pass the contents to Mistral instead of just path, otherwise
  28. # the key file would have to be readable for the mistral user
  29. cat "$1" | $(get_python) -c 'import json,sys; print(json.dumps(sys.stdin.read()))'
  30. }
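# Polls a Mistral workflow execution until it reaches SUCCESS or ERROR.
# Globals:   ENABLE_SSH_ADMIN_TIMEOUT (read), SLEEP_TIME (read)
# Arguments: $1 - workflow execution id
# Outputs:   one status line on stdout
# Returns:   0 on SUCCESS, 1 on ERROR or when the timeout is reached
function workflow_finished {
  local execution_id="$1"
  local polls_left state
  polls_left=$(( ENABLE_SSH_ADMIN_TIMEOUT / SLEEP_TIME ))
  # A timeout shorter than the poll interval would round down to zero polls
  # and report a timeout without ever looking at the workflow.
  if [ "$polls_left" -lt 1 ]; then
    polls_left=1
  fi
  while [ "$polls_left" -gt 0 ]; do
    # A failed query counts as "not finished yet", so a transient API error
    # does not end the wait early.
    state=$(openstack workflow execution show -f value -c State "$execution_id") || state=""
    if [ "$state" == "ERROR" ]; then
      echo "Workflow $execution_id finished with error. Check mistral logs."
      return 1
    elif [ "$state" == "SUCCESS" ]; then
      echo "Workflow $execution_id finished with success."
      return 0
    else
      # Any other state keeps polling until the timeout.
      sleep "$SLEEP_TIME"
    fi
    polls_left=$(( polls_left - 1 ))
  done
  echo "Workflow $execution_id did not finish after $ENABLE_SSH_ADMIN_TIMEOUT seconds."
  return 1
}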
  51. function generate_short_term_keys {
  52. local tmpdir=$(mktemp -d)
  53. ssh-keygen -N '' -t rsa -b 4096 -f "$tmpdir/id_rsa" -C "$SHORT_TERM_KEY_COMMENT" > /dev/null
  54. echo "$tmpdir"
  55. }
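if [ -z "$OVERCLOUD_HOSTS" ]; then
  # shellcheck disable=SC2016 # the literal variable name is the message
  echo 'Please set $OVERCLOUD_HOSTS'
  exit 1
fi

echo "Starting workflow to create ssh admin on deployed servers."
echo "SSH user: $OVERCLOUD_SSH_USER"
echo "SSH key file: $OVERCLOUD_SSH_KEY"
echo "Hosts: $OVERCLOUD_HOSTS"
echo

# State read by the failure-path cleanup below.
SHORT_TERM_KEY_DIR=""
SHORT_TERM_KEY_HOSTS=""
# Remote command that deletes every authorized_keys line carrying the short
# term key comment.
REMOVE_SHORT_TERM_KEY_COMMAND="sed -i -e '/$SHORT_TERM_KEY_COMMENT/d' \$HOME/.ssh/authorized_keys"

# Runs on every exit. After a failure (ssh error, workflow error or timeout)
# the short term key must not stay authorized on the servers, and its
# passphrase-less private half must not stay on local disk. Removal is best
# effort: a host that cannot be reached is reported instead of hiding the
# original failure. The successful path cleans up explicitly further down.
function cleanup_short_term_keys_on_failure {
  local status=$?
  local host
  trap - EXIT
  if [ "$status" -eq 0 ]; then
    return 0
  fi
  for host in $SHORT_TERM_KEY_HOSTS; do
    echo "Removing TripleO short term key from $host after failure" >&2
    # shellcheck disable=SC2086 # option strings are split on purpose
    ssh $SSH_TIMEOUT_OPTIONS $SSH_HOSTKEY_OPTIONS -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$host" "$REMOVE_SHORT_TERM_KEY_COMMAND" \
      || echo "WARNING: short term key may still be authorized on $host; remove it manually." >&2
  done
  if [ -n "$SHORT_TERM_KEY_DIR" ]; then
    rm -rf -- "$SHORT_TERM_KEY_DIR"
  fi
}
trap cleanup_short_term_keys_on_failure EXIT

SHORT_TERM_KEY_DIR=$(generate_short_term_keys)
SHORT_TERM_KEY_PRIVATE="$SHORT_TERM_KEY_DIR/id_rsa"
SHORT_TERM_KEY_PUBLIC="$SHORT_TERM_KEY_DIR/id_rsa.pub"
SHORT_TERM_KEY_PUBLIC_CONTENT=$(cat "$SHORT_TERM_KEY_PUBLIC")

# OVERCLOUD_HOSTS is a whitespace separated list, so it is split on purpose.
for HOST in $OVERCLOUD_HOSTS; do
  echo "Inserting TripleO short term key for $HOST"
  # Recorded before the attempt so that a half-finished insert is cleaned too.
  SHORT_TERM_KEY_HOSTS="$SHORT_TERM_KEY_HOSTS $HOST"
  # prepending an extra newline so that if authorized_keys didn't
  # end with a newline previously, we don't end up garbling it up
  # shellcheck disable=SC2086 # option strings are split on purpose
  ssh $SSH_TIMEOUT_OPTIONS $SSH_HOSTKEY_OPTIONS -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$HOST" "echo -e '\n$SHORT_TERM_KEY_PUBLIC_CONTENT' >> \$HOME/.ssh/authorized_keys"
done

echo "Starting ssh admin enablement workflow"
# SECURITY: EXECUTION_PARAMS carries the short term private key and is passed
# to the openstack client as a command line argument, where other local users
# can read it from the process list while the command runs. Never print this
# variable or run this section under `set -x`.
# NOTE(review): ssh_user is interpolated into the JSON without escaping; a
# value containing a double quote or backslash yields malformed input.
EXECUTION_PARAMS="{\"ssh_user\": \"$OVERCLOUD_SSH_USER\", \"ssh_servers\": $(overcloud_ssh_hosts_json), \"ssh_private_key\": $(overcloud_ssh_key_json "$SHORT_TERM_KEY_PRIVATE")}"
EXECUTION_CREATE_OUTPUT=$(openstack workflow execution create -f shell -d 'deployed server ssh admin creation' tripleo.access.v1.enable_ssh_admin "$EXECUTION_PARAMS")
# NOTE(review): confirm that this output never includes the workflow input,
# which would put the private key into the deployment log.
echo "$EXECUTION_CREATE_OUTPUT"
# `-f shell` prints lines such as id="<execution id>"; take the quoted value.
EXECUTION_ID=$(printf '%s\n' "$EXECUTION_CREATE_OUTPUT" | awk -F'"' '/^id=/ { print $2 }')

if [ -z "$EXECUTION_ID" ]; then
  echo "Failed to get workflow execution ID for ssh admin creation workflow"
  exit 1
fi

echo -n "Waiting for the workflow execution to finish (id $EXECUTION_ID)."
if ! workflow_finished "$EXECUTION_ID"; then
  exit 1
fi
echo # newline after the previous dots

for HOST in $OVERCLOUD_HOSTS; do
  echo "Removing TripleO short term key from $HOST"
  # shellcheck disable=SC2086 # option strings are split on purpose
  ssh $SSH_TIMEOUT_OPTIONS $SSH_HOSTKEY_OPTIONS -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$HOST" "$REMOVE_SHORT_TERM_KEY_COMMAND"
done

echo "Removing short term keys locally"
rm -r "$SHORT_TERM_KEY_DIR"

echo "Success."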