From 7760815c98231ffd431f053f8fac35902f420118 Mon Sep 17 00:00:00 2001
From: Gerry Kopec
Date: Thu, 10 Jan 2019 00:12:21 -0500
Subject: [PATCH] Enable cold migration in nova helm chart
- Move private key from sshd container to nova-compute container.
- Map private and public keys to configmap-ssh which will default to correct file permissions.
- Add additional config to /etc/ssh/sshd_config to allow passwordless root logins over appropriate subnet passed in from overrides.
- Remove chmods from sshd bash script as they are failing.
Depends on helm-toolkit supporting multiple containers per pod.
---
 nova/templates/bin/_ssh-start.sh.tpl | 19 ++++++++++++++++---
 nova/templates/configmap-etc.yaml | 4 ++--
 nova/templates/configmap-ssh.yaml | 35 +++++++++++++++++++++++++++++++++++
 nova/templates/daemonset-compute.yaml | 14 +++++++++-----
 nova/values.yaml | 5 +++++
 5 files changed, 67 insertions(+), 10 deletions(-)
 create mode 100755 nova/templates/configmap-ssh.yaml
diff --git a/nova/templates/bin/_ssh-start.sh.tpl b/nova/templates/bin/_ssh-start.sh.tpl
index 1c10cb0..158090b 100644
--- a/nova/templates/bin/_ssh-start.sh.tpl
+++ b/nova/templates/bin/_ssh-start.sh.tpl
@@ -33,8 +33,21 @@ if [[ $(stat -c %U:%G ~nova/.ssh) != "nova:nova" ]]; then
 chown nova: ~nova/.ssh
 fi
-chmod 0600 ~root/.ssh/authorized_keys
-chmod 0600 ~root/.ssh/id_rsa
-chmod 0600 ~root/.ssh/id_rsa.pub
+{{- if .Values.network.sshd.enabled }}
+subnet_address="{{- .Values.network.sshd.from_subnet -}}"
+cat > /tmp/sshd_config_extend <> /etc/ssh/sshd_config
+rm /tmp/sshd_config_extend
+{{- end }}
 exec /usr/sbin/sshd -D -e -o Port=$SSH_PORT
diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml
index 55aa311..0d1e7a5 100644
--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
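Review bot: `subnet_address` is taken straight from `.Values.network.sshd.from_subnet` and written into the block appended to `/etc/ssh/sshd_config` with no validation, and since that block (per the commit message) grants passwordless root login to that address range, a typo or an over-broad override such as a /0 silently widens root access on every compute host. A one-line sanity check before the `cat` would catch the obvious IPv4 cases: `[[ "$subnet_address" =~ ^[0-9.]+/[0-9]{1,2}$ ]] || { echo "invalid network.sshd.from_subnet: $subnet_address" >&2; exit 1; }`. The heredoc body between `cat > /tmp/sshd_config_extend <<EOF` and the `>> /etc/ssh/sshd_config` append appears to have been lost in this rendering, so the directives it sets could not be checked here; presumably it is a `Match Address $subnet_address` block, and it is worth confirming that it does not also turn on password authentication. With the three chmods removed, nothing in this script enforces the key-file modes any more, so the permissions now rest entirely on the Secret's `defaultMode` in daemonset-compute.yaml.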
@@ -232,8 +232,8 @@ data:
 logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
 nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }}
-# FIXME(portdirect): why is this file suffixed .sh?
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config.sh" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config" "format" "Secret" ) | indent 2 }}
+
 {{- end }}
 {{- end }}
 {{- if .Values.manifests.configmap_etc }}
diff --git a/nova/templates/configmap-ssh.yaml b/nova/templates/configmap-ssh.yaml
new file mode 100755
index 0000000..bab8e33
--- /dev/null
+++ b/nova/templates/configmap-ssh.yaml
@@ -0,0 +1,35 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "nova.configmap.ssh" }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: nova-ssh
+type: Opaque
+data:
+ ssh-key-private: {{ .Values.conf.ssh_private | b64enc }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh_public "key" "ssh-key-public" "format" "Secret" ) | indent 2 }}
+
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- list "nova-ssh" . | include "nova.configmap.ssh" }}
+{{- end }}
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 850f0b0..82f185f 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -217,6 +217,9 @@ spec:
 mountPath: /root/.ssh/config
 subPath: ssh-config
 readOnly: true
+ - name: nova-ssh
+ mountPath: /root/.ssh/id_rsa
+ subPath: ssh-key-private
 {{- if .Values.conf.ceph.enabled }}
 - name: etcceph
 mountPath: /etc/ceph
@@ -273,13 +276,10 @@ spec:
 mountPath: /var/lib/nova
 - name: varliblibvirt
 mountPath: /var/lib/libvirt
- - name: nova-etc
- mountPath: /root/.ssh/id_rsa
- subPath: ssh-key-private
- - name: nova-etc
+ - name: nova-ssh
 mountPath: /root/.ssh/id_rsa.pub
 subPath: ssh-key-public
- - name: nova-etc
+ - name: nova-ssh
 mountPath: /root/.ssh/authorized_keys
 subPath: ssh-key-public
 - name: nova-bin
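Review bot: `ssh-key-private` is rendered from `.Values.conf.ssh_private` with no check that an operator actually supplied a key, and the values.yaml hunk in this same commit seeds both `ssh_private` and `ssh_public` with the literal string `'null'`, so a chart installed with defaults ships a Secret whose id_rsa and authorized_keys are the four bytes `null` and the problem would surface only when a migration is attempted rather than at install time. Consider `ssh-key-private: {{ required "conf.ssh_private must be set" .Values.conf.ssh_private | b64enc }}`, gated on `.Values.network.sshd.enabled` if the key is genuinely optional when sshd is off. The template is also switched on `.Values.manifests.configmap_etc` rather than a flag of its own, so this Secret cannot be disabled independently of the etc Secret; a dedicated `manifests` key would match how configmap-etc.yaml appears to be gated. Minor: the name passed in `list "nova-ssh" .` is never read (`metadata.name` is hard-coded and only `index . 1` is used), so either take the name from `index . 0` or drop the list.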
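Review bot: The new `id_rsa` mount into the nova-compute container lacks `readOnly: true`, while the `ssh-config` mount three lines above it has one; root's private key is thereby exposed as a writable subPath file inside the container, so add `readOnly: true` under `subPath: ssh-key-private`. The same applies to the `id_rsa.pub` and `authorized_keys` mounts in the hunk at -273 below, which this commit retargets to the nova-ssh Secret but leaves without `readOnly`. Note also that subPath mounts of a Secret are not refreshed in place by the kubelet, so rotating nova-ssh requires restarting the pods; that is worth a comment next to the volume definition or in the values.yaml description of `conf.ssh_private`.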
@@ -295,6 +295,10 @@ spec:
 secret:
 secretName: {{ $configMapName }}
 defaultMode: 0444
+ - name: nova-ssh
+ secret:
+ secretName: nova-ssh
+ defaultMode: 0400
 {{- if .Values.conf.ceph.enabled }}
 - name: etcceph
 emptyDir: {}
diff --git a/nova/values.yaml b/nova/values.yaml
index 4edf5c6..9646ded 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -209,6 +209,9 @@ network:
 ssh:
 name: "nova-ssh"
 port: 8022
+ sshd:
+ enabled: false
+ from_subnet: 0.0.0.0/24
 dependencies:
 dynamic:
@@ -460,6 +463,8 @@ conf:
 StrictHostKeyChecking no
 UserKnownHostsFile /dev/null
 Port {{ .Values.network.ssh.port }}
+ ssh_private: 'null'
+ ssh_public: 'null'
 rally_tests:
 run_tempest: false
 tests:
-- 1.8.3.1
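Review bot: `from_subnet: 0.0.0.0/24` is a reserved, non-routable placeholder and nothing in the hunk says so; because this value becomes (via `_ssh-start.sh.tpl`) the address range allowed to log in as root without a password, an operator who does not understand it is likely to "fix" it to `0.0.0.0/0`. Add a comment above it: `# CIDR of the compute-host network permitted passwordless root ssh to the sshd container; must be overridden with the real host network when sshd.enabled is true.` In the hunk at -460 below, `ssh_private: 'null'` and `ssh_public: 'null'` establish values.yaml as the home of the key pair, and values.yaml is normally committed to version control; a comment there should state that the real private key must come from an override or an external secret store and must never be checked in, and that every compute host shares this one key pair, so a compromise of one host's copy affects all of them.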