175 lines
6.3 KiB
Diff
175 lines
6.3 KiB
Diff
From 7760815c98231ffd431f053f8fac35902f420118 Mon Sep 17 00:00:00 2001
|
|
From: Gerry Kopec <Gerry.Kopec@windriver.com>
|
|
Date: Thu, 10 Jan 2019 00:12:21 -0500
|
|
Subject: [PATCH] Enable cold migration in nova helm chart
|
|
|
|
- Move private key from sshd container to nova-compute container.
|
|
- Map private and public keys to configmap-ssh which will default to
|
|
correct file permissions.
|
|
- Add additional config to /etc/ssh/sshd_config to allow passwordless
|
|
root logins over appropriate subnet passed in from overrides.
|
|
- Remove chmods from sshd bash script as they are failing.
|
|
|
|
Depends on helm-toolkit supporting multiple containers per pod.
|
|
---
|
|
nova/templates/bin/_ssh-start.sh.tpl | 19 ++++++++++++++++---
|
|
nova/templates/configmap-etc.yaml | 4 ++--
|
|
nova/templates/configmap-ssh.yaml | 35 +++++++++++++++++++++++++++++++++++
|
|
nova/templates/daemonset-compute.yaml | 14 +++++++++-----
|
|
nova/values.yaml | 5 +++++
|
|
5 files changed, 67 insertions(+), 10 deletions(-)
|
|
create mode 100755 nova/templates/configmap-ssh.yaml
|
|
|
|
diff --git a/nova/templates/bin/_ssh-start.sh.tpl b/nova/templates/bin/_ssh-start.sh.tpl
|
|
index 1c10cb0..158090b 100644
|
|
--- a/nova/templates/bin/_ssh-start.sh.tpl
|
|
+++ b/nova/templates/bin/_ssh-start.sh.tpl
|
|
@@ -33,8 +33,21 @@ if [[ $(stat -c %U:%G ~nova/.ssh) != "nova:nova" ]]; then
|
|
chown nova: ~nova/.ssh
|
|
fi
|
|
|
|
-chmod 0600 ~root/.ssh/authorized_keys
|
|
-chmod 0600 ~root/.ssh/id_rsa
|
|
-chmod 0600 ~root/.ssh/id_rsa.pub
|
|
+{{- if .Values.network.sshd.enabled }}
|
|
+subnet_address="{{- .Values.network.sshd.from_subnet -}}"
|
|
+cat > /tmp/sshd_config_extend <<EOF
|
|
+
|
|
+# This Match block prevents Password Authentication for root user
|
|
+Match User root
|
|
+ PasswordAuthentication no
|
|
+
|
|
+# This Match Block is used to allow Root Login exceptions over the
|
|
+# internal subnet used by Nova Migrations
|
|
+Match Address $subnet_address
|
|
+ PermitRootLogin without-password
|
|
+EOF
|
|
+cat /tmp/sshd_config_extend >> /etc/ssh/sshd_config
|
|
+rm /tmp/sshd_config_extend
|
|
+{{- end }}
|
|
|
|
exec /usr/sbin/sshd -D -e -o Port=$SSH_PORT
|
|
diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml
|
|
index 55aa311..0d1e7a5 100644
|
|
--- a/nova/templates/configmap-etc.yaml
|
|
+++ b/nova/templates/configmap-etc.yaml
|
|
@@ -232,8 +232,8 @@ data:
|
|
logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
|
|
nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }}
|
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }}
|
|
-# FIXME(portdirect): why is this file suffixed .sh?
|
|
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config.sh" "format" "Secret" ) | indent 2 }}
|
|
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config" "format" "Secret" ) | indent 2 }}
|
|
+
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.manifests.configmap_etc }}
|
|
diff --git a/nova/templates/configmap-ssh.yaml b/nova/templates/configmap-ssh.yaml
|
|
new file mode 100755
|
|
index 0000000..bab8e33
|
|
--- /dev/null
|
|
+++ b/nova/templates/configmap-ssh.yaml
|
|
@@ -0,0 +1,35 @@
|
|
+{{/*
|
|
+Copyright 2019 The Openstack-Helm Authors.
|
|
+
|
|
+Licensed under the Apache License, Version 2.0 (the "License");
|
|
+you may not use this file except in compliance with the License.
|
|
+You may obtain a copy of the License at
|
|
+
|
|
+ http://www.apache.org/licenses/LICENSE-2.0
|
|
+
|
|
+Unless required by applicable law or agreed to in writing, software
|
|
+distributed under the License is distributed on an "AS IS" BASIS,
|
|
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
+See the License for the specific language governing permissions and
|
|
+limitations under the License.
|
|
+*/}}
|
|
+
|
|
+{{- define "nova.configmap.ssh" }}
|
|
+{{- $envAll := index . 1 }}
|
|
+{{- with $envAll }}
|
|
+---
|
|
+apiVersion: v1
|
|
+kind: Secret
|
|
+metadata:
|
|
+ name: nova-ssh
|
|
+type: Opaque
|
|
+data:
|
|
+ ssh-key-private: {{ .Values.conf.ssh_private | b64enc }}
|
|
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh_public "key" "ssh-key-public" "format" "Secret" ) | indent 2 }}
|
|
+
|
|
+{{- end }}
|
|
+{{- end }}
|
|
+
|
|
+{{- if .Values.manifests.configmap_etc }}
|
|
+{{- list "nova-ssh" . | include "nova.configmap.ssh" }}
|
|
+{{- end }}
|
|
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
|
|
index 850f0b0..82f185f 100644
|
|
--- a/nova/templates/daemonset-compute.yaml
|
|
+++ b/nova/templates/daemonset-compute.yaml
|
|
@@ -217,6 +217,9 @@ spec:
|
|
mountPath: /root/.ssh/config
|
|
subPath: ssh-config
|
|
readOnly: true
|
|
+ - name: nova-ssh
|
|
+ mountPath: /root/.ssh/id_rsa
|
|
+ subPath: ssh-key-private
|
|
{{- if .Values.conf.ceph.enabled }}
|
|
- name: etcceph
|
|
mountPath: /etc/ceph
|
|
@@ -273,13 +276,10 @@ spec:
|
|
mountPath: /var/lib/nova
|
|
- name: varliblibvirt
|
|
mountPath: /var/lib/libvirt
|
|
- - name: nova-etc
|
|
- mountPath: /root/.ssh/id_rsa
|
|
- subPath: ssh-key-private
|
|
- - name: nova-etc
|
|
+ - name: nova-ssh
|
|
mountPath: /root/.ssh/id_rsa.pub
|
|
subPath: ssh-key-public
|
|
- - name: nova-etc
|
|
+ - name: nova-ssh
|
|
mountPath: /root/.ssh/authorized_keys
|
|
subPath: ssh-key-public
|
|
- name: nova-bin
|
|
@@ -295,6 +295,10 @@ spec:
|
|
secret:
|
|
secretName: {{ $configMapName }}
|
|
defaultMode: 0444
|
|
+ - name: nova-ssh
|
|
+ secret:
|
|
+ secretName: nova-ssh
|
|
+ defaultMode: 0400
|
|
{{- if .Values.conf.ceph.enabled }}
|
|
- name: etcceph
|
|
emptyDir: {}
|
|
diff --git a/nova/values.yaml b/nova/values.yaml
|
|
index 4edf5c6..9646ded 100644
|
|
--- a/nova/values.yaml
|
|
+++ b/nova/values.yaml
|
|
@@ -209,6 +209,9 @@ network:
|
|
ssh:
|
|
name: "nova-ssh"
|
|
port: 8022
|
|
+ sshd:
|
|
+ enabled: false
|
|
+ from_subnet: 0.0.0.0/24
|
|
|
|
dependencies:
|
|
dynamic:
|
|
@@ -460,6 +463,8 @@ conf:
|
|
StrictHostKeyChecking no
|
|
UserKnownHostsFile /dev/null
|
|
Port {{ .Values.network.ssh.port }}
|
|
+ ssh_private: 'null'
|
|
+ ssh_public: 'null'
|
|
rally_tests:
|
|
run_tempest: false
|
|
tests:
|
|
--
|
|
1.8.3.1
|
|
|