Bug 1235347

Summary: [Docs] [Install] Add a note that ssh is not enabled by default on the RHEV-M Appliance, point to how to enable it
Product: Red Hat Enterprise Virtualization Manager
Reporter: rhev-integ
Component: Documentation
Assignee: Tahlia Richardson <trichard>
Status: CLOSED CURRENTRELEASE
QA Contact: Nikolai Sednev <nsednev>
Severity: urgent
Priority: high
Version: 3.6.0
CC: adahms, bmcclain, dfediuck, ecohen, fdeutsch, gklein, lsurette, nsednev, pstehlik, rbalakri, yeylon, ylavi
Keywords: Triaged, ZStream
Target Release: 3.5.4
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Clone Of: 1218312
Last Closed: 2015-08-05 07:15:30 UTC
Bug Depends On: 1218312
Bug Blocks: 1250288

Comment 6 Fabian Deutsch 2015-07-07 14:55:25 UTC
The problem in comment 2 is that cloud-init is enabled; this should not be the case in the RHEV-M 3.5 appliance.

And I also see that the rhel-guest image we are using is disabling root login by default.

To fix this, we must not inherit from the rhel-guest image anymore, and make sure that cloud-init is disabled, sshd is enabled and the firewall ssh port is open and PermitRootLogin is yes.

There might be something else we need.

Comment 7 Anatoly Litovsky 2015-07-08 06:24:32 UTC
Please indicate why you expect SSH to be working.
Providing ssh login for root by default is considered non-secure.
It was never provided before across all Red Hat.

Comment 8 Anatoly Litovsky 2015-07-08 06:25:02 UTC
Regarding cloud-init, we need it for the growfs.

Comment 9 Fabian Deutsch 2015-07-08 07:54:22 UTC
AFAIK the size of the disk in the OVA is left untouched when the appliance is started; thus the disk size does not change, and if it does not change, then we do not need to grow any partition.
And if it does change, then we can possibly use dracut-modules-growroot.

For ssh, you are right, we should not necessarily enable ssh by default; after all, a user can still access the VM via spice/vnc.

Or not?

Comment 10 Anatoly Litovsky 2015-07-08 08:40:04 UTC
dracut-modules-growroot was not working.
We needed the cloud-init growroot.

We had a bug about it.
I think it was needed because of qcow, but I am probably wrong.

Comment 11 Fabian Deutsch 2015-07-08 08:52:35 UTC
Sandro, can you tell if the disk size of the appliance is modified in the HE appliance flow?

Comment 12 Sandro Bonazzola 2015-07-08 09:22:37 UTC
As far as I know, only the memory size and the number of CPUs can be changed during the setup.

Comment 13 Sandro Bonazzola 2015-07-08 09:23:11 UTC
Restoring needinfo on Nikolai, dropped by mistake.

Comment 14 Anatoly Litovsky 2015-07-09 06:06:40 UTC
Providing the official Red Hat guide to handling OpenSSH config:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-ssh-configuration-sshd.html
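
The thread (comment 6 and the guide linked above) leaves the appliance's sshd settings to the administrator, so here is an added check, not code from the bug, the appliance or the linked guide: it reads the global section of an sshd_config the way sshd does (first value wins, Match ends the global section) and reports whether root can log in with only a password. The compiled-in default for PermitRootLogin is passed in by the caller, since it depends on the OpenSSH version; the sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug or the appliance): audit the global section of
# an sshd_config for the root-login posture the thread discusses. sshd keeps the
# FIRST value it sees for a keyword, and a Match block ends the global section.

# effective_sshd_option FILE KEYWORD DEFAULT: print the effective value of KEYWORD
# (case-insensitive, comment lines ignored, Keyword=value accepted) or DEFAULT.
effective_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/[[:space:]]*=[[:space:]]*/, " ") }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"       { exit }
        tolower($1) == key && !found { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# root_password_login_allowed FILE DEFAULT: exit 0 when root can log in with only
# a password; the caller supplies the compiled-in default ("yes" before OpenSSH 7.0).
root_password_login_allowed() {
    prl=$(effective_sshd_option "$1" PermitRootLogin "$2" | tr 'A-Z' 'a-z')
    pw=$(effective_sshd_option "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    [ "$prl" = "yes" ] && [ "$pw" = "yes" ]
}

# Constructed sample configs (not taken from any real appliance).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/keys-only.conf" <<'EOF'
Port 22
PermitRootLogin without-password
PasswordAuthentication no
EOF
cat > "$SAMPLE_DIR/first-wins.conf" <<'EOF'
# the second PermitRootLogin line is ignored by sshd
PermitRootLogin yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
printf 'Port 22\n' > "$SAMPLE_DIR/unset.conf"
for f in keys-only first-wins unset; do
    if root_password_login_allowed "$SAMPLE_DIR/$f.conf" yes; then
        echo "$f.conf: root password login ALLOWED"
    else
        echo "$f.conf: root password login blocked"
    fi
done
```

Run it against /etc/ssh/sshd_config with the default your OpenSSH build uses (`sshd -T | grep -i permitrootlogin` shows the effective value on a live host) to confirm what the note in the Installation Guide should tell the user to change.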

Comment 15 Fabian Deutsch 2015-07-09 09:18:00 UTC
Andrew, can we add a notice to the documentation, telling the user that SSH is enabled by default for security reasons, but can be enabled using the doc from comment 14?
The appliance can always be accessed through the spice or vnc console (not sure how this is officially called in the docs).

Comment 17 Andrew Dahms 2015-07-09 10:55:01 UTC
Hi Fabian,

Thank you for the needinfo request. Can do - thank you for letting us know!

Kind regards,

Andrew

Comment 19 Nikolai Sednev 2015-07-09 14:13:58 UTC
(In reply to Anatoly Litovsky from comment #7)
> Please indicate why you expect SSH to be working.
> Providing ssh login for root by default is considered non-secure.
> It was never provided before across all Red Hat.

I'm using regular PXE and then getting logged in via ssh, no problem.
I do expect to have ssh configured to get access to the Engine's VM, because Spice is not passing NAT and I can't rely on a single type of connection.
I'm also getting ssh access to the hosts running over RHEVH/RHEL, no problem.
The configuration is up to admins; they may block the access, but again, the datacenter is one of the most highly protected places, with its own security appliances and security measures, hence disabling ssh for the HE VM based on the appliance will dramatically limit the admin's access to it.
Only the ssh config within the appliance is not configured properly.

Comment 20 Fabian Deutsch 2015-07-09 15:07:57 UTC
(In reply to Nikolai Sednev from comment #19)
> (In reply to Anatoly Litovsky from comment #7)
> > Please indicate why you expect SSH to be working.
> > Providing ssh login for root by default is considered non-secure.
> > It was never provided before across all Red Hat.
> 
> I'm using regular PXE and then getting logged in via ssh, no problem.

Yes, but that is part of the deployment process, and not something that is pre-configured in the distribution.

> I do expect to have ssh configured to get access to the Engine's VM, because
> Spice is not passing NAT and I can't rely on a single type of connection.

That is a SPICE problem.

> I'm also getting ssh access to the hosts running over RHEVH/RHEL, no problem.
> The configuration is up to admins; they may block the access, but again, the
> datacenter is one of the most highly protected places, with its own security
> appliances and security measures, hence disabling ssh for the HE VM based on
> the appliance will dramatically limit the admin's access to it.
> Only the ssh config within the appliance is not configured properly.

We could discuss (as in RFE) if hosted-engine setup should gain the functionality to enable ssh in the appliance as part of the deploy process.

Comment 21 Andrew Dahms 2015-07-23 03:32:32 UTC
Assigning to Tahlia for review.

Tahlia - for this bug, we need to add the note mentioned in comment #15 to the Installation Guide in the section on setting up the RHEV-M appliance.