Bug 1235347
| Summary: | [Docs] [Install] Add a note that ssh is not enabled by default on the RHEV-M Appliance, point to how to enable it | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | rhev-integ |
| Component: | Documentation | Assignee: | Tahlia Richardson <trichard> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Nikolai Sednev <nsednev> |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | | |
| Version: | 3.6.0 | CC: | adahms, bmcclain, dfediuck, ecohen, fdeutsch, gklein, lsurette, nsednev, pstehlik, rbalakri, yeylon, ylavi |
| Target Milestone: | --- | Keywords: | Triaged, ZStream |
| Target Release: | 3.5.4 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1218312 | Environment: | |
| Last Closed: | 2015-08-05 07:15:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1218312 | | |
| Bug Blocks: | 1250288 | | |

Comment 6
Fabian Deutsch
2015-07-07 14:55:25 UTC
Please indicate why you expect SSH to be working.
Providing ssh login for root by default is considered non secure.
It was never provided before across all Red Hat.

Regarding cloud-init, we need them for the growfs.

AFAIK the size of the disk in the OVA is left untouched when the appliance is started, thus the disk size does not change, and if it does not change, then we do not need to grow any partition. And if it does change, then we can possibly use dracut-modules-growroot.

For ssh, you are right, we should not necessarily enable ssh by default, after all a user can still access the VM via spice/vnc. Or not?

dracut-modules-growroot was not working. We needed the cloud-init growroot. We had a bug about it. I think it was needed because of qcow but I'm probably wrong.

Sandro, can you tell if the disk size of the appliance is modified in the HE - appliance flow?

As far as I know only memory size and cpus number can be changed during the setup.

Restoring needinfo on Nikolai, dropped by mistake.

Providing the official Red Hat guide to handle OpenSSH config:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-ssh-configuration-sshd.html

Andrew, can we add a notice to the documentation, telling the user that SSH is enabled by default for security reasons, but can be enabled using the doc from comment 14? The appliance can always be accessed through the spice or vnc console (not sure how this is officially called in the docs).

Hi Fabian,

Thank you for the needinfo request. Can do - thank you for letting us know!

Kind regards,

Andrew

(In reply to Anatoly Litovsky from comment #7)
> Please indicate why you expect SSH to be working.
> Providing ssh login for root by default is considered non secure.
> It was never provided before across all Red Hat.

I'm using regular PXE and then getting logged in via ssh, no problem.
I do expect to have ssh configured to get access to the Engine's VM, because Spice is not passing NAT and I can't rely on a single type of connection.
I'm also getting ssh access to the hosts running over RHEVH/RHEL, no problem.
The configuration is up to admins, they may block the access, but again, the datacenter is one of the highly protected places, with its own security appliances and security measures, hence disabling ssh for the HE VM based on the appliance will dramatically limit the admin's access to it.
Only the ssh config within the appliance is not configured properly.

(In reply to Nikolai Sednev from comment #19)
> (In reply to Anatoly Litovsky from comment #7)
> > Please indicate why you expect SSH to be working.
> > Providing ssh login for root by default is considered non secure.
> > It was never provided before across all Red Hat.
>
> I'm using regular PXE and then getting logged in via ssh, no problem.

Yes, but that is part of the deployment process, and not something that is pre-configured in the distribution.

> I do expect to have ssh configured to get access to the Engine's VM, because
> Spice is not passing NAT and I can't rely on a single type of connection.

That is a SPICE problem.

> I'm also getting ssh access to the hosts running over RHEVH/RHEL, no problem.
> The configuration is up to admins, they may block the access, but again,
> the datacenter is one of the highly protected places, with its own security
> appliances and security measures, hence disabling ssh for the HE VM based on
> the appliance will dramatically limit the admin's access to it.
> Only the ssh config within the appliance is not configured properly.

We could discuss (as in RFE) if hosted-engine setup should gain the functionality to enable ssh in the appliance as part of the deploy process.

Assigning to Tahlia for review.

Tahlia - for this bug, we need to add the note mentioned in comment #15 to the Installation Guide in the section on setting up the RHEV-M appliance.