Bug 1324105

Summary: [RFE] upgrade-non-controller.sh should use -o StrictHostKeyChecking=no when connecting to the nodes
Product: Red Hat OpenStack
Reporter: Udi Kalifon <ukalifon>
Component: openstack-tripleo
Assignee: mathieu bultel <mbultel>
Status: CLOSED WONTFIX
QA Contact: Arik Chernetsky <achernet>
Severity: medium
Priority: low
Version: 8.0 (Liberty)
CC: jcoufal, mbultel, mburns, rhel-osp-director-maint, sathlang
Keywords: FutureFeature, Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Last Closed: 2017-03-23 08:16:58 UTC
Type: Bug

Description Udi Kalifon 2016-04-05 14:09:47 UTC
Description of problem:
upgrade-non-controller.sh prompts you to verify the authenticity of the host if it's the first time you connect to it:

[stack@instack ~]$ upgrade-non-controller.sh --upgrade 37abc909-6482-4275-a21b-44585ceef658
Tue Apr  5 09:50:21 EDT 2016 upgrade-non-controller.sh nova node 37abc909-6482-4275-a21b-44585ceef658 found with status ACTIVE
Tue Apr  5 09:50:22 EDT 2016 upgrade-non-controller.sh checking for upgrade script /root/tripleo_upgrade_node.sh on node 37abc909-6482-4275-a21b-44585ceef658 (192.0.2.9)
The authenticity of host '192.0.2.9 (192.0.2.9)' can't be established.
ECDSA key fingerprint is 8b:80:02:47:71:7f:69:30:1c:b4:bd:ee:f3:23:f4:c7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.0.2.9' (ECDSA) to the list of known hosts.

This prompting is interruptive; it should be automatic.


How reproducible:
Whenever you connect to the nodes for the first time.


Steps to Reproduce:
1. Install a 7.3 overcloud
2. Don't ssh to all the nodes 
3. Upgrade to 8.0 as per the guide


Actual results:
When you run upgrade-non-controller.sh on a node that you never connected to, you get prompted by ssh to add the host's key to the known hosts list.

Comment 2 Mike Burns 2016-04-07 21:36:02 UTC
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.

Comment 5 Sofer Athlan-Guyot 2017-01-11 10:53:22 UTC
Hi,

In osp10->11 upgrade, there is currently no ssh script to be run, making this bug disappear.  I will revisit the bug next week to confirm that no ssh "workaround" is ever needed during the upgrade procedure.

Comment 6 Sofer Athlan-Guyot 2017-01-24 18:31:22 UTC
Hi,

So there will be an ssh command; the details are still being worked out.  We will make sure that the right options are passed.

Comment 7 mathieu bultel 2017-03-23 08:14:45 UTC
Hi,

For 10 to 11, we would have to run the script for upgrading the Compute nodes manually, or Ceph or whatever non-controller nodes.
But this bug should be closed as a won't fix.
Adding the option -o StrictHostKeyChecking=no to the ssh command is a security issue.
We can't assume that the tripleo framework considers not checking the fingerprint for the nodes; it's not safe at all.

I know it would be better for automation purposes, but in this case, this is what I used:
sudo sed -i 's/ssh/ssh -o StrictHostKeyChecking=no/' /usr/bin/upgrade-non-controller.sh
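
An added example, not part of the bug report or of the tripleo scripts: one way to get a prompt-free run while keeping the host key check that comment 7 is concerned about is to pin each node's key after comparing its fingerprint with a value obtained out of band. The function names, the known_hosts file argument and the sample key line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pin a node's SSH host key only when its fingerprint matches
# a value recorded out of band, so ssh can run unattended with strict checking.
# Function names and the sample line are hypothetical, constructed for this page.

# Constructed sample known_hosts line (the blob is NOT a real host key).
SAMPLE_LINE='192.0.2.9 ecdsa-sha2-nistp256 Y29uc3RydWN0ZWQtc2FtcGxlLWtleQ=='

# Print the MD5 colon-hex fingerprint (the format shown in the ssh prompt
# above) of a line of the form "<host> <keytype> <base64-blob>".
fingerprint_md5() {
    blob=$(printf '%s\n' "$1" | awk '{print $3}')
    [ -n "$blob" ] || return 1
    # Reject blobs that are not valid base64 before hashing anything.
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 1
    printf '%s' "$blob" | base64 -d | md5sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//'
}

# Append the line to the known_hosts file only if its fingerprint equals the
# expected one. Returns 0 when pinned or already present, 1 otherwise.
pin_host_key() {
    line=$1 expected=$2 known_hosts=$3
    actual=$(fingerprint_md5 "$line") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for ${line%% *}: got $actual" >&2
        return 1
    fi
    grep -qxF -- "$line" "$known_hosts" 2>/dev/null ||
        printf '%s\n' "$line" >> "$known_hosts"
}

# Connect without prompting: an unknown or changed host key makes ssh fail
# instead of asking the operator or trusting the key silently.
strict_ssh() {
    known_hosts=$1; shift
    ssh -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$known_hosts" "$@"
}
```

The expected fingerprint has to come from a channel other than the ssh connection being verified, for example the node's console or provisioning records.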