Bug 1403313

Summary: Faulty nova SSH setup procedure for VM Migration documentation
Product: Red Hat OpenStack
Reporter: Alexander Chuzhoy <sasha>
Component: documentation
Assignee: Dan Macpherson <dmacpher>
Status: CLOSED CURRENTRELEASE
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: unspecified
Priority: high
Version: 9.0 (Mitaka)
CC: dmacpher, mpryc, sasha, srevivo
Target Milestone: async
Target Release: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2016-12-16 03:22:12 UTC
Type: Bug

Description Alexander Chuzhoy 2016-12-09 15:38:20 UTC
Documentation:  https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/single/director-installation-and-usage/#sect-Migrating_VMs_from_an_Overcloud_Compute_Node

The documentation in the link says:
 Log into each Compute node as the nova user and run the following script to set up the keys:

NOVA_SSH=/var/lib/nova/.ssh
mkdir ${NOVA_SSH}

cp nova_id_rsa ${NOVA_SSH}/id_rsa
chmod 600 ${NOVA_SSH}/id_rsa
cp nova_id_rsa.pub ${NOVA_SSH}/id_rsa.pub
cp nova_id_rsa.pub ${NOVA_SSH}/authorized_keys

chown -R nova.nova ${NOVA_SSH}

# enable login for nova user on compute hosts:
usermod -s /bin/bash nova

# add ssh keys of overcloud nodes into known hosts:
ssh-keyscan -t rsa `os-apply-config --key hosts --type raw --key-default '' | awk '{print $1}'` >> /etc/ssh/ssh_known_hosts



But running usermod and appending lines to /etc/ssh/ssh_known_hosts requires root (or explicit permissions).

./migrat_prep.sh: line 13: /usr/sbin/usermod: Permission denied
Traceback (most recent call last):
  File "/bin/os-apply-config", line 10, in <module>
    sys.exit(main())
  File "/usr/lib/python2.7/site-packages/os_apply_config/apply_config.py", line 335, in main
    opts.metadata = load_list_from_json(opts.os_config_files)
  File "/usr/lib/python2.7/site-packages/os_apply_config/apply_config.py", line 318, in load_list_from_json
    with open(json_file) as ocf:
IOError: [Errno 13] Permission denied: '/var/lib/os-collect-config/os_config_files.json'
./migrat_prep.sh: line 16: /etc/ssh/ssh_known_hosts: Permission denied


Thanks.

Comment 1 Alexander Chuzhoy 2016-12-09 15:43:38 UTC
Same goes for the line with:
os-apply-config --key hosts --type raw --key-default ''
Needs root.

Comment 2 Alexander Chuzhoy 2016-12-09 17:02:16 UTC
Also note the following behavior:

[root@overcloud-compute-0 ~]# ssh-keyscan -t rsa `os-apply-config --key hosts --type raw --key-default '' | awk '{print $1}'`
getaddrinfo \\n192.168.100.13: Name or service not known
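
An added example, not part of the original thread or the Red Hat documentation: a root-run variant of the known-hosts step that normalizes the host list before it reaches ssh-keyscan. It assumes the raw hosts value can carry a literal backslash-n between entries (inferred from the getaddrinfo error above); the names hosts_to_targets, scan_known_hosts, the --apply switch and the sample addresses are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not the documented script or its fix.
# Assumption: the raw "hosts" value can carry a literal backslash-n
# between entries, as the getaddrinfo error in Comment 2 suggests.

# Constructed sample (made-up addresses), mixing both separators.
SAMPLE_HOSTS='192.168.100.12 overcloud-controller-0
\n192.168.100.13 overcloud-compute-0\n192.168.100.13 overcloud-compute-0.localdomain'

# Print one IPv4-shaped address per line from a raw hosts value.
hosts_to_targets() {
    printf '%s\n' "$1" |
        awk '{ gsub(/\\n/, "\n"); print }' |   # literal "\n" -> newline
        awk 'NF { print $1 }' |                # first field, skip blanks
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' |
        sort -u
}

# Scan the targets and append the keys. Reading the os-collect-config
# metadata and writing /etc/ssh/ssh_known_hosts both need root, which is
# where the Permission denied errors in the description come from.
scan_known_hosts() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2
        return 1
    fi
    raw=$(os-apply-config --key hosts --type raw --key-default '') || return 1
    targets=$(hosts_to_targets "$raw")
    [ -n "$targets" ] || { echo "no usable hosts" >&2; return 1; }
    # ssh-keyscan does not authenticate the keys it returns; compare
    # fingerprints out of band before trusting the appended entries.
    # shellcheck disable=SC2086
    ssh-keyscan -t rsa $targets >> /etc/ssh/ssh_known_hosts
}

if [ "${1:-}" = "--apply" ]; then
    scan_known_hosts
else
    hosts_to_targets "$SAMPLE_HOSTS"   # dry run on the constructed sample
fi
```

Without --apply the script only prints the targets parsed from the constructed sample and touches nothing on the system.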

Comment 3 Alexander Chuzhoy 2016-12-09 18:26:46 UTC
Here's a link to upstream doc:
http://docs.openstack.org/admin-guide/cli-nova-migrate-cfg-ssh.html

Comment 4 Dan Macpherson 2016-12-12 02:03:24 UTC
*** Bug 1395756 has been marked as a duplicate of this bug. ***

Comment 5 Dan Macpherson 2016-12-12 02:06:49 UTC
So I'm revamping the procedure and script. I'm going to try and provide a script they can execute from the Undercloud instead of on each Compute node.

BZ#1395756 also pointed out how illogical it is to ask the user to log in as the nova user to run the script, but the script contains a command to enable bash usage for the nova user.

Comment 16 Dan Macpherson 2016-12-16 03:22:12 UTC
The new script and procedure have been pushed to OSP10 and OSP9. Here's the OSP10 live version:

https://access.redhat.com/documentation/en/red-hat-openstack-platform/10/single/director-installation-and-usage/#sect-Migrating_VMs_from_an_Overcloud_Compute_Node

Closing this BZ, but feel free to reopen if further changes are required.