Bug 1448062
| Summary: | Unable to log in via SSH to compute nodes with the heat-admin user | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Marius Cornea <mcornea> |
| Component: | openstack-tripleo-heat-templates | Assignee: | Angus Thomas <athomas> |
| Status: | CLOSED ERRATA | QA Contact: | Amit Ugol <augol> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 10.0 (Newton) | CC: | aschultz, dbecker, fhubik, jjoyce, jslagle, mburns, michele, mkrcmari, morazi, rhel-osp-director-maint |
| Target Milestone: | async | Keywords: | Triaged, ZStream |
| Target Release: | 10.0 (Newton) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-tripleo-heat-templates-5.2.0-15.el7ost | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-05-17 12:26:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Marius Cornea
2017-05-04 13:04:13 UTC
It seems that a typo was introduced in sshd_config on overcloud compute nodes while trying to configure ssh for live migration. It's not possible to ssh into compute nodes and sshd on computes complains about the bad line 21:
"Match LocalAddress 192.168.24.16, User nova_migration"
I believe that the comma is not supposed to be there and once I remove the comma, ssh starts to work as expected.
There is possibly one more time a problem with comma at line:
Match LocalAddress !192.168.24.16,!
For sure sshd complains about the line 21 of the sshd_config where the comma should not be.
If we have there more local migration addresses then they are supposed to be separated by comma but It's not the case of our setups.
Example of created sshd_config by puppet:
# File is managed by Puppet
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PasswordAuthentication no
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
UsePAM yes
UsePrivilegeSeparation sandbox
X11Forwarding yes
Match LocalAddress 192.168.24.16, User nova_migration
AllowTcpForwarding no
AuthorizedKeysFile /etc/nova/migration/authorized_keys
ForceCommand /bin/nova-migration-wrapper
PasswordAuthentication no
X11Forwarding no
Match LocalAddress !192.168.24.16,!
DenyUsers nova_migration
The related reviews seem to be: https://review.openstack.org/#/c/458082/ https://review.openstack.org/#/c/458077/ It seems that the problem is that live_migration_ssh_inbound_addr is empty and thus tripleo::profile::base::nova::migration_ssh_localaddrs is something like: ['192.168.24.16', ''] From my /etc/puppet/hieradata/service_configs.yaml: . . . cold_migration_ssh_inbound_addr: 192.168.24.16 kernel_modules: { "nf_conntrack": {} } live_migration_ssh_inbound_addr: . . . tripleo::profile::base::nova::migration_ssh_localaddrs: [ "%{hiera('cold_migration_ssh_inbound_addr')}", "%{hiera('live_migration_ssh_inbound_addr')}" ] . . Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:1242 |