Bug 1568918

Summary: RFE: Possibility to edit sshd config on the director node
Product: Red Hat OpenStack
Reporter: ojanas
Component: instack-undercloud
Assignee: Alex Schultz <aschultz>
Status: CLOSED CURRENTRELEASE
QA Contact: Arik Chernetsky <achernet>
Severity: medium
Docs Contact:
Priority: medium
Version: 12.0 (Pike)
CC: aschultz, dbecker, mburns, morazi
Target Milestone: ---
Keywords: FutureFeature, ZStream
Target Release: ---
Hardware: Unspecified
OS: Linux
Last Closed: 2018-04-18 19:43:07 UTC
Type: Bug
Attachments:
example hieradata (flags: none)

Description ojanas 2018-04-18 12:21:53 UTC
Description of problem:

Customer is looking for a way to edit/modify the sshd config on the director node, with the condition that those changes would survive the next "openstack undercloud upgrade".

This is achievable for the overcloud nodes via the heat templates, so the customer is looking for a way to achieve the same for the director node (obviously not via heat templates).

For example these directives (just an example):

AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE XMODIFIERS LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AuthorizedKeysFile .ssh/authorized_keys    
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
LogLevel VERBOSE

Thank you.

Comment 1 Alex Schultz 2018-04-18 19:42:08 UTC
Created attachment 1423715: example hieradata

So this should already be possible using the hieradata_override option in the undercloud.conf. For example, we have it documented[0] for tuning SSL ciphers.

For the specific ssh options, you would need to configure tripleo::profile::base::sshd::options.

This will require a similar structure to what is configured in the overcloud using the SshServerOptions[1] parameter.

See attached file as an example file that could be used with "hieradata_override = /home/stack/rhbz1568918.yaml"


[0] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/director_installation_and_usage/appe-security_enhancements
[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/sshd.yaml#L42-L62
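
Added example, not the attachment from this bug and not Red Hat's own file: a hieradata override that carries the directives from the description under the key named in comment 1. It assumes the hash takes the same "directive: value" shape as the default value of SshServerOptions in [1].

```yaml
# Constructed example of a hieradata override file; not the bug's attachment.
# Assumption: the hash has the same directive: value shape as the default
# value of the SshServerOptions parameter referenced in [1].
tripleo::profile::base::sshd::options:
  # Assumption: each list entry is rendered as its own AcceptEnv line.
  AcceptEnv:
    - 'LC_IDENTIFICATION LC_ALL LANGUAGE XMODIFIERS'
    - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
    - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
  AuthorizedKeysFile: '.ssh/authorized_keys'
  # Quote yes/no so YAML keeps them as strings instead of booleans.
  ChallengeResponseAuthentication: 'yes'
  GSSAPIAuthentication: 'no'
  GSSAPICleanupCredentials: 'yes'
  LogLevel: 'VERBOSE'
```

With "hieradata_override" in undercloud.conf pointing at this file, compare the output of "sshd -T" on the director node against these directives after the next undercloud run. Directives left out of the hash are not controlled by this file, so review the full effective configuration rather than only the lines listed here.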