Bug 1792598
Summary: | OctaviaAmphoraSshKeyFile does not update public key if the filename / content changes | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Andreas Karis <akaris> |
Component: | openstack-tripleo-heat-templates | Assignee: | Gregory Thiemonge <gthiemon> |
Status: | CLOSED WONTFIX | QA Contact: | Bruna Bonguardo <bbonguar> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 13.0 (Queens) | CC: | augol, gthiemon, mburns |
Target Milestone: | z8 | Keywords: | Triaged, ZStream |
Target Release: | 16.1 (Train on RHEL 8.2) | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-11-29 07:28:40 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Andreas Karis
2020-01-18 10:08:56 UTC
Note that this is problematic as we cannot / should not expect that administrators log into the controllers, retrieve the Octavia credentials and figure out which key names were already used. The operation should be idempotent, meaning that the new key should be pushed when the file name changes (or the MD5 sum of the key, ideally). At the moment, we can only create keys, but not update them with the same operation --> not idempotent.

The upstream patch doesn't solve the issue; it fails when the ssh key is updated. A new patch will fix it: https://review.opendev.org/c/openstack/tripleo-ansible/+/783824

My goal was to backport this patch down to wallaby (OSP17) but I can also try to backport it to train.

https://review.opendev.org/c/openstack/tripleo-ansible/+/783824 cannot be backported easily, but we could use a part of this patch in a downstream-only commit. I need to evaluate it.

We won't fix this issue in OSP16.x because backporting the wallaby/master commit is too risky. But here's a workaround to update the Octavia ssh key:

1. Get the octavia user password from the undercloud:

```
[stack@undercloud-0 ~]$ . stackrc
(undercloud) [stack@undercloud-0 ~]$ ansible -i /usr/bin/tripleo-ansible-inventory -o -b -m shell -a "crudini --get /var/lib/config-data/puppet-generated/octavia/etc/octavia/octavia.conf service_auth password" controller-0
controller-0 | CHANGED | rc=0 | (stdout) zgV0J7CK0S8pqZvp392gLWdiy
```

2. Update the octavia user's ssh public key on the overcloud using the password:

```
[stack@undercloud-0 ~]$ . overcloudrc
(overcloud) [stack@undercloud-0 ~]$ export OCTAVIA_PASSWORD=zgV0J7CK0S8pqZvp392gLWdiy
(overcloud) [stack@undercloud-0 ~]$ openstack keypair list --os-project-name service --os-username octavia --os-password $OCTAVIA_PASSWORD
+-----------------+-------------------------------------------------+
| Name            | Fingerprint                                     |
+-----------------+-------------------------------------------------+
| octavia-ssh-key | e7:e2:3d:94:48:cf:f5:8c:5e:54:98:bd:89:a5:29:a9 |
+-----------------+-------------------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ openstack keypair delete octavia-ssh-key --os-project-name service --os-username octavia --os-password $OCTAVIA_PASSWORD
(overcloud) [stack@undercloud-0 ~]$ openstack keypair create --public-key ./id_rsa.pub octavia-ssh-key --os-project-name service --os-username octavia --os-password $OCTAVIA_PASSWORD
+-------------+-------------------------------------------------+
| Field       | Value                                           |
+-------------+-------------------------------------------------+
| fingerprint | e2:7b:d5:ae:93:30:f3:69:41:ce:f2:8c:7e:1b:71:a1 |
| name        | octavia-ssh-key                                 |
| type        | ssh                                             |
| user_id     | 18767ff3c12445018c4e108b60f15e1c                |
+-------------+-------------------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ openstack keypair list --os-project-name service --os-username octavia --os-password $OCTAVIA_PASSWORD
+-----------------+-------------------------------------------------+
| Name            | Fingerprint                                     |
+-----------------+-------------------------------------------------+
| octavia-ssh-key | e2:7b:d5:ae:93:30:f3:69:41:ce:f2:8c:7e:1b:71:a1 |
+-----------------+-------------------------------------------------+
```
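An added example (not code from the bug report or from tripleo-ansible) of the idempotency check the reporter asks for: compute the MD5 fingerprint that `openstack keypair list` shows for a local public-key file and compare it with the existing `octavia-ssh-key` keypair, so the delete/re-create from the workaround only happens when the key actually changed. The `plan_keypair_update` function, the JSON shape with `Name`/`Fingerprint` fields (as `openstack keypair list -f json` prints them) and the ed25519 sample keys are assumptions and constructed test data.

```python
"""Idempotent refresh of the Octavia nova keypair: fingerprint the local key, compare."""
import base64
import hashlib
import json
import struct

KEYPAIR_NAME = "octavia-ssh-key"  # keypair name used in the workaround above


def fingerprint_md5(public_key_line: str) -> str:
    """Colon-separated MD5 fingerprint of an OpenSSH public key line, i.e. the
    value `openstack keypair list` shows (MD5 over the base64-decoded key blob,
    not over the text file, so a changed comment does not count as a new key)."""
    parts = public_key_line.strip().split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def plan_keypair_update(local_public_key: str, keypair_list_json: str,
                        name: str = KEYPAIR_NAME) -> str:
    """Decide the action from the local key file and the JSON listing of existing
    keypairs (assumed shape: list of {"Name": ..., "Fingerprint": ...}).
    Returns "create", "unchanged" or "replace" (delete, then re-create)."""
    wanted = fingerprint_md5(local_public_key)
    existing = {kp["Name"]: kp["Fingerprint"] for kp in json.loads(keypair_list_json)}
    if name not in existing:
        return "create"
    if existing[name].lower() == wanted.lower():
        return "unchanged"
    return "replace"


def make_ed25519_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build a syntactically valid ssh-ed25519 public key line from 32 arbitrary
    bytes. Constructed test data only, not a usable key."""
    def sshstr(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = sshstr(b"ssh-ed25519") + sshstr(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    old_key = make_ed25519_line(bytes(range(32)))
    new_key = make_ed25519_line(bytes(range(32, 64)))
    # Constructed stand-in for `openstack keypair list -f json` output.
    listing = json.dumps([{"Name": KEYPAIR_NAME, "Fingerprint": fingerprint_md5(old_key)}])
    print(plan_keypair_update(old_key, listing))  # unchanged
    print(plan_keypair_update(new_key, listing))  # replace
```

Only a "replace" result should trigger the `openstack keypair delete` / `openstack keypair create` pair from step 2; "unchanged" means re-running the procedure is a no-op.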