Bug 1028186 - nova: when attempted 'nova resize' on setup with two compute nodes the instance switched to ERROR state.
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 4.0
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: ---
: 6.0 (Juno)
Assignee: Eoghan Glynn
QA Contact: Shai Revivo
URL:
Whiteboard:
Duplicates: 1033940
Depends On: 975014 1267598 1292532
Blocks: 1261979
Reported: 2013-11-07 20:50 UTC by Solly Ross
Modified: 2022-01-08 03:53 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 975014
Environment:
Last Closed: 2017-06-05 16:56:51 UTC
Target Upstream Version:
Embargoed:


Links: Red Hat Issue Tracker OSP-12070 (last updated 2022-01-08 03:53:30 UTC)

Comment 5 Xavier Queralt 2013-11-25 07:50:06 UTC
*** Bug 1033940 has been marked as a duplicate of this bug. ***

Comment 6 Solly Ross 2014-04-08 21:33:27 UTC
Blueprint up for review: https://review.openstack.org/#/c/85877/

Comment 12 Mike Orazi 2015-10-01 18:18:58 UTC
eglynn,

Can we get the correct manual steps to follow that will set up passwordless ssh and any corresponding nova conf changes that would be needed to make this work given the current state of affairs?

Comment 13 Matthew Booth 2015-10-29 12:29:32 UTC
Nova rsyncs between compute hosts over ssh as the nova user using the IP address of the destination compute host. This must work without requiring any input. Specifically, this means that:

* The source host must have the host key of the dest host
* The dest host key must be keyed against the dest host ip address
* The source host must have an ssh key in ~nova/.ssh/id_rsa
* The dest host must have the source host's ssh key in ~nova/.ssh/authorized_keys
* The dest host must have enabled the nova account for login

This doesn't work out of the box on my packstack setup, although it has done some of the work already. Already done by packstack:

* /etc/ssh/ssh_known_hosts contains the host keys of all hosts known to packstack on all hosts
* ~nova/.ssh/id_rsa exists [1]
* ~nova/.ssh/authorized_keys exists [1]

Although /etc/ssh/ssh_known_hosts contains all host keys, it is not readable by the nova user. As these are public keys, this file should be world readable. Also, login is not enabled for the nova user. Steps required to fix these:

# chmod 0644 /etc/ssh/ssh_known_hosts
# chsh -s /bin/bash nova

I assume that ssh host keys are collected by puppet. This seems to work well. You could also use something like ssh-keyscan to populate this, but I recommend against it as it has no root of trust, and is therefore insecure.

I'm not going to try to describe every possible way you could achieve the above end goal. Let me know if you need more.

[1] As configured by packstack, id_rsa is common to all compute hosts, so authorized_keys simply contains the public part of this key. Both these files are identical across all compute hosts. I haven't fully considered the implications of this, but it makes me uneasy.
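
The checklist in comment 13 can be turned into a preflight script. The following is an added example, not code from this bug or from nova/packstack: it tests each precondition the comment lists (known_hosts world-readable, a host-key entry keyed to the destination IP, a login shell for the nova account, the source's public key present in the destination's authorized_keys) against files passed as arguments, so it runs offline on a constructed fixture. The file names, the IP 10.0.0.2 and the key material are sample values made up for the example; the id_rsa.pub location is an assumed layout.

```shell
#!/bin/sh
# Added example (not from the BZ or from nova/packstack): preflight checks for
# the nova-user ssh/rsync path that resize and migrate rely on (comment 13).
# Every check takes the files it inspects as arguments; on a real compute host
# pass /etc/ssh/ssh_known_hosts, /etc/passwd, ~nova/.ssh/id_rsa.pub (assumed
# path for the public key) and a copy of the destination's authorized_keys.

# 1. known_hosts must be readable by nova. The fix in the comment is
#    chmod 0644, so test for the world-read bit rather than for a specific user.
known_hosts_world_readable() {
    [ -n "$(find "$1" -prune -perm -o=r 2>/dev/null)" ]
}

# 2. The host-key entry must be keyed against the destination IP itself, since
#    nova connects to the IP; an entry under the hostname alone does not count.
#    Hashed (|1|...) entries cannot be inspected this way and are skipped.
dest_ip_in_known_hosts() {
    awk -v ip="$2" '
        $1 ~ /^#/ || substr($1, 1, 3) == "|1|" { next }
        { n = split($1, h, ",")
          for (i = 1; i <= n; i++) if (h[i] == ip) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# 3. The nova account needs a login shell; /sbin/nologin or /bin/false makes
#    sshd reject the session even with a valid key (fix: chsh -s /bin/bash nova).
nova_has_login_shell() {
    shell=$(awk -F: '$1 == "nova" { print $7 }' "$1")
    case "$shell" in
        ""|*/nologin|*/false) return 1 ;;
        *) return 0 ;;
    esac
}

# 4. The source's public key (type + base64 blob) must appear verbatim in the
#    destination's authorized_keys. Lines with leading key options are not
#    handled here, which is enough for the plain layout described in the comment.
source_key_authorized() {
    key=$(awk '{ print $1, $2 }' "$1")   # $1 = source id_rsa.pub
    [ -n "$key" ] || return 1
    awk -v k="$key" '$1 !~ /^#/ && ($1 " " $2) == k { ok = 1 }
                     END { exit ok ? 0 : 1 }' "$2"
}

# Run all checks, print what failed, return non-zero if any failed.
preflight() {
    known_hosts=$1; passwd=$2; src_pub=$3; dst_auth=$4; dest_ip=$5
    rc=0
    known_hosts_world_readable "$known_hosts" || { echo "FAIL: $known_hosts not world-readable (chmod 0644)"; rc=1; }
    dest_ip_in_known_hosts "$known_hosts" "$dest_ip" || { echo "FAIL: no host key keyed to $dest_ip in $known_hosts"; rc=1; }
    nova_has_login_shell "$passwd" || { echo "FAIL: nova has no login shell (chsh -s /bin/bash nova)"; rc=1; }
    source_key_authorized "$src_pub" "$dst_auth" || { echo "FAIL: source public key missing from $dst_auth"; rc=1; }
    return $rc
}

# Constructed fixture (sample data, not from any real deployment): a "good"
# host pair and a "bad" one that reproduces the defects named in the comment.
make_fixture() {
    d=$(mktemp -d)
    pub="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7EXAMPLEKEY nova@compute1"
    printf '%s\n' "compute2,10.0.0.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEHOSTKEY" > "$d/known_hosts.good"
    chmod 0644 "$d/known_hosts.good"
    printf 'nova:x:162:162:OpenStack Nova Daemons:/var/lib/nova:/bin/bash\n' > "$d/passwd.good"
    printf '%s\n' "$pub" > "$d/id_rsa.pub"
    printf '%s\n' "$pub" > "$d/authorized_keys.good"
    # bad: keyed to the hostname only, mode 0600, nologin shell, key missing
    printf '%s\n' "compute2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEHOSTKEY" > "$d/known_hosts.bad"
    chmod 0600 "$d/known_hosts.bad"
    printf 'nova:x:162:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin\n' > "$d/passwd.bad"
    printf '%s\n' "ssh-rsa AAAAB3NzaC1yc2EOTHERKEY root@other" > "$d/authorized_keys.bad"
    echo "$d"
}

d=$(make_fixture)
echo "good pair:"; preflight "$d/known_hosts.good" "$d/passwd.good" "$d/id_rsa.pub" "$d/authorized_keys.good" 10.0.0.2 && echo "ready"
echo "bad pair:";  preflight "$d/known_hosts.bad"  "$d/passwd.bad"  "$d/id_rsa.pub" "$d/authorized_keys.bad"  10.0.0.2 || echo "not ready"
rm -rf "$d"
```

Checks 1 to 3 belong on the source host and check 4 on the destination, so in practice the script is run on each side with that side's files. Relying on a puppet-distributed ssh_known_hosts, as the comment recommends, keeps check 2 meaningful: a key learned through ssh-keyscan would pass the test without having a root of trust.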

Comment 14 Marko Myllynen 2015-10-29 12:38:44 UTC
There's also an openstack-packstack BZ where there was discussion wrt nova and known_hosts:

https://bugzilla.redhat.com/show_bug.cgi?id=1151126

Thanks.

Comment 16 Karl Hastings 2016-07-22 19:11:00 UTC
Will this get released in an OSP6 z-stream errata, or should this BZ be closed?

Comment 17 Stephen Gordon 2017-06-05 16:56:51 UTC
(In reply to Karl Hastings from comment #16)
> Will this get released in an OSP6 z-stream errata, or should this BZ be
> closed?

Not for 6, there is a separate set of fixes for 7, 8, 9, 10, 11 in the process of being pushed out whereby director will co-ordinate the setup.

Comment 18 arkady kanevsky 2017-06-05 17:34:05 UTC
Agree that OSP6 is long gone.

Do we need separate bugs for OSP10, OSP11, and 12?

Mike B., can you notify us which z-stream these fixes are pushed to CDN with?
