Bug 1124579 - [RFE] Section 8.9. "Configuring SSH Keys on the Node Host" only grabs one broker's rsync public key
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 2.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: brice
QA Contact: Bilhar
Depends On:
Reported: 2014-07-29 20:39 UTC by Miciah Dashiel Butler Masters
Modified: 2017-03-08 17:39 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1124573
Last Closed: 2014-09-04 01:47:21 UTC


Description Miciah Dashiel Butler Masters 2014-07-29 20:39:53 UTC
The Deployment Guide should instruct the administrator to ensure that each OpenShift node host has the rsync public key for each OpenShift broker host.  At a minimum, the guide should state something like the following:

    "The instructions in this Deployment Guide assume a deployment with only one broker host.  If your deployment includes more than one OpenShift broker host, you must ensure that each node host has the rsync_id_rsa.pub public key of each broker host.  In order to ensure this, when configuring a node host, repeat Steps 3 through 5 of Procedure 8.6. for each broker host."

The relevant section of the Deployment Guide is 

+++ This bug was initially created as a clone of Bug #1124573 +++

Description of problem:

openshift.ks/openshift tries to download https://${broker_hostname}/rsync_id_rsa.pub in install_rsync_pub_key.  If there are multiple OpenShift broker hosts, they may have different rsync keys.  An OpenShift node host must have the public key of each OpenShift broker host so that all broker hosts can rsync gears between all node hosts.

How reproducible:

Readily enough.

Steps to Reproduce:

1. Use openshift.ks or openshift.sh to install an OpenShift Enterprise PaaS with at least two OpenShift broker hosts: broker01.hosts.example.com and broker02.hosts.example.com and at least one OpenShift node host: node01.hosts.example.com.

2. Run `ssh broker01.hosts.example.com ssh-keygen -lf /etc/openshift/rsync_id_rsa.pub`.

3. Run `ssh broker02.hosts.example.com ssh-keygen -lf /etc/openshift/rsync_id_rsa.pub`.

4. Run `ssh node01.hosts.example.com while read -r line \; do ssh-keygen -l -f /dev/stdin \<\<\<\$line \; done \< /root/.ssh/authorized_keys`.

Actual results:

Only one of the fingerprints from the output of Steps 2 and 3 appears in the output of Step 4; this tells us that the node host has only one of the broker hosts' public keys.

Expected results:

The output of Step 4 should include the fingerprints in the output of both Steps 2 and 3, which would indicate that the node host had both broker hosts' public keys.

Additional info:

An alternative to downloading each OpenShift broker host's public key on each node host would be to use a single private key on all broker hosts.  However, it is generally bad practice to share a private key, and distributing the same private key to each OpenShift broker host would probably be no easier than distributing each OpenShift broker host's public key to each OpenShift node host.

Currently, openshift.ks/openshift.sh has CONF_BROKER_HOSTNAME to specify one OpenShift broker host's hostname.  To resolve this bug, we will need to introduce an additional setting to specify the list of OpenShift broker hostnames.  This variable could be named CONF_BROKER_REPLICANTS (which may be misleading as "replicant" may suggest data replication), CONF_BROKER_HOSTNAMES (which is perhaps too easily confused with CONF_BROKER_HOSTNAME), or something else.  I can write the fix once we decide on a name for the setting.

Here is the relevant code in openshift.ks which fetches the rsync public key and will need to be modified to fix this bug:


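The check in Steps 2 through 4 above, generalised to any number of broker hosts, as an added example (not code from openshift.ks, openshift.sh or the Deployment Guide): it computes the fingerprint of each broker's rsync_id_rsa.pub the way `ssh-keygen -lf` does for its SHA256 format (base64 of the SHA-256 digest of the decoded key blob, padding stripped), computes the fingerprint of every entry in the node's /root/.ssh/authorized_keys, and reports which brokers the node is missing. The key material and the authorized_keys contents are constructed stand-ins so the example runs offline; the hostnames come from the report.

```python
"""Verify that a node host holds every broker host's rsync public key.

Added example, not code from openshift.ks/openshift.sh. Fingerprints are
computed as `ssh-keygen -lf` does for SHA256 output, so the values printed
here can be compared directly with that command's output on real hosts.
"""
import base64
import hashlib
import shlex
import struct

# Key types that may begin an authorized_keys entry (after any options field).
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_fingerprint(pubkey_line):
    """Return the OpenSSH SHA256 fingerprint ("SHA256:...") of one key line.

    Accepts a bare "type base64 [comment]" line or an authorized_keys entry
    with leading options such as command="..." or from="...". Returns None
    for blank lines, comments and lines that carry no decodable key.
    """
    line = pubkey_line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)   # keeps quoted option values intact
    except ValueError:               # unbalanced quotes: fall back to plain split
        tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:       # binascii.Error is a ValueError subclass
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def node_fingerprints(authorized_keys_text):
    """Set of fingerprints for every key the node will accept for root."""
    fps = (ssh_fingerprint(l) for l in authorized_keys_text.splitlines())
    return {fp for fp in fps if fp is not None}


def missing_broker_keys(broker_pubkeys, authorized_keys_text):
    """Return broker hostnames whose rsync public key the node lacks.

    broker_pubkeys maps broker hostname -> contents of that broker's
    /etc/openshift/rsync_id_rsa.pub. An empty result means every broker
    can rsync gears to this node; a malformed broker key is reported missing.
    """
    present = node_fingerprints(authorized_keys_text)
    return sorted(host for host, key in broker_pubkeys.items()
                  if ssh_fingerprint(key) not in present)


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _constructed_rsa_pubkey(fill, comment):
    """Build a syntactically valid ssh-rsa public-key line from a fill byte.

    Constructed for this example only: the modulus is a repeated byte, not a
    real key, but the encoding matches what ssh-keygen writes to an .pub file.
    """
    blob = (_ssh_string(b"ssh-rsa")
            + _ssh_string(b"\x01\x00\x01")          # e = 65537
            + _ssh_string(bytes([fill]) * 256))     # fake 2048-bit modulus
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


# Constructed stand-ins for each broker's /etc/openshift/rsync_id_rsa.pub.
BROKER_KEYS = {
    "broker01.hosts.example.com": _constructed_rsa_pubkey(0x11, "rsync@broker01"),
    "broker02.hosts.example.com": _constructed_rsa_pubkey(0x22, "rsync@broker02"),
}

# Constructed /root/.ssh/authorized_keys of node01: it received only
# broker01's key (the situation in this bug), plus an unrelated admin key.
NODE01_AUTHORIZED_KEYS = "\n".join([
    "# root's authorized keys on node01.hosts.example.com (constructed)",
    BROKER_KEYS["broker01.hosts.example.com"],
    'from="10.0.0.5",no-port-forwarding ' + _constructed_rsa_pubkey(0x33, "admin"),
    "",
])

if __name__ == "__main__":
    for host, key in BROKER_KEYS.items():
        print("%-28s %s" % (host, ssh_fingerprint(key)))
    missing = missing_broker_keys(BROKER_KEYS, NODE01_AUTHORIZED_KEYS)
    print("node01 lacks rsync keys for:", ", ".join(missing) or "none")
```

On real hosts, `BROKER_KEYS` would be filled from `ssh brokerNN cat /etc/openshift/rsync_id_rsa.pub` and `NODE01_AUTHORIZED_KEYS` from the node's `/root/.ssh/authorized_keys`; the fingerprints the script prints match `ssh-keygen -lf` on OpenSSH releases that default to SHA256 fingerprints, while older releases print MD5 and need `-E sha256`.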
Comment 2 brice 2014-08-26 04:08:39 UTC
Miciah, this was pretty straight-forward.

I included a paragraph in the suggested place (for the 1.x, 2.x, and 2.1 books) and added a note box in the Configuring Redundancy section of the Deployment Guide too.

Could I please order an ack that this is fulfilling the request?


Comment 4 Miciah Dashiel Butler Masters 2014-08-26 17:01:32 UTC
Yes, the information looks accurate.

Perhaps the note that you added to Section 7.9.4. "Configuring Redundancy" would better fit into Section "Broker Web Application", which already has a similar note about the broker authentication keys.  Whatever you think works best.

You're welcome, and thank you!
