1218312 – [Docs] [SHE] Add a note that ssh is not enabled by default on the RHEV-M Appliance, point to how to enable it.

Bug 1218312 - [Docs] [SHE] Add a note that ssh is not enabled by default on the RHEV-M Appliance, point to how to enable it.

Summary: [Docs] [SHE] Add a note that ssh is not enabled by default on the RHEV-M Appl...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	Documentation
Sub Component:
Version:	3.6.0
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	ovirt-3.6.1
Target Release:	3.6.0
Assignee:	Julie
QA Contact:	Tahlia Richardson
Docs Contact:
URL:
Whiteboard:	docs
Depends On:
Blocks:	1235347
TreeView+	depends on / blocked

Reported:	2015-05-04 14:55 UTC by Nikolai Sednev
Modified:	2016-02-10 18:56 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1211606
Clones:	1235347 (view as bug list)
Environment:
Last Closed:	2016-01-04 01:17:29 UTC
oVirt Team:	Docs
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Comment 2 Fabian Deutsch 2015-07-09 09:18:56 UTC

Andrew, can we add a notice to the documentation, telling the user that SSH is enabled by default for security reasons, but can be enabled using the doc from comment 14?
The appliance can always be accessed through the spice or vnc console (not sure how this is officially called in the docs).

Comment 4 Sandro Bonazzola 2015-10-26 12:43:13 UTC

this is an automated message. oVirt 3.6.0 RC3 has been released and GA is targeted to next week, Nov 4th 2015.
Please review this bug and if not a blocker, please postpone to a later release.
All bugs not postponed on GA release will be automatically re-targeted to

- 3.6.1 if severity >= high
- 4.0 if severity < high

Comment 5 Julie 2015-11-18 00:39:26 UTC

Hi Fabian, 
   Can you confirm if this bug is still relevant since I believe cloud-init takes care of the engine-setup stuff. Or does this still apply to 3.5 work flow?
Also not sure what comment14 doc you are referring to.

Cheers,
Julie

Comment 6 Fabian Deutsch 2015-11-18 10:22:05 UTC

I believe this bug is not relevant anymore, this is based on looking at the sources for hosted-engine-setup:

src/plugins/ovirt-hosted-engine-setup/vm/cloud_init.py:                'ssh_pwauth: True\n'

This shows that hosted-engine-setup (via cloud-init) is enabling ssh (and ssh password authentication).

Also the appliance itself is enabling ssh by default now:

(from spin-kickstarts):

rhevm-3.6-rhel-6/rhevm-appliance.ks:services --disabled="avahi-daemon,iscsi,iscsid,firstboot,kdump" --enabled="network,sshd,rsyslog,tuned"


I can't recall what I referred to with my comment "comment 14" above.

Comment 7 Julie 2015-11-20 00:15:58 UTC

(In reply to Fabian Deutsch from comment #6)
> I believe this bug is not relevant anymore, this is based on looking at the
> sources for hosted-engine-setup:
> 
> src/plugins/ovirt-hosted-engine-setup/vm/cloud_init.py:               
> 'ssh_pwauth: True\n'
> 
> This shows that hosted-engine-setup (via cloud-init) is enabling ssh (and
> ssh password authentication).
> 
> Also the appliance itself is enabling ssh by default now:
> 
> (from spin-kickstarts):
> 
> rhevm-3.6-rhel-6/rhevm-appliance.ks:services
> --disabled="avahi-daemon,iscsi,iscsid,firstboot,kdump"
> --enabled="network,sshd,rsyslog,tuned"
> 
> 
> I can't recall what I referred to with my comment "comment 14" above.

Thanks Fabian!
Nikolai,
     Can we close this bug since it's not applicable to the current setup? Please let me know if you have any concerns.

Kind regards,
Julie

Comment 8 Nikolai Sednev 2015-11-23 15:45:20 UTC

(In reply to Julie from comment #7)
> (In reply to Fabian Deutsch from comment #6)
> > I believe this bug is not relevant anymore, this is based on looking at the
> > sources for hosted-engine-setup:
> > 
> > src/plugins/ovirt-hosted-engine-setup/vm/cloud_init.py:               
> > 'ssh_pwauth: True\n'
> > 
> > This shows that hosted-engine-setup (via cloud-init) is enabling ssh (and
> > ssh password authentication).
> > 
> > Also the appliance itself is enabling ssh by default now:
> > 
> > (from spin-kickstarts):
> > 
> > rhevm-3.6-rhel-6/rhevm-appliance.ks:services
> > --disabled="avahi-daemon,iscsi,iscsid,firstboot,kdump"
> > --enabled="network,sshd,rsyslog,tuned"
> > 
> > 
> > I can't recall what I referred to with my comment "comment 14" above.
> 
> Thanks Fabian!
> Nikolai,
>      Can we close this bug since it's not applicable to the current setup?
> Please let me know if you have any concerns.
> 
> Kind regards,
> Julie

Last time we've tested it on RHELs, the ssh was disabled, will have to check on our latest deployment and will reply if still relevant.

Comment 9 Andrew Dahms 2015-11-27 03:25:35 UTC

Assigning to Julie for review.

Comment 10 Nikolai Sednev 2015-11-29 04:59:59 UTC

The ssh still disabled on appliance, I saw that on my HE environment with these components:
ovirt-vmconsole-host-1.0.1-0.0.master.20151105234454.git3e5d52e.el7.noarch
ovirt-release36-002-2.noarch
ovirt-engine-sdk-python-3.6.0.4-0.2.20151123.gita2f81ed.el7.centos.noarch
sanlock-3.2.4-1.el7.x86_64
ovirt-setup-lib-1.0.1-0.0.master.20151119123055.gitfa908be.el7.centos.noarch
qemu-kvm-rhev-2.3.0-31.el7_2.3.x86_64
ovirt-hosted-engine-ha-1.3.3-0.0.master.20151118145556.20151118145552.git71b535e.el7.noarch
ovirt-vmconsole-1.0.1-0.0.master.20151105234454.git3e5d52e.el7.noarch
ovirt-release36-snapshot-002-2.noarch
libvirt-client-1.2.17-13.el7.x86_64
ovirt-hosted-engine-setup-1.3.1-0.0.master.20151118143825.gitc013638.el7.centos.noarch
ovirt-host-deploy-1.4.2-0.0.master.20151122153544.gitfc808fc.el7.noarch
vdsm-4.17.10.1-0.el7ev.noarch
mom-0.5.1-2.el7.noarch
ovirt-hosted-engine-ha-1.3.3-0.0.master.20151118145556.20151118145552.git71b535e.el7.noarch
ovirt-hosted-engine-setup-1.3.1-0.0.master.20151118143825.gitc013638.el7.centos.noarch

Appliance was rhevm-appliance-20151119.0-1.

Comment 11 Julie 2015-12-01 00:57:05 UTC

(In reply to Nikolai Sednev from comment #10)
hi Nikolai, 
   Yes, I also tested this last Friday and found I need to enable SSH. I will add in a note on how to enable SSH. If Engineering intends to change the this behaviour, please let me know.

Kind regards,
Julie

Comment 15 Julie 2015-12-07 00:44:55 UTC

Added 'Restart the sshd service for the changes to take effect.' to the note.

Comment 18 Julie 2015-12-07 22:32:23 UTC

Hi Fabian,
  Thanks for the need_info. According to my testing, the SSH service is running by default, but password authentication and permit root login is disabled thus causing SSH to fail. When you spin up the manager VM, you set the root password for the engine VM so I assumed password authentication is the SSH method to use. Please advise if I'm wrong. Maybe the note should be:
====
To SSH into the Red Hat Enterprise Virtualization Manager virtual machine that is based on the RHEV-M Virtual Appliance, access the Manager virtual machine through the SPICE or VNC console, and edit /etc/ssh/sshd_config to change the following two options to yes:
PasswordAuthentication
PermitRootLogin"
Restart the sshd service for the changes to take effect.
====

Comment 19 Fabian Deutsch 2015-12-08 10:42:32 UTC

(In reply to Julie from comment #18)
…
> ====
> To SSH into the Red Hat Enterprise Virtualization Manager virtual machine

I'm being a bit picky here, but as ssh is enabled, and we just enable password authentication, I'd suggest to use something like:

To enable login with SSH password authentication into the Red Hat Enterprise Virtualization Manager virtual machine that is based on the RHEV-M Virtual Appliance, access the

> machine through the SPICE or VNC console, and edit /etc/ssh/sshd_config to
> change the following two options to yes:
> PasswordAuthentication
> PermitRootLogin"
> Restart the sshd service for the changes to take effect.
> ====

Comment 20 Julie 2015-12-10 05:04:19 UTC

Thanks Fabian, I have updated the note according to what you suggested.

Note You need to log in before you can comment on or make changes to this bug.