The problem in comment 2 is that cloud-init is enabled; this should not be the case in the RHEV-M 3.5 appliance. And I also see that the rhel-guest image we are using is disabling root login by default. To fix this, we must not inherit from the rhel-guest image anymore, and make sure that cloud-init is disabled, sshd is enabled, the firewall ssh port is open and PermitRootLogin is yes. There might be something else we need.
Please indicate why you expect SSH to be working. Providing ssh login for root by default is considered non-secure. It was never provided before across all Red Hat.
Regarding cloud-init, we need it for the growfs.
AFAIK the size of the disk in the OVA is left untouched when the appliance is started, thus the disk size does not change, and if it does not change, then we do not need to grow any partition. And if it does change, then we can possibly use dracut-modules-growroot. For ssh, you are right, we should not necessarily enable ssh by default, after all a user can still access the VM via spice/vnc. Or not?
dracut-modules-growroot was not working. We needed the cloud-init growroot. We had a bug about it. I think it was needed because of qcow, but I am probably wrong.
Sandro, can you tell if the disk size of the appliance is modified in the HE - appliance flow?
As far as I know only memory size and cpus number can be changed during the setup.
Restoring needinfo on Nikolai, dropped by mistake.
Providing the official Red Hat guide to handle OpenSSH config: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-ssh-configuration-sshd.html
Andrew, can we add a notice to the documentation, telling the user that SSH is enabled by default for security reasons, but can be enabled using the doc from comment 14? The appliance can always be accessed through the spice or vnc console (not sure how this is officially called in the docs).
Hi Fabian, Thank you for the needinfo request. Can do - thank you for letting us know! Kind regards, Andrew
(In reply to Anatoly Litovsky from comment #7)
> Please indicate why you expect SSH to be working.
> Providing ssh login for root by default is considered non-secure.
> It was never provided before across all Red Hat.

I'm using regular PXE and then getting logged in via ssh, no problem. I do expect to have ssh configured to get access to the Engine's VM, because Spice is not passing NAT and I can't rely on a single type of connection. I'm also getting ssh access to the hosts running over RHEVH/RHEL, no problem. The configuration is up to admins, they may block the access, but again, the datacenter is one of the highly protected places, with its own security appliances and security measures, hence disabling ssh for the HE VM based on the appliance will dramatically limit admins' access to it. Only the ssh config within the appliance is not configured properly.
(In reply to Nikolai Sednev from comment #19)
> (In reply to Anatoly Litovsky from comment #7)
> > Please indicate why you expect SSH to be working.
> > Providing ssh login for root by default is considered non-secure.
> > It was never provided before across all Red Hat.
>
> I'm using regular PXE and then getting logged in via ssh, no problem.

Yes, but that is part of the deployment process, and not something that is pre-configured in the distribution.

> I do expect to have ssh configured to get access to the Engine's VM, because
> Spice is not passing NAT and I can't rely on a single type of connection.

That is a SPICE problem.

> I'm also getting ssh access to the hosts running over RHEVH/RHEL, no problem.
> The configuration is up to admins, they may block the access, but again,
> the datacenter is one of the highly protected places, with its own security
> appliances and security measures, hence disabling ssh for the HE VM based on
> the appliance will dramatically limit admins' access to it.
> Only the ssh config within the appliance is not configured properly.

We could discuss (as in RFE) if hosted-engine setup should gain the functionality to enable ssh in the appliance as part of the deploy process.
Assigning to Tahlia for review. Tahlia - for this bug, we need to add the note mentioned in comment #15 to the Installation Guide in the section on setting up the RHEV-M appliance.
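
The thread turns on whether the appliance image's sshd permits root login. As an added example (not part of the bug report or of the appliance build), the shell functions below report the effective global PermitRootLogin value of an sshd_config file; the function names, verdict strings and sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report how an sshd_config file treats root login.
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Settings inside Match blocks are conditional, so only
# the global section (everything before the first Match) is evaluated.
effective_permit_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { sub(/=/, " "); key = tolower($1) }    # accept "Keyword=value" as well
        key == "match" { exit }                 # global section ends here
        key == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Map the effective value to a verdict an image build check can act on.
# "unset" means sshd's built-in default applies, which differs between
# OpenSSH releases, so it is reported separately instead of being guessed.
root_login_verdict() {
    case "$(effective_permit_root_login "$1")" in
        yes) echo "root-password-login-allowed" ;;
        no) echo "root-login-denied" ;;
        without-password|prohibit-password) echo "root-key-only" ;;
        forced-commands-only) echo "root-forced-commands-only" ;;
        unset) echo "default-depends-on-openssh-version" ;;
        *) echo "unrecognised-value" ;;
    esac
}

# Constructed sample: a commented-out line followed by two conflicting ones.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
Port 22
permitrootlogin no
PermitRootLogin yes
EOF
root_login_verdict "$sample"
rm -f "$sample"
```

Run against the sshd_config extracted from an image, this shows which of several conflicting PermitRootLogin lines sshd will actually honour.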