Bug 1235347 - [Docs] [Install] Add a note that ssh is not enabled by default on the RHEV-M Appliance, point to how to enable it
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation
Version: 3.6.0
Hardware: x86_64
OS: Linux
high
urgent
Target Milestone: ---
: 3.5.4
Assignee: Tahlia Richardson
QA Contact: Nikolai Sednev
URL:
Whiteboard:
Depends On: 1218312
Blocks: 1250288
Reported: 2015-06-24 14:44 UTC by rhev-integ
Modified: 2015-08-05 07:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1218312
Environment:
Last Closed: 2015-08-05 07:15:30 UTC
oVirt Team: ---
Target Upstream Version:



Comment 6 Fabian Deutsch 2015-07-07 14:55:25 UTC
The problem in comment 2 is that cloud-init is enabled, this should not be the case in the RHEV-M 3.5 appliance.

And I also see that the rhel-guest image we are using is disabling root login by default.

To fix this, we must not inherit from the rhel-guest image anymore, and make sure that cloud-init is disabled, sshd is enabled and the firewall ssh port is open and PermitRootLogin is yes.

There might be something else we need.
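
An added example (not part of the bug report or of the appliance's own tooling): a POSIX shell check for the PermitRootLogin setting named in comment 6, reporting the value sshd would apply globally from an sshd_config-style file. The function names and the sample file are constructed for illustration, and the fallback value is an assumption supplied by the caller.

```shell
#!/bin/sh
# Added example: which PermitRootLogin value does sshd apply globally?
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and settings after a Match line are conditional.

# effective_permit_root_login FILE [FALLBACK]
# FALLBACK is printed when the file never sets the keyword globally. It is an
# assumption supplied by the caller, since the built-in default depends on the
# OpenSSH version in the image.
effective_permit_root_login() {
    awk -v fallback="${2:-unset}" '
        {
            sub(/^[ \t]+/, "")                  # drop indentation
            if ($0 == "" || $0 ~ /^#/) next     # blank line or comment
            sub(/[ \t]*=[ \t]*/, " ")           # "Keyword=value" form
            split($0, field, /[ \t]+/)
            key = tolower(field[1])
            if (key == "match") { conditional = 1; next }
            if (conditional || seen) next
            if (key == "permitrootlogin") {
                value = tolower(field[2])
                gsub(/"/, "", value)            # arguments may be quoted
                seen = 1
            }
        }
        END { print (seen ? value : fallback) }
    ' "$1"
}

# Succeeds only when root may log in with a password ("yes").
root_password_login_allowed() {
    [ "$(effective_permit_root_login "$1" "$2")" = "yes" ]
}

# Constructed sample: a base image that disables root login, with a later
# "yes" appended. The appended line has no effect because the first wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment, not taken from the appliance
PermitRootLogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
EOF
echo "effective PermitRootLogin: $(effective_permit_root_login "$sample")"
rm -f "$sample"
```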

Comment 7 Anatoly Litovsky 2015-07-08 06:24:32 UTC
Please indicate why you expect SSH to be working.
Providing ssh login for root by default is considered non-secure.
It was never provided before across all Red Hat.

Comment 8 Anatoly Litovsky 2015-07-08 06:25:02 UTC
Regarding cloud-init, we need it for the growfs.

Comment 9 Fabian Deutsch 2015-07-08 07:54:22 UTC
AFAIK the size of the disk in the OVA is left untouched when the appliance is started, thus the disk size does not change, and if it does not change, then we do not need to grow any partition.
And if it does change, then we can possibly use dracut-modules-growroot.

For ssh, you are right, we should not necessarily enable ssh by default, after all a user can still access the VM via spice/vnc.

Or not?

Comment 10 Anatoly Litovsky 2015-07-08 08:40:04 UTC
dracut-modules-growroot was not working.
We needed the cloud-init growroot.

We had a bug about it.
I think it was needed because of qcow, but I am probably wrong.

Comment 11 Fabian Deutsch 2015-07-08 08:52:35 UTC
Sandro, can you tell if the disk size of the appliance is modified in the HE - appliance flow?

Comment 12 Sandro Bonazzola 2015-07-08 09:22:37 UTC
As far as I know only memory size and cpus number can be changed during the setup.

Comment 13 Sandro Bonazzola 2015-07-08 09:23:11 UTC
restoring needinfo on nikolai, dropped by mistake

Comment 14 Anatoly Litovsky 2015-07-09 06:06:40 UTC
Providing the official Red Hat guide to handle OpenSSH config
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-ssh-configuration-sshd.html

Comment 15 Fabian Deutsch 2015-07-09 09:18:00 UTC
Andrew, can we add a notice to the documentation, telling the user that SSH is enabled by default for security reasons, but can be enabled using the doc from comment 14?
The appliance can always be accessed through the spice or vnc console (not sure how this is officially called in the docs).

Comment 17 Andrew Dahms 2015-07-09 10:55:01 UTC
Hi Fabian,

Thank you for the needinfo request. Can do - thank you for letting us know!

Kind regards,

Andrew

Comment 19 Nikolai Sednev 2015-07-09 14:13:58 UTC
(In reply to Anatoly Litovsky from comment #7)
> Please indicate why you expect SSH to be working.
> Providing ssh login for root by default is considered non-secure.
> It was never provided before across all Red Hat.

I'm using regular PXE and then getting logged in via ssh, no problem.
I do expect to have ssh configured to get access to the Engine's VM, because Spice is not passing NAT and I can't rely on a single type of connection.
I'm getting also ssh access to the hosts running over RHEVH/RHEL, no problem.
The configuration is up to admins, they may block the access, but again, datacenter is one of the highly protected places, with its own security appliances and security measures, hence disabling ssh for the HE VM based on appliance will dramatically limit admin's access to it.
Only the ssh config within the appliance is not configured properly.

Comment 20 Fabian Deutsch 2015-07-09 15:07:57 UTC
(In reply to Nikolai Sednev from comment #19)
> (In reply to Anatoly Litovsky from comment #7)
> > Please indicate why you expect SSH to be working.
> > Providing ssh login for root by default is considered non-secure.
> > It was never provided before across all Red Hat.
> 
> I'm using regular PXE and then getting logged in via ssh, no problem.

Yes, but that is part of the deployment process, and not something that is pre-configured in the distribution.

> I do expect to have ssh configured to get access to the Engine's VM, because
> Spice is not passing NAT and I can't rely on a single type of connection.

That is a SPICE problem.

> I'm getting also ssh access to the hosts running over RHEVH/RHEL, no problem.
> The configuration is up to admins, they may block the access, but again,
> datacenter is one of the highly protected places, with its own security
> appliances and security measures, hence disabling ssh for the HE VM based on
> appliance will dramatically limit admin's access to it.
> Only the ssh config within the appliance is not configured properly.

We could discuss (as in RFE) if hosted-engine setup should gain the functionality to enable ssh in the appliance as part of the deploy process.

Comment 21 Andrew Dahms 2015-07-23 03:32:32 UTC
Assigning to Tahlia for review.

Tahlia - for this bug, we need to add the note mentioned in comment #15 to the Installation Guide in the section on setting up the RHEV-M appliance.

