Bug 1324105 - [RFE] upgrade-non-controller.sh should use -o StrictHostKeyChecking=no when connecting to the nodes
Summary: [RFE] upgrade-non-controller.sh should use -o StrictHostKeyChecking=no when c...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
: ---
Assignee: mathieu bultel
QA Contact: Arik Chernetsky
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-04-05 14:09 UTC by Udi Kalifon
Modified: 2017-03-23 08:16 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-23 08:16:58 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Udi Kalifon 2016-04-05 14:09:47 UTC 
Description of problem:
upgrade-non-controller.sh prompts you to verify the authenticity of the host if it's the first time you connect to it:

[stack@instack ~]$ upgrade-non-controller.sh --upgrade 37abc909-6482-4275-a21b-44585ceef658
Tue Apr  5 09:50:21 EDT 2016 upgrade-non-controller.sh nova node 37abc909-6482-4275-a21b-44585ceef658 found with status ACTIVE
Tue Apr  5 09:50:22 EDT 2016 upgrade-non-controller.sh checking for upgrade script /root/tripleo_upgrade_node.sh on node 37abc909-6482-4275-a21b-44585ceef658 (192.0.2.9)
The authenticity of host '192.0.2.9 (192.0.2.9)' can't be established.
ECDSA key fingerprint is 8b:80:02:47:71:7f:69:30:1c:b4:bd:ee:f3:23:f4:c7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.0.2.9' (ECDSA) to the list of known hosts.

This prompting is interruptive, it should be automatic.


How reproducible:
whenever you connect to the nodes for the first time.


Steps to Reproduce:
1. Install a 7.3 overcloud
2. Don't ssh to all the nodes 
3. Upgrade to 8.0 as per the guide


Actual results:
When you run upgrade-non-controller.sh on a node that you never connected to, you get prompted by ssh to add the host's key to the known hosts list.
Comment 2 Mike Burns 2016-04-07 21:36:02 UTC 
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.
Comment 5 Sofer Athlan-Guyot 2017-01-11 10:53:22 UTC 
Hi,

In osp10->11 upgrade, there is currently no ssh script to be run, making this bug disappear.  I will revisit the bug next week to confirm that no ssh "workaround" is ever needed during the upgrade procedure.
Comment 6 Sofer Athlan-Guyot 2017-01-24 18:31:22 UTC 
Hi,

so there will be ssh command, the details are still being worked out.  We will make sure that the right option are passed.
Comment 7 mathieu bultel 2017-03-23 08:14:45 UTC 
Hi,

For 10 to 11, we would have to run the script for upgrading the Compute nodes manually, or Ceph or whatever none controller nodes.
But this bug should be close as a won't fix.
The add of the option -o StrictHostKeyChecking=no to the ssh command is a security issue.
We can't assume that the tripleo framework consider to not check the finger print for the nodes, it's not safe at all.

I know, it would be better for automation purpose, but in this case, this is what i used:
sudo sed -i 's/ssh/ssh -o StrictHostKeyChecking=no/' /usr/bin/upgrade-non-controller.sh
Note You need to log in before you can comment on or make changes to this bug.