Bug 1331858 - [RFE] Allow user to enable ssh access for RHEV-M appliance during hosted-engine deploy
Summary: [RFE] Allow user to enable ssh access for RHEV-M appliance during hosted-engi...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-hosted-engine-setup
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ovirt-4.1.0-alpha
: ---
Assignee: Simone Tiraboschi
QA Contact: Nikolai Sednev
URL:
Whiteboard:
: 1382581 (view as bug list)
Depends On:
Blocks: 1412024
TreeView+ depends on / blocked
 
Reported: 2016-04-29 20:32 UTC by Marina Kalinin
Modified: 2019-11-14 07:54 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
This update allows you to enable SSH access for the Manager virtual machine when deploying the self-hosted engine. You can choose between yes, no and without-password. You can also pass a public SSH key for the root user during deployment.
Clone Of:
Environment:
Last Closed: 2017-04-25 00:50:13 UTC
oVirt Team: Integration
Target Upstream Version:
Embargoed:
gklein: testing_plan_complete+


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2262201 0 None None None 2016-05-18 18:08:37 UTC
Red Hat Product Errata RHEA-2017:1002 0 normal SHIPPED_LIVE ovirt-hosted-engine-setup bug fix and enhancement update 2017-04-18 20:14:37 UTC

Description Marina Kalinin 2016-04-29 20:32:46 UTC
Currently, RHEV-M appliance provided d/s does not have root ssh access enabled due to security reasons. It is quite inconvenient and requires additional steps from the user[1]. Hosted-engine setup should ask the user during hosted-engine deployment to enable ssh access for RHEV-M appliance.

[1] https://access.redhat.com/solutions/2262201

Comment 1 Marina Kalinin 2016-04-29 20:33:02 UTC
P.S. I think this RFE should be filed on the d/s project. But following the current workflow.

Comment 2 Jiri Belka 2016-06-16 10:19:33 UTC
IMO the question should be (based on an installer of a project who maintains OpenSSH):

~~~
Allow root ssh login? (yes, no, prohibit-password) no
~~~

When prohibit-password would be intered, then we could ask for public ssh key.

Comment 3 Jiri Belka 2016-06-16 10:20:48 UTC
There could be also a line like this one to describe what's going on:

~~~
        echo "WARNING: root is targeted by password guessing attacks, pubkeys are safer."
~~~

Comment 4 Marina Kalinin 2016-06-17 20:32:28 UTC
Sure. 
Not sure about warnings. I think we are overdoing here.
All RHEV-M deployments have root access by default (as any other RHEL box).

Comment 5 Simone Tiraboschi 2016-10-10 10:00:12 UTC
*** Bug 1382581 has been marked as a duplicate of this bug. ***

Comment 6 Yaniv Lavi 2016-11-07 13:09:22 UTC
Why are the scripts removing the patch?

Comment 7 Eyal Edri 2016-11-07 13:16:52 UTC
Shlomi, can you check? 
new hooks were deployed recently, so there might be a bug in the new code.

Comment 12 Yaniv Lavi 2016-11-20 12:47:21 UTC
(In reply to Eyal Edri from comment #7)
> Shlomi, can you check? 
> new hooks were deployed recently, so there might be a bug in the new code.

Any news?

Comment 13 Yaniv Lavi 2017-01-08 15:27:29 UTC
Should this be on QA?

Comment 14 Nikolai Sednev 2017-01-23 15:38:27 UTC
Works for me on components as appears bellow:
         Enter ssh public key for the root user that will be used for the engine appliance (leave it empty to skip): 
[WARNING] Skipping appliance root ssh public key
          Do you want to enable ssh access for the root user (yes, no, without-password) [yes]: 

Hosts:
rhevm-appliance-20161214.0-1.el7ev.noarch
ovirt-hosted-engine-ha-2.1.0-1.el7ev.noarch
ovirt-host-deploy-1.6.0-1.el7ev.noarch
ovirt-imageio-common-0.5.0-0.el7ev.noarch
ovirt-vmconsole-host-1.0.4-1.el7ev.noarch
qemu-kvm-rhev-2.6.0-28.el7_3.3.x86_64
libvirt-client-2.0.0-10.el7_3.4.x86_64
mom-0.5.8-1.el7ev.noarch
vdsm-4.19.2-2.el7ev.x86_64
ovirt-hosted-engine-setup-2.1.0-2.el7ev.noarch
ovirt-setup-lib-1.1.0-1.el7ev.noarch
ovirt-engine-sdk-python-3.6.9.1-1.el7ev.noarch
ovirt-imageio-daemon-0.5.0-0.el7ev.noarch
ovirt-vmconsole-1.0.4-1.el7ev.noarch
rhevm-appliance-20161214.0-1.el7ev.noarch
sanlock-3.4.0-1.el7.x86_64
Linux version 3.10.0-514.6.1.el7.x86_64 (mockbuild.eng.bos.redhat.com) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Sat Dec 10 11:15:38 EST 2016
Linux 3.10.0-514.6.1.el7.x86_64 #1 SMP Sat Dec 10 11:15:38 EST 2016 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 7.3 (Maipo)


Note You need to log in before you can comment on or make changes to this bug.