Description of problem:

Customer is looking for a way to edit/modify the sshd config on the director node with the condition that those changes would survive the next

# openstack undercloud upgrade

This is achievable for the overcloud nodes via the heat templates, so the customer is looking for a way to achieve the same for the director node (obviously not via heat templates).

For example these directives (just an example):

AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE XMODIFIERS LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
LogLevel VERBOSE

Thank you.
Created attachment 1423715
example hieradata

So this should already be possible using the hieradata_override option in the undercloud.conf. For example, we have it documented[0] for tuning SSL ciphers. For the specific ssh options, you would need to configure tripleo::profile::base::sshd::options. This will require a similar structure to what is configured in the overcloud using the SshServerOptions[1] parameter.

See the attached file as an example file that could be used with "hieradata_override = /home/stack/rhbz1568918.yaml"

[0] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/director_installation_and_usage/appe-security_enhancements
[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/sshd.yaml#L42-L62
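
An illustrative hieradata file for the approach described in the comment above, using the directives from the original request. This is an added example, not the attachment from this bug; the hash layout (one key per sshd_config directive, multi-value directives as lists) is an assumption based on the SshServerOptions structure referenced in [1].

```yaml
# /home/stack/rhbz1568918.yaml  (path taken from the comment above)
# Referenced from undercloud.conf with:
#   hieradata_override = /home/stack/rhbz1568918.yaml
#
# Assumption: each key is an sshd_config directive name and each value is
# the directive's argument, following the SshServerOptions layout.
# Values are quoted so YAML does not turn yes/no into booleans.
tripleo::profile::base::sshd::options:
  AcceptEnv:
    - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
    - 'XMODIFIERS'
    - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
    - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
  AuthorizedKeysFile: '.ssh/authorized_keys'
  # Value as requested in the description; this turns on
  # challenge-response (keyboard-interactive) authentication.
  ChallengeResponseAuthentication: 'yes'
  GSSAPIAuthentication: 'no'
  GSSAPICleanupCredentials: 'yes'
  LogLevel: 'VERBOSE'
```

After the next undercloud install or upgrade run, `sudo sshd -T` prints the effective sshd configuration, which can be compared against the directives above to confirm they were applied.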