Description of problem:
ssh_config is changed completely if customized hiera is used.

Version-Release number of selected component (if applicable):
OSP13

How reproducible:
100%

Steps to Reproduce:
1. openstack undercloud install
2. Check sshd_config
3. in undercloud.conf add hieradata_override = /home/stack/hieradata.yaml
4. In hieradata.yaml specify
   tripleo::profile::base::sshd::options:
     PermitRootLogin: 'no'
5. Check sshd_config

Actual results:
# diff -u /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
--- /etc/ssh/sshd_config 2018-12-13 01:40:10.851877086 -0500 +++ /etc/ssh/sshd_config.bak 2018-12-13 00:32:07.359455937 -0500 @@ -1,13 +1,21 @@ # File is managed by Puppet Port 22 -AcceptEnv LANG LC_* +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE +AcceptEnv XMODIFIERS +AuthorizedKeysFile .ssh/authorized_keys ChallengeResponseAuthentication no +GSSAPIAuthentication yes +GSSAPICleanupCredentials no HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key -PermitRootLogin no PrintMotd no -Subsystem sftp /usr/libexec/openssh/sftp-server +Subsystem sftp /usr/libexec/openssh/sftp-server +SyslogFacility AUTHPRIV +UseDNS no UsePAM yes +UsePrivilegeSeparation sandbox X11Forwarding yes

Expected results:
Only one line (PermitRootLogin) should be different

Additional info:
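Review bot: the operands to diff -u are in the reverse of the usual old/new order (the live sshd_config dated 01:40 is on the --- side, the older .bak dated 00:32 on the +++ side), so the - lines are the post-override file and the + lines are what was there before. Read that way, the override added PermitRootLogin no, collapsed the AcceptEnv lines to LANG LC_*, and dropped AuthorizedKeysFile, GSSAPIAuthentication, GSSAPICleanupCredentials, SyslogFacility AUTHPRIV, UseDNS no and UsePrivilegeSeparation sandbox. Running diff -u /etc/ssh/sshd_config.bak /etc/ssh/sshd_config would make the lost directives show up as removals.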
Yes, the entire set of options must be provided. It is not merged. If a customer needs to tweak one of the items, they still need to provide the full set. https://github.com/openstack/instack-undercloud/blob/stable/queens/elements/puppet-stack-config/os-apply-config/etc/puppet/hieradata/RedHat.yaml#L3-L22
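Because the override replaces the whole options hash rather than merging into it, it is worth checking the rendered file after any single-option override. The following is an added example, not code from this report or from TripleO: it lists every sshd_config directive that differs between the pre- and post-override files apart from the one meant to change. The sample text is constructed from the diff in the report, and the function names are hypothetical.

```python
# Added example: report sshd_config directives that changed unintentionally.
# Sample text is constructed from the diff in the report (BEFORE = the .bak file).
# Assumption: no Match blocks, so every keyword is treated as global.
COMMON = """Port 22
ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
X11Forwarding yes
"""
BEFORE = COMMON + """AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
AuthorizedKeysFile .ssh/authorized_keys
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
SyslogFacility AUTHPRIV
UseDNS no
UsePrivilegeSeparation sandbox
"""
AFTER = COMMON + """AcceptEnv LANG LC_*
PermitRootLogin no
"""

def parse(text):
    """Keyword (case-insensitive in sshd_config) -> sorted list of its values."""
    opts = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if fields and not fields[0].startswith("#"):
            value = " ".join(fields[1].split()) if len(fields) > 1 else ""
            opts.setdefault(fields[0].lower(), []).append(value)
    return {k: sorted(v) for k, v in opts.items()}

def unexpected_drift(before, after, intended):
    """Directives dropped, added or changed, apart from those meant to change."""
    b, a = parse(before), parse(after)
    allowed = {k.lower() for k in intended}
    return {k: (b.get(k), a.get(k))
            for k in sorted(set(b) | set(a))
            if b.get(k) != a.get(k) and k not in allowed}

if __name__ == "__main__":
    for key, (old, new) in unexpected_drift(BEFORE, AFTER, ["PermitRootLogin"]).items():
        print(f"{key}: {old} -> {new}")
```

A value of None on the right-hand side means the directive is no longer set in the file, so sshd falls back to its compiled-in default for it.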