+++ This bug was initially created as a clone of Bug #1741670 +++

+++ This bug was initially created as a clone of Bug #1731755 +++

Description of problem:

There is a specific ask for root access on the DCN node for debugging purposes. This shall be disabled in the production environment. I have followed the RHOSP13 Advanced Overcloud Customization document, Section 20.5 (Using Secure root access) and updated the following in the network-environment.yaml file:

    #This file is an example of an environment file for defining the isolated
    #networks and related parameters.
    resource_registry:
      # Network Interface templates to use (these files must exist). You can
      # override these by including one of the net-*.yaml environment files,
      # such as net-bond-with-vlans.yaml, or modifying the list here.
      # Port assignments for the Controller
      OS::TripleO::Controller::Net::SoftwareConfig: ../network/config/single-nic-vlans/controller.yaml
      # Port assignments for the KontronDCN
      OS::TripleO::KontronDCN::Net::SoftwareConfig: ../network/config/single-nic-vlans/kontrondcn.yaml
      OS::TripleO::NodeUserData: ../firstboot/userdata_root_password.yaml

    parameter_defaults:
      NodeRootPassword: "ABCDEFG1234"
      # This section is where deployment-specific configuration is done
      # CIDR subnet mask length for provisioning network
      ControlPlaneSubnetCidr: '24'

With this, I could see that the password is updated as per my configuration, but root ssh access does not work after the DCN node is fully deployed. I have also noticed that as soon as the DCN is accessible but not fully deployed, I can ssh as the root user. I see the following in the DCN's sshd_config file:

    PasswordAuthentication no

which is not correct. As per my configuration it is:

    (undercloud) [stack@rhosbng5-mgmt openstack-tripleo-heat-templates]$ cat firstboot/userdata_root_password.yaml
    heat_template_version: queens

    description: >
      Uses cloud-init to enable root logins and set the root password.
      Note this is less secure than the default configuration and may not be
      appropriate for production environments, it's intended for illustration
      and development/debugging only.

    parameters:
      NodeRootPassword:
        description: Root password for the nodes
        hidden: true
        type: string

    resources:
      userdata:
        type: OS::Heat::MultipartMime
        properties:
          parts:
          - config: {get_resource: root_config}

      root_config:
        type: OS::Heat::CloudConfig
        properties:
          cloud_config:
            ssh_pwauth: true
            disable_root: false
            chpasswd:
              list:
                str_replace:
                  template: "root:PASSWORD"
                  params:
                    PASSWORD: {get_param: NodeRootPassword}
              expire: False

    outputs:
      OS::stack_id:
        value: {get_resource: userdata}

Version-Release number of selected component (if applicable):

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/advanced_overcloud_customization/index#enabling_root_user_access

How reproducible:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/advanced_overcloud_customization/index#enabling_root_user_access

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Why is PasswordAuthentication not set to true although I have updated the same in userdata_root_password.yaml?

Additional info:

--- Additional comment from Cristian Muresanu on 2019-07-21 19:58:31 UTC ---

    heat-cfntools-1.3.0-2.el7ost.noarch                              Thu Jul  4 10:23:16 2019
    openstack-heat-api-10.0.3-3.el7ost.noarch                        Thu Jul  4 10:41:14 2019
    openstack-heat-api-cfn-10.0.3-3.el7ost.noarch                    Thu Jul  4 10:41:22 2019
    openstack-heat-common-10.0.3-3.el7ost.noarch                     Thu Jul  4 10:41:03 2019
    openstack-heat-engine-10.0.3-3.el7ost.noarch                     Thu Jul  4 10:41:34 2019
    openstack-tripleo-heat-templates-8.3.1-18.el7ost.noarch          Thu Jul  4 10:23:28 2019
    puppet-heat-12.4.1-0.20190214021237.a7ed720.el7ost.noarch        Thu Jul  4 10:23:14 2019
    python2-heatclient-1.14.1-1.el7ost.noarch                        Thu Jul  4 10:23:20 2019
    python-heat-agent-1.5.4-1.el7ost.noarch                          Thu Jul  4 10:23:21 2019

--- Additional comment from Ollie Walsh on 2019-08-07 12:23:33 UTC ---

Would need to change SshServerOptions to enable password auth (https://github.com/openstack/tripleo-heat-templates/blob/stable/queens/puppet/services/sshd.yaml#L41) e.g:

    parameter_defaults:
      SshServerOptions:
        HostKey:
          - '/etc/ssh/ssh_host_rsa_key'
          - '/etc/ssh/ssh_host_ecdsa_key'
          - '/etc/ssh/ssh_host_ed25519_key'
        SyslogFacility: 'AUTHPRIV'
        AuthorizedKeysFile: '.ssh/authorized_keys'
        PasswordAuthentication: 'yes'
        ChallengeResponseAuthentication: 'no'
        GSSAPIAuthentication: 'yes'
        GSSAPICleanupCredentials: 'no'
        UsePAM: 'yes'
        UseDNS: 'no'
        X11Forwarding: 'yes'
        UsePrivilegeSeparation: 'sandbox'
        AcceptEnv:
          - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
          - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
          - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
          - 'XMODIFIERS'
        Subsystem: 'sftp /usr/libexec/openssh/sftp-server'

--- Additional comment from Ollie Walsh on 2019-08-07 12:38:18 UTC ---

If the client side is stack@undercloud you will also need to disable pub key auth when connecting:

    (undercloud) [stack@undercloud-0 ~]$ ssh root@192.168.24.8
    Warning: Permanently added '192.168.24.8' (ECDSA) to the list of known hosts.
    Please login as the user "heat-admin" rather than the user "root".

    Connection to 192.168.24.8 closed.
    (undercloud) [stack@undercloud-0 ~]$ ssh -o PubkeyAuthentication=no root@192.168.24.8
    Warning: Permanently added '192.168.24.8' (ECDSA) to the list of known hosts.
    root@192.168.24.8's password:
    Last login: Wed Aug  7 12:35:11 2019 from 192.168.24.1
    [root@overcloud-computelocal-0 ~]#
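Added example (not code from this bug report or from tripleo-heat-templates): a small audit that reads a node's rendered sshd_config the way sshd does, so you can confirm after deployment whether root password login is really enabled or disabled, instead of grepping for the line. sshd honours the first value it sees for a keyword and treats everything after the first `Match` as conditional; the sample config below is constructed to show both.

```python
import re

# Constructed sample modelled on what the reporter saw on the deployed DCN
# node: puppet rendered PasswordAuthentication no, and a later duplicate or a
# Match-scoped override does not change the global answer.
DEPLOYED_SSHD_CONFIG = """\
HostKey /etc/ssh/ssh_host_rsa_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# appended later by hand: ignored by sshd because the keyword was already set
PasswordAuthentication yes
Match User heat-admin
    PasswordAuthentication yes
"""


def effective_global_options(config_text):
    """Return {keyword_lower: first_value} for the global section of sshd_config."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and value may be separated by whitespace or by '='
        m = re.match(r"(\w+)\s*(?:=|\s)\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything after the first Match block is conditional
        opts.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return opts


def root_password_login_state(config_text):
    """Classify whether 'ssh root@host' with a password can succeed globally."""
    opts = effective_global_options(config_text)
    pw = opts.get("passwordauthentication", "yes").lower()  # OpenSSH default is yes
    root = opts.get("permitrootlogin", "unset").lower()
    if pw != "yes":
        return "blocked: PasswordAuthentication is %s" % pw
    if root in ("no", "without-password", "prohibit-password", "forced-commands-only"):
        return "blocked: PermitRootLogin is %s" % root
    if root == "unset":
        return "depends on compiled-in PermitRootLogin default"
    return "allowed"
```

Run it against `/etc/ssh/sshd_config` copied from the node (or against `sshd -T` output, which already has the effective values) to check that production nodes report "blocked".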
Closing EOL, OSP 15 has been retired as of Sept 19