Description of problem:

Apologies if this is related to [1], but the only place I have SshServerOptions is in one file, so I'm not sure how it is overriding anything. Having the SshServerOptions parameter set overwrites all sshd config parameters instead of appending the information:

17:

    [root@controller-0 heat-admin]# cat /etc/ssh/sshd_config
    ## Ansible managed
    UseDns no

Equivalent 16.2 /etc/ssh/sshd_config:

    # File is managed by Puppet
    Port 22
    AcceptEnv LANG LC_*
    ChallengeResponseAuthentication no
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    PasswordAuthentication no
    PrintMotd no
    Subsystem sftp /usr/libexec/openssh/sftp-server
    UseDns no
    UsePAM yes
    X11Forwarding yes

There are some small 17-specific parameter override tweaks used in the deployment, but the SSH-relevant parameters have been the same since 16.

Parameters snippet used:

    resource_registry:
      OS::TripleO::Controller::Net::SoftwareConfig: OS::Heat::None
      OS::TripleO::ComputeSriov::Net::SoftwareConfig: OS::Heat::None
    parameter_defaults:
      NetworkConfigWithAnsible: true
      EC2MetadataIp: 192.168.24.1
      ControlPlaneDefaultRoute: 192.168.24.1
      ControlPlaneSubnetCidr: "24"
      NtpServer: ["clock.redhat.com","clock2.redhat.com"]
      NeutronTunnelTypes: "geneve"
      NeutronNetworkType: ['geneve', 'vlan']
      NeutronEnableDVR: 'false'
      NeutronExternalNetworkBridge: ''
      NeutronNetworkVLANRanges:
        - datacentre:1:1000
        - physnet1:2000:2005
      NeutronOVSFirewallDriver: openvswitch
      SshServerOptions:
        UseDns: 'no'
      NovaEnableNUMALiveMigration: true
      NeutronPluginExtensions: "port_security,router,qos,segments,trunk,placement"
      NeutronServicePlugins: 'router,trunk,qos,placement'
      NeutronSriovAgentExtensions: "qos"
      SELinuxMode: permissive

Version-Release number of selected component (if applicable):
17

How reproducible:
100%

Steps to Reproduce:
1. Deploy environment with SSH-relevant parameters in override yaml.

Actual results:
sshd_config is overwritten by values in THT

Expected results:
sshd_config should merge parameters

Additional info:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2077075
The problem with the current implementation is that we override the entire dictionary for the sshd options:

https://github.com/openstack/tripleo-ansible/blob/master/tripleo_ansible/roles/tripleo_sshd/defaults/main.yml#L33
https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/sshd/sshd-baremetal-ansible.yaml#L95-L98

I guess this would all need refactoring to template a default sshd_config file and provide each variable individually in Heat templates? Or, we could use |default() in the sshd_config file. Not the cleanest solutions, but afaik we can't override that dictionary and fall back to defaults if they weren't provided by the user. So to fix this, we would need to re-write it.

I'll defer to the wider team for ideas and feedback.
Actually, it looks like this should work if we use SshServerOptionsOverrides:

https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/sshd/sshd-baremetal-ansible.yaml#L60-L64

I'll test that; we might need a better way of handling that. It's not well explained in the description and I can see how users would assume using SshServerOptions is the correct value. I mean, I'm using that for my own home deployment as well.
We generally expect users to use the SshServerOptionsOverrides parameter if they want to override only part of the defaults.

The reason why we have the separate SshServerOptions parameter is that the Overrides parameter does not allow users to "remove" anything defined in the default, and in such a case they need to use SshServerOptions.

> I guess this would all need refactoring to template a default sshd_config file
> and provide each variable individually in Heat templates?

It would be useful if the parameter is commonly customized, but I think exposing all the parameters would be too redundant.

Note that for this specific case UseDNS defaults to 'no' from stable/queens, so the definition triggering the problem looks just redundant.
https://github.com/openstack/tripleo-heat-templates/commit/7b762a6a0c6a2931d3a11eecaad246a16f66f4e0
(In reply to Takashi Kajinami from comment #3)
> We generally expect user users the SshServerOptionsOverrides parameter
> if he/she wants to override only part of the defaults.
>
> The reason why we have the separate SshServerOptions parameter is that
> the Overrides parameter does not allow users to "remove" anything defined
> in default and in such case they need to use the SshServerOptions.

See https://review.opendev.org/c/openstack/tripleo-heat-templates/+/755679 which added that Overrides parameter.
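The two parameters discussed in the comments above behave differently: SshServerOptions replaces the whole option dictionary, while SshServerOptionsOverrides is merged on top of it and therefore cannot drop a default. The model below is an added example, not TripleO's or tripleo-ansible's own code; the DEFAULT_SERVER_OPTIONS set is a constructed sample standing in for the template defaults, and the merge is a plain dict update rather than the templates' real Heat/Ansible logic.

```python
"""Model of replace-vs-merge semantics for the two sshd Heat parameters.

Added example (not TripleO code).  Assumptions, labelled:
- DEFAULT_SERVER_OPTIONS is a constructed sample, not the template's real defaults.
- effective_options() approximates the merge with dict.update().
"""

# Constructed sample standing in for the template's default sshd option set.
DEFAULT_SERVER_OPTIONS = {
    "HostKey": [
        "/etc/ssh/ssh_host_rsa_key",
        "/etc/ssh/ssh_host_ecdsa_key",
        "/etc/ssh/ssh_host_ed25519_key",
    ],
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "UsePAM": "yes",
    "X11Forwarding": "yes",
    "UseDNS": "no",
    "Subsystem": "sftp /usr/libexec/openssh/sftp-server",
}


def effective_options(server_options=None, overrides=None):
    """Return the option dict the role would render.

    server_options (SshServerOptions): when given, REPLACES the whole default
        dict, so every default not listed is dropped (the behaviour reported
        in this bug).
    overrides (SshServerOptionsOverrides): merged on top of the base, so keys
        not named are kept; it cannot remove a default key.
    """
    if server_options is not None:
        base = dict(server_options)
    else:
        base = dict(DEFAULT_SERVER_OPTIONS)
    base.update(overrides or {})
    return base


def render_sshd_config(options):
    """Render the dict as sshd_config text; list values become repeated lines."""
    lines = ["## Ansible managed"]
    for key, value in sorted(options.items()):
        values = value if isinstance(value, list) else [value]
        for item in values:
            lines.append(f"{key} {item}")
    return "\n".join(lines) + "\n"


def dropped_defaults(options):
    """Default keywords absent from the effective set.

    sshd keywords are case-insensitive, so 'UseDns' counts as 'UseDNS'.
    """
    present = {k.lower() for k in options}
    return sorted(k for k in DEFAULT_SERVER_OPTIONS if k.lower() not in present)


if __name__ == "__main__":
    # The reporter's environment file: replaces everything but UseDns.
    replaced = effective_options(server_options={"UseDns": "no"})
    print(render_sshd_config(replaced))
    print("dropped:", dropped_defaults(replaced))
    # The same intent expressed through the Overrides parameter: nothing dropped.
    merged = effective_options(overrides={"UseDns": "no"})
    print(render_sshd_config(merged))
    print("dropped:", dropped_defaults(merged))
```

Running it shows why the reported file contained only "UseDns no": with SshServerOptions the whole default set is replaced, so PasswordAuthentication, UsePAM and the HostKey lines all disappear; with SshServerOptionsOverrides they survive. It also shows the side effect of spelling the key as UseDns rather than UseDNS: the merged dict ends up with both spellings, which sshd treats as the same keyword.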
*** Bug 2091630 has been marked as a duplicate of this bug. ***
Used this environment file:

    parameter_defaults:
      SshServerOptions:
        UseDns: 'no'

ssh parameters were merged and not replaced, as seen in:

    sudo more /etc/ssh/sshd_config
    ## Ansible managed
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    AuthorizedKeysFile .ssh/authorized_keys
    ChallengeResponseAuthentication no
    GSSAPIAuthentication no
    GSSAPICleanupCredentials no
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    Subsystem sftp /usr/libexec/openssh/sftp-server
    SyslogFacility AUTHPRIV
    UseDNS no
    UseDns no
    UsePAM yes
    X11Forwarding yes
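A merged file like the one above is worth auditing rather than eyeballing: sshd compares keywords case-insensitively and, for non-repeatable keywords, uses the first value it reads, so "UseDNS no" followed by "UseDns no" is a duplicate, and any directive that is missing silently falls back to the sshd default. The auditor below is an added example, not part of this bug or of TripleO; the sample config is abbreviated from the verified output quoted above, and the EXPECTED baseline is a constructed set taken from the 16.2 file in the report, not an official hardening profile.

```python
"""Audit a rendered sshd_config for duplicate keywords and missing directives.

Added example (not TripleO code).  Assumptions, labelled:
- SAMPLE_SSHD_CONFIG is abbreviated from the verified output in this bug.
- EXPECTED is a constructed baseline drawn from the 16.2 config in the report.
- Match blocks are not modelled; every line is treated as global scope.
"""
import re

SAMPLE_SSHD_CONFIG = """## Ansible managed
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
GSSAPIAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Subsystem sftp /usr/libexec/openssh/sftp-server
UseDNS no
UseDns no
UsePAM yes
X11Forwarding yes
"""

# Keywords that legitimately repeat; each occurrence adds to the set.
REPEATABLE = {"hostkey", "acceptenv", "subsystem", "port", "listenaddress"}

# Constructed baseline: directives the 16.2 file on this page carried explicitly.
EXPECTED = {"passwordauthentication": "no", "usepam": "yes", "usedns": "no"}

# keyword, then '=' or whitespace, then the rest of the line as the value
_DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*[=\s]\s*(.*)")


def parse_sshd_config(text):
    """Return [(keyword_lower, value, lineno)], skipping blanks and comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _DIRECTIVE.match(line)
        if match:
            entries.append((match.group(1).lower(), match.group(2).strip(), lineno))
    return entries


def effective_values(entries):
    """First occurrence wins for non-repeatable keywords, as sshd does."""
    effective = {}
    for keyword, value, _ in entries:
        if keyword in REPEATABLE:
            effective.setdefault(keyword, []).append(value)
        else:
            effective.setdefault(keyword, value)
    return effective


def find_duplicates(entries):
    """(keyword, winning_line, ignored_line) for repeated non-repeatable keywords."""
    first_seen, duplicates = {}, []
    for keyword, _, lineno in entries:
        if keyword in REPEATABLE:
            continue
        if keyword in first_seen:
            duplicates.append((keyword, first_seen[keyword], lineno))
        else:
            first_seen[keyword] = lineno
    return duplicates


def audit(text):
    """Return human-readable findings: duplicates, then baseline deviations."""
    entries = parse_sshd_config(text)
    effective = effective_values(entries)
    findings = []
    for keyword, first, later in find_duplicates(entries):
        findings.append(f"duplicate keyword {keyword!r}: line {later} ignored, line {first} wins")
    for keyword, want in EXPECTED.items():
        got = effective.get(keyword)
        if got is None:
            findings.append(f"missing {keyword!r} (expected {want!r}); sshd default applies")
        elif got.lower() != want:
            findings.append(f"{keyword!r} is {got!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG):
        print(finding)
```

On the sample it reports the UseDNS/UseDns duplicate (harmless here because both say "no", but a mismatch would be silently ignored) and that PasswordAuthentication is no longer set explicitly, which is the kind of drift a post-deployment check of the rendered file is meant to catch before it reaches a node.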
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543