Bug 2226812 - Upgrade [OSP16.2 -> OSP17.1] multi-cell SSH Public/Private Key rotation needed to Enable upgrades from 16.x to 17.1 [NEEDINFO]
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: tripleo-ansible
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z1
Target Release: 17.1
Assignee: Andre
QA Contact: Joe H. Rahme
URL:
Whiteboard:
Depends On:
Blocks: 1759007
Reported: 2023-07-26 16:02 UTC by Juan Badia Payno
Modified: 2023-08-16 13:20 UTC (History)

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:
Flags: ifrangs: needinfo? (afariasa)


Links: Red Hat Issue Tracker OSP-26926 (last updated 2023-07-26 16:05:39 UTC)

Description Juan Badia Payno 2023-07-26 16:02:31 UTC
This bugzilla is the next step of https://bugzilla.redhat.com/show_bug.cgi?id=2151002

The minimum RSA key size on RHEL 9 is 2048, so we need to implement a method to replace the keys of all the nodes.

Currently, the method used, ssh_key_rotation.yaml [1], works when there is only one stack.

The current process allows switching between keys with the following command:

ansible-playbook -i tripleo-stack-inventory.yaml ssh_key_rotation.yaml

On a multi-cell environment there are several inventory files, so the playbook is launched for all the inventory files. However, the playbook creates a new SSH key pair on every execution, so the connectivity with the first inventory is lost when the second one is executed.

[1] https://github.com/openstack/tripleo-ansible/blob/stable/wallaby/tripleo_ansible/playbooks/ssh_key_rotation.yaml

Comment 1 Juan Badia Payno 2023-07-27 06:59:28 UTC
As a workaround prior to the undercloud operating system upgrade:

# This aims to keep the SSH connection from the undercloud to the hypervisor (CI - vbmc issue):
# a copy of the current key pair is saved and pinned to that one host in ~/.ssh/config
if [ ! -f ~/.ssh/old/id_rsa ]; then
  mkdir -p ~/.ssh/old/
  cp -a ~/.ssh/id_rsa ~/.ssh/old/
  cp -a ~/.ssh/id_rsa.pub ~/.ssh/old/
  cat <<'EOF' >> ~/.ssh/config
Host 172.16.0.1
   StrictHostKeyChecking no
   UserKnownHostsFile=/dev/null
   HostName 172.16.0.1
   User root
   IdentityFile /home/stack/.ssh/old/id_rsa
EOF
fi

# This creates one inventory out of all the inventory files and uses that inventory to do the SSH key rotation
# This only works for overclouds with fewer than 10 stacks
if [ ! -f all_inventory ]; then
  # Create local files for modifications
  touch all_inventory
  cp /usr/share/ansible/tripleo-playbooks/ssh_key_rotation.yaml /home/stack/ssh_key_rotation.yaml

  # Create one big single inventory file: the group names of every stack are prefixed
  # with the stack name so that the merged inventory has no colliding groups
  STACKS=""
  for dir in ~/overcloud-deploy/*/; do
    i=$(basename "$dir")
    case "$i" in *undercloud*) continue ;; esac
    STACKS="${STACKS},${i}_allovercloud"
    # The renamed allovercloud group must match the "<stack>_allovercloud" pattern collected in STACKS
    sed -e "s|id00|${i}_id00|g" -e "s|Undercloud|${i}Undercloud|g" -e "s|^allovercloud|${i}_allovercloud|g" \
      ~/overcloud-deploy/"$i"/tripleo-ansible-inventory.yaml >> all_inventory
  done

  # Modify the playbook to update all nodes on all overcloud stacks: replace the
  # 'allovercloud' host pattern with the comma-separated list of per-stack groups
  REPLACEMENT=${STACKS#,}
  sed -i -e "s|allovercloud|${REPLACEMENT}|g" /home/stack/ssh_key_rotation.yaml
  ansible-playbook -i all_inventory /home/stack/ssh_key_rotation.yaml
fi
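The failure described in the bug report and the single-key-pair effect that the merged-inventory workaround above achieves, as an in-memory Python model added here (not code from the bug report or from tripleo-ansible); the host names and inventory layout are constructed, and rotate() models only the public-key installation and the undercloud's key switch, not the playbook's other steps:

```python
from itertools import count
_serial = count(1)

def new_keypair():
    """Stand-in for ssh-keygen: returns an opaque identifier for a fresh key pair."""
    return f"key{next(_serial)}"

class Undercloud:
    """Tracks which key the undercloud presents and which keys each node accepts."""
    def __init__(self, hosts_by_inventory):
        self.inventories = hosts_by_inventory   # {inventory name: [host, ...]}
        self.key = new_keypair()                # current ~/.ssh/id_rsa
        # authorized_keys on every overcloud node starts with the undercloud's key
        self.authorized = {h: {self.key} for hosts in hosts_by_inventory.values() for h in hosts}

    def rotate(self, inventory, key=None):
        """One ssh_key_rotation.yaml run against one inventory: install a public key on that
        inventory's nodes and switch the undercloud to the matching private key. A fresh
        pair is generated unless one is passed in (this model's 'generate once', not a playbook option)."""
        new = key or new_keypair()
        for host in self.inventories[inventory]:
            self.authorized[host].add(new)
        self.key = new

    def unreachable(self):
        """Nodes that no longer accept the key the undercloud now presents."""
        return sorted(h for h, keys in self.authorized.items() if self.key not in keys)

def rotate_per_inventory(uc):
    """The reported failure: one playbook run per inventory, fresh key pair each run."""
    for inventory in uc.inventories:
        uc.rotate(inventory)
    return uc.unreachable()

def rotate_with_one_key(uc):
    """One key pair pushed through every inventory: the effect of the merged-inventory workaround."""
    key = new_keypair()
    for inventory in uc.inventories:
        uc.rotate(inventory, key)
    return uc.unreachable()

SAMPLE = {  # constructed multi-cell layout: a central stack plus two cell stacks
    "central": ["central-controller-0", "central-compute-0"],
    "cell1": ["cell1-compute-0", "cell1-compute-1"],
    "cell2": ["cell2-compute-0"],
}

if __name__ == "__main__":
    print("fresh key per inventory, unreachable:", rotate_per_inventory(Undercloud(SAMPLE)))
    print("one key for all inventories, unreachable:", rotate_with_one_key(Undercloud(SAMPLE)))
```

Only the nodes of the last inventory rotated stay reachable in the first run, which is exactly the loss of connectivity the report describes; with one key pair every node keeps accepting the key the undercloud presents.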

