Bug 914648
| Field | Value |
|---|---|
| Summary | Packstack should create and distribute nova keys |
| Product | Red Hat OpenStack |
| Reporter | Jaroslav Henner <jhenner> |
| Component | openstack-packstack |
| Assignee | Martin Magr <mmagr> |
| Status | CLOSED ERRATA |
| QA Contact | Jaroslav Henner <jhenner> |
| Severity | medium |
| Priority | high |
| Version | 2.0 (Folsom) |
| CC | adahms, aortega, dasmith, derekh, ichavero, jkt, lars, mmagr, yfried |
| Target Milestone | rc |
| Keywords | FutureFeature, Triaged |
| Target Release | 5.0 (RHEL 7) |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | openstack-packstack-2014.1.1-0.26.dev1157.el6ost |
| Doc Type | Enhancement |
| Doc Text | This update introduces support for generating and distributing SSH keys to provide support for migrating instances via connections using QEMU and SSH to remote hypervisors. This update also ensures QEMU migration ports are open for Nova compute nodes and that Nova passes 'no_verify' to libvirt, making it possible for Nova to access compute nodes correctly when resizing instances. |
| Story Points | --- |
| Clone Of | |
| | 1082628 |
| Last Closed | 2014-07-08 15:37:34 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1082628 |
Description
Jaroslav Henner
2013-02-22 12:01:09 UTC
There is a real fix (making the SSHing here go away) in the works.

Adding some additional thoughts/context here...

Presently Packstack only distributes the public keys to all remote hosts, to allow the main node running packstack to talk to all remote hosts. Adding the private key as well would allow passwordless ssh between all compute nodes, which would enable support for Nova migrate/resize using libvirt migration over root passwordless ssh tunnels.

NOTE: This is not a good idea for production environments, but since Packstack is meant for PoC and demos, this is a reasonable option. Even still, we probably want to make enabling of distributing the private key files an explicit opt-in vs. making it done by default.

There is (as mentioned in comment #2) separate work ongoing to make it so that Nova doesn't rely on libvirt/ssh tunnels, but until that work completes we probably need to rely on this mechanism at least for Packstack.

(In reply to Perry Myers from comment #3)
> Adding some additional thoughts/context here...
>
> Presently Packstack only distributes the public keys to all remote hosts, to
> allow the main node running packstack to talk to all remote hosts. Adding
> the private key as well would allow passwordless ssh between all compute
> nodes, which would enable support for Nova migrate/resize using libvirt
> migration over root passwordless ssh tunnels.
>
> NOTE: This is not a good idea for production environments, but since
> Packstack is meant for PoC and demos, this is a reasonable option. Even
> still, we probably want to make enabling of distributing the private key
> files an explicitly opt-in vs. making it done by default.
>
> There is (as mentioned in comment #2) separate work ongoing to make it so
> that Nova doesn't rely on libvirt/ssh tunnels, but until that work completes
> we probably need to rely on this mechanism at least for Packstack.

We don't need to distribute root keys but nova keys. On grizzly, nova tries to ssh as nova, not root. If it is different on newer releases, I would call that a bug.

Nova doesn't specify a user for ssh, so whatever user nova is running as is what is used for the copy. So yes, still in icehouse, this means it happens as the nova user for us.

Going back to the "don't fix things in packstack" thread, it seems like this should actually go into the Nova puppet module (which is already responsible for creating the nova user). Here's my proposal for how to handle this in the puppet module: https://github.com/larsks/puppet-nova/blob/feature/sshkeys/manifests/init.pp#L304 Does that make sense?

Given an appropriate packstack template these changes appear to Do the Right Thing, modulo some selinux issues (the nova home directory is labelled nova_var_lib_t, to which sshd does not have access... this would probably require a fix in the selinux package). If people like this solution, I'll push it upstream and work on the corresponding support in packstack.

We would need to generate an ssh keypair here and then include both the private and public keys as literals in the generated manifests.

Note that for live migrations, we need keys for root as well. Also note that both types of migrations will require that host keys for all nodes be installed on every node before migrations can work.

I have some problems with this change:

* The no_verify=1 is used in the uri, which I think enables a MITM attack.
* The key is in /etc/nova/ssh while the nova home is ~nova (/var/lib/nova). I am not sure whether it is wise to have the key in /etc instead of ~nova.

Is there a new option for packstack to enable this? Right now this still fails with openstack-packstack-2014.1.1-0.32.1.dev1209.el7ost

Created attachment 914967 [details]
migration fails

As yfried found, this is still broken. When doing nova migrate (resize to another host), nova tries to ssh to the other host, resulting in permission denied.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2014-0846.html
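Two settings come up repeatedly in this thread: `no_verify=1` appended to the libvirt migration URI (which tells libvirt's ssh transport to skip host-key verification, the MITM concern raised above) and the requirement that every node's host key be installed on every other node before migrations work. The script below is an added example, not code from packstack, nova or puppet-nova: it audits a nova.conf fragment for `no_verify=1` in `live_migration_uri` and checks that the migration user's `known_hosts` already trusts each compute host (plain and `HashKnownHosts` entries). The nova.conf fragments, host names, salt and key material are constructed samples, and the `[libvirt]` section placement and file layout are assumptions.

```python
"""Added example (not packstack/nova/puppet-nova code): audit the SSH points
raised in this bug for libvirt migrations over ssh.

  1. Does nova.conf's live_migration_uri set no_verify=1 (libvirt then skips
     SSH host-key verification for the tunnel)?
  2. Does the migration user's known_hosts already trust every compute host,
     which is what makes no_verify unnecessary in the first place?

Every file content, host name, salt and key below is a constructed sample.
"""
import base64
import configparser
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed nova.conf fragments: the weak setting and the corrected one.
NOVA_CONF_WEAK = """\
[libvirt]
live_migration_uri = qemu+ssh://nova@%s/system?no_verify=1
"""
NOVA_CONF_FIXED = """\
[libvirt]
live_migration_uri = qemu+ssh://nova@%s/system
"""

COMPUTE_HOSTS = ["compute-1.example.test", "compute-2.example.test",
                 "compute-3.example.test"]


def hashed_entry(host, salt, keytype="ssh-ed25519", key="AAAAconstructedKey2"):
    """Build a HashKnownHosts line: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    marker = "|1|%s|%s" % (base64.b64encode(salt).decode(),
                           base64.b64encode(digest).decode())
    return "%s %s %s" % (marker, keytype, key)


# Constructed known_hosts: compute-1 as a plain entry, compute-2 hashed,
# compute-3 deliberately absent so the audit has something to report.
KNOWN_HOSTS = "\n".join([
    "# constructed sample, keys are not real",
    "compute-1.example.test,192.0.2.11 ssh-ed25519 AAAAconstructedKey1",
    hashed_entry("compute-2.example.test", b"0123456789abcdefghij"),
]) + "\n"


def migration_uri_settings(conf_text):
    """Return the libvirt live_migration_uri and whether it sets no_verify=1."""
    cp = configparser.ConfigParser(interpolation=None)  # keep the literal %s
    cp.read_string(conf_text)
    uri = cp.get("libvirt", "live_migration_uri", fallback=None)
    if uri is None:
        return {"uri": None, "transport": None, "no_verify": False}
    parsed = urlparse(uri)
    query = parse_qs(parsed.query)
    return {"uri": uri,
            "transport": parsed.scheme,
            "no_verify": query.get("no_verify", ["0"])[0] == "1"}


def host_in_known_hosts(host, known_hosts_text):
    """True if known_hosts carries a plain or hashed entry naming host.

    @cert-authority and @revoked lines are skipped: the first trusts by
    pattern rather than by name, the second must never count as trust.
    """
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        marker = fields[0]
        if marker.startswith("|1|"):
            _, _, salt_b64, hash_b64 = marker.split("|")
            digest = hmac.new(base64.b64decode(salt_b64), host.encode(),
                              hashlib.sha1).digest()
            if hmac.compare_digest(digest, base64.b64decode(hash_b64)):
                return True
            continue
        for name in marker.split(","):
            if name.startswith("[") and "]:" in name:   # [host]:port form
                name = name[1:name.index("]:")]
            if name == host:
                return True
    return False


def audit_migration_ssh(conf_text, known_hosts_text, compute_hosts):
    """List the findings a reviewer of this migration setup would want."""
    findings = []
    if migration_uri_settings(conf_text)["no_verify"]:
        findings.append("live_migration_uri sets no_verify=1: host keys of "
                        "migration targets are not checked")
    for host in compute_hosts:
        if not host_in_known_hosts(host, known_hosts_text):
            findings.append("no known_hosts entry for %s" % host)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", NOVA_CONF_WEAK), ("fixed", NOVA_CONF_FIXED)):
        print(label, audit_migration_ssh(conf, KNOWN_HOSTS, COMPUTE_HOSTS))
```

Run against the weak fragment the audit reports both the `no_verify=1` setting and the missing entry for compute-3; against the fixed fragment only the missing host remains, which is the gap that pre-seeding `known_hosts` on every node (as the thread says packstack or the puppet module must do) closes.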