Merge "Fix keystone fernet file exchange via ssh"
This commit is contained in:
Jenkins
Gerrit Code Review
commit
db9003e39b
@ -101,6 +101,8 @@
|
|||||||
- { src: "crontab.j2", dest: "crontab" }
|
- { src: "crontab.j2", dest: "crontab" }
|
||||||
- { src: "fernet-rotate.sh.j2", dest: "fernet-rotate.sh" }
|
- { src: "fernet-rotate.sh.j2", dest: "fernet-rotate.sh" }
|
||||||
- { src: "fernet-node-sync.sh.j2", dest: "fernet-node-sync.sh" }
|
- { src: "fernet-node-sync.sh.j2", dest: "fernet-node-sync.sh" }
|
||||||
|
- { src: "id_rsa", dest: "id_rsa" }
|
||||||
|
- { src: "ssh_config.j2", dest: "ssh_config" }
|
||||||
when: keystone_token_provider == 'fernet'
|
when: keystone_token_provider == 'fernet'
|
||||||
|
|
||||||
- name: Copying files for keystone-ssh
|
- name: Copying files for keystone-ssh
|
||||||
@ -109,7 +111,5 @@
|
|||||||
dest: "{{ node_config_directory }}/keystone-ssh/{{ item.dest }}"
|
dest: "{{ node_config_directory }}/keystone-ssh/{{ item.dest }}"
|
||||||
with_items:
|
with_items:
|
||||||
- { src: "sshd_config.j2", dest: "sshd_config" }
|
- { src: "sshd_config.j2", dest: "sshd_config" }
|
||||||
- { src: "id_rsa", dest: "id_rsa" }
|
|
||||||
- { src: "id_rsa.pub", dest: "id_rsa.pub" }
|
- { src: "id_rsa.pub", dest: "id_rsa.pub" }
|
||||||
- { src: "ssh_config.j2", dest: "ssh_config" }
|
|
||||||
when: keystone_token_provider == 'fernet'
|
when: keystone_token_provider == 'fernet'
|
||||||
|
|||||||
@ -11,6 +11,6 @@ fi
|
|||||||
# For each host node sync tokens
|
# For each host node sync tokens
|
||||||
{% for host in groups['keystone'] %}
|
{% for host in groups['keystone'] %}
|
||||||
{% if inventory_hostname != host %}
|
{% if inventory_hostname != host %}
|
||||||
/usr/bin/rsync -azu --delete -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }}' keystone@{{ host }}:/etc/keystone/fernet-keys/ /etc/keystone/fernet-keys
|
/usr/bin/rsync -azu --delete -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }} -F /var/lib/keystone/.ssh/config' keystone@{{ host }}:/etc/keystone/fernet-keys/ /etc/keystone/fernet-keys
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
@ -4,6 +4,6 @@ keystone-manage --config-file /etc/keystone/keystone.conf fernet_rotate --keysto
|
|||||||
|
|
||||||
{% for host in groups['keystone'] %}
|
{% for host in groups['keystone'] %}
|
||||||
{% if inventory_hostname != host %}
|
{% if inventory_hostname != host %}
|
||||||
/usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }}' --delete /etc/keystone/fernet-keys/ keystone@{{ host }}:/etc/keystone/fernet-keys
|
/usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }} -F /var/lib/keystone/.ssh/config' --delete /etc/keystone/fernet-keys/ keystone@{{ host }}:/etc/keystone/fernet-keys
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
@ -24,6 +24,18 @@
|
|||||||
"dest": "/usr/bin/fernet-node-sync.sh",
|
"dest": "/usr/bin/fernet-node-sync.sh",
|
||||||
"owner": "root",
|
"owner": "root",
|
||||||
"perm": "0755"
|
"perm": "0755"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/ssh_config",
|
||||||
|
"dest": "/var/lib/keystone/.ssh/config",
|
||||||
|
"owner": "keystone",
|
||||||
|
"perm": "0600"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/id_rsa",
|
||||||
|
"dest": "/var/lib/keystone/.ssh/id_rsa",
|
||||||
|
"owner": "keystone",
|
||||||
|
"perm": "0600"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,18 +7,6 @@
|
|||||||
"owner": "root",
|
"owner": "root",
|
||||||
"perm": "0644"
|
"perm": "0644"
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"source": "{{ container_config_directory }}/ssh_config",
|
|
||||||
"dest": "/var/lib/keystone/.ssh/config",
|
|
||||||
"owner": "keystone",
|
|
||||||
"perm": "0600"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"source": "{{ container_config_directory }}/id_rsa",
|
|
||||||
"dest": "/var/lib/keystone/.ssh/id_rsa",
|
|
||||||
"owner": "keystone",
|
|
||||||
"perm": "0600"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"source": "{{ container_config_directory }}/id_rsa.pub",
|
"source": "{{ container_config_directory }}/id_rsa.pub",
|
||||||
"dest": "/var/lib/keystone/.ssh/authorized_keys",
|
"dest": "/var/lib/keystone/.ssh/authorized_keys",
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
Host {% for host in groups['keystone'] %}{% if inventory_hostname != host %}{{ host }} {% endif %}{% endfor %}
|
Host *
|
||||||
StrictHostKeyChecking no
|
StrictHostKeyChecking no
|
||||||
UserKnownHostsFile /dev/null
|
UserKnownHostsFile /dev/null
|
||||||
Port {{ keystone_ssh_port }}
|
Port {{ keystone_ssh_port }}
|
||||||
@ -61,13 +61,13 @@ RUN echo > /etc/apache2/ports.conf
|
|||||||
{% block keystone_source_install %}
|
{% block keystone_source_install %}
|
||||||
ADD keystone-base-archive /keystone-base-source
|
ADD keystone-base-archive /keystone-base-source
|
||||||
RUN ln -s keystone-base-source/* keystone \
|
RUN ln -s keystone-base-source/* keystone \
|
||||||
&& useradd --user-group keystone \
|
&& useradd --user-group --create-home --home-dir /var/lib/keystone keystone \
|
||||||
&& /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /keystone \
|
&& /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /keystone \
|
||||||
&& mkdir -p /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
|
&& mkdir -p /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 \
|
||||||
&& cp -r /keystone/etc/* /etc/keystone/ \
|
&& cp -r /keystone/etc/* /etc/keystone/ \
|
||||||
&& cp /var/lib/kolla/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
|
&& cp /var/lib/kolla/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
|
||||||
&& cp /var/lib/kolla/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/main \
|
&& cp /var/lib/kolla/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/main \
|
||||||
&& chown -R keystone: /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone
|
&& chown -R keystone: /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|||||||
@ -8,11 +8,13 @@ MAINTAINER {{ maintainer }}
|
|||||||
{% if base_distro in ['fedora', 'centos', 'oraclelinux', 'rhel'] %}
|
{% if base_distro in ['fedora', 'centos', 'oraclelinux', 'rhel'] %}
|
||||||
{% set keystone_fernet_packages = [
|
{% set keystone_fernet_packages = [
|
||||||
'cronie',
|
'cronie',
|
||||||
|
'openssh-clients',
|
||||||
'rsync'
|
'rsync'
|
||||||
] %}
|
] %}
|
||||||
{% elif base_distro in ['ubuntu', 'debian'] %}
|
{% elif base_distro in ['ubuntu', 'debian'] %}
|
||||||
{% set keystone_fernet_packages = [
|
{% set keystone_fernet_packages = [
|
||||||
'cron',
|
'cron',
|
||||||
|
'openssh-client',
|
||||||
'rsync'
|
'rsync'
|
||||||
] %}
|
] %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|||||||
@ -6,9 +6,15 @@ MAINTAINER {{ maintainer }}
|
|||||||
{% import "macros.j2" as macros with context %}
|
{% import "macros.j2" as macros with context %}
|
||||||
|
|
||||||
{% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %}
|
{% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %}
|
||||||
{% set keystone_ssh_packages = ['openssh-server'] %}
|
{% set keystone_ssh_packages = [
|
||||||
|
'openssh-server',
|
||||||
|
'rsync'
|
||||||
|
] %}
|
||||||
{% elif base_distro in ['ubuntu', 'debian'] %}
|
{% elif base_distro in ['ubuntu', 'debian'] %}
|
||||||
{% set keystone_ssh_packages = ['openssh-server'] %}
|
{% set keystone_ssh_packages = [
|
||||||
|
'openssh-server',
|
||||||
|
'rsync'
|
||||||
|
] %}
|
||||||
|
|
||||||
RUN mkdir -p /var/run/sshd \
|
RUN mkdir -p /var/run/sshd \
|
||||||
&& chmod 0755 /var/run/sshd
|
&& chmod 0755 /var/run/sshd
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user