From: Teoman ONAY Date: Mon, 7 Feb 2022 13:23:49 +0000 (+0100) Subject: Enable user to change the account used for ssh connection X-Git-Tag: v5.0.12~13 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=10a5e54f8fe885f99b73c1c7ed5dccbed71f78fa;p=ceph-ansible.git Enable user to change the account used for ssh connection By default cephadm uses root account to connect remotely to other nodes in the cluster. This change allows to choose another account. This commit also allows to use a dedicated subnet for cephadm mgmt. Signed-off-by: Teoman ONAY (cherry picked from commit da42f3d139e595d09edfb30334fbc7ce17ffa3fe) --- diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample index 8551568a3..664ec12e8 100644 --- a/group_vars/all.yml.sample +++ b/group_vars/all.yml.sample @@ -74,6 +74,11 @@ dummy: #ceph_dashboard_firewall_zone: public #ceph_rgwloadbalancer_firewall_zone: public +# cephadm account for remote connections +#cephadm_ssh_user: root +#cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa" +#cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub" +#cephadm_mgmt_network: "{{ public_network }}" ############ # PACKAGES # diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample index e863233ec..b8715d96b 100644 --- a/group_vars/rhcs.yml.sample +++ b/group_vars/rhcs.yml.sample @@ -74,6 +74,11 @@ dummy: #ceph_dashboard_firewall_zone: public #ceph_rgwloadbalancer_firewall_zone: public +# cephadm account for remote connections +#cephadm_ssh_user: root +#cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa" +#cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub" +#cephadm_mgmt_network: "{{ public_network }}" ############ # PACKAGES # diff --git a/infrastructure-playbooks/cephadm-adopt.yml b/infrastructure-playbooks/cephadm-adopt.yml index 14e2e4a53..8bdb360fb 100644 --- a/infrastructure-playbooks/cephadm-adopt.yml +++ b/infrastructure-playbooks/cephadm-adopt.yml 
@@ -213,12 +213,50 @@ run_once: true delegate_to: '{{ groups[mon_group_name][0] }}' - - name: generate cephadm ssh key + - name: check if there is an existing ssh keypair + stat: + path: "{{ item }}" + loop: + - "{{ cephadm_ssh_priv_key_path }}" + - "{{ cephadm_ssh_pub_key_path }}" + register: ssh_keys + changed_when: false + run_once: true + delegate_to: '{{ groups[mon_group_name][0] }}' + + - name: set fact + set_fact: + stat_ssh_key_pair: "{{ ssh_keys.results | map(attribute='stat.exists') | list }}" + + - name: fail if either ssh public or private key is missing + fail: + msg: "One part of the ssh keypair of user {{ cephadm_ssh_user }} is missing" + when: + - false in stat_ssh_key_pair + - true in stat_ssh_key_pair + + - name: generate cephadm ssh key if there is none command: "{{ ceph_cmd }} cephadm generate-key" + when: not true in stat_ssh_key_pair changed_when: false run_once: true delegate_to: '{{ groups[mon_group_name][0] }}' + - name: use existing user keypair for remote connections + when: not false in stat_ssh_key_pair + delegate_to: "{{ groups[mon_group_name][0] }}" + run_once: true + command: > + {{ container_binary + ' run --rm --net=host --security-opt label=disable + -v /etc/ceph:/etc/ceph:z + -v /var/lib/ceph:/var/lib/ceph:ro + -v /var/run/ceph:/var/run/ceph:z + -v ' + item.1 + ':/etc/ceph/cephadm.' + item.0 + ':ro --entrypoint=ceph '+ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else 'ceph' }} + --cluster {{ cluster }} config-key set mgr/cephadm/ssh_identity_{{ item.0 }} -i /etc/ceph/cephadm.{{ item.0 }} + with_together: + - [ 'pub', 'key' ] + - [ '{{ cephadm_ssh_pub_key_path }}', '{{ cephadm_ssh_priv_key_path }}' ] + - name: get the cephadm ssh pub key command: "{{ ceph_cmd }} cephadm get-pub-key" changed_when: false 
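Review bot: In the `use existing user keypair for remote connections` task the `-i /etc/ceph/cephadm.{{ item.0 }}` argument only resolves inside the container: the `-v item.1:/etc/ceph/cephadm.<item.0>:ro` bind mount is part of the containerized branch of the Jinja expression, so on a non-containerized deployment plain `ceph` is asked to read `/etc/ceph/cephadm.key`, which nothing on the host creates. Point the argument at the host path in that branch, e.g. `-i {{ '/etc/ceph/cephadm.' + item.0 if containerized_deployment | bool else item.1 }}`. The task also has no `changed_when`, so it reports changed on every run while the neighbouring `generate cephadm ssh key if there is none` task sets `changed_when: false`. Because this task copies the user's private key into the `mgr/cephadm/ssh_identity_key` config-key, a comment on the task stating that (`# reads the private key read-only and stores it under mgr/cephadm/ssh_identity_key`) would help the next reader; the enclosing play continues outside this hunk.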
@@ -226,13 +264,13 @@ register: cephadm_pubpkey delegate_to: '{{ groups[mon_group_name][0] }}' - - name: allow cephadm key for {{ cephadm_ssh_user | default('root') }} account + - name: allow cephadm key for {{ cephadm_ssh_user }} account authorized_key: - user: "{{ cephadm_ssh_user | default('root') }}" + user: "{{ cephadm_ssh_user }}" key: '{{ cephadm_pubpkey.stdout }}' - - name: set cephadm ssh user to {{ cephadm_ssh_user | default('root') }} - command: "{{ ceph_cmd }} cephadm set-user {{ cephadm_ssh_user | default('root') }}" + - name: set cephadm ssh user to {{ cephadm_ssh_user }} + command: "{{ ceph_cmd }} cephadm set-user {{ cephadm_ssh_user }}" changed_when: false run_once: true delegate_to: "{{ groups[mon_group_name][0] }}" @@ -287,13 +325,13 @@ when: is_hci | bool - name: manage nodes with cephadm - ipv4 - command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(public_network.split(',')) | first }} {{ group_names | join(' ') }}" + command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(cephadm_mgmt_network.split(',')) | first }} {{ group_names | join(' ') }}" changed_when: false delegate_to: '{{ groups[mon_group_name][0] }}' when: ip_version == 'ipv4' - name: manage nodes with cephadm - ipv6 - command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(public_network.split(',')) | last | ipwrap }} {{ group_names | join(' ') }}" + command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(cephadm_mgmt_network.split(',')) | last | ipwrap }} {{ group_names | join(' ') }}" changed_when: false delegate_to: '{{ groups[mon_group_name][0] }}' when: ip_version == 'ipv6' diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml index 783bcbec2..9488374aa 100644 
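Review bot: The `allow cephadm key for {{ cephadm_ssh_user }} account` task now targets whatever account is configured, but nothing in the play checks that the account exists on every host, so a typo in `cephadm_ssh_user` surfaces only as an `authorized_key` failure on each node. A short pre-check before this task, e.g. `command: getent passwd {{ cephadm_ssh_user }}` with a `fail` message naming the variable, would make the misconfiguration obvious. Whether a non-root `cephadm_ssh_user` can escalate privileges on the managed hosts is presumably left to the operator; a comment on the `set cephadm ssh user` task saying so would document that assumption. The enclosing play continues outside this hunk.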
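Review bot: With `cephadm_mgmt_network` now able to name a subnet distinct from `public_network`, a host that has no address in that range makes `ips_in_ranges(cephadm_mgmt_network.split(',')) | first` (and `| last` in the ipv6 task) fail with a generic templating error inside the `orch host add` command rather than a message naming the host and the variable. An `assert` ahead of these two tasks, with `that: ansible_facts['all_ipv4_addresses'] | ips_in_ranges(cephadm_mgmt_network.split(',')) | length > 0` and a `fail_msg` that names `cephadm_mgmt_network`, would report the mismatch clearly. Both tasks embed the same expression; computing it once with `set_fact` (e.g. `cephadm_mgmt_ip`) would keep the ipv4 and ipv6 variants in step.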
--- a/roles/ceph-defaults/defaults/main.yml +++ b/roles/ceph-defaults/defaults/main.yml @@ -66,6 +66,11 @@ ceph_iscsi_firewall_zone: public ceph_dashboard_firewall_zone: public ceph_rgwloadbalancer_firewall_zone: public +# cephadm account for remote connections +cephadm_ssh_user: root +cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa" +cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub" +cephadm_mgmt_network: "{{ public_network }}" ############ # PACKAGES #
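Review bot: The default `cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"` expands to `/home/root/.ssh/id_rsa` for the default `cephadm_ssh_user: root`, which on typical systems is not root's home, so the existing-keypair detection in cephadm-adopt.yml never matches for the default user and always falls through to `cephadm generate-key`. If that fallback is the intent, say so in the comment; otherwise derive the path from the account's actual home, e.g. `cephadm_ssh_priv_key_path: "{{ '/root' if cephadm_ssh_user == 'root' else '/home/' + cephadm_ssh_user }}/.ssh/id_rsa"`. The same default is reproduced in the `group_vars/all.yml.sample` and `group_vars/rhcs.yml.sample` hunks of this commit. Since the adopt playbook stores the private key found at this path under the `mgr/cephadm/ssh_identity_key` config-key, the `# cephadm account for remote connections` comment could also note that an existing key at this path is taken over by cephadm.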