From da42f3d139e595d09edfb30334fbc7ce17ffa3fe Mon Sep 17 00:00:00 2001
From: Teoman ONAY
Date: Mon, 7 Feb 2022 14:23:49 +0100
Subject: [PATCH] Enable user to change the account used for ssh connection

By default cephadm uses root account to connect remotely to other nodes in the cluster. This change allows to choose another account. This commit also allows to use a dedicated subnet for cephadm mgmt.
Signed-off-by: Teoman ONAY
---
group_vars/all.yml.sample | 5 +++
group_vars/rhcs.yml.sample | 5 +++
infrastructure-playbooks/cephadm-adopt.yml | 52 +++++++++++++++++++---
roles/ceph-defaults/defaults/main.yml | 5 +++
4 files changed, 60 insertions(+), 7 deletions(-)

diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index ad6bc08ad..d785dbc18 100644
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -75,6 +75,11 @@ dummy:
#ceph_dashboard_firewall_zone: public
#ceph_rgwloadbalancer_firewall_zone: public

+# cephadm account for remote connections
+#cephadm_ssh_user: root
+#cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"
+#cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub"
+#cephadm_mgmt_network: "{{ public_network }}"

############
# PACKAGES #
diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index d57830ceb..534dc271c 100644
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -75,6 +75,11 @@ dummy:
#ceph_dashboard_firewall_zone: public
#ceph_rgwloadbalancer_firewall_zone: public

+# cephadm account for remote connections
+#cephadm_ssh_user: root
+#cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"
+#cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub"
+#cephadm_mgmt_network: "{{ public_network }}"

############
# PACKAGES #
diff --git a/infrastructure-playbooks/cephadm-adopt.yml b/infrastructure-playbooks/cephadm-adopt.yml
index 24ed0632d..1a2973160 100644
--- a/infrastructure-playbooks/cephadm-adopt.yml
+++ b/infrastructure-playbooks/cephadm-adopt.yml
@@ -249,12 +249,50 @@
run_once: true
delegate_to: '{{ groups[mon_group_name][0] }}'

- - name: generate cephadm ssh key
+ - name: check if there is an existing ssh keypair
+ stat:
+ path: "{{ item }}"
+ loop:
+ - "{{ cephadm_ssh_priv_key_path }}"
+ - "{{ cephadm_ssh_pub_key_path }}"
+ register: ssh_keys
+ changed_when: false
+ run_once: true
+ delegate_to: '{{ groups[mon_group_name][0] }}'
+
+ - name: set fact
+ set_fact:
+ stat_ssh_key_pair: "{{ ssh_keys.results | map(attribute='stat.exists') | list }}"
+
+ - name: fail if either ssh public or private key is missing
+ fail:
+ msg: "One part of the ssh keypair of user {{ cephadm_ssh_user }} is missing"
+ when:
+ - false in stat_ssh_key_pair
+ - true in stat_ssh_key_pair
+
+ - name: generate cephadm ssh key if there is none
command: "{{ ceph_cmd }} cephadm generate-key"
+ when: not true in stat_ssh_key_pair
changed_when: false
run_once: true
delegate_to: '{{ groups[mon_group_name][0] }}'

+ - name: use existing user keypair for remote connections
+ when: not false in stat_ssh_key_pair
+ delegate_to: "{{ groups[mon_group_name][0] }}"
+ run_once: true
+ command: >
+ {{ container_binary + ' run --rm --net=host --security-opt label=disable
+ -v /etc/ceph:/etc/ceph:z
+ -v /var/lib/ceph:/var/lib/ceph:ro
+ -v /var/run/ceph:/var/run/ceph:z
+ -v ' + item.1 + ':/etc/ceph/cephadm.' + item.0 + ':ro --entrypoint=ceph '+ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else 'ceph' }}
+ --cluster {{ cluster }} config-key set mgr/cephadm/ssh_identity_{{ item.0 }} -i /etc/ceph/cephadm.{{ item.0 }}
+ with_together:
+ - [ 'pub', 'key' ]
+ - [ '{{ cephadm_ssh_pub_key_path }}', '{{ cephadm_ssh_priv_key_path }}' ]
+
- name: get the cephadm ssh pub key
command: "{{ ceph_cmd }} cephadm get-pub-key"
changed_when: false
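Review bot: The `use existing user keypair for remote connections` task uploads whatever private key sits at `cephadm_ssh_priv_key_path` into the cluster config-key store (`config-key set mgr/cephadm/ssh_identity_{{ item.0 }} -i ...`) with no check that it is usable or safe to share: a passphrase-protected key cannot be used by cephadm, and the default path is the account's everyday `~/.ssh/id_rsa`, which after this task can be read back by anyone holding an admin keyring via `ceph config-key get`. The preceding `stat` check only proves the two files exist, so I would run `ssh-keygen -y -P ''` against the private key before the upload and document that a dedicated keypair is preferable to the account's general-purpose one. The same task is also missing `changed_when: false`, unlike its neighbours, so the play reports a change on every run. The play's `tasks:` header and any `become` setting are outside the hunk, so I cannot tell who owns the mounted file.
```yaml
    # … unchanged: stat / set fact / fail tasks …
    - name: refuse a passphrase-protected or unreadable private key
      # ssh-keygen -y exits non-zero when the key is encrypted (cephadm cannot
      # supply a passphrase) or malformed; do not store an unusable key.
      command: ssh-keygen -y -P '' -f "{{ cephadm_ssh_priv_key_path }}"
      register: cephadm_priv_key_check
      changed_when: false
      run_once: true
      delegate_to: "{{ groups[mon_group_name][0] }}"
      when: not false in stat_ssh_key_pair
    # … unchanged: generate cephadm ssh key / use existing user keypair / get-pub-key tasks …
```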
@@ -262,13 +300,13 @@
register: cephadm_pubpkey
delegate_to: '{{ groups[mon_group_name][0] }}'

- - name: allow cephadm key for {{ cephadm_ssh_user | default('root') }} account
+ - name: allow cephadm key for {{ cephadm_ssh_user }} account
authorized_key:
- user: "{{ cephadm_ssh_user | default('root') }}"
+ user: "{{ cephadm_ssh_user }}"
key: '{{ cephadm_pubpkey.stdout }}'

- - name: set cephadm ssh user to {{ cephadm_ssh_user | default('root') }}
- command: "{{ ceph_cmd }} cephadm set-user {{ cephadm_ssh_user | default('root') }}"
+ - name: set cephadm ssh user to {{ cephadm_ssh_user }}
+ command: "{{ ceph_cmd }} cephadm set-user {{ cephadm_ssh_user }}"
changed_when: false
run_once: true
delegate_to: "{{ groups[mon_group_name][0] }}"
@@ -323,13 +361,13 @@
when: is_hci | bool

- name: manage nodes with cephadm - ipv4
- command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(public_network.split(',')) | first }} {{ group_names | join(' ') }}"
+ command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(cephadm_mgmt_network.split(',')) | first }} {{ group_names | join(' ') }}"
changed_when: false
delegate_to: '{{ groups[mon_group_name][0] }}'
when: ip_version == 'ipv4'

- name: manage nodes with cephadm - ipv6
- command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(public_network.split(',')) | last | ipwrap }} {{ group_names | join(' ') }}"
+ command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(cephadm_mgmt_network.split(',')) | last | ipwrap }} {{ group_names | join(' ') }}"
changed_when: false
delegate_to: '{{ groups[mon_group_name][0] }}'
when: ip_version == 'ipv6'
diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index f4e55dbde..4e7ed67e7 100644
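Review bot: Nothing in the play verifies that `cephadm_ssh_user` exists on every host, or that it can escalate privileges, before `authorized_key` installs the key into that account and `cephadm set-user` records it cluster-wide; as far as the cephadm documentation goes, a non-root SSH user needs passwordless sudo on each host, and with this hunk a missing account only surfaces when `authorized_key` fails on that host, while a missing sudo rule surfaces much later at `orch host add`. I would add a precheck ahead of the `allow cephadm key` task, e.g. `getent:` / `database: passwd` / `key: "{{ cephadm_ssh_user }}"` on every host, and state the sudo requirement in the comment above the variable. The surrounding task list and any `become` setting are outside the hunk.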
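Review bot: `ips_in_ranges(cephadm_mgmt_network.split(',')) | first` (and `| last` in the ipv6 task) raises a bare Jinja error when a host has no address inside `cephadm_mgmt_network`, so a host that was never attached to the management subnet fails `orch host add` with no hint of the cause; since this is presumably the address cephadm will SSH to afterwards, a clear failure is worth the extra task. An `assert:` before these two tasks with `that: "ansible_facts['all_ipv4_addresses'] | ips_in_ranges(cephadm_mgmt_network.split(',')) | length > 0"` and `fail_msg: "{{ ansible_facts['nodename'] }} has no address in cephadm_mgmt_network"` (plus the ipv6 twin) would do. `ip_version` and the enclosing task list are defined outside the hunk.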
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -67,6 +67,11 @@ ceph_iscsi_firewall_zone: public
ceph_dashboard_firewall_zone: public
ceph_rgwloadbalancer_firewall_zone: public

+# cephadm account for remote connections
+cephadm_ssh_user: root
+cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"
+cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub"
+cephadm_mgmt_network: "{{ public_network }}"

############
# PACKAGES #
--
2.39.5
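Review bot: `cephadm_ssh_priv_key_path` defaults to `/home/{{ cephadm_ssh_user }}/.ssh/id_rsa`, which with the default `cephadm_ssh_user: root` resolves to `/home/root/.ssh/id_rsa`, a path that does not exist on a normal system because root's home is `/root`; with defaults the key-reuse branch added to cephadm-adopt.yml can therefore never trigger, and a non-root account whose home is not under `/home` is silently treated as having no key. I would derive the directory from the account instead of hard-coding `/home`, e.g. `cephadm_ssh_priv_key_path: "{{ '/root' if cephadm_ssh_user == 'root' else '/home/' ~ cephadm_ssh_user }}/.ssh/id_rsa"`, or resolve it from `getent passwd` at runtime. The comment block should also say what happens to the key, e.g. `# If both files exist the private key is copied into the cluster config-key store (mgr/cephadm/ssh_identity_key); point this at a dedicated cephadm keypair, not the account's everyday key.`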