Commit dd97b051 authored by Thomas Goirand's avatar Thomas Goirand

* Provision ssh public / private keypair between nova nodes in the

    /var/lib/nova/.ssh folder, to allow (live) migration using ssh / scp.
parent 3346982e
......@@ -12,6 +12,8 @@ openstack-cluster-installer (21) UNRELEASED; urgency=medium
the slave image.
* Add option to show the calculated IPMI console command.
* Add some sysctl customization (low swappiness, higher conntrack, etc.).
* Provision ssh public / private keypair between nova nodes in the
/var/lib/nova/.ssh folder, to allow (live) migration using ssh / scp.
[ Oliver Chaze ]
* swift: do not log in syslog general logs
......
......@@ -17,6 +17,8 @@ class oci::compute(
$use_ssl = true,
$pass_nova_messaging = undef,
$pass_nova_authtoken = undef,
$pass_nova_ssh_pub = undef,
$pass_nova_ssh_priv = undef,
$pass_neutron_authtoken = undef,
$pass_metadata_proxy_shared_secret = undef,
$pass_neutron_messaging = undef,
......@@ -130,6 +132,8 @@ class oci::compute(
glance_api_servers => "${base_url}/image",
notification_driver => 'messagingv2',
notify_on_state_change => 'vm_and_task_state',
nova_public_key => { type => 'ssh-rsa', key => $pass_nova_ssh_pub },
nova_private_key => { type => 'ssh-rsa', key => base64('decode', $pass_nova_ssh_priv) },
}
class { '::nova::keystone::authtoken':
......@@ -139,8 +143,11 @@ class oci::compute(
cafile => '/etc/ssl/certs/oci-pki-oci-ca-chain.pem',
}
if ($::memorysize_mb < 16000) {
$reserved_host_memory_mb = 1024
# The +0 is there for converting the string to an int,
# 1536 is for the PoC, 8192 is for real deployments where we do expect
# hosts to hold more than 16GB of RAM.
if (($::memorysize_mb + 0) < 16000) {
$reserved_host_memory_mb = 1536
}else{
$reserved_host_memory_mb = 8192
}
......
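Review bot: The private key handed to `nova_private_key` on the `base64('decode', $pass_nova_ssh_priv)` line is a plain String in the catalog, so it appears wherever the catalog or a resource change is logged or reported; if the puppet-nova release in use accepts it, `key => Sensitive(base64('decode', $pass_nova_ssh_priv))` keeps it out of those outputs — to be confirmed against that module's file resource, which indexes the hash. A one-line comment above the pair, e.g. `# the private half arrives base64-encoded from the ENC side (the PEM is multi-line)`, would explain why only one of the two values is decoded; the multi-line reason is inferred from the encoding side of this commit, so adjust if it differs.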
......@@ -309,6 +309,10 @@ export OS_CACERT=/etc/ssl/certs/oci-pki-oci-ca-chain.pem
##############################
# needed for Telemetry / metric / rating
if $has_subrole_gnocchi {
class { 'zookeeper':
client_ip => $machine_ip,
servers => $all_masters,
}
if $is_first_master {
class { '::redis':
bind => $machine_ip,
......
......@@ -14,7 +14,7 @@ $con = connectme($conf);
function get_cluster_password($con, $conf, $cluster_id, $service_type, $password_type){
$json["status"] = "success";
$json["message"] = "Successfuly queried API.";
$q = "SELECT pass FROM passwords WHERE cluster='$cluster_id' AND service='$service_type' AND passtype='$password_type'";
$q = "SELECT pass,passtxt1,passtxt2 FROM passwords WHERE cluster='$cluster_id' AND service='$service_type' AND passtype='$password_type'";
$r = mysqli_query($con, $q);
if($r === FALSE){
$json["status"] = "error";
......@@ -25,7 +25,7 @@ function get_cluster_password($con, $conf, $cluster_id, $service_type, $password
if($n != 1){
# If password doesn't exist, generate it!
insert_cluster_pass($con, $conf, $cluster_id, $service_type, $password_type);
$q = "SELECT pass FROM passwords WHERE cluster='$cluster_id' AND service='$service_type' AND passtype='$password_type'";
$q = "SELECT pass,passtxt1,passtxt2 FROM passwords WHERE cluster='$cluster_id' AND service='$service_type' AND passtype='$password_type'";
$r = mysqli_query($con, $q);
$r = mysqli_query($con, $q);
if($r === FALSE){
......@@ -41,7 +41,12 @@ function get_cluster_password($con, $conf, $cluster_id, $service_type, $password
}
}
$pass_a = mysqli_fetch_array($r);
$json["data"] = $pass_a["pass"];
if($service_type == "nova" && $password_type == "ssh"){
$json["data"]["ssh_pub"] = $pass_a["passtxt1"];
$json["data"]["ssh_priv"] = $pass_a["passtxt2"];
}else{
$json["data"] = $pass_a["pass"];
}
return $json;
}
......@@ -1040,6 +1045,11 @@ function api_actions($con,$conf){
if($json["status"] != "success"){ return $json; }
$enc_file .= " pass_nova_authtoken: " . $json["data"] . "\n";
$json = get_cluster_password($con, $conf, $cluster_id, 'nova', 'ssh');
if($json["status"] != "success"){ return $json; }
$enc_file .= " pass_nova_ssh_pub: " . unserialize($json["data"]["ssh_pub"]) . "\n";
$enc_file .= " pass_nova_ssh_priv: " . base64_encode(unserialize($json["data"]["ssh_priv"])) . "\n";
$json = get_cluster_password($con, $conf, $cluster_id, 'novaneutron', 'shared_secret');
if($json["status"] != "success"){ return $json; }
$enc_file .= " pass_metadata_proxy_shared_secret: " . $json["data"] . "\n";
......
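Review bot: For the `nova`/`ssh` case get_cluster_password copies `passtxt1`/`passtxt2` into `$json["data"]` without checking that either column holds anything, and api_actions only tests `status`, so a row whose key columns are NULL yields an ENC file with empty `pass_nova_ssh_pub`/`pass_nova_ssh_priv` entries and no error; add a check after the fetch that sets `status` to `error` when either value is empty (below). The `unserialize()` calls on the two new `$enc_file .=` lines operate on values read back from the database, and those values are plain strings, so storing them unserialized (escaped with mysqli_real_escape_string on the insert side) and using `$json["data"]["ssh_pub"]` directly removes a deserialization sink at no cost. The replacement SELECT lines keep interpolating `$cluster_id`, `$service_type` and `$password_type` into the query text exactly as the replaced lines did; the commit does not make that worse, but it is the natural moment to switch to a prepared statement. The enclosing function api_actions starts and ends outside the last hunk.
```php
$pass_a = mysqli_fetch_array($r);
if($service_type == "nova" && $password_type == "ssh"){
    if(empty($pass_a["passtxt1"]) || empty($pass_a["passtxt2"])){
        $json["status"] = "error";
        $json["message"] = "No ssh keypair stored for this cluster.";
        return $json;
    }
    // … unchanged: copy of passtxt1/passtxt2 into $json["data"], else branch …
```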
......@@ -119,6 +119,8 @@ $q[] = "CREATE TABLE IF NOT EXISTS `passwords` (
`service` varchar(64) NOT NULL,
`passtype` varchar(64) NOT NULL,
`pass` varchar(128) NOT NULL,
`passtxt1` text,
`passtxt2` text,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;";
......
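Review bot: The two `text` columns are added only inside the `CREATE TABLE IF NOT EXISTS` statement, which does nothing on a database where `passwords` already exists, so an upgraded installation keeps the old table and the new `INSERT INTO passwords (..., passtxt1, passtxt2)` in insert_cluster_pass fails with an unknown-column error unless a migration elsewhere adds them (none is visible in this commit). Pair the schema change with an `ALTER TABLE passwords ADD COLUMN passtxt1 text, ADD COLUMN passtxt2 text` step for existing tables, guarded by an information_schema check or whatever schema-versioning mechanism the project already uses. The statement belongs to a `$q[]` list whose start lies outside the hunk.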
......@@ -120,6 +120,21 @@ function add_node_to_cluster($con, $conf, $machine_id, $cluster_id, $role_name,
return $json;
}
function sshEncodePublicKey($privKey) {
$keyInfo = openssl_pkey_get_details($privKey);
$buffer = pack("N", 7) . "ssh-rsa" . sshEncodeBuffer($keyInfo['rsa']['e']) . sshEncodeBuffer($keyInfo['rsa']['n']);
return "ssh-rsa " . base64_encode($buffer);
}
function sshEncodeBuffer($buffer) {
$len = strlen($buffer);
if (ord($buffer[0]) & 0x80) {
$len++;
$buffer = "\x00" . $buffer;
}
return pack("Na*", $len, $buffer);
}
function insert_cluster_pass($con, $conf, $cluster_id, $service, $passtype){
if($service == "ceph" || $service == "gnocchi"){
if($passtype == "fsid" || $passtype == "libvirtuuid" || $passtype == "uuid"){
......@@ -139,6 +154,25 @@ function insert_cluster_pass($con, $conf, $cluster_id, $service, $passtype){
exec($cmd, $output, $return_var);
$hex = $output[0];
}
}elseif($service == "nova" && $passtype == "ssh"){
# Generate the keypair
$privKey = openssl_pkey_new(array(
'private_key_bits' => 4096,
'private_key_type' => OPENSSL_KEYTYPE_RSA));
# Convert public key to OpenSSH format
$keyInfo = openssl_pkey_get_details($privKey);
$data = pack("Na*", 7, 'ssh-rsa');
$data .= pack("Na*", strlen($keyInfo['rsa']['e']), $keyInfo['rsa']['e']);
$data .= pack("Na*", strlen($keyInfo['rsa']['n']), $keyInfo['rsa']['n']);
$pubKey = base64_encode($data);
openssl_pkey_export($privKey, $pem);
# Store it
$q = "INSERT INTO passwords (cluster, service, passtype, passtxt1, passtxt2) VALUES ('$cluster_id', '$service', '$passtype', '" . serialize($pubKey) . "', '" . serialize($pem) . "')";
$r = mysqli_query($con, $q);
return;
}else{
$bytes = openssl_random_pseudo_bytes(32, $crypto_strong);
$hex = bin2hex($bytes);
......@@ -191,6 +225,7 @@ function new_cluster($con, $conf, $cluster_name, $cluster_domain){
insert_cluster_pass($con, $conf, $cluster_id, 'nova', 'apidb');
insert_cluster_pass($con, $conf, $cluster_id, 'nova', 'messaging');
insert_cluster_pass($con, $conf, $cluster_id, 'nova', 'authtoken');
insert_cluster_pass($con, $conf, $cluster_id, 'nova', 'ssh');
insert_cluster_pass($con, $conf, $cluster_id, 'novaneutron', 'shared_secret');
insert_cluster_pass($con, $conf, $cluster_id, 'placement','db');
insert_cluster_pass($con, $conf, $cluster_id, 'placement','authtoken');
......
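Review bot: The public-key blob built by the three `$data .=` lines in insert_cluster_pass omits the leading 0x00 byte that the SSH mpint encoding requires when the top bit of the magnitude is set, which is always true for the modulus of a 4096-bit key, so as far as I can tell the resulting `ssh-rsa` line is not a valid key and OpenSSH rejects it as a negative bignum; the sshEncodeBuffer helper added in the same commit already handles this, so use it: `$data .= sshEncodeBuffer($keyInfo['rsa']['e']);` and `$data .= sshEncodeBuffer($keyInfo['rsa']['n']);` (sshEncodePublicKey, which is otherwise unused here, then becomes the one place that knows the format). The return values of openssl_pkey_new, openssl_pkey_export and the INSERT are never checked, and the INSERT supplies no value for `pass`, which the schema declares NOT NULL without a default; on a server in strict SQL mode the row is never written and the caller later reads back empty keys, so include `pass` (e.g. `''`) in the column list and treat `$r === FALSE` as an error rather than `return;`. The PEM is exported without a passphrase, so the migration key has exactly the protection of the rest of the passwords table; a one-line comment above the INSERT stating that would help the next maintainer. insert_cluster_pass continues past the end of this hunk.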