author | Oliver Walsh <owalsh@redhat.com> | 2017-05-04 20:21:51 +0100 |
---|---|---|
committer | Oliver Walsh <owalsh@redhat.com> | 2017-05-05 12:36:05 +0100 |
commit | fe8edab1f4c761dcd6bad8eb6ccadd62627b077a (patch) | |
tree | 48c07e3f595e600c0beed8dc52b588ec698c8b12 /manifests | |
parent | f8ca94a5b7c7658631f5b0a9b010251ebbcff65e (diff) |
Disable SSH login for nova_migration user when migration over ssh is disabled.
If migration over ssh is enabled, and then later disabled, the ssh config
for the nova_migration user remains intact. This change clobbers the migration
SSH key to disable login when it is not necessary.
Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #1688321
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/profile/base/nova.pp | 57 |
1 files changed, 34 insertions, 23 deletions
diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp
index 65355d4..6065e62 100644
--- a/manifests/profile/base/nova.pp
+++ b/manifests/profile/base/nova.pp
@@ -217,31 +217,42 @@ class tripleo::profile::base::nova (
 notify => Service['sshd']
 }
- file { '/etc/nova/migration/authorized_keys':
- content => $migration_ssh_key['public_key'],
- mode => '0640',
- owner => 'root',
- group => 'nova_migration',
- require => Package['openstack-nova-migration'],
- }
+ $migration_authorized_keys = $migration_ssh_key['public_key']
+ $migration_identity = $migration_ssh_key['private_key']
+ $migration_user_shell = '/bin/bash'
+ }
+ else {
+ # Remove the keys and prevent login when migration over SSH is not enabled
+ $migration_authorized_keys = '# Migration over SSH disabled by TripleO'
+ $migration_identity = '# Migration over SSH disabled by TripleO'
+ $migration_user_shell = '/sbin/nologin'
+ }
- # Client side
- file { '/etc/nova/migration/identity':
- content => $migration_ssh_key['private_key'],
- mode => '0600',
- owner => 'nova',
- group => 'nova',
- require => Package['openstack-nova-migration'],
- }
- $migration_pkg_ensure = installed
- } else {
- $migration_pkg_ensure = absent
+ package { 'openstack-nova-migration':
+ ensure => present,
+ tag => ['openstack', 'nova-package'],
+ }
+
+ file { '/etc/nova/migration/authorized_keys':
+ content => $migration_authorized_keys,
+ mode => '0640',
+ owner => 'root',
+ group => 'nova_migration',
+ require => Package['openstack-nova-migration']
+ }
+
+ file { '/etc/nova/migration/identity':
+ content => $migration_identity,
+ mode => '0600',
+ owner => 'nova',
+ group => 'nova',
+ require => Package['openstack-nova-migration']
+ }
+
+ user {'nova_migration':
+ shell => $migration_user_shell,
+ require => Package['openstack-nova-migration']
 }
- } else {
- $migration_pkg_ensure = absent
- }
- package {'openstack-nova-migration':
- ensure => $migration_pkg_ensure
 }
 }
 }
|
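Review bot: The disabled branch relies on two facts that are not written down next to the sentinel values: sshd treats a line beginning with `#` in authorized_keys as a comment, so the file effectively holds no keys, and `/sbin/nologin` blocks an interactive or forced-command login even if a key were somehow present. A one-line comment above `$migration_authorized_keys` in the else branch would make the intent explicit, e.g. `# sshd ignores '#' lines, so a comment-only authorized_keys grants no access; nologin is the second layer`. The `user {'nova_migration':` resource is written with different brace spacing than the `file { '...':` and `package { '...':` resources, and the `package` body uses trailing commas while the `file` and `user` bodies do not; the hunk would read more consistently with one convention. The `if` whose `else` is introduced here, and the sshd configuration resource ending at `notify => Service['sshd']`, both begin outside the hunk, so whether that sshd fragment is also reverted when migration is disabled cannot be judged from these lines.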