-rw-r--r--deployed-server/deployed-server-roles-data.yaml22
-rwxr-xr-xdeployed-server/scripts/enable-ssh-admin.sh33
-rw-r--r--environments/docker.yaml2
-rw-r--r--extraconfig/pre_deploy/rhel-registration/scripts/rhel-registration17
-rw-r--r--releasenotes/notes/sat_capsule-bb59fad44c17f97f.yaml7
5 files changed, 48 insertions, 33 deletions
diff --git a/deployed-server/deployed-server-roles-data.yaml b/deployed-server/deployed-server-roles-data.yaml
index 877fc7dc..8611940a 100644
--- a/deployed-server/deployed-server-roles-data.yaml
+++ b/deployed-server/deployed-server-roles-data.yaml
@@ -34,12 +34,6 @@
- StorageMgmt
- Tenant
HostnameFormatDefault: '%stackname%-controller-%index%'
- # Deprecated & backward-compatible values (FIXME: Make parameters consistent)
- # Set uses_deprecated_params to True if any deprecated params are used.
- uses_deprecated_params: True
- deprecated_param_extraconfig: 'controllerExtraConfig'
- deprecated_param_flavor: 'OvercloudControlFlavor'
- deprecated_param_image: 'controllerImage'
ServicesDefault:
- OS::TripleO::Services::AodhApi
- OS::TripleO::Services::AodhEvaluator
@@ -174,15 +168,6 @@
- InternalApi
- Tenant
- Storage
- # Deprecated & backward-compatible values (FIXME: Make parameters consistent)
- # Set uses_deprecated_params to True if any deprecated params are used.
- uses_deprecated_params: True
- deprecated_param_image: 'NovaImage'
- deprecated_param_extraconfig: 'NovaComputeExtraConfig'
- deprecated_param_metadata: 'NovaComputeServerMetadata'
- deprecated_param_scheduler_hints: 'NovaComputeSchedulerHints'
- deprecated_param_ips: 'NovaComputeIPs'
- deprecated_server_resource_name: 'NovaCompute'
ServicesDefault:
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::CACerts
@@ -256,13 +241,6 @@
- InternalApi
- Storage
- StorageMgmt
- # Deprecated & backward-compatible values (FIXME: Make parameters consistent)
- # Set uses_deprecated_params to True if any deprecated params are used.
- uses_deprecated_params: True
- deprecated_param_metadata: 'SwiftStorageServerMetadata'
- deprecated_param_ips: 'SwiftStorageIPs'
- deprecated_param_image: 'SwiftStorageImage'
- deprecated_param_flavor: 'OvercloudSwiftStorageFlavor'
disable_upgrade_deployment: True
ServicesDefault:
- OS::TripleO::Services::AuditD
diff --git a/deployed-server/scripts/enable-ssh-admin.sh b/deployed-server/scripts/enable-ssh-admin.sh
index dcabeadf..daff3907 100755
--- a/deployed-server/scripts/enable-ssh-admin.sh
+++ b/deployed-server/scripts/enable-ssh-admin.sh
@@ -10,6 +10,7 @@ SUBNODES_SSH_KEY=${SUBNODES_SSH_KEY:-"$HOME/.ssh/id_rsa"}
# this is the intended variable for overriding
OVERCLOUD_SSH_KEY=${OVERCLOUD_SSH_KEY:-"$SUBNODES_SSH_KEY"}
+SHORT_TERM_KEY_COMMENT="TripleO split stack short term key"
SLEEP_TIME=5
function overcloud_ssh_hosts_json {
@@ -22,7 +23,7 @@ print(json.dumps(re.split("\s+", sys.stdin.read().strip())))'
function overcloud_ssh_key_json {
# we pass the contents to Mistral instead of just path, otherwise
# the key file would have to be readable for the mistral user
- cat "$OVERCLOUD_SSH_KEY" | python -c 'import json,sys; print(json.dumps(sys.stdin.read()))'
+ cat "$1" | python -c 'import json,sys; print(json.dumps(sys.stdin.read()))'
}
function workflow_finished {
@@ -30,6 +31,12 @@ function workflow_finished {
openstack workflow execution show -f shell $execution_id | grep 'state="SUCCESS"' > /dev/null
}
+function generate_short_term_keys {
+ local tmpdir=$(mktemp -d)
+ ssh-keygen -N '' -t rsa -b 4096 -f "$tmpdir/id_rsa" -C "$SHORT_TERM_KEY_COMMENT" > /dev/null
+ echo "$tmpdir"
+}
+
if [ -z "$OVERCLOUD_HOSTS" ]; then
echo 'Please set $OVERCLOUD_HOSTS'
exit 1
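Review bot: In generate_short_term_keys, `local tmpdir=$(mktemp -d)` hides a mktemp failure because `local` itself returns 0, so with an empty `tmpdir` ssh-keygen would be asked to write an unencrypted private key to `/id_rsa`. Declare and assign separately, `local tmpdir` then `tmpdir=$(mktemp -d) || return 1`, and have the caller stop when the function fails. The same applies to ssh-keygen: its exit status is not checked, so a failed key generation still prints a directory that the caller treats as holding a valid key pair. The function is complete in this hunk; the `if` block after it continues outside.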
@@ -41,7 +48,20 @@ echo "SSH key file: $OVERCLOUD_SSH_KEY"
echo "Hosts: $OVERCLOUD_HOSTS"
echo
-EXECUTION_PARAMS="{\"ssh_user\": \"$OVERCLOUD_SSH_USER\", \"ssh_servers\": $(overcloud_ssh_hosts_json), \"ssh_private_key\": $(overcloud_ssh_key_json)}"
+SHORT_TERM_KEY_DIR=$(generate_short_term_keys)
+SHORT_TERM_KEY_PRIVATE="$SHORT_TERM_KEY_DIR/id_rsa"
+SHORT_TERM_KEY_PUBLIC="$SHORT_TERM_KEY_DIR/id_rsa.pub"
+SHORT_TERM_KEY_PUBLIC_CONTENT=$(cat $SHORT_TERM_KEY_PUBLIC)
+
+for HOST in $OVERCLOUD_HOSTS; do
+ echo "Inserting TripleO short term key for $HOST"
+ # prepending an extra newline so that if authorized_keys didn't
+ # end with a newline previously, we don't end up garbling it up
+ ssh -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$HOST" "echo -e '\n$SHORT_TERM_KEY_PUBLIC_CONTENT' >> \$HOME/.ssh/authorized_keys"
+done
+
+echo "Starting ssh admin enablement workflow"
+EXECUTION_PARAMS="{\"ssh_user\": \"$OVERCLOUD_SSH_USER\", \"ssh_servers\": $(overcloud_ssh_hosts_json), \"ssh_private_key\": $(overcloud_ssh_key_json "$SHORT_TERM_KEY_PRIVATE")}"
EXECUTION_CREATE_OUTPUT=$(openstack workflow execution create -f shell -d 'deployed server ssh admin creation' tripleo.access.v1.enable_ssh_admin "$EXECUTION_PARAMS")
echo "$EXECUTION_CREATE_OUTPUT"
EXECUTION_ID=$(echo "$EXECUTION_CREATE_OUTPUT" | grep '^id=' | awk '-F"' '{ print $2 }')
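Review bot: The short-term public key is appended to authorized_keys on every host here, but it is only removed at the very end of the script (the hunk at -56,5 +76,14), so a failed `openstack workflow execution create`, an interrupted run or a workflow that never reaches SUCCESS leaves a passphrase-less key authorized on all hosts and its private half in the temp directory. Registering the cleanup with `trap ... EXIT` right after the key is generated would cover those paths; the explicit removal loop at the end could then go. Separately, `cat $SHORT_TERM_KEY_PUBLIC` should be quoted, and the insertion loop does not check the ssh exit status, so a host where the append failed is only discovered when the workflow cannot log in.

```shell
SHORT_TERM_KEY_DIR=$(generate_short_term_keys)
# … unchanged: SHORT_TERM_KEY_PRIVATE / SHORT_TERM_KEY_PUBLIC assignments …

function remove_short_term_keys {
    local host
    for host in $OVERCLOUD_HOSTS; do
        echo "Removing TripleO short term key from $host"
        ssh -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$host" \
            "sed -i -e '/$SHORT_TERM_KEY_COMMENT/d' \$HOME/.ssh/authorized_keys" \
            || echo "WARNING: short term key still present on $host" >&2
    done
    rm -rf -- "${SHORT_TERM_KEY_DIR:?}"
}
trap remove_short_term_keys EXIT
# … unchanged: insertion loop and workflow execution …
```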
@@ -56,5 +76,14 @@ while ! workflow_finished $EXECUTION_ID; do
sleep $SLEEP_TIME
echo -n .
done
+echo # newline after the previous dots
+
+for HOST in $OVERCLOUD_HOSTS; do
+ echo "Removing TripleO short term key from $HOST"
+ ssh -l "$OVERCLOUD_SSH_USER" "$HOST" "sed -i -e '/$SHORT_TERM_KEY_COMMENT/d' \$HOME/.ssh/authorized_keys"
+done
+
+echo "Removing short term keys locally"
+rm -r "$SHORT_TERM_KEY_DIR"
echo "Success."
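Review bot: The removal loop calls `ssh -l "$OVERCLOUD_SSH_USER" "$HOST"` without the `-i "$OVERCLOUD_SSH_KEY"` that the insertion loop uses, so when OVERCLOUD_SSH_KEY is overridden to a non-default identity the login may fail and the short-term key stays in authorized_keys. The exit status of that ssh is not checked either; unless errexit is set earlier in the script (not visible here), the script would still print "Success.". Suggested line: `ssh -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$HOST" "sed -i -e '/$SHORT_TERM_KEY_COMMENT/d' \$HOME/.ssh/authorized_keys" || { echo "Failed to remove short term key from $HOST" >&2; exit 1; }`. The `while` loop above this hunk starts outside the visible lines.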
diff --git a/environments/docker.yaml b/environments/docker.yaml
index 57379925..58691cc1 100644
--- a/environments/docker.yaml
+++ b/environments/docker.yaml
@@ -58,6 +58,8 @@ resource_registry:
# OS::TripleO::Services::CinderBackup: ../docker/services/cinder-backup.yaml
# OS::TripleO::Services::CinderVolume: ../docker/services/cinder-volume.yaml
#
+ OS::TripleO::Services::SwiftDispersion: OS::Heat::None
+
# If SR-IOV is enabled on the compute nodes, it will need the SR-IOV
# host configuration.
OS::TripleO::Services::NeutronSriovHostConfig: OS::Heat::None
diff --git a/extraconfig/pre_deploy/rhel-registration/scripts/rhel-registration b/extraconfig/pre_deploy/rhel-registration/scripts/rhel-registration
index 487857ef..d754aafd 100644
--- a/extraconfig/pre_deploy/rhel-registration/scripts/rhel-registration
+++ b/extraconfig/pre_deploy/rhel-registration/scripts/rhel-registration
@@ -186,14 +186,13 @@ function retry() {
set -e
}
-function detect_satellite_version {
- ping_api=$REG_SAT_URL/katello/api/ping
- if curl --retry ${retry_max_count} --retry-delay 10 --max-time 30 -L -k -s -D - -o /dev/null $ping_api | grep "200 OK"; then
- echo Satellite 6 detected at $REG_SAT_URL
- satellite_version=6
+function detect_satellite_server {
+ if curl --retry ${retry_max_count} --retry-delay 10 --max-time 30 -L -k -s -D - -o /dev/null $REG_SAT_URL/pub/katello-ca-consumer-latest.noarch.rpm | grep "200 OK"; then
+ echo Satellite 6 or beyond with Katello API detected at $REG_SAT_URL
+ katello_api_enabled=1
elif curl --retry ${retry_max_count} --retry-delay 10 --max-time 30 -L -k -s -D - -o /dev/null $REG_SAT_URL/rhn/Login.do | grep "200 OK"; then
- echo Satellite 5 detected at $REG_SAT_URL
- satellite_version=5
+ echo Satellite 5 with RHN detected at $REG_SAT_URL
+ katello_api_enabled=0
else
echo No Satellite detected at $REG_SAT_URL
exit 1
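Review bot: The new probe in detect_satellite_server sets `katello_api_enabled=1` from a response fetched with `-k`, so the branch that goes on to download katello-ca-consumer-latest.noarch.rpm (next hunk, also with `-k`) is selected without authenticating the server; the function deserves a comment saying that this is a trust-on-first-use bootstrap, and an operator-supplied CA bundle should be accepted where one exists. Matching the header dump with `grep "200 OK"` is also fragile: with `-L` it sees the headers of every redirect hop, and an HTTP/2 status line carries no "OK" reason phrase. Comparing the final status code is more exact, e.g. `[ "$(curl --retry ${retry_max_count} --retry-delay 10 --max-time 30 -L -k -s -o /dev/null -w '%{http_code}' "$REG_SAT_URL/pub/katello-ca-consumer-latest.noarch.rpm")" = "200" ]`, which also quotes `$REG_SAT_URL`. The function's closing `fi` and `}` lie outside the hunk.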
@@ -231,8 +230,8 @@ case "${REG_METHOD:-}" in
retry subscription-manager $repos
;;
satellite)
- detect_satellite_version
- if [ "$satellite_version" = "6" ]; then
+ detect_satellite_server
+ if [ "$katello_api_enabled" = "1" ]; then
repos="$repos --enable ${satellite_repo}"
curl --retry ${retry_max_count} --retry-delay 10 --max-time 30 -L -k -O "$REG_SAT_URL/pub/katello-ca-consumer-latest.noarch.rpm"
diff --git a/releasenotes/notes/sat_capsule-bb59fad44c17f97f.yaml b/releasenotes/notes/sat_capsule-bb59fad44c17f97f.yaml
new file mode 100644
index 00000000..58298d36
--- /dev/null
+++ b/releasenotes/notes/sat_capsule-bb59fad44c17f97f.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ For deployments running on RHEL with Satellite 6 (or beyond) with Capsule (Katello API enabled),
+ the Katello API is available on 8443 port, so the previous API ping didn't work for this case.
+ Capsule is now supported since we just check if katello-ca-consumer-latest rpm is available
+ to tell that Satellite version is 6 or beyond.