path: root/deployed-server/scripts/enable-ssh-admin.sh
blob: daff39079b95e7405368848f7ca2436d3682ffbd (plain)
#!/bin/bash

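# Abort on the first failing command and on any use of an unset variable.
set -eu

# whitespace (space or newline) separated list
OVERCLOUD_HOSTS=${OVERCLOUD_HOSTS:-""}
# Remote login user, defaulting to the local user name. USER is not
# exported in every environment (cron jobs, some containers) and under
# `set -u` an unset USER would abort the script here, so fall back to
# `id -un`. The fallback only runs when OVERCLOUD_SSH_USER is unset.
OVERCLOUD_SSH_USER=${OVERCLOUD_SSH_USER:-"${USER:-$(id -un)}"}
# this is just for compatibility with CI
SUBNODES_SSH_KEY=${SUBNODES_SSH_KEY:-"$HOME/.ssh/id_rsa"}
# this is the intended variable for overriding
OVERCLOUD_SSH_KEY=${OVERCLOUD_SSH_KEY:-"$SUBNODES_SSH_KEY"}

# Comment embedded in the generated short term key. It is also the pattern
# used to delete that key from authorized_keys on the remote hosts, where it
# is interpolated into a single-quoted sed expression: keep it free of '/'
# and quote characters. readonly guards against accidental reassignment.
readonly SHORT_TERM_KEY_COMMENT="TripleO split stack short term key"
# Seconds to wait between two polls of the workflow execution state.
readonly SLEEP_TIME=5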

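# Print $OVERCLOUD_HOSTS (whitespace separated) as a JSON array of strings.
# Globals:   OVERCLOUD_HOSTS (read)
# Outputs:   the JSON array on stdout
# Returns:   non-zero when no python interpreter is available or it fails
function overcloud_ssh_hosts_json {
    local python_bin
    # Prefer `python` as before; fall back to `python3` on systems that no
    # longer ship an unversioned interpreter.
    python_bin=$(command -v python || command -v python3) || {
        echo "No python interpreter found" >&2
        return 1
    }
    # The pattern is a raw string: a plain "\s" is an invalid escape
    # sequence that newer Python 3 releases warn about.
    printf '%s\n' "$OVERCLOUD_HOSTS" | "$python_bin" -c '
from __future__ import print_function
import json, re, sys
print(json.dumps(re.split(r"\s+", sys.stdin.read().strip())))'
}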

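# Print the contents of a key file as a single JSON string.
# Arguments: $1 - path to the key file
# Outputs:   the JSON-encoded file contents on stdout. This is private key
#            material: callers must not echo or log it.
# Returns:   non-zero when the file cannot be read or no python is available
function overcloud_ssh_key_json {
    local python_bin
    python_bin=$(command -v python || command -v python3) || {
        echo "No python interpreter found" >&2
        return 1
    }
    # we pass the contents to Mistral instead of just path, otherwise
    # the key file would have to be readable for the mistral user
    #
    # The file is attached with a redirection rather than `cat |`: without
    # pipefail a failing cat was ignored and an empty key ("") was emitted
    # with exit status 0. An unreadable file now fails the function.
    "$python_bin" -c 'import json,sys; print(json.dumps(sys.stdin.read()))' < "$1"
}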

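# Check whether a Mistral workflow execution has reached state SUCCESS.
# Arguments: $1 - workflow execution id
# Returns:   0 when the `-f shell` output contains state="SUCCESS";
#            non-zero for every other state and when the client call
#            fails, so a caller polling this function cannot tell
#            "still running" apart from "failed".
function workflow_finished {
    local execution_id="$1"
    # Quoted so the id always reaches the client as a single argument.
    openstack workflow execution show -f shell "$execution_id" | grep 'state="SUCCESS"' > /dev/null
}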

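# Generate a passphrase-less RSA 4096 key pair in a fresh temporary directory.
# Globals:   SHORT_TERM_KEY_COMMENT (read) - comment stored in the public key
# Outputs:   the directory path on stdout; it holds id_rsa and id_rsa.pub
# Returns:   non-zero when the directory or the key cannot be created
#
# The private key has no passphrase, so the access restrictions of the
# mktemp-created directory are what protects it; the caller is responsible
# for deleting the directory when done.
function generate_short_term_keys {
    local tmpdir
    # Declared separately from the assignment: `local tmpdir=$(mktemp -d)`
    # hides a mktemp failure, after which ssh-keygen would be asked to
    # write to "/id_rsa".
    tmpdir=$(mktemp -d) || return 1
    ssh-keygen -N '' -t rsa -b 4096 -f "$tmpdir/id_rsa" -C "$SHORT_TERM_KEY_COMMENT" > /dev/null
    echo "$tmpdir"
}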

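# Main flow: authorize a freshly generated short term key on every host with
# the operator's own key, hand the short term private key to the
# tripleo.access.v1.enable_ssh_admin workflow, wait for the workflow to end,
# then remove the short term key from the hosts and from local disk.
if [ -z "$OVERCLOUD_HOSTS" ]; then
    echo 'Please set $OVERCLOUD_HOSTS' >&2
    exit 1
fi

echo "Starting workflow to create ssh admin on deployed servers."
echo "SSH user: $OVERCLOUD_SSH_USER"
echo "SSH key file: $OVERCLOUD_SSH_KEY"
echo "Hosts: $OVERCLOUD_HOSTS"
echo

# Hosts whose authorized_keys may currently contain the short term key.
SHORT_TERM_KEY_HOSTS=""

# Delete every authorized_keys line carrying the short term key comment on
# host $1. Uses the operator's key, the same one used for the insertion.
function remove_short_term_key {
    ssh -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$1" "sed -i -e '/$SHORT_TERM_KEY_COMMENT/d' \$HOME/.ssh/authorized_keys"
}

# EXIT handler. On any exit path it makes a best-effort attempt to revoke
# the short term key from hosts still listed in SHORT_TERM_KEY_HOSTS and
# deletes the local key directory, so that a failed run does not leave a
# passphrase-less key authorized on the servers or readable on disk.
function cleanup_short_term_keys {
    local exit_code=$?
    local host
    trap - EXIT
    set +e
    for host in $SHORT_TERM_KEY_HOSTS; do
        echo "Removing TripleO short term key from $host" >&2
        remove_short_term_key "$host" || \
            echo "WARNING: could not remove the short term key from $host, remove it manually" >&2
    done
    rm -rf -- "${SHORT_TERM_KEY_DIR:?}"
    exit "$exit_code"
}

SHORT_TERM_KEY_DIR=$(generate_short_term_keys)
trap cleanup_short_term_keys EXIT
SHORT_TERM_KEY_PRIVATE="$SHORT_TERM_KEY_DIR/id_rsa"
SHORT_TERM_KEY_PUBLIC="$SHORT_TERM_KEY_DIR/id_rsa.pub"
SHORT_TERM_KEY_PUBLIC_CONTENT=$(cat "$SHORT_TERM_KEY_PUBLIC")

for HOST in $OVERCLOUD_HOSTS; do
    echo "Inserting TripleO short term key for $HOST"
    # recorded before the insert, so that a partially completed insert is
    # still covered by the cleanup
    SHORT_TERM_KEY_HOSTS="$SHORT_TERM_KEY_HOSTS $HOST"
    # prepending an extra newline so that if authorized_keys didn't
    # end with a newline previously, we don't end up garbling it up
    ssh -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$HOST" "echo -e '\n$SHORT_TERM_KEY_PUBLIC_CONTENT' >> \$HOME/.ssh/authorized_keys"
done

echo "Starting ssh admin enablement workflow"
# NOTE(review): $OVERCLOUD_SSH_USER is interpolated into the JSON without
# escaping; a value containing '"' or '\' produces invalid or altered input.
# NOTE(review): the short term private key is passed on the command line
# below, so it is visible in the local process list while the client runs,
# and it is presumably kept with the execution's input on the Mistral side.
# Revoking the key from the hosts afterwards is what bounds that exposure.
EXECUTION_PARAMS="{\"ssh_user\": \"$OVERCLOUD_SSH_USER\", \"ssh_servers\": $(overcloud_ssh_hosts_json), \"ssh_private_key\": $(overcloud_ssh_key_json "$SHORT_TERM_KEY_PRIVATE")}"
EXECUTION_CREATE_OUTPUT=$(openstack workflow execution create -f shell -d 'deployed server ssh admin creation' tripleo.access.v1.enable_ssh_admin "$EXECUTION_PARAMS")
echo "$EXECUTION_CREATE_OUTPUT"
EXECUTION_ID=$(echo "$EXECUTION_CREATE_OUTPUT" | awk -F'"' '/^id=/ { print $2 }')

if [ -z "$EXECUTION_ID" ]; then
    echo "Failed to get workflow execution ID for ssh admin creation workflow" >&2
    exit 1
fi

echo -n "Waiting for the workflow execution to finish (id $EXECUTION_ID)."
while ! workflow_finished "$EXECUTION_ID"; do
    # workflow_finished only recognises SUCCESS. Without this check a failed
    # or cancelled execution would be polled forever, with the short term
    # key still authorized on every host.
    if openstack workflow execution show -f shell "$EXECUTION_ID" | grep -E 'state="(ERROR|CANCELLED)"' > /dev/null; then
        echo
        echo "Workflow execution $EXECUTION_ID did not succeed" >&2
        exit 1
    fi
    sleep "$SLEEP_TIME"
    echo -n .
done
echo  # newline after the previous dots

for HOST in $OVERCLOUD_HOSTS; do
    echo "Removing TripleO short term key from $HOST"
    remove_short_term_key "$HOST"
done
# every host was cleaned above, nothing left for the EXIT handler to revoke
SHORT_TERM_KEY_HOSTS=""

echo "Removing short term keys locally"
rm -r "$SHORT_TERM_KEY_DIR"

echo "Success."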