From 8199744e9cee88127291b22ebeb9e78142cc4ade Mon Sep 17 00:00:00 2001 From: Markos Chandras Date: Tue, 3 Apr 2018 11:14:11 +0100 Subject: xci: osa: Move tasks for managing SSH keys to a new file The tasks that manage the SSH keys are common across hosts and also common across different installers. As such, lets move them to a new file so we can share them more easily. Change-Id: If235877394f224a47a2f2b8de748a2330eabcec1 Signed-off-by: Markos Chandras --- .../osa/playbooks/configure-opnfvhost.yml | 32 +-------------- .../osa/playbooks/configure-targethosts.yml | 32 +-------------- xci/playbooks/manage-ssh-keys.yml | 47 ++++++++++++++++++++++ 3 files changed, 51 insertions(+), 60 deletions(-) create mode 100644 xci/playbooks/manage-ssh-keys.yml (limited to 'xci') diff --git a/xci/installer/osa/playbooks/configure-opnfvhost.yml b/xci/installer/osa/playbooks/configure-opnfvhost.yml index 11957cdc..6c2b1d35 100644 --- a/xci/installer/osa/playbooks/configure-opnfvhost.yml +++ b/xci/installer/osa/playbooks/configure-opnfvhost.yml @@ -43,15 +43,6 @@ proxy_settings_no_proxy: "{{ lookup('env','no_proxy') }}" tasks: - - name: Configure SSH key for root user - user: - name: root - generate_ssh_key: yes - ssh_key_bits: 2048 - ssh_key_comment: xci - ssh_key_type: rsa - state: present - - name: Copy releng-xci to remote host synchronize: src: "{{ xci_path }}/" @@ -206,24 +197,5 @@ dest: "{{ xci_path }}/.cache/openrc" flat: true - - name: Determine local user - become: no - local_action: command whoami - changed_when: False - register: _ansible_user - - - name: Fetch local SSH key - delegate_to: localhost - become: no - slurp: - src: "/home/{{ _ansible_user.stdout }}/.ssh/id_rsa.pub" - register: _local_ssh_key - - - name: Configure OPNFV authorized_keys file - authorized_key: - exclusive: yes - user: root - state: present - manage_dir: yes - comment: "{{ _ansible_user.stdout }} key" - key: "{{ _local_ssh_key['content'] | b64decode }}" + - name: Manage SSH keys + include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssh-keys.yml" diff --git a/xci/installer/osa/playbooks/configure-targethosts.yml b/xci/installer/osa/playbooks/configure-targethosts.yml index b76a5950..cb817cfc 100644 --- a/xci/installer/osa/playbooks/configure-targethosts.yml +++ b/xci/installer/osa/playbooks/configure-targethosts.yml @@ -33,33 +33,5 @@ - xci_ceph_enabled == "true" - "'compute' in group_names" tasks: - - name: Determine local user - become: no - local_action: command whoami - changed_when: False - register: _ansible_user - - - name: Fetch local SSH key - delegate_to: localhost - become: no - slurp: - src: "/home/{{ _ansible_user.stdout }}/.ssh/id_rsa.pub" - register: _local_ssh_key - - - name: Fetch OPNFV SSH key - delegate_to: opnfv - slurp: - src: "{{ ansible_env.HOME }}/.ssh/id_rsa.pub" - register: _opnfv_ssh_key - - - name: "Configure {{ inventory_hostname }} authorized_keys file" - authorized_key: - exclusive: "{{ item.exclusive }}" - user: root - state: present - manage_dir: yes - key: "{{ item.key }}" - comment: "{{ item.comment }}" - with_items: - - { key: "{{ _local_ssh_key['content'] | b64decode }}", comment: "{{ _ansible_user.stdout }} key", exclusive: yes } - - { key: "{{ _opnfv_ssh_key['content'] | b64decode }}", comment: "opnfv host key", exclusive: no } + - name: Manage SSH keys + include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssh-keys.yml" diff --git a/xci/playbooks/manage-ssh-keys.yml b/xci/playbooks/manage-ssh-keys.yml new file mode 100644 index 00000000..ff797aad --- /dev/null +++ b/xci/playbooks/manage-ssh-keys.yml @@ -0,0 +1,47 @@ +# SPDX-license-identifier: Apache-2.0 +############################################################################## +# Copyright (c) 2018 SUSE Linux GmbH and others. +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +- name: Configure SSH key for root user + user: + name: root + generate_ssh_key: yes + ssh_key_bits: 2048 + ssh_key_comment: xci + ssh_key_type: rsa + state: present + +- name: Determine local user + become: no + local_action: command whoami + changed_when: False + register: _ansible_user + +- name: Fetch local SSH key + delegate_to: localhost + become: no + slurp: + src: "/home/{{ _ansible_user.stdout }}/.ssh/id_rsa.pub" + register: _local_ssh_key + +- name: Fetch OPNFV SSH key + delegate_to: opnfv + slurp: + src: "{{ ansible_env.HOME }}/.ssh/id_rsa.pub" + register: _opnfv_ssh_key + +- name: "Configure {{ inventory_hostname }} authorized_keys file" + authorized_key: + exclusive: "{{ item.exclusive }}" + user: root + state: present + manage_dir: yes + key: "{{ item.key }}" + comment: "{{ item.comment }}" + with_items: + - { key: "{{ _local_ssh_key['content'] | b64decode }}", comment: "{{ _ansible_user.stdout }} key", exclusive: yes } + - { key: "{{ _opnfv_ssh_key['content'] | b64decode }}", comment: "opnfv host key", exclusive: no } -- cgit 1.2.3-korg From 9fc661b56dbd90df944755140bfff88fb1197fbd Mon Sep 17 00:00:00 2001 From: Markos Chandras Date: Tue, 3 Apr 2018 12:47:54 +0100 Subject: xci: osa: Use Ansible modules to create ssl certificates Ansible already provides modules to create ssl certificates so we can use these instead of running the openssl commands directly. Moreover, we can drop all the tasks which create the ssl directories since there are being created by the openssl package which also creates the appropriate symlinks. Finally, there is no need to generate the certificate on localhost if only the OPNFV host consumes it, so move these steps to the appropriate playbook. Change-Id: I0045945c502013be3d76440876e894a44a092690 Signed-off-by: Markos Chandras --- .../osa/playbooks/configure-opnfvhost.yml | 45 ++++++++++------------ xci/playbooks/configure-localhost.yml | 36 +++++------------ 2 files changed, 30 insertions(+), 51 deletions(-) (limited to 'xci') diff --git a/xci/installer/osa/playbooks/configure-opnfvhost.yml b/xci/installer/osa/playbooks/configure-opnfvhost.yml index 6c2b1d35..0e6fdd16 100644 --- a/xci/installer/osa/playbooks/configure-opnfvhost.yml +++ b/xci/installer/osa/playbooks/configure-opnfvhost.yml @@ -123,6 +123,7 @@ - pyyaml - python-neutronclient - python-openstackclient + - pyOpenSSL - name: Install ARA callback plugin in OSA virtualenv pip: name: ara @@ -148,30 +149,26 @@ args: chdir: "{{openstack_osa_path}}/scripts" changed_when: True - - name: check if certificate directory /etc/ssl/certs exists already - stat: path=/etc/ssl/certs - register: check_etc_ssl_certs - - name: create certificate directory /etc/ssl/certs - file: - path: "/etc/ssl/certs" - state: directory - when: check_etc_ssl_certs.stat.exists == false - - name: create key directory /etc/ssl/private - file: - path: "/etc/ssl/private" - state: directory - - name: copy certificate to /etc/ssl/certs - copy: - src: "/etc/ssl/certs/xci.crt" - dest: "/etc/ssl/certs/" - - name: read remote key from /etc/ssl/private - set_fact: - xci_ssl_key: "{{ lookup('pipe', 'sudo cat /etc/ssl/private/xci.key' ) }}" - - name: copy key to /etc/ssl/private - copy: - content: "{{ xci_ssl_key }}" - dest: "/etc/ssl/private/xci.key" - become: true + + - name: Generate XCI private key + openssl_privatekey: + path: /etc/ssl/private/xci.key + size: 2048 + + - name: Generate XCI certificate request + openssl_csr: + privatekey_path: /etc/ssl/private/xci.key + path: /etc/ssl/private/xci.csr + common_name: "{{ xci_ssl_subject }}" + + - name: Generate XCI self signed certificate + openssl_certificate: + path: /etc/ssl/certs/xci.crt + privatekey_path: /etc/ssl/private/xci.key + csr_path: /etc/ssl/private/xci.csr + provider: selfsigned + selfsigned_not_after: 20800101000000Z + - name: fetch xci environment copy: src: "{{ xci_path }}/.cache/xci.env" diff --git a/xci/playbooks/configure-localhost.yml b/xci/playbooks/configure-localhost.yml index 1f010528..5f091c92 100644 --- a/xci/playbooks/configure-localhost.yml +++ b/xci/playbooks/configure-localhost.yml @@ -69,34 +69,16 @@ path: "{{log_path}}" state: directory recurse: no - - block: - - name: check if certificate directory /etc/ssl/certs exists already - stat: path=/etc/ssl/certs - register: check_etc_ssl_certs - - name: create certificate directory /etc/ssl/certs - become: true - file: - path: "/etc/ssl/certs" - state: directory - when: check_etc_ssl_certs.stat.exists == false - - name: create key directory /etc/ssl/private - become: true - file: - path: "/etc/ssl/private" - state: directory - - name: generate self signed certificate - command: openssl req -new -nodes -x509 -subj "{{ xci_ssl_subject }}" -days 3650 -keyout "/etc/ssl/private/xci.key" -out "/etc/ssl/certs/xci.crt" -extensions v3_ca - become: true - - name: Synchronize local development OSA repository to XCI paths - # command module is much faster than the copy module - synchronize: - src: "{{ openstack_osa_dev_path }}" - dest: "{{ xci_cache }}/repos/openstack-ansible" - recursive: yes - delete: yes - when: - - openstack_osa_dev_path != "" + + - name: Synchronize local development OSA repository to XCI paths + # command module is much faster than the copy module + synchronize: + src: "{{ openstack_osa_dev_path }}" + dest: "{{ xci_cache }}/repos/openstack-ansible" + recursive: yes + delete: yes when: + - openstack_osa_dev_path != "" - installer_type == "osa" - name: Configure SSH key for local user -- cgit 1.2.3-korg