Merge "ci-ovn: Disable Swift services in scenario 007 container job" into stable...
authorZuul <zuul@review.openstack.org>
Tue, 24 Oct 2017 20:03:15 +0000 (20:03 +0000)
committerGerrit Code Review <review@openstack.org>
Tue, 24 Oct 2017 20:03:16 +0000 (20:03 +0000)
deployed-server/deployed-server-roles-data.yaml
deployed-server/scripts/enable-ssh-admin.sh
environments/docker.yaml
extraconfig/pre_deploy/rhel-registration/scripts/rhel-registration
releasenotes/notes/sat_capsule-bb59fad44c17f97f.yaml [new file with mode: 0644]

index 877fc7d..8611940 100644 (file)
     - StorageMgmt
     - Tenant
   HostnameFormatDefault: '%stackname%-controller-%index%'
-  # Deprecated & backward-compatible values (FIXME: Make parameters consistent)
-  # Set uses_deprecated_params to True if any deprecated params are used.
-  uses_deprecated_params: True
-  deprecated_param_extraconfig: 'controllerExtraConfig'
-  deprecated_param_flavor: 'OvercloudControlFlavor'
-  deprecated_param_image: 'controllerImage'
   ServicesDefault:
     - OS::TripleO::Services::AodhApi
     - OS::TripleO::Services::AodhEvaluator
     - InternalApi
     - Tenant
     - Storage
-  # Deprecated & backward-compatible values (FIXME: Make parameters consistent)
-  # Set uses_deprecated_params to True if any deprecated params are used.
-  uses_deprecated_params: True
-  deprecated_param_image: 'NovaImage'
-  deprecated_param_extraconfig: 'NovaComputeExtraConfig'
-  deprecated_param_metadata: 'NovaComputeServerMetadata'
-  deprecated_param_scheduler_hints: 'NovaComputeSchedulerHints'
-  deprecated_param_ips: 'NovaComputeIPs'
-  deprecated_server_resource_name: 'NovaCompute'
   ServicesDefault:
     - OS::TripleO::Services::AuditD
     - OS::TripleO::Services::CACerts
     - InternalApi
     - Storage
     - StorageMgmt
-  # Deprecated & backward-compatible values (FIXME: Make parameters consistent)
-  # Set uses_deprecated_params to True if any deprecated params are used.
-  uses_deprecated_params: True
-  deprecated_param_metadata: 'SwiftStorageServerMetadata'
-  deprecated_param_ips: 'SwiftStorageIPs'
-  deprecated_param_image: 'SwiftStorageImage'
-  deprecated_param_flavor: 'OvercloudSwiftStorageFlavor'
   disable_upgrade_deployment: True
   ServicesDefault:
     - OS::TripleO::Services::AuditD
index dcabead..daff390 100755 (executable)
@@ -10,6 +10,7 @@ SUBNODES_SSH_KEY=${SUBNODES_SSH_KEY:-"$HOME/.ssh/id_rsa"}
 # this is the intended variable for overriding
 OVERCLOUD_SSH_KEY=${OVERCLOUD_SSH_KEY:-"$SUBNODES_SSH_KEY"}
 
+SHORT_TERM_KEY_COMMENT="TripleO split stack short term key"
 SLEEP_TIME=5
 
 function overcloud_ssh_hosts_json {
@@ -22,7 +23,7 @@ print(json.dumps(re.split("\s+", sys.stdin.read().strip())))'
 function overcloud_ssh_key_json {
     # we pass the contents to Mistral instead of just path, otherwise
     # the key file would have to be readable for the mistral user
-    cat "$OVERCLOUD_SSH_KEY" | python -c 'import json,sys; print(json.dumps(sys.stdin.read()))'
+    cat "$1" | python -c 'import json,sys; print(json.dumps(sys.stdin.read()))'
 }
 
 function workflow_finished {
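Review bot: `overcloud_ssh_key_json` now reads its path from `$1`, but nothing checks that the argument is set or that the file is readable. If `cat` fails, python still reads an empty stdin and prints `""`, so an empty `ssh_private_key` would be sent to the workflow. Redirecting instead of piping surfaces the failure and avoids the extra `cat`: `python -c 'import json,sys; print(json.dumps(sys.stdin.read()))' < "${1:?key file path required}"`.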
@@ -30,6 +31,12 @@ function workflow_finished {
     openstack workflow execution show -f shell $execution_id | grep 'state="SUCCESS"' > /dev/null
 }
 
+function generate_short_term_keys {
+    local tmpdir=$(mktemp -d)
+    ssh-keygen -N '' -t rsa -b 4096 -f "$tmpdir/id_rsa" -C "$SHORT_TERM_KEY_COMMENT" > /dev/null
+    echo "$tmpdir"
+}
+
 if [ -z "$OVERCLOUD_HOSTS" ]; then
     echo 'Please set $OVERCLOUD_HOSTS'
     exit 1
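Review bot: In `generate_short_term_keys`, `local tmpdir=$(mktemp -d)` hides a `mktemp` failure, because the status of `local` replaces it. With an empty `tmpdir`, `ssh-keygen` would then target `/id_rsa` and the function would echo an empty directory name to its caller. The `ssh-keygen` status is not checked either. Splitting the declaration lets both failures propagate: `local tmpdir`, then `tmpdir=$(mktemp -d) || return 1`, and `|| return 1` after the `ssh-keygen` call. The caller would then need to test the function's status as well. The `if` block that follows continues outside the hunk.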
@@ -41,7 +48,20 @@ echo "SSH key file: $OVERCLOUD_SSH_KEY"
 echo "Hosts: $OVERCLOUD_HOSTS"
 echo
 
-EXECUTION_PARAMS="{\"ssh_user\": \"$OVERCLOUD_SSH_USER\", \"ssh_servers\": $(overcloud_ssh_hosts_json), \"ssh_private_key\": $(overcloud_ssh_key_json)}"
+SHORT_TERM_KEY_DIR=$(generate_short_term_keys)
+SHORT_TERM_KEY_PRIVATE="$SHORT_TERM_KEY_DIR/id_rsa"
+SHORT_TERM_KEY_PUBLIC="$SHORT_TERM_KEY_DIR/id_rsa.pub"
+SHORT_TERM_KEY_PUBLIC_CONTENT=$(cat $SHORT_TERM_KEY_PUBLIC)
+
+for HOST in $OVERCLOUD_HOSTS; do
+    echo "Inserting TripleO short term key for $HOST"
+    # prepending an extra newline so that if authorized_keys didn't
+    # end with a newline previously, we don't end up garbling it up
+    ssh -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$HOST" "echo -e '\n$SHORT_TERM_KEY_PUBLIC_CONTENT' >> \$HOME/.ssh/authorized_keys"
+done
+
+echo "Starting ssh admin enablement workflow"
+EXECUTION_PARAMS="{\"ssh_user\": \"$OVERCLOUD_SSH_USER\", \"ssh_servers\": $(overcloud_ssh_hosts_json), \"ssh_private_key\": $(overcloud_ssh_key_json "$SHORT_TERM_KEY_PRIVATE")}"
 EXECUTION_CREATE_OUTPUT=$(openstack workflow execution create -f shell -d 'deployed server ssh admin creation' tripleo.access.v1.enable_ssh_admin "$EXECUTION_PARAMS")
 echo "$EXECUTION_CREATE_OUTPUT"
 EXECUTION_ID=$(echo "$EXECUTION_CREATE_OUTPUT" | grep '^id=' | awk '-F"' '{ print $2 }')
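Review bot: The short-term key is appended to `authorized_keys` on every host here, but its removal only happens at the very end of the script. Any exit in between (a failed `openstack` call, an interrupt during the polling loop) leaves a passphrase-less key authorized on the hosts and the private half on disk in the temp directory. Registering the cleanup with `trap ... EXIT` right after key generation would cover those paths; the removal loop and `rm -r` from the last hunk would move into the handler. Separately, `$(cat $SHORT_TERM_KEY_PUBLIC)` should quote the path, and the `ssh` status inside the insertion loop is not checked, so a host that never received the key is only noticed when the workflow fails.

```shell
SHORT_TERM_KEY_DIR=$(generate_short_term_keys)
# ... unchanged: SHORT_TERM_KEY_PRIVATE / SHORT_TERM_KEY_PUBLIC assignments ...
SHORT_TERM_KEY_PUBLIC_CONTENT=$(cat "$SHORT_TERM_KEY_PUBLIC")

function remove_short_term_keys {
    local host
    for host in $OVERCLOUD_HOSTS; do
        echo "Removing TripleO short term key from $host"
        # best effort: keep going so every host is attempted
        ssh -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$host" \
            "sed -i -e '/$SHORT_TERM_KEY_COMMENT/d' \$HOME/.ssh/authorized_keys" \
            || echo "WARNING: could not remove short term key from $host" >&2
    done
    rm -rf -- "${SHORT_TERM_KEY_DIR:?}"
}
trap remove_short_term_keys EXIT

# ... unchanged: insertion loop and workflow execution create ...
```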
@@ -56,5 +76,14 @@ while ! workflow_finished $EXECUTION_ID; do
     sleep $SLEEP_TIME
     echo -n .
 done
+echo  # newline after the previous dots
+
+for HOST in $OVERCLOUD_HOSTS; do
+    echo "Removing TripleO short term key from $HOST"
+    ssh -l "$OVERCLOUD_SSH_USER" "$HOST" "sed -i -e '/$SHORT_TERM_KEY_COMMENT/d' \$HOME/.ssh/authorized_keys"
+done
+
+echo "Removing short term keys locally"
+rm -r "$SHORT_TERM_KEY_DIR"
 
 echo "Success."
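Review bot: The removal `ssh` call omits `-i "$OVERCLOUD_SSH_KEY"`, which the insertion loop passes. Unless the default identity is also authorized for `$OVERCLOUD_SSH_USER`, the cleanup cannot log in and the short-term key stays in `authorized_keys`. The command's status is not checked, so the script would still print `Success.` in that case. Suggested line: `ssh -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$HOST" "sed -i -e '/$SHORT_TERM_KEY_COMMENT/d' \$HOME/.ssh/authorized_keys" || echo "WARNING: short term key not removed from $HOST" >&2`. The `while` loop at the top of the hunk starts outside it.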
index 5737992..58691cc 100644 (file)
@@ -58,6 +58,8 @@ resource_registry:
   # OS::TripleO::Services::CinderBackup: ../docker/services/cinder-backup.yaml
   # OS::TripleO::Services::CinderVolume: ../docker/services/cinder-volume.yaml
   #
+  OS::TripleO::Services::SwiftDispersion: OS::Heat::None
+
   # If SR-IOV is enabled on the compute nodes, it will need the SR-IOV
   # host configuration.
   OS::TripleO::Services::NeutronSriovHostConfig: OS::Heat::None
index 487857e..d754aaf 100644 (file)
@@ -186,14 +186,13 @@ function retry() {
     set -e
 }
 
-function detect_satellite_version {
-    ping_api=$REG_SAT_URL/katello/api/ping
-    if curl --retry ${retry_max_count} --retry-delay 10 --max-time 30 -L -k -s -D - -o /dev/null $ping_api | grep "200 OK"; then
-        echo Satellite 6 detected at $REG_SAT_URL
-        satellite_version=6
+function detect_satellite_server {
+    if curl --retry ${retry_max_count} --retry-delay 10 --max-time 30 -L -k -s -D - -o /dev/null $REG_SAT_URL/pub/katello-ca-consumer-latest.noarch.rpm | grep "200 OK"; then
+        echo Satellite 6 or beyond with Katello API detected at $REG_SAT_URL
+        katello_api_enabled=1
     elif curl --retry ${retry_max_count} --retry-delay 10 --max-time 30 -L -k -s -D - -o /dev/null $REG_SAT_URL/rhn/Login.do | grep "200 OK"; then
-        echo Satellite 5 detected at $REG_SAT_URL
-        satellite_version=5
+        echo Satellite 5 with RHN detected at $REG_SAT_URL
+        katello_api_enabled=0
     else
         echo No Satellite detected at $REG_SAT_URL
         exit 1
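Review bot: The new probe in `detect_satellite_server` still decides by grepping the dumped headers for the literal `200 OK`. That match is not anchored to the status line, and it would presumably miss an HTTP/2 response, whose status line carries no reason phrase. Letting curl report the outcome is sturdier, e.g. adding `-f` and testing curl's exit status with the URL quoted: `"$REG_SAT_URL/pub/katello-ca-consumer-latest.noarch.rpm"`. The probe also keeps `-k`, so the answer that selects the Katello path is not authenticated; where a CA bundle for the Satellite host can be provisioned beforehand, `--cacert` would be preferable. The function's closing lines are outside the hunk.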
@@ -231,8 +230,8 @@ case "${REG_METHOD:-}" in
         retry subscription-manager $repos
         ;;
     satellite)
-        detect_satellite_version
-        if [ "$satellite_version" = "6" ]; then
+        detect_satellite_server
+        if [ "$katello_api_enabled" = "1" ]; then
             repos="$repos --enable ${satellite_repo}"
             curl --retry ${retry_max_count} --retry-delay 10 --max-time 30 -L -k -O "$REG_SAT_URL/pub/katello-ca-consumer-latest.noarch.rpm"
 
diff --git a/releasenotes/notes/sat_capsule-bb59fad44c17f97f.yaml b/releasenotes/notes/sat_capsule-bb59fad44c17f97f.yaml
new file mode 100644 (file)
index 0000000..58298d3
--- /dev/null
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    For deployments running on RHEL with Satellite 6 (or beyond) with Capsule (Katello API enabled),
+    the Katello API is available on 8443 port, so the previous API ping didn't work for this case.
+    Capsule is now supported since we just check if katello-ca-consumer-latest rpm is available
+    to tell that Satellite version is 6 or beyond.