diff --git a/defaults/main.yml b/defaults/main.yml
index cb0e55dd..16772c07 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -123,18 +123,6 @@ lxc_net6_nat: false
 lxc_kernel_options:
 - { key: 'fs.inotify.max_user_instances', value: 1024 }
-lxc_cache_sshd_configuration:
- - regexp: "^PermitRootLogin"
- line: "PermitRootLogin prohibit-password"
- - regexp: "^TCPKeepAlive"
- line: "TCPKeepAlive yes"
- - regexp: "^UseDNS"
- line: "UseDNS no"
- - regexp: "^X11Forwarding"
- line: "X11Forwarding no"
- - regexp: "^PasswordAuthentication"
- line: "PasswordAuthentication no"
-
 # The compression ratio used when creating the container cache rootfs archive
 lxc_image_compression_ratio: 0
diff --git a/releasenotes/notes/no_sshd_in_lxc-b73334d0c82470b4.yaml b/releasenotes/notes/no_sshd_in_lxc-b73334d0c82470b4.yaml
new file mode 100644
index 00000000..3f8e2e63
--- /dev/null
+++ b/releasenotes/notes/no_sshd_in_lxc-b73334d0c82470b4.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+ - |
+ SSHD and rsync are no longer installed or configured for all containers.
+ This also deprecates usage of ``lxc_container_ssh_key`` and variable
+ has no effect any longer.
diff --git a/tasks/lxc_cache_preparation.yml b/tasks/lxc_cache_preparation.yml
index b6ddb214..35787508 100644
--- a/tasks/lxc_cache_preparation.yml
+++ b/tasks/lxc_cache_preparation.yml
@@ -67,18 +67,6 @@
 poll: 0
 register: _lxc_cache_prepare_commands
-- name: Obtain the deploy system's ssh public key
- set_fact:
- lxc_container_ssh_key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
- when: lxc_container_ssh_key is not defined
-
-- name: Deploy ssh public key into the cached image
- lineinfile:
- dest: "{{ lxc_image_cache_path }}/root/.ssh/authorized_keys"
- line: "{{ lxc_container_ssh_key }}"
- create: true
- mode: "0600"
-
 # NOTE(cloudnull): Wait for the cache preparation script has completed before
 # building the new RootFS
 - name: Ensure that the LXC cache has been prepared
@@ -98,11 +86,3 @@
 src: sudoers.j2
 when:
 - ansible_facts['pkg_mgr'] == 'dnf'
-
-- name: Adjust sshd configuration in container
- lineinfile:
- dest: "{{ lxc_image_cache_path }}/etc/ssh/sshd_config"
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- state: present
- with_items: "{{ lxc_cache_sshd_configuration }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index a4061793..c93ca640 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -13,24 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-- name: Check for the presence of a public key file on the deployment host
- stat:
- path: /root/.ssh/id_rsa.pub
- register: _ssh_key
- when: lxc_container_ssh_key is undefined
- delegate_to: localhost
- tags:
- - always
-
-- name: Fail if a ssh public key is not set in a var and is not present on the deployment host
- fail:
- msg: "Please set the lxc_container_ssh_key variable or ensure that the deployment host has the file /root/.ssh/id_rsa.pub present."
- when:
- - lxc_container_ssh_key is undefined
- - not _ssh_key.stat.exists
- tags:
- - always
-
 - name: Gather variables for each operating system
 include_vars: "{{ lookup('first_found', params) }}"
 vars:
diff --git a/vars/debian.yml b/vars/debian.yml
index bbff28e6..51223e49 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -46,10 +46,9 @@ _lxc_cache_distro_packages:
 - libxml2
 - locales
 - netbase
- - openssh-server
+ - procps # needed for sysctl-container.service
 - python3
 - "{{ _lxc_cache_distro_libpython[ansible_facts['distribution_release'] | lower] }}"
- - rsync # os_keystone runs serial=1 and uses rsync before the distro packages have been installed on all keystone targets
 - sudo
 - systemd
 - systemd-sysv
diff --git a/vars/redhat.yml b/vars/redhat.yml
index 4e99183e..2047e471 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
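Review bot: Dropping `openssh-server` from `_lxc_cache_distro_packages` in the vars/debian.yml hunk (and in vars/redhat.yml) only changes caches built after this commit. Containers created from an earlier cache presumably still run sshd with the deploy host's key in `/root/.ssh/authorized_keys`, and nothing visible in this diff removes either. The release note should tell operators this, for example with an `upgrade:` entry reading `Existing containers keep openssh-server and the previously deployed authorized_keys entry until they are cleaned up or rebuilt.` Separately, the removed `rsync` line carried a comment saying os_keystone uses rsync before the distro packages are installed, so it is worth confirming that role no longer depends on the cache providing it.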
@@ -42,12 +42,10 @@ _lxc_cache_distro_packages:
 - iputils
 - iproute
 - libxml2
- - openssh-server
 - policycoreutils
 - procps
 - python3
 - python3-libs
- - rsync # os_keystone runs serial=1 and uses rsync before the distro packages have been installed on all keystone targets
 - setup
 - sudo
 - systemd