Workaround ssh_known_hosts changes not being propagated to containers

We need an in-place update of /etc/ssh/ssh_known_hosts for the changes to be visible to running containers. This works around the issue until we have a better long-term solution - make a copy, update using lineinfile, then clobber the original file. Closes-bug: #1810932 Change-Id: Ie6af5908d4b79bad094bce31e8e853678c0e843c (cherry picked from commit ca60b82be8)
2019-01-08 00:53:01 +00:00 · 2019-01-08 00:53:01 +00:00 · 0077402bbb
parent c51cce0c4a
commit 0077402bbb
2 changed files with 29 additions and 6 deletions
--- a/releasenotes/notes/workaround_ssh_known_host_atomic_update-481e0baf3b3d6342.yaml
+++ b/releasenotes/notes/workaround_ssh_known_host_atomic_update-481e0baf3b3d6342.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - Workaround `bug 1810932 <https://bugs.launchpad.net/tripleo/+bug/1810932>`__ by
+    scripting an in-place update of ssh_known_hosts
+
--- a/roles/tripleo-ssh-known-hosts/tasks/main.yml
+++ b/roles/tripleo-ssh-known-hosts/tasks/main.yml
@ -1,11 +1,29 @@
 ---
- name: Add hosts key in /etc/ssh/ssh_known_hosts for live/cold-migration
+- name: Add host keys in /etc/ssh/ssh_known_hosts for live/cold-migration
  become: true
-  lineinfile:
-    path: /etc/ssh/ssh_known_hosts
-    line: "{{ ssh_known_hosts[hostvars[item]['ansible_hostname'] | lower] + ' ssh-rsa ' + hostvars[item]['ansible_ssh_host_key_rsa_public'] }}"
-    create: yes
-  with_items: "{{ groups['overcloud']|intersect(play_hosts) }}"
+  block:
+    # Workaround https://bugs.launchpad.net/tripleo/+bug/1810932
+    # Ansible modules perform a replace instead of in-place modification.
+    # This breaks propagation of changes to containers that bind mount ssh_known_hosts
+    - name: Create temporary file for ssh_known_hosts
+      tempfile:
+        state: file
+      register: ssh_known_hosts_tmp
+    - name: Create a temporary copy of ssh_known_hosts
+      shell: |
+        if [[ -e /etc/ssh/ssh_known_hosts ]]; then
+          cat /etc/ssh/ssh_known_hosts > '{{ ssh_known_hosts_tmp.path }}'
+        fi
+    - name: Add host keys to temporary ssh_known_hosts
+      lineinfile:
+        path: "{{ ssh_known_hosts_tmp.path }}"
+        line: "{{ ssh_known_hosts[hostvars[item]['ansible_hostname'] | lower] + ' ssh-rsa ' + hostvars[item]['ansible_ssh_host_key_rsa_public'] }}"
+        create: yes
+      with_items: "{{ groups['overcloud']|intersect(play_hosts) }}"
+    - name: In-place update of /etc/ssh_known_hosts
+      shell: |
+        cat '{{ ssh_known_hosts_tmp.path }}' > /etc/ssh/ssh_known_hosts
+        rm -f '{{ ssh_known_hosts_tmp.path }}'
  tags:
    - tripleo_ssh_known_hosts