Disable SSH login for nova_migration user when migration over ssh is disabled.
If migration over SSH is enabled and then later disabled, the SSH config for the nova_migration user remains intact. This change clobbers the migration SSH key to disable login when it is not necessary.

Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #1688321
parent
f8ca94a5b7
commit
fe8edab1f4
|
@ -217,31 +217,42 @@ class tripleo::profile::base::nova (
|
|||
notify => Service['sshd']
|
||||
}
|
||||
|
||||
file { '/etc/nova/migration/authorized_keys':
|
||||
content => $migration_ssh_key['public_key'],
|
||||
mode => '0640',
|
||||
owner => 'root',
|
||||
group => 'nova_migration',
|
||||
require => Package['openstack-nova-migration'],
|
||||
}
|
||||
|
||||
# Client side
|
||||
file { '/etc/nova/migration/identity':
|
||||
content => $migration_ssh_key['private_key'],
|
||||
mode => '0600',
|
||||
owner => 'nova',
|
||||
group => 'nova',
|
||||
require => Package['openstack-nova-migration'],
|
||||
}
|
||||
$migration_pkg_ensure = installed
|
||||
} else {
|
||||
$migration_pkg_ensure = absent
|
||||
$migration_authorized_keys = $migration_ssh_key['public_key']
|
||||
$migration_identity = $migration_ssh_key['private_key']
|
||||
$migration_user_shell = '/bin/bash'
|
||||
}
|
||||
else {
|
||||
# Remove the keys and prevent login when migration over SSH is not enabled
|
||||
$migration_authorized_keys = '# Migration over SSH disabled by TripleO'
|
||||
$migration_identity = '# Migration over SSH disabled by TripleO'
|
||||
$migration_user_shell = '/sbin/nologin'
|
||||
}
|
||||
|
||||
package { 'openstack-nova-migration':
|
||||
ensure => present,
|
||||
tag => ['openstack', 'nova-package'],
|
||||
}
|
||||
|
||||
file { '/etc/nova/migration/authorized_keys':
|
||||
content => $migration_authorized_keys,
|
||||
mode => '0640',
|
||||
owner => 'root',
|
||||
group => 'nova_migration',
|
||||
require => Package['openstack-nova-migration']
|
||||
}
|
||||
|
||||
file { '/etc/nova/migration/identity':
|
||||
content => $migration_identity,
|
||||
mode => '0600',
|
||||
owner => 'nova',
|
||||
group => 'nova',
|
||||
require => Package['openstack-nova-migration']
|
||||
}
|
||||
|
||||
user {'nova_migration':
|
||||
shell => $migration_user_shell,
|
||||
require => Package['openstack-nova-migration']
|
||||
}
|
||||
} else {
|
||||
$migration_pkg_ensure = absent
|
||||
}
|
||||
package {'openstack-nova-migration':
|
||||
ensure => $migration_pkg_ensure
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
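Review bot: The `file { '/etc/nova/migration/identity': ... }` resource manages the migration private key through `content` but does not set `show_diff`. If the agent runs with diffs enabled, any content change can write the old or new private key into the Puppet log and reports, and that includes the new swap to the placeholder comment when SSH migration is turned off. I would add `show_diff => false,` to that resource, and to `authorized_keys` for consistency. Separately, the new `else` branch only rewrites the two files and the login shell. Whether an sshd match block written earlier for `nova_migration` is also withdrawn cannot be seen here, because the enclosing `if` starts outside the hunk.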
@ -95,9 +95,8 @@ describe 'tripleo::profile::base::nova' do
|
|||
is_expected.to contain_class('nova::cache')
|
||||
is_expected.to contain_class('nova::placement')
|
||||
is_expected.to_not contain_class('nova::migration::libvirt')
|
||||
is_expected.to contain_package('openstack-nova-migration').with(
|
||||
:ensure => 'absent'
|
||||
)
|
||||
is_expected.to_not contain_file('/etc/nova/migration/authorized_keys')
|
||||
is_expected.to_not contain_file('/etc/nova/migration/identity')
|
||||
}
|
||||
end
|
||||
|
||||
|
@ -132,7 +131,22 @@ describe 'tripleo::profile::base::nova' do
|
|||
:configure_nova => params[:nova_compute_enabled]
|
||||
)
|
||||
is_expected.to contain_package('openstack-nova-migration').with(
|
||||
:ensure => 'absent'
|
||||
:ensure => 'present'
|
||||
)
|
||||
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||
:content => '# Migration over SSH disabled by TripleO',
|
||||
:mode => '0640',
|
||||
:owner => 'root',
|
||||
:group => 'nova_migration',
|
||||
)
|
||||
is_expected.to contain_file('/etc/nova/migration/identity').with(
|
||||
:content => '# Migration over SSH disabled by TripleO',
|
||||
:mode => '0600',
|
||||
:owner => 'nova',
|
||||
:group => 'nova',
|
||||
)
|
||||
is_expected.to contain_user('nova_migration').with(
|
||||
:shell => '/sbin/nologin'
|
||||
)
|
||||
}
|
||||
end
|
||||
|
@ -169,7 +183,22 @@ describe 'tripleo::profile::base::nova' do
|
|||
:configure_nova => params[:nova_compute_enabled],
|
||||
)
|
||||
is_expected.to contain_package('openstack-nova-migration').with(
|
||||
:ensure => 'absent'
|
||||
:ensure => 'present'
|
||||
)
|
||||
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||
:content => '# Migration over SSH disabled by TripleO',
|
||||
:mode => '0640',
|
||||
:owner => 'root',
|
||||
:group => 'nova_migration',
|
||||
)
|
||||
is_expected.to contain_file('/etc/nova/migration/identity').with(
|
||||
:content => '# Migration over SSH disabled by TripleO',
|
||||
:mode => '0600',
|
||||
:owner => 'nova',
|
||||
:group => 'nova',
|
||||
)
|
||||
is_expected.to contain_user('nova_migration').with(
|
||||
:shell => '/sbin/nologin'
|
||||
)
|
||||
}
|
||||
end
|
||||
|
@ -223,6 +252,9 @@ describe 'tripleo::profile::base::nova' do
|
|||
}
|
||||
)
|
||||
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
|
||||
is_expected.to contain_package('openstack-nova-migration').with(
|
||||
:ensure => 'present'
|
||||
)
|
||||
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||
:content => 'ssh-rsa bar',
|
||||
:mode => '0640',
|
||||
|
@ -235,8 +267,8 @@ describe 'tripleo::profile::base::nova' do
|
|||
:owner => 'nova',
|
||||
:group => 'nova',
|
||||
)
|
||||
is_expected.to contain_package('openstack-nova-migration').with(
|
||||
:ensure => 'installed'
|
||||
is_expected.to contain_user('nova_migration').with(
|
||||
:shell => '/bin/bash'
|
||||
)
|
||||
}
|
||||
end
|
||||
|
@ -297,6 +329,9 @@ describe 'tripleo::profile::base::nova' do
|
|||
'DenyUsers' => 'nova_migration'
|
||||
}
|
||||
)
|
||||
is_expected.to contain_package('openstack-nova-migration').with(
|
||||
:ensure => 'present'
|
||||
)
|
||||
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||
:content => 'ssh-rsa bar',
|
||||
:mode => '0640',
|
||||
|
@ -309,8 +344,8 @@ describe 'tripleo::profile::base::nova' do
|
|||
:owner => 'nova',
|
||||
:group => 'nova',
|
||||
)
|
||||
is_expected.to contain_package('openstack-nova-migration').with(
|
||||
:ensure => 'installed'
|
||||
is_expected.to contain_user('nova_migration').with(
|
||||
:shell => '/bin/bash'
|
||||
)
|
||||
}
|
||||
end
|
||||
|
@ -365,6 +400,9 @@ describe 'tripleo::profile::base::nova' do
|
|||
}
|
||||
)
|
||||
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
|
||||
is_expected.to contain_package('openstack-nova-migration').with(
|
||||
:ensure => 'present'
|
||||
)
|
||||
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||
:content => 'ssh-rsa bar',
|
||||
:mode => '0640',
|
||||
|
@ -377,8 +415,8 @@ describe 'tripleo::profile::base::nova' do
|
|||
:owner => 'nova',
|
||||
:group => 'nova',
|
||||
)
|
||||
is_expected.to contain_package('openstack-nova-migration').with(
|
||||
:ensure => 'installed'
|
||||
is_expected.to contain_user('nova_migration').with(
|
||||
:shell => '/bin/bash'
|
||||
)
|
||||
}
|
||||
end
|
||||
|
|
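Review bot: The two migration-disabled examples (hunks at -132 and -169) repeat the same four expectations word for word: package `present`, both files with the `'# Migration over SSH disabled by TripleO'` content, and the `/sbin/nologin` shell. The three migration-enabled examples likewise repeat the `contain_user('nova_migration').with(:shell => '/bin/bash')` check. Since these assertions pin the security-relevant state (no usable key, no login shell), I would move each set into one `shared_examples` group pulled in with `it_behaves_like`, so a later change to the placeholder text or shell cannot update one context and miss another. The surrounding `it` blocks start outside the hunks, so the grouping would need to be checked against the full file.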