Un-hardcoding stricthostkeychecking for nova user
The patch un-hardcodes the stricthostkeychecking ssh parameter for
the username located in ~/.ssh/config and adds compute host
fingerprints for all compute nodes in a full-mesh manner according
to the below pillar:
nova:
  compute:
    openssh:
      stricthostkeychecking: True
      discover_compute_hosts: True
Change-Id: If698e9465a89902c15852f0cce51e521d4beec9f
Related-PROD: PROD-27457 (PROD:27457)
diff --git a/README.rst b/README.rst
index 0184a83..147f12a 100644
--- a/README.rst
+++ b/README.rst
@@ -533,6 +533,18 @@
libvirt:
volume_use_multipath: True
+To disable or enable StrictHostKeyChecking and discover
+compute nodes fingerprints the below pillar should be used:
+
+.. code-block:: yaml
+
+ nova:
+ compute:
+ ....
+ openssh:
+ stricthostkeychecking: True
+ discover_compute_hosts: True
+
Client role
-----------
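Review bot: the README addition should state the defaults and the dependency between the two keys: in the compute.sls hunk both `stricthostkeychecking` and `discover_compute_hosts` fall back to `False`, so omitting the pillar keeps the previous `StrictHostKeyChecking no` behaviour, while setting `stricthostkeychecking: True` without `discover_compute_hosts: True` leaves the nova user with strict checking and an unpopulated known_hosts, so SSH to other compute nodes (e.g. for live migration) will be refused. Suggest adding a sentence such as "Both options default to False; when stricthostkeychecking is True, discover_compute_hosts should also be True so that the other compute nodes' host keys are added to the nova user's known_hosts via the Salt mine." It would also help to spell out that discovery requires the `grains.items` mine function to be available on the compute minions, which the state below relies on.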
diff --git a/nova/compute.sls b/nova/compute.sls
index 6103c14..2bce682 100644
--- a/nova/compute.sls
+++ b/nova/compute.sls
@@ -76,11 +76,31 @@
/var/lib/nova/.ssh/config:
file.managed:
- user: nova
- - contents: StrictHostKeyChecking no
+ - contents: StrictHostKeyChecking {% if compute.get('openssh',{}).get('stricthostkeychecking', False) %}yes{% else %}no{% endif %}
- mode: 400
- require:
- pkg: nova_compute_packages
+{%- if compute.get('openssh',{}).get('discover_compute_hosts', False) %}
+
+ {%- set cmp_nodenames = [] %}
+
+ {%- for cmp_nodes, node_grains in salt['mine.get']('I@nova:compute', 'grains.items', 'compound').items() %}
+ {%- if node_grains.fqdn is defined %}
+ {%- do cmp_nodenames.append(node_grains.fqdn) %}
+ {%- endif %}
+ {%- endfor %}
+
+ {%- for cmp_node in cmp_nodenames %}
+ssh_host_discover_{{ cmp_node }}_fingerprint:
+ ssh_known_hosts.present:
+ - name: {{ cmp_node }}
+ - user: nova
+ - require:
+ - file: /var/lib/nova/.ssh/config
+ {%- endfor %}
+{%- endif %}
+
{%- endif %}
{%- if not pillar.nova.get('controller',{}).get('enabled') %}
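Review bot: the `ssh_known_hosts.present` states are declared with only `name` and `user`, so at apply time Salt obtains each host key by scanning the target over the network; the entry that ends up in the nova user's known_hosts is therefore whatever answered on the wire at that moment, which is trust-on-first-use rather than a verified fingerprint, and it silently weakens the `StrictHostKeyChecking yes` this change is meant to enable. Consider publishing each node's host key (or its fingerprint) through the mine alongside `grains.items` and passing it to the state (`ssh_known_hosts.present` accepts `key` and `fingerprint` parameters), so the known_hosts entry is pinned to data the minion itself reported rather than to a keyscan result. Two smaller points: the mine lookup fails open, so if `grains.items` is not configured in the mine `cmp_nodenames` stays empty and no entries are written without any error; a `{%- if not cmp_nodenames %}` branch that fails the state (or at least logs) would make that visible. And nothing removes entries for compute nodes that leave the pool, so a decommissioned or re-keyed host keeps a stale known_hosts line; an `ssh_known_hosts.absent` counterpart or a documented cleanup step would close that gap. Minor style: the unused loop variable `cmp_nodes` in `for cmp_nodes, node_grains in ...` could be `_`.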