Merge "deprecation of xtrabackup-restore pipeline" into release/2019.2.0
diff --git a/defaults/docker_images.yml b/defaults/docker_images.yml
index 6adab6b..edd2197 100644
--- a/defaults/docker_images.yml
+++ b/defaults/docker_images.yml
@@ -43,7 +43,7 @@
docker_image_keycloak_server: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:4.5.0.Final"
docker_image_keycloak_proxy: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:3.4.2.Final"
# CVP
- docker_image_cvp_sanity_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.2
+ docker_image_cvp_sanity_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.3
# aptly
docker_image_aptly:
base: "${_param:mcp_docker_registry}/mirantis/cicd/aptly:${_param:mcp_version}"
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 3c46a0d..e4f686b 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -99,6 +99,24 @@
keystone_old_version: ${_param:openstack_old_version}
keystone_version: ${_param:openstack_version}
keystone_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+ # (obryndzii) Rotating keys too frequently, or with ``[fernet_tokens] max_active_keys``
+ # set too low, will cause tokens to become invalid prior to their expiration.
+ # As tokens may be fetched beyond their initial expiration period (nova live migration,
+ # cider volume backup), keys should not be fully rotated within the period of
+ # ``[token] expiration``+``[token] allow_expired_window`` seconds to prevent the tokens
+ # becoming unavailable.
+ # The max_active_keys default value was adjusted according to the following defaults:
+ # [token]/allow_expired_window = 172800 (48 hours)
+ # [token]/expiration = 3600 (1 hour)
+ # rotation_frequency = 1 hour (keystone_fernet_rotate_rsync_minute/hour 0 *)
+ # max_active_keys = (allow_expired_window + expiration)/rotation_frequency + 2
+ # In case of changing those defaults the keystone_tokens_max_active_keys value should be
+ # calculated according to the definition above.
+ keystone_tokens_expiration: 3600
+ keystone_tokens_max_active_keys: 51
+ keystone_tokens_allow_expired_window: 172800
+ keystone_fernet_rotate_rsync_minute: 0
+ keystone_fernet_rotate_rsync_hour: '*'
# Manila
manila_old_version: ${_param:openstack_old_version}
manila_version: ${_param:openstack_version}
diff --git a/defaults/secrets.yml b/defaults/secrets.yml
new file mode 100644
index 0000000..65b7bce
--- /dev/null
+++ b/defaults/secrets.yml
@@ -0,0 +1,82 @@
+# All commented params just for reference, should be auto-generated
+# Actually all must be genertated but keep some uncommented for backward
+# compatibility.
+parameters:
+ _param:
+# PostgreSQL
+# postgresql_admin_user_password: <<CHANGEME>>
+# postgresql_client_password: <<CHANGEME>>
+# rundeck_db_user_password: <<CHANGEME>>
+# sfdc_db_user_password: <<CHANGEME>>
+# alertmanager_db_user_password: <<CHANGEME>>
+# pushkin_db_user_password: <<CHANGEME>>
+# postgresql_billometer_password: <<CHANGEME>>
+# postgresql_graphite_password: <<CHANGEME>>
+
+# Opencontrail
+ opencontrail_identity_password: contrail123
+# opencontrail_stats_password: <<CHANGEME>>
+ opencontrail_message_queue_password: guest
+
+# RabbitMQ
+# rabbitmq_monitor_password: <<CHANGEME>>
+# rabbitmq_admin_password: <<CHANGEME>>
+ rabbitmq_guest_password: guest
+# rabbitmq_billometer_password: <<CHANGEME>>
+# rabbitmq_graphite_password: <<CHANGEME>>
+# rabbitmq_cold_password: <<CHANGEME>>
+# rabbitmq_secret_key: <<CHANGEME>>
+
+# Keepalived
+# keepalived_k8s_apiserver_vip_password: <<CHANGEME>>
+# keepalived_openstack_web_public_vip_password: <<CHANGEME>>
+# keepalived_openstack_baremetal_password: <<CHANGEME>>
+ keepalived_openstack_telemetry_vip_password: password
+# keepalived_openstack_manila_vip_password: <<CHANGEME>>
+# keepalived_openstack_barbican_vip_password: <<CHANGEME>>
+
+# Jenkins
+# jenkins_admin_password: <<CHANGEME>>
+# jenkins_client_password: <<CHANGEME>>
+# jenkins_security_ldap_manager_password: <<CHANGEME>>
+# oss_jenkins_password: <<CHANGEME>>
+
+# Gerrit/LDAP
+ gerrit_ldap_bind_password: password
+
+# Docker
+# keycloak_admin_password: <<CHANGEME>>
+# kqueen_api_ldap_password: <<CHANGEME>>
+# kqueen_credentials:
+# kqueen_api_admin_password: <<CHANGEME>>
+# pushkin_email_sender_password: <<CHANGEME>>
+# sfdc_password: <<CHANGEME>>
+
+# Billometer
+# keystone_billometer_password: <<CHANGEME>>
+
+# Nova
+# metadata_password: <<CHANGEME>>
+# nova_compute_ssh_public: <<CHANGEME>>
+# nova_compute_ssh_private: <<CHANGEME>>
+
+
+# Grafana
+# grafana_password: <<CHANGEME>>
+# grafana_database_password: <<CHANGEME>>
+
+# Keystone
+# keystone_admin_password: <<CHANGEME>>
+# mysql_admin_password: <<CHANGEME>>
+# mysql_keystone_password: <<CHANGEME>>
+
+# Kubernetes
+ kubernetes_openstack_provider_cloud_password: password
+
+# Galera
+# galera_clustercheck_password: <<CHANGEME>>
+
+# Generic
+# root_private_key:
+# root_public_key:
+
diff --git a/jenkins/client/credential/lab.yml b/jenkins/client/credential/lab.yml
index 68375e3..e69de29 100644
--- a/jenkins/client/credential/lab.yml
+++ b/jenkins/client/credential/lab.yml
@@ -1,9 +0,0 @@
-parameters:
- _param:
- lab_ssh_user: root
- jenkins:
- client:
- credential:
- lab:
- username: ${_param:lab_ssh_user}
- key: ${_param:cluster_private_key}
diff --git a/jenkins/client/job/ceph/add-osd-upmap.yml b/jenkins/client/job/ceph/add-osd-upmap.yml
new file mode 100644
index 0000000..f6390a6
--- /dev/null
+++ b/jenkins/client/job/ceph/add-osd-upmap.yml
@@ -0,0 +1,32 @@
+parameters:
+ jenkins:
+ client:
+ job:
+ ceph-add-osd-upmap:
+ type: workflow-scm
+ concurrent: true
+ display_name: "Ceph - add osd"
+ description: "This pipeline requires ceph luminous version, all clients must be upgraded to luminous version to proceed."
+ discard:
+ build:
+ keep_num: 50
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+ branch: "${_param:jenkins_pipelines_branch}"
+ credentials: "gerrit"
+ script: ceph-add-osd-upmap.groovy
+ param:
+ # general parameters
+ SALT_MASTER_URL:
+ type: string
+ description: URL of Salt master
+ default: "${_param:jenkins_salt_api_url}"
+ SALT_MASTER_CREDENTIALS:
+ type: string
+ description: Credentials for login to Salt API
+ default: salt
+ HOST:
+ type: string
+ description: OSD HOST that will be added to Ceph cluster (rgw04*)
+ default: 'osd*'
diff --git a/keystone/server/cluster.yml b/keystone/server/cluster.yml
index d64a6cb..7e9ea1b 100644
--- a/keystone/server/cluster.yml
+++ b/keystone/server/cluster.yml
@@ -11,7 +11,6 @@
- system.keystone.client.os_client_config.admin_identity
parameters:
_param:
- keystone_tokens_expiration: 3600
openstack_node_role: primary
keystone_service_protocol: ${_param:cluster_internal_protocol}
linux:
@@ -58,7 +57,8 @@
tokens:
engine: fernet
expiration: ${_param:keystone_tokens_expiration}
- max_active_keys: 3
+ max_active_keys: ${_param:keystone_tokens_max_active_keys}
+ allow_expired_window: ${_param:keystone_tokens_allow_expired_window}
location: /var/lib/keystone/fernet-keys
credential:
location: /var/lib/keystone/credential-keys
diff --git a/keystone/server/fernet_rotation/cluster.yml b/keystone/server/fernet_rotation/cluster.yml
index c34c4f8..cf7b328 100644
--- a/keystone/server/fernet_rotation/cluster.yml
+++ b/keystone/server/fernet_rotation/cluster.yml
@@ -36,7 +36,8 @@
command: '/var/lib/keystone/keystone_keys_rotate.sh -r -s -t fernet >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
enabled: true
user: keystone
- minute: 0
+ minute: ${_param:keystone_fernet_rotate_rsync_minute}
+ hour: ${_param:keystone_fernet_rotate_rsync_hour}
keystone_credential_rotate_rsync:
command: '/var/lib/keystone/keystone_keys_rotate.sh -r -s -t credential >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
enabled: true
diff --git a/keystone/server/fernet_rotation/single.yml b/keystone/server/fernet_rotation/single.yml
index 8a3d6fb..7514086 100644
--- a/keystone/server/fernet_rotation/single.yml
+++ b/keystone/server/fernet_rotation/single.yml
@@ -22,7 +22,8 @@
command: '/var/lib/keystone/keystone_keys_rotate.sh -r -t fernet >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
enabled: true
user: keystone
- minute: 0
+ minute: ${_param:keystone_fernet_rotate_rsync_minute}
+ hour: ${_param:keystone_fernet_rotate_rsync_hour}
keystone_credential_rotate_rsync:
command: '/var/lib/keystone/keystone_keys_rotate.sh -r -t credential >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
enabled: true
diff --git a/keystone/server/single.yml b/keystone/server/single.yml
index 6996968..9663488 100644
--- a/keystone/server/single.yml
+++ b/keystone/server/single.yml
@@ -13,7 +13,6 @@
mysql_admin_user: root
mysql_admin_password: password
mysql_keystone_password: password
- keystone_tokens_expiration: 3600
openstack_node_role: primary
keystone_service_protocol: ${_param:cluster_internal_protocol}
linux:
@@ -57,7 +56,8 @@
tokens:
engine: fernet
expiration: ${_param:keystone_tokens_expiration}
- max_active_keys: 3
+ max_active_keys: ${_param:keystone_tokens_max_active_keys}
+ allow_expired_window: ${_param:keystone_tokens_allow_expired_window}
location: /var/lib/keystone/fernet-keys
credential:
location: /var/lib/keystone/credential-keys
diff --git a/nova/compute/cluster.yml b/nova/compute/cluster.yml
index c3f60f8..39fcd2d 100644
--- a/nova/compute/cluster.yml
+++ b/nova/compute/cluster.yml
@@ -8,35 +8,6 @@
nova_compute_virtualization: kvm
nova_compute_avail_zone:
nova_aggregates: []
- nova_compute_ssh_public: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCltIn93BcTMzNK/n2eBze6PyTkmIgdDkeXNR9X4DqE48Va80ojv2pq8xuaBxiNITJzyl+4p4UvTTXo+HmuX8qbHvqgMGXvuPUCpndEfb2r67f6vpMqPwMgBrUg2ZKgN4OsSDHU+H0dia0cEaTjz5pvbUy9lIsSyhrqOUVF9reJq+boAvVEedm8fUqiZuiejAw2D27+rRtdEPgsKMnh3626YEsr963q4rjU/JssV/iKMNu7mk2a+koOrJ+aHvcVU8zJjfA0YghoeVT/I3GLU/MB/4tD/RyR8GM+UYbI4sgAC7ZOCdQyHdJgnEzx3SJIwcS65U0T2XYvn2qXHXqJ9iGZ root@mirantis.com
- nova_compute_ssh_private: |
- -----BEGIN RSA PRIVATE KEY-----
- MIIEpAIBAAKCAQEApbSJ/dwXEzMzSv59ngc3uj8k5JiIHQ5HlzUfV+A6hOPFWvNK
- I79qavMbmgcYjSEyc8pfuKeFL0016Ph5rl/Kmx76oDBl77j1AqZ3RH29q+u3+r6T
- Kj8DIAa1INmSoDeDrEgx1Ph9HYmtHBGk48+ab21MvZSLEsoa6jlFRfa3iavm6AL1
- RHnZvH1KombonowMNg9u/q0bXRD4LCjJ4d+tumBLK/et6uK41PybLFf4ijDbu5pN
- mvpKDqyfmh73FVPMyY3wNGIIaHlU/yNxi1PzAf+LQ/0ckfBjPlGGyOLIAAu2TgnU
- Mh3SYJxM8d0iSMHEuuVNE9l2L59qlx16ifYhmQIDAQABAoIBAQCYpqbwvE5tm59H
- GQb0C8Ykx4LfLD1INx1wiLmlJKYEQihPTw0fvXj1qZvl21+cs9ZcoTRpUbn6B3EA
- e9bs8sYc/P75j1x46LSdimkZKZUPygkk72d3ZbElUciOyKCxBDNDBQcTIQ9xpKFa
- 2E5Ep72npNMrWqp71r/Qwo20lEIkikIgAFPBgraxn5xIEdo59vzXNZsvyoIRi5p4
- ayH9nWSAXdF1YU3p3ljtHD8o2G/0d2TWGmjrd9vztc6tgXjp0PF60vDNgcJiudBg
- oNLDK/e5a44GJxlVDdJ84ESb7GprRStYmddl22xnI1SXlg87+t0QQwzR0CCtWXrz
- neXkicHhAoGBANkG9tOZfErhSL/jmsElQTNPcMNQkPiJzEmOIpr6jgSzCusPT/QD
- PnVwB42GC5+Zhd4e88BsTzECxPXmKk7r1cBKeJTg/ejgsrSfVAZqMsfhbp3mGOiH
- jymF+zC6Urj5q/Zkof8pEFICtyA5zlHvZmsQL9PDiqXIWALki2JvIDPdAoGBAMN2
- O+LWOM9qqwgSMaFY8VUdDdbmLx/ZMGWQ//Tx42WM8SU+cCpGTLDHHR0qC0gnRsV7
- V63DySEwiHn4I1cQ/AMijRxuw4Dkgk2YMRlgsAbVWO7aIlECWjSg+pRjNeA7If4D
- 5L/gu6wZIv1vu8/fvOwRpPUzhWjGN5Z0RyvYc7btAoGALNnrmL9XmIIGbuGy0cfJ
- OblpLHQyAas4tNrS/ARb5Uy7LOj1NRCWj96fMPhK3qjzqXvsFBBOLWrNGaR/id/j
- ROIfGWWGE+KcDAgBbXH1HKnSGn+7FhMt2v79coyPG/s9NqaFdB4gaVJ2VgqcQQKg
- v++QcssulCRbS/2/cJBWr2ECgYAJFCDL9G9HEwlGorGzcNIkxeiyppZhwFDDJuz8
- j4+kU9uPg0rqa8F8JINxq1ZCz7A10/jKlWFuLTbpk2Dw1lUeQCiVvX9PKU30FLGT
- IC6M4rPyxCb75EQUVbXN1p3WAGkfx0aEsweEgtZhNyNeEGJSBK/Iw8/agfpq/pOf
- sboOMQKBgQClKmrAYKWnwdPPka3msyjl/AXDruR4XFvMlOPKbs3nYstolE7eR94F
- 7xDyBz85icFU0rceYQetwFH2p5tRL0GcUQhJmJFgIL0OXdCQvRNJrT3iS00N1aUo
- SG9MrLHCd5l60aCUQg0UA5ed7Hd6SA314k+HwxJno9/wJ+voBeacMg==
- -----END RSA PRIVATE KEY-----
openssh:
client:
enabled: True
diff --git a/nova/compute/single.yml b/nova/compute/single.yml
index 5d161e2..ddcf583 100644
--- a/nova/compute/single.yml
+++ b/nova/compute/single.yml
@@ -7,36 +7,7 @@
parameters:
_param:
nova_vncproxy_url: https://${_param:cluster_public_host}:6080
- nova_compute_ssh_public: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCltIn93BcTMzNK/n2eBze6PyTkmIgdDkeXNR9X4DqE48Va80ojv2pq8xuaBxiNITJzyl+4p4UvTTXo+HmuX8qbHvqgMGXvuPUCpndEfb2r67f6vpMqPwMgBrUg2ZKgN4OsSDHU+H0dia0cEaTjz5pvbUy9lIsSyhrqOUVF9reJq+boAvVEedm8fUqiZuiejAw2D27+rRtdEPgsKMnh3626YEsr963q4rjU/JssV/iKMNu7mk2a+koOrJ+aHvcVU8zJjfA0YghoeVT/I3GLU/MB/4tD/RyR8GM+UYbI4sgAC7ZOCdQyHdJgnEzx3SJIwcS65U0T2XYvn2qXHXqJ9iGZ root@mirantis.com
nova_compute_avail_zone:
- nova_compute_ssh_private: |
- -----BEGIN RSA PRIVATE KEY-----
- MIIEpAIBAAKCAQEApbSJ/dwXEzMzSv59ngc3uj8k5JiIHQ5HlzUfV+A6hOPFWvNK
- I79qavMbmgcYjSEyc8pfuKeFL0016Ph5rl/Kmx76oDBl77j1AqZ3RH29q+u3+r6T
- Kj8DIAa1INmSoDeDrEgx1Ph9HYmtHBGk48+ab21MvZSLEsoa6jlFRfa3iavm6AL1
- RHnZvH1KombonowMNg9u/q0bXRD4LCjJ4d+tumBLK/et6uK41PybLFf4ijDbu5pN
- mvpKDqyfmh73FVPMyY3wNGIIaHlU/yNxi1PzAf+LQ/0ckfBjPlGGyOLIAAu2TgnU
- Mh3SYJxM8d0iSMHEuuVNE9l2L59qlx16ifYhmQIDAQABAoIBAQCYpqbwvE5tm59H
- GQb0C8Ykx4LfLD1INx1wiLmlJKYEQihPTw0fvXj1qZvl21+cs9ZcoTRpUbn6B3EA
- e9bs8sYc/P75j1x46LSdimkZKZUPygkk72d3ZbElUciOyKCxBDNDBQcTIQ9xpKFa
- 2E5Ep72npNMrWqp71r/Qwo20lEIkikIgAFPBgraxn5xIEdo59vzXNZsvyoIRi5p4
- ayH9nWSAXdF1YU3p3ljtHD8o2G/0d2TWGmjrd9vztc6tgXjp0PF60vDNgcJiudBg
- oNLDK/e5a44GJxlVDdJ84ESb7GprRStYmddl22xnI1SXlg87+t0QQwzR0CCtWXrz
- neXkicHhAoGBANkG9tOZfErhSL/jmsElQTNPcMNQkPiJzEmOIpr6jgSzCusPT/QD
- PnVwB42GC5+Zhd4e88BsTzECxPXmKk7r1cBKeJTg/ejgsrSfVAZqMsfhbp3mGOiH
- jymF+zC6Urj5q/Zkof8pEFICtyA5zlHvZmsQL9PDiqXIWALki2JvIDPdAoGBAMN2
- O+LWOM9qqwgSMaFY8VUdDdbmLx/ZMGWQ//Tx42WM8SU+cCpGTLDHHR0qC0gnRsV7
- V63DySEwiHn4I1cQ/AMijRxuw4Dkgk2YMRlgsAbVWO7aIlECWjSg+pRjNeA7If4D
- 5L/gu6wZIv1vu8/fvOwRpPUzhWjGN5Z0RyvYc7btAoGALNnrmL9XmIIGbuGy0cfJ
- OblpLHQyAas4tNrS/ARb5Uy7LOj1NRCWj96fMPhK3qjzqXvsFBBOLWrNGaR/id/j
- ROIfGWWGE+KcDAgBbXH1HKnSGn+7FhMt2v79coyPG/s9NqaFdB4gaVJ2VgqcQQKg
- v++QcssulCRbS/2/cJBWr2ECgYAJFCDL9G9HEwlGorGzcNIkxeiyppZhwFDDJuz8
- j4+kU9uPg0rqa8F8JINxq1ZCz7A10/jKlWFuLTbpk2Dw1lUeQCiVvX9PKU30FLGT
- IC6M4rPyxCb75EQUVbXN1p3WAGkfx0aEsweEgtZhNyNeEGJSBK/Iw8/agfpq/pOf
- sboOMQKBgQClKmrAYKWnwdPPka3msyjl/AXDruR4XFvMlOPKbs3nYstolE7eR94F
- 7xDyBz85icFU0rceYQetwFH2p5tRL0GcUQhJmJFgIL0OXdCQvRNJrT3iS00N1aUo
- SG9MrLHCd5l60aCUQg0UA5ed7Hd6SA314k+HwxJno9/wJ+voBeacMg==
- -----END RSA PRIVATE KEY-----
openssh:
client:
enabled: True
diff --git a/openssh/client/lab.yml b/openssh/client/lab.yml
index 7a65847..e69de29 100644
--- a/openssh/client/lab.yml
+++ b/openssh/client/lab.yml
@@ -1,44 +0,0 @@
-applications:
-- openssh
-parameters:
- _param:
- cluster_private_key: |
- -----BEGIN RSA PRIVATE KEY-----
- MIIEowIBAAKCAQEAxL6/rVgCetsETpZaUmXmkj8cZ1WN0eubH1FvMDOi/La9ZJyT
- k0C6AYpJnIyEm93pMj5cLm08qRqMW+2pdOhYjcH69yg5MrX5SkRk8jCmIHIYoIbh
- Qnwbnj3dd3I39ZdfU2FO7u2vlbglVou6ZoQxlJDItuLNtzq6EG+w9eF19e7+OsC6
- 6iUItp618zfw1l3J/8nKvCGe2RYDf7mJW6XwCl/DwryJmwwzvPgYJ3QMuDD8/HFj
- lrJ3xjFTXj4b4Ws1XIoy78fFbtiLr4OwqCYkho03u2E5rOOP1qZxZB63sivHMLMO
- MM5bOAQKbulFNoyALADGYfc7sf0bZ4u9XXDXxQIDAQABAoIBAQCfmc2MJRT97KW1
- yqpCpX9BrAiymuiNHf+cjEcSZxEUyHkjIRFmJt+9WB0W7ba1anM92vCUiPDojSzH
- dig9Oi578JxR20NrK8uqv4jUHzrknynzLveVI3CUEcOSnglfJQijbxDFKfOCFPvV
- FUyE1UATMNBh6+LNfMprgu+exuMWOPnDyUiYQ+WZ0JfuZY8fuaZte4woJJOb9LUu
- 5rsMG/smIzjpgZ0Z9ZVDMurfq565qhpaXRAqKeIuyht8pacTo31iMQdHB78AvY/3
- g0z21Gk8k3z0Kr/YFKr2r4FmXY5m/gAUvZly2ZrVQM5XsbTVCzq/JpI5fssNvSbU
- AKmXzf4RAoGBAOO3d4/cstxERzW6hyOTjZIN1ppR52CsnZTsVPbfd0pCtmzmVZce
- CtHKdcXSbTwZvvkK09QSWAp3MoSpd0gIOiLU8Wx/R/RIZsu9BlhTS3r3EQLnk72d
- H/1TTA+j4T/LIYLSojQ1RxvIrHetAD44j732aTwKAHj/SybEAVqNkOB/AoGBAN0u
- gLcrgqIHGrk4VjWSvlCGymfF40equcx+ud7XhfZDGETUOSahW4dPZ52cjPAkrCBQ
- MMfcDwSVGsOAjd+mNt11BHUKobnhXwFaWWuyqyn9NmWFbjMbICVh7E3Of5aVN38o
- lrmo/7LuKMVG7XRwphCv5NkaJmQG4njDyUQWlaW7AoGADCd8wDb9bPhP/LQqBmIX
- ylXmwHHisaxE9O/wUQT4bwREjGd25gv6c9wkkRx8LBsLsGs9hzI7dMOL9Ly+2x9l
- SvqmsC3S/1zl77X1Ir2/Z57MT6Vgo1xBmtnZU3Rhz2/eKAdqFPNLClaZrgGT475N
- HcyLLWMzR0IJFtabY+Puea0CgYA8Zb5wRkldxWLewSuJZZDinGwY+kieAVjLJq/K
- 0j+ah6fQ48LXcah0wpIgz+cMjHcUO9GWQdk3/x9X03rqX5EL2DBnZYfUIl63F9zj
- M97ZkHOSNWVqPzX//0Vv2butewG0j3jZKfTo/2/SrxOYgEpYtC9huWpSVi7xm0US
- erhSkQKBgFIf9JEsfgE57ANhvITZ3ZI0uZXNxZkXQaVg8jvScDi79IIhy9iPzhKC
- aIIQoDNIlWv1ftCRZ5AlBvVXgvQ/QNrwy48JiQTzWZlb9Ezg8w+olQmSbG6fq7Y+
- 7r3i+QUZ7RBdOb24QcQ618q54ozNTCB7OywY78ptFzeoBeptiNr1
- -----END RSA PRIVATE KEY-----
- openssh:
- client:
- enabled: true
- user:
- root:
- enabled: true
- user: ${linux:system:user:root}
- private_key: ${private_keys:lab}
- private_keys:
- lab:
- type: rsa
- key: ${_param:cluster_private_key}
diff --git a/openssh/client/root.yml b/openssh/client/root.yml
index 66f8f88..24dc801 100644
--- a/openssh/client/root.yml
+++ b/openssh/client/root.yml
@@ -1,44 +1,14 @@
applications:
- openssh
parameters:
- _param:
- root_private_key: |
- -----BEGIN RSA PRIVATE KEY-----
- MIIEpQIBAAKCAQEAsy1IhygI3xV4md37IMd+blxelYr3wuVhWn7uEDGpcZo+lvrN
- u+6An3VgPA7uX9cLUFzO91UOZx5F4TNlCH1DGq7MoVyvgcSla3IBATR3SpQ8rWnn
- FD8rjsUw3RloTfwz7+f7y/DWFsHhGAWzWy4FNE3e0b5udk1Fyk4SA43he1w8V+Eo
- V1oqQUsFOG6DlAbUfCln4GvH7KngTfnmnLgEBUdzK6zn1bwLllugbH9OO3Jnflek
- L9K2qFu9zbuDP2QHU7GkeZOtmtHB7EkaIt4QpjUasPgmWkIvKa0FOrdunljxLc54
- 6eRJDxfiy4fC8VKAn1qlk/i8XvEEME9Z8fywjQIDAQABAoIBAQCdMsuBGNS/tDy8
- 8g5TsfLwrEWneebprQl+tgHzXz7EFol3OM+rZBKg0//8cTUeDLM2bFaAlLUwL1Ur
- wUWQ7yUikd2ibIjmlzpyS/Ept3g5jFi35EQCdXGnrsWyFYp3cR+4CZXWVZPfH3Z2
- 9vlms7eJLhChgCu1yxHB7kDLsXz0Fn5jaWPd2TDY+3Y3t3LCFxNgfIQ+Mljzj/6f
- +MG7bp/5UuEA76oZnPfp2fj1vqWYCI6ftk4Wam1AkHVUNP3jjl48cao7EKeH5v4E
- 0PL+AY3av4SoUQWf1ZlkkJrhIyRRdVDavX86t17NXmrQvaz3brz8yI2Hh08ho413
- AH8C0zyZAoGBANcea55n9vBoA4FQRX2HEA9ljdPWIFdvkKXvxb7R/UxhzublicBm
- 3JwcDCwbiGhEzYhMlDmt0hZ4YPA3fL7WwP2EXkrYyqn1tSGSS2CkfhpuB2xgPTSr
- cxbJj5iuKM0eS9GdPqae2k4ME3sC5pi+eiiWuUuvzhqid8EMAGFvYdcXAoGBANU6
- R4OLghz2FaTSeFFHfHCoAym03qMe9pRCugnM2Np0vEZ650G2xez8OtYim8nttkTE
- xCWppxBtHIjN6mm4pOHsGxr0LqrKtHgMxkawyBx9hZTZSNudAMupPXBRHlPm/+hL
- EXt4xUiBd4GVkWw2esEKINi83dXHnECugknJN7v7AoGBAJHy4bEneDLDXx1tCLiR
- 2iOYExGWRXsNBmaOtuswLVqVQXsGYN9Y6nQ/00JZq8KSa5/91NMNS2xTX/Gas9gG
- fAmEtTSywU1uluWgC+QVtjjYTdEJunzxlbPwLKy5/JSt6WLd/JOvUw2Aw/bBkRIw
- qVDAchcXwA3yDK29JsT0fL0hAoGBAMqu0zufaNbOtFQwHF5mbUtI6XjDjL3RuOHF
- a8HVDmzZef4k5Z35drqGKAdUbnHLm+5Se4CxezSKAw2nbqN/+HsoS7ubUKDYfiN/
- QRoBALbUOh37TN40p4TwIo6ZDRMECU1tzfhoHF+HcWmkGs+aGaVVU1Oyc8u6KjTx
- rLcmpevxAoGAFz4bvKyBt/wq8TPTVzU/iJtwBLq8WdZpKJcuVkF7/DWY3A3maOFs
- P9IMHeDD+tlfIu0Y3qmPmEaLzXsMfRh+3Eb6itrgDRFEuE/HyPIWxHvDt1jjfIFu
- O87TLcnZIoW99nyY0RixwuK6ZeCmmyktX0iO7dNDIOyBReCs6ZwXSSc=
- -----END RSA PRIVATE KEY-----
openssh:
client:
enabled: true
user:
root:
- enabled: true
+ # never-ever enable root globally. it must be enabled per-case|node
+ enabled: false
user: ${linux:system:user:root}
- private_key: ${private_keys:root}
- private_keys:
- root:
- type: rsa
- key: ${_param:root_private_key}
+ private_key:
+ key: ${_param:root_private_key}
+ type: rsa
diff --git a/openssh/server/team/all.yml b/openssh/server/team/all.yml
index e8e25c4..3a9b453 100644
--- a/openssh/server/team/all.yml
+++ b/openssh/server/team/all.yml
@@ -1,6 +1,5 @@
classes:
# avoid teams w/sudo group restrictions, or override restrictions
-- system.openssh.server.team.lab
- system.openssh.server.team.cicd
- system.openssh.server.team.mcp_qa
- system.openssh.server.team.mcp_ci
diff --git a/openssh/server/team/lab.yml b/openssh/server/team/lab.yml
index b6c90f8..5dc415e 100644
--- a/openssh/server/team/lab.yml
+++ b/openssh/server/team/lab.yml
@@ -1,10 +1,4 @@
parameters:
- _param:
- linux_system_user_sudo: true
- # This is the public key associated to the default private key setup in
- # openssh.client.lab
- cluster_public_key: >-
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEvr+tWAJ62wROllpSZeaSPxxnVY3R65sfUW8wM6L8tr1knJOTQLoBikmcjISb3ekyPlwubTypGoxb7al06FiNwfr3KDkytflKRGTyMKYgchighuFCfBuePd13cjf1l19TYU7u7a+VuCVWi7pmhDGUkMi24s23OroQb7D14XX17v46wLrqJQi2nrXzN/DWXcn/ycq8IZ7ZFgN/uYlbpfAKX8PCvImbDDO8+BgndAy4MPz8cWOWsnfGMVNePhvhazVcijLvx8Vu2Iuvg7CoJiSGjTe7YTms44/WpnFkHreyK8cwsw4wzls4BApu6UU2jIAsAMZh9zux/Rtni71dcNfF
linux:
system:
user:
@@ -17,10 +11,10 @@
permit_root_login: true
user:
root:
- enabled: true
+ enabled: false
user: ${linux:system:user:root}
public_keys:
- ${public_keys:root}
public_keys:
root:
- key: ${_param:cluster_public_key}
+ key: ${_param:root_public_key}