Enable user to change the account used for ssh connection
By default cephadm uses the root account to connect remotely
to other nodes in the cluster. This change allows choosing
another account.
This commit also allows using a dedicated subnet for cephadm mgmt.

Signed-off-by: Teoman ONAY <[email protected]>
(cherry picked from commit da42f3d)
(cherry picked from commit c3ce6fc)
asm0deuz authored and guits committed Mar 3, 2022
1 parent 445acc9 commit 11677d6
Showing 4 changed files with 60 additions and 7 deletions.
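--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -74,6 +74,11 @@ dummy:
 #ceph_dashboard_firewall_zone: public
 #ceph_rgwloadbalancer_firewall_zone: public
 
+# cephadm account for remote connections
+#cephadm_ssh_user: root
+#cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"
+#cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub"
+#cephadm_mgmt_network: "{{ public_network }}"
 
 ############
 # PACKAGES #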
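--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -74,6 +74,11 @@ dummy:
 #ceph_dashboard_firewall_zone: public
 #ceph_rgwloadbalancer_firewall_zone: public
 
+# cephadm account for remote connections
+#cephadm_ssh_user: root
+#cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"
+#cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub"
+#cephadm_mgmt_network: "{{ public_network }}"
 
 ############
 # PACKAGES #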
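--- a/infrastructure-playbooks/cephadm-adopt.yml
+++ b/infrastructure-playbooks/cephadm-adopt.yml
@@ -249,26 +249,64 @@
 run_once: true
 delegate_to: '{{ groups[mon_group_name][0] }}'
 
-- name: generate cephadm ssh key
+- name: check if there is an existing ssh keypair
+stat:
+path: "{{ item }}"
+loop:
+- "{{ cephadm_ssh_priv_key_path }}"
+- "{{ cephadm_ssh_pub_key_path }}"
+register: ssh_keys
+changed_when: false
+run_once: true
+delegate_to: '{{ groups[mon_group_name][0] }}'
+
+- name: set fact
+set_fact:
+stat_ssh_key_pair: "{{ ssh_keys.results | map(attribute='stat.exists') | list }}"
+
+- name: fail if either ssh public or private key is missing
+fail:
+msg: "One part of the ssh keypair of user {{ cephadm_ssh_user }} is missing"
+when:
+- false in stat_ssh_key_pair
+- true in stat_ssh_key_pair
+
+- name: generate cephadm ssh key if there is none
 command: "{{ ceph_cmd }} cephadm generate-key"
+when: not true in stat_ssh_key_pair
 changed_when: false
 run_once: true
 delegate_to: '{{ groups[mon_group_name][0] }}'
 
+- name: use existing user keypair for remote connections
+when: not false in stat_ssh_key_pair
+delegate_to: "{{ groups[mon_group_name][0] }}"
+run_once: true
+command: >
+{{ container_binary + ' run --rm --net=host --security-opt label=disable
+-v /etc/ceph:/etc/ceph:z
+-v /var/lib/ceph:/var/lib/ceph:ro
+-v /var/run/ceph:/var/run/ceph:z
+-v ' + item.1 + ':/etc/ceph/cephadm.' + item.0 + ':ro --entrypoint=ceph '+ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else 'ceph' }}
+--cluster {{ cluster }} config-key set mgr/cephadm/ssh_identity_{{ item.0 }} -i /etc/ceph/cephadm.{{ item.0 }}
+with_together:
+- [ 'pub', 'key' ]
+- [ '{{ cephadm_ssh_pub_key_path }}', '{{ cephadm_ssh_priv_key_path }}' ]
+
 - name: get the cephadm ssh pub key
 command: "{{ ceph_cmd }} cephadm get-pub-key"
 changed_when: false
 run_once: true
 register: cephadm_pubpkey
 delegate_to: '{{ groups[mon_group_name][0] }}'
 
-- name: allow cephadm key for {{ cephadm_ssh_user | default('root') }} account
+- name: allow cephadm key for {{ cephadm_ssh_user }} account
 authorized_key:
-user: "{{ cephadm_ssh_user | default('root') }}"
+user: "{{ cephadm_ssh_user }}"
 key: '{{ cephadm_pubpkey.stdout }}'
 
-- name: set cephadm ssh user to {{ cephadm_ssh_user | default('root') }}
-command: "{{ ceph_cmd }} cephadm set-user {{ cephadm_ssh_user | default('root') }}"
+- name: set cephadm ssh user to {{ cephadm_ssh_user }}
+command: "{{ ceph_cmd }} cephadm set-user {{ cephadm_ssh_user }}"
 changed_when: false
 run_once: true
 delegate_to: "{{ groups[mon_group_name][0] }}"
@@ -323,13 +361,13 @@
 when: is_hci | bool
 
 - name: manage nodes with cephadm - ipv4
-command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(public_network.split(',')) | first }} {{ group_names | join(' ') }}"
+command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(cephadm_mgmt_network.split(',')) | first }} {{ group_names | join(' ') }}"
 changed_when: false
 delegate_to: '{{ groups[mon_group_name][0] }}'
 when: ip_version == 'ipv4'
 
 - name: manage nodes with cephadm - ipv6
-command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(public_network.split(',')) | last | ipwrap }} {{ group_names | join(' ') }}"
+command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(cephadm_mgmt_network.split(',')) | last | ipwrap }} {{ group_names | join(' ') }}"
 changed_when: false
 delegate_to: '{{ groups[mon_group_name][0] }}'
 when: ip_version == 'ipv6'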
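Review bot: The "use existing user keypair for remote connections" task copies whatever private key sits at cephadm_ssh_priv_key_path into the mgr config-key store (mgr/cephadm/ssh_identity_key), and the following "allow cephadm key" task then authorizes its public half for that user on every node, so a pre-existing personal key of that account silently becomes the cluster-wide orchestration identity without any task or variable comment saying so. Add a comment above the task, e.g. `# Imports the user's existing keypair as cephadm's SSH identity: point cephadm_ssh_priv_key_path at a keypair dedicated to cephadm, not a personal key.` The same task is also the only command task in this hunk without `changed_when`, so it reports a change on every run; `changed_when: false` would match the surrounding config-key and generate-key tasks. The play this hunk belongs to starts before the first hunk and continues after the second.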
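--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -66,6 +66,11 @@ ceph_iscsi_firewall_zone: public
 ceph_dashboard_firewall_zone: public
 ceph_rgwloadbalancer_firewall_zone: public
 
+# cephadm account for remote connections
+cephadm_ssh_user: root
+cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"
+cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub"
+cephadm_mgmt_network: "{{ public_network }}"
 
 ############
 # PACKAGES #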
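Review bot: The default `cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"` resolves to `/home/root/.ssh/id_rsa` for the shipped default user `root`, whose home directory is normally `/root`, so with defaults the stat check in cephadm-adopt.yml never finds an existing root keypair and a new key is generated every time the adopt playbook runs on a fresh mon. Derive the directory from the user instead, e.g. `cephadm_ssh_priv_key_path: "{{ '/root' if cephadm_ssh_user == 'root' else '/home/' + cephadm_ssh_user }}/.ssh/id_rsa"`, or at least state in the comment above that the path must be overridden when the account's home is not under /home. Since this keypair becomes the credential cephadm uses to reach every node, the comment should also say that a keypair dedicated to cephadm is expected here rather than the account's personal key.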
