[nova]Set up ssh keys auth for the nova user #446

gibizer · 2023-10-12T14:08:27Z

The nova user needs to be able to copy files between the compute nodes.
The edpm_nova role now expects that a Secret is mounted to the AnsibleEE
CR containing an ssh keypair (ssh-privatekey and ssh-publickey). This
keypair is used to set up the auth for the nova user between the
compute nodes. On the EDPM host the nova user will have the public key
added as authorized_keys. While the nova user in the nova-compute
container will have the private key added as identity in
/var/lib/nova/.ssh. Also an ssh config file is added in the container to
ensure that this identity is used for all the outgoing ssh connection.

Depends-On: openstack-k8s-operators/dataplane-operator#471

openshift-ci · 2023-10-12T14:08:32Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

softwarefactory-project-zuul · 2023-10-12T16:17:50Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/771d8fdcd545417ea7d0d1cd596c2701

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 07m 56s
❌ podified-multinode-edpm-deployment-crc FAILURE in 1h 52m 29s
❌ cifmw-crc-podified-edpm-baremetal RETRY_LIMIT in 4m 04s
✔️ edpm-ansible-molecule-edpm_podman SUCCESS in 6m 12s
✔️ edpm-ansible-molecule-edpm_module_load SUCCESS in 5m 29s
✔️ edpm-ansible-molecule-edpm_kernel SUCCESS in 11m 13s
✔️ edpm-ansible-molecule-edpm_libvirt SUCCESS in 6m 03s
❌ edpm-ansible-molecule-edpm_nova FAILURE in 5m 51s
✔️ edpm-ansible-molecule-edpm_frr SUCCESS in 6m 58s

lewisdenny · 2023-10-13T06:17:11Z

recheck
Due to a CI Blocker

softwarefactory-project-zuul · 2023-10-13T08:28:47Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/653e24168f0c4889a7321b9d4cbaa756

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 10m 00s
❌ podified-multinode-edpm-deployment-crc FAILURE in 1h 55m 26s
❌ cifmw-crc-podified-edpm-baremetal FAILURE in 1h 52m 19s
✔️ edpm-ansible-molecule-edpm_podman SUCCESS in 6m 17s
✔️ edpm-ansible-molecule-edpm_module_load SUCCESS in 5m 39s
✔️ edpm-ansible-molecule-edpm_kernel SUCCESS in 11m 31s
✔️ edpm-ansible-molecule-edpm_libvirt SUCCESS in 6m 58s
❌ edpm-ansible-molecule-edpm_nova FAILURE in 6m 28s
✔️ edpm-ansible-molecule-edpm_frr SUCCESS in 7m 21s

gibizer · 2023-10-13T08:32:30Z

The CI failure is relevant. I'm working on a fix to this PR

2023-10-12T15:37:21.586220014+00:00 stdout F �[0;31mfatal: [edpm-compute-0]: FAILED! => {"changed": false, "msg": "There was an issue creating /home/nova/.ssh as requested: [Errno 13] Permission denied: b'/home/nova/.ssh'", "path": "/home/nova/.ssh"}�[0m

softwarefactory-project-zuul · 2023-10-13T11:40:42Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/1018a42e375842b59e0fd361b1fa3f04

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 05m 13s
❌ podified-multinode-edpm-deployment-crc FAILURE in 1h 51m 54s
❌ cifmw-crc-podified-edpm-baremetal FAILURE in 1h 43m 39s
✔️ edpm-ansible-molecule-edpm_podman SUCCESS in 5m 57s
✔️ edpm-ansible-molecule-edpm_module_load SUCCESS in 5m 10s
✔️ edpm-ansible-molecule-edpm_kernel SUCCESS in 11m 01s
✔️ edpm-ansible-molecule-edpm_libvirt SUCCESS in 6m 08s
❌ edpm-ansible-molecule-edpm_nova FAILURE in 6m 04s
✔️ edpm-ansible-molecule-edpm_frr SUCCESS in 6m 50s

gibizer · 2023-10-13T13:05:07Z

CI failure is relevant. The nova role now expects an ssh key passed in so I first need to modify the OpenStackDataPlaneService/nova sample and/or the install_yamls / ci_framework scripting to provide an extra secret to service

TASK [osp.edpm.edpm_nova : Copy the migration ssh public key as authorized_keys to the nova user] ***
Friday 13 October 2023  11:01:34 +0000 (0:00:00.585)       0:00:16.505 ******** 
�[0;31mfatal: [edpm-compute-0]: FAILED! => {"changed": false, "msg": "Source /var/lib/openstack/config/nova/ssh-publickey not found"}�[0m

roles/edpm_nova/molecule/default/verify.yml

softwarefactory-project-zuul · 2023-10-13T15:15:44Z

This change depends on a change that failed to merge.

Change #445 is needed.

softwarefactory-project-zuul · 2023-10-13T15:32:12Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/2721daa9b75d4a11b786012f4f8a481c

❌ openstack-k8s-operators-content-provider FAILURE in 10m 53s
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
❌ edpm-ansible-molecule-edpm_podman FAILURE in 13m 03s
✔️ edpm-ansible-molecule-edpm_module_load SUCCESS in 5m 43s
✔️ edpm-ansible-molecule-edpm_kernel SUCCESS in 11m 17s
❌ edpm-ansible-molecule-edpm_libvirt FAILURE in 13m 10s
❌ edpm-ansible-molecule-edpm_nova FAILURE in 12m 59s
❌ edpm-ansible-molecule-edpm_frr FAILURE in 8m 13s

The nova role in edpm-ansible requires[1] an ssh key-pair that is then used as to authenticate the nova user when it copies data between compute nodes during migration. A placeholder Secret name for this key-pair is now added to the nova DataplaneService definition. The deployer (human, ci_framework, or install_yamls) needs to make sure that a secret is created with an SSH key-pair in it. [1] openstack-k8s-operators/edpm-ansible#446

gibizer · 2023-10-16T13:46:56Z

/hold need to land the dataplane-operator change first

The nova role in edpm-ansible requires[1] an ssh key-pair that is then used as to authenticate the nova user when it copies data between compute nodes during migration. A placeholder Secret name for this key-pair is now added to the nova DataplaneService definition. The deployer (human, ci_framework, or install_yamls) needs to make sure that a secret is created with an SSH key-pair in it. [1] openstack-k8s-operators/edpm-ansible#446

softwarefactory-project-zuul · 2023-10-16T13:48:50Z

This change depends on a change that failed to merge.

Change openstack-k8s-operators/dataplane-operator#471 is needed.

roles/edpm_nova/molecule/default/prepare.yml

roles/edpm_nova/tasks/configure.yml

rebtoor

Just few minor changes, when fixed this patch is LGTM for me.

The nova user needs to be able to copy files between the compute nodes. The edpm_nova role now expects that a Secret is mounted to the AnsibleEE CR containing an ssh keypair (ssh-privatekey and ssh-publickey). This keypair is used to set up the auth for the nova user between the compute nodes. On the EDPM host the nova user will have the public key added as authorized_keys. While the nova user in the nova-compute container will have the private key added as identity in /var/lib/nova/.ssh. Also an ssh config file is added in the container to ensure that this identity is used for all the outgoing ssh connection.

gibizer · 2023-10-19T12:22:45Z

Just few minor changes, when fixed this patch is LGTM for me.

Thanks for the review. I resolved your comments.

Now that the deployment is configured to support cold migration we can enable the relevant tempest tests as well. Depends-On: openstack-k8s-operators/edpm-ansible#446

openshift-ci · 2023-10-19T12:35:24Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gibizer, rebtoor

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [gibizer,rebtoor]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

gibizer · 2023-10-19T13:21:14Z

/unhold
dataplane dependency landed

softwarefactory-project-zuul · 2023-10-19T14:37:16Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/2610e2b604214950a04780089bc29012

gibizer · 2023-10-19T14:57:55Z

recheck
just the baremetal job failed with unrelated reasons

Warning: resource namespaces/openstack-operators is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by oc apply. oc apply should only be used on resources created declaratively by either oc create --save-config or oc apply. The missing annotation will be patched automatically.
error: unable to default to a user name: the server is currently unable to handle the request (get users.user.openshift.io ~)
gmake: *** [Makefile:450: operator_namespace] Error 1

softwarefactory-project-zuul · 2023-10-19T17:15:33Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/ccf6af9709f7447a86eb5e2747d37be0

gibizer · 2023-10-19T17:20:44Z

As this was green before I think the depends-on is not working correctly. I guess when the needed dataplane-operator PR was still open the job picket it up, but now it is merged so the job thinks that it is available automatically, however it is not built into the openstack-operator yet so it is not available in the deployment.

TASK [osp.edpm.edpm_nova : Copy the migration ssh public key as authorized_keys to the nova user] ***
Thursday 19 October 2023  16:48:26 +0000 (0:00:00.707)       0:00:20.519 ****** 
�[0;31mfatal: [edpm-compute-0]: FAILED! => {"changed": false, "msg": "Source /var/lib/openstack/config/nova/ssh-publickey not found"}�[0m

SeanMooney · 2023-10-19T19:43:55Z

recheck dep is now merged

SeanMooney · 2023-10-19T19:46:26Z

the content provider job is proably not setup to support depends on currently.
or it is but podified-multinode-edpm-deployment-crc and cifmw-crc-podified-edpm-baremetal
are not using it properly i missed your comment about it not being built into the operator yet hopefully that is now resolved

softwarefactory-project-zuul · 2023-10-19T21:54:47Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/42d17eda73034e429b86a2fa415cdc45

gibizer · 2023-10-20T07:47:50Z

recheck
openstack-operator bump merged that updated to the latest dataplane-operator. I hope this is enough

Now that the deployment is configured to support cold migration we can enable the relevant tempest tests as well. Depends-On: openstack-k8s-operators/edpm-ansible#446

openshift-ci bot added the do-not-merge/work-in-progress label Oct 12, 2023

openshift-ci bot added the approved label Oct 12, 2023

gibizer changed the title ~~Copy nova migration keys~~ [nova]Set up ssh keys auth for the nova user Oct 12, 2023

gibizer force-pushed the copy-nova-migration-keys branch from f15b3ba to bc01d7f Compare October 13, 2023 09:15

ielod reviewed Oct 13, 2023

View reviewed changes

roles/edpm_nova/molecule/default/verify.yml Outdated Show resolved Hide resolved

gibizer mentioned this pull request Oct 13, 2023

[nova]Add nova user to the EDPM host #445

Merged

gibizer force-pushed the copy-nova-migration-keys branch from 20e8205 to ca21079 Compare October 13, 2023 15:06

gibizer force-pushed the copy-nova-migration-keys branch from ca21079 to c5793bc Compare October 13, 2023 15:16

gibizer mentioned this pull request Oct 16, 2023

[DataplaneService/nova]Add migration ssh key openstack-k8s-operators/dataplane-operator#471

Merged

gibizer force-pushed the copy-nova-migration-keys branch from c5793bc to dec6f38 Compare October 16, 2023 13:46

gibizer marked this pull request as ready for review October 16, 2023 13:46

openshift-ci bot removed the do-not-merge/work-in-progress label Oct 16, 2023

openshift-ci bot requested review from abays and frenzyfriday October 16, 2023 13:46

openshift-ci bot added the do-not-merge/hold label Oct 16, 2023

rebtoor reviewed Oct 19, 2023

View reviewed changes

roles/edpm_nova/molecule/default/prepare.yml Outdated Show resolved Hide resolved

rebtoor reviewed Oct 19, 2023

View reviewed changes

roles/edpm_nova/tasks/configure.yml Outdated Show resolved Hide resolved

rebtoor reviewed Oct 19, 2023

View reviewed changes

roles/edpm_nova/tasks/configure.yml Outdated Show resolved Hide resolved

rebtoor requested changes Oct 19, 2023

View reviewed changes

openshift-ci bot assigned rebtoor Oct 19, 2023

gibizer added 2 commits October 19, 2023 14:21

[nova]Ensure ssh_knonw_hosts are mounted

2f45fb5

gibizer force-pushed the copy-nova-migration-keys branch from b9ca9a5 to 2f45fb5 Compare October 19, 2023 12:22

gibizer mentioned this pull request Oct 19, 2023

[tempest]Enable cold migration tests openstack-k8s-operators/nova-operator#577

Merged

rebtoor approved these changes Oct 19, 2023

View reviewed changes

openshift-ci bot added the lgtm label Oct 19, 2023

openshift-ci bot removed the do-not-merge/hold label Oct 19, 2023

openshift-ci bot merged commit 41da5bf into openstack-k8s-operators:main Oct 20, 2023

rebtoor mentioned this pull request Nov 9, 2023

Disable HTTP2 in webhooks openstack-k8s-operators/openstack-ansibleee-operator#263

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[nova]Set up ssh keys auth for the nova user #446

[nova]Set up ssh keys auth for the nova user #446

gibizer commented Oct 12, 2023 •

edited

Loading

openshift-ci bot commented Oct 12, 2023

softwarefactory-project-zuul bot commented Oct 12, 2023

lewisdenny commented Oct 13, 2023

softwarefactory-project-zuul bot commented Oct 13, 2023

gibizer commented Oct 13, 2023

softwarefactory-project-zuul bot commented Oct 13, 2023

gibizer commented Oct 13, 2023

softwarefactory-project-zuul bot commented Oct 13, 2023

softwarefactory-project-zuul bot commented Oct 13, 2023

gibizer commented Oct 16, 2023

softwarefactory-project-zuul bot commented Oct 16, 2023

rebtoor left a comment

gibizer commented Oct 19, 2023

openshift-ci bot commented Oct 19, 2023

gibizer commented Oct 19, 2023

softwarefactory-project-zuul bot commented Oct 19, 2023

gibizer commented Oct 19, 2023

softwarefactory-project-zuul bot commented Oct 19, 2023

gibizer commented Oct 19, 2023

SeanMooney commented Oct 19, 2023

SeanMooney commented Oct 19, 2023

softwarefactory-project-zuul bot commented Oct 19, 2023

gibizer commented Oct 20, 2023

[nova]Set up ssh keys auth for the nova user #446

[nova]Set up ssh keys auth for the nova user #446

Conversation

gibizer commented Oct 12, 2023 • edited Loading

openshift-ci bot commented Oct 12, 2023

softwarefactory-project-zuul bot commented Oct 12, 2023

lewisdenny commented Oct 13, 2023

softwarefactory-project-zuul bot commented Oct 13, 2023

gibizer commented Oct 13, 2023

softwarefactory-project-zuul bot commented Oct 13, 2023

gibizer commented Oct 13, 2023

softwarefactory-project-zuul bot commented Oct 13, 2023

softwarefactory-project-zuul bot commented Oct 13, 2023

gibizer commented Oct 16, 2023

softwarefactory-project-zuul bot commented Oct 16, 2023

rebtoor left a comment

Choose a reason for hiding this comment

gibizer commented Oct 19, 2023

openshift-ci bot commented Oct 19, 2023

gibizer commented Oct 19, 2023

softwarefactory-project-zuul bot commented Oct 19, 2023

gibizer commented Oct 19, 2023

softwarefactory-project-zuul bot commented Oct 19, 2023

gibizer commented Oct 19, 2023

SeanMooney commented Oct 19, 2023

SeanMooney commented Oct 19, 2023

softwarefactory-project-zuul bot commented Oct 19, 2023

gibizer commented Oct 20, 2023

gibizer commented Oct 12, 2023 •

edited

Loading