Fuel for OpenStack

SSH does not listen on fuel master external interface

Bug #1612675 reported by Bob Ball on 2016-08-12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Fuel for OpenStack	Invalid	High	Maksim Malchuk	Fuel for OpenStack 10.0
	Mitaka	Invalid	High	Maksim Malchuk	Fuel for OpenStack 9.1

Bug Description

Detailed bug description:

Steps to reproduce:
* Get a host with two interfaces; eth0 for PXE and eth1 for external access
* Install with showmenu=yes (so external access can be set up so the base image can be built)
* After exiting fuel menu, host setup completes, but /etc/ssh/sshd_config is overwritten with a single IP address to listen on - the (private) PXE address of the FM.

Expected results:
SSH and FM Web should listen on all interfaces. (FM web already does)

Actual result:
Only FM web listens on the external interface

Reproducibility:
100%

Workaround:
Post-install edit /etc/ssh/sshd_config to change ListenAddress to 0.0.0.0. May require physical access to the machine on which fuel master is installed.

Note that this file is managed by puppet, so this workaround is not sufficient since puppet might replace the file at any time.

Impact:
SSH access the FM server (for installing plugins, getting access to compute/controller hosts, etc) is not possible without the workaround.

Tags:

Dmitry Guryanov (dguryanov) on 2016-08-12

Changed in fuel:
status:	New → Confirmed
importance:	Undecided → High
assignee:	nobody → Fuel Sustaining (fuel-sustaining-team)
milestone:	none → 10.0

Revision history for this message

Maksim Malchuk (mmalchuk) wrote on 2016-08-12:

by default the sshd service listens on 0.0.0.0 :
https://github.com/openstack/fuel-library/blob/master/deployment/puppet/fuel/examples/host.pp#L130
but the access limited to the network provided in the fuel-menu (by default, in save-only mode it admin network) :
https://github.com/openstack/fuel-library/blob/master/deployment/puppet/fuel/examples/host.pp#L136

Changed in fuel:
status:	Confirmed → Invalid
assignee:	Fuel Sustaining (fuel-sustaining-team) → Maksim Malchuk (mmalchuk)
tags:	added: area-library

Revision history for this message

Bob Ball (bob-ball) wrote on 2016-08-15:

Reverted to 'New'; comment #1 above is talking about the OpenStack deployment where as the bug report is for the Fuel Master.

There are no issues with SSH for the OpenStack deployment; the issue is getting SSH access to the fuel master which is prevented because puppet sets the ListenAddress to be the PXE management address, and there does not seem to be any way to set it to listen on an external address.

Changed in fuel:
status:	Invalid → New

Revision history for this message

Bob Ball (bob-ball) wrote on 2016-08-15:

Perhaps my comment shows a lack of understanding of where the puppet scripts are run; but I believe the main issue is not invalid:

If the PXE interface is not routable, there seems to be no way to give SSH access to the fuel master (as mentioned above, since the sshd_config is written by puppet and could be replaced at any time, manually modifying that isn't really suitable)

Revision history for this message

Bob Ball (bob-ball) wrote on 2016-08-15:

I've discovered that Fuel 9 has added a new item in the fuel menu to specify the ListenAddress for SSH.

My testing until now was based on previous knowledge and up to Fuel 8.

Sorry for the bug report - agreed that it's already been fixed in Fuel 9.

Changed in fuel:
status:	New → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.