SSH AllowUsers Settings on Compute Node Causes Live Migration Failure
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | Fix Released | High | Zhu Shengli | |
Bug Description
Description
===========
If sshd is configured with AllowUsers, for example:
~~~
AllowUsers 'heat-admin tripleo-admin'
~~~
then live migration will fail because `nova_migration` which is used as ssh user during live migration is not in the allow list.
Steps to reproduce
==================
* Configure AllowUsers via SshServerOptions parameter
* Deploy the overcloud
* Try live migration
Expected result
===============
Live migration succeeds.
Actual result
=============
Migration failed due to SSH connection failure.
Environment
===========
OSP 16
Logs & Configs
==============
Relevant heat template parameters.
```
parameter_defaults:
  SshServerOptions:
    AllowUsers: 'heat-admin tripleo-admin'
```
nova-compute.log on the source host:
```
2020-10-15 15:17:11.970 7 ERROR nova.virt.
Received disconnect from 172.16.1.34 port 2022:2: Too many authentication failures^M
Disconnected from 172.16.1.34 port 2022: Connection reset by peer: libvirt.
```
Relevant `sshd_config` settings for `nova_migration`:
```
$ cat /var/lib/
...
...
Match LocalAddress 172.16.1.34 User nova_migration
AllowTcpFor
AuthorizedK
ForceCommand /bin/nova-
PasswordAut
X11Forwarding no
Match LocalAddress !172.16.1.34
DenyUsers nova_migration
```
- summary: changed from "SSH AllowUsers Settings on Compute Node Causes Live Migration Fail" to "SSH AllowUsers Settings on Compute Node Causes Live Migration Failure"
- tags: added puppet-tripleo
- tags: added tripleo tripleo-heat-templates
- description: updated
- Changed in tripleo: importance Undecided → High; milestone none → victoria-3
- tags: added train-backport-potential ussuri-backport-potential
This problem is pretty difficult to debug, because there is absolutely no error message from the user interface (either Horizon Dashboard or command line) when you execute the live migration. The instance just stays on the original host with active status.
I think it's better to add AllowUsers to the match block:
```
$allow_name = 'nova_migration'
name => $allow_name,
type => $allow_type,
order => 1,
options => {
+ 'AllowUsers' => $allow_name,
},
notify => Service['sshd']
}
```
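The lockout described in the report (a global `AllowUsers` that omits `nova_migration`) and the fix suggested in the comment above (an `AllowUsers` line inside the `nova_migration` Match block) can be reproduced offline with the following added example. It is not part of the bug report, TripleO or puppet-tripleo; it is a small Python model of how sshd applies `AllowUsers` / `DenyUsers`, including directives inside `Match` blocks, which sshd appends to the global lists when the block's criteria match the session. The two `sshd_config` fragments are constructed for the example (only directives the model understands), and `MIGRATION_ADDR` reuses the report's 172.16.1.34 as a stand-in for a compute node's migration address.

```python
"""Model of sshd's AllowUsers / DenyUsers evaluation, including Match blocks.

Added example for the report above; not part of the original bug report and
not TripleO or puppet-tripleo code. Only AllowUsers, DenyUsers and Match on
User / LocalAddress are modelled, which is enough to show why a global
AllowUsers locks out nova_migration and why an AllowUsers line inside the
nova_migration Match block fixes it.
"""
import fnmatch
import shlex


def match_pattern_list(subject, pattern_list):
    """Evaluate a comma-separated sshd pattern list against subject.

    Follows the PATTERNS section of sshd_config(5): a pattern prefixed with
    '!' that matches rejects immediately, and a negated pattern on its own
    never produces a positive result.
    """
    positive = False
    for pattern in pattern_list.split(","):
        negated = pattern.startswith("!")
        if fnmatch.fnmatchcase(subject, pattern.lstrip("!")):
            if negated:
                return False
            positive = True
    return positive


def match_block_applies(criteria, user, laddr):
    """True if every 'Criterion pattern-list' pair of a Match line holds."""
    if len(criteria) % 2:
        raise ValueError(f"malformed Match line: {' '.join(criteria)}")
    for key, pattern_list in zip(criteria[0::2], criteria[1::2]):
        subject = {"user": user, "localaddress": laddr}.get(key.lower())
        if subject is None:
            raise ValueError(f"unsupported Match criterion: {key}")
        if not match_pattern_list(subject, pattern_list):
            return False
    return True


def effective_user_lists(config_text, user, laddr):
    """Collect the AllowUsers / DenyUsers entries that apply to (user, laddr).

    Entries inside a Match block are appended to the global lists when the
    block's criteria match the session; entries in non-matching blocks are
    ignored, as sshd does.
    """
    allow, deny = [], []
    active = True  # global section until the first Match line
    for raw in config_text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "match":
            active = match_block_applies(args, user, laddr)
        elif active and keyword == "allowusers":
            allow.extend(args)
        elif active and keyword == "denyusers":
            deny.extend(args)
    return allow, deny


def user_allowed(config_text, user, laddr):
    """Mirror sshd's allowed_user(): a DenyUsers match rejects, then a
    non-empty AllowUsers list must contain a pattern matching the user."""
    allow, deny = effective_user_lists(config_text, user, laddr)
    if any(fnmatch.fnmatchcase(user, p) for p in deny):
        return False
    if allow and not any(fnmatch.fnmatchcase(user, p) for p in allow):
        return False
    return True


# Constructed sshd_config fragments, not the file rendered on a real compute
# node. MIGRATION_ADDR stands in for the host's migration address.
MIGRATION_ADDR = "172.16.1.34"

BROKEN_CONFIG = f"""
AllowUsers heat-admin tripleo-admin
Match LocalAddress {MIGRATION_ADDR} User nova_migration
    X11Forwarding no
"""

# The fix from the comment: AllowUsers inside the nova_migration Match block.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "    X11Forwarding no",
    "    AllowUsers nova_migration\n    X11Forwarding no",
)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        ok = user_allowed(cfg, "nova_migration", MIGRATION_ADDR)
        state = "allowed" if ok else "denied"
        print(f"{label}: nova_migration from {MIGRATION_ADDR} -> {state}")
```

On a real compute node the equivalent check is sshd's extended test mode, `sshd -T -C user=nova_migration,host=<peer host>,addr=<peer address>,laddr=172.16.1.34`, which evaluates the Match blocks for that connection and lists the effective `allowusers` entries; if `nova_migration` is absent from that list while any `allowusers` entry is present, the migration SSH connection will be rejected with the "Too many authentication failures" symptom seen in the log above.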