[image based provisioning] SSH allows password authorization on image provisioned nodes

Bug #1413690 reported by Miroslav Anashkin
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Fuel for OpenStack | Fix Released | Critical | Alexander Gordeev | |
| 6.0.x | Fix Committed | Critical | Alexander Gordeev | |
| 6.1.x | Fix Released | Critical | Alexander Gordeev | |

Bug Description

Nodes provisioned from image have SSH password authorization turned on.

Please turn off password authorization for such nodes.

Miroslav Anashkin (manashkin) wrote :

Workaround:

How to fix wrong SSH settings on image provisioned nodes:

On master node as root:

1. Unpack initramfs.img

# `cp /var/www/nailgun/bootstrap/initramfs.img ./`
# `mkdir initramfs`
# `cd initramfs/`
# `cat ../initramfs.img | gunzip | cpio -imudv`

2. Make your changes to internal initramfs files as root

Edit these files:
./initramfs/usr/share/fuel-agent/cloud-init-templates/cloud_config_ubuntu.jinja2
./initramfs/usr/share/fuel-agent/cloud-init-templates/cloud_config_centos.jinja2

Change

ssh_pwauth: true

parameter to false and save the file.

3. Assemble new initramfs.img

# `cd initramfs/` (or wherever you unpacked it)
# `find . -xdev | cpio --create --format='newc' | gzip -9 > ../initramfs.img.updated`

4. Install updated initramfs.img

# `rm /var/lib/tftpboot/images/bootstrap/initramfs.img`
# `rm /var/www/nailgun/bootstrap/initramfs.img`
# `rm /var/www/cobbler/images/bootstrap/initramfs.img`

# `cp ../initramfs.img.updated /var/www/nailgun/bootstrap/initramfs.img`
# `chmod +r /var/www/nailgun/bootstrap/initramfs.img`

# `dockerctl shell cobbler`
# `cobbler sync`
# `exit`
# `dockerctl restart nailgun`
# `dockerctl restart nginx`
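
An added example, not part of the original comment or of Fuel's code: a POSIX shell check that audits the cloud-init templates in an unpacked initramfs for `ssh_pwauth` and sets it to `false`, so step 2 can be verified before the image is reassembled. The function names are hypothetical, the template directory is the one named in the workaround above, and treating `yes`/`on`/`1` as enabled is a conservative assumption.

```shell
#!/bin/sh
# Added example (not Fuel code). Function names are hypothetical.
# Template directory as given in the workaround on this page.
TEMPLATE_DIR=usr/share/fuel-agent/cloud-init-templates

# Print the ssh_pwauth state of one template: enabled, disabled, unset or unknown.
pwauth_state() {
    # Take the last uncommented ssh_pwauth key; drop comments, quotes and case.
    value=$(sed -n 's/^[[:space:]]*ssh_pwauth[[:space:]]*:[[:space:]]*//p' "$1" |
            tail -n 1 | sed -e 's/#.*$//' -e 's/[[:space:]]*$//' |
            tr -d "\"'" | tr 'A-Z' 'a-z')
    case "$value" in
        true|yes|on|1)  echo enabled ;;   # assumption: treat all truthy spellings as on
        false|no|off|0) echo disabled ;;
        '')             echo unset ;;
        *)              echo unknown ;;   # e.g. a Jinja2 expression
    esac
}

# Report every cloud_config_*.jinja2 under ROOT ($1).
# Returns 0 only if all templates explicitly disable password auth.
audit_ssh_pwauth() {
    rc=0
    for f in "$1/$TEMPLATE_DIR"/cloud_config_*.jinja2; do
        [ -f "$f" ] || { echo "no templates under $1/$TEMPLATE_DIR" >&2; return 2; }
        state=$(pwauth_state "$f")
        echo "$state $f"
        [ "$state" = disabled ] || rc=1
    done
    return "$rc"
}

# Set every uncommented ssh_pwauth key to false (indentation kept), then re-audit
# so a template that lacks the key still fails the check.
fix_ssh_pwauth() {
    for f in "$1/$TEMPLATE_DIR"/cloud_config_*.jinja2; do
        [ -f "$f" ] || continue
        sed 's/^\([[:space:]]*ssh_pwauth[[:space:]]*:\).*$/\1 false/' "$f" > "$f.tmp" &&
            cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    done
    audit_ssh_pwauth "$1"
}

# Usage: sh check_pwauth.sh ./initramfs   (audit only; call fix_ssh_pwauth to change)
[ -z "${1:-}" ] || audit_ssh_pwauth "$1"
```

A template reported as `unset` or `unknown` is left for manual review rather than rewritten, which is why the audit fails on it.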

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (master)

Fix proposed to branch: master
Review: https://review.openstack.org/149573

Changed in fuel:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (stable/6.0)

Fix proposed to branch: stable/6.0
Review: https://review.openstack.org/149576

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-web (master)

Reviewed: https://review.openstack.org/149573
Committed: https://git.openstack.org/cgit/stackforge/fuel-web/commit/?id=82a9643434113277f50908b160e488cec07b0da7
Submitter: Jenkins
Branch: master

commit 82a9643434113277f50908b160e488cec07b0da7
Author: Alexander Gordeev <email address hidden>
Date: Fri Jan 23 14:14:42 2015 +0300

    Disable SSH password auth for IBP provisioned nodes

    SSH password authentication was enabled in cloud-config.
    Setting it to `false`.

    Change-Id: I7311006d6c050423ff31923310c5f9de8519788d
    Closes-Bug: #1413690

Changed in fuel:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-web (stable/6.0)

Reviewed: https://review.openstack.org/149576
Committed: https://git.openstack.org/cgit/stackforge/fuel-web/commit/?id=2e7914200d4fb68519e1eb8b34c89d01e98b2f98
Submitter: Jenkins
Branch: stable/6.0

commit 2e7914200d4fb68519e1eb8b34c89d01e98b2f98
Author: Alexander Gordeev <email address hidden>
Date: Fri Jan 23 14:14:42 2015 +0300

    Disable SSH password auth for IBP provisioned nodes

    SSH password authentication was enabled in cloud-config.
    Setting it to `false`.

    Change-Id: I7311006d6c050423ff31923310c5f9de8519788d
    Closes-Bug: #1413690

tags: added: image-based provision
Dmitry Tyzhnenko (dtyzhnenko) wrote :

Verified on ISO 6.1-216


This report contains Public Security information  
Everyone can see this security related information.
