Bad ssh configuration is generated on compute nodes if one of the migration networks is missing

Bug #1688308 reported by Alex Schultz
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Oliver Walsh
Milestone: (none)

Bug Description

https://review.openstack.org/#/c/458077/19/manifests/profile/base/nova.pp@187

If either NovaLibvirtNetwork or NovaColdMigrationNetwork is missing, the code results in blocking an operator from being able to ssh into the node as heat-admin. We should improve the checks to ensure that we don't generate a bad ssh configuration.

Oliver Walsh (owalsh)
Changed in tripleo:
assignee: nobody → Oliver Walsh (owalsh)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/462765

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/462765
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=05e696c62d02ef64180d611413ae10f0418c002a
Submitter: Jenkins
Branch: master

commit 05e696c62d02ef64180d611413ae10f0418c002a
Author: Oliver Walsh <email address hidden>
Date: Fri May 5 01:30:21 2017 +0100

    Handle duplicate/invalid entries in migration SSH inbound addresses

    An error (e.g. a typo) in a custom tripleo-heat-templates environment
    file could lead to an invalid match block in /etc/ssh/sshd_config.
    SSH fails-safe and refuses all logins in this case.

    This change validates the migration_ssh_localaddrs parameter is an
    array of IP addresses and removes any duplicate entries.

    Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
    Closes-Bug: #1688308
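
The validation this commit message describes, sketched in Python as an added example (it is not puppet-tripleo's Puppet code). The function names, the `Match LocalAddress` layout and the sample directive are assumptions made for illustration.

```python
import ipaddress


def normalize_localaddrs(addrs):
    """Validate and de-duplicate a list of IP address strings.

    Raises ValueError on the first entry that is not a plain IPv4/IPv6
    address, so a typo stops the run instead of reaching sshd_config.
    """
    if not isinstance(addrs, (list, tuple)):
        raise ValueError("expected a list of addresses, got %r" % (addrs,))
    seen = set()
    result = []
    for raw in addrs:
        if not isinstance(raw, str):
            raise ValueError("not a string: %r" % (raw,))
        ip = ipaddress.ip_address(raw.strip())  # ValueError if invalid
        if ip not in seen:  # also folds equivalent IPv6 spellings together
            seen.add(ip)
            result.append(str(ip))
    return result


def render_match_block(addrs, settings):
    """Return the Match block text, or "" when there is nothing to match.

    Emitting no block for an empty list avoids a criterion with no
    pattern, which sshd would reject along with the rest of the file.
    """
    addrs = normalize_localaddrs(addrs)
    if not addrs:
        return ""
    lines = ["Match LocalAddress " + ",".join(addrs)]
    lines += ["    " + s for s in settings]
    return "\n".join(lines) + "\n"


# Constructed sample values, not taken from the bug report.
SAMPLE_SETTINGS = ["AllowUsers migration_user"]
SAMPLE_ADDRS = ["172.17.0.10", "172.18.0.10", "172.17.0.10"]

if __name__ == "__main__":
    print(render_match_block(SAMPLE_ADDRS, SAMPLE_SETTINGS), end="")
```

Running `sshd -t -f <file>` against the rendered configuration before reloading the daemon catches any remaining syntax error while the old configuration is still in effect.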

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 7.1.0

This issue was fixed in the openstack/puppet-tripleo 7.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/510791

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/510799

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/ocata)

Reviewed: https://review.openstack.org/510791
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=3d36307bcb2a75933945f5ab5d4241d0e6051cce
Submitter: Jenkins
Branch: stable/ocata

commit 3d36307bcb2a75933945f5ab5d4241d0e6051cce
Author: Oliver Walsh <email address hidden>
Date: Fri May 5 01:30:21 2017 +0100

    Handle duplicate/invalid entries in migration SSH inbound addresses

    An error (e.g. a typo) in a custom tripleo-heat-templates environment
    file could lead to an invalid match block in /etc/ssh/sshd_config.
    SSH fails-safe and refuses all logins in this case.

    This change validates the migration_ssh_localaddrs parameter is an
    array of IP addresses and removes any duplicate entries.

    Ica3f79d6d0cfae446e276172146f3a9407f2971f requires this to remove
    duplicates.

    Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
    Closes-Bug: #1688308
    (cherry picked from commit 05e696c62d02ef64180d611413ae10f0418c002a)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/newton)

Reviewed: https://review.openstack.org/510799
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=04db75783624ba52185e34fcff3959dc8d8f24ce
Submitter: Jenkins
Branch: stable/newton

commit 04db75783624ba52185e34fcff3959dc8d8f24ce
Author: Oliver Walsh <email address hidden>
Date: Fri May 5 01:30:21 2017 +0100

    Handle duplicate/invalid entries in migration SSH inbound addresses

    An error (e.g. a typo) in a custom tripleo-heat-templates environment
    file could lead to an invalid match block in /etc/ssh/sshd_config.
    SSH fails-safe and refuses all logins in this case.

    This change validates the migration_ssh_localaddrs parameter is an
    array of IP addresses and removes any duplicate entries.

    Ica3f79d6d0cfae446e276172146f3a9407f2971f requires this to remove
    duplicates.

    Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
    Closes-Bug: #1688308
    (cherry picked from commit 05e696c62d02ef64180d611413ae10f0418c002a)
    (cherry picked from commit 3d36307bcb2a75933945f5ab5d4241d0e6051cce)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 5.6.5

This issue was fixed in the openstack/puppet-tripleo 5.6.5 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 6.5.4

This issue was fixed in the openstack/puppet-tripleo 6.5.4 release.
