Bad ssh configuration is generated on compute nodes if one of the migration networks is missing

Bug #1688308 reported by Alex Schultz
This bug affects 1 person
Affects: tripleo
Importance: High
Assigned to: Oliver Walsh

Bug Description

https://review.openstack.org/#/c/458077/19/manifests/profile/base/nova.pp@187

If either NovaLibvirtNetwork or NovaColdMigrationNetwork is missing, the code results in blocking an operator from being able to ssh into the node as heat-admin. We should improve the checks to ensure that we don't generate a bad ssh configuration.

Oliver Walsh (owalsh)
Changed in tripleo:
assignee: nobody → Oliver Walsh (owalsh)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/462765

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/462765
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=05e696c62d02ef64180d611413ae10f0418c002a
Submitter: Jenkins
Branch: master

commit 05e696c62d02ef64180d611413ae10f0418c002a
Author: Oliver Walsh <email address hidden>
Date: Fri May 5 01:30:21 2017 +0100

    Handle duplicate/invalid entries in migration SSH inbound addresses

    An error (e.g. a typo) in a custom tripleo-heat-templates environment
    file could lead to an invalid match block in /etc/ssh/sshd_config.
    SSH fails-safe and refuses all logins in this case.

    This change validates the migration_ssh_localaddrs parameter is an
    array of IP addresses and removes any duplicate entries.

    Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
    Closes-Bug: #1688308

Changed in tripleo:
status: In Progress → Fix Released
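
The validation the merged commit message describes (reject anything that is not an IP address, drop duplicates, and only then write the Match block) can be sketched as follows. This is an added example in Python, not the puppet-tripleo Puppet code; the function names, the directive inside the Match block and the sample addresses are constructed for illustration.

```python
import ipaddress


class InvalidMigrationAddress(ValueError):
    """Raised instead of writing an sshd_config that sshd would reject."""


def normalize_localaddrs(addrs):
    """Validate a migration_ssh_localaddrs-style list and de-duplicate it.

    Every entry must parse as an IPv4/IPv6 address. Duplicates are removed
    after normalization, so two spellings of one IPv6 address collapse.
    """
    if not isinstance(addrs, (list, tuple)):
        raise InvalidMigrationAddress(
            f"expected a list of addresses, got {type(addrs).__name__}")
    seen, result = set(), []
    for raw in addrs:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except (ValueError, AttributeError) as exc:
            # Empty string, typo, hostname, None, integer: fail the run here,
            # before a broken Match line can reach /etc/ssh/sshd_config.
            raise InvalidMigrationAddress(f"not an IP address: {raw!r}") from exc
        if ip not in seen:
            seen.add(ip)
            result.append(str(ip))
    return result


def render_match_block(addrs):
    """Return the Match block text, or '' when there is nothing to match."""
    clean = normalize_localaddrs(addrs)
    if not clean:
        return ""  # emit no block at all rather than an empty criterion
    # Constructed block body; the real template's directives are not shown on this page.
    return f"Match LocalAddress {','.join(clean)}\n    PasswordAuthentication no\n"


if __name__ == "__main__":
    # Constructed inputs: both networks resolve to one address, then a blank entry.
    print(render_match_block(["172.17.0.12", "172.17.0.12"]), end="")
    try:
        render_match_block(["172.17.0.12", ""])
    except InvalidMigrationAddress as err:
        print("rejected:", err)
```

Running `sshd -t` against the generated file before reloading the daemon catches any remaining syntax error while the existing sessions are still usable.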
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 7.1.0

This issue was fixed in the openstack/puppet-tripleo 7.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/510791

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/510799

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/ocata)

Reviewed: https://review.openstack.org/510791
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=3d36307bcb2a75933945f5ab5d4241d0e6051cce
Submitter: Jenkins
Branch: stable/ocata

commit 3d36307bcb2a75933945f5ab5d4241d0e6051cce
Author: Oliver Walsh <email address hidden>
Date: Fri May 5 01:30:21 2017 +0100

    Handle duplicate/invalid entries in migration SSH inbound addresses

    An error (e.g. a typo) in a custom tripleo-heat-templates environment
    file could lead to an invalid match block in /etc/ssh/sshd_config.
    SSH fails-safe and refuses all logins in this case.

    This change validates the migration_ssh_localaddrs parameter is an
    array of IP addresses and removes any duplicate entries.

    Ica3f79d6d0cfae446e276172146f3a9407f2971f requires this to remove
    duplicates.

    Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
    Closes-Bug: #1688308
    (cherry picked from commit 05e696c62d02ef64180d611413ae10f0418c002a)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/newton)

Reviewed: https://review.openstack.org/510799
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=04db75783624ba52185e34fcff3959dc8d8f24ce
Submitter: Jenkins
Branch: stable/newton

commit 04db75783624ba52185e34fcff3959dc8d8f24ce
Author: Oliver Walsh <email address hidden>
Date: Fri May 5 01:30:21 2017 +0100

    Handle duplicate/invalid entries in migration SSH inbound addresses

    An error (e.g. a typo) in a custom tripleo-heat-templates environment
    file could lead to an invalid match block in /etc/ssh/sshd_config.
    SSH fails-safe and refuses all logins in this case.

    This change validates the migration_ssh_localaddrs parameter is an
    array of IP addresses and removes any duplicate entries.

    Ica3f79d6d0cfae446e276172146f3a9407f2971f requires this to remove
    duplicates.

    Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
    Closes-Bug: #1688308
    (cherry picked from commit 05e696c62d02ef64180d611413ae10f0418c002a)
    (cherry picked from commit 3d36307bcb2a75933945f5ab5d4241d0e6051cce)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 5.6.5

This issue was fixed in the openstack/puppet-tripleo 5.6.5 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 6.5.4

This issue was fixed in the openstack/puppet-tripleo 6.5.4 release.
