Remote ssh administration user creation not working with split stack

Bug #1708180 reported by Jiří Stránský on 2017-08-02
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
High
John Fulton

Bug Description

Validations, ceph-ansible and k8s installation depend on having a user that they can ssh as. Until now we've been reusing the heat-admin user for this, but that approach only works with envs that created the overcloud via Nova. On split stack, we cannot make any assumption about existing users, so we have to create a new one.

Changed in tripleo:
assignee: nobody → Jiří Stránský (jistr)
status: Triaged → In Progress
Bogdan Dobrelya (bogdando) wrote :

@jistr, PTAL the approach I took to parametrize a user and a key in this patch https://review.openstack.org/#/c/463701/

Changed in tripleo:
assignee: Jiří Stránský (jistr) → John Fulton (jfulton-org)

Reviewed: https://review.openstack.org/489613
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=77dbe9295b282c54aab65c6b9815a575ce29a49c
Submitter: Jenkins
Branch: master

commit 77dbe9295b282c54aab65c6b9815a575ce29a49c
Author: Jiri Stransky <email address hidden>
Date: Mon Jul 31 15:27:41 2017 +0200

    Allow tripleo-admin creation both for Nova-managed and split-stack

    When we deploy with split-stack, we can no longer count on the
    heat-admin user existing, as all the methods that we currently use to
    create it depend on provisioning overcloud with Nova.

    Previously the ssh access on the overcloud for administrative
    tasks (manual vs. automated) was as follows for the two deployment
    scenarios (Nova+Ironic vs. Split Stack):

    +-----------+---------------+------------------+
    | | Nova + Ironic | Split Stack |
    +-----------+---------------+------------------+
    | manual | heat-admin | (differs by env) |
    +-----------+---------------+------------------+
    | automated | heat-admin | N/A |
    +-----------+---------------+------------------+

    With this patch we'd start moving towards:

    +-----------+---------------+------------------+
    | | Nova + Ironic | Split Stack |
    +-----------+---------------+------------------+
    | manual | heat-admin | (differs by env) |
    +-----------+---------------+------------------+
    | automated | tripleo-admin | tripleo-admin |
    +-----------+---------------+------------------+

    I haven't reused the heat-admin name, as that is discontinued even in
    Heat, and using this name would be confusing, because our usage of the
    admin user has nothing to do with Heat really. We just originally
    reused heat-admin for validations because it already existed. (Should
    anyone wish to keep using heat-admin also for Mistral automated tasks,
    they can set overcloud_admin parameter of the workflow.)

    By default the new workflow initializes the tripleo-admin user the
    Nova way, and no parameters are required. However, when the workflow
    gets ssh_user, ssh_private_key, and ssh_servers parameters, it does
    the initialization using the provided ssh connection instead of trying
    to look up servers in Nova. This makes it possible to use the workflow
    for Split Stack environments too.

    Closes-Bug: #1708180
    Change-Id: Ibe8e54f7b38d8c6c8d944d2b13f0eed004c34c4c

Changed in tripleo:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/490458
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=507bed1da9fb9288b8ddcff5535b56710ac43d5f
Submitter: Jenkins
Branch: master

commit 507bed1da9fb9288b8ddcff5535b56710ac43d5f
Author: Jiri Stransky <email address hidden>
Date: Thu Aug 3 14:23:27 2017 +0200

    Add script to create tripleo-admin on deployed servers

    When using deployed servers, we want to create a standard
    tripleo-admin user for Mistral's ssh tasks (e.g. running Ansible on
    overcloud). This script wraps the respective Mistral workflow.

    Change-Id: I2de698b4aae07f74569243a9e7c1c56eb578e700
    Related-Bug: #1708180
    Depends-On: Ibe8e54f7b38d8c6c8d944d2b13f0eed004c34c4c

Reviewed: https://review.openstack.org/490470
Committed: https://git.openstack.org/cgit/openstack/tripleo-quickstart-extras/commit/?id=0941ec4652f83dfea77a43b7e88f840b916035af
Submitter: Jenkins
Branch: master

commit 0941ec4652f83dfea77a43b7e88f840b916035af
Author: Jiri Stransky <email address hidden>
Date: Thu Aug 3 15:07:35 2017 +0200

    Create tripleo-admin user on deployed servers

    This user is necessary for automated admin access (e.g. Ansible) to
    the overcloud nodes.

    Change-Id: I2b67e578c8d718a53cfeeee2b5d391233efae05e
    Depends-On: Ie486b918c100c8cccdc57c74e35e09a9a213787e
    Depends-On: I2de698b4aae07f74569243a9e7c1c56eb578e700
    Related-Bug #1708180

This issue was fixed in the openstack/tripleo-common 7.5.0 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers