ssh_known_hosts changes are not propagated to running containers

Bug #1810932 reported by Oliver Walsh on 2019-01-08
Affects: tripleo
Importance: High
Assigned to: Oliver Walsh

Bug Description

More info in https://bugzilla.redhat.com/show_bug.cgi?id=1664165, https://github.com/ansible/ansible/issues/20633, and https://github.com/moby/moby/issues/15793.

Ansible attempts atomic updates of files (copy, modify, then mv on top of the original). The unsafe_writes option does not alter this (only applies if the atomic update fails).

As a result, altering a file using the copy or lineinfile Ansible module will change the inode of the target, and the changes are not reflected in running containers that bind-mount the file.

This results in missing /etc/ssh/ssh_known_hosts entries in the nova_compute and nova_libvirt containers after scaling up the compute nodes, and live migration (unless TLS is used) or cold migration fails with an SSH host key verification error.
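The mechanism described in the report, as an added example that is not code from the bug report or from tripleo-common. A hard link stands in for the container's bind mount, since both pin an inode rather than a path; the working directory, file names and host-key lines are constructed for the demo. atomic_update imitates the write-temp-then-rename behaviour of Ansible's copy and lineinfile modules, and inplace_update is the copy, edit the copy, clobber the original pattern the fix's commit message describes (written here from that description, not copied from the project's tasks).

```bash
#!/usr/bin/env bash
# Added example, not from the bug report or tripleo-common.
# Shows why a rename-based update hides the change from a bind-mounted
# view of the file, and why writing back into the original inode does not.
# A hard link plays the role of the container's bind mount.
set -eu

WORKDIR="$(mktemp -d)"                    # constructed scratch area
HOST_FILE="$WORKDIR/ssh_known_hosts"      # the file Ansible edits on the host
CONTAINER_VIEW="$WORKDIR/container_view"  # stands in for the bind mount
trap 'rm -rf "$WORKDIR"' EXIT

# Inode number of a path (ls -i is portable; GNU stat -c %i works too).
inode_of() { ls -i "$1" | awk '{print $1}'; }

# Fresh start: one known host, and the "container" pinned to its inode.
setup() {
    printf '%s\n' 'compute-0 ssh-ed25519 AAAAexamplekey0' > "$HOST_FILE"
    ln -f "$HOST_FILE" "$CONTAINER_VIEW"
}

# Rename-based update, the way Ansible copy/lineinfile write the target:
# build the new content in a temp file, then mv it over the original.
atomic_update() {
    local target="$1" line="$2" tmp
    tmp="$(mktemp "${target}.XXXXXX")"
    cat "$target" > "$tmp"
    printf '%s\n' "$line" >> "$tmp"
    mv -f "$tmp" "$target"          # $target now names a different inode
}

# The workaround: edit a scratch copy, then clobber the original in place.
inplace_update() {
    local target="$1" line="$2" tmp
    tmp="$(mktemp "${target}.XXXXXX")"
    cat "$target" > "$tmp"
    printf '%s\n' "$line" >> "$tmp"
    cat "$tmp" > "$target"          # truncate + rewrite: same inode
    rm -f "$tmp"
}

# 0 if the bind-mounted view contains the given host key entry.
container_sees() { grep -qF -- "$1" "$CONTAINER_VIEW"; }

# Each returns 0 if the container sees the newly added host after the update.
after_atomic_update() {
    setup
    atomic_update "$HOST_FILE" 'compute-1 ssh-ed25519 AAAAexamplekey1'
    container_sees 'compute-1'
}

after_inplace_update() {
    setup
    inplace_update "$HOST_FILE" 'compute-1 ssh-ed25519 AAAAexamplekey1'
    container_sees 'compute-1'
}

# 0 if the given updater left the host file on its original inode.
keeps_inode() {
    local updater="$1" before after
    setup
    before="$(inode_of "$HOST_FILE")"
    "$updater" "$HOST_FILE" 'compute-1 ssh-ed25519 AAAAexamplekey1'
    after="$(inode_of "$HOST_FILE")"
    [ "$before" = "$after" ]
}

main() {
    local updater seen
    for updater in atomic_update inplace_update; do
        setup
        "$updater" "$HOST_FILE" 'compute-1 ssh-ed25519 AAAAexamplekey1'
        if container_sees 'compute-1'; then seen=yes; else seen=no; fi
        printf '%-15s host inode %s, container inode %s, compute-1 visible in container: %s\n' \
            "$updater" "$(inode_of "$HOST_FILE")" "$(inode_of "$CONTAINER_VIEW")" "$seen"
    done
}

main "$@"
```

Run it as a plain script: the atomic_update line reports two different inodes and "visible in container: no", the inplace_update line reports the same inode twice and "yes". Two caveats a practitioner should keep in mind. First, the in-place write is not atomic: a client inside the container that opens ssh_known_hosts during the `cat "$tmp" > "$target"` window can read a truncated file, which with strict host key checking fails closed (the same host key verification error, briefly) rather than open. Second, the unsafe_writes module option does not help here, because it only takes effect when the atomic rename itself fails; it does not make Ansible prefer an in-place write.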

Oliver Walsh (owalsh) on 2019-01-08
tags: added: queens-backport-potential

Reviewed: https://review.openstack.org/629076
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=ca60b82be840a91e76a965438f0cdd35c9a2baca
Submitter: Zuul
Branch: master

commit ca60b82be840a91e76a965438f0cdd35c9a2baca
Author: Oliver Walsh <email address hidden>
Date: Tue Jan 8 00:53:01 2019 +0000

    Workaround ssh_known_hosts changes not being propagated to containers

    We need an in-place update of /etc/ssh/ssh_known_hosts for the changes to be
    visible to running containers. This works around the issue until we have a
    better long-term solution - make a copy, update using lineinfile, then
    clobber the original file.

    Closes-bug: #1810932
    Change-Id: Ie6af5908d4b79bad094bce31e8e853678c0e843c

Changed in tripleo:
status: In Progress → Fix Released
tags: added: pike-backport-potential
Oliver Walsh (owalsh) wrote:

Don't have config-download in pike (and it's non-default in queens, but worth fixing).

tags: removed: pike-backport-potential

Reviewed: https://review.openstack.org/629370
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=0077402bbbb79ca97af19452f8b60a57d2219fc6
Submitter: Zuul
Branch: stable/rocky

commit 0077402bbbb79ca97af19452f8b60a57d2219fc6
Author: Oliver Walsh <email address hidden>
Date: Tue Jan 8 00:53:01 2019 +0000

    Workaround ssh_known_hosts changes not being propagated to containers

    We need an in-place update of /etc/ssh/ssh_known_hosts for the changes to be
    visible to running containers. This works around the issue until we have a
    better long-term solution - make a copy, update using lineinfile, then
    clobber the original file.

    Closes-bug: #1810932
    Change-Id: Ie6af5908d4b79bad094bce31e8e853678c0e843c
    (cherry picked from commit ca60b82be840a91e76a965438f0cdd35c9a2baca)

tags: added: in-stable-rocky

This issue was fixed in the openstack/tripleo-common 10.3.0 release.

This issue was fixed in the openstack/tripleo-common 9.5.0 release.

Reviewed: https://review.opendev.org/660585
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=83c08960e88e85100f0ddbe7902fe907a003ee3a
Submitter: Zuul
Branch: stable/queens

commit 83c08960e88e85100f0ddbe7902fe907a003ee3a
Author: Oliver Walsh <email address hidden>
Date: Tue Jan 8 00:53:01 2019 +0000

    Workaround ssh_known_hosts changes not being propagated to containers

    We need an in-place update of /etc/ssh/ssh_known_hosts for the changes to be
    visible to running containers. This works around the issue until we have a
    better long-term solution - make a copy, update using lineinfile, then
    clobber the original file.

    Closes-bug: #1810932
    Change-Id: Ie6af5908d4b79bad094bce31e8e853678c0e843c
    (cherry picked from commit ca60b82be840a91e76a965438f0cdd35c9a2baca)
    (cherry picked from commit 0077402bbbb79ca97af19452f8b60a57d2219fc6)

tags: added: in-stable-queens

This issue was fixed in the openstack/tripleo-common 8.7.0 release.
