ssh_known_hosts changes are not propagated to running containers

Bug #1810932 reported by Oliver Walsh
This bug affects 1 person

Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Oliver Walsh
Milestone: (not set)

Bug Description

More info in https://bugzilla.redhat.com/show_bug.cgi?id=1664165, https://github.com/ansible/ansible/issues/20633, and https://github.com/moby/moby/issues/15793.

Ansible attempts atomic updates of files (copy, modify, then mv on top of the original). The unsafe_writes option does not alter this (it only applies if the atomic update fails).

As a result, altering a file using the copy or lineinfile ansible module will change the inode of the target, and the changes are not reflected in running containers that bind-mount the file.

This results in missing /etc/ssh/ssh_known_hosts entries in the nova_compute and nova_libvirt containers after scaling up the compute nodes, and live_migration (unless TLS) or cold-migration fails with an ssh host key verification error.

Oliver Walsh (owalsh)
tags: added: queens-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (master)

Reviewed: https://review.openstack.org/629076
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=ca60b82be840a91e76a965438f0cdd35c9a2baca
Submitter: Zuul
Branch: master

commit ca60b82be840a91e76a965438f0cdd35c9a2baca
Author: Oliver Walsh <email address hidden>
Date: Tue Jan 8 00:53:01 2019 +0000

    Workaround ssh_known_hosts changes not being propagated to containers

    We need an in-place update of /etc/ssh/ssh_known_hosts for the changes to be
    visible to running containers. This works around the issue until we have a
    better long-term solution - make a copy, update using lineinfile, then
    clobber the original file.

    Closes-bug: #1810932
    Change-Id: Ie6af5908d4b79bad094bce31e8e853678c0e843c

Changed in tripleo:
status: In Progress → Fix Released
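The inode behaviour described in the bug report and the copy, edit, clobber workaround described in the commit message above, as an added example that is not code from the bug report, from tripleo-common or from Ansible. A hard link stands in for the container's bind mount, since both pin a path to an inode at link/mount time; the ssh_known_hosts contents, host names and key strings are constructed placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from tripleo-common.
# A hard link models a container's bind mount: both resolve to the same
# inode when created, so what the "container view" sees after an update
# depends on whether the update rewrote that inode or replaced the
# directory entry with a new one.
set -eu

inode_of() {
  ls -i "$1" | awk '{print $1}'
}

# Ansible copy/lineinfile style: write a temp file, then mv it over the
# target. The path now names a new inode; anything pinned to the old
# inode keeps the old content.
atomic_replace() {
  target=$1; line=$2
  tmp="$target.tmp.$$"
  cat "$target" > "$tmp"
  printf '%s\n' "$line" >> "$tmp"
  mv -f "$tmp" "$target"
}

# Workaround style from the fix description: edit a copy, then clobber
# the original in place. The redirection truncates and rewrites the
# existing inode, so views pinned to it see the new content.
inplace_update() {
  target=$1; line=$2
  tmp="$target.tmp.$$"
  cat "$target" > "$tmp"
  printf '%s\n' "$line" >> "$tmp"
  cat "$tmp" > "$target"
  rm -f "$tmp"
}

# Prints "seen" or "missing" depending on whether the view contains $2.
view_has() {
  if grep -qF -- "$2" "$1"; then echo seen; else echo missing; fi
}

# Runs both update styles against a constructed ssh_known_hosts file and
# prints one summary line. Host keys are placeholders, not real keys.
demo() {
  dir=$(mktemp -d)
  hostfile="$dir/ssh_known_hosts"
  view="$dir/container_view"
  printf '%s\n' 'compute-0 ssh-ed25519 AAAAC3placeholder' > "$hostfile"
  ln "$hostfile" "$view"
  before=$(inode_of "$hostfile")

  atomic_replace "$hostfile" 'compute-1 ssh-ed25519 AAAAC3placeholder'
  r1=$(view_has "$view" compute-1)
  i1=$( [ "$(inode_of "$hostfile")" = "$before" ] && echo same || echo changed )

  # Re-link the view to the current inode, as a container restart would.
  rm -f "$view"; ln "$hostfile" "$view"
  before=$(inode_of "$hostfile")

  inplace_update "$hostfile" 'compute-2 ssh-ed25519 AAAAC3placeholder'
  r2=$(view_has "$view" compute-2)
  i2=$( [ "$(inode_of "$hostfile")" = "$before" ] && echo same || echo changed )

  rm -rf "$dir"
  echo "atomic_replace: inode $i1, new entry $r1; inplace_update: inode $i2, new entry $r2"
}

demo
```

Run it with sh. The first half shows the mv-style replacement leaving the pinned view stale behind a new inode; the second shows the in-place clobber keeping the inode so the new entry is visible. The same check applies on a real compute node: compare the inode of /etc/ssh/ssh_known_hosts on the host with the one seen inside the container after a scale-up, and a mismatch means the container is still reading the pre-update file.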
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/629370

tags: added: pike-backport-potential
Revision history for this message
Oliver Walsh (owalsh) wrote :

Don't have config-download in pike (and it's non-default in queens, but worth fixing).

tags: removed: pike-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/rocky)

Reviewed: https://review.openstack.org/629370
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=0077402bbbb79ca97af19452f8b60a57d2219fc6
Submitter: Zuul
Branch: stable/rocky

commit 0077402bbbb79ca97af19452f8b60a57d2219fc6
Author: Oliver Walsh <email address hidden>
Date: Tue Jan 8 00:53:01 2019 +0000

    Workaround ssh_known_hosts changes not being propagated to containers

    We need an in-place update of /etc/ssh/ssh_known_hosts for the changes to be
    visible to running containers. This works around the issue until we have a
    better long-term solution - make a copy, update using lineinfile, then
    clobber the original file.

    Closes-bug: #1810932
    Change-Id: Ie6af5908d4b79bad094bce31e8e853678c0e843c
    (cherry picked from commit ca60b82be840a91e76a965438f0cdd35c9a2baca)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 10.3.0

This issue was fixed in the openstack/tripleo-common 10.3.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 9.5.0

This issue was fixed in the openstack/tripleo-common 9.5.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/660585

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/queens)

Reviewed: https://review.opendev.org/660585
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=83c08960e88e85100f0ddbe7902fe907a003ee3a
Submitter: Zuul
Branch: stable/queens

commit 83c08960e88e85100f0ddbe7902fe907a003ee3a
Author: Oliver Walsh <email address hidden>
Date: Tue Jan 8 00:53:01 2019 +0000

    Workaround ssh_known_hosts changes not being propagated to containers

    We need an in-place update of /etc/ssh/ssh_known_hosts for the changes to be
    visible to running containers. This works around the issue until we have a
    better long-term solution - make a copy, update using lineinfile, then
    clobber the original file.

    Closes-bug: #1810932
    Change-Id: Ie6af5908d4b79bad094bce31e8e853678c0e843c
    (cherry picked from commit ca60b82be840a91e76a965438f0cdd35c9a2baca)
    (cherry picked from commit 0077402bbbb79ca97af19452f8b60a57d2219fc6)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 8.7.0

This issue was fixed in the openstack/tripleo-common 8.7.0 release.
