Comment 0 for bug 1928717

John Fulton (jfulton-org) wrote :

The distribution of the private key should be limited only to mons/mgrs within
a ceph cluster. It should not be distributed to just any server within the ceph
cluster, i.e. hosts in the osd group don't need the private key (having the public
key in authorized_hosts is sufficient).

When ceph-admin-user-playbook.yml [1] calls the tripleo_create_admin role it uses
distribute_private_key=true [2] and a private SSH key to access the mon/mgr nodes
from ceph storage nodes is created [3] unnecessarily.

[1] https://github.com/openstack/tripleo-ansible/blob/master/tripleo_ansible/playbooks/ceph-admin-user-playbook.yml#L59

[2] https://github.com/openstack/tripleo-ansible/commit/3d65bce9b3efdbadacee85b0593f4bdcf917528c

[3]
2021-04-23 17:40:08,434 p=830710 u=stack n=ansible | 2021-04-23 17:40:08.433870 | 24420180-73f1-94e9-9575-000000000028 | TASK | Install private key on nodes for user ceph-admin
2021-04-23 17:40:09,171 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.170774 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-controller-0
2021-04-23 17:40:09,183 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.183393 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-ceph-0
2021-04-23 17:40:09,208 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.208432 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-controller-2
2021-04-23 17:40:09,231 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.230506 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-compute-0
2021-04-23 17:40:09,242 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.242402 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-controller-1
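
An added example, not part of the original comment or of tripleo-ansible: a small audit that reads the Ansible log lines quoted in [3] and reports which hosts received the ceph-admin private key without being on a mon/mgr allowlist. The allowlist (mons/mgrs on the three controller hosts), the treatment of an OK status as "key already present", and the function names are assumptions made for illustration.

```python
import re

# Log lines copied from [3] in the comment above.
SAMPLE_LOG = """\
2021-04-23 17:40:08,434 p=830710 u=stack n=ansible | 2021-04-23 17:40:08.433870 | 24420180-73f1-94e9-9575-000000000028 | TASK | Install private key on nodes for user ceph-admin
2021-04-23 17:40:09,171 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.170774 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-controller-0
2021-04-23 17:40:09,183 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.183393 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-ceph-0
2021-04-23 17:40:09,208 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.208432 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-controller-2
2021-04-23 17:40:09,231 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.230506 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-compute-0
2021-04-23 17:40:09,242 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.242402 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-controller-1
"""

# Assumption: in this deployment the mons/mgrs run on the controller hosts.
ASSUMED_MON_MGR_HOSTS = {"oc0-controller-0", "oc0-controller-1", "oc0-controller-2"}

KEY_TASK = re.compile(r"^Install private key on nodes for user (?P<user>\S+)$")


def hosts_given_private_key(log_text):
    """Return {host: user} for hosts where the key-install task ran.

    CHANGED means the key was written in this run; OK is assumed to mean
    the key was already in place, so the host still holds it.
    """
    holders = {}
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(" | ")]
        if len(fields) != 6:
            continue  # TASK header lines and unrelated output carry no host
        _prefix, _ts, _task_id, status, task, host = fields
        match = KEY_TASK.match(task)
        if match and status in ("CHANGED", "OK"):
            holders[host] = match.group("user")
    return holders


def unexpected_key_holders(log_text, allowed_hosts):
    """Hosts that hold the private key but are not on the mon/mgr allowlist."""
    return sorted(h for h in hosts_given_private_key(log_text) if h not in allowed_hosts)


if __name__ == "__main__":
    for host in unexpected_key_holders(SAMPLE_LOG, ASSUMED_MON_MGR_HOSTS):
        print(f"private key installed on non-mon/mgr host: {host}")
```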