From d4d8114a11df9e38d7c77d565d85c9c3db2f11bc Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Fri, 28 Jul 2023 13:06:06 +0200
Subject: [PATCH] Stop installing openssh and rsync to containers

With fixing keystone role there should be no need in explicitly installing rsync and openssh everywhere.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/889934
Change-Id: I25729462fa6be7953e8ef0687ec4580509c21aaf
---
 defaults/main.yml | 12 ----------
 .../no_sshd_in_lxc-b73334d0c82470b4.yaml | 6 ++++++
 tasks/lxc_cache_preparation.yml | 20 -------------------
 tasks/main.yml | 18 -----------------
 vars/debian.yml | 3 +--
 vars/redhat.yml | 2 --
 6 files changed, 7 insertions(+), 54 deletions(-)
 create mode 100644 releasenotes/notes/no_sshd_in_lxc-b73334d0c82470b4.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index c20fca0f..abfcc50c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -130,18 +130,6 @@ lxc_net6_nat: false
 lxc_kernel_options:
   - { key: 'fs.inotify.max_user_instances', value: 1024 }
 
-lxc_cache_sshd_configuration:
-  - regexp: "^PermitRootLogin"
-    line: "PermitRootLogin prohibit-password"
-  - regexp: "^TCPKeepAlive"
-    line: "TCPKeepAlive yes"
-  - regexp: "^UseDNS"
-    line: "UseDNS no"
-  - regexp: "^X11Forwarding"
-    line: "X11Forwarding no"
-  - regexp: "^PasswordAuthentication"
-    line: "PasswordAuthentication no"
-
 # The compression ratio used when creating the container cache rootfs archive
 lxc_image_compression_ratio: 0
 
diff --git a/releasenotes/notes/no_sshd_in_lxc-b73334d0c82470b4.yaml b/releasenotes/notes/no_sshd_in_lxc-b73334d0c82470b4.yaml
new file mode 100644
index 00000000..3f8e2e63
--- /dev/null
+++ b/releasenotes/notes/no_sshd_in_lxc-b73334d0c82470b4.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    SSHD and rsync are no longer installed or configured for all containers.
+    This also deprecates usage of ``lxc_container_ssh_key`` and variable
+    has no effect any longer.
diff --git a/tasks/lxc_cache_preparation.yml b/tasks/lxc_cache_preparation.yml
index cf165a38..8cf6ec66 100644
--- a/tasks/lxc_cache_preparation.yml
+++ b/tasks/lxc_cache_preparation.yml
@@ -67,18 +67,6 @@
   poll: 0
   register: _lxc_cache_prepare_commands
 
-- name: Obtain the deploy system's ssh public key
-  set_fact:
-    lxc_container_ssh_key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
-  when: lxc_container_ssh_key is not defined
-
-- name: Deploy ssh public key into the cached image
-  lineinfile:
-    dest: "{{ lxc_image_cache_path }}/root/.ssh/authorized_keys"
-    line: "{{ lxc_container_ssh_key }}"
-    create: true
-    mode: "0600"
-
 # NOTE(cloudnull): Wait for the cache preparation script has completed before
 # building the new RootFS
 - name: Ensure that the LXC cache has been prepared
@@ -98,11 +86,3 @@
     src: sudoers.j2
   when:
     - ansible_facts['pkg_mgr'] == 'dnf'
-
-- name: Adjust sshd configuration in container
-  lineinfile:
-    dest: "{{ lxc_image_cache_path }}/etc/ssh/sshd_config"
-    regexp: "{{ item.regexp }}"
-    line: "{{ item.line }}"
-    state: present
-  with_items: "{{ lxc_cache_sshd_configuration }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index a4061793..c93ca640 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -13,24 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Check for the presence of a public key file on the deployment host
-  stat:
-    path: /root/.ssh/id_rsa.pub
-  register: _ssh_key
-  when: lxc_container_ssh_key is undefined
-  delegate_to: localhost
-  tags:
-    - always
-
-- name: Fail if a ssh public key is not set in a var and is not present on the deployment host
-  fail:
-    msg: "Please set the lxc_container_ssh_key variable or ensure that the deployment host has the file /root/.ssh/id_rsa.pub present."
-  when:
-    - lxc_container_ssh_key is undefined
-    - not _ssh_key.stat.exists
-  tags:
-    - always
-
 - name: Gather variables for each operating system
   include_vars: "{{ lookup('first_found', params) }}"
   vars:
diff --git a/vars/debian.yml b/vars/debian.yml
index 673ab2fc..428a5e1e 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -50,10 +50,9 @@ _lxc_cache_distro_packages:
   - libxml2
   - locales
   - netbase
-  - openssh-server
+  - procps # needed for sysctl-container.service
   - python3
   - "{{ _lxc_cache_distro_libpython[ansible_facts['distribution_release'] | lower] }}"
-  - rsync # os_keystone runs serial=1 and uses rsync before the distro packages have been installed on all keystone targets
   - sudo
   - systemd
   - systemd-sysv
diff --git a/vars/redhat.yml b/vars/redhat.yml
index aab795e9..bb3c99d6 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -46,12 +46,10 @@ _lxc_cache_distro_packages:
   - iputils
   - iproute
   - libxml2
-  - openssh-server
   - policycoreutils
   - procps
   - python3
   - python3-libs
-  - rsync # os_keystone runs serial=1 and uses rsync before the distro packages have been installed on all keystone targets
   - setup
   - sudo
   - systemd
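Review bot: The added `procps` entry in vars/debian.yml puts only one space between the value and its inline comment, which yamllint's default `comments` rule rejects; write `  - procps  # needed for sysctl-container.service`. Beyond style, this hunk and the matching one in vars/redhat.yml remove `openssh-server` from the cached image in the same commit that deletes the `lxc_cache_sshd_configuration` defaults (PermitRootLogin prohibit-password, PasswordAuthentication no) and the task that applied them, so a deployer who puts `openssh-server` back into the container package list — if the role still allows that, which this diff does not show — will get the distribution's stock sshd_config with none of those restrictions. That consequence is not mentioned in the release note, which only covers `lxc_container_ssh_key`; a sentence such as "Deployers who re-add openssh-server to containers must now manage sshd_config themselves" would make the change safe to upgrade through.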