From e0c8cfc43cf33e9d0dc893dc2618dbd2a5750cd3 Mon Sep 17 00:00:00 2001 From: Andy McCrae Date: Thu, 9 Jul 2015 11:10:09 +0100 Subject: [PATCH] Adjust key distribution mechanism for Swift In preparation for Swift global cluster we need a solution that moves away from a centralised "memcache" server as a distribution mechanism, since we can't guarantee that all swift hosts will have access to one memcache server. This patch uses ansible variables (which were already being set) as the distribution mechanism so that the authorized_keys file can be generated by using the ansible variables set for each host as part of the tasks. Additionally this moves away from using "shell" commands to generate the key and adjust the authorized_keys file and instead uses the built in ansible "authorized_keys" module as well as the built in "generate_ssh_key" option for the "user" module. Finally this adds a "swift_recreate_keys" option which can be set to "True" in order to recreate all the swift keys, and recreate the authorized_keys file. This was happening on every run and will now not happen by default, unless the variable is set to "True". Change-Id: Ic4eb05042244c32050233e1445633d5731f9603b Partially-Implements: blueprint multi-region-swift --- defaults/main.yml | 2 + tasks/swift_key_create.yml | 74 ------------------- tasks/swift_key_distribute.yml | 21 ++---- ...t_key_store.yml => swift_key_populate.yml} | 27 ++++--- tasks/swift_key_setup.yml | 12 +-- tasks/swift_pre_install.yml | 16 ++++ 6 files changed, 39 insertions(+), 113 deletions(-) delete mode 100644 tasks/swift_key_create.yml rename tasks/{swift_key_store.yml => swift_key_populate.yml} (57%) diff --git a/defaults/main.yml b/defaults/main.yml index 5152ac06..5cefef63 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -72,6 +72,8 @@ swift_default_drive_weight: 100 swift_allow_versions: True # This will allow all users to create containers and upload to swift if set to True swift_allow_all_users: False +# If you want to regenerate the swift keys, on a run, for rsync purposes set this var to True otherwise keys will be generated on the first run and not regenerated each run. +swift_recreate_keys: False swift_account_server_program_config_options: /etc/swift/account-server/account-server.conf swift_account_replicator_program_config_options: /etc/swift/account-server/account-server-replicator.conf diff --git a/tasks/swift_key_create.yml b/tasks/swift_key_create.yml deleted file mode 100644 index fd8cf342..00000000 --- a/tasks/swift_key_create.yml +++ /dev/null 
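Review bot: The new comment above `swift_recreate_keys` is one roughly 150-character line with the clauses in an awkward order, which the rest of defaults/main.yml avoids; wrap it as `# Set to True to delete and regenerate the swift SSH keys (used for rsync` / `# between swift hosts) and the authorized_keys file on a run. Otherwise keys` / `# are generated on the first run only and left untouched afterwards.` The `False` value itself follows the `True`/`False` spelling already used by `swift_allow_versions` and `swift_allow_all_users`, so it is consistent as written.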
@@ -1,74 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Remove old key file(s) if found - file: - path: "{{ item }}" - state: "absent" - with_items: - - "{{ swift_system_home_folder }}/.ssh/authorized_keys" - - "{{ swift_system_home_folder }}/.ssh/id_rsa" - - "{{ swift_system_home_folder }}/.ssh/id_rsa.pub" - tags: - - swift-key - - swift-key-create - -- name: Create the swift SSH key if it doesnt exist - command: | - ssh-keygen -f {{ swift_system_home_folder }}/.ssh/id_rsa -t rsa -q -N "" - sudo: yes - sudo_user: "{{ swift_system_user_name }}" - tags: - - swift-key - - swift-key-create - -- name: Create empty 'authorized_keys' file - file: - path: "{{ swift_system_home_folder }}/.ssh/authorized_keys" - state: "touch" - tags: - - swift-key - - swift-key-create - -- name: Change permissions on the generated keys - file: - path: "{{ item.path }}" - group: "{{ swift_system_user_name }}" - owner: "{{ swift_system_user_name }}" - mode: "{{ item.mode }}" - with_items: - - { path: "{{ swift_system_home_folder }}/.ssh/authorized_keys", mode: "0700" } - - { path: "{{ swift_system_home_folder }}/.ssh/id_rsa", mode: "0600" } - - { path: "{{ swift_system_home_folder }}/.ssh/id_rsa.pub", mode: "0644" } - tags: - - swift-key - - swift-key-create - -- name: Get public key contents - command: | - cat {{ swift_system_home_folder }}/.ssh/id_rsa.pub - register: swift_pub - changed_when: false - tags: - - swift-key - - 
swift-key-create - -- name: Build authorized keys - shell: | - echo "{{ swift_pub.stdout }}" | tee -a {{ swift_system_home_folder }}/.ssh/authorized_keys - delegate_to: "{{ groups['swift_hosts'][0] }}" - tags: - - swift-key - - swift-key-create diff --git a/tasks/swift_key_distribute.yml b/tasks/swift_key_distribute.yml index 8fca6f8a..f812921d 100644 --- a/tasks/swift_key_distribute.yml +++ b/tasks/swift_key_distribute.yml @@ -13,21 +13,12 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Retrieve authorized keys - memcached: - name: "{{ item.name }}" - file_path: "{{ item.src }}" - state: "retrieve" - file_mode: "{{ item.file_mode }}" - dir_mode: "{{ item.dir_mode }}" - server: "{{ memcached_servers }}" - encrypt_string: "{{ memcached_encryption_key }}" - with_items: - - { src: "{{ swift_system_home_folder }}/.ssh/authorized_keys", name: "authorized_keys", file_mode: "0640", dir_mode: "0750" } - register: memcache_keys - until: memcache_keys|success - retries: 5 - delay: 2 +- name: Create authorized keys file from host vars + authorized_key: + user: "{{ swift_system_user_name }}" + key: "{{ hostvars[item]['swift_pubkey'] }}" + with_items: groups['swift_all'] tags: - swift-key + - swift-key-create - swift-key-distribute diff --git a/tasks/swift_key_store.yml b/tasks/swift_key_populate.yml similarity index 57% rename from tasks/swift_key_store.yml rename to tasks/swift_key_populate.yml index 6f847c87..10c55362 100644 --- a/tasks/swift_key_store.yml +++ b/tasks/swift_key_populate.yml 
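Review bot: `hostvars[item]['swift_pubkey']` only exists for hosts on which the `set_fact` in swift_key_populate.yml has already run in this play, so a run with `--limit`, a `serial` batch, or an unreachable member of `groups['swift_all']` fails this task with an undefined-variable error instead of skipping that host, and the swift_key_setup.yml hunk removes the previous `when` guards so nothing else narrows the loop. A `when: hostvars[item]['swift_pubkey'] is defined` on the loop, or an explicit fail with a clear message before it, would make the failure mode deliberate. Separately, `authorized_key` only adds entries: a host dropped from the group keeps its key authorized on every other node until someone sets `swift_recreate_keys`, whereas the removed create/store path rebuilt the file on each run; if the module version in use accepts several newline-separated keys in `key`, one call with the joined list and `exclusive: yes` would keep the file matching the inventory (with `exclusive` inside a `with_items` loop only the last key would survive, so it must not be added to the loop as-is). The loop also iterates `groups['swift_all']` while the removed code referred to `groups['swift_hosts']`; presumably intentional, but worth confirming both groups exist in the inventory.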
@@ -13,19 +13,18 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Distribute authorized keys for cluster consumption - memcached: - name: "{{ item.name }}" - file_path: "{{ item.src }}" - state: "present" - server: "{{ memcached_servers }}" - encrypt_string: "{{ memcached_encryption_key }}" - with_items: - - { src: "{{ swift_system_home_folder }}/.ssh/authorized_keys", name: "authorized_keys" } - register: memcache_keys - until: memcache_keys|success - retries: 5 - delay: 2 +- name: Get public key contents and store as var + command: | + cat {{ swift_system_home_folder }}/.ssh/id_rsa.pub + register: swift_pub + changed_when: false tags: - swift-key - - swift-key-store + - swift-key-create + +- name: Register a fact for the swift pub key + set_fact: + swift_pubkey: "{{ swift_pub.stdout }}" + tags: + - swift-key + - swift-key-create diff --git a/tasks/swift_key_setup.yml b/tasks/swift_key_setup.yml index 376d40ca..bfd10060 100644 --- a/tasks/swift_key_setup.yml +++ b/tasks/swift_key_setup.yml @@ -13,21 +13,13 @@ # See the License for the specific language governing permissions and # limitations under the License. -- include: swift_key_create.yml +- include: swift_key_populate.yml tags: - swift-key - swift-key-create -- include: swift_key_store.yml - when: > - inventory_hostname == groups['swift_hosts'][0] - tags: - - swift-key - - swift-key-store - - include: swift_key_distribute.yml - when: > - inventory_hostname != groups['swift_hosts'][0] tags: - swift-key + - swift-key-create - swift-key-distribute diff --git a/tasks/swift_pre_install.yml b/tasks/swift_pre_install.yml index b17dd405..f9e7c01a 100644 --- a/tasks/swift_pre_install.yml +++ b/tasks/swift_pre_install.yml 
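Review bot: Reading the public key back with `command: cat .../id_rsa.pub` is a shell round-trip for a value Ansible already produces: the `user` task in swift_pre_install.yml that sets `generate_ssh_key` returns the key as `ssh_public_key` if the installed version exposes it, so registering that task and using `swift_pubkey: "{{ <registered_user_task>.ssh_public_key }}"` would drop this task and its `changed_when: false` workaround (otherwise the `slurp` module with `| b64decode` avoids the command module). As written, the `command` task is skipped in check mode, which leaves `swift_pub` without `stdout` and makes the following `set_fact` fail; `always_run: yes` (or its equivalent in the version in use) on the read task keeps check mode working. Note that `swift_pub.stdout` is the full line including the key comment, which `authorized_key` accepts, but the fact name suggests bare key material.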
@@ -21,6 +21,19 @@ tags: - swift-group +- name: Remove old key file(s) if found + file: + path: "{{ item }}" + state: "absent" + with_items: + - "{{ swift_system_home_folder }}/.ssh/authorized_keys" + - "{{ swift_system_home_folder }}/.ssh/id_rsa" + - "{{ swift_system_home_folder }}/.ssh/id_rsa.pub" + when: swift_recreate_keys == True + tags: + - swift-key + - swift-key-create + - name: Create the swift system user user: name: "{{ swift_system_user_name }}" @@ -30,8 +43,11 @@ system: "yes" createhome: "yes" home: "{{ swift_system_home_folder }}" + generate_ssh_key: "yes" tags: - swift-user + - swift-key + - swift-key-create - name: Create swift dir file:
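Review bot: `when: swift_recreate_keys == True` compares against the boolean `True`, so the documented run-time usage (passing the value with `-e swift_recreate_keys=True`) arrives as the string `"True"`, never matches, and the old keys are silently kept; `when: swift_recreate_keys | bool` handles both the boolean default and string overrides. The ordering with the second hunk is sound: the removal runs before the `user` task with `generate_ssh_key: "yes"`, which does not overwrite an existing key, so a recreate yields a fresh pair and a normal run leaves the existing one alone. Because the key type and size now come from the `user` module defaults instead of the removed `ssh-keygen -t rsa` call, consider pinning them with `ssh_key_type` and `ssh_key_bits` so a future default change does not silently alter the cluster's keys.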