Enable user to change the account used for ssh connection

By default cephadm uses the root account to connect remotely
to other nodes in the cluster. This change allows another
account to be chosen.
This commit also allows a dedicated subnet to be used for cephadm management.

Signed-off-by: Teoman ONAY <tonay@redhat.com>
pull/7109/head
Teoman ONAY 2022-02-07 14:23:49 +01:00 committed by Guillaume Abrioux
parent 2f11982590
commit da42f3d139
4 changed files with 61 additions and 8 deletions


@ -75,6 +75,11 @@ dummy:
#ceph_dashboard_firewall_zone: public
#ceph_rgwloadbalancer_firewall_zone: public
# cephadm account for remote connections
#cephadm_ssh_user: root
#cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"
#cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub"
#cephadm_mgmt_network: "{{ public_network }}"
############
# PACKAGES #
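Review bot: The documented default `#cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"` does not hold for the default account: with `cephadm_ssh_user: root` it expands to `/home/root/.ssh/id_rsa`, whereas root's home is `/root` on the usual distributions, so the keypair check added in cephadm-adopt will never find an existing root key and will always fall back to `cephadm generate-key`. It also breaks for any non-root account whose home is not under `/home`. A cheap fix is `cephadm_ssh_priv_key_path: "{{ '/root' if cephadm_ssh_user == 'root' else '/home/' ~ cephadm_ssh_user }}/.ssh/id_rsa"`; resolving the home directory on the delegate host with `getent` would be more robust. The same default appears in the second sample file and in the defaults hunk at the end of this page.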


@ -75,6 +75,11 @@ dummy:
#ceph_dashboard_firewall_zone: public
#ceph_rgwloadbalancer_firewall_zone: public
# cephadm account for remote connections
#cephadm_ssh_user: root
#cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"
#cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub"
#cephadm_mgmt_network: "{{ public_network }}"
############
# PACKAGES #


@ -249,12 +249,50 @@
run_once: true
delegate_to: '{{ groups[mon_group_name][0] }}'
- name: generate cephadm ssh key
command: "{{ ceph_cmd }} cephadm generate-key"
- name: check if there is an existing ssh keypair
stat:
path: "{{ item }}"
loop:
- "{{ cephadm_ssh_priv_key_path }}"
- "{{ cephadm_ssh_pub_key_path }}"
register: ssh_keys
changed_when: false
run_once: true
delegate_to: '{{ groups[mon_group_name][0] }}'
- name: set fact
set_fact:
stat_ssh_key_pair: "{{ ssh_keys.results | map(attribute='stat.exists') | list }}"
- name: fail if either ssh public or private key is missing
fail:
msg: "One part of the ssh keypair of user {{ cephadm_ssh_user }} is missing"
when:
- false in stat_ssh_key_pair
- true in stat_ssh_key_pair
- name: generate cephadm ssh key if there is none
command: "{{ ceph_cmd }} cephadm generate-key"
when: not true in stat_ssh_key_pair
changed_when: false
run_once: true
delegate_to: '{{ groups[mon_group_name][0] }}'
- name: use existing user keypair for remote connections
when: not false in stat_ssh_key_pair
delegate_to: "{{ groups[mon_group_name][0] }}"
run_once: true
command: >
{{ container_binary + ' run --rm --net=host --security-opt label=disable
-v /etc/ceph:/etc/ceph:z
-v /var/lib/ceph:/var/lib/ceph:ro
-v /var/run/ceph:/var/run/ceph:z
-v ' + item.1 + ':/etc/ceph/cephadm.' + item.0 + ':ro --entrypoint=ceph '+ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else 'ceph' }}
--cluster {{ cluster }} config-key set mgr/cephadm/ssh_identity_{{ item.0 }} -i /etc/ceph/cephadm.{{ item.0 }}
with_together:
- [ 'pub', 'key' ]
- [ '{{ cephadm_ssh_pub_key_path }}', '{{ cephadm_ssh_priv_key_path }}' ]
- name: get the cephadm ssh pub key
command: "{{ ceph_cmd }} cephadm get-pub-key"
changed_when: false
@ -262,13 +300,13 @@
register: cephadm_pubpkey
delegate_to: '{{ groups[mon_group_name][0] }}'
- name: allow cephadm key for {{ cephadm_ssh_user | default('root') }} account
- name: allow cephadm key for {{ cephadm_ssh_user }} account
authorized_key:
user: "{{ cephadm_ssh_user | default('root') }}"
user: "{{ cephadm_ssh_user }}"
key: '{{ cephadm_pubpkey.stdout }}'
- name: set cephadm ssh user to {{ cephadm_ssh_user | default('root') }}
command: "{{ ceph_cmd }} cephadm set-user {{ cephadm_ssh_user | default('root') }}"
- name: set cephadm ssh user to {{ cephadm_ssh_user }}
command: "{{ ceph_cmd }} cephadm set-user {{ cephadm_ssh_user }}"
changed_when: false
run_once: true
delegate_to: "{{ groups[mon_group_name][0] }}"
@ -323,13 +361,13 @@
when: is_hci | bool
- name: manage nodes with cephadm - ipv4
command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(public_network.split(',')) | first }} {{ group_names | join(' ') }}"
command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(cephadm_mgmt_network.split(',')) | first }} {{ group_names | join(' ') }}"
changed_when: false
delegate_to: '{{ groups[mon_group_name][0] }}'
when: ip_version == 'ipv4'
- name: manage nodes with cephadm - ipv6
command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(public_network.split(',')) | last | ipwrap }} {{ group_names | join(' ') }}"
command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(cephadm_mgmt_network.split(',')) | last | ipwrap }} {{ group_names | join(' ') }}"
changed_when: false
delegate_to: '{{ groups[mon_group_name][0] }}'
when: ip_version == 'ipv6'
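Review bot: The `use existing user keypair for remote connections` task writes the private key found at `cephadm_ssh_priv_key_path` on the first mon into the cluster config-key store (`mgr/cephadm/ssh_identity_key`), so whatever key sits at that path — by default the account's general-purpose `/home/<user>/.ssh/id_rsa` — becomes the orchestrator's long-lived identity; that deserves a comment on the task, e.g. `# NOTE: the private key is copied into the mon config-key store; point cephadm_ssh_priv_key_path at a key dedicated to cephadm`. The same task has no `changed_when`, while `generate cephadm ssh key if there is none` declares `changed_when: false` although it creates a new key, so the play's change report under-states what actually happened; dropping `changed_when: false` from the generate task is the minimal fix. The play continues before and after this hunk.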


@ -67,6 +67,11 @@ ceph_iscsi_firewall_zone: public
ceph_dashboard_firewall_zone: public
ceph_rgwloadbalancer_firewall_zone: public
# cephadm account for remote connections
cephadm_ssh_user: root
cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"
cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub"
cephadm_mgmt_network: "{{ public_network }}"
############
# PACKAGES #