templates: Disable SSH keys lookup from authorized_keys.d on FCOS#2087
Conversation
/cc @bgilbert
ashcrow
left a comment
The code makes sense 👍 . My only question is should this be done whenever update is called or should it be done once (bootstrap/firstboot)? I don't think it matters right now from the functionality perspective but still worth thinking about.
bgilbert
left a comment
> My only question is should this be done whenever update is called or should it be done once (bootstrap/firstboot)? I don't think it matters right now from the functionality perspective but still worth thinking about.
On some platforms, Afterburn may run on subsequent boots and recreate its fragment file.
Note that this PR makes a tradeoff: to avoid having to programmatically restart sshd, it disables authorized_keys.d at provisioning time. As a result, after an FCOS node first boots but before the MCO first syncs SSH keys, it will be impossible to SSH into the machine.
If we're comfortable with that tradeoff, there are a couple consequences:
- Since we're disabling `authorized_keys.d` from a template, we don't actually need to remove the fragment files at all, except perhaps as documentation that they're not being used. On FCOS they'll never be read because of the `sshd_config.d` fragment. On RHCOS, we can simply not re-enable reading of `.ssh/authorized_keys.d/ignition` in `sshd_config`.
- Furthermore, we could consider having Ignition on RHCOS continue to write the `authorized_keys` file directly. That would enable SSHing into an RHCOS node before the MCO SSH key sync runs, at the cost of divergent behavior between the OSes.
Ah, great point 👍
f70c681 to 910a66e
@bgilbert updated, PTAL.
910a66e to 79ca51f
bgilbert
left a comment
@LorbusChris Any thoughts on #2087 (review)? I see this version is still deleting the fragment files.
@bgilbert if we're ok with Ignition continuing to write directly to
79ca51f to 05e5d9a
On FCOS, this sshd config dropin ensures that only SSH keys from the `/home/core/.ssh/authorized_keys` file are picked up, and not ones present in the `/home/core/.ssh/authorized_keys.d/` directory, which might be written by Ignition and/or Afterburn. On RHCOS this is a no-op, as it already looks up SSH keys from the authorized_keys file only.
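The drop-in only does what the comment above says if it is read before the stock `ssh-key-dir` drop-in: sshd keeps the first value it obtains for `AuthorizedKeysCommand` and `AuthorizedKeysFile`, and a `*.conf` `Include` is expanded in sorted order. The resolver below, an added example that is not code from this PR or from the MCO, models those two rules on an in-memory set of config files and reports which of the key files present for `core` sshd would consult or ignore. The FCOS layout, the drop-in's file name and contents, and the list of key files are constructed assumptions for the example; on a real node the equivalent check is `sshd -T | grep -i authorizedkeys`.

```python
"""Resolve the AuthorizedKeys* settings sshd will actually use from an
sshd_config plus its sshd_config.d drop-ins.  Two OpenSSH rules decide the
outcome and are modelled here:
  1. for these keywords the FIRST value obtained wins; later ones are ignored;
  2. `Include` is expanded in place, and a glob expands in sorted order.
Files live in an in-memory dict (path -> contents) so this runs offline.
All paths, file names and contents below are constructed for the example.
"""
import fnmatch
import posixpath


def _split(line):
    """Return (keyword, value) for one config line, or (None, None) for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None, None
    parts = line.split(None, 1)            # "Keyword value" form only
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def _walk(path, files, config, depth=0):
    if depth > 16:                         # sshd also rejects runaway nesting
        raise ValueError("Include nesting too deep at " + path)
    for raw in files.get(path, "").splitlines():
        key, value = _split(raw)
        if key is None:
            continue
        if key == "match":
            break   # simplification: only the global section is modelled
        if key == "include":
            for pattern in value.split():
                if not pattern.startswith("/"):
                    pattern = posixpath.join("/etc/ssh", pattern)
                for inc in sorted(p for p in files if fnmatch.fnmatchcase(p, pattern)):
                    _walk(inc, files, config, depth + 1)
            continue
        config.setdefault(key, value)      # first value obtained wins
    return config


def effective_config(files, root="/etc/ssh/sshd_config"):
    """{keyword (lowercase): value} as sshd resolves the global section."""
    return _walk(root, files, {})


def authorized_key_files(config, user, home):
    """Absolute paths sshd consults for `user`; expands %h/%u and relative entries."""
    spec = config.get("authorizedkeysfile", ".ssh/authorized_keys .ssh/authorized_keys2")
    if spec.strip().lower() == "none":
        return []
    paths = []
    for token in spec.split():
        token = token.replace("%h", home).replace("%u", user).replace("%%", "%")
        paths.append(token if token.startswith("/") else posixpath.join(home, token))
    return paths


def key_lookup_report(files, present, user="core", home="/home/core"):
    """Which of the key files `present` on disk sshd would consult, and which it ignores."""
    cfg = effective_config(files)
    command = cfg.get("authorizedkeyscommand", "none")
    wanted = set(authorized_key_files(cfg, user, home))
    consulted = {p for p in present if p in wanted}
    if command.endswith("/ssh-key-dir"):   # the FCOS helper that reads ~/.ssh/authorized_keys.d/*
        fragment_dir = posixpath.join(home, ".ssh/authorized_keys.d/")
        consulted |= {p for p in present if p.startswith(fragment_dir)}
    return {"command": command, "files": sorted(wanted),
            "consulted": sorted(consulted),
            "ignored": sorted(set(present) - consulted)}


# Constructed FCOS-like layout: stock sshd_config includes drop-ins first, and
# the ssh-key-dir drop-in is what makes sshd read ~/.ssh/authorized_keys.d/*.
FCOS_STOCK = {
    "/etc/ssh/sshd_config": ("Include /etc/ssh/sshd_config.d/*.conf\n"
                             "AuthorizedKeysFile .ssh/authorized_keys\n"
                             "PasswordAuthentication no\n"),
    "/etc/ssh/sshd_config.d/40-ssh-key-dir.conf": (
        "AuthorizedKeysCommand /usr/libexec/ssh-key-dir\n"
        "AuthorizedKeysCommandUser root\n"),
}

# The drop-in this PR ships; its file name and exact contents are assumed here.
MCO_DROPIN = {
    "/etc/ssh/sshd_config.d/10-disable-ssh-key-dir.conf": (
        "# Only honour ~/.ssh/authorized_keys, which the MCO manages.\n"
        "AuthorizedKeysCommand none\n"
        "AuthorizedKeysFile .ssh/authorized_keys\n"),
}

# Key files that may exist for `core` on a freshly provisioned node (constructed).
CORE_KEY_FILES = [
    "/home/core/.ssh/authorized_keys",              # written by the MCO key sync
    "/home/core/.ssh/authorized_keys.d/ignition",   # written by Ignition
    "/home/core/.ssh/authorized_keys.d/afterburn",  # written by Afterburn
]

if __name__ == "__main__":
    for label, files in (("stock FCOS", FCOS_STOCK),
                         ("FCOS + MCO drop-in", {**FCOS_STOCK, **MCO_DROPIN})):
        print(label, key_lookup_report(files, CORE_KEY_FILES))
```

With the drop-in present the report lists the Ignition and Afterburn fragments as ignored, which is the tradeoff discussed above: until the MCO writes `authorized_keys`, no key reaches sshd. Renaming the drop-in so it sorts after `40-ssh-key-dir.conf` silently restores ssh-key-dir, because the first obtained `AuthorizedKeysCommand` wins; that ordering is worth asserting in CI rather than assuming.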
05e5d9a to 5ed6fa3
bgilbert
left a comment
LGTM, provided we're okay with the tradeoffs in #2087 (review).
Random aside, a lot of our thinking now is "rhcos == rhel8" but that will change - it's likely rhcos9 would potentially inherit any default changes we make to OpenSSH for example, so down the line ideally we'd do more "feature detection" rather than hardcode expectations that "rhcos" means a whole set of things.
ashcrow
left a comment
LGTM too ... cc @yuqi-zhang @runcom
In this case there shouldn't be an issue. If future RHEL versions start reading
/hold cancel
/cc @yuqi-zhang @runcom
/cherry-pick release-4.6
@LorbusChris: once the present PR merges, I will cherry-pick it on top of release-4.6 in a new PR and assign it to you.
@LorbusChris: new pull request created: #2245
- What I did
On FCOS, this sshd config dropin ensures that only SSH keys from the `/home/core/.ssh/authorized_keys` file are picked up, and not ones present in the `/home/core/.ssh/authorized_keys.d/` directory, which might be written by Ignition and/or Afterburn.
On RHCOS this is a no-op, as it already looks up SSH keys from the `authorized_keys` file only.
- How to verify it
CI e2e testing
- Description for the changelog
templates: Disable SSH keys lookup from authorized_keys.d on FCOS
/hold
for testing