Support `ssh-key-dir` on OKD/FCOS by LorbusChris · Pull Request #2688 · openshift/machine-config-operator

LorbusChris · 2021-07-22T21:19:05Z

- What I did
In older versions of OKD, the SSH keys were written to
/home/core/.ssh/authorized_keys. Newer versions of OKD will
expect the keys at /home/core/.ssh/authorized_keys.d/ignition.
In the case of a newer version of OKD, the keys file is removed
from the legacy path in the updateSSHKeys function.
It will then be recreated at the new fragment path by the
atomicallyWriteSSHKey function that is called right after.

- How to verify it
CI

- Description for the changelog
Support ssh-key-dir on OKD/FCOS

openshift-ci · 2021-07-22T21:19:14Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

LorbusChris · 2021-07-22T21:23:19Z

/test e2e-aws

LorbusChris · 2021-07-22T21:34:20Z

/test e2e-aws

LorbusChris · 2021-07-22T21:42:38Z

/test e2e-aws

fortinj66 · 2021-09-28T16:59:57Z

@LorbusChris, #2087 will need to be reverted for this to work correct?

LorbusChris · 2021-09-28T17:01:38Z

@fortinj66 yes. The plan is to manage the ignition key fragment in the future.

LorbusChris · 2021-09-28T23:44:08Z

/cc @bgilbert
/cc @travier

LorbusChris · 2021-09-29T11:13:19Z

/retest-required

LorbusChris · 2021-09-29T14:41:40Z

/test e2e-aws

travier · 2021-10-01T11:51:13Z

The order in which we will merge things here will matter unfortunately as this involves Ignition package changes too. One option we have is to make sure we coordinate this to happen on a specific day.

travier

Code LGTM but I'm not really familiar with the MCO code base.

LorbusChris · 2021-10-06T15:39:00Z

/test e2e-agnostic-upgrade

LorbusChris · 2021-10-06T15:39:27Z

/test e2e-aws
/test e2e-gcp-op

LorbusChris · 2021-10-06T18:17:38Z

/test e2e-aws
/test e2e-gcp-op
/test e2e-agnostic-upgrade

LorbusChris · 2021-11-16T10:58:34Z

I've removed the RHCOS9 parts from this PR

In older versions of OKD, the SSH keys were written to `/home/core/.ssh/authorized_keys`. Newer versions of OKD will expect the keys at `/home/core/.ssh/authorized_keys.d/ignition`. In the case of a newer version of OKD, the keys file is removed from the legacy path in the updateSSHKeys function. It will then be recreated at the new fragment path by the atomicallyWriteSSHKey function that is called right after.

Usage of ssh-key-dir is now supported on FCOS (OKD)

sinnykumari

Thanks Christain for making the changes.
/lgtm

sinnykumari · 2021-11-22T13:14:12Z

Just noticed #2688 (comment) , @LorbusChris do we need any ignition update here? Putting hold until this question is addressed.
/hold

LorbusChris · 2021-11-22T13:15:21Z

Just noticed #2688 (comment) , @LorbusChris do we need any ignition update here? Putting hold until this question is addressed. /hold

No, this will only be needed for RHCOS9

LorbusChris · 2021-11-22T13:15:36Z

/hold cancel

openshift-ci · 2021-11-22T13:16:34Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: LorbusChris, sinnykumari, travier

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [sinnykumari]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-bot · 2021-11-22T13:22:52Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-11-22T13:34:47Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-11-22T13:46:43Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-11-22T14:10:47Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-ci · 2021-11-22T14:15:12Z

@LorbusChris: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-techpreview-featuregate	2f91cc6d819677c1b0c3a3428901de580b9c6f42	link	false	`/test e2e-aws-techpreview-featuregate`
ci/prow/e2e-vsphere-upgrade	`05142f3`	link	false	`/test e2e-vsphere-upgrade`
ci/prow/e2e-ovn-step-registry	`05142f3`	link	false	`/test e2e-ovn-step-registry`
ci/prow/okd-e2e-aws	`05142f3`	link	false	`/test okd-e2e-aws`
ci/prow/e2e-aws-workers-rhel7	`05142f3`	link	false	`/test e2e-aws-workers-rhel7`
ci/prow/e2e-aws-disruptive	`05142f3`	link	false	`/test e2e-aws-disruptive`
ci/prow/e2e-metal-ipi	`05142f3`	link	false	`/test e2e-metal-ipi`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-bot · 2021-11-22T14:22:43Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-11-22T14:46:46Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-11-22T14:58:47Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-11-22T15:10:43Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 22, 2021

openshift-ci Bot requested review from kikisdeliveryservice and yuqi-zhang July 22, 2021 21:19

LorbusChris force-pushed the ssh-key-dir branch from 69a0021 to 3a87d7d Compare July 22, 2021 21:32

LorbusChris force-pushed the ssh-key-dir branch from 3a87d7d to 36587fe Compare July 22, 2021 21:42

kikisdeliveryservice added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 26, 2021

LorbusChris mentioned this pull request Sep 28, 2021

Add support for authorized_keys.d/ignition in OKD #2779

Closed

LorbusChris force-pushed the ssh-key-dir branch 2 times, most recently from 1bdb52a to 2f91cc6 Compare September 28, 2021 23:37

LorbusChris marked this pull request as ready for review September 28, 2021 23:43

openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 28, 2021

openshift-ci Bot requested review from bgilbert and travier September 28, 2021 23:44

travier approved these changes Oct 1, 2021

View reviewed changes

LorbusChris force-pushed the ssh-key-dir branch 3 times, most recently from 875ded7 to 40394f8 Compare October 27, 2021 19:22

LorbusChris force-pushed the ssh-key-dir branch from 3f433ca to 1fd1e6e Compare November 16, 2021 10:56

LorbusChris changed the title ~~Support ssh-key-dir on FCOS and future RHCOS9~~ Support ssh-key-dir on OKD/FCOS Nov 16, 2021

LorbusChris force-pushed the ssh-key-dir branch from 1fd1e6e to efb7685 Compare November 16, 2021 13:28

sinnykumari reviewed Nov 22, 2021

View reviewed changes

Comment thread pkg/daemon/update.go Outdated

sinnykumari reviewed Nov 22, 2021

View reviewed changes

Comment thread pkg/daemon/update.go Outdated

sinnykumari reviewed Nov 22, 2021

View reviewed changes

Comment thread pkg/daemon/update.go Outdated

LorbusChris added 2 commits November 22, 2021 12:45

templates: Remove sshd config disabling ssh-key-dir

05142f3

Usage of ssh-key-dir is now supported on FCOS (OKD)

LorbusChris force-pushed the ssh-key-dir branch from efb7685 to 05142f3 Compare November 22, 2021 11:46

sinnykumari approved these changes Nov 22, 2021

View reviewed changes

openshift-ci Bot assigned sinnykumari Nov 22, 2021

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Nov 22, 2021

openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 22, 2021

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 22, 2021

openshift-merge-robot merged commit 21fd183 into openshift:master Nov 22, 2021

LorbusChris mentioned this pull request Nov 22, 2021

Merge OKD-specific changes into master #2778

Merged

Conversation

LorbusChris commented Jul 22, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci Bot commented Jul 22, 2021

Uh oh!

LorbusChris commented Jul 22, 2021

Uh oh!

LorbusChris commented Jul 22, 2021

Uh oh!

LorbusChris commented Jul 22, 2021

Uh oh!

fortinj66 commented Sep 28, 2021

Uh oh!

LorbusChris commented Sep 28, 2021

Uh oh!

LorbusChris commented Sep 28, 2021

Uh oh!

LorbusChris commented Sep 29, 2021

Uh oh!

LorbusChris commented Sep 29, 2021

Uh oh!

travier commented Oct 1, 2021

Uh oh!

travier left a comment

Choose a reason for hiding this comment

Uh oh!

LorbusChris commented Oct 6, 2021

Uh oh!

LorbusChris commented Oct 6, 2021

Uh oh!

LorbusChris commented Oct 6, 2021

Uh oh!

LorbusChris commented Nov 16, 2021

Uh oh!

Uh oh!

Uh oh!

Uh oh!

sinnykumari left a comment

Choose a reason for hiding this comment

Uh oh!

sinnykumari commented Nov 22, 2021

Uh oh!

LorbusChris commented Nov 22, 2021

Uh oh!

LorbusChris commented Nov 22, 2021

Uh oh!

openshift-ci Bot commented Nov 22, 2021

Uh oh!

openshift-bot commented Nov 22, 2021

Uh oh!

openshift-bot commented Nov 22, 2021

Uh oh!

openshift-bot commented Nov 22, 2021

Uh oh!

openshift-bot commented Nov 22, 2021

Uh oh!

openshift-ci Bot commented Nov 22, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-bot commented Nov 22, 2021

Uh oh!

openshift-bot commented Nov 22, 2021

Uh oh!

openshift-bot commented Nov 22, 2021

Uh oh!

openshift-bot commented Nov 22, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

LorbusChris commented Jul 22, 2021 •

edited

Loading

openshift-ci Bot commented Nov 22, 2021 •

edited

Loading