root / doc / cluster-keys-replacement.rst @ bced76fd
========================
Cluster Keys Replacement
========================

Ganeti uses both SSL and SSH keys, and actively modifies the SSH keys
on the nodes. As a result, in order to replace these keys, a few extra
steps need to be followed.

For an example of when this could be needed, see the thread at
`Regenerating SSL and SSH keys after the security bug in Debian's
OpenSSL
<http://groups.google.com/group/ganeti/browse_thread/thread/30cc95102dc2123e>`_.

Ganeti uses OpenSSL for encryption on the RPC layer and SSH for
executing commands. The SSL certificate is automatically generated
when the cluster is initialized and it's copied to added nodes
automatically together with the master's SSH host key.

Note that paths below may vary depending on your distribution. In
general, modifications should be done on the master node and then
distributed to all nodes of a cluster (possibly using a pendrive - but
don't forget to use "shred" to remove files securely afterwards).

Replacing SSL keys
==================

The cluster SSL key is stored in ``/var/lib/ganeti/server.pem``.

Run the following command to generate a new key::

  gnt-cluster renew-crypto --new-cluster-certificate

  # Older versions, which don't have this command, can instead use:
  chmod 0600 /var/lib/ganeti/server.pem &&
  openssl req -new -newkey rsa:1024 -days 1825 -nodes \
      -x509 -keyout /var/lib/ganeti/server.pem \
      -out /var/lib/ganeti/server.pem -batch &&
  chmod 0400 /var/lib/ganeti/server.pem &&
  /etc/init.d/ganeti restart

  # Distribute the new certificate to all nodes, then restart Ganeti everywhere
  gnt-cluster copyfile /var/lib/ganeti/server.pem

  gnt-cluster command /etc/init.d/ganeti restart

Replacing SSH keys
==================

There are two sets of SSH keys in the cluster: the host keys (both DSA
and RSA, though Ganeti only uses the RSA one) and root's DSA key
(Ganeti uses DSA for historical reasons; in the future RSA will be
used).

host keys
+++++++++

These are the files named ``/etc/ssh/ssh_host_*``. You need to
manually recreate them; it's possible that the startup script of
OpenSSH will generate them if they don't exist, or that the package
system regenerates them.

Also make sure to copy the master's SSH host keys to all other nodes.

cluster public key file
+++++++++++++++++++++++

The new public RSA host key created in the previous step must be added
in two places:

#. known hosts file, ``/var/lib/ganeti/known_hosts``
#. cluster configuration file, ``/var/lib/ganeti/config.data``

Edit these two files and update them with the newly generated SSH host key
from the previous step (take it from
``/etc/ssh/ssh_host_rsa_key.pub``).

For the ``config.data`` file, please look for an entry named
``rsahostkeypub`` and replace the value for it with the contents of
the ``.pub`` file. For the ``known_hosts`` file, you need to replace
the old key with the new one on each line (for each host).

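As an added example (not part of the Ganeti documentation or code base), the following POSIX shell helpers carry out the ``known_hosts`` step described above: every host line is rewritten to carry the key from the new ``ssh_host_rsa_key.pub``, and a second function checks that no line still holds a different key. The function names and the sample ``known_hosts`` contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Ganeti: helpers for the known_hosts step.
# Function names and the sample data below are constructed for illustration.

# Print KNOWN_HOSTS (2nd arg) with the key type and key body of every host line
# replaced by those from NEW_PUB (1st arg, e.g. /etc/ssh/ssh_host_rsa_key.pub).
# Host names, comment lines and blank lines are kept unchanged.
rewrite_known_hosts() {
    newpub="$1"; kh="$2"
    read -r keytype keybody _rest < "$newpub" || :
    awk -v t="$keytype" -v k="$keybody" '
        /^[[:space:]]*#/ || NF == 0 { print; next }   # comment or blank line
        { print $1, t, k }                            # hostnames, type, key body
    ' "$kh"
}

# Return 0 if every host line of KNOWN_HOSTS carries exactly the key in NEW_PUB;
# otherwise print the host names that still have a stale key and return 1.
check_known_hosts() {
    newpub="$1"; kh="$2"
    read -r keytype keybody _rest < "$newpub" || :
    awk -v t="$keytype" -v k="$keybody" '
        BEGIN { bad = 0 }
        /^[[:space:]]*#/ || NF == 0 { next }
        $2 != t || $3 != k { print "stale key for " $1; bad = 1 }
        END { exit bad }
    ' "$kh"
}

# Create a constructed sample in a temporary directory: a new host key .pub
# and a known_hosts that still lists the old key. Prints the directory.
make_sample() {
    dir=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NEWKEY root@master\n' > "$dir/ssh_host_rsa_key.pub"
    printf 'cluster.example.com ssh-rsa AAAAB3OLDKEY\n# comment\nnode2.example.com ssh-rsa AAAAB3OLDKEY\n' \
        > "$dir/known_hosts"
    echo "$dir"
}

# On a real cluster: write to a new file, check it, then move it into place, e.g.
#   rewrite_known_hosts /etc/ssh/ssh_host_rsa_key.pub /var/lib/ganeti/known_hosts \
#       > /var/lib/ganeti/known_hosts.new
#   check_known_hosts /etc/ssh/ssh_host_rsa_key.pub /var/lib/ganeti/known_hosts.new
```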
root's key
++++++++++

These are the files named ``~root/.ssh/id_dsa*``.

Run this command to rebuild them::

  # ssh-keygen prompts before overwriting an existing key pair; answer "y"
  # or move the old id_dsa* files away first
  ssh-keygen -t dsa -f ~root/.ssh/id_dsa -q -N ""

root's ``authorized_keys``
++++++++++++++++++++++++++

This is the file named ``~root/.ssh/authorized_keys``.

Edit the file and update it with the newly generated root key, from the
``id_dsa.pub`` file generated in the previous step.

Finish
======

In the end, the files mentioned above should be identical for all
nodes in a cluster. Also do not forget to run ``gnt-cluster verify``.