root / doc / design-ssh-setup.rst @ f98efa98
Design for setting up SSH
=========================

.. contents:: :depth: 3


Current state and shortcomings
------------------------------

Before a node can be added to a cluster, its SSH daemon must be
re-configured to use the cluster-wide SSH host key. Ganeti 2.3.0 changed
the way this is done by moving all related code to a separate script,
``tools/setup-ssh``, using Paramiko. Before that, all such configuration
was done from ``lib/bootstrap.py`` using the system's own SSH client and
a shell script given to said client through parameters.

Both solutions controlled all actions from the connecting machine; the
newly added node was merely executing commands. This implies and
requires a tight coupling and equality between nodes (e.g. paths to
files being the same). Most of the logic and error handling is also done
on the connecting machine.


Proposed changes
----------------

The main goal is to move more logic to the newly added node. Instead of
having a relatively large script executed on the master node, most of it
is moved over to the added node.

A new script named ``prepare-node-join`` is added. It receives a JSON
data structure (defined :ref:`below <prepare-node-join-json>`) on its
standard input. Once the data has been successfully decoded, it proceeds
to configure the local node's SSH daemon and the Ganeti node daemon, and
restarts both.

All the master node has to do to add a new node is to gather all
required data, build the data structure, and invoke the script on the
node to be added. This will enable us to once again use the system's own
SSH client and to drop the dependency on Paramiko for Ganeti itself
(``ganeti-listrunner`` is going to continue using Paramiko).

Eventually ``setup-ssh`` can be removed.

.. _prepare-node-join-json:

JSON structure
~~~~~~~~~~~~~~

The data is given in an object containing the keys described below. All
entries are optional, with the condition that for cryptographic keys
either both the private and the public part or nothing at all must be
given.

``ssh_host_key``
  List containing public and private parts of the SSH host key. See
  below for the definition.
``ssh_root_key``
  List containing public and private parts of root's key for SSH
  authorization. See below for the definition.
``node_daemon_certificate``
  Node daemon certificate in PEM format, to be stored in ``server.pem``.
``start_node_daemon``
  Boolean value describing whether the node daemon should be
  started/restarted. If not given, the daemon is not started.

Lists of SSH keys use a tuple with three values. The first describes the
key variant (``rsa`` or ``dsa``). The second and third are the public
and private part of the key. Example:

.. highlight:: javascript

::

  [
    ("rsa", "AAAA...", "-----BEGIN RSA PRIVATE KEY-----..."),
    ("dsa", "AAAA...", "-----BEGIN DSA PRIVATE KEY-----..."),
  ]
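The following is an added example and not code from the Ganeti project: a small Python validator for the ``prepare-node-join`` input described above, written from the receiving script's point of view, plus the master-side builder that produces the same structure. It accepts only the documented keys, enforces the "both parts or nothing" rule for every SSH key entry, restricts the variant to ``rsa`` or ``dsa``, requires ``start_node_daemon`` to be a real boolean and defaults it to false when absent. Function names, the PEM sanity check and the sample payload are assumptions; the key material in the sample is a constructed placeholder. Because JSON has no tuple type, key entries are carried as JSON arrays on the wire.

```python
import json

# Key names taken from the design document's JSON structure.
KNOWN_KEYS = frozenset([
    "ssh_host_key",
    "ssh_root_key",
    "node_daemon_certificate",
    "start_node_daemon",
])
SSH_KEY_LISTS = ("ssh_host_key", "ssh_root_key")
SSH_KEY_VARIANTS = frozenset(["rsa", "dsa"])


class NodeJoinDataError(ValueError):
    """Input on stdin does not match the documented structure."""


def _check_ssh_key_list(name, value):
    """Each entry must be [variant, public, private] with both parts present."""
    if not isinstance(value, list):
        raise NodeJoinDataError("%s: expected a list" % name)
    for idx, entry in enumerate(value):
        if not isinstance(entry, list) or len(entry) != 3:
            raise NodeJoinDataError("%s[%d]: expected [variant, public, private]"
                                    % (name, idx))
        variant, public, private = entry
        if not isinstance(variant, str) or variant not in SSH_KEY_VARIANTS:
            raise NodeJoinDataError("%s[%d]: unknown key variant %r"
                                    % (name, idx, variant))
        # "Private and public parts or nothing at all": an entry with one
        # part missing or empty is rejected rather than silently skipped.
        for label, part in (("public", public), ("private", private)):
            if not isinstance(part, str) or not part.strip():
                raise NodeJoinDataError("%s[%d]: %s part missing or empty"
                                        % (name, idx, label))


def validate_node_join_data(data):
    """Validate the decoded object; return a copy with defaults applied."""
    if not isinstance(data, dict):
        raise NodeJoinDataError("top-level value must be a JSON object")
    unknown = sorted(set(data) - KNOWN_KEYS)
    if unknown:
        raise NodeJoinDataError("unknown keys: %s" % ", ".join(unknown))
    result = {}
    for name in SSH_KEY_LISTS:
        if name in data:
            _check_ssh_key_list(name, data[name])
            result[name] = [list(entry) for entry in data[name]]
    if "node_daemon_certificate" in data:
        cert = data["node_daemon_certificate"]
        # Minimal sanity check only (assumption): real code would parse the PEM.
        if not isinstance(cert, str) or "-----BEGIN" not in cert:
            raise NodeJoinDataError("node_daemon_certificate: expected PEM text")
        result["node_daemon_certificate"] = cert
    # Documented default: if not given, the daemon is not started.
    start = data.get("start_node_daemon", False)
    if not isinstance(start, bool):
        raise NodeJoinDataError("start_node_daemon: expected a boolean")
    result["start_node_daemon"] = start
    return result


def parse_node_join_input(text):
    """Decode the JSON text read from stdin and validate it."""
    try:
        data = json.loads(text)
    except ValueError as err:
        raise NodeJoinDataError("invalid JSON: %s" % err)
    return validate_node_join_data(data)


def build_node_join_data(ssh_host_key=None, ssh_root_key=None,
                         node_daemon_certificate=None, start_node_daemon=None):
    """Master side: assemble the structure, omitting entries not given, and
    validate it before sending so a malformed payload fails on the master."""
    data = {}
    if ssh_host_key is not None:
        data["ssh_host_key"] = [list(k) for k in ssh_host_key]
    if ssh_root_key is not None:
        data["ssh_root_key"] = [list(k) for k in ssh_root_key]
    if node_daemon_certificate is not None:
        data["node_daemon_certificate"] = node_daemon_certificate
    if start_node_daemon is not None:
        data["start_node_daemon"] = start_node_daemon
    validate_node_join_data(data)
    return json.dumps(data)


def rejects(text):
    """True if the validator refuses this stdin text."""
    try:
        parse_node_join_input(text)
    except NodeJoinDataError:
        return True
    return False


# Constructed sample payload with placeholder key material, as the master
# would write it to the script's standard input.
SAMPLE_INPUT = build_node_join_data(
    ssh_host_key=[("rsa", "AAAAB3...placeholder",
                   "-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n"
                   "-----END RSA PRIVATE KEY-----")],
    node_daemon_certificate=("-----BEGIN CERTIFICATE-----\nplaceholder\n"
                             "-----END CERTIFICATE-----"),
    start_node_daemon=True,
)

if __name__ == "__main__":
    import sys
    text = SAMPLE_INPUT if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(parse_node_join_input(text), indent=2))
```

Run with a payload on stdin (``echo '{}' | python3 this.py``) or with no input to see the constructed sample decoded; the validator deliberately fails closed on unknown keys and on half-specified key pairs, since a node that silently applied a partial key set would end up with a host key or root key that does not match what the master recorded.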

.. vim: set textwidth=72 :
.. Local Variables:
.. mode: rst
.. fill-column: 72
.. End: