root / doc / design-ssh-setup.rst @ 340ae7da
History | View | Annotate | Download (3 kB)
1 |
Design for setting up SSH |
---|---|
2 |
===================================== |
3 |
|
4 |
.. contents:: :depth: 3 |
5 |
|
6 |
|
7 |
Current state and shortcomings |
8 |
------------------------------ |
9 |
|
10 |
Before a node can be added to a cluster, its SSH daemon must be |
11 |
re-configured to use the cluster-wide SSH host key. Ganeti 2.3.0 changed |
12 |
the way this is done by moving all related code to a separate script, |
13 |
``tools/setup-ssh``, using Paramiko. Before all such configuration was |
14 |
done from ``lib/bootstrap.py`` using the system's own SSH client and a |
15 |
shell script given to said client through parameters. |
16 |
|
17 |
Both solutions controlled all actions on the connecting machine; the |
18 |
newly added node was merely executing commands. This implies and |
19 |
requires a tight coupling and equality between nodes (e.g. paths to |
20 |
files being the same). Most of the logic and error handling is also done |
21 |
on the connecting machine. |
22 |
|
23 |
|
24 |
Proposed changes |
25 |
---------------- |
26 |
|
27 |
The main goal is to move more logic to the newly added node. Instead of |
28 |
having a relatively large script executed on the master node, most of it |
29 |
is moved over to the added node. |
30 |
|
31 |
A new script named ``prepare-node-join`` is added. It receives a JSON |
32 |
data structure (defined :ref:`below <prepare-node-join-json>`) on its |
33 |
standard input. Once the data has been successfully decoded, it proceeds |
34 |
to configure the local node's SSH daemon and root's SSH settings, after |
35 |
which the SSH daemon is restarted. |
36 |
|
37 |
All the master node has to do to add a new node is to gather all |
38 |
required data, build the data structure, and invoke the script on the |
39 |
node to be added. This will enable us to once again use the system's own |
40 |
SSH client and to drop the dependency on Paramiko for Ganeti itself |
41 |
(``ganeti-listrunner`` is going to continue using Paramiko). |
42 |
|
43 |
Eventually ``setup-ssh`` can be removed. |
44 |
|
45 |
.. _prepare-node-join-json: |
46 |
|
47 |
JSON structure |
48 |
~~~~~~~~~~~~~~ |
49 |
|
50 |
The data is given in an object containing the keys described below. |
51 |
Unless specified otherwise, all entries are optional. |
52 |
|
53 |
``cluster_name`` |
54 |
Required string with the cluster name. If a local cluster name is |
55 |
found, the join process is aborted unless the passed cluster name |
56 |
matches the local name. |
57 |
``node_daemon_certificate`` |
58 |
Public part of cluster's node daemon certificate in PEM format. If a |
59 |
local node certificate and key is found, the join process is aborted |
60 |
unless this passed public part can be verified with the local key. |
61 |
``ssh_host_key`` |
62 |
List containing public and private parts of SSH host key. See below |
63 |
for definition. |
64 |
``ssh_root_key`` |
65 |
List containing public and private parts of root's key for SSH |
66 |
authorization. See below for definition. |
67 |
|
68 |
Lists of SSH keys use a tuple with three values. The first describes the |
69 |
key variant (``rsa`` or ``dsa``). The second and third are the private |
70 |
and public part of the key. Example: |
71 |
|
72 |
.. highlight:: javascript |
73 |
|
74 |
:: |
75 |
|
76 |
[ |
77 |
("rsa", "-----BEGIN RSA PRIVATE KEY-----...", "ssh-rss AAAA..."), |
78 |
("dsa", "-----BEGIN DSA PRIVATE KEY-----...", "ssh-dss AAAA..."), |
79 |
] |
80 |
|
81 |
.. vim: set textwidth=72 : |
82 |
.. Local Variables: |
83 |
.. mode: rst |
84 |
.. fill-column: 72 |
85 |
.. End: |