root / doc / cluster-keys-replacement.rst @ bced76fd
========================
Cluster Keys Replacement
========================

Ganeti uses both SSL and SSH keys, and actively modifies the SSH keys
on the nodes. As a result, in order to replace these keys, a few extra
steps need to be followed.

For an example of when this could be needed, see the thread at
`Regenerating SSL and SSH keys after the security bug in Debian's
OpenSSL
<http://groups.google.com/group/ganeti/browse_thread/thread/30cc95102dc2123e>`_.

Ganeti uses OpenSSL for encryption on the RPC layer and SSH for
executing commands. The SSL certificate is automatically generated
when the cluster is initialized and it is copied to added nodes
automatically together with the master's SSH host key.

Note that the paths below may vary depending on your distribution. In
general, modifications should be done on the master node and then
distributed to all nodes of the cluster (possibly using a pendrive, but
don't forget to use "shred" to remove the files securely afterwards).

Replacing SSL keys
==================

The cluster SSL key is stored in ``/var/lib/ganeti/server.pem``.

Run the following command to generate a new key::

  gnt-cluster renew-crypto --new-cluster-certificate

  # Older versions, which don't have this command, can instead use:
  chmod 0600 /var/lib/ganeti/server.pem &&
  openssl req -new -newkey rsa:1024 -days 1825 -nodes \
    -x509 -keyout /var/lib/ganeti/server.pem \
    -out /var/lib/ganeti/server.pem -batch &&
  chmod 0400 /var/lib/ganeti/server.pem &&
  /etc/init.d/ganeti restart

  gnt-cluster copyfile /var/lib/ganeti/server.pem

  gnt-cluster command /etc/init.d/ganeti restart

Replacing SSH keys
==================

There are two sets of SSH keys in the cluster: the host keys (both DSA
and RSA, though Ganeti only uses the RSA one) and root's DSA key
(Ganeti uses DSA for historical reasons; in the future RSA will be
used).

host keys
+++++++++

These are the files named ``/etc/ssh/ssh_host_*``. You need to
recreate them manually; it's possible that the startup script of
OpenSSH will generate them if they don't exist, or that the package
system regenerates them.

Also make sure to copy the master's SSH host keys to all other nodes.

cluster public key file
+++++++++++++++++++++++

The new public RSA host key created in the previous step must be added
in two places:

#. the known hosts file, ``/var/lib/ganeti/known_hosts``
#. the cluster configuration file, ``/var/lib/ganeti/config.data``

Edit these two files and update them with the newly generated SSH host
key (from the previous step; take it from
``/etc/ssh/ssh_host_rsa_key.pub``).

For the ``config.data`` file, look for an entry named
``rsahostkeypub`` and replace its value with the contents of the
``.pub`` file. For the ``known_hosts`` file, you need to replace the
old key with the new one on each line (for each host).
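
The two edits above can be done mechanically. The following added example (Python, not part of Ganeti or of this document) rewrites both files from the new ``ssh_host_rsa_key.pub`` line and then lists any line still carrying the retired key, which is the check worth running before the restart. It assumes ``config.data`` is JSON with the entry at ``cluster.rsahostkeypub`` holding only the base64 blob; all host names and key material below are constructed samples.

```python
import json

# Constructed sample data (not real keys): the retired key, the new host key line as
# read from /etc/ssh/ssh_host_rsa_key.pub, and a small known_hosts and config.data.
OLD_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDoldkey"
NEW_PUB_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDnewkey root@master"
SAMPLE_KNOWN_HOSTS = (
    "cluster.example.com ssh-rsa " + OLD_BLOB + " root@master\n"
    "node1.example.com ssh-rsa " + OLD_BLOB + "\n"
    "# comment lines and other key types must survive untouched\n"
    "node2.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtlZXA\n"
)
SAMPLE_CONFIG_DATA = (
    '{"version": 2, "cluster": {"cluster_name": "cluster.example.com", '
    '"rsahostkeypub": "' + OLD_BLOB + '"}}'
)

def parse_pubkey(pubkey_line):
    """Split an ssh_host_rsa_key.pub line into (type, base64 blob); the comment is dropped."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64> [comment]' line")
    return fields[0], fields[1]

def update_known_hosts(text, new_pubkey_line):
    """Swap the key material on every ssh-rsa line (plain, hashed or @-marker hosts),
    keeping the host field and leaving comments and other key types alone."""
    ktype, blob = parse_pubkey(new_pubkey_line)
    out = []
    for line in text.splitlines():
        fields = line.split()
        if not line.lstrip().startswith("#") and ktype in fields[:3]:
            i = fields.index(ktype)
            out.append(" ".join(fields[:i + 1] + [blob]))
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def update_config_data(text, new_pubkey_line):
    """Rewrite rsahostkeypub; assumes (not verified here) that config.data is JSON and
    the entry holds only the base64 blob. Check against your own file first."""
    cfg = json.loads(text)
    cfg["cluster"]["rsahostkeypub"] = parse_pubkey(new_pubkey_line)[1]
    return json.dumps(cfg, indent=2, sort_keys=True)

def stale_key_lines(text, old_blob):
    """1-based line numbers still carrying the retired key; must be empty before the restart."""
    return [n for n, line in enumerate(text.splitlines(), 1) if old_blob in line]
```

Run ``stale_key_lines`` over every copy of both files on every node, not just the master, since a single stale line keeps the old key trusted.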

root's key
++++++++++

These are the files named ``~root/.ssh/id_dsa*``.

Run this command to rebuild them::

  ssh-keygen -t dsa -f ~root/.ssh/id_dsa -q -N ""

root's ``authorized_keys``
++++++++++++++++++++++++++

This is the file named ``~root/.ssh/authorized_keys``.

Edit the file and update it with the newly generated root key, from the
``id_dsa.pub`` file generated in the previous step.

Finish
======

In the end, the files mentioned above should be identical on all
nodes in the cluster. Also do not forget to run ``gnt-cluster verify``.