Skip to content

Fix hostkeys in IPA not matching host when persisting keys #863

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
sjpb wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Fix hostkeys in IPA not matching host when persisting keys #863

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions ansible/extras.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,8 @@
ansible.builtin.fail:
msg: Reboot handler for stackhpc.linux.vgpu role fired unexpectedly. This was supposed to be unreachable.

<<<<<<< HEAD
- name: Persist hostkeys across rebuilds

Check failure on line 75 in ansible/extras.yml

View workflow job for this annotation

GitHub Actions / Lint / Lint

syntax-check[specific] 

YAML parsing failed: While scanning a simple key could not find expected ':'.

Check warning on line 75 in ansible/extras.yml

View workflow job for this annotation

GitHub Actions / Lint / Lint

load-failure[yaml] 

Failed to load YAML file
# Must be after filesystems.yml (for storage)
# and before portal.yml (where OOD login node hostkeys are scanned)
hosts: persist_hostkeys:!builder
Expand All @@ -81,6 +82,8 @@
- ansible.builtin.import_role:
name: persist_hostkeys

=======
>>>>>>> 31751b79 (fix hostkeys in IPA not matching host when persisting keys)
- name: Install k9s
become: true
hosts: k9s
Expand Down
12 changes: 12 additions & 0 deletions ansible/iam.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,18 @@
tasks_from: addhost.yml
when: groups['freeipa_server'] | length > 0

- name: Persist hostkeys across rebuilds
# Must be:
# - after filesystems.yml (for storage)
# - before ipa (re)enrolment, which updates IPA record to match actual hostkey
# - before portal.yml (where OOD login node hostkeys are scanned)
hosts: persist_hostkeys:!builder
become: true
gather_facts: false
tasks:
- ansible.builtin.import_role:
name: persist_hostkeys

- hosts: freeipa_client
tags:
- freeipa
Expand Down
8 changes: 8 additions & 0 deletions ansible/roles/freeipa/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,8 +33,16 @@ Support FreeIPA in the appliance. In production use it is expected the FreeIPA s
- This is implemented when using the site OpenTofu; on the control node `appliances_state_dir` defaults to `/var/lib/state` which is mounted from a volume.
- Nodes are not re-enroled by a [Slurm-driven reimage](../../collections/ansible_collections/stackhpc/slurm_openstack_tools/roles/rebuild/README.md) (as that does not run this role).
- If both a backed-up keytab and `freeipa_host_password` exist, the former is used.
<<<<<<< HEAD

### Role Variables for Clients
=======
- When re-enroling, the host record in FreeIPA host record is updated with the
current hostkey. The `persist_hostkeys` role may be used if rebuilds/reimages
should not change keys.

## Role Variables for Clients
>>>>>>> 31751b79 (fix hostkeys in IPA not matching host when persisting keys)

- `freeipa_host_password`. Required for initial enrolment only, FreeIPA host password as described above.
- `freeipa_setup_dns`: Optional, whether to use the FreeIPA server as the client's nameserver. Defaults to `true` when `freeipa_server` contains a host, otherwise `false`.
Expand Down
Loading