[nova-api] Inject public key without create key pair in nova ?

Pureewat Kaewpoi pureewat.k at bangmod.co.th
Mon Aug 21 17:04:12 UTC 2023


Hi

This method still needs to create / import a public key in nova and use key_name when creating the instance.
But in my use case I want to inject public-keys when creating the instance, then use cloudbase-init to set the account password, and then retrieve the password via Horizon Dashboard.

BTW running a script via user-data is a good idea! Thanks for the advice.

Thank you,
PUREEWAT
________________________________
From: smooney at redhat.com <smooney at redhat.com>
Sent: Monday, August 21, 2023 8:05 PM
To: Pureewat Kaewpoi <pureewat.k at bangmod.co.th>; Jeremy Stanley <fungi at yuggoth.org>; openstack-discuss at lists.openstack.org <openstack-discuss at lists.openstack.org>
Subject: Re: [nova-api] Inject public key without create key pair in nova ?

Caution:This email send from outside the company. DO NOT click links, open attachments or forward unless you recognize the sender and know the content is safe.

On Mon, 2023-08-21 at 12:41 +0000, Pureewat Kaewpoi wrote:
> Hi
>
> I forgot to give crucial information. I want to use this with a Windows instance that needs to use cloudbase-init.
>
> As I read this code
> https://github.com/cloudbase/cloudbase-init/blob/master/cloudbaseinit/metadata/services/baseopenstackservice.py#L76
> It looks like cloudbase-init does not support using a public key via user-data.
> It only reads it from the 'public-keys' key in meta-data.json
>
> Maybe I have to patch something to make this work?
oh well, for windows instances, when you import a key you can import a non-ssh key by setting the key type.
https://docs.openstack.org/api-ref/compute/?expanded=import-or-create-keypair-detail#import-or-create-keypair
simply set the type to x509
i.e. instead of
{
    "keypair": {
        "name": "keypair-d20a3d59-9433-4b79-8726-20b431d89c78",
        "type": "ssh",
        "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDx8nkQv/zgGgB4rMYmIf+6A4l6Rr+o/6lHBQdW5aYd44bd8JttDCE/F/pNRr0lRE+PiqSPO8nDPHw0010JeMH9gYgnnFlyY3/OcJ02RhIPyyxYpv9FhY+2YiUkpwFOcLImyrxEsYXpD/0d3ac30bNH6Sw9JD9UZHYcpSxsIbECHw== Generated-by-Nova",
        "user_id": "fake"
    }
}

{
    "keypair": {
        "name": "keypair-d20a3d59-9433-4b79-8726-20b431d89c78",
        "type": "x509",
        "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDx8nkQv/zgGgB4rMYmIf+6A4l6Rr+o/6lHBQdW5aYd44bd8JttDCE/F/pNRr0lRE+PiqSPO8nDPHw0010JeMH9gYgnnFlyY3/OcJ02RhIPyyxYpv9FhY+2YiUkpwFOcLImyrxEsYXpD/0d3ac30bNH6Sw9JD9UZHYcpSxsIbECHw== Generated-by-Nova",
        "user_id": "fake"
    }
}

x509 certs are what windows uses for winrm or powershell remote exec (i think winrm is using that under the hood).
That should enable cloudbase-init to find the keypair and import it

when we said use user_data we were actually suggesting embedding the key in the userdata and writing a script
(in bash/powershell) in the user data to install the key where it is required. this would not require cloudbase-init
to support it since you are just using cloudbase-init to execute the script.


>
> Thank you,
> Pureewat
>
> ________________________________
> From: Jeremy Stanley <fungi at yuggoth.org>
> Sent: Monday, August 21, 2023 7:19 PM
> To: openstack-discuss at lists.openstack.org <openstack-discuss at lists.openstack.org>
> Subject: Re: [nova-api] Inject public key without create key pair in nova ?
>
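The user-data approach discussed in this thread, as an added example that is not code from any of the posters, Nova or cloudbase-init: it builds a server-create body with no key_name and carries the public key inside a PowerShell script that cloudbase-init executes. The helper names and the dest_path parameter are assumptions; the key is validated and quoted before it is embedded so that key text cannot alter the script.

```python
import base64
import re

# OpenSSH public key line: type, base64 blob, optional comment (no quotes/newlines).
_SSH_KEY = re.compile(r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) "
                      r"[A-Za-z0-9+/]+={0,2}( [\w@.\-]+)?$")
MAX_USER_DATA = 65535  # Nova limit on the Base64-encoded user_data field


def ps_quote(value: str) -> str:
    """Quote a string as a PowerShell single-quoted literal ('' escapes ')."""
    return "'" + value.replace("'", "''") + "'"


def build_user_data(public_key: str, dest_path: str) -> str:
    """Return Base64 user_data holding a PowerShell script that appends the key."""
    key = public_key.strip()
    if not _SSH_KEY.fullmatch(key):
        raise ValueError("not a single-line OpenSSH public key")
    script = "\n".join([
        "#ps1_sysnative",  # cloudbase-init header: run as native PowerShell
        "$ErrorActionPreference = 'Stop'",
        f"$key = {ps_quote(key)}",
        f"$dest = {ps_quote(dest_path)}",  # dest_path is chosen by the caller (assumption)
        "New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null",
        "Add-Content -Path $dest -Value $key -Encoding ascii",
    ]) + "\n"
    encoded = base64.b64encode(script.encode("utf-8")).decode("ascii")
    if len(encoded) > MAX_USER_DATA:
        raise ValueError("user_data exceeds Nova's 65535-byte limit")
    return encoded


def build_server_request(name, image_ref, flavor_ref, public_key, dest_path):
    """Body for POST /servers with no key_name: the key travels in user_data."""
    # Add "networks" and other fields as the deployment requires.
    return {"server": {"name": name, "imageRef": image_ref,
                       "flavorRef": flavor_ref,
                       "user_data": build_user_data(public_key, dest_path)}}
```

Anything placed in user_data can be read back from the metadata service by processes on the instance, so only public material belongs there.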
