[nova-api] Inject public key without create key pair in nova ?
Hi OpenStack Community,
We have some requirements that need to create instances via the API. However, nova-api accepts only the key_name of a key pair created earlier. Can we create an instance by passing only public key data, without creating a key pair in nova?
Thank you.
Hi,
would cloud-init [1] be an option here to add the key via user-data during instance creation?
Regards,
Eugen
[1] https://cloudinit.readthedocs.io/en/latest/reference/examples.html#configure...
Quoting Pureewat Kaewpoi <pureewat.k@bangmod.co.th>:
> Hi OpenStack Community
> We have some requirements that need to create instances via the API. However, nova-api accepts only the key_name of a key pair created earlier. Can we create an instance by passing only public key data, without creating a key pair in nova?
> Thank you.
On Mon, 2023-08-21 at 10:11 +0000, Pureewat Kaewpoi wrote:
> Hi OpenStack Community
> We have some requirements that need to create instances via the API. However, nova-api accepts only the key_name of a key pair created earlier. Can we create an instance by passing only public key data, without creating a key pair in nova?
You have 2 options. Either you can upload only the public key to the nova api; it does not need to create the private and public key, you can just import an existing public key. Your second option is to not use the api to inject the public key and instead use user_data. Effectively you could embed the public key in the cloud-init userdata and install it yourself via user_data and cloud-init.
> Thank you.
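The second option from the reply above (carrying the public key in cloud-init user_data, with no key_name in the request), as an added example that is not part of the original thread or of Nova's code. The function names, the constructed sample key and the IMAGE_UUID / FLAVOR_ID placeholders are assumptions made for illustration.

```python
import base64
import json
import struct

MAX_USER_DATA = 65535  # Nova restricts user_data to 65535 bytes (checked on the encoded form)


def constructed_sample_key():
    """Constructed, non-functional ed25519 key line (32 zero bytes), for the demo only."""
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo@example"


def check_public_key(line):
    """Return the line if it is a well-formed one-line OpenSSH public key, else raise."""
    # user_data is readable from inside the guest via the metadata service,
    # so only public material may go in: refuse anything that looks private.
    if "PRIVATE KEY" in line or any(ord(c) < 32 for c in line):
        raise ValueError("not a single-line public key")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    # The blob begins with a length-prefixed copy of the key type name.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else -1
    if n < 0 or blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return line


def build_server_request(name, image_ref, flavor_ref, public_key):
    """Body for POST /servers: key travels in user_data, no Nova keypair is referenced."""
    key = check_public_key(public_key.strip())
    # json.dumps yields a double-quoted scalar, which is also valid YAML,
    # so a hostile key comment cannot break out of the list item.
    cloud_config = "#cloud-config\nssh_authorized_keys:\n  - " + json.dumps(key) + "\n"
    encoded = base64.b64encode(cloud_config.encode()).decode()
    if len(encoded) > MAX_USER_DATA:
        raise ValueError("user_data too large")
    return {"server": {"name": name, "imageRef": image_ref,
                       "flavorRef": flavor_ref, "user_data": encoded}}


if __name__ == "__main__":
    body = build_server_request("demo", "IMAGE_UUID", "FLAVOR_ID", constructed_sample_key())
    print(json.dumps(body, indent=2))
```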
On 2023-08-21 12:59:37 +0100 (+0100), smooney@redhat.com wrote:
[...]
> you have 2 options.
[...]
More than that I'm sure. Another option which comes to mind, since we do it for the community CI/CD system: if you're building and uploading your own images, you can simply bake the authorized public keys straight into the filesystem.
--
Jeremy Stanley
Hi,
I forgot to give crucial information. I want to use this with a Windows instance that needs to use cloudbase-init.
As I read this code https://github.com/cloudbase/cloudbase-init/blob/master/cloudbaseinit/metada... it looks like cloudbase-init does not support using a public key via user-data. It only reads it from the 'public-keys' key in meta-data.json.
Maybe I have to patch something to make this work?
Thank you,
Pureewat
On Mon, 2023-08-21 at 12:41 +0000, Pureewat Kaewpoi wrote:
> Hi
> I forgot to give crucial information. I want to use this with a Windows instance that needs to use cloudbase-init.
> As I read this code https://github.com/cloudbase/cloudbase-init/blob/master/cloudbaseinit/metada... it looks like cloudbase-init does not support using a public key via user-data. It only reads it from the 'public-keys' key in meta-data.json.
> Maybe I have to patch something to make this work?
Oh well, for Windows instances, when you import a key you can import a non-ssh key by setting the keytype.
https://docs.openstack.org/api-ref/compute/?expanded=import-or-create-keypai...
Simply set the type to x509, i.e. instead of
    {
        "keypair": {
            "name": "keypair-d20a3d59-9433-4b79-8726-20b431d89c78",
            "type": "ssh",
            "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDx8nkQv/zgGgB4rMYmIf+6A4l6Rr+o/6lHBQdW5aYd44bd8JttDCE/F/pNRr0lRE+PiqSPO8nDPHw0010JeMH9gYgn nFlyY3/OcJ02RhIPyyxYpv9FhY+2YiUkpwFOcLImyrxEsYXpD/0d3ac30bNH6Sw9JD9UZHYcpSxsIbECHw== Generated-by-Nova",
            "user_id": "fake"
        }
    }

    {
        "keypair": {
            "name": "keypair-d20a3d59-9433-4b79-8726-20b431d89c78",
            "type": "x509",
            "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDx8nkQv/zgGgB4rMYmIf+6A4l6Rr+o/6lHBQdW5aYd44bd8JttDCE/F/pNRr0lRE+PiqSPO8nDPHw0010JeMH9gYgn nFlyY3/OcJ02RhIPyyxYpv9FhY+2YiUkpwFOcLImyrxEsYXpD/0d3ac30bNH6Sw9JD9UZHYcpSxsIbECHw== Generated-by-Nova",
            "user_id": "fake"
        }
    }
x509 certs are what Windows uses for winrm or powershell remote exec (I think winrm is using that under the hood). That should enable cloudbase-init to find the keypair and import it.
When we said use user_data, we were actually suggesting embedding the key in the userdata and writing a script (in bash/powershell) in the user data to install the key where it is required. This would not require cloudbase-init to support it, since you are just using cloudbase-init to execute the script.
> Thank you, Pureewat
Hi,
This method still needs to create / import a public key in nova and use key_name when creating the instance. But in my use case I want to inject public-keys when creating the instance, then use cloudbase-init to set the account password and then retrieve the password via the Horizon Dashboard.
BTW, running a script via user-data is a good idea! Thanks for the advice.
Thank you,
PUREEWAT
participants (4)
- Eugen Block
- Jeremy Stanley
- Pureewat Kaewpoi
- smooney@redhat.com