[openstack-dev] [TripleO] os-cloud-config ssh access to cloud

Imre Farkas ifarkas at redhat.com
Fri Mar 7 13:50:08 UTC 2014


On 03/07/2014 10:30 AM, Jiří Stránský wrote:
> Hi,
>
> there's one step in cloud initialization that is performed over SSH --
> calling "keystone-manage pki_setup". Here's the relevant code in
> keystone-init [1], here's a review for moving the functionality to
> os-cloud-config [2].
>
> The consequence of this is that Tuskar will need passwordless ssh key to
> access overcloud controller. I consider this suboptimal for two reasons:
>
> * It creates another security concern.
>
> * AFAIK nova is only capable of injecting one public SSH key into
> authorized_keys on the deployed machine, which means we can either give
> it Tuskar's public key and allow Tuskar to initialize overcloud, or we
> can give it admin's custom public key and allow admin to ssh into
> overcloud, but not both. (Please correct me if I'm mistaken.) We could
> probably work around this issue by having Tuskar do the user key
> injection as part of os-cloud-config, but it's a bit clumsy.
>
>
> This goes outside the scope of my current knowledge, I'm hoping someone
> knows the answer: Could pki_setup be run by combining powers of Heat and
> os-config-refresh? (I presume there's some reason why we're not doing
> this already.) I think it would help us a good bit if we could avoid
> having to SSH from Tuskar to overcloud.

Yeah, it came up a couple of times on the list. The current solution is 
because if you have an HA setup, the nodes can't decide on their own 
which one should run pki_setup.
Robert described this topic and why it needs to be initialized 
externally during a weekly meeting in last December. Check the topic 
'After heat stack-create init operations (lsmola)': 
http://eavesdrop.openstack.org/meetings/tripleo/2013/tripleo.2013-12-17-19.02.log.html

Imre
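One practical answer to the "another security concern" point above is to not give the controller an unrestricted Tuskar key at all, but an authorized_keys entry pinned to the single command it must run. The snippet below is an added example, not os-cloud-config code; it builds such an entry for `keystone-manage pki_setup` and checks an existing entry for the same restrictions. The key, host and comment values are constructed.

```python
"""Build and check restricted authorized_keys entries for an automation key.

Added illustration for the thread above: the passwordless Tuskar key is
limited with OpenSSH authorized_keys options to a forced command
(keystone-manage pki_setup) and a source host, so it cannot open a shell,
forward ports, or run anything else on the overcloud controller.
"""

FORCED_COMMAND = "keystone-manage pki_setup"
# Options that disable everything except the forced command.
HARDENING_OPTIONS = ("no-pty", "no-port-forwarding",
                     "no-agent-forwarding", "no-X11-forwarding")
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")


def restricted_entry(pubkey_line, from_host):
    """Return an authorized_keys line allowing only FORCED_COMMAND from from_host."""
    parts = pubkey_line.split()
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
        raise ValueError("expected '<keytype> <base64-key> [comment]'")
    options = [f'command="{FORCED_COMMAND}"', f'from="{from_host}"']
    options.extend(HARDENING_OPTIONS)
    return ",".join(options) + " " + " ".join(parts[:3])


def parse_options(entry):
    """Return {option: value} for the leading options field ('' for bare flags)."""
    if not entry.split() or entry.split()[0].startswith(KEY_TYPES):
        return {}                     # no options field: an unrestricted key
    opts, buf, quoted = [], "", False
    for ch in entry:                  # split on commas outside double quotes,
        if ch == '"':                 # stop at the first unquoted whitespace
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(buf)
            buf = ""
            continue
        elif ch.isspace() and not quoted:
            break
        buf += ch
    opts.append(buf)
    result = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        result[name] = value.strip('"')
    return result


def is_restricted(entry):
    """True only if the entry forces pki_setup and carries every hardening flag."""
    opts = parse_options(entry)
    return (opts.get("command") == FORCED_COMMAND
            and all(flag in opts for flag in HARDENING_OPTIONS))
```

Whether a key entry on a deployed controller looks like this can be checked with `is_restricted` against each line of its authorized_keys.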
