diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml
index d7840fff6c..e39e7d6188 100644
--- a/ansible/roles/keystone/tasks/config.yml
+++ b/ansible/roles/keystone/tasks/config.yml
@@ -101,6 +101,8 @@
- { src: "crontab.j2", dest: "crontab" }
- { src: "fernet-rotate.sh.j2", dest: "fernet-rotate.sh" }
- { src: "fernet-node-sync.sh.j2", dest: "fernet-node-sync.sh" }
+ - { src: "id_rsa", dest: "id_rsa" }
+ - { src: "ssh_config.j2", dest: "ssh_config" }
when: keystone_token_provider == 'fernet'
- name: Copying files for keystone-ssh
@@ -109,7 +111,5 @@
dest: "{{ node_config_directory }}/keystone-ssh/{{ item.dest }}"
with_items:
- { src: "sshd_config.j2", dest: "sshd_config" }
- - { src: "id_rsa", dest: "id_rsa" }
- { src: "id_rsa.pub", dest: "id_rsa.pub" }
- - { src: "ssh_config.j2", dest: "ssh_config" }
when: keystone_token_provider == 'fernet'
diff --git a/ansible/roles/keystone/templates/crontab.j2 b/ansible/roles/keystone/templates/crontab.j2
index 967309793c..af16e114fd 100644
--- a/ansible/roles/keystone/templates/crontab.j2
+++ b/ansible/roles/keystone/templates/crontab.j2
@@ -1,3 +1,3 @@
{% for cron_job in cron_jobs %}
{{ cron_job['min'] }} {{ cron_job['hour'] }} * * {{ cron_job['day'] }} /usr/bin/fernet-rotate.sh
-{% endfor %}
\ No newline at end of file
+{% endfor %}
diff --git a/ansible/roles/keystone/templates/fernet-node-sync.sh.j2 b/ansible/roles/keystone/templates/fernet-node-sync.sh.j2
index ffbd7c7dde..a100f23771 100644
--- a/ansible/roles/keystone/templates/fernet-node-sync.sh.j2
+++ b/ansible/roles/keystone/templates/fernet-node-sync.sh.j2
@@ -11,6 +11,6 @@ fi
# For each host node sync tokens
{% for host in groups['keystone'] %}
{% if inventory_hostname != host %}
-/usr/bin/rsync -azu --delete -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }}' keystone@{{ host }}:/etc/keystone/fernet-keys/ /etc/keystone/fernet-keys
+/usr/bin/rsync -azu --delete -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }} -F /var/lib/keystone/.ssh/config' keystone@{{ host }}:/etc/keystone/fernet-keys/ /etc/keystone/fernet-keys
{% endif %}
-{% endfor %}
\ No newline at end of file
+{% endfor %}
diff --git a/ansible/roles/keystone/templates/fernet-rotate.sh.j2 b/ansible/roles/keystone/templates/fernet-rotate.sh.j2
index e79b8909d3..28c5b6f670 100644
--- a/ansible/roles/keystone/templates/fernet-rotate.sh.j2
+++ b/ansible/roles/keystone/templates/fernet-rotate.sh.j2
@@ -4,6 +4,6 @@ keystone-manage --config-file /etc/keystone/keystone.conf fernet_rotate --keysto
{% for host in groups['keystone'] %}
{% if inventory_hostname != host %}
-/usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }}' --delete /etc/keystone/fernet-keys/ keystone@{{ host }}:/etc/keystone/fernet-keys
+/usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ keystone_ssh_port }} -F /var/lib/keystone/.ssh/config' --delete /etc/keystone/fernet-keys/ keystone@{{ host }}:/etc/keystone/fernet-keys
{% endif %}
-{% endfor %}
\ No newline at end of file
+{% endfor %}
diff --git a/ansible/roles/keystone/templates/id_rsa b/ansible/roles/keystone/templates/id_rsa
index bdce5093eb..3e27166162 100644
--- a/ansible/roles/keystone/templates/id_rsa
+++ b/ansible/roles/keystone/templates/id_rsa
@@ -1 +1 @@
-{{ keystone_ssh_key.private_key }}
\ No newline at end of file
+{{ keystone_ssh_key.private_key }}
diff --git a/ansible/roles/keystone/templates/id_rsa.pub b/ansible/roles/keystone/templates/id_rsa.pub
index 907b0e7e7b..529f98ab89 100644
--- a/ansible/roles/keystone/templates/id_rsa.pub
+++ b/ansible/roles/keystone/templates/id_rsa.pub
@@ -1 +1 @@
-{{ keystone_ssh_key.public_key }}
\ No newline at end of file
+{{ keystone_ssh_key.public_key }}
diff --git a/ansible/roles/keystone/templates/keystone-fernet.json.j2 b/ansible/roles/keystone/templates/keystone-fernet.json.j2
index b74f01715e..9078977b5e 100644
--- a/ansible/roles/keystone/templates/keystone-fernet.json.j2
+++ b/ansible/roles/keystone/templates/keystone-fernet.json.j2
@@ -24,6 +24,18 @@
"dest": "/usr/bin/fernet-node-sync.sh",
"owner": "root",
"perm": "0755"
+ },
+ {
+ "source": "{{ container_config_directory }}/ssh_config",
+ "dest": "/var/lib/keystone/.ssh/config",
+ "owner": "keystone",
+ "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/id_rsa",
+ "dest": "/var/lib/keystone/.ssh/id_rsa",
+ "owner": "keystone",
+ "perm": "0600"
}
]
}
diff --git a/ansible/roles/keystone/templates/keystone-ssh.json.j2 b/ansible/roles/keystone/templates/keystone-ssh.json.j2
index c38fd6d626..c13e0eda60 100644
--- a/ansible/roles/keystone/templates/keystone-ssh.json.j2
+++ b/ansible/roles/keystone/templates/keystone-ssh.json.j2
@@ -7,18 +7,6 @@
"owner": "root",
"perm": "0644"
},
- {
- "source": "{{ container_config_directory }}/ssh_config",
- "dest": "/var/lib/keystone/.ssh/config",
- "owner": "keystone",
- "perm": "0600"
- },
- {
- "source": "{{ container_config_directory }}/id_rsa",
- "dest": "/var/lib/keystone/.ssh/id_rsa",
- "owner": "keystone",
- "perm": "0600"
- },
{
"source": "{{ container_config_directory }}/id_rsa.pub",
"dest": "/var/lib/keystone/.ssh/authorized_keys",
@@ -26,4 +14,4 @@
"perm": "0600"
}
]
-}
\ No newline at end of file
+}
diff --git a/ansible/roles/keystone/templates/ssh_config.j2 b/ansible/roles/keystone/templates/ssh_config.j2
index f30dee26d0..4a177f6552 100644
--- a/ansible/roles/keystone/templates/ssh_config.j2
+++ b/ansible/roles/keystone/templates/ssh_config.j2
@@ -1,4 +1,4 @@
-Host {% for host in groups['keystone'] %}{% if inventory_hostname != host %}{{ host }} {% endif %}{% endfor %}
+Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
- Port {{ keystone_ssh_port }}
\ No newline at end of file
+ Port {{ keystone_ssh_port }}
diff --git a/ansible/roles/keystone/templates/sshd_config.j2 b/ansible/roles/keystone/templates/sshd_config.j2
index 8ccb340625..8b66f42c7d 100644
--- a/ansible/roles/keystone/templates/sshd_config.j2
+++ b/ansible/roles/keystone/templates/sshd_config.j2
@@ -2,4 +2,4 @@ Port {{ keystone_ssh_port }}
ListenAddress {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
SyslogFacility AUTHPRIV
-UsePAM yes
\ No newline at end of file
+UsePAM yes
diff --git a/docker/keystone/keystone-base/Dockerfile.j2 b/docker/keystone/keystone-base/Dockerfile.j2
index bd583e8033..fe4c5cf1d7 100644
--- a/docker/keystone/keystone-base/Dockerfile.j2
+++ b/docker/keystone/keystone-base/Dockerfile.j2
@@ -61,13 +61,13 @@ RUN echo > /etc/apache2/ports.conf
{% block keystone_source_install %}
ADD keystone-base-archive /keystone-base-source
RUN ln -s keystone-base-source/* keystone \
- && useradd --user-group keystone \
+ && useradd --user-group --create-home --home-dir /var/lib/keystone keystone \
&& /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /keystone \
- && mkdir -p /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
+ && mkdir -p /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 \
&& cp -r /keystone/etc/* /etc/keystone/ \
&& cp /var/lib/kolla/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
&& cp /var/lib/kolla/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/main \
- && chown -R keystone: /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone
+ && chown -R keystone: /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2
{% endblock %}
{% endif %}
diff --git a/docker/keystone/keystone-fernet/Dockerfile.j2 b/docker/keystone/keystone-fernet/Dockerfile.j2
index bda73bcf38..8c058e2055 100644
--- a/docker/keystone/keystone-fernet/Dockerfile.j2
+++ b/docker/keystone/keystone-fernet/Dockerfile.j2
@@ -8,11 +8,13 @@ MAINTAINER {{ maintainer }}
{% if base_distro in ['fedora', 'centos', 'oraclelinux', 'rhel'] %}
{% set keystone_fernet_packages = [
'cronie',
+ 'openssh-clients',
'rsync'
] %}
{% elif base_distro in ['ubuntu', 'debian'] %}
{% set keystone_fernet_packages = [
'cron',
+ 'openssh-client',
'rsync'
] %}
{% endif %}
diff --git a/docker/keystone/keystone-ssh/Dockerfile.j2 b/docker/keystone/keystone-ssh/Dockerfile.j2
index cf3e90851e..92fa412551 100644
--- a/docker/keystone/keystone-ssh/Dockerfile.j2
+++ b/docker/keystone/keystone-ssh/Dockerfile.j2
@@ -6,9 +6,15 @@ MAINTAINER {{ maintainer }}
{% import "macros.j2" as macros with context %}
{% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %}
- {% set keystone_ssh_packages = ['openssh-server'] %}
+ {% set keystone_ssh_packages = [
+ 'openssh-server',
+ 'rsync'
+ ] %}
{% elif base_distro in ['ubuntu', 'debian'] %}
- {% set keystone_ssh_packages = ['openssh-server'] %}
+ {% set keystone_ssh_packages = [
+ 'openssh-server',
+ 'rsync'
+ ] %}
RUN mkdir -p /var/run/sshd \
&& chmod 0755 /var/run/sshd