F #2152: Add OpenNebula SSH agent support (#4597)

Signed-off-by: Petr Ospalý <pospaly@opennebula.io> Co-authored-by: Petr Ospalý <pospaly@opennebula.io>
2025-03-16 22:50:10 +03:00 · 2020-04-23 19:37:27 +02:00 · 2020-04-23 19:37:27 +02:00 · 1e0b6d2aa9
commit 1e0b6d2aa9
parent 72ce344399
5 changed files with 42 additions and 3 deletions
--- a/share/oneprovision/ansible/roles/opennebula-ssh/defaults/main.yml
+++ b/share/oneprovision/ansible/roles/opennebula-ssh/defaults/main.yml
@ -11,3 +11,6 @@ opennebula_ssh_sshd_permitrootlogin: 'without-password'

 # Deploy local oneadmin's SSH key to remote host
 opennebula_ssh_deploy_local: True
+
+# Deploy local oneadmin's SSH private key to remote host
+opennebula_ssh_deploy_private_key: False
--- a/share/oneprovision/ansible/roles/opennebula-ssh/tasks/deploy_local.yml
+++ b/share/oneprovision/ansible/roles/opennebula-ssh/tasks/deploy_local.yml
@ -26,6 +26,16 @@
    group: 9869
    mode: "{{ item.mode }}"
  with_items:
-    - { name: 'id_rsa',      mode: '0600' }
    - { name: 'id_rsa.pub',  mode: '0644' }
    - { name: 'known_hosts', mode: '0644' }
+
+- name: Copy local private SSH keys
+  copy:
+    src: /var/lib/one/.ssh/{{ item.name }}
+    dest: /var/lib/one/.ssh/{{ item.name }}
+    owner: 9869
+    group: 9869
+    mode: "{{ item.mode }}"
+  with_items:
+    - { name: 'id_rsa',      mode: '0600' }
+  when: opennebula_ssh_deploy_private_key == True
--- a/share/pkgs/services/systemd/opennebula-ssh-agent.service
+++ b/share/pkgs/services/systemd/opennebula-ssh-agent.service
@ -0,0 +1,23 @@
+[Unit]
+Description=OpenNebula SSH agent
+
+[Service]
+Type=forking
+Group=oneadmin
+User=oneadmin
+Environment=SSH_AUTH_SOCK=/run/one/ssh-agent.sock
+# ssh-agent is executed via shell wrapper to workaround a SELinux issue
+ExecStartPre=/bin/sh -c "echo SSH_AUTH_SOCK=$SSH_AUTH_SOCK > /run/one/ssh-agent.env"
+ExecStart=/bin/sh -c "exec /usr/bin/ssh-agent -a $SSH_AUTH_SOCK"
+ExecStartPost=/bin/sh -c "/usr/bin/ssh-add"
+ExecStopPost=/usr/bin/rm -f /run/one/ssh-agent.env
+ExecReload=/bin/sh -c "/usr/bin/ssh-add -D && /usr/bin/ssh-add"
+Restart=on-failure
+# NOTE: ssh-agent returns "2" as the exit code on SIGTERM or on termination via:
+#   SSH_AGENT_PID=??? ssh-agent -k
+# without this following directive the "systemctl stop" would fail and cleanup
+# (ExecStopPost) would not be triggered...
+SuccessExitStatus=2
+
+[Install]
+WantedBy=default.target
--- a/share/pkgs/services/systemd/opennebula.service
+++ b/share/pkgs/services/systemd/opennebula.service
@ -2,12 +2,15 @@
 Description=OpenNebula Cloud Controller Daemon
 After=syslog.target network.target remote-fs.target
 After=mariadb.service mysql.service
+After=opennebula-ssh-agent.service
 Wants=opennebula-scheduler.service opennebula-hem.service
+Wants=opennebula-ssh-agent.service

 [Service]
 Type=notify
 Group=oneadmin
 User=oneadmin
+EnvironmentFile=-/run/one/ssh-agent.env
 ExecStartPre=-/usr/sbin/logrotate -f /etc/logrotate.d/opennebula -s /var/lib/one/.logrotate.status
 ExecStart=/usr/bin/oned -f
 ExecStopPost=/usr/share/one/follower_cleanup
--- a/src/mad/sh/scripts_common.sh
+++ b/src/mad/sh/scripts_common.sh
@ -45,9 +45,9 @@ RBD=${RBD:-rbd}
 READLINK=${READLINK:-readlink}
 RM=${RM:-rm}
 CP=${CP:-cp}
-SCP=${SCP:-scp}
+SCP=${SCP:-scp -o ForwardAgent=yes}
 SED=${SED:-sed}
-SSH=${SSH:-ssh}
+SSH=${SSH:-ssh -o ForwardAgent=yes}
 SUDO=${SUDO:-sudo -n}
 SYNC=${SYNC:-sync}
 TAR=${TAR:-tar}