Re: How does OpenShift use ssh root access

Thanks for your response.  This really helps.

I’ve tracked oo-admin-move to mcollective_application_container_proxy.rb.  Is the move command initiated from the broker?  I’m guessing that the broker is telling one node to copy the gear to another node.  Is that right?

   `eval \`ssh-agent\`; ssh-add #{rsync_keyfile}; ssh -o StrictHostKeyChecking=no -A root #{source_container get_ip_address} "rsync -aAX -e 'ssh -o StrictHostKeyChecking=no' /var/lib/openshift/#{gear.uuid}/ root #{destination_container get_ip_address}:/var/lib/openshift/#{gear.uuid}/"; exit_code=$?; ssh-agent -k; exit $exit_code`

I’m wondering if the rsync command being executed could be refactored so that the root ssh authorized_keys file could limit the ability to execute commands to only oo-rsync-node-to-node or similar.

What are your thoughts?

Brandon Richins
Software Engineer, Web Operations

Office: 801.442.5523 | Cell: 801.200.2738

From: Dan McPherson <dmcphers redhat com>
Date: Friday, September 12, 2014 at 2:11 PM
To: "dev lists openshift redhat com" <dev lists openshift redhat com>
Subject: Re: How does OpenShift use ssh root access

It's only used for oo-admin-move to move gears from one node to another via rsync.

On 12/09/14 15:58, Brandon Richins wrote:
I'm trying to track down more information on how OpenShift Origin uses the root ssh key that is setup as part of 9.2 in the comprehensive install guide (http://openshift.github.io/documentation/oo_deployment_guide_comprehensive.html#configure-ssh-key-authentication).  From my brief exposure to OpenShift remote root ssh access seems to be used by brokers to execute commands on nodes.  Traditionally I block root from using SSH by setting "PermitRootLogin no” in /etc/ssh/sshd_config.

Could anyone elaborate on how root SSH is used and if I can limit it to only certain commands?


Brandon Richins

