
Re: How does OpenShift use ssh root access



OpenShift Online does limit authorized keys to a particular rsync subset.  Your suggestion is a little better.  My only concern is it would require everyone currently limiting to rsync to make a change.

----- Original Message -----
> Thanks for your response.  This really helps.
> 
> I’ve tracked oo-admin-move to mcollective_application_container_proxy.rb.  Is
> the move command initiated from the broker?  I’m guessing that the broker is
> telling one node to copy the gear to another node.  Is that right?
> 
>    `eval \`ssh-agent\`; ssh-add #{rsync_keyfile}; ssh -o
>    StrictHostKeyChecking=no -A root@#{source_container.get_ip_address}
>    "rsync -aAX -e 'ssh -o StrictHostKeyChecking=no'
>    /var/lib/openshift/#{gear.uuid}/
>    root@#{destination_container.get_ip_address}:/var/lib/openshift/#{gear.uuid}/";
>    exit_code=$?; ssh-agent -k; exit $exit_code`
> 
> I’m wondering if the rsync command being executed could be refactored so that
> the root ssh authorized_keys file could limit the ability to execute
> commands to only oo-rsync-node-to-node or similar.
> 
> What are your thoughts?
> 
> Brandon Richins
> Software Engineer, Web Operations
> Office: 801.442.5523 | Cell: 801.200.2738
> 
> 
> From: Dan McPherson <dmcphers redhat com>
> Date: Friday, September 12, 2014 at 2:11 PM
> To: "dev lists openshift redhat com" <dev lists openshift redhat com>
> Subject: Re: How does OpenShift use ssh root access
> 
> It's only used for oo-admin-move to move gears from one node to another via
> rsync.
> 
> 
> On 12/09/14 15:58, Brandon Richins wrote:
> I'm trying to track down more information on how OpenShift Origin uses the
> root ssh key that is set up as part of 9.2 in the comprehensive install guide
> (http://openshift.github.io/documentation/oo_deployment_guide_comprehensive.html#configure-ssh-key-authentication).
> From my brief exposure to OpenShift, remote root ssh access seems to be used
> by brokers to execute commands on nodes.  Traditionally I block root from
> using SSH by setting "PermitRootLogin no" in /etc/ssh/sshd_config.
> 
> Could anyone elaborate on how root SSH is used and if I can limit it to only
> certain commands?
> 
> Thanks,
> 
> Brandon Richins
> 
> 
> 
> 
> 
> 
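
The restriction discussed in this thread, sketched as an sshd forced-command wrapper that accepts only the gear rsync on either node. This is an added example, not part of the thread, not OpenShift code and not the rsync subset OpenShift Online uses; the wrapper name and path, the 24-32 hex character gear UUID format and the IPv4-only destination are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for root's key. The name gear-rsync-only and its
# install path are hypothetical. authorized_keys entry (key elided):
#   command="/usr/local/sbin/gear-rsync-only",no-pty,no-port-forwarding,no-X11-forwarding ssh-rsa ...
# Agent forwarding stays on because the move depends on `ssh -A`.
# sshd_config can then set: PermitRootLogin forced-commands-only

GEAR='/var/lib/openshift/[0-9a-f]{24,32}/'   # assumption: gear UUIDs are 24-32 hex chars
IPV4='[0-9]{1,3}(\.[0-9]{1,3}){3}'           # assumption: nodes are addressed by IPv4

# Prints "recv", "send <uuid> <ip>" or "deny" for a requested command string.
classify() {
  case $1 in *'
'*) echo deny; return 1 ;; esac   # grep matches line by line: refuse multi-line input
  # Destination node: the rsync receiver started by the source node's rsync.
  if printf '%s\n' "$1" | grep -Eq "^rsync --server -[A-Za-z.]+ \. $GEAR\$"; then
    echo recv; return 0
  fi
  # Source node: the exact command shape quoted from oo-admin-move in the thread.
  pat="^rsync -aAX -e 'ssh -o StrictHostKeyChecking=no' $GEAR root@$IPV4:$GEAR\$"
  if printf '%s\n' "$1" | grep -Eq "$pat"; then
    src=$(printf '%s\n' "$1" | sed -E "s#.*' /var/lib/openshift/([0-9a-f]+)/ root@.*#\1#")
    dst=$(printf '%s\n' "$1" | sed -E 's#.*:/var/lib/openshift/([0-9a-f]+)/$#\1#')
    ip=$(printf '%s\n' "$1" | sed -E 's#.* root@([0-9.]+):.*#\1#')
    # A gear may only be copied onto its own path on the other node.
    if [ "$src" = "$dst" ]; then echo "send $src $ip"; return 0; fi
  fi
  echo deny; return 1
}

# Dispatch only when installed under the wrapper's own name, so the function
# above can be loaded and tested without side effects.
if [ "${0##*/}" = gear-rsync-only ]; then
  verdict=$(classify "${SSH_ORIGINAL_COMMAND:-}") || {
    logger -t gear-rsync-only "denied: ${SSH_ORIGINAL_COMMAND:-}"; exit 1; }
  set -- $verdict
  case $1 in
    recv) exec $SSH_ORIGINAL_COMMAND ;;  # validated: no quotes, globs or metacharacters
    send) exec rsync -aAX -e 'ssh -o StrictHostKeyChecking=no' \
               "/var/lib/openshift/$2/" "root@$3:/var/lib/openshift/$2/" ;;
  esac
fi
```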

