Root SSH keys configuration
Ansible is designed to help system administrators drive greater efficiency in the datacenter by being able to configure and operate many servers using orchestration playbooks. In order for Ansible to be able to fulfill its duties, it needs an SSH connection to the Linux systems it is managing. Furthermore, in order to have a greater degree of freedom and flexibility, a hands-off approach using SSH public/private key pairs is required.
As the installation of OpenStack is expected to run as root, this stage expects the deployment host's root public key to be propagated across all servers.
Getting ready
Ensure that you are root on the deployment host. In most cases, this is the first infrastructure controller node, which for the purposes of this book we have named infra01. We will be assuming that all Ansible commands will be run from this host, and that it expects to be able to connect to the rest of the servers on this network over the host network via SSH.
How to do it…
In order to allow a hands-free, orchestrated OpenStack-Ansible deployment, follow these steps to create and propagate the root SSH public key of infra01 across all servers required for the installation:
1. As root, execute the following command to create an SSH key pair:
ssh-keygen -t rsa -f ~/.ssh/id_rsa -N ""
The output should look similar to this:
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:q0mdqJI3TTFaiLrMaPABBboTsyr3pRnCaylLU5WEDCw root@infra01
The key's randomart image is:
+---[RSA 2048]----+
|ooo .. |
|E..o. . |
|=. . + |
|.=. o + |
|+o . o oS |
|+oo . .o |
|B=++.o+ + |
|*=B+oB.o |
|o+.o=.o |
+----[SHA256]-----+
This has created two files in /root/.ssh, called id_rsa and id_rsa.pub. The file id_rsa is the private key, and must not be copied across the network. It is not required to be anywhere other than on this server. The file id_rsa.pub is the public key and can be shared to other servers on the network.
2. If you have other nodes (for example, named infra02), use the following to copy this key to that node in your environment:
ssh-copy-id root@infra02
Tip: Ensure that you can resolve infra02 and the other servers, else amend the preceding command to use its host IP address instead.
3. Now repeat step 2 for all servers on your network.
4. Important: finally, ensure that you execute the following command so that infra01 is able to SSH to itself:
ssh-copy-id root@infra01
5. Test that you can ssh, as the root user, from infra01 to other servers on your network. You should be presented with a Terminal ready to accept commands if successful, without being prompted for a passphrase. Consult /var/log/auth.log on the remote server if this behavior is incorrect.
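The final test step can be run against every server at once. The script below is an added example, not from the book: it checks the private key's file mode, that infra01's own public key is in its authorized_keys, and that each host named on the command line accepts a key-only root login. The KEY variable and the function names are assumptions, and name resolution is checked with glibc's getent.

```shell
#!/bin/sh
# Added example (not from the book). Usage: sh verify_keys.sh infra01 infra02 ...
# Assumption: the key pair lives at the path used in step 1.
KEY="${KEY:-$HOME/.ssh/id_rsa}"

# 0 if the private key is accessible by its owner only (0600 or 0400).
key_perms_ok() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the key blob of a .pub file appears in an authorized_keys file.
# Matches on the base64 blob, so key options or a different comment do not matter.
key_installed() {
    blob=$(awk 'NR == 1 { print $2 }' "$1")
    [ -n "$blob" ] || return 1
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 } END { exit !f }' "$2"
}

# 0 if root can log in with the key alone. BatchMode=yes makes ssh fail
# instead of falling back to a password prompt, which would hide a missing key.
passwordless_ok() {
    ssh -i "$KEY" -o BatchMode=yes -o ConnectTimeout=5 "root@$1" true 2>/dev/null
}

# Check every host given (name or IP); returns the number of hosts that failed.
check_hosts() {
    failed=0
    for h in "$@"; do
        if ! getent ahosts "$h" >/dev/null; then
            echo "$h: name does not resolve"; failed=$((failed + 1))
        elif passwordless_ok "$h"; then
            echo "$h: ok"
        else
            echo "$h: key login failed, see /var/log/auth.log on $h"; failed=$((failed + 1))
        fi
    done
    return "$failed"
}

if [ "$#" -gt 0 ]; then
    key_perms_ok "$KEY" || echo "warning: $KEY should be mode 0600"
    key_installed "$KEY.pub" "$HOME/.ssh/authorized_keys" ||
        echo "warning: infra01's own key is missing from its authorized_keys"
    check_hosts "$@"
fi
```

The exit status is the number of hosts that failed, so a zero status means every listed server accepted the key.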
How it works…
We first generated a key pair file for use by SSH. The -t option specified the rsa key type, -f specified the output file of the private key, where the public portion will get .pub appended to its name, and -N "" specified that no passphrase is to be used on this key. Consult your own security standards if the presented options differ from your company's requirements.