CLOUDSTACK-5822: keep user-added sshkeys in authorized_keys #1044
|
Makes sense and looks good. @ustcweizhou I assume you have tested this in production already, no? |
|
Makes sense and looks good, but I am surprised you are still using these scripts instead of cloud-init. |
|
Looks good, sane commit. I agree with @NuxRo that cloud-init is imho the way forward. We probably want to ditch these legacy scripts at some point. |
|
How did you test it? Ping @remibergsma @DaanHoogland @ustcweizhou @karuturi @borisroman @Runseb @wido @NuxRo @bhaisaab @miguelaferreira I think we should stick to a LGTM being given only if tests have been done and steps, on how to test, have been made clear. Cheers, |
|
On a second thought - and something worth pondering on - this could have some security implications. Imagine you have a private cloud, a developer/employee leaves and you want to remove his key from the instances because "security". People used to the old behaviour might think they're safe when they are in fact not. Now, multi-key support, that'd be terrific. :-) |
|
@NuxRo valid point, but isn't this unexpected behavior instead of expected? The key was not added by the UI (or API) but will be removed by it. If we need this, a separate API, resetAllSshKeysInVm, should be made. An angry employee having keys on a vm (out of band) is a real and present danger, indeed. |
|
Good point as well with the "unexpected". I definitely see where Wei is coming from, but I think it could be misleading. Perhaps a better way to do this is to mark the ACS key and only reset that one. i.e. Am I overcomplicating this? I might be, especially as these scripts are being slowly phased out. |
|
@NuxRo @ustcweizhou is using "cloudstack@apache.org$" for this. |
|
Ah, right, checking the code is important. :-D |
|
regression tests executed: |
|
LGTM |
CLOUDSTACK-5822: keep user-added sshkeys in authorized_keys

For now, if we add the ssh key inside the vm (not on cloudstack UI), the sshkey will be removed if we reset the sshkey on cloudstack UI.
After this commit, the sshkey (added by cloudstack) will end with cloudstack@apache.org.
We will only control the sshkeys with cloudstack@apache.org.
This will be used for multiple sshkey support for vm in the future.

* pr/1044:
  CLOUDSTACK-5822: keep user-added sshkeys in authorized_keys

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
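
The behaviour discussed in this thread, as an added example that is not code from the pull request: a reset that touches only the key ending in the `cloudstack@apache.org` marker, plus a listing of the keys such a reset leaves in place, which is what an operator needs to review when revoking someone's access. The function names are hypothetical and the key material is constructed sample data.

```shell
#!/bin/sh
# Added example. Only the marker comes from the page; all names are hypothetical.
MARKER='cloudstack@apache.org'
MARKER_RE=' cloudstack@apache\.org$'   # end-of-line match, dots escaped

# Replace only the marker-tagged key in an authorized_keys file.
# $1 = authorized_keys path, $2 = new public key ("type base64", no comment)
reset_managed_key() {
    file=$1
    newkey=$2
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # Keep every line that does not end with the marker (user-added keys).
    # grep exits 1 when nothing is kept, which is not an error here.
    grep -v "$MARKER_RE" "$file" > "$tmp" || true
    printf '%s %s\n' "$newkey" "$MARKER" >> "$tmp"
    # Write to a temp file and rename so a failed run never truncates the file.
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# Print the keys a reset will NOT remove (blank lines and comments skipped).
list_unmanaged_keys() {
    grep -v -e '^[[:space:]]*$' -e '^#' -e "$MARKER_RE" "$1" || true
}

# Constructed sample: one managed key and one key added inside the VM.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
ssh-rsa AAAAB3NzaOLDMANAGEDKEY cloudstack@apache.org
ssh-ed25519 AAAAC3NzaUSERADDEDKEY alice@laptop
EOF
    echo "$f"
}

sample=$(make_sample)
reset_managed_key "$sample" 'ssh-rsa AAAAB3NzaNEWMANAGEDKEY'
echo "Keys that survive a reset:"
list_unmanaged_keys "$sample"
rm -f "$sample"
```

Anything `list_unmanaged_keys` prints still grants login after a reset, so revoking a departed user's access means removing those lines separately.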