diff --git a/doc/man/8/cephadm.rst b/doc/man/8/cephadm.rst
index 565de37798f..b1eb9648e11 100644
--- a/doc/man/8/cephadm.rst
+++ b/doc/man/8/cephadm.rst
@@ -61,7 +61,9 @@ Synopsis
 | [--initial-dashboard-user INITIAL_DASHBOARD_USER]
 | [--initial-dashboard-password INITIAL_DASHBOARD_PASSWORD]
 | [--dashboard-key DASHBOARD_KEY]
-| [--dashboard-crt DASHBOARD_CRT] [--skip-mon-network]
+| [--dashboard-crt DASHBOARD_CRT]
+| [--ssh-private-key SSH_PRIVATE_KEY]
+| [--ssh-public-key SSH_PUBLIC_KEY] [--skip-mon-network]
 | [--skip-dashboard] [--dashboard-password-noupdate]
 | [--no-minimize-config] [--skip-ping-check]
 | [--skip-pull] [--skip-firewalld] [--allow-overwrite]
@@ -198,6 +200,8 @@ Arguments:
 * [--initial-dashboard-password INITIAL_DASHBOARD_PASSWORD] Initial password for the initial dashboard user
 * [--dashboard-key DASHBOARD_KEY] Dashboard key
 * [--dashboard-crt DASHBOARD_CRT] Dashboard certificate
+* [--ssh-private-key SSH_PRIVATE_KEY] SSH private key
+* [--ssh-public-key SSH_PUBLIC_KEY] SSH public key
 * [--skip-mon-network] set mon public_network based on bootstrap mon ip
 * [--skip-dashboard] do not enable the Ceph Dashboard
 * [--dashboard-password-noupdate] stop forced dashboard password change
diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
index 43da104b136..3f998da77ed 100755
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@@ -2562,31 +2562,40 @@ def command_bootstrap():
 logger.info('Setting orchestrator backend to cephadm...')
 cli(['orch', 'set', 'backend', 'cephadm'])
 
- logger.info('Generating ssh key...')
- cli(['cephadm', 'generate-key'])
- ssh_pub = cli(['cephadm', 'get-pub-key'])
+ if args.ssh_private_key and args.ssh_public_key:
+ logger.info('Using provided ssh keys...')
+ mounts = {
+ pathify(args.ssh_private_key.name): '/tmp/cephadm-ssh-key:z',
+ pathify(args.ssh_public_key.name): '/tmp/cephadm-ssh-key.pub:z'
+ }
+ cli(['cephadm', 'set-priv-key', '-i', '/tmp/cephadm-ssh-key'], extra_mounts=mounts)
+ cli(['cephadm', 'set-pub-key', '-i', '/tmp/cephadm-ssh-key.pub'], extra_mounts=mounts)
+ else:
+ logger.info('Generating ssh key...')
+ cli(['cephadm', 'generate-key'])
+ ssh_pub = cli(['cephadm', 'get-pub-key'])
 
- with open(args.output_pub_ssh_key, 'w') as f:
- f.write(ssh_pub)
- logger.info('Wrote public SSH key to to %s' % args.output_pub_ssh_key)
+ with open(args.output_pub_ssh_key, 'w') as f:
+ f.write(ssh_pub)
+ logger.info('Wrote public SSH key to to %s' % args.output_pub_ssh_key)
 
- logger.info('Adding key to root@localhost\'s authorized_keys...')
- if not os.path.exists('/root/.ssh'):
- os.mkdir('/root/.ssh', 0o700)
- auth_keys_file = '/root/.ssh/authorized_keys'
- add_newline = False
- if os.path.exists(auth_keys_file):
- with open(auth_keys_file, 'r') as f:
- f.seek(0, os.SEEK_END)
- if f.tell() > 0:
- f.seek(f.tell()-1, os.SEEK_SET) # go to last char
- if f.read() != '\n':
- add_newline = True
- with open(auth_keys_file, 'a') as f:
- os.fchmod(f.fileno(), 0o600) # just in case we created it
- if add_newline:
- f.write('\n')
- f.write(ssh_pub.strip() + '\n')
+ logger.info('Adding key to root@localhost\'s authorized_keys...')
+ if not os.path.exists('/root/.ssh'):
+ os.mkdir('/root/.ssh', 0o700)
+ auth_keys_file = '/root/.ssh/authorized_keys'
+ add_newline = False
+ if os.path.exists(auth_keys_file):
+ with open(auth_keys_file, 'r') as f:
+ f.seek(0, os.SEEK_END)
+ if f.tell() > 0:
+ f.seek(f.tell()-1, os.SEEK_SET) # go to last char
+ if f.read() != '\n':
+ add_newline = True
+ with open(auth_keys_file, 'a') as f:
+ os.fchmod(f.fileno(), 0o600) # just in case we created it
+ if add_newline:
+ f.write('\n')
+ f.write(ssh_pub.strip() + '\n')
 
 host = get_hostname()
 logger.info('Adding host %s...' % host)
@@ -4464,6 +4473,15 @@ def _get_parser():
 '--dashboard-crt',
 help='Dashboard certificate')
 
+ parser_bootstrap.add_argument(
+ '--ssh-private-key',
+ type=argparse.FileType('r'),
+ help='SSH private key')
+ parser_bootstrap.add_argument(
+ '--ssh-public-key',
+ type=argparse.FileType('r'),
+ help='SSH public key')
+
 parser_bootstrap.add_argument(
 '--skip-mon-network',
 action='store_true',
diff --git a/src/pybind/mgr/cephadm/module.py b/src/pybind/mgr/cephadm/module.py
index 9db98b977b9..29a56a5a0f1 100644
--- a/src/pybind/mgr/cephadm/module.py
+++ b/src/pybind/mgr/cephadm/module.py
@@ -747,6 +747,28 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule):
 self._reconfig_ssh()
 return 0, '', ''
 
+ @orchestrator._cli_write_command(
+ 'cephadm set-priv-key',
+ desc='Set cluster SSH private key (use -i )')
+ def _set_priv_key(self, inbuf=None):
+ if inbuf is None or len(inbuf) == 0:
+ return -errno.EINVAL, "", "empty private ssh key provided"
+ self.set_store("ssh_identity_key", inbuf)
+ self.log.info('Set ssh private key')
+ self._reconfig_ssh()
+ return 0, "", ""
+
+ @orchestrator._cli_write_command(
+ 'cephadm set-pub-key',
+ desc='Set cluster SSH public key (use -i )')
+ def _set_pub_key(self, inbuf=None):
+ if inbuf is None or len(inbuf) == 0:
+ return -errno.EINVAL, "", "empty public ssh key provided"
+ self.set_store("ssh_identity_pub", inbuf)
+ self.log.info('Set ssh public key')
+ self._reconfig_ssh()
+ return 0, "", ""
+
 @orchestrator._cli_write_command(
 'cephadm clear-key',
 desc='Clear cluster SSH key')
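Review bot: In the new `if args.ssh_private_key and args.ssh_public_key:` branch the public key is neither written to `args.output_pub_ssh_key` nor appended to `/root/.ssh/authorized_keys`, so bootstrap now depends on the operator having already authorized that key for root on this host before the 'Adding host' step that follows, and nothing logs or documents that; either say so in the `'Using provided ssh keys...'` message or set `ssh_pub = args.ssh_public_key.read()` in that branch and dedent the authorized_keys block so it runs for both paths. The mounts carry the `:z` suffix on the operator's own key files; if `extra_mounts` is passed straight through as a bind-mount option (its handling is outside this hunk), that relabels the caller's private key file on the host, which copying the keys into a temporary directory and mounting that would avoid. Supplying only one of the two flags silently falls into the generate-key path. command_bootstrap continues outside the hunk.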
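Review bot: Nothing in the parser ties `--ssh-private-key` and `--ssh-public-key` together, although command_bootstrap only honours them as a pair and otherwise falls back to generating a key; the help strings should state the dependency, e.g. `help='SSH private key (must be given together with --ssh-public-key)'` and the mirror text for the public key, and a post-parse check that rejects one flag without the other would be better still. `argparse.FileType('r')` also opens both files at parse time and leaves the handles open for the rest of the run while the bootstrap code uses only `.name`, and since `-` maps to stdin, whose `.name` is `<stdin>`, passing `-` would not yield a mountable path. _get_parser continues outside the hunk.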
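Review bot: `_set_priv_key` calls `self._reconfig_ssh()` as soon as the private half is stored, so between `set-priv-key` and the following `set-pub-key` the orchestrator reconfigures with whatever public key is currently in the store, which no longer matches the new private key, and the reconfiguration then runs a second time; deferring `_reconfig_ssh()` until both halves are present, or documenting in the `desc` strings that set-priv-key must be followed by set-pub-key, avoids the mismatched window. Neither command validates `inbuf` beyond emptiness, so a wrong file (for instance a public key passed to set-priv-key) is accepted into the store and only surfaces as a failure later in `_reconfig_ssh`; a format check before `set_store` would give the operator an immediate error. The `desc` text `(use -i )` reads as if a placeholder after `-i` was dropped and should name the file argument. `if inbuf is None or len(inbuf) == 0:` can simply be `if not inbuf:`. The class continues outside the hunk.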