Hi! Please consider the following interdiff:
diff --git a/man/gnt-cluster.rst b/man/gnt-cluster.rst index 416afda..f84fef8 100644 --- a/man/gnt-cluster.rst +++ b/man/gnt-cluster.rst @@ -890,7 +890,8 @@ The option ``--new-ssh-keys`` renews all SSH keys of all nodes and updates the ``authorized_keys`` files of all nodes to contain only the (new) public keys of all master candidates. To avoid having to confirm the fingerprint of each node use the -``--no-ssh-key-check`` option. +``--no-ssh-key-check`` option. Be aware of that this includes a +security risk as you omit verifying the machines' identities. Finally ``--new-cluster-domain-secret`` generates a new, random cluster domain secret, and ``--cluster-domain-secret`` reads the Cheers, Helga On Thu, 23 Jul 2015 at 12:02 Klaus Aehlig <[email protected]> wrote: > On Thu, Jul 23, 2015 at 09:56:01AM +0200, 'Helga Velroyen' via > ganeti-devel wrote: > > The option was implemented a while ago, but was missing > > in the man page of gnt-cluster renew-crypto so far. > > > > Signed-off-by: Helga Velroyen <[email protected]> > > --- > > man/gnt-cluster.rst | 6 ++++-- > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > diff --git a/man/gnt-cluster.rst b/man/gnt-cluster.rst > > index dec446a..416afda 100644 > > --- a/man/gnt-cluster.rst > > +++ b/man/gnt-cluster.rst > > @@ -855,7 +855,7 @@ RENEW-CRYPTO > > | [\--new-rapi-certificate] [\--rapi-certificate *rapi-cert*] > > | [\--new-spice-certificate | \--spice-certificate *spice-cert* > > | \--spice-ca-certificate *spice-ca-cert*] > > -| [\--new-ssh-keys] > > +| [\--new-ssh-keys] [\--no-ssh-key-check] > > | [\--new-cluster-domain-secret] [\--cluster-domain-secret *filename*] > > > > This command will stop all Ganeti daemons in the cluster and start 
> > @@ -888,7 +888,9 @@ signing CA certificate to ``--spice-ca-certificate``. > > > > The option ``--new-ssh-keys`` renews all SSH keys of all nodes > > and updates the ``authorized_keys`` files of all nodes to contain > > -only the (new) public keys of all master candidates. > > +only the (new) public keys of all master candidates. To avoid having > > +to confirm the fingerprint of each node use the > > +``--no-ssh-key-check`` option. > > Maybe add a word of the security implications of not verifying ssh > host keys? After all, this is a security related... > > -- > Klaus Aehlig > Google Germany GmbH, Dienerstr. 12, 80331 Muenchen > Registration court and number: Hamburg, HRB 86891 > Registered office: Hamburg > Managing directors: Graham Law, Christine Elizabeth Flores > -- Helga Velroyen Software Engineer [email protected] Google Germany GmbH Dienerstraße 12 80331 München Managing directors: Graham Law, Christine Elizabeth Flores Registration court and number: Hamburg, HRB 86891 Registered office: Hamburg
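Review bot: In the interdiff hunk (@@ -890,7 +890,8 @@), the added sentence "Be aware of that this includes a security risk as you omit verifying the machines' identities." is ungrammatical and leaves the risk abstract. Suggest wording along the lines of "Be aware that this is a security risk, because the SSH host keys of the nodes are then not verified.", so the reader sees that it is the fingerprint confirmation from the previous sentence that is being skipped.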
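Review bot: In the synopsis hunk of the quoted patch (@@ -855,7 +855,7 @@), `[\--new-ssh-keys] [\--no-ssh-key-check]` presents the two as independent options, while the description hunk introduces ``--no-ssh-key-check`` only as a companion to ``--new-ssh-keys``. If the option has no effect on its own, nest it as `[\--new-ssh-keys [\--no-ssh-key-check]]`; otherwise state in the description what it does when given without ``--new-ssh-keys``.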
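Review bot: In the description hunk of the quoted patch (@@ -888,7 +888,9 @@), "the fingerprint of each node" does not say which fingerprint is meant, nor that confirming it is the default behaviour when the option is absent. Suggest "the SSH host key fingerprint of each node", a comma before "use", and a short statement of the default so the option reads as an opt-out of a check, not only as a convenience.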
