When you run updatenode -k, it runs the remoteshell script on the node.
This will update the ssh hostkeys on the node. Run it in verbose mode
and you will see. Updatenode first calls xdsh -K to setup the
root/.ssh keys, which is why it prompts for root password; so that we have
passwordless ssh setup to the node. Once this is done, it can call the
xdsh command below to run the remoteshell script. This is 2.8 but yours
will be similar.
updatenode compute-01 -k
manage-02: Internal call command: xdsh compute-01 --nodestatus -s -v
-e /install/postscripts/xcatdsklspost 5 -m x.xx.xx.xx 'remoteshell'
--tftp /tftpboot --installdir /install --nfsv4 no -c -F -V
The remoteshell script running on the node calls getcredentials.pm on the
Management Node (or Service node if hierarchical) to send it the private
hostkeys. These must be downloaded securely. If you notice
in /install/postscripts/hostkeys are the matching public hostkeys. These
do not need a secure transfer, so they are just copied from the directory,
since this directory is on the node. The keys
in /install/postscript/hostkeys are definitely used.
remoteshell must be in your postscripts list for this to happen, which is
why it is a default.
For install, process is similar, after the install, the postscripts will
be wget to the node into /xcatpost directory. The /xcatpost/mypostscript
file will be sent to the node and run. That file lists the postscripts
for the node, one of which is remoteshell. Again you are running
remoteshell on the node and the processing is as above.
Lissa K. Valletta
8-3/B10
Poughkeepsie, NY 12601
(tie 293) 433-3102
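
As an added example (not from this thread and not xCAT code): a check that the host keys a node presents after remoteshell has run match the public copies kept on the management node. It assumes the public copies are `*.pub` files in a directory such as /install/postscripts/hostkeys and that the node's keys were captured in `ssh-keyscan` output format; the function names and the sample key strings are constructed.

```shell
#!/bin/sh
# Added example, not part of xCAT. Compares host keys presented by a node
# (ssh-keyscan format: "host keytype base64") with the public host keys held
# on the management node (*.pub files: "keytype base64 [comment]").

# Print "keytype base64" for every *.pub file in directory $1.
mn_keys() {
    for f in "$1"/*.pub; do
        [ -f "$f" ] && awk 'NF >= 2 { print $1, $2 }' "$f"
    done
    return 0
}

# check_node_keys PUBDIR SCANFILE
# Prints one verdict per scanned key. Returns 0 only if at least one key was
# scanned and every scanned key equals a management-node copy.
check_node_keys() {
    pubdir=$1 scan=$2 seen=0 bad=0
    known=$(mn_keys "$pubdir")
    while read -r host ktype blob rest; do
        case $host in ''|'#'*) continue ;; esac   # skip blanks and comments
        seen=$((seen + 1))
        if printf '%s\n' "$known" | grep -Fqx -- "$ktype $blob"; then
            echo "MATCH $host $ktype"
        else
            echo "MISMATCH $host $ktype"
            bad=$((bad + 1))
        fi
    done < "$scan"
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample data: the base64 strings are placeholders, not real keys.
demo() {
    d=$(mktemp -d) || return 1
    echo "ssh-rsa AAAAB3NzaC1yc2EconstructedRSA root@mn" > "$d/ssh_host_rsa_key.pub"
    echo "ssh-dss AAAAB3NzaC1kc3MconstructedDSA root@mn" > "$d/ssh_host_dsa_key.pub"
    echo "compute-01 ssh-rsa AAAAB3NzaC1yc2EconstructedRSA" > "$d/good.scan"
    echo "compute-01 ssh-rsa AAAAB3NzaC1yc2EsomeOtherKey" > "$d/bad.scan"
    rc=0
    check_node_keys "$d" "$d/good.scan" || rc=1   # matching key must pass
    check_node_keys "$d" "$d/bad.scan"  && rc=1   # unknown key must be rejected
    rm -rf "$d"
    return "$rc"
}
```

On a management node the scan file would come from `ssh-keyscan compute-01`, and a MISMATCH after provisioning means the node is not presenting the keys the management node distributed.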
From: Xiao Peng Wang <[email protected]>
To: xCAT Users Mailing list <[email protected]>
Date: 10/09/2014 05:46 AM
Subject: Re: [xcat-user] How do provisioned nodes get their hostkeys?
See my comments inside the previous email.
Thanks
Best Regards
----------------------------------------------------------------------
Wang Xiaopeng (王晓朋)
IBM China System Technology Laboratory
Tel: 86-10-82453455
Email: [email protected]
Address: 28,ZhongGuanCun Software Park,No.8 Dong Bei Wang West Road,
Haidian District Beijing P.R.China 100193
"Russell Auld" <[email protected]> wrote on 2014/10/09 09:42:45:
> From: "Russell Auld" <[email protected]>
> To: <[email protected]>
> Date: 2014/10/09 09:42
> Subject: [xcat-user] How do provisioned nodes get their hostkeys?
>
> I’m trying to determine how the hostkeys end up on a provisioned
> node (stateful). It appears that the keys live in /etc/xcat/hostkeys.
> The man page for updatenode indicates that it can manage hostkeys
> for the nodes with the -k option.
> However, the “remoteshell” postscript also appears to manage hostkeys.
> It will use the getcredentials.awk script to pull hostkeys from the
> management node and install them in /etc/ssh.
> The Perl module /opt/xcat/lib/perl/xCAT_plugin/credentials.pm will
> handle the requests and respond by reading from /etc/xcat/hostkeys.
> The question is, when a node is provisioned, and assuming that
> ‘remoteshell’ is in the postscript list, which of these two scripts
> is used to set the hostkeys?
During deployment, the remoteshell will be used.
updatenode will rerun all the postscripts, so if remoteshell is in the
postscript attribute, it will be run too.
updatenode -k can be used to update the /root/.ssh/authorized_keys for
the target compute node. This is useful when remoteshell failed during
the os deployment.
> Do all the relevant host keys live in /etc/xcat/hostkeys?
Yes
> Additionally, it appears that there are copies of the public host
> keys in /xcat/postscripts/hostkeys (or /install/postscripts/
> hostkeys), however they don’t appear to be used by anything in xCAT
> (i.e. distributed to the provisioned nodes). Can someone confirm
> and/or comment on why they are in this place to begin with?
The ones in /install/postscripts/hostkeys are used by postscript sudoer.
I think you can just ignore it. They are just a copy.
> This is xCAT 2.7.5 on RHEL 6.4
> Thanks!
>
> _______________________________________________
> xCAT-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/xcat-user