This procedure sets up passwordless SSH from management nodes to other management nodes and from management nodes to managed nodes such as compute nodes running Cray Operating System (COS) software and User Access Nodes (UANs). This procedure does not configure passwordless SSH from managed nodes to management nodes.
This procedure should be run during CSM installation and any later time when the SSH keys need to be changed per site requirements.
An SSH key pair is automatically created and maintained by a Kubernetes deployment provided by Cray
System Management (CSM). The public and private keys are store in a Kubernetes ConfigMap
(csm-public-key) and a Kubernetes secret (csm-private-key) in the services namespace,
respectively. Administrators can use these provided keys, provide their own keys, or use their own
solution for authentication.
The CSM product provides two Ansible roles which configure nodes with this SSH keypair. The
passwordless-ssh role puts the public and private key files in the SSH configuration directory.
The passwordless-ssh role is only used on management nodes, ensuring that passwordless SSH is only
configured from management nodes to other nodes. The trust-csm-ssh-keys Ansible role adds the CSM
public key to the authorized_keys file, which allows passwordless SSH with the CSM private key.
The trust-csm-ssh-keys role is used on management nodes and on managed nodes, ensuring that
passwordless SSH works to either of these node types.
NOTECFS itself does not use the CSM-provided (or user-supplied) SSH keys to make connections between nodes. CFS will continue to function if passwordless SSH is disabled between as described in Option 3: Disable CSM-provided passwordless SSH
There are four options to choose from to set up passwordless SSH. Choose only one of the following options:
The installation of CSM automatically provides an SSH keypair in a Kubernetes ConfigMap and secret, and the default CSM Ansible plays enable passwordless SSH. No further action is necessary to accept this CSM default.
(ncn-mw#) Administrators may elect to replace the CSM-provided keys with their own custom
keys.
Set variables to the locations of the public and private SSH key files.
Replace the values in the examples below with the paths to the desired key files on the system.
PUBLIC_KEY_FILE=/path/to/id_rsa-csm.pub
PRIVATE_KEY_FILE=/path/to/id_rsa-csm
Provide the custom keys by script or manually.
There are two options for providing the keys.
Provide custom SSH keys by script.
The replace_ssh_keys.sh script can be used to replace the keys from files.
The
docs-csmRPM must be installed in order to use this script. See Check for Latest Documentation
/usr/share/doc/csm/scripts/operations/configuration/replace_ssh_keys.sh \
--public-key-file "${PUBLIC_KEY_FILE}" --private-key-file "${PRIVATE_KEY_FILE}"
Manually provide custom SSH keys.
The keys stored in Kubernetes can be updated directly.
Replace the private key half:
KEY64=$(cat "${PRIVATE_KEY_FILE}" | base64) &&
kubectl get secret -n services csm-private-key -o json | \
jq --arg value "$KEY64" '.data["value"]=$value' | kubectl apply -f - &&
unset KEY64
Replace the public key half:
kubectl delete configmap -n services csm-public-key &&
cat "${PUBLIC_KEY_FILE}" | base64 > ./value &&
kubectl create configmap --from-file value csm-public-key --namespace services &&
rm ./value
Passwordless SSH with the provided keys will be set up once node personalization runs on the management nodes.
NOTE: This keypair may be the same keypair used for therootuser on management nodes, but it is not required to be the same. Either option is valid.
Proceed to Apply configuration with CFS node personalization.
Local site security requirements may preclude use of passwordless SSH access between management nodes. A variable has been added to the associated Ansible roles that allows disabling of passwordless SSH setup to any or all nodes.
(ncn-mw#) From the cloned csm-config-management repository directory:
grep csm_passwordless_ssh_enabled roles/trust-csm-ssh-keys/defaults/main.yaml
Example output:
csm_passwordless_ssh_enabled: 'false'
This variable can be overwritten using either a host-specific setting or global to affect
all nodes where the playbook is run. See
Customize Configuration Values
for more detailed information. Do not modify the value in the roles/trust-csm-ssh-keys/defaults/main.yaml
file.
Published roles within product configuration repositories can contain more comprehensive
information regarding these role-specific flags. Reference any role-specific associated Readme.md
documents for additional information, because role documentation is updated more frequently as
changes are introduced.
Consult the manual for each product in order to change the default configuration by referring to the HPE Cray EX System Software Getting Started Guide S-8000 on the HPE Customer Support Center. Similar configuration values for disabling the role will be required in these product-specific configuration repositories.
Modifying Ansible plays in a configuration repository will require a new commit and subsequent update of the configuration layer associated with the product. For more information on configuration layers, see CFS Configurations.
Proceed to Apply configuration with CFS node personalization.
Use this procedure if switching from custom keys to the default CSM SSH keys only.
(ncn-mw#) In order to restore the default CSM keys, there are two options:
Restore by script.
The
docs-csmRPM must be installed in order to use this script. See Check for Latest Documentation
/usr/share/doc/csm/scripts/operations/configuration/restore_ssh_keys.sh
Restore manually.
The keys can be deleted from Kubernetes directly. The csm-ssh-keys Kubernetes deployment
provided by CSM periodically checks the ConfigMap and secret containing the key information.
If these entries do not exist, it will recreate them from the default CSM keys. Therefore, in
order to manually restore the keys, delete the associated ConfigMap and secret. The default CSM-provided
keys will be republished.
Delete the csm-private-key Kubernetes secret.
kubectl delete secret -n services csm-private-key
Delete the csm-public-key Kubernetes ConfigMap.
kubectl delete configmap -n services csm-public-key
Proceed to Apply configuration with CFS node personalization.
This step is only necessary if performing this procedure as an operational task. If performing this procedure as part of a CSM install, skip this step and return to Configure Administrative Access.
After the SSH keys have been set in the Kubernetes secret and ConfigMap, passwordless SSH will be configured on management nodes during node personalization. CFS automatically re-configures the management nodes via the CFS Batcher whenever the CFS configuration applied to the components changes, the nodes reboot, or the component state is cleared in CFS. See Automatic Configuration Management for more information about the CFS Batcher. Since the changes here are made in a Kubernetes secret and ConfigMap, the CFS Batcher will not automatically apply the new passwordless SSH configuration.
See the Re-run node personalization on management nodes procedure to re-run NCN node personalization on management nodes.