Updating undercloud user’s ssh key
To update the ssh key for the user on the undercloud, a few steps must be followed to ensure you do not lock yourself out of the overcloud nodes. When the undercloud is installed, an ssh key is created and added to Nova running on the undercloud for provisioning the overcloud nodes. This key is uploaded into Nova as the default keypair. To view the keypair, run:
source stackrc
openstack keypair list
Process to rotate ssh key
The process to rotate the user key is as follows:
Generate a new key without replacing the existing key. For example:
ssh-keygen -t rsa -N '' -f ~/new_ssh_key
Copy the new ssh key to all existing hosts for the heat-admin user:
for HOST in $(openstack server list -f value -c Networks | sed -e 's/ctlplane=//'); do
    ssh-copy-id -i ~/new_ssh_key heat-admin@$HOST
done
Update the Undercloud’s Nova default keypair:
openstack keypair delete default
openstack keypair create --public-key ~/new_ssh_key.pub default
Back up the old key and replace it with the new key:
mkdir ~/.ssh/old_keys
mv ~/.ssh/id_rsa ~/.ssh/old_keys/id_rsa.backup-$(date +'%Y-%m-%d')
mv ~/.ssh/id_rsa.pub ~/.ssh/old_keys/id_rsa.pub.backup-$(date +'%Y-%m-%d')
mv ~/new_ssh_key ~/.ssh/id_rsa
mv ~/new_ssh_key.pub ~/.ssh/id_rsa.pub
Remove the old key from the allowed hosts on the nodes.
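One way to carry out this last step without locking yourself out, as an added example that is not part of the original documentation: it removes the old key from an authorized_keys file only after confirming that the new key is already present there. The function names, argument order and return codes are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Function names, argument
# order and return codes are assumptions made for illustration.

# Print the base64 key blob (second field) of a one-line .pub file.
key_blob() {
    awk 'NF >= 2 { print $2; exit }' "$1"
}

# has_blob FILE BLOB
# Succeed if any whitespace-separated field of any line equals BLOB.
# Field matching also covers entries that carry leading options.
has_blob() {
    awk -v b="$2" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                   END { exit f ? 0 : 1 }' "$1"
}

# remove_old_key AUTH_FILE OLD_PUB NEW_PUB
# Returns 0 on success, 1 on bad input, 2 if removal would lock you out.
remove_old_key() {
    auth=$1
    old=$(key_blob "$2") || return 1
    new=$(key_blob "$3") || return 1
    [ -n "$old" ] && [ -n "$new" ] || return 1
    [ "$old" != "$new" ] || return 2        # same key: nothing to rotate
    has_blob "$auth" "$new" || return 2     # new key not deployed yet
    # Write the filtered copy next to the original, then swap it in.
    tmp=$(mktemp "${auth}.XXXXXX") || return 1
    # Keep every line that does not contain the old key blob as a field.
    awk -v b="$old" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' \
        "$auth" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    mv "$tmp" "$auth"
}
```

On each node this would be run against the heat-admin user's ~/.ssh/authorized_keys, with copies of the backed-up old public key and the new public key as the second and third arguments.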