And also sprinkle reminders of when to update them across the codebase.
Signed-off-by: Hrvoje Ribicic <[email protected]>
---
lib/ssh.py | 1 +
man/gnt-cluster.rst | 19 +++++++++++++++++++
src/Ganeti/Constants.hs | 1 +
3 files changed, 21 insertions(+)
diff --git a/lib/ssh.py b/lib/ssh.py
index 7b27214..a8fe86d 100644
--- a/lib/ssh.py
+++ b/lib/ssh.py
@@ -1100,6 +1100,7 @@ def ReadRemoteSshPubKeys(pub_key_file, node,
cluster_name, port, ask_key,
return result.stdout
+# Update gnt-cluster.rst when changing which combinations are valid.
KeyBitInfo = namedtuple('KeyBitInfo', ['default', 'validation_fn'])
SSH_KEY_VALID_BITS = {
constants.SSHK_DSA: KeyBitInfo(1024, lambda b: b == 1024),
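Review bot: the new reminder comment above KeyBitInfo should name the documentation by path (man/gnt-cluster.rst) and also point at the default-value constants in src/Ganeti/Constants.hs, because a developer adding a type or changing a validation_fn in SSH_KEY_VALID_BITS has to keep all three in sync; as written, a grep for "Constants.hs" from this file finds nothing. The DSA entry in the context lines accepts only b == 1024, which is what the man page in this patch documents, so the comment could also say explicitly that the list in the man page must mirror the lambdas here, since the prose is the only place users see the rule.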
diff --git a/man/gnt-cluster.rst b/man/gnt-cluster.rst
index 7b0e135..e9c47f3 100644
--- a/man/gnt-cluster.rst
+++ b/man/gnt-cluster.rst
@@ -206,6 +206,8 @@ INIT
| [\--zeroing-image *image*]
| [\--compression-tools [*tool*, [*tool*]]]
| [\--user-shutdown {yes \| no}]
+| [\--ssh-key-type *type*]
+| [\--ssh-key-bits *bits*]
| {*clustername*}
This commands is only run once initially on the first node of the
@@ -632,6 +634,18 @@ of testing whether the executable exists. These
requirements are
compatible with the gzip command line options, allowing many tools to
be easily wrapped and used.
+The ``--ssh-key-type`` and ``--ssh-key-bits`` options determine the
+properties of the SSH keys Ganeti generates and uses to execute
+commands on nodes. The supported types are currently 'dsa', 'rsa', and
+'ecdsa'. The supported bit sizes vary across keys, reflecting the
+options **ssh-keygen**\(1) exposes. These are currently:
+
+- dsa: 1024 bits
+- rsa: >=768 bits
+- ecdsa: 256, 384, or 521 bits
+
+Ganeti defaults to using 2048-bit RSA keys.
+
MASTER-FAILOVER
~~~~~~~~~~~~~~~
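Review bot: the bit-size list documents "dsa: 1024 bits" and "rsa: >=768 bits" with no security caveat, which invites users to pick key sizes that are no longer considered safe; 1024-bit DSA is exactly the ssh-dss key type OpenSSH disables by default since 7.0, and current OpenSSH refuses to generate or accept RSA keys shorter than 1024 bits, so the 768 lower bound is likely unreachable with a modern **ssh-keygen**(1). Suggest adding a sentence after the list along the lines of "DSA keys and RSA keys shorter than 2048 bits are accepted for compatibility with existing clusters only and should not be chosen for new ones", and stating the minimum Ganeti actually enforces rather than the historical ssh-keygen one. Minor wording: "vary across keys" reads better as "vary by key type".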
@@ -857,6 +871,7 @@ RENEW-CRYPTO
| \--spice-ca-certificate *spice-ca-cert*]
| [\--new-ssh-keys] [\--no-ssh-key-check]
| [\--new-cluster-domain-secret] [\--cluster-domain-secret *filename*]
+| [\--ssh-key-type *type*] | [\--ssh-key-bits *bits*]
This command will stop all Ganeti daemons in the cluster and start
them again once the new certificates and keys are replicated. The
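Review bot: the added synopsis line `| [\--ssh-key-type *type*] | [\--ssh-key-bits *bits*]` has a stray `|` between the two options, which in this RST synopsis style marks the start of a line (see the surrounding `| [\--new-ssh-keys] [\--no-ssh-key-check]`), so it will render as a literal bar in the middle of the line. Drop the inner bar: `| [\--ssh-key-type *type*] [\--ssh-key-bits *bits*]`.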
@@ -898,6 +913,10 @@ cluster domain secret, and ``--cluster-domain-secret``
reads the
secret from a file. The cluster domain secret is used to sign
information exchanged between separate clusters via a third party.
+The options ``--ssh-key-type`` and ``ssh-key-bits`` determine the
+properties of the disk types used. They are described in more detail
+in the ``init`` option description.
+
REPAIR-DISK-SIZES
~~~~~~~~~~~~~~~~~
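Review bot: the new paragraph says the options "determine the properties of the disk types used", which is a copy-and-paste error; they determine the properties of the SSH keys Ganeti generates, as the ``init`` text in this same patch states. In the same sentence ``ssh-key-bits`` is missing its leading dashes and should read ``--ssh-key-bits`` to match the synopsis. Suggested text: "The options ``--ssh-key-type`` and ``--ssh-key-bits`` determine the type and size of the SSH keys generated, and are described in more detail under the ``init`` command." It would also help the reader to say whether these options have any effect without ``--new-ssh-keys``, since a type or size change that is silently ignored is a security surprise.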
diff --git a/src/Ganeti/Constants.hs b/src/Ganeti/Constants.hs
index c9ca540..08a4f21 100644
--- a/src/Ganeti/Constants.hs
+++ b/src/Ganeti/Constants.hs
@@ -4703,6 +4703,7 @@ sshakAll :: FrozenSet String
sshakAll = ConstantUtils.mkSet [sshakDss, sshakRsa]
-- * SSH key default values
+-- Document the change in gnt-cluster.rst when changing these
sshDefaultKeyType :: String
sshDefaultKeyType = sshkRsa
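Review bot: the reminder comment under "-- * SSH key default values" only points at gnt-cluster.rst, but the defaults here also have to satisfy SSH_KEY_VALID_BITS in lib/ssh.py (a default bit size outside that table would be rejected at key generation time), so the comment should name both places; the Python side of this patch has the same gap in the other direction. A possible consistency issue in the context lines: `sshakAll = ConstantUtils.mkSet [sshakDss, sshakRsa]` contains only dss and rsa, while the man page in this patch lists ecdsa as a supported key type; if that set is used anywhere to accept key algorithms, ecdsa keys would be refused, so please either extend it or confirm it is unrelated to ``--ssh-key-type``.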
--
2.6.0.rc2.230.g3dd15c0