On Fri, 13 Nov 2015 at 11:18 'Hrvoje Ribicic' via ganeti-devel < [email protected]> wrote:
> And also sprinkle reminders of when to update them across the codebase. > > Signed-off-by: Hrvoje Ribicic <[email protected]> > --- > lib/ssh.py | 1 + > man/gnt-cluster.rst | 19 +++++++++++++++++++ > src/Ganeti/Constants.hs | 1 + > 3 files changed, 21 insertions(+) > > diff --git a/lib/ssh.py b/lib/ssh.py > index 7b27214..a8fe86d 100644 > --- a/lib/ssh.py > +++ b/lib/ssh.py > @@ -1100,6 +1100,7 @@ def ReadRemoteSshPubKeys(pub_key_file, node, > cluster_name, port, ask_key, > return result.stdout > > > +# Update gnt-cluster.rst when changing which combinations are valid. > KeyBitInfo = namedtuple('KeyBitInfo', ['default', 'validation_fn']) > SSH_KEY_VALID_BITS = { > constants.SSHK_DSA: KeyBitInfo(1024, lambda b: b == 1024), > diff --git a/man/gnt-cluster.rst b/man/gnt-cluster.rst > index 7b0e135..e9c47f3 100644 > --- a/man/gnt-cluster.rst > +++ b/man/gnt-cluster.rst > @@ -206,6 +206,8 @@ INIT > | [\--zeroing-image *image*] > | [\--compression-tools [*tool*, [*tool*]]] > | [\--user-shutdown {yes \| no}] > +| [\--ssh-key-type *type*] > +| [\--ssh-key-bits *bits*] > | {*clustername*} > > This commands is only run once initially on the first node of the > @@ -632,6 +634,18 @@ of testing whether the executable exists. These > requirements are > compatible with the gzip command line options, allowing many tools to > be easily wrapped and used. > > +The ``--ssh-key-type`` and ``--ssh-key-bits`` options determine the > +properties of the SSH keys Ganeti generates and uses to execute > +commands on nodes. The supported types are currently 'dsa', 'rsa', and > +'ecdsa'. The supported bit sizes vary across keys, reflecting the > +options **ssh-keygen**\(1) exposes. These are currently: > + > +- dsa: 1024 bits > +- rsa: >=768 bits > +- ecdsa: 256, 384, or 521 bits > + > +Ganeti defaults to using 2048-bit RSA keys. > + > MASTER-FAILOVER > ~~~~~~~~~~~~~~~ 
> > @@ -857,6 +871,7 @@ RENEW-CRYPTO > | \--spice-ca-certificate *spice-ca-cert*] > | [\--new-ssh-keys] [\--no-ssh-key-check] > | [\--new-cluster-domain-secret] [\--cluster-domain-secret *filename*] > +| [\--ssh-key-type *type*] | [\--ssh-key-bits *bits*] > > This command will stop all Ganeti daemons in the cluster and start > them again once the new certificates and keys are replicated. The > @@ -898,6 +913,10 @@ cluster domain secret, and > ``--cluster-domain-secret`` reads the > secret from a file. The cluster domain secret is used to sign > information exchanged between separate clusters via a third party. > > +The options ``--ssh-key-type`` and ``ssh-key-bits`` determine the > +properties of the disk types used. They are described in more detail > +in the ``init`` option description. > + > REPAIR-DISK-SIZES > ~~~~~~~~~~~~~~~~~ > > diff --git a/src/Ganeti/Constants.hs b/src/Ganeti/Constants.hs > index c9ca540..08a4f21 100644 > --- a/src/Ganeti/Constants.hs > +++ b/src/Ganeti/Constants.hs > @@ -4703,6 +4703,7 @@ sshakAll :: FrozenSet String > sshakAll = ConstantUtils.mkSet [sshakDss, sshakRsa] > > -- * SSH key default values > +-- Document the change in gnt-cluster.rst when changing these > > sshDefaultKeyType :: String > sshDefaultKeyType = sshkRsa > -- > 2.6.0.rc2.230.g3dd15c0 >

LGTM, thanks

-- Helga Velroyen, Software Engineer, [email protected], Google Germany GmbH
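Review bot: in the lib/ssh.py hunk the reminder comment is placed above the `KeyBitInfo` namedtuple rather than on `SSH_KEY_VALID_BITS`, which is the table that actually encodes the valid type/size combinations; move it directly above `SSH_KEY_VALID_BITS = {` or name that constant in the comment, so that someone editing only the dictionary entries further down still sees it.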
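Review bot: in the INIT description hunk of man/gnt-cluster.rst, the list presents `dsa: 1024 bits` and `rsa: >=768 bits` as supported sizes without qualification, so a reader could take the documented minimum as an acceptable choice; suggest stating that the 2048-bit RSA default is the recommended setting and that the smaller sizes, and DSA (which OpenSSH 7.0 disabled by default), are accepted only for compatibility with existing clusters.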
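Review bot: in the RENEW-CRYPTO synopsis hunk, `+| [\--ssh-key-type *type*] | [\--ssh-key-bits *bits*]` puts both options on one line-block line with a literal `|` between them, which the INIT synopsis does not do and which will render as a stray pipe; split it into two lines, `| [\--ssh-key-type *type*]` and `| [\--ssh-key-bits *bits*]`, matching the INIT hunk.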
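Review bot: the new paragraph in the RENEW-CRYPTO description hunk has three errors: ``ssh-key-bits`` is missing its ``--`` prefix, "determine the properties of the disk types used" should read "determine the properties of the SSH keys used" (the options have nothing to do with disks), and ``init`` is a command rather than an option, so "in the ``init`` option description" should be "in the description of the ``init`` command". Since this is the text users read when regenerating keys with ``--new-ssh-keys``, it is worth fixing before merge.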
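Review bot: in the src/Ganeti/Constants.hs hunk the reminder is added directly beneath the Haddock section heading `-- * SSH key default values` with no blank line, so Haddock may fold it into the heading's text; separate it with a blank line or attach it as a plain comment to `sshDefaultKeyType` itself, and consider mentioning `lib/ssh.py` as well, since the validation table there and these defaults must stay consistent.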
