Live migrations fail on CIS hardened environments
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Nova Compute Charm | New | Undecided | Unassigned | |
Bug Description
On CIS hardened environments, root login is disabled in /etc/ssh/
PermitRootLogin no
which makes live migrations fail regardless of whether VMs are on shared storage or not.
The error is:
```
2023-10-17 08:34:42.602 3904 ERROR nova.virt.
root@10.10.10.23: Permission denied (publickey).: Connection reset by peer: libvirt.
2023-10-17 08:34:42.815 3904 WARNING nova.compute.
2023-10-17 08:34:43.014 3904 ERROR nova.virt.
2023-10-17 08:34:43.034 3904 ERROR nova.compute.
```
Charm should override that setting by adding a config to /etc/ssh/
with something like
```
PermitRootLogin yes
Allowusers root@<libvirt-
```
description: | updated |
tags: | added: cis-hardening |
> Charm should override that setting by adding a config to /etc/ssh/sshd_config.d
>
> with something like
>
> ```
> PermitRootLogin yes
> Allowusers root@<libvirt-migration-network-ip>
> ```
It will be overwritten by another run of CIS hardening scripts though. Root login for live-migration is a long-standing issue in Charmed OpenStack.
https://bugs.launchpad.net/charm-nova-compute/+bug/1375109
I haven't looked into what kind of changes are potentially made in the upstream, but I do really hope there is a way in the upstream to avoid the root login by now...
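
Whether a drop-in override takes effect, and whether a later hardening run undoes it, depends on which `PermitRootLogin` line sshd reads first. The following is an added example (not from the bug report or the charm) that models this, assuming a main config that includes `/etc/ssh/sshd_config.d/*.conf` at the top as stock Ubuntu does; the drop-in file names and the re-run scenario are constructed for illustration.

```python
import fnmatch

def effective_value(keyword, files, main="/etc/ssh/sshd_config"):
    """Return (value, file) for a global sshd keyword, or None if unset.

    Simplified model (assumption of this example): the first value read
    wins, Include expands its glob in lexical order where it appears, and
    parsing of a file stops at the first Match line (conditional blocks
    are not evaluated).
    """
    def walk(name, seen):
        if name in seen:
            return None
        seen.add(name)
        for raw in files[name].splitlines():
            parts = raw.split("#", 1)[0].split(None, 1)
            if not parts:
                continue
            key = parts[0].lower()
            arg = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":
                break
            if key == "include":
                for inc in sorted(n for n in files if fnmatch.fnmatch(n, arg)):
                    hit = walk(inc, seen)
                    if hit:
                        return hit
            elif key == keyword.lower():
                return arg, name
        return None
    return walk(main, set())

# Constructed sample files; the drop-in names are hypothetical.
MAIN = "/etc/ssh/sshd_config"
DROPIN_DIR = "/etc/ssh/sshd_config.d/"
hardened = {MAIN: "Include /etc/ssh/sshd_config.d/*.conf\nPermitRootLogin no\n"}
with_override = dict(hardened)
with_override[DROPIN_DIR + "50-live-migration.conf"] = "PermitRootLogin yes\n"
after_rerun = dict(with_override)
after_rerun[DROPIN_DIR + "10-hardening.conf"] = "PermitRootLogin no\n"

if __name__ == "__main__":
    for label, files in [("hardened", hardened),
                         ("with override", with_override),
                         ("after hardening re-run", after_rerun)]:
        print(label, "->", effective_value("PermitRootLogin", files))
```

On a real host, `sshd -T` prints the effective configuration directly, which is the authoritative check.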