How to wrap ssh calls from nova-compute?

asked 2014-09-18 04:58:01 -0600

Daniel P

updated 2014-09-18 04:58:54 -0600

Hi,

I have a wrapper script for ssh that I need nova-compute to call when performing live migration.

The reason for this is that when attempting live migration, I'm seeing this error:

Command: ssh <computeHost> mkdir -p /var/lib/nova/instances/7c8cf258-02e7-4fa2-85b0-a3ec26b0ddd6
Exit code: 255
Stdout: ''
Stderr: 'Permission denied (gssapi-keyex,gssapi-with-mic).'

This error is expected since we use Kerberos for authentication; our security policy doesn't allow ssh via keys.

So I've written a simple wrapper script for ssh that first runs kinit to grab the relevant TGT, then passes the original ssh parameters to the system ssh binary.

The question now is how best to redirect nova-compute's ssh calls to my ssh wrapper script?

I've looked through the config reference but don't see any specific ssh path parameters, nor do I see anything that allows me to prepend to PATH for nova-compute.

What is the best way to do this? Can I do this from within OpenStack, or do I need something configured externally?

If it's any help, I'm on Ubuntu Trusty.

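A wrapper of the kind described in the question could look like the following. This is an added example, not the poster's script: it assumes kinit authenticates non-interactively from a keytab, and the keytab path, principal, credential cache location and wrapper name `ssh-krb` are all hypothetical.

```shell
#!/bin/sh
# Added example: ssh wrapper that obtains a Kerberos TGT before calling the real ssh.
# Every path, the principal and the wrapper name are assumptions, not from the post.
KEYTAB="${KEYTAB:-/etc/nova/nova.keytab}"
PRINCIPAL="${PRINCIPAL:-nova/compute.example.org@EXAMPLE.ORG}"
REAL_SSH="${REAL_SSH:-/usr/bin/ssh}"
KLIST="${KLIST:-klist}"
KINIT="${KINIT:-kinit}"
# Dedicated credential cache so the wrapper never touches another user's cache.
export KRB5CCNAME="${KRB5CCNAME:-FILE:/var/lib/nova/krb5cc_ssh}"

# Succeeds only if the keytab is a regular file with no group/other permission bits.
keytab_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -???------*) return 0 ;;
    esac
    return 1
}

# Reuse a valid ticket if one is cached; otherwise get one from the keytab.
ensure_ticket() {
    "$KLIST" -s 2>/dev/null && return 0
    keytab_is_private "$KEYTAB" || {
        echo "ssh-krb: keytab missing or readable by group/other: $KEYTAB" >&2
        return 1
    }
    "$KINIT" -k -t "$KEYTAB" "$PRINCIPAL"
}

# Fail closed: ssh is never run without a ticket. "$@" keeps the caller's
# arguments intact, including ones with spaces.
krb_ssh() {
    ensure_ticket || return 1
    "$REAL_SSH" "$@"
}

# Run only when installed under the wrapper name, so the file can also be sourced.
case "${0##*/}" in
    ssh-krb) krb_ssh "$@"; exit $? ;;
esac
```

The keytab permission check matters because anyone who can read the keytab can obtain tickets as that principal.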