search

OpenNebula / one-apps

Toolchain to build OpenNebula appliances
Apache License 2.0
12 stars 12 forks source link

CONTEXT->SSH_PUBLIC_KEY set via updateconf API call causes VM template vs authorized_keys discrepancy #21

Closed sk4zuzu closed 6 months ago

sk4zuzu commented 1 year ago

Description After setting the SSH_PUBLIC_KEY attribute with the updateconf API call (and successful recontextualization), the existing public keys (if present) are dropped from the template, but they remain in the authorized_keys file.

To Reproduce Assuming there is a VM running (ID=86) and it already has some keys defined inside the SSH_PUBLIC_KEY string, when such a pyone/python snippet is run:

vm = client.vm.info(86)

update = '''
CONTEXT = [
  SSH_PUBLIC_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2x6Z0kbP4CpmnZ+gls2CYxLCHJN1IceGwV1O3GupUTclEKmwsqhsQ0xBmnGd+vBb9V8RFumQBhopySR81yJIXcomAQKDf+tHG8H6kKRdDBzu4BfEcYiPE6h8qBqyzxttigcHak4+E+uOD3EFaLZa5YKvEepoO8SQ2OB1o20nMG9Mfe+lY8j8dS0PCb56zklUxGXir5DanWbon+/oYjJdE4qiZL+w2JXY9OQOw7/45AfQ1mOqXSnbV6DDTa/2h5rNSRkHPnwWWtwlBAX7+EXtRnR8Hbk1z9eJKj/AQAA2+BN3Z948VujO8Ocjlgo0E2B3sT7m6ygLzttaEgaGxiz7Z asd"
]
''')

client.vm.updateconf(vm.ID, update, 1)

vm = client.vm.info(vm.ID)
print(vm.TEMPLATE["CONTEXT"]["SSH_PUBLIC_KEY"])

this is the output (it indicates only a single key is present):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2x6Z0kbP4CpmnZ+gls2CYxLCHJN1IceGwV1O3GupUTclEKmwsqhsQ0xBmnGd+vBb9V8RFumQBhopySR81yJIXcomAQKDf+tHG8H6kKRdDBzu4BfEcYiPE6h8qBqyzxttigcHak4+E+uOD3EFaLZa5YKvEepoO8SQ2OB1o20nMG9Mfe+lY8j8dS0PCb56zklUxGXir5DanWbon+/oYjJdE4qiZL+w2JXY9OQOw7/45AfQ1mOqXSnbV6DDTa/2h5rNSRkHPnwWWtwlBAX7+EXtRnR8Hbk1z9eJKj/AQAA2+BN3Z948VujO8Ocjlgo0E2B3sT7m6ygLzttaEgaGxiz7Z asd

but inside the /root/.ssh/autorized_keys file, more keys are to be found (if defined previously).

Expected behavior Either the VM template should contain all the keys, or the keys should be consistently removed from the authorized_keys file. It's not that clear, because the updateconf API call has this parameter:

IN Int Update type: 0: Replace the whole template. 1: Merge new template with the existing one.

so multiple branches need to be considered.

Details

Additional context NA

Progress Status

rsmontero commented 6 months ago

This has been fixed by OpenNebula/one#6552