OpenNebula / one-deploy

Apache License 2.0

Research non password-less deployments #87

Closed OpenNebulaSupport closed 3 weeks ago

OpenNebulaSupport commented 3 weeks ago

one-deploy has been developed based on passwordless ssh connections. This means every task executed that requires some sort of ssh connection has been tested and assumes a connection where ssh keys have been whitelisted.

Due to company policies, an ssh connection with a password might be required. This can have some unexpected consequences during the execution of certain tasks, for example, syncing HA information:

TASK [opennebula.deploy.opennebula/server : Distribute AUTH and SSH data (ha)] ***********************************************************************************************************
skipping: [fe1]
fatal: [fe2 -> fe1(10.61.223.45)]: FAILED! => changed=false
  cmd: sshpass
  msg: '[Errno 2] No such file or directory: b''sshpass'''
  rc: 2
  stderr: ''
  stderr_lines: <omitted>
  stdout: ''
  stdout_lines: <omitted>
fatal: [fe3 -> fe1(10.61.223.45)]: FAILED! => changed=false
  cmd: sshpass
  msg: '[Errno 2] No such file or directory: b''sshpass'''
  rc: 2
  stderr: ''
  stderr_lines: <omitted>
  stdout: ''
  stdout_lines: <omitted>

Connection Requirements

Ideally one-deploy could support this, but as it isn't a tested scenario we don't know the implications of setting ansible_ssh_pass and/or ansible_sudo_pass in the inventory file. This also means there is no documentation showcasing password ssh connections.

sk4zuzu commented 3 weeks ago

Hello.

We don't really consider connecting to ssh endpoints using passwords as something that we want to support; there is really no good reason to do so, and moreover we don't want to encourage bad security practices among OpenNebula users (I believe it's unethical for an open source project). Ubuntu creators, for example, seem to think just the same, since /etc/ssh/sshd_config.d/60-cloudimg-settings.conf started to always disable password auth for the whole sshd process (which makes users make an extra explicit effort to re-enable password auth).

But anyway, to make one-deploy work with passwords, users need to:

  1. Set PasswordAuthentication yes in sshd (inside the target cluster).
  2. Install sshpass on the ansible controller.
  3. Install sshpass on all FE machines, that's because of constructions of this type https://github.com/OpenNebula/one-deploy/blob/c831098f4d8bbb03698ea080692962090ba1f0bd/roles/opennebula/server/tasks/sync_ha.yml#L137-L138 , where synchronize module runs rsync+ssh combo and this is direct communication not involving the ansible controller.
  4. Once steps 1, 2 and 3 are completed before running one-deploy (for example in packer scripts), we find that deployment of an HA cluster seems to work without errors.
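As an added example (mine, not one-deploy code and not part of the thread above), the following preflight script covers steps 1 to 3 and the trap hidden in step 1: sshd keeps the first value it reads for each keyword and expands Include where it appears, so on an Ubuntu cloud image, whose sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf and whose 60-cloudimg-settings.conf sets PasswordAuthentication no, a "PasswordAuthentication yes" appended to the bottom of sshd_config is silently ignored. The script walks a config tree the way sshd does, reports the effective value, and shows the fix as a drop-in that sorts before 60-*. The Ubuntu layout, the drop-in name 50-one-deploy.conf and the sandbox tree are my assumptions; the check for sshpass on the controller uses the same test you would run on each FE.

```shell
#!/bin/sh
# Added example, not one-deploy code. Preflight for the password-based SSH
# setup (steps 1-3). Assumptions (mine, not the project's): FE hosts are
# Ubuntu cloud images whose /etc/ssh/sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf" and whose drop-in
# 60-cloudimg-settings.conf contains "PasswordAuthentication no".
#
# sshd keeps the FIRST value it reads for each keyword, and Include is
# expanded where it appears, so "PasswordAuthentication yes" appended at the
# end of sshd_config is shadowed by the drop-in included at the top.

# _walk_sshd_config <root> <file>: print "keyword value" lines in the order
# sshd reads them, expanding Include in place. Paths are resolved under <root>
# so a fake tree can be inspected; use root "" on the live host.
# Not modelled: Match blocks and the "Key=value" spelling.
_walk_sshd_config() {
    _r=$1
    [ -f "$2" ] || return 0
    while read -r _k _v; do
        case "$_k" in ''|'#'*) continue ;; esac
        _kl=$(printf '%s' "$_k" | tr 'A-Z' 'a-z')
        if [ "$_kl" = include ]; then
            for _pat in $_v; do
                # relative Include paths are taken from /etc/ssh, as sshd does
                case "$_pat" in /*) _pat="$_r$_pat" ;; *) _pat="$_r/etc/ssh/$_pat" ;; esac
                for _f in $_pat; do _walk_sshd_config "$_r" "$_f"; done   # glob, sorted
            done
        else
            printf '%s %s\n' "$_kl" "$_v"
        fi
    done < "$2"
}

# effective_value <root> <keyword> <default>: the value sshd will actually use
effective_value() {
    _kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _found=$(_walk_sshd_config "$1" "$1/etc/ssh/sshd_config" \
             | awk -v kw="$_kw" '$1 == kw { print $2; exit }')
    printf '%s\n' "${_found:-$3}"
}

# have_cmd <name>: is the command on PATH? sshpass is needed on the controller
# AND on every FE, because the synchronize task in sync_ha.yml runs rsync+ssh
# directly between FEs without the controller in the path.
have_cmd() { command -v "$1" >/dev/null 2>&1; }

# enable_password_auth <root>: drop-in that sorts before 60-* so it is read
# first (root "" on a real FE; needs root and an sshd reload afterwards;
# confirm on the host with: sshd -T | grep -i passwordauthentication).
# The file name 50-one-deploy.conf is my choice, not a project convention.
enable_password_auth() {
    printf 'PasswordAuthentication yes\n' > "$1/etc/ssh/sshd_config.d/50-one-deploy.conf"
}

# build_sandbox <root>: constructed fake /etc/ssh tree mirroring the Ubuntu
# cloud-image layout, including the edit most people try first
build_sandbox() {
    mkdir -p "$1/etc/ssh/sshd_config.d"
    cat > "$1/etc/ssh/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 22
# appended by an admin, but read AFTER the drop-in, so it loses:
PasswordAuthentication yes
EOF
    printf 'PasswordAuthentication no\n' \
        > "$1/etc/ssh/sshd_config.d/60-cloudimg-settings.conf"
}

sandbox=$(mktemp -d)
build_sandbox "$sandbox"
echo "before drop-in: PasswordAuthentication=$(effective_value "$sandbox" PasswordAuthentication yes)"
enable_password_auth "$sandbox"
echo "after  drop-in: PasswordAuthentication=$(effective_value "$sandbox" PasswordAuthentication yes)"
rm -rf "$sandbox"
for c in sshpass rsync ansible-playbook; do
    have_cmd "$c" && echo "controller: $c found" || echo "controller: $c MISSING"
done
```

Run it with sh on the controller and, for each FE, `ssh fe1 sh < preflight.sh` (or copy the functions into the packer script) so the missing-sshpass failure shown in the first comment is caught before the HA sync task runs. If you do put the password into the inventory, keep it out of plaintext with `ansible-vault encrypt_string`, and prefer the current variable names `ansible_password` and `ansible_become_pass`.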