When using the ssh kdump, the ssh client will use the '-o StrictHostKeyChecking=yes'
option to connect to the kdump server. To ensure the dump file is sent to
a true kdump server as opposed to a fake one, the ssh client needs to authenticate
the server as well. A known_hosts file with the server's host key can be provisioned on the
client side in advance to facilitate the authentication (which is added by the ssh-client
module in mkdumprd).
Add a configuration in '/etc/kdump.conf' to specify the location of the known_hosts
file to be used in the 'ssh -o UserKnownHostsFile' option.
Suggested-by: Jun Wang <junw99(a)yahoo.com>
Signed-off-by: Lianbo Jiang <lijiang(a)redhat.com>
---
dracut-kdump.sh | 4 ++--
kdump-lib-initramfs.sh | 6 ++++++
kdump.conf | 4 ++++
kdumpctl | 12 ++++++++++--
mkdumprd | 11 +++++++++--
5 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/dracut-kdump.sh b/dracut-kdump.sh
index ce56459ed088..0eafe6458530 100755
--- a/dracut-kdump.sh
+++ b/dracut-kdump.sh
@@ -71,7 +71,7 @@ dump_raw()
dump_ssh()
{
- local _opt="-i $1 -o BatchMode=yes -o StrictHostKeyChecking=yes"
+ local _opt="-i $1 -o BatchMode=yes -o StrictHostKeyChecking=yes -i $3 -o UserKnownHostsFile"
local _dir="$KDUMP_PATH/$HOST_IP-$DATEDIR"
local _host=$2
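Review bot: The new `_opt` passes the known_hosts path through a second `-i`, which is ssh's identity-file option, and leaves `-o UserKnownHostsFile` without a value, so the configured file is not what ssh uses to verify the server's host key. The line should read `local _opt="-i $1 -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$3"`. The same construction appears in `get_ssh_size` and `mkdir_save_path_ssh` in mkdumprd. In kdumpctl, `check_ssh_target` adds `-i $SSH_KNOWN_HOSTS` with no `UserKnownHostsFile` option at all, and the visible command line carries no `StrictHostKeyChecking=yes` either. The body of dump_ssh continues outside the hunk.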
@@ -156,7 +156,7 @@ read_kdump_conf()
add_dump_code "dump_raw $config_val"
;;
ssh)
- add_dump_code "dump_ssh $SSH_KEY_LOCATION $config_val"
+ add_dump_code "dump_ssh $SSH_KEY_LOCATION $config_val $SSH_KNOWN_HOSTS"
;;
esac
done <<< "$(read_strip_comments $KDUMP_CONF)"
diff --git a/kdump-lib-initramfs.sh b/kdump-lib-initramfs.sh
index 608dc6efc07e..7d595d5b7d06 100755
--- a/kdump-lib-initramfs.sh
+++ b/kdump-lib-initramfs.sh
@@ -11,6 +11,7 @@ DATEDIR=`date +%Y-%m-%d-%T`
HOST_IP='127.0.0.1'
DUMP_INSTRUCTION=""
SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
+SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
KDUMP_SCRIPT_DIR="/kdumpscripts"
DD_BLKSIZE=512
FINAL_ACTION="systemctl reboot -f"
@@ -38,6 +39,11 @@ get_kdump_confs()
SSH_KEY_LOCATION=$config_val
fi
;;
+ known_hosts)
+ if [ -f "$config_val" ];then
+ SSH_KNOWN_HOSTS="$config_val"
+ fi
+ ;;
kdump_pre)
KDUMP_PRE="$config_val"
;;
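Review bot: The `known_hosts)` arm silently keeps the default when `[ -f "$config_val" ]` fails, and this test runs inside the kdump initramfs, where the configured path exists only if it was installed at that same location. The commit message says the ssh-client module adds the file, but that step is not visible in this patch, so it is worth confirming that the custom path is the one that gets installed. Because ssh runs with `StrictHostKeyChecking=yes`, falling back to a default file that lacks the server's key would make the dump fail with no hint why; an `else` branch such as `echo "kdump: known_hosts '$config_val' not found, using '$SSH_KNOWN_HOSTS'" >&2` would make that diagnosable. get_kdump_confs starts and ends outside the hunk.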
diff --git a/kdump.conf b/kdump.conf
index 1f0fc2ddc40b..2b10d57ac561 100644
--- a/kdump.conf
+++ b/kdump.conf
@@ -152,6 +152,9 @@
# to send fence_kdump notifications to.
# (this option is mandatory to enable fence_kdump).
#
+# known_hosts <path>
+# - The "path" represents the path of know_hosts, the default value
+# is /root/.ssh/known_hosts.
#raw /dev/vg/lv_kdump
#ext4 /dev/vg/lv_kdump
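Review bot: The added help text spells the file name `know_hosts`; it should be `known_hosts`. The comment could also state that the option only matters for ssh dump targets and that the file must already contain the dump server's host key, since the client connects with `StrictHostKeyChecking=yes`, for example `# - Path of the known_hosts file used to verify the ssh dump target's host key.`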
@@ -173,3 +176,4 @@ core_collector makedumpfile -l --message-level 1 -d 31
#dracut_args --omit-drivers "cfg80211 snd" --add-drivers "ext2 ext3"
#fence_kdump_args -p 7410 -f auto -c 0 -i 10
#fence_kdump_nodes node1 node2
+#known_hosts /root/.ssh/known_hosts
diff --git a/kdumpctl b/kdumpctl
index a1a6ee24b768..7ba7e8cf2685 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -9,6 +9,7 @@ MKDUMPRD="/sbin/mkdumprd -f"
DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
SAVE_PATH=/var/crash
SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
+SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
INITRD_CHECKSUM_LOCATION="/boot/.fadump_initrd_checksum"
DUMP_TARGET=""
DEFAULT_INITRD=""
@@ -243,7 +244,7 @@ check_config()
case "$config_opt" in
\#* | "")
;;
- raw|ext2|ext3|ext4|minix|btrfs|xfs|nfs|ssh|sshkey|path|core_collector|kdump_post|kdump_pre|extra_bins|extra_modules|failure_action|default|final_action|force_rebuild|force_no_rebuild|dracut_args|fence_kdump_args|fence_kdump_nodes)
+ raw|ext2|ext3|ext4|minix|btrfs|xfs|nfs|ssh|sshkey|known_hosts|path|core_collector|kdump_post|kdump_pre|extra_bins|extra_modules|failure_action|default|final_action|force_rebuild|force_no_rebuild|dracut_args|fence_kdump_args|fence_kdump_nodes)
# remove inline comments after the end of a directive.
[ -z "$config_val" ] && {
echo "Invalid kdump config value for option $config_opt."
@@ -711,6 +712,13 @@ check_ssh_config()
echo "WARNING: '$config_val' doesn't exist, using default value '$SSH_KEY_LOCATION'"
fi
;;
+ known_hosts)
+ if [ -f "$config_val" ];then
+ SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m $config_val)
+ else
+ echo "WARNING: '$config_val' doesn't exist, using default value '$SSH_KNOWN_HOSTS'"
+ fi
+ ;;
path)
SAVE_PATH=$config_val
;;
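Review bot: `$config_val` is quoted in the `-f` test but unquoted in `readlink -m $config_val`, so a path containing whitespace or glob characters passes the test and is then split before readlink sees it. `SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m -- "$config_val")` keeps the two consistent. The warning in the `else` branch would also be better sent to stderr with `>&2`, as the error message in `check_ssh_target` already is. check_ssh_config extends beyond the hunk.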
@@ -733,7 +741,7 @@ check_ssh_config()
check_ssh_target()
{
local _ret
- ssh -q -i $SSH_KEY_LOCATION -o BatchMode=yes $DUMP_TARGET mkdir -p $SAVE_PATH
+ ssh -q -i $SSH_KEY_LOCATION -i $SSH_KNOWN_HOSTS -o BatchMode=yes $DUMP_TARGET mkdir -p $SAVE_PATH
_ret=$?
if [ $_ret -ne 0 ]; then
echo "Could not create $DUMP_TARGET:$SAVE_PATH, you probably need to run \"kdumpctl propagate\"" >&2
diff --git a/mkdumprd b/mkdumprd
index cf3533fe2be9..c4e2f8ba4c31 100644
--- a/mkdumprd
+++ b/mkdumprd
@@ -13,6 +13,7 @@ export IN_KDUMP=1
conf_file="/etc/kdump.conf"
SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
+SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
SAVE_PATH=$(awk '/^path/ {print $2}' $conf_file)
[ -z "$SAVE_PATH" ] && SAVE_PATH=$DEFAULT_PATH
# strip the duplicated "/"
@@ -144,7 +145,7 @@ is_readonly_mount() {
#called from while loop and shouldn't read from stdin, so we're using "ssh -n"
get_ssh_size() {
local _opt _out _size
- _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes"
+ _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes -i $SSH_KNOWN_HOSTS -o UserKnownHostsFile"
_out=$(ssh -q -n $_opt $1 "df -P $SAVE_PATH")
[ $? -ne 0 ] && {
perror_exit "checking remote ssh server available size failed."
@@ -162,7 +163,7 @@ get_ssh_size() {
mkdir_save_path_ssh()
{
local _opt _dir
- _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes"
+ _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes -i $SSH_KNOWN_HOSTS -o UserKnownHostsFile"
ssh -qn $_opt $1 mkdir -p $SAVE_PATH 2>&1 > /dev/null
_ret=$?
if [ $_ret -ne 0 ]; then
@@ -385,6 +386,12 @@ if [ -f "$keyfile" ]; then
SSH_KEY_LOCATION=$(/usr/bin/readlink -m $keyfile)
fi
+# if specified, get the known_hosts
+known_hosts=$(awk '/^known_hosts/ {print $2}' $conf_file)
+if [ -f "$known_hosts" ];then
+ SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m $known_hosts)
+fi
+
if [ "$(uname -m)" = "s390x" ]; then
add_dracut_module "znet"
fi
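Review bot: The lookup `awk '/^known_hosts/ {print $2}'` matches any line that merely begins with `known_hosts` and prints one value per match, so a duplicated directive or a longer option name with that prefix yields a value that fails the `-f` test and the setting is dropped without a message. `known_hosts=$(awk '$1 == "known_hosts" {print $2; exit}' "$conf_file")` pins the match to the exact directive, and quoting `"$known_hosts"` in the readlink call would match the quoted test. Unlike `check_ssh_config` in kdumpctl, this path prints no warning when the configured file is missing, so a mistyped path quietly falls back to `/root/.ssh/known_hosts`. The surrounding top-level code continues outside the hunk.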
--
2.17.1