We use a customized known_hosts file and distribute various host keys into it in our operational environment. Adding the option allows mkdumprd to package the corresponding (effective) known_hosts file and use it during kdump capture. The default known_hosts file isn't sufficient.

Thanks,
Jun

Sent from Yahoo Mail for iPhone

On Monday, August 5, 2019, 8:01 PM, Dave Young <dyoung@redhat.com> wrote:

On 08/05/19 at 08:56pm, Lianbo Jiang wrote:
> When using the ssh kdump, the ssh client will use the '-o StrictHostKeyChecking=yes'
> option to connect to the kdump server. To ensure the dump file is sent to
> a genuine kdump server as opposed to a fake one, the ssh client needs to authenticate
> the server as well. A known_hosts file with the server host key can be provisioned on the
> client side in advance to facilitate the authentication (which is added by the ssh-client
> module in mkdumprd).
>
> Add a configuration option in '/etc/kdump.conf' to specify the location of the known_hosts
> file to be used in the 'ssh -o UserKnownHostsFile' option.

When adding a new option, we need to carefully check whether it is really
necessary.  In this case, it is only useful when one wants to
use ssh -o UserKnownHostsFile, but why is this necessary — why can we
not use the global known_hosts?


>
> Suggested-by: Jun Wang <junw99@yahoo.com>
> Signed-off-by: Lianbo Jiang <lijiang@redhat.com>
> ---
>  dracut-kdump.sh        |  4 ++--
>  kdump-lib-initramfs.sh |  6 ++++++
>  kdump.conf            |  4 ++++
>  kdumpctl              | 12 ++++++++++--
>  mkdumprd              | 11 +++++++++--
>  5 files changed, 31 insertions(+), 6 deletions(-)
>
> diff --git a/dracut-kdump.sh b/dracut-kdump.sh
> index ce56459ed088..0eafe6458530 100755
> --- a/dracut-kdump.sh
> +++ b/dracut-kdump.sh
> @@ -71,7 +71,7 @@ dump_raw()

>  dump_ssh()
>  {
> -    local _opt="-i $1 -o BatchMode=yes -o StrictHostKeyChecking=yes"
> +    local _opt="-i $1 -o BatchMode=yes -o StrictHostKeyChecking=yes -i $3 -o UserKnownHostsFile"
>      local _dir="$KDUMP_PATH/$HOST_IP-$DATEDIR"
>      local _host=$2
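Review bot: The option string on the added line passes the known_hosts path to `-i`, which is ssh's identity (private key) option, and then gives `-o UserKnownHostsFile` no value; ssh parses each `-o` argument as a configuration line and rejects one with a missing argument, so dump_ssh would fail before any dump is sent, and even if it parsed, host verification would still consult the default known_hosts rather than `$3`. The line should read `local _opt="-i $1 -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$3"`. The same `-i ... -o UserKnownHostsFile` construction appears in mkdumprd's get_ssh_size and mkdir_save_path_ssh, and kdumpctl's check_ssh_target adds `-i $SSH_KNOWN_HOSTS` with no UserKnownHostsFile option at all, so that pre-flight check never exercises the configured file. dump_ssh's body continues past the end of this hunk.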

> @@ -156,7 +156,7 @@ read_kdump_conf()
>              add_dump_code "dump_raw $config_val"
>              ;;
>          ssh)
> -            add_dump_code "dump_ssh $SSH_KEY_LOCATION $config_val"
> +            add_dump_code "dump_ssh $SSH_KEY_LOCATION $config_val $SSH_KNOWN_HOSTS"
>              ;;
>          esac
>      done <<< "$(read_strip_comments $KDUMP_CONF)"
> diff --git a/kdump-lib-initramfs.sh b/kdump-lib-initramfs.sh
> index 608dc6efc07e..7d595d5b7d06 100755
> --- a/kdump-lib-initramfs.sh
> +++ b/kdump-lib-initramfs.sh
> @@ -11,6 +11,7 @@ DATEDIR=`date +%Y-%m-%d-%T`
>  HOST_IP='127.0.0.1'
>  DUMP_INSTRUCTION=""
>  SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
> +SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
>  KDUMP_SCRIPT_DIR="/kdumpscripts"
>  DD_BLKSIZE=512
>  FINAL_ACTION="systemctl reboot -f"
> @@ -38,6 +39,11 @@ get_kdump_confs()
>                      SSH_KEY_LOCATION=$config_val
>                  fi
>              ;;
> +            known_hosts)
> +                if [ -f "$config_val" ];then
> +                    SSH_KNOWN_HOSTS="$config_val"
> +                fi
> +            ;;
>              kdump_pre)
>                  KDUMP_PRE="$config_val"
>              ;;
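Review bot: The added `known_hosts)` arm silently keeps the default `/root/.ssh/known_hosts` when `$config_val` is absent in the capture environment, so a deployment that configured a custom file would verify the dump server against a different trust set than intended with no indication. An `else` branch that reports it, e.g. `echo "known_hosts '$config_val' not found, using '$SSH_KNOWN_HOSTS'"`, would match the warning kdumpctl prints for the same condition. Whether the configured file is copied into the initramfs is not visible in this patch; if it is not, this fallback is the path that will be taken. get_kdump_confs starts and ends outside the hunk.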
> diff --git a/kdump.conf b/kdump.conf
> index 1f0fc2ddc40b..2b10d57ac561 100644
> --- a/kdump.conf
> +++ b/kdump.conf
> @@ -152,6 +152,9 @@
>  #            to send fence_kdump notifications to.
>  #            (this option is mandatory to enable fence_kdump).
>  #
> +# known_hosts <path>
> +#          - The "path" represents the path of know_hosts, the default value
> +#            is /root/.ssh/known_hosts.

>  #raw /dev/vg/lv_kdump
>  #ext4 /dev/vg/lv_kdump
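Review bot: The new comment under `# known_hosts <path>` misspells the file as `know_hosts` and does not say what the path is used for, which is what a reader of this file needs to decide whether to set it. Suggested wording: `- The "path" is the known_hosts file passed to ssh as UserKnownHostsFile when dumping over ssh; the default is /root/.ssh/known_hosts.`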
> @@ -173,3 +176,4 @@ core_collector makedumpfile -l --message-level 1 -d 31
>  #dracut_args --omit-drivers "cfg80211 snd" --add-drivers "ext2 ext3"
>  #fence_kdump_args -p 7410 -f auto -c 0 -i 10
>  #fence_kdump_nodes node1 node2
> +#known_hosts /root/.ssh/known_hosts
> diff --git a/kdumpctl b/kdumpctl
> index a1a6ee24b768..7ba7e8cf2685 100755
> --- a/kdumpctl
> +++ b/kdumpctl
> @@ -9,6 +9,7 @@ MKDUMPRD="/sbin/mkdumprd -f"
>  DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
>  SAVE_PATH=/var/crash
>  SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
> +SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
>  INITRD_CHECKSUM_LOCATION="/boot/.fadump_initrd_checksum"
>  DUMP_TARGET=""
>  DEFAULT_INITRD=""
> @@ -243,7 +244,7 @@ check_config()
>          case "$config_opt" in
>          \#* | "")
>              ;;
> -        raw|ext2|ext3|ext4|minix|btrfs|xfs|nfs|ssh|sshkey|path|core_collector|kdump_post|kdump_pre|extra_bins|extra_modules|failure_action|default|final_action|force_rebuild|force_no_rebuild|dracut_args|fence_kdump_args|fence_kdump_nodes)
> +        raw|ext2|ext3|ext4|minix|btrfs|xfs|nfs|ssh|sshkey|known_hosts|path|core_collector|kdump_post|kdump_pre|extra_bins|extra_modules|failure_action|default|final_action|force_rebuild|force_no_rebuild|dracut_args|fence_kdump_args|fence_kdump_nodes)
>              # remove inline comments after the end of a directive.
>              [ -z "$config_val" ] && {
>                  echo "Invalid kdump config value for option $config_opt."
> @@ -711,6 +712,13 @@ check_ssh_config()
>                  echo "WARNING: '$config_val' doesn't exist, using default value '$SSH_KEY_LOCATION'"
>              fi
>              ;;
> +        known_hosts)
> +            if [ -f "$config_val" ];then
> +                SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m $config_val)
> +            else
> +                echo "WARNING: '$config_val' doesn't exist, using default value '$SSH_KNOWN_HOSTS'"
> +            fi
> +            ;;
>          path)
>              SAVE_PATH=$config_val
>              ;;
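Review bot: `readlink -m $config_val` on the added line leaves the expansion unquoted, so a path containing whitespace or glob characters is word-split before readlink sees it, while the `-f` test on the line above is quoted and would have accepted it; `SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m "$config_val")` keeps the two consistent. The same unquoted form is used for the new `readlink -m $known_hosts` in mkdumprd. check_ssh_config starts and ends outside the hunk.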
> @@ -733,7 +741,7 @@ check_ssh_config()
>  check_ssh_target()
>  {
>      local _ret
> -    ssh -q -i $SSH_KEY_LOCATION -o BatchMode=yes $DUMP_TARGET mkdir -p $SAVE_PATH
> +    ssh -q -i $SSH_KEY_LOCATION -i $SSH_KNOWN_HOSTS -o BatchMode=yes $DUMP_TARGET mkdir -p $SAVE_PATH
>      _ret=$?
>      if [ $_ret -ne 0 ]; then
>          echo "Could not create $DUMP_TARGET:$SAVE_PATH, you probably need to run \"kdumpctl propagate\""  >&2
> diff --git a/mkdumprd b/mkdumprd
> index cf3533fe2be9..c4e2f8ba4c31 100644
> --- a/mkdumprd
> +++ b/mkdumprd
> @@ -13,6 +13,7 @@ export IN_KDUMP=1

>  conf_file="/etc/kdump.conf"
>  SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
> +SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
>  SAVE_PATH=$(awk '/^path/ {print $2}' $conf_file)
>  [ -z "$SAVE_PATH" ] && SAVE_PATH=$DEFAULT_PATH
>  # strip the duplicated "/"
> @@ -144,7 +145,7 @@ is_readonly_mount() {
>  #called from while loop and shouldn't read from stdin, so we're using "ssh -n"
>  get_ssh_size() {
>      local _opt _out _size
> -    _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes"
> +    _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes -i $SSH_KNOWN_HOSTS -o UserKnownHostsFile"
>      _out=$(ssh -q -n $_opt $1 "df -P $SAVE_PATH")
>      [ $? -ne 0 ] && {
>          perror_exit "checking remote ssh server available size failed."
> @@ -162,7 +163,7 @@ get_ssh_size() {
>  mkdir_save_path_ssh()
>  {
>      local _opt _dir
> -    _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes"
> +    _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes -i $SSH_KNOWN_HOSTS -o UserKnownHostsFile"
>      ssh -qn $_opt $1 mkdir -p $SAVE_PATH 2>&1 > /dev/null
>      _ret=$?
>      if [ $_ret -ne 0 ]; then
> @@ -385,6 +386,12 @@ if [ -f "$keyfile" ]; then
>      SSH_KEY_LOCATION=$(/usr/bin/readlink -m $keyfile)
>  fi

> +# if specified, get the known_hosts
> +known_hosts=$(awk '/^known_hosts/ {print $2}' $conf_file)
> +if [ -f "$known_hosts" ];then
> +    SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m $known_hosts)
> +fi
> +
>  if [ "$(uname -m)" = "s390x" ]; then
>      add_dracut_module "znet"
>  fi
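Review bot: `awk '/^known_hosts/ {print $2}'` on the added line prints one value per matching line, so a duplicated `known_hosts` directive yields a two-line value that fails the following `-f` test and silently falls back to the default path. `known_hosts=$(awk '$1 == "known_hosts" {print $2; exit}' $conf_file)` selects exactly the directive and takes the first occurrence. This mirrors how `keyfile` is read just above, so if the existing pattern is kept for consistency, the comment `# if specified, get the known_hosts` could at least state that only a single directive is expected.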
> --
> 2.17.1
>