On Monday, August 5, 2019, 8:01 PM, Dave Young <dyoung@redhat.com> wrote:
On 08/05/19 at 08:56pm, Lianbo Jiang wrote:
> When using kdump over ssh, the ssh client connects to the kdump server with the
> '-o StrictHostKeyChecking=yes' option. To ensure the dump file is sent to the
> genuine kdump server rather than an impostor, the ssh client must also authenticate
> the server. A known_hosts file containing the server's host key can be provisioned
> on the client side in advance to facilitate this authentication (the file is added
> by the ssh-client module in mkdumprd).
>
> Add a configuration in '/etc/kdump.conf' to specify the location of the known_hosts
> file to be used in the 'ssh -o UserKnownHostsFile' option.
When adding a new option, we need to check carefully whether it is really
necessary. In this case it is only useful when one wants to
use ssh -o UserKnownHostsFile, but why is that necessary? Why can we
not use the global known_hosts?
>
> Suggested-by: Jun Wang <junw99@yahoo.com>
> Signed-off-by: Lianbo Jiang <lijiang@redhat.com>
> ---
> dracut-kdump.sh | 4 ++--
> kdump-lib-initramfs.sh | 6 ++++++
> kdump.conf | 4 ++++
> kdumpctl | 12 ++++++++++--
> mkdumprd | 11 +++++++++--
> 5 files changed, 31 insertions(+), 6 deletions(-)
>
> diff --git a/dracut-kdump.sh b/dracut-kdump.sh
> index ce56459ed088..0eafe6458530 100755
> --- a/dracut-kdump.sh
> +++ b/dracut-kdump.sh
> @@ -71,7 +71,7 @@ dump_raw()
>
> dump_ssh()
> {
> - local _opt="-i $1 -o BatchMode=yes -o StrictHostKeyChecking=yes"
> + local _opt="-i $1 -o BatchMode=yes -o StrictHostKeyChecking=yes -i $3 -o UserKnownHostsFile"
> local _dir="$KDUMP_PATH/$HOST_IP-$DATEDIR"
> local _host=$2
>
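Review bot: The added `-i $3 -o UserKnownHostsFile` does not hand the known_hosts file to ssh: `-i` names an identity (private key) file, so ssh will attempt to load the known_hosts file as a key, and `-o UserKnownHostsFile` carries no value, which depending on the OpenSSH version is either rejected as a malformed option or leaves the default `~/.ssh/known_hosts` in effect. Either way the dump target is verified against a file other than the one the administrator configured, which is exactly what the option was meant to prevent. The line should read `local _opt="-i $1 -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$3"`. The body of dump_ssh continues past the end of the hunk.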
> @@ -156,7 +156,7 @@ read_kdump_conf()
> add_dump_code "dump_raw $config_val"
> ;;
> ssh)
> - add_dump_code "dump_ssh $SSH_KEY_LOCATION $config_val"
> + add_dump_code "dump_ssh $SSH_KEY_LOCATION $config_val $SSH_KNOWN_HOSTS"
> ;;
> esac
> done <<< "$(read_strip_comments $KDUMP_CONF)"
> diff --git a/kdump-lib-initramfs.sh b/kdump-lib-initramfs.sh
> index 608dc6efc07e..7d595d5b7d06 100755
> --- a/kdump-lib-initramfs.sh
> +++ b/kdump-lib-initramfs.sh
> @@ -11,6 +11,7 @@ DATEDIR=`date +%Y-%m-%d-%T`
> HOST_IP='127.0.0.1'
> DUMP_INSTRUCTION=""
> SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
> +SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
> KDUMP_SCRIPT_DIR="/kdumpscripts"
> DD_BLKSIZE=512
> FINAL_ACTION="systemctl reboot -f"
> @@ -38,6 +39,11 @@ get_kdump_confs()
> SSH_KEY_LOCATION=$config_val
> fi
> ;;
> + known_hosts)
> + if [ -f "$config_val" ];then
> + SSH_KNOWN_HOSTS="$config_val"
> + fi
> + ;;
> kdump_pre)
> KDUMP_PRE="$config_val"
> ;;
> diff --git a/kdump.conf b/kdump.conf
> index 1f0fc2ddc40b..2b10d57ac561 100644
> --- a/kdump.conf
> +++ b/kdump.conf
> @@ -152,6 +152,9 @@
> # to send fence_kdump notifications to.
> # (this option is mandatory to enable fence_kdump).
> #
> +# known_hosts <path>
> +# - The "path" represents the path of know_hosts, the default value
> +# is /root/.ssh/known_hosts.
>
> #raw /dev/vg/lv_kdump
> #ext4 /dev/vg/lv_kdump
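Review bot: The new comment misspells the option it documents (`know_hosts`) and does not say what the file is for. Because the ssh dump path runs with `StrictHostKeyChecking=yes`, an administrator needs to know that this file must already contain the dump server's host key, that it is passed to ssh as `UserKnownHostsFile`, and that a non-default path must also be reachable inside the kdump initramfs, where kdump-lib-initramfs.sh looks it up by the same absolute path. Suggested wording: `# known_hosts <path>` / `# - Path of the known_hosts file holding the ssh dump target's host key;` / `#   passed to ssh as UserKnownHostsFile (StrictHostKeyChecking=yes is always` / `#   used). Default: /root/.ssh/known_hosts.`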
> @@ -173,3 +176,4 @@ core_collector makedumpfile -l --message-level 1 -d 31
> #dracut_args --omit-drivers "cfg80211 snd" --add-drivers "ext2 ext3"
> #fence_kdump_args -p 7410 -f auto -c 0 -i 10
> #fence_kdump_nodes node1 node2
> +#known_hosts /root/.ssh/known_hosts
> diff --git a/kdumpctl b/kdumpctl
> index a1a6ee24b768..7ba7e8cf2685 100755
> --- a/kdumpctl
> +++ b/kdumpctl
> @@ -9,6 +9,7 @@ MKDUMPRD="/sbin/mkdumprd -f"
> DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
> SAVE_PATH=/var/crash
> SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
> +SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
> INITRD_CHECKSUM_LOCATION="/boot/.fadump_initrd_checksum"
> DUMP_TARGET=""
> DEFAULT_INITRD=""
> @@ -243,7 +244,7 @@ check_config()
> case "$config_opt" in
> \#* | "")
> ;;
> - raw|ext2|ext3|ext4|minix|btrfs|xfs|nfs|ssh|sshkey|path|core_collector|kdump_post|kdump_pre|extra_bins|extra_modules|failure_action|default|final_action|force_rebuild|force_no_rebuild|dracut_args|fence_kdump_args|fence_kdump_nodes)
> + raw|ext2|ext3|ext4|minix|btrfs|xfs|nfs|ssh|sshkey|known_hosts|path|core_collector|kdump_post|kdump_pre|extra_bins|extra_modules|failure_action|default|final_action|force_rebuild|force_no_rebuild|dracut_args|fence_kdump_args|fence_kdump_nodes)
> # remove inline comments after the end of a directive.
> [ -z "$config_val" ] && {
> echo "Invalid kdump config value for option $config_opt."
> @@ -711,6 +712,13 @@ check_ssh_config()
> echo "WARNING: '$config_val' doesn't exist, using default value '$SSH_KEY_LOCATION'"
> fi
> ;;
> + known_hosts)
> + if [ -f "$config_val" ];then
> + SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m $config_val)
> + else
> + echo "WARNING: '$config_val' doesn't exist, using default value '$SSH_KNOWN_HOSTS'"
> + fi
> + ;;
> path)
> SAVE_PATH=$config_val
> ;;
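Review bot: When the configured known_hosts file is missing, the new case only warns and continues with `/root/.ssh/known_hosts`, so an administrator who pointed kdump at a dedicated trust file gets the dump target verified against a different file than intended; the sshkey case above behaves the same way, but known_hosts is a verification policy rather than a credential, and failing the check with a non-zero return after the warning would be the safer choice. The `readlink` argument should also be quoted: `SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m "$config_val")`. The enclosing check_ssh_config function starts before the hunk.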
> @@ -733,7 +741,7 @@ check_ssh_config()
> check_ssh_target()
> {
> local _ret
> - ssh -q -i $SSH_KEY_LOCATION -o BatchMode=yes $DUMP_TARGET mkdir -p $SAVE_PATH
> + ssh -q -i $SSH_KEY_LOCATION -i $SSH_KNOWN_HOSTS -o BatchMode=yes $DUMP_TARGET mkdir -p $SAVE_PATH
> _ret=$?
> if [ $_ret -ne 0 ]; then
> echo "Could not create $DUMP_TARGET:$SAVE_PATH, you probably need to run \"kdumpctl propagate\"" >&2
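Review bot: `-i $SSH_KNOWN_HOSTS` passes the known_hosts file as a second identity file, not as the host-key database; ssh will try to parse it as a private key and still verify the target against its default `~/.ssh/known_hosts`. The option intended here is `-o UserKnownHostsFile=$SSH_KNOWN_HOSTS`. Note also that, unlike dump_ssh, this probe does not set `-o StrictHostKeyChecking=yes`, so its behaviour on a key mismatch is not guaranteed to match what the kdump kernel will do; adding that option here keeps the first-kernel check and the real dump consistent. The rest of check_ssh_target lies outside the hunk.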
> diff --git a/mkdumprd b/mkdumprd
> index cf3533fe2be9..c4e2f8ba4c31 100644
> --- a/mkdumprd
> +++ b/mkdumprd
> @@ -13,6 +13,7 @@ export IN_KDUMP=1
>
> conf_file="/etc/kdump.conf"
> SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
> +SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
> SAVE_PATH=$(awk '/^path/ {print $2}' $conf_file)
> [ -z "$SAVE_PATH" ] && SAVE_PATH=$DEFAULT_PATH
> # strip the duplicated "/"
> @@ -144,7 +145,7 @@ is_readonly_mount() {
> #called from while loop and shouldn't read from stdin, so we're using "ssh -n"
> get_ssh_size() {
> local _opt _out _size
> - _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes"
> + _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes -i $SSH_KNOWN_HOSTS -o UserKnownHostsFile"
> _out=$(ssh -q -n $_opt $1 "df -P $SAVE_PATH")
> [ $? -ne 0 ] && {
> perror_exit "checking remote ssh server available size failed."
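Review bot: `-i $SSH_KNOWN_HOSTS -o UserKnownHostsFile` is not a valid way to select the host-key file: `-i` designates an identity (private key) and the `-o` option has no value, so the configured file is never consulted and host verification falls back to ssh's defaults, or the option is rejected outright depending on the OpenSSH version. Use `_opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$SSH_KNOWN_HOSTS"`. The remainder of get_ssh_size is outside the hunk.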
> @@ -162,7 +163,7 @@ get_ssh_size() {
> mkdir_save_path_ssh()
> {
> local _opt _dir
> - _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes"
> + _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes -i $SSH_KNOWN_HOSTS -o UserKnownHostsFile"
> ssh -qn $_opt $1 mkdir -p $SAVE_PATH 2>&1 > /dev/null
> _ret=$?
> if [ $_ret -ne 0 ]; then
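Review bot: The same ssh option string is now duplicated in get_ssh_size and mkdir_save_path_ssh, and in both places it is wrong (`-i` takes an identity file; `-o UserKnownHostsFile` needs `=<path>`). Rather than fixing it twice, define the options once at file scope after SSH_KEY_LOCATION and SSH_KNOWN_HOSTS are finalised, e.g. `SSH_OPTS="-i $SSH_KEY_LOCATION -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$SSH_KNOWN_HOSTS"`, and have both functions use `$SSH_OPTS`, provided they are only called after that point. mkdir_save_path_ssh continues beyond the hunk.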
> @@ -385,6 +386,12 @@ if [ -f "$keyfile" ]; then
> SSH_KEY_LOCATION=$(/usr/bin/readlink -m $keyfile)
> fi
>
> +# if specified, get the known_hosts
> +known_hosts=$(awk '/^known_hosts/ {print $2}' $conf_file)
> +if [ -f "$known_hosts" ];then
> + SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m $known_hosts)
> +fi
> +
> if [ "$(uname -m)" = "s390x" ]; then
> add_dracut_module "znet"
> fi
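Review bot: Reading `known_hosts` here only changes which path the first-kernel checks use; nothing in the patch arranges for a non-default file to be copied into the kdump initramfs, where kdump-lib-initramfs.sh looks for it at the same absolute path. Unless the dracut ssh-client module already installs arbitrary known_hosts paths (only the default `/root/.ssh/known_hosts` is obviously covered), a custom path will silently fall back to the default in the second kernel, so something like `add_dracut_arg "--install" "$SSH_KNOWN_HOSTS"` — presumably the same helper family as the `add_dracut_module` call below — is needed alongside this block. A missing file is also ignored here, whereas kdumpctl warns about it; the two should agree.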
> --
> 2.17.1
>