On 08/06/19 at 11:37am, lijiang wrote:
在 2019年08月06日 11:01, Dave Young 写道:
> On 08/05/19 at 08:56pm, Lianbo Jiang wrote:
>> When using the ssh kdump, the ssh client will use the '-o
StrictHostKeyChecking=yes'
>> option to connect the kdump server. To ensure the dump file is going to be sent
to
>> a true kdump server as opposed to any fake one, the ssh client needs to
authenticate
>> the server as well. A known_hosts file with server hostkey can be provisioned on
the
>> client side in advance to facilitate the authentication(which is added by
ssh-client
>> module in mkdumprd).
>>
>> Add a configuration in '/etc/kdump.conf' to specify the location of the
known_hosts
>> file to be used in the 'ssh -o UserKnownHostsFile' option.
>
> When adding a new option, we need to carefully check if it is really
> necessary. In this case, it is only useful for the case where one wants to
> use ssh -o UserKnownHostsFile, but why is this necessary, why can we
> not use the global known_hosts?
>
In general, the root user will perform a kdump operation, so I used
/root/.ssh/known_hosts
as the default, but, if needed, the user can still specify this option in /etc/kdump.conf.
I'm not objecting to allow UserKnownHostsFile, but I want to double
check if we should use another new kdump config option.
You can check the dracut ssh-client module, if one setup ssh_config
correctly I assume ssh will use the knownhost file automatically, if not
maybe we should fix the dracut module.
>
> Thanks.
>
> >>
> >> Suggested-by: Jun Wang <junw99(a)yahoo.com>
> >> Signed-off-by: Lianbo Jiang <lijiang(a)redhat.com>
> >> ---
> >> dracut-kdump.sh | 4 ++--
> >> kdump-lib-initramfs.sh | 6 ++++++
> >> kdump.conf | 4 ++++
> >> kdumpctl | 12 ++++++++++--
> >> mkdumprd | 11 +++++++++--
> >> 5 files changed, 31 insertions(+), 6 deletions(-)
> >>
> >> diff --git a/dracut-kdump.sh b/dracut-kdump.sh
> >> index ce56459ed088..0eafe6458530 100755
> >> --- a/dracut-kdump.sh
> >> +++ b/dracut-kdump.sh
> >> @@ -71,7 +71,7 @@ dump_raw()
> >>
> >> dump_ssh()
> >> {
> >> - local _opt="-i $1 -o BatchMode=yes -o
StrictHostKeyChecking=yes"
> >> + local _opt="-i $1 -o BatchMode=yes -o StrictHostKeyChecking=yes -i
$3 -o UserKnownHostsFile"
> >> local _dir="$KDUMP_PATH/$HOST_IP-$DATEDIR"
> >> local _host=$2
> >>
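Review bot: The new option string in dump_ssh hands the known_hosts path to ssh as an identity file (`-i $3`) and then gives `-o UserKnownHostsFile` no value, so ssh is never told which known_hosts file to consult and will most likely reject the bare option before it connects; the host-key verification this patch is meant to add is therefore not performed, and with StrictHostKeyChecking=yes the dump fails rather than being sent. The intended form is `local _opt="-i $1 -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$3"`. The same option string is built in mkdumprd's get_ssh_size and mkdir_save_path_ssh hunks (their `_opt=` lines) and needs the same correction. dump_ssh's body continues outside the hunk.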
> >> @@ -156,7 +156,7 @@ read_kdump_conf()
> >> add_dump_code "dump_raw $config_val"
> >> ;;
> >> ssh)
> >> - add_dump_code "dump_ssh $SSH_KEY_LOCATION
$config_val"
> >> + add_dump_code "dump_ssh $SSH_KEY_LOCATION $config_val
$SSH_KNOWN_HOSTS"
> >> ;;
> >> esac
> >> done <<< "$(read_strip_comments $KDUMP_CONF)"
> >> diff --git a/kdump-lib-initramfs.sh b/kdump-lib-initramfs.sh
> >> index 608dc6efc07e..7d595d5b7d06 100755
> >> --- a/kdump-lib-initramfs.sh
> >> +++ b/kdump-lib-initramfs.sh
> >> @@ -11,6 +11,7 @@ DATEDIR=`date +%Y-%m-%d-%T`
> >> HOST_IP='127.0.0.1'
> >> DUMP_INSTRUCTION=""
> >> SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
> >> +SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
> >> KDUMP_SCRIPT_DIR="/kdumpscripts"
> >> DD_BLKSIZE=512
> >> FINAL_ACTION="systemctl reboot -f"
> >> @@ -38,6 +39,11 @@ get_kdump_confs()
> >> SSH_KEY_LOCATION=$config_val
> >> fi
> >> ;;
> >> + known_hosts)
> >> + if [ -f "$config_val" ];then
> >> + SSH_KNOWN_HOSTS="$config_val"
> >> + fi
> >> + ;;
> >> kdump_pre)
> >> KDUMP_PRE="$config_val"
> >> ;;
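Review bot: A configured known_hosts path that is missing from the initramfs is silently replaced by the default `/root/.ssh/known_hosts`, so the operator gets no indication that a different trust anchor than the one named in /etc/kdump.conf is used for host-key verification at dump time. This mirrors the sshkey branch just above, but kdumpctl's check_ssh_config prints a WARNING in the same situation, and doing the same here would make the substitution visible on the crash-kernel console: add `else` / `echo "WARNING: '$config_val' doesn't exist, using default value '$SSH_KNOWN_HOSTS'"` before the `fi`. get_kdump_confs's body starts and ends outside the hunk.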
> >> diff --git a/kdump.conf b/kdump.conf
> >> index 1f0fc2ddc40b..2b10d57ac561 100644
> >> --- a/kdump.conf
> >> +++ b/kdump.conf
> >> @@ -152,6 +152,9 @@
> >> # to send fence_kdump notifications to.
> >> # (this option is mandatory to enable fence_kdump).
> >> #
> >> +# known_hosts <path>
> >> +# - The "path" represents the path of know_hosts, the
default value
> >> +# is /root/.ssh/known_hosts.
> >>
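Review bot: The new comment misspells the file as "know_hosts" and does not say that the default is used when the configured path does not exist, which is what the kdumpctl and kdump-lib-initramfs hunks implement. Suggested wording: `# - The "path" is the known_hosts file used to verify the ssh dump target's host key;` / `#   if it does not exist, the default /root/.ssh/known_hosts is used.`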
> >> #raw /dev/vg/lv_kdump
> >> #ext4 /dev/vg/lv_kdump
> >> @@ -173,3 +176,4 @@ core_collector makedumpfile -l --message-level 1 -d 31
> >> #dracut_args --omit-drivers "cfg80211 snd" --add-drivers
"ext2 ext3"
> >> #fence_kdump_args -p 7410 -f auto -c 0 -i 10
> >> #fence_kdump_nodes node1 node2
> >> +#known_hosts /root/.ssh/known_hosts
> >> diff --git a/kdumpctl b/kdumpctl
> >> index a1a6ee24b768..7ba7e8cf2685 100755
> >> --- a/kdumpctl
> >> +++ b/kdumpctl
> >> @@ -9,6 +9,7 @@ MKDUMPRD="/sbin/mkdumprd -f"
> >> DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
> >> SAVE_PATH=/var/crash
> >> SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
> >> +SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
> >> INITRD_CHECKSUM_LOCATION="/boot/.fadump_initrd_checksum"
> >> DUMP_TARGET=""
> >> DEFAULT_INITRD=""
> >> @@ -243,7 +244,7 @@ check_config()
> >> case "$config_opt" in
> >> \#* | "")
> >> ;;
> >>
- raw|ext2|ext3|ext4|minix|btrfs|xfs|nfs|ssh|sshkey|path|core_collector|kdump_post|kdump_pre|extra_bins|extra_modules|failure_action|default|final_action|force_rebuild|force_no_rebuild|dracut_args|fence_kdump_args|fence_kdump_nodes)
> >>
+ raw|ext2|ext3|ext4|minix|btrfs|xfs|nfs|ssh|sshkey|known_hosts|path|core_collector|kdump_post|kdump_pre|extra_bins|extra_modules|failure_action|default|final_action|force_rebuild|force_no_rebuild|dracut_args|fence_kdump_args|fence_kdump_nodes)
> >> # remove inline comments after the end of a directive.
> >> [ -z "$config_val" ] && {
> >> echo "Invalid kdump config value for option $config_opt."
> >> @@ -711,6 +712,13 @@ check_ssh_config()
> >> echo "WARNING: '$config_val' doesn't exist, using
default value '$SSH_KEY_LOCATION'"
> >> fi
> >> ;;
> >> + known_hosts)
> >> + if [ -f "$config_val" ];then
> >> + SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m $config_val)
> >> + else
> >> + echo "WARNING: '$config_val' doesn't exist, using
default value '$SSH_KNOWN_HOSTS'"
> >> + fi
> >> + ;;
> >> path)
> >> SAVE_PATH=$config_val
> >> ;;
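Review bot: `$config_val` is expanded unquoted in `SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m $config_val)`, so a path containing whitespace is split into several arguments and the stored value is not the configured file; `SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m "$config_val")` avoids that (the sshkey branch above has the same pattern, but new code need not copy it). The mkdumprd hunk that reads known_hosts from the conf file has the same unquoted expansion in its `readlink -m $known_hosts` line. check_ssh_config's body starts and ends outside the hunk.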
> >> @@ -733,7 +741,7 @@ check_ssh_config()
> >> check_ssh_target()
> >> {
> >> local _ret
> >> - ssh -q -i $SSH_KEY_LOCATION -o BatchMode=yes $DUMP_TARGET mkdir -p
$SAVE_PATH
> >> + ssh -q -i $SSH_KEY_LOCATION -i $SSH_KNOWN_HOSTS -o BatchMode=yes
$DUMP_TARGET mkdir -p $SAVE_PATH
> >> _ret=$?
> >> if [ $_ret -ne 0 ]; then
> >> echo "Could not create $DUMP_TARGET:$SAVE_PATH, you probably need to
run \"kdumpctl propagate\"" >&2
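Review bot: check_ssh_target passes `-i $SSH_KNOWN_HOSTS` but no `-o UserKnownHostsFile`, so the configured known_hosts file is offered to ssh as an identity file and never consulted for host-key verification; the pre-check runs against ssh's default known_hosts while the initramfs dump_ssh is meant to use the configured file, so a target that passes `kdumpctl` checks may be verified against a different key set, or rejected, at dump time. Replace the added `-i $SSH_KNOWN_HOSTS` with `-o UserKnownHostsFile=$SSH_KNOWN_HOSTS`, i.e. `ssh -q -i $SSH_KEY_LOCATION -o UserKnownHostsFile=$SSH_KNOWN_HOSTS -o BatchMode=yes $DUMP_TARGET mkdir -p $SAVE_PATH`; adding `-o StrictHostKeyChecking=yes` here as well would make the pre-check use the same options as dump_ssh. check_ssh_target's body continues outside the hunk.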
> >> diff --git a/mkdumprd b/mkdumprd
> >> index cf3533fe2be9..c4e2f8ba4c31 100644
> >> --- a/mkdumprd
> >> +++ b/mkdumprd
> >> @@ -13,6 +13,7 @@ export IN_KDUMP=1
> >>
> >> conf_file="/etc/kdump.conf"
> >> SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
> >> +SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
> >> SAVE_PATH=$(awk '/^path/ {print $2}' $conf_file)
> >> [ -z "$SAVE_PATH" ] && SAVE_PATH=$DEFAULT_PATH
> >> # strip the duplicated "/"
> >> @@ -144,7 +145,7 @@ is_readonly_mount() {
> >> #called from while loop and shouldn't read from stdin, so we're
using "ssh -n"
> >> get_ssh_size() {
> >> local _opt _out _size
> >> - _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o
StrictHostKeyChecking=yes"
> >> + _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o
StrictHostKeyChecking=yes -i $SSH_KNOWN_HOSTS -o UserKnownHostsFile"
> >> _out=$(ssh -q -n $_opt $1 "df -P $SAVE_PATH")
> >> [ $? -ne 0 ] && {
> >> perror_exit "checking remote ssh server available size
failed."
> >> @@ -162,7 +163,7 @@ get_ssh_size() {
> >> mkdir_save_path_ssh()
> >> {
> >> local _opt _dir
> >> - _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o
StrictHostKeyChecking=yes"
> >> + _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o
StrictHostKeyChecking=yes -i $SSH_KNOWN_HOSTS -o UserKnownHostsFile"
> >> ssh -qn $_opt $1 mkdir -p $SAVE_PATH 2>&1 > /dev/null
> >> _ret=$?
> >> if [ $_ret -ne 0 ]; then
> >> @@ -385,6 +386,12 @@ if [ -f "$keyfile" ]; then
> >> SSH_KEY_LOCATION=$(/usr/bin/readlink -m $keyfile)
> >> fi
> >>
> >> +# if specified, get the known_hosts
> >> +known_hosts=$(awk '/^known_hosts/ {print $2}' $conf_file)
> >> +if [ -f "$known_hosts" ];then
> >> + SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m $known_hosts)
> >> +fi
> >> +
> >> if [ "$(uname -m)" = "s390x" ]; then
> >> add_dracut_module "znet"
> >> fi
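Review bot: Nothing visible in this hunk passes the resolved `$SSH_KNOWN_HOSTS` on to dracut, whereas the commit message says the known_hosts file is installed by the ssh-client module; if that module only picks up the default /root/.ssh/known_hosts (which I cannot confirm from the patch), a non-default path configured here is resolved for the host-side checks but absent from the initramfs, and dump-time verification then silently falls back to the default file per the kdump-lib-initramfs hunk. Please confirm how a non-default file reaches the initramfs, or hand it to dracut next to the existing sshkey handling. Also, `/^known_hosts/` matches any directive that merely starts with that prefix; `/^known_hosts[[:space:]]/` would match only the option itself.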
> >> --
> >> 2.17.1
> >>