Allow partial override about SshServerOptions

When operator needs to change any options described in sshd_config, he/she should use the parameter named SshServerOptions to define the updated configuration. However the problem here is that he/she should define the whole content instead of the actual lines to be overridden, otherwise some of the lines defined in its default can be missing from configuration. This makes it difficutlt to properly update the parameter during update or upgrade, since operators always need to check whetehr any change has been made about the default of SshServerOptions. This change introduces a new parameter, SshServerOptionsOverride, which can be used to override specific line in SshServerOptions. Note that SshServerOptions should still be used if any of the lines in SshServerOptions needs to be removed. Change-Id: I8a018c8c7435a753c8ed5b5fa211d91d053f8d67
openstack-archive · Sep 30, 2020 · bfd97da · bfd97da
1 parent 619eda0
commit bfd97da
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 2 deletions.
diff --git a/deployment/sshd/sshd-baremetal-ansible.yaml b/deployment/sshd/sshd-baremetal-ansible.yaml
@@ -60,6 +60,11 @@ parameters:
       Subsystem: 'sftp  /usr/libexec/openssh/sftp-server'
     description: Mapping of sshd_config values
     type: json
+  SshServerOptionsOverrides:
+    default: {}
+    description: Mapping of sshd_config values to override definitions in
+                 SshServerOptions
+    type: json
   PasswordAuthentication:
     default: 'no'
     description: Whether or not disable password authentication
@@ -89,7 +94,10 @@ outputs:
         - include_role:
             name: tripleo_ssh
           vars:
-            tripleo_sshd_server_options: {get_param: SshServerOptions}
+            tripleo_sshd_server_options:
+              map_merge:
+                - {get_param: SshServerOptions}
+                - {get_param: SshServerOptionsOverrides}
             tripleo_sshd_password_authentication: {get_param: PasswordAuthentication}
             tripleo_sshd_banner_enabled:
               if:

diff --git a/deployment/sshd/sshd-baremetal-puppet.yaml b/deployment/sshd/sshd-baremetal-puppet.yaml
@@ -60,6 +60,11 @@ parameters:
       Subsystem: 'sftp  /usr/libexec/openssh/sftp-server'
     description: Mapping of sshd_config values
     type: json
+  SshServerOptionsOverrides:
+    default: {}
+    description: Mapping of sshd_config values to override definitions in
+                 SshServerOptions
+    type: json
   PasswordAuthentication:
     default: 'no'
     description: Whether or not disable password authentication
@@ -86,7 +91,10 @@ outputs:
       config_settings:
         tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
         tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
-        tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
+        tripleo::profile::base::sshd::options:
+          map_merge:
+            - {get_param: SshServerOptions}
+            - {get_param: SshServerOptionsOverrides}
         tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
       step_config: |
         include tripleo::profile::base::sshd
diff --git a/releasenotes/notes/ssh-server-options-overrides-f677913bfd65efe1.yaml b/releasenotes/notes/ssh-server-options-overrides-f677913bfd65efe1.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The new ``SshServerOptionsOverrides`` parameter has been added. This
+    parameter can be used to override a part of sshd_config, which is defined
+    by the ``SshServerOptions``.