[pve-devel] [PATCH cluster 4/4] pvecm: stop merging SSH known hosts by default

Fabian Grünbichler Thu, 11 Jan 2024 02:52:47 -0800

and allow explicitly unmerging to remove the symlink altogether.

Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
 src/PVE/CLI/pvecm.pm     | 10 ++++++++--
 src/PVE/Cluster/Setup.pm |  9 ++++++---
 2 files changed, 14 insertions(+), 5 deletions(-)


diff --git a/src/PVE/CLI/pvecm.pm b/src/PVE/CLI/pvecm.pm
index 0005e4b..0e8ca8f 100755
--- a/src/PVE/CLI/pvecm.pm
+++ b/src/PVE/CLI/pvecm.pm
@@ -567,12 +567,18 @@ __PACKAGE__->register_method ({
                type => 'boolean',
                optional => 1,
            },
+           'unmerge-known-hosts' => {
+               description => "Unmerge legacy SSH known hosts.",
+               type => 'boolean',
+               optional => 1,
+               default => 0,
+           },
        },
     },
     returns => { type => 'null' },
     code => sub {
        my ($param) = @_;
-       my ($force_new_cert, $silent) = $param->@{qw(force silent)};
+       my ($force_new_cert, $silent, $unmerge) = $param->@{qw(force silent 
unmerge-known-hosts)};
 
        # pveproxy's ExecStartPre calls this, and as we do IO (on /etc/pve) 
that can hang
        # (uninterruptible D state) we could fail the whole service, rendering 
the API guaranteed
@@ -585,7 +591,7 @@ __PACKAGE__->register_method ({
                usleep(100 * 1000);
            }
 
-           PVE::Cluster::Setup::updatecerts_and_ssh($force_new_cert, $silent);
+           PVE::Cluster::Setup::updatecerts_and_ssh($force_new_cert, $silent, 
$unmerge);
            PVE::Cluster::prepare_observed_file_basedirs();
        });
        if ($got_timeout) {
diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 4b6f013..42dff85 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -816,7 +816,7 @@ sub generate_local_files {
 }
 
 sub updatecerts_and_ssh {
-    my ($force_new_cert, $silent) = @_;
+    my ($force_new_cert, $silent, $unmerge_ssh) = @_;
 
     my $p = sub { print "$_[0]\n" if !$silent };
 
@@ -834,9 +834,12 @@ sub updatecerts_and_ssh {
     $p->("generate new node certificate") if $force_new_cert;
     gen_pve_node_files($nodename, $local_ip_address, $force_new_cert);
 
-    $p->("merge authorized SSH keys and known hosts");
+    $p->("merge authorized SSH keys");
     ssh_merge_keys();
-    ssh_merge_known_hosts($nodename, $local_ip_address, 1);
+    if ($unmerge_ssh) {
+       $p->("unmerge SSH known hosts");
+       ssh_unmerge_known_hosts();
+    }
     ssh_create_node_known_hosts($nodename);
     gen_pve_vzdump_files();
 }
-- 
2.39.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH cluster 4/4] pvecm: stop merging SSH known hosts by default

Reply via email to