added sshconfig alternate place for keys

This commit is contained in:
duffyduck 2026-03-04 22:59:31 +01:00
parent fff5402226
commit 955fad399e
1 changed files with 64 additions and 18 deletions


@ -164,51 +164,97 @@ class Migrator:
return True return True
def _preserve_ssh_keys(self, nodes: list, dry_run: bool) -> bool: def _preserve_ssh_keys(self, nodes: list, dry_run: bool) -> bool:
"""Copy /etc/pve/priv/authorized_keys to ~/.ssh/ on all nodes. """Ensure SSH keeps working after pve-cluster stop.
When pve-cluster (pmxcfs) is stopped, /etc/pve gets unmounted and When pve-cluster (pmxcfs) is stopped, /etc/pve gets unmounted and
the cluster SSH keys disappear. This breaks SSH between nodes. the cluster SSH keys in /etc/pve/priv/authorized_keys disappear.
We temporarily copy them to ~/.ssh/authorized_keys so SSH keeps working. This breaks SSH between nodes.
Fix: Copy PVE keys to ~/.ssh/authorized_keys AND ensure sshd is
configured to actually check that file (Proxmox may only check /etc/pve/).
""" """
for node in nodes: for node in nodes:
if dry_run: if dry_run:
print(f" [{node.name}] Würde SSH-Keys sichern") print(f" [{node.name}] Würde SSH-Keys sichern")
continue continue
# Append pve keys to ~/.ssh/authorized_keys (avoid duplicates) # Step 1: Copy PVE keys to ~/.ssh/authorized_keys
cmd = ( copy_cmd = (
"mkdir -p /root/.ssh && "
"cp /root/.ssh/authorized_keys /root/.ssh/authorized_keys.pre_migration 2>/dev/null; "
"if [ -f /etc/pve/priv/authorized_keys ]; then " "if [ -f /etc/pve/priv/authorized_keys ]; then "
" mkdir -p /root/.ssh && "
" cp /root/.ssh/authorized_keys /root/.ssh/authorized_keys.pre_migration 2>/dev/null; "
" cat /etc/pve/priv/authorized_keys >> /root/.ssh/authorized_keys && " " cat /etc/pve/priv/authorized_keys >> /root/.ssh/authorized_keys && "
" sort -u -o /root/.ssh/authorized_keys /root/.ssh/authorized_keys && " " sort -u /root/.ssh/authorized_keys > /root/.ssh/authorized_keys.tmp && "
" mv /root/.ssh/authorized_keys.tmp /root/.ssh/authorized_keys && "
" chmod 600 /root/.ssh/authorized_keys && " " chmod 600 /root/.ssh/authorized_keys && "
" echo ok; " " echo keys_copied; "
"else " "else "
" echo no_pve_keys; " " echo no_pve_keys; "
"fi" "fi"
) )
rc, stdout, err = self.ssh.run_on_node( rc, stdout, err = self.ssh.run_on_node(
node.ssh_host, cmd, node.is_local node.ssh_host, copy_cmd, node.is_local
) )
if rc == 0 and "ok" in stdout: if "keys_copied" in stdout:
print(f" [{node.name}] SSH-Keys gesichert") print(f" [{node.name}] PVE-Keys nach ~/.ssh/authorized_keys kopiert")
elif "no_pve_keys" in stdout: elif "no_pve_keys" in stdout:
print(f" [{node.name}] Keine PVE-Keys gefunden (übersprungen)") print(f" [{node.name}] Keine PVE-Keys gefunden (übersprungen)")
else: else:
print(f" [{node.name}] WARNUNG SSH-Keys: {err}") print(f" [{node.name}] WARNUNG Key-Kopie: rc={rc} {err}")
# Step 2: Ensure sshd checks ~/.ssh/authorized_keys
# Proxmox sshd_config may only list /etc/pve/priv/authorized_keys
sshd_cmd = (
"cp /etc/ssh/sshd_config /etc/ssh/sshd_config.pre_migration && "
"if grep -q '^AuthorizedKeysFile' /etc/ssh/sshd_config; then "
" if grep '^AuthorizedKeysFile' /etc/ssh/sshd_config | grep -q '.ssh/authorized_keys'; then "
" echo sshd_already_ok; "
" else "
" sed -i '/^AuthorizedKeysFile/s|$| .ssh/authorized_keys|' /etc/ssh/sshd_config && "
" systemctl reload sshd && "
" echo sshd_modified; "
" fi; "
"else "
" echo sshd_already_ok; "
"fi"
)
rc2, stdout2, err2 = self.ssh.run_on_node(
node.ssh_host, sshd_cmd, node.is_local
)
if "sshd_modified" in stdout2:
print(f" [{node.name}] sshd_config angepasst (.ssh/authorized_keys hinzugefügt)")
elif "sshd_already_ok" in stdout2:
print(f" [{node.name}] sshd_config OK")
else:
print(f" [{node.name}] WARNUNG sshd: {err2}")
# Step 3: Verify SSH will still work after pve-cluster stop
# Test that ~/.ssh/authorized_keys is readable on all remote nodes
print(" [Verifikation] Prüfe ob SSH-Keys korrekt gesichert sind...")
for node in nodes:
if node.is_local:
continue
rc, stdout, _ = self.ssh.run_on_node(
node.ssh_host,
"wc -l /root/.ssh/authorized_keys 2>/dev/null || echo 0",
False,
)
key_count = stdout.strip().split()[0] if stdout.strip() else "0"
print(f" [{node.name}] authorized_keys: {key_count} Zeilen")
return True return True
def _restore_ssh_keys(self, nodes: list): def _restore_ssh_keys(self, nodes: list):
"""Restore original ~/.ssh/authorized_keys after migration.""" """Restore original ~/.ssh/authorized_keys and sshd_config after migration."""
for node in nodes: for node in nodes:
new_host = node.new_ip if not node.is_local else node.ssh_host new_host = node.new_ip if not node.is_local else node.ssh_host
cmd = ( cmd = (
"if [ -f /root/.ssh/authorized_keys.pre_migration ]; then " "if [ -f /root/.ssh/authorized_keys.pre_migration ]; then "
" mv /root/.ssh/authorized_keys.pre_migration /root/.ssh/authorized_keys && " " mv /root/.ssh/authorized_keys.pre_migration /root/.ssh/authorized_keys; "
" echo restored; " "fi; "
"else " "if [ -f /etc/ssh/sshd_config.pre_migration ]; then "
" echo no_backup; " " mv /etc/ssh/sshd_config.pre_migration /etc/ssh/sshd_config && "
" systemctl reload sshd 2>/dev/null; "
"fi" "fi"
) )
self.ssh.run_on_node(new_host, cmd, node.is_local) self.ssh.run_on_node(new_host, cmd, node.is_local)
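Review bot: In Step 2 the `sed -i` on the `AuthorizedKeysFile` line goes straight into `systemctl reload sshd` with no `sshd -t` in between, and the `grep` before it only reads `/etc/ssh/sshd_config`, so a directive supplied through an `Include`d drop-in (Debian-based hosts commonly ship `sshd_config.d/*.conf`) is neither detected nor, because sshd honours the first occurrence of a keyword, overridden by the append — the node then reports `sshd_already_ok` or `sshd_modified` while key login can still fail once `/etc/pve` is unmounted. Deciding from the effective configuration (`sshd -T`) and validating with `sshd -t` before the reload closes both gaps; the rewritten `sshd_cmd` is below. The `/^AuthorizedKeysFile/` address also matches lines inside `Match` blocks, so the appended path widens which files are accepted for those users rather than only the global setting. Separately, if `/root/.ssh/authorized_keys` was a symlink into `/etc/pve` before the run (Proxmox appears to set it up that way; confirm), the `mv .tmp` step in Step 1 replaces it with a regular file and `_restore_ssh_keys` moves a regular copy back, so the node stays out of sync with the cluster-managed key file after migration — worth stating in the docstring, e.g. `# NOTE: any pre-existing symlink is replaced by a plain file and is not recreated on restore`. Note too that Step 3 only counts lines with `wc -l`; it does not show that sshd will accept the file.

```python
            # Step 2: Ensure sshd checks ~/.ssh/authorized_keys (effective config, not just one file)
            sshd_cmd = (
                "cp /etc/ssh/sshd_config /etc/ssh/sshd_config.pre_migration && "
                # sshd -T prints the effective (Include-resolved) global config, keywords lowercased
                "if sshd -T 2>/dev/null | grep -i '^authorizedkeysfile' | grep -q '\\.ssh/authorized_keys'; then "
                " echo sshd_already_ok; "
                "elif grep -q '^AuthorizedKeysFile' /etc/ssh/sshd_config; then "
                " sed -i '/^AuthorizedKeysFile/s|$| .ssh/authorized_keys|' /etc/ssh/sshd_config && "
                " sshd -t && systemctl reload sshd && "
                " echo sshd_modified; "
                "else "
                # Directive must come from a drop-in we did not edit: report instead of claiming OK
                " echo sshd_dropin_needs_manual_fix; "
                "fi"
            )
            # … unchanged: run_on_node call and result printing (add a branch for sshd_dropin_needs_manual_fix) …
```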