Nova cold migration: configuring passwordless SSH trust for the nova user

In OpenStack, cold migration of a virtual machine is performed by the nova user copying the image files to the destination host with scp. This requires key-based mutual trust for the nova user between all nodes (e.g. compute81, compute82, compute83). The procedure is as follows:

Option 1:

# Check the nova user's account

[root@linux-node1 ~]# cat /etc/passwd|grep nova

nova:x:162:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin

# /sbin/nologin means the nova user currently cannot log in to a bash shell


# Change nova's login shell to bash
[root@linux-node1 ~]# usermod -s /bin/bash nova
# Check the result
[root@linux-node1 ~]# cat /etc/passwd|grep nova
nova:x:162:162:OpenStack Nova Daemons:/var/lib/nova:/bin/bash


# Set a password for the nova user

[root@linux-node1 ~]# passwd nova
Changing password for user nova.
New password: nova
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: nova

passwd: all authentication tokens updated successfully.


# Switch to the nova user
[root@linux-node1 ~]# su - nova
# Generate a key pair
-bash-4.2$  ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/nova/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /var/lib/nova/.ssh/id_rsa.
Your public key has been saved in /var/lib/nova/.ssh/id_rsa.pub.
The key fingerprint is:
1a:58:b0:cf:b7:df:9d:c3:e6:47:09:26:e1:2b:42:b5 nova@compute83
The key's randomart image is:


# Copy the public key to the other compute nodes

ssh-copy-id -i .ssh/id_rsa.pub nova@compute82

ssh-copy-id -i .ssh/id_rsa.pub nova@compute83


# Verify that ssh to the target hosts works without a password

-bash-4.2$ ssh nova@compute82

-bash-4.2$ ssh nova@compute83

# Repeat the above process on the other hosts


Option 2:

With many nodes the above process becomes tedious, and whenever a new node joins, every existing node has to establish trust with it. A simpler approach is for all nodes to share a single key pair.

This example uses three nodes: compute81, compute82 and compute83.

# Generate the key pair on compute81

-bash-4.2$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/nova/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /var/lib/nova/.ssh/id_rsa.
Your public key has been saved in /var/lib/nova/.ssh/id_rsa.pub.
The key fingerprint is:
2b:84:f9:39:0f:3e:f1:2b:4e:26:a2:f4:52:b4:20:d8 nova@compute81
The key's randomart image is:

# On compute81, create a config file under /var/lib/nova/.ssh with the following content

Host *
    StrictHostKeyChecking no
# This suppresses the host-key confirmation prompt on the first ssh to a node (and with it host-key verification)


# Generate the authorized_keys file on compute81

ssh-copy-id nova@compute81


# Copy authorized_keys, config and id_rsa from compute81 to the other nodes

scp authorized_keys config id_rsa nova@compute82:~/.ssh/

scp authorized_keys config id_rsa nova@compute83:~/.ssh/


# At this point all nodes trust each other and can log in to one another without a password. The key-based login works as follows:

The initiating side proves possession of its private key (id_rsa), and the peer verifies this against the public key stored in authorized_keys. Since every node holds the same key pair, the verification succeeds in both directions and mutual trust is established.

During verification it was also observed that if authorized_keys contains several public keys, they are tried one after another, much like iptables rules, until one verifies.
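Once the files from Option 2 have been copied to a node, a quick check of what sshd will actually accept saves debugging time. The following is an added example, not code from the original post: a POSIX sh function that checks the permissions sshd requires on ~/.ssh, authorized_keys and id_rsa, checks that the node's own public key is listed in authorized_keys, and reports when the config disables host-key checking. The directory to check is passed as an argument; the key material used in testing is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a nova user's
# .ssh directory after authorized_keys/config/id_rsa were copied to a node,
# judging it the way sshd will before it accepts a public key.

# Prints "ok" or a space-separated list of problems for the .ssh directory $1.
check_nova_ssh_dir() {
    dir=$1; problems=""
    # sshd ignores authorized_keys when ~/.ssh or the file itself is
    # group/world accessible; ssh refuses a private key with open permissions
    for f in "$dir" "$dir/authorized_keys" "$dir/id_rsa"; do
        [ -e "$f" ] || { problems="$problems missing:$(basename "$f")"; continue; }
        go_bits=$(ls -ld "$f" | cut -c5-10)   # group+other permission bits
        [ "$go_bits" = "------" ] || problems="$problems perms:$(basename "$f")"
    done
    # With one shared key pair, every node's own public key must be in
    # authorized_keys, otherwise the other nodes cannot log in to this one
    if [ -f "$dir/id_rsa.pub" ] && [ -f "$dir/authorized_keys" ]; then
        pub=$(cut -d' ' -f1,2 "$dir/id_rsa.pub")   # key type + base64 blob
        grep -qF "$pub" "$dir/authorized_keys" || problems="$problems pubkey-not-authorized"
    fi
    # "StrictHostKeyChecking no" (as in the post's config) turns off host-key
    # verification; report it so the operator knows the trade-off was made
    if [ -f "$dir/config" ] && grep -qi 'StrictHostKeyChecking *no' "$dir/config"; then
        problems="$problems hostkey-checking-disabled"
    fi
    [ -z "$problems" ] && echo ok || echo "$problems" | sed 's/^ //'
}

# Usage: ./check_nova_ssh.sh /var/lib/nova/.ssh
if [ $# -gt 0 ]; then
    check_nova_ssh_dir "$1"
fi
```

Run it as the nova user on each node after the scp step; any output other than "ok" points at the file sshd will complain about in /var/log/secure.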
