Create and insert private key on a VM when provisioning


#1

Hi,

I want to create an SSH key pair when provisioning a VM and copy the private part to the user’s home folder. It looks to me like this is the type of task that can be done with the State Machine.
Is the State Machine the right approach?
Has anyone done something like this so I can learn from it?

Ramon


#2

It really all depends on the back-end provider. There are literally many different answers to this. For VMware you may want to look at the VIX API StartProgramInGuest, which allows you to run a script remotely and pass arguments. In OpenStack you could leverage cloud-init to do some post work for you, as well as in RHEV with the latest release. Sometimes the best answer is: why not do this with some sort of post-configuration management tool like Puppet, Chef or Salt, once the VM is provisioned/cloned or what have you. This way, regardless of what you are using to control your provisioning lifecycle, you have one component that can serve multiple methods of deployment or hypervisor type.


#3

Thanks for your answer.
The provider is oVirt, and we are also using Puppet already for many tasks in the infrastructure. The question is, if I do it with Puppet or cloud-init, I still need a way of triggering the process of dropping the key in the new VM.
In that sense I imagine that I could modify the current post-provision state to trigger the Puppet task. Is this a good approach?

Ramon


#4

That’s how I have seen it in the past. Insert a step in the workflow for the Puppet kick-off. IMO, if there is a provision process happening, I don’t want CloudForms/ManageIQ to say it completed when there are some other components still being kicked off. For example, I would kick off the Puppet process, and then have a step to check to see if it completed. Then I would add a retry within this method to keep retrying until it receives a return message of success or fail. If fail, then MIQ_ABORT; if success, then go to the next step. This way, if you are using emails in the last step of the provisioning workflow, then when the user gets the email it is completed to the point that they can start using it. This works for many cases, and there are times where you would actually want CloudForms and Puppet to be two completely different processes. It all depends on your use case in the end. If you have auto-signing of Puppet keys for each host, then you can just do so at that time to push out the config changes. Others may do it with cloud-init, but you get the point. Leverage what you can from what is being used in the enterprise so you don’t have to reinvent the wheel.


#5

Hi,

It depends on your use case. Do you want to create a brand new key pair for each machine? Then, how do you manage who owns what key pair(s)? If you want a user to be able to connect to his virtual machine once the virtual machine is provisioned, you may want to use different methods: IPA (with or without AD Trust) with Kerberos, IPA with key pairs, Puppet that would deploy your keys, etc.

A simple way to go is to have the CloudForms SSH public key in your VM template, and in a post-provision state you connect to your VM and set it up. This requires waiting for the VM to be up, so I would add a new state right after “CheckProvisioned”, maybe called “WaitForSsh”, that just waits for SSH to be available (returns something other than 255 when trying to connect). And then you can add a state called “InstallSshKeys” that uploads the keys through SCP.

Hope this helps.
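The “WaitForSsh” state described above, with the retry-until-success-or-abort loop from #4, sketched as an added example in Ruby (the language of ManageIQ Automate methods); this is not code from the thread or from the ManageIQ/CloudForms project. It assumes the CloudForms public key is already in the template as described; the `ae_result` / `ae_retry_interval` keys are ManageIQ’s own retry conventions on `$evm.root`, while the host address, `FakeStatus` and the injectable `runner` hook are constructed so the method can be exercised without a VM.

```ruby
require 'open3'

# ssh(1) exits with 255 only when it could not connect or authenticate;
# any other status means the guest answered and actually ran the command.
SSH_CONNECT_FAILED = 255

# Probe the guest once with the CloudForms key already in the template.
# BatchMode=yes guarantees no interactive prompt can hang the state.
# StrictHostKeyChecking=accept-new (OpenSSH 7.6+) pins the host key on
# first contact so a later change is detected; use a key collected from the
# provider instead if you have one.
# runner: callable taking argv and returning [stdout, stderr, status];
# defaults to a real ssh and is injectable for running without a VM.
def probe_ssh(host, user: 'root', timeout: 5, runner: nil)
  argv = ['ssh', '-o', 'BatchMode=yes', '-o', "ConnectTimeout=#{timeout}",
          '-o', 'StrictHostKeyChecking=accept-new', "#{user}@#{host}", 'true']
  runner ||= ->(cmd) { Open3.capture3(*cmd) }
  _out, _err, status = runner.call(argv)
  status.exitstatus
end

# Turn the exit status plus the retry count into a state-machine decision.
# A guest that never answers is aborted instead of being retried forever.
def ssh_decision(exit_status, retries_so_far, max_retries: 20)
  return :ready unless exit_status == SSH_CONNECT_FAILED
  retries_so_far >= max_retries ? :abort : :retry
end

# Record the decision on the automate root object. In ManageIQ this is
# $evm.root; a plain Hash stands in when the method runs outside the appliance.
def apply_decision(root, decision, retry_interval: 30)
  case decision
  when :retry
    root['ae_result'] = 'retry'
    root['ae_retry_interval'] = retry_interval
  when :abort
    root['ae_result'] = 'error'   # provisioning stops; no "ready" mail is sent
  else
    root['ae_result'] = 'ok'      # next state (InstallSshKeys) may run
  end
  root
end

# Constructed stand-alone run: a fake runner pretending the guest is still booting.
if __FILE__ == $PROGRAM_NAME
  FakeStatus = Struct.new(:exitstatus)
  booting = ->(_argv) { ['', 'connect to host 192.0.2.10 port 22: Connection refused', FakeStatus.new(255)] }
  root = apply_decision({}, ssh_decision(probe_ssh('192.0.2.10', runner: booting), 3))
  puts root.inspect  # {"ae_result"=>"retry", "ae_retry_interval"=>30}
end
```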


#6

The public key is what should be posted to the VM.
If you generate the public/private key pair, oVirt supports accepting the public SSH key as part of the VM config and will pass it to cloud-init, which will put it in the right place.
So, IIUC, you just need CFME to support passing the public SSH key to oVirt.