migrate accounts


Scott Givan

Oct 26, 2017, 4:29:57 PM
to rocks7-beta
Is there a recommended procedure for migrating accounts from rocks 6 to rocks 7? I transferred lines from passwd, shadow, group and auto.home for a user from a rocks6 to a rocks7 cluster. It mostly worked, I could log into the head node and all my stuff was there, but I couldn't log into cluster nodes without entering a password. I "fixed" that by running ssh-keygen and appending the new public key to the authorized_keys file. Will I have to do that for all the users I transfer?

Cooper, Trevor

Oct 26, 2017, 5:23:06 PM
to Scott Givan, rocks7-beta
It depends...

The lowest UID and GID for user accounts, and conversely the highest UID and GID for service accounts changed between CentOS 6 and 7. The boundary in CentOS 6 was 500 while the boundary in CentOS 7 is 1000.

There are already some changes in the Rocks rolls to deal with this and some have been added more recently to 'fix' 411 to NOT sync service accounts and groups in the standard configuration.

So... part of the behavior may depend on the UID/GID of the users you are trying to transfer and part may depend on the version of the Rocks rolls you have on your beta 7 system (some of these updates/fixes are from this week).

In short...

IF your frontend and all nodes are running the latest rocks7-beta code AS OF TODAY, your transferred user had both UID and GID >= 1000, you brought over all the correct information (/etc/{passwd,shadow,group,gshadow,auto.home}) as well as have access to the user home directory (either by access to external NFS server or copy of /export/home/$USER to your frontend) it should all work.

That said...

I have definitely NOT done this and have only created new accounts in my current test systems.

On another note...

Other recent updates 'fixed' host-based authentication which should be used INSTEAD of self-trusted, password-less SSH keys inside your cluster for all users except the root user.

If attempting to SSH between nodes without self-trusted, password-less SSH keys inside your cluster isn't working you should fix that.

Check by removing all self-trusted, password-less keys from ~/.ssh, drop all keys from a forwarded ssh-agent and explicitly request hostbased auth.

For example...

[testuser@rocks7-beta ~]$ ssh-add -D
All identities removed.

[testuser@rocks7-beta ~]$ find ~/.ssh -name "id*"

[testuser@rocks7-beta ~]$ ssh -o HostbasedAuthentication=true \
-o HostbasedKeyTypes=ssh-rsa rocks7-beta-03

Last login: Thu Oct 26 14:16:00 2017 from rocks7-beta.local
Rocks Compute Node
Rocks 7.0 (Manzanita)
Profile built 08:58 26-Oct-2017

Kickstarted 09:05 26-Oct-2017

[testuser@rocks7-beta-03 ~]$


If this doesn't work iterate the last command with increasing verbosity to track down the problem.

Hope this helps,
Trevor


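A pre-flight check for the points raised in the reply above, as an added example that is not part of the thread and is not Rocks code: it flags a transferred account whose UID or GID falls below the CentOS 7 boundary of 1000 and reports which of the five files lacks an entry. The directory layout (copies of the old frontend's files in one directory), the function names and the sample accounts are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. SRC is a directory holding copies of the
# old frontend's passwd, shadow, group, gshadow and auto.home (assumed layout).
MIN_ID=1000   # CentOS 7 boundary between service and user IDs, per the thread

has_key() {   # has_key KEY FILE SEP: is KEY the first field of some line?
    awk -F"$3" -v k="$1" '$1 == k { found = 1 } END { exit !found }' "$2" 2>/dev/null
}

check_account() {   # check_account USER SRC: print one finding per line
    local user="$1" src="$2" ids uid gid grp
    ids=$(awk -F: -v u="$user" '$1 == u { print $3, $4; exit }' "$src/passwd")
    if [ -z "$ids" ]; then echo "MISSING passwd"; return 0; fi
    uid=${ids% *}; gid=${ids#* }
    if [ "$uid" -lt "$MIN_ID" ]; then echo "LOW_UID $uid"; fi
    if [ "$gid" -lt "$MIN_ID" ]; then echo "LOW_GID $gid"; fi
    has_key "$user" "$src/shadow" : || echo "MISSING shadow"
    has_key "$user" "$src/auto.home" ' ' || echo "MISSING auto.home"
    # group and gshadow are keyed by the primary group's name, not the user's
    grp=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$src/group")
    if [ -z "$grp" ]; then echo "MISSING group"; return 0; fi
    has_key "$grp" "$src/gshadow" : || echo "MISSING gshadow"
    return 0
}

make_sample() {   # constructed sample data, not real accounts or hosts
    mkdir -p "$1"
    printf '%s\n' 'alice:x:1001:1001::/home/alice:/bin/bash' \
                  'bob:x:512:512::/home/bob:/bin/bash' > "$1/passwd"
    printf '%s\n' 'alice:!!:17465:0:99999:7:::' \
                  'bob:!!:17465:0:99999:7:::' > "$1/shadow"
    printf '%s\n' 'alice:x:1001:' 'bob:x:512:' > "$1/group"
    printf '%s\n' 'alice:!::' > "$1/gshadow"          # bob's line was not copied
    printf '%s\n' 'alice fs.local:/export/home/alice' \
                  'bob fs.local:/export/home/bob' > "$1/auto.home"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
for u in alice bob; do
    echo "== $u"
    check_account "$u" "$demo_dir"   # no output means nothing was flagged
done
rm -rf "$demo_dir"
```
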

Scott Givan

Oct 26, 2017, 6:50:06 PM
to rocks7-beta
This is great info. Thanks.

The GID for this particular account is below 1000. I didn't transfer anything from gshadow (I didn't even know it existed). And, my rolls are from yesterday, so they aren't the latest. My home directories are via NFS, so for now I can cross mount them between the two clusters.

So, I've got some things to work on.

Scott Givan

Oct 30, 2017, 9:52:59 AM
to rocks7-beta
I transferred the appropriate lines in passwd, shadow, group, gshadow and auto.home from a rocks 6 machine to a rocks 7 beta machine. I can confirm that it allows the user to login to the rocks 7 beta head node (using a password) and to the compute nodes (without using a password). Of course, if you are mounting the home directory from an NFS server, you have to make sure the home directory is available in the rocks 7 beta private network and can be mounted to the machines within.