Reworked crm report appendix

xml/ha_crmreport_passl.xml

@@ -32,244 +32,40 @@
   data from the current node.
  </para>
  <para>
-  If your security policy does not allow passwordless &rootuser; SSH login, or prevents
-  &rootuser; SSH login entirely, then running <command>crm report</command> as &rootuser;
-  fails on all remote nodes. If the cluster was initialized by a non-root user with
-  <command>sudo</command> privileges, this user can run cluster reports successfully
-  under these restrictions. However, if the cluster was initialized by the &rootuser; user,
-  you must use the following workaround to run cluster reports:
+  If your security policy does not allow passwordless &rootuser; SSH login,
+  then running <command>crm report</command> as &rootuser; fails on all remote nodes.
+  In this case, you can still run cluster reports with one of the following options:
  </para>
- <orderedlist>
-  <listitem>
-   <para>
-    Creating a dedicated local user account (for running
-    <command>crm report</command>).
-   </para>
-  </listitem>
-  <listitem>
-   <para>
-    Configuring passwordless SSH access for that user account, ideally by
-    using a non-standard SSH port.
-   </para>
-  </listitem>
-  <listitem>
-   <para>
-    Configuring <command>sudo</command> for that user.
-   </para>
-  </listitem>
-  <listitem>
-   <para>
-    Running <command>crm report</command> as
-    that user.
-   </para>
-  </listitem>
- </orderedlist>
-
- <sect1 xml:id="sec-crmreport-nonroot-user">
-  <title>Creating a local user account</title>
-
-  <para>
-   The following example creates a local user named
-   <systemitem class="username">hareport</systemitem> from command line. The
-   password can be anything that meets your security requirements.
-   Alternatively, you can create the user account and set the password with
-   &yast;.
-  </para>
-
-  <procedure>
-   <title>Creating a dedicated user account for running cluster reports</title>
-   <step>
-    <para>
-     Start a shell and create a user
-     <systemitem class="username">hareport</systemitem> with a home
-     directory <filename>/home/hareport </filename>:
-    </para>
-<screen>&prompt.root;<command>useradd -m -d /home/hareport -c "HA Report" hareport</command></screen>
-   </step>
-   <step>
-    <para>
-     Set a password for the user:
-    </para>
-<screen>&prompt.root;<command>passwd hareport</command></screen>
-   </step>
-   <step>
-    <para>
-     When prompted, enter and re-enter a password for the user.
-    </para>
-   </step>
-  </procedure>
-
-  <important>
-   <title>Same user is required on each cluster node</title>
-   <para>
-    To create the same user account on all nodes, repeat the steps above on
-    each cluster node.
-   </para>
-  </important>
- </sect1>
- <sect1 xml:id="sec-crmreport-nonroot-ssh">
-  <title>Configuring a passwordless SSH account</title>
-
-    <procedure>
-   <title>Configuring the SSH daemon for a non-standard port</title>
-   <para>
-    By default, the SSH daemon and the SSH client talk and listen on port
-    <literal>22</literal>. If your network security guidelines require the
-    default SSH port to be changed to an alternate high numbered port, you
-    need to modify the daemon's configuration file
-    <filename>/etc/ssh/sshd_config</filename>.
-   </para>
-   <step>
-    <para>
-     To modify the default port, search the file for the
-     <literal>Port</literal> line, uncomment it and edit it according to
-     your wishes. For example, set it to:
-    </para>
-<screen>Port 5022</screen>
-   </step>
-   <step>
-    <para>
-     If your organization does not permit the &rootuser; user to access
-     other servers, search the file for the
-     <literal>PermitRootLogin</literal> entry, uncomment it and set it to
-     <literal>no</literal>:
-    </para>
-<screen>PermitRootLogin no</screen>
-   </step>
-   <step>
-    <para>
-     Alternatively, add the respective lines to the end of the file by
-     executing the following commands:
-    </para>
-<screen>&prompt.root;<command>echo “PermitRootLogin no” &gt;&gt; /etc/ssh/sshd_config</command>
-&prompt.root;<command>echo “Port 5022” &gt;&gt; /etc/ssh/sshd_config</command></screen>
-   </step>
-   <step>
-    <para>
-     After modifying <filename>/etc/ssh/sshd_config</filename>, restart the
-     SSH daemon to make the new settings take effect:
-    </para>
-<screen>&prompt.root;<command>systemctl restart sshd</command></screen>
-   </step>
-  </procedure>
-
-  <important>
-   <title>Same settings are required on each cluster node</title>
-   <para>
-    Repeat the SSH daemon configuration above on each cluster node.
-   </para>
-  </important>
-
-  <procedure>
-   <title>Configuring the SSH client for a non-standard port</title>
-   <para>
-    If the SSH port change is going to be made on all nodes in the cluster,
-    it is useful to modify the SSH configuration file,
-    <filename>/etc/ssh/sshd_config</filename>.
-    </para>
-   <step>
-    <para>
-     To modify the default port, search the file for the
-     <literal>Port</literal> line, uncomment it and edit it according to
-     your wishes. For example, set it to:
-    </para>
-<screen>Port 5022</screen>
-   </step>
-   <step>
-    <para>
-     Alternatively, add the respective line to the end of the file by
-     executing the following commands:
-    </para>
-<screen>&prompt.root;<command>echo “Port 5022” &gt;&gt; /etc/ssh/ssh_config</command></screen>
-   </step>
-  </procedure>
-
-  <note>
-   <title>Settings only required on one node</title>
-   <para>
-    The SSH client configuration above is only needed on the node on which
-    you want to run the cluster report.</para>
-   <para>Alternatively, you can use the <option>-X</option> option to run the
-    <command>crm report</command> with a custom SSH port or even make
-    <command>crm report</command> use your custom SSH port by default. For
-    details, see <xref linkend="pro-crmreport-custom-ssh"/>.</para>
-  </note>
-
-  <procedure>
-   <title>Configuring shared SSH keys</title>
-   <para>
-    You can access other servers using SSH and not be asked for a
-    password. While this may appear insecure, it is actually
-    a secure access method since the users can only access servers that
-    their public key has been shared with. The shared key must be created as
-    the user that will use the key.
-   </para>
-   <step>
-    <para>
-     Log in to one of the nodes with the user account that you have created
-     for running cluster reports (in our example above, the user account was
-     <systemitem class="username">hareport</systemitem>).
-    </para>
-   </step>
-   <step>
-    <para>
-     Generate a new key:
-    </para>
-<screen><prompt role="user">hareport &gt; </prompt>ssh-keygen -t rsa</screen>
-    <para>
-     This command generates a 2048 bit key by default. The default
-     location for the key is <filename>~/.ssh/</filename>. You are asked to
-     set a passphrase on the key. However, do not enter a passphrase because
-     for passwordless login there must not be a passphrase on the key.
+ <itemizedlist>
+   <listitem>
+     <para>
+       If the cluster was initialized by a non-root user with <command>sudo</command>
+       privileges, this user can run cluster reports.
      </para>
-   </step>
-   <step>
-    <para>
-     After the keys have been generated, copy the public key to
-     <emphasis>each</emphasis> of the other nodes
-     (<emphasis>including</emphasis> the node where you created the key):
-    </para>
-<screen><prompt role="user">hareport &gt; </prompt>ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>HOSTNAME_OR_IP</replaceable></screen>
-    <para>
-     In the command, you can either use the DNS name for each server, an
-     alias, or the IP address. During the copy process you will be asked to
-     accept the host key for each node, and you will need to provide the
-     password for the <systemitem class="username">hareport</systemitem>
-     user account (this will be the only time you need to enter it).
-    </para>
-   </step>
-   <step>
-    <para>
-     After the key is shared to all cluster nodes, test if you can log in as
-     user <systemitem class="username">hareport</systemitem> to the other
-     nodes by using passwordless SSH:
+   </listitem>
+   <listitem>
+     <para>
+       If the cluster was initialized by the &rootuser; user, you can create a
+       dedicated non-root user to run cluster reports.
      </para>
-<screen><prompt role="user">hareport &gt; </prompt>ssh <replaceable>HOSTNAME_OR_IP</replaceable></screen>
-    <para>
-     You should be automatically connected to the remote server without
-     being asked to accept a certificate or enter a password.
-    </para>
-   </step>
-  </procedure>
+   </listitem>
+ </itemizedlist>
+ <para>
+  The following procedure describes how to give a non-root user limited privileges so
+  that it can use <command>sudo</command> to run <command>crm report</command>, but
+  otherwise has no <command>sudo</command> access.
+ </para>
 
-  <note>
-   <title>Settings only required on one node</title>
-   <para>
-    If you intend to run the cluster report from the same node each time, it
-    is sufficient to execute the procedure above on this node only.
-    Otherwise repeat the procedure on each node.
-   </para>
-  </note>
- </sect1>
  <sect1 xml:id="sec-crmreport-nonroot-sudo">
-  <title>Configuring <command>sudo</command></title>
+  <title>Configuring limited <command>sudo</command> privileges for a non-root user</title>
 
   <para>
    The <command>sudo</command> command allows a regular user to quickly
    become &rootuser; and issue a command, with or without providing a
    password. Sudo access can be given to all root-level commands or to
-   specific commands only. Sudo typically uses aliases to define the entire
-   command string.
+   specific commands only. This procedure describes how to configure <command>sudo</command>
+   privileges only for the specific commands required to run cluster reports.
+   Sudo typically uses aliases to define the entire command string.
   </para>
 
   <para>
@@ -287,7 +83,30 @@
    </para>
   </warning>
 
+  <itemizedlist>
+    <title>Requirements</title>
+    <listitem>
+      <para>
+        A non-root user with no <command>sudo</command> privileges. The following
+        procedure uses an example user called <systemitem class="username">hareport</systemitem>.
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        The user <systemitem class="username">hareport</systemitem> exists on all
+        nodes in the cluster.
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        The user <systemitem class="username">hareport</systemitem> can access all
+        other nodes in the cluster via passwordless SSH.
+      </para>
+    </listitem>
+  </itemizedlist>
+
   <procedure>
+   <title>Configuring limited <command>sudo</command> privileges for a non-root user</title>
    <step>
     <para>
      Log in as &rootuser;.
@@ -301,7 +120,7 @@
    </step>
    <step>
     <para> Look for the following categories: <literal>Host alias
-      specification</literal>,<literal>User alias specification</literal>,
+      specification</literal>, <literal>User alias specification</literal>,
       <literal>Cmnd alias specification</literal>, and <literal>Runas alias
       specification</literal>. </para>
    </step>
@@ -327,10 +146,7 @@ Runas_Alias R = root <co xml:id="ha-sudoers-runas-alias"/></screen>
      <callout arearefs="ha-sudoers-user-alias">
       <para>
        The user alias allows you to add multiple local user accounts to a
-       single alias. However, in this case you could avoid creating an alias since
-       only one account is being used. In the example above, we added the
-       <systemitem class="username">hareport</systemitem> user which we have
-       created for running cluster reports.
+       single alias. However, in this case only one account is being used.
       </para>
      </callout>
      <callout arearefs="ha-sudoers-cmd-alias">
@@ -346,7 +162,7 @@ Runas_Alias R = root <co xml:id="ha-sudoers-runas-alias"/></screen>
      <callout arearefs="ha-sudoers-runas-alias">
       <para>
        The <literal>runas</literal> alias specifies the account that the command will be run
-       as. In this case &rootuser;.
+       as, in this case &rootuser;.
       </para>
      </callout>
     </calloutlist>
@@ -391,37 +207,5 @@ ALL     ALL=(ALL) ALL
    </para>
   </important>
  </sect1>
- <sect1 xml:id="sec-crmreport-nonroot-execute">
-  <title>Generating a cluster report</title>
-  <para>To run cluster reports with the settings you have configured above, you need to be logged
-   in to one of the nodes as user <systemitem class="username">hareport</systemitem>.
-   To start a cluster report, use the <command>crm report</command> command.
-   For example: </para>
-  <screen><prompt role="user">hareport &gt; </prompt><command>sudo crm report -f 0:00 -n "&node1; &node2; &node3;"</command></screen>
-  <para>This command extracts all information since <literal>0 am</literal> on the named nodes
-   and create a <literal>*.tar.bz2</literal> archive named
-     <filename>pcmk-<replaceable>DATE</replaceable>.tar.bz2</filename> in
-     the current directory.</para>
-  <procedure xml:id="pro-crmreport-custom-ssh">
-   <title>Generating a cluster report using a custom SSH port</title>
-   <step>
-    <para>When using a custom SSH port, use the <option>-X</option> with
-     <command>crm report</command> to modify the client's SSH port. For example,
-     if your custom SSH port is <literal>5022</literal>, use the following
-     command:</para>
-    <screen>&prompt.root;<command>crm report -X "-p 5022" [...]</command></screen>
-   </step>
-   <step>
-    <para>To set your custom SSH port permanently for
-     <command>crm&nbsp;report</command>, start the interactive &crmshell;:</para>
-     <screen>&prompt.root;<command>crm options</command></screen>
-   </step>
-   <step>
-    <para>
-     Enter the following:
-    </para>
-    <screen>&prompt.crm.opt;<command>set core.report_tool_options "-X -oPort=5022"</command></screen>
-   </step>
-  </procedure>
-   </sect1>
+
 </appendix>

xml/ha_hawk2_health_i.xml

@@ -35,8 +35,7 @@
   details. To verify cluster health and generate the report, &hawk2; requires
   passwordless SSH access between the nodes. Otherwise, it can only collect data
   from the current node. If you have set up your cluster with the bootstrap scripts,
-  which are provided by the &crmshell;, passwordless SSH access is already configured. If you need to
-  configure it manually, see <xref linkend="sec-crmreport-nonroot-ssh"/>.
+  which are provided by the &crmshell;, passwordless SSH access is already configured.
  </para>
 
  <procedure>

xml/ha_hawk2_monitor_i.xml

@@ -109,8 +109,7 @@
    To monitor multiple clusters, use the &hawk2; <guimenu>Dashboard</guimenu>.
    The cluster information displayed in the <guimenu>Dashboard</guimenu> screen
    is stored on the server side. It is synchronized between the cluster nodes (if
-   passwordless SSH access between the cluster nodes has been configured). For
-   details, see <xref linkend="sec-crmreport-nonroot-ssh"/>. However, the
+   passwordless SSH access between the cluster nodes has been configured). However, the
    machine running &hawk2; does not even need to be part of any
    cluster for that purpose&mdash;it can be a separate, unrelated system.
   </para>