Comments (8)
Actually, ssh-copy-id doesn't let us specify an identity to use when connecting, so it might not work in the vagrant case.
Private key should go in /etc/flocker/private_key and then we can use permissions to ensure it's only root readable as first pass. And then code that needs to ssh to other nodes (typically the volume manager) can explicitly state the credentials it wants, which should make for less error prone functionality.
from flocker.
This should probably be done in three parts.
- Generate a key on each node to report back to the orchestrator.
- Add keys reported by the orchestrator from other nodes to authorized_keys.
- Write a wrapper program that prevents the added keys from doing arbitrary things.
from flocker.
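An added example, not code from this thread or from the Flocker project: one way to do steps two and three of the plan above, installing a reported public key so that sshd forces it through a wrapper, plus the allowlist check such a wrapper would apply to `SSH_ORIGINAL_COMMAND`. The wrapper path, the `flocker-volume` allowlist entry and the sample key are assumptions; the home directory is a parameter so it can be pointed at a sandbox.

```python
import os
import shlex

# authorized_keys options that leave the key able to do nothing but run the forced command.
RESTRICTIONS = "no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"
WRAPPER = "/usr/local/bin/flocker-ssh-wrapper"   # hypothetical install path
ALLOWED = {"flocker-volume"}                     # assumed: the only program peers may run


def authorized_keys_line(public_key, wrapper=WRAPPER):
    """Build an entry that forces every login with this key through the wrapper."""
    key = public_key.strip()
    if "\n" in key or "\r" in key or len(key.split()) < 2:
        raise ValueError("expected a single-line OpenSSH public key")
    return 'command="%s",%s %s' % (wrapper, RESTRICTIONS, key)


def add_key(home, public_key):
    """Append the restricted entry to <home>/.ssh/authorized_keys, once."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    path = os.path.join(ssh_dir, "authorized_keys")
    line = authorized_keys_line(public_key)
    existing = []
    if os.path.exists(path):
        with open(path) as f:
            existing = f.read().splitlines()
    if line not in existing:
        # Create with 0600 so the file is never group/world accessible.
        fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
        with os.fdopen(fd, "a") as f:
            f.write(line + "\n")
    return path


def permitted_argv(original_command):
    """Return the argv the wrapper may exec (without a shell), or None to refuse."""
    try:
        argv = shlex.split(original_command or "")
    except ValueError:          # unbalanced quotes and similar
        return None
    if not argv or argv[0] not in ALLOWED:
        return None             # includes interactive logins (empty command)
    return argv


if __name__ == "__main__":
    import tempfile
    sample = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleOnly node1"  # constructed
    print(open(add_key(tempfile.mkdtemp(), sample)).read(), end="")
    print(permitted_argv("flocker-volume receive"), permitted_argv("sh -c id"))
```
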
Personally I was thinking of just doing this the stupid insecure way where you have one keypair you share with all of them, on the theory we'll be switching away from SSH within a release or two anyway. And just document "not secure, don't use in production".
from flocker.
Also note there may be some useful code for running openssh in my branch for #16 in a bit.
from flocker.
description updated with more detailed plan
from flocker.
As a testing strategy, use the Conch-based "run an SSH server" code from the volume push branch, point the API at that, and assert that good stuff happens locally as a result.
from flocker.
- One thing that's missing here is which private key is used to SSH in to the nodes from developer laptop. Typically relying on user's existing keys would work... except Vagrant which defaults to a random key it generates. Possibly we can solve this by having the (still to be created) demo Vagrantfile use a real SSH key instead of the random one it uses. File a followup issue to figure that out, pretty sure it's just an easy config option.
- File follow up issue to make our (still to be created) demo Vagrantfile allow ssh'ing in as root. Ditto for being an easy config option. (This and the previous one can be same issue of "configure demo vagrant for easy ssh-ing").
- I'm a bit worried about functional testing strategy that can make developer desktops insecure if they're not using vagrant... I suggest having the root directory being an input to the entry point function, so you can run the tests against a sandbox area instead of global root directory.
- I suggest storing the keypair in ~/.flocker/ on the admin laptop.
- Please use GSSAPIAuthentication=no, otherwise our demo will be super slow on Ubuntu desktops.
In general sounds good, please proceed.
from flocker.
I suggest having the root directory being an input to the entry point function, so you can run the tests against a sandbox area instead of global root directory.
I won't write any kind of tests that actually modify anything in /root or /etc. The Conch server used by the functional tests can give the root user an alternate home - something from TestCase.mktemp() most likely. Then using the relative path .ssh/authorized_keys should be sufficient for the tests and real usage. Hmm. Using the same solution for /etc/flocker would mean using paths like ../etc/flocker which encodes assumptions about root's home directory...
Putting the key in root's home directory instead of /etc/flocker would side step this problem.
Please use GSSAPIAuthentication=no, otherwise our demo will be super slow on Ubuntu desktops.
Argh argh argh argh argh.
from flocker.