Closed Bug 879769 Opened 12 years ago Closed 11 years ago

imaging processes should not regenerate SSH host keys

Categories: Infrastructure & Operations :: RelOps: Puppet
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED WONTFIX
People: Reporter: dustin, Unassigned

Details

I've been reimaging bld-lion-r5-003 recently, and just realized I haven't gotten any warnings about the host key, because it's not changing. Aside from a few edge cases (e.g., multiple hosts in a pool accepting ssh connections), every host should have a different host key. So this should be fixed in the imaging process.
I don't so much care if all hosts have different host keys, but each host should keep the *same* host key through a reimage.
Joe? There's some convenience to having hosts keep the same key, and the only practical way to accomplish that is for all hosts to have the same single key.
Flags: needinfo?(jstevensen)
Or to store the keys in a db of some sort and have them reloaded onto the machine after each image.
I'd be leery of storing a whole pile of private keys in one database.
Per :kang, a single host key across the pool is the best solution. So, we should fix a pub/pvt key pair at whatever level of granularity is easiest, and install it. We should do that with puppet, since this should *not* apply to non-slaves.
Assignee: server-ops-releng → dustin
Flags: needinfo?(jstevensen)
Summary: mac imaging process should regenerate SSH host keys → imaging processes should not regenerate SSH host keys
Component: Server Operations: RelEng → RelOps
Product: mozilla.org → Infrastructure & Operations
Severity: normal → enhancement
I think that the design would be to add a slave_ssh_host_key/slave_ssh_host_key_pub secret pair, and if those are nonempty, set them when puppet runs, but only on slaves. Not a high priority, so I'm unassigning from myself.
Assignee: dustin → relops
Component: RelOps → RelOps: Puppet
QA Contact: arich → dustin
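The design sketched in the comment above (a secret pair that is installed only when nonempty, and only on slaves), written out as a Puppet class. This is an added example, not code from the bug or from Mozilla's puppet repository. Assumed, and not on the page: the secrets are read through Hiera `lookup()` under the names given in the comment, a fact `is_slave` marks build slaves, and sshd uses the RSA key at `/etc/ssh/ssh_host_rsa_key`.

```puppet
# Added example; not from the bug or from Mozilla's puppet tree.
# Assumptions (labelled): secrets come from Hiera under the names used in
# the comment, $facts['is_slave'] marks build slaves, and sshd reads the
# RSA host key from /etc/ssh/ssh_host_rsa_key.
class ssh_host_key::persistent {
  # Empty defaults mean "no fixed key configured": leave the host alone.
  $key     = lookup('slave_ssh_host_key',     { 'default_value' => '' })
  $key_pub = lookup('slave_ssh_host_key_pub', { 'default_value' => '' })

  service { 'sshd':
    ensure => running,
  }

  # Only slaves get the fixed pair; every other host keeps the per-host
  # key generated at first boot.
  if $facts['is_slave'] and $key != '' and $key_pub != '' {
    file { '/etc/ssh/ssh_host_rsa_key':
      ensure    => file,
      owner     => 'root',
      group     => 'root',
      mode      => '0600',
      content   => $key,
      show_diff => false,   # keep the private key out of agent logs and reports
      notify    => Service['sshd'],
    }
    file { '/etc/ssh/ssh_host_rsa_key.pub':
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => $key_pub,
      notify  => Service['sshd'],
    }
  }
}
```

`show_diff => false` matters because the agent otherwise records file diffs, and a private key would end up in reports. The trade-off the thread discusses still applies: one key shared across a pool means a client's `known_hosts` entry accepts any host in that pool, so the secret should be scoped to the pool (the "level of granularity" mentioned above) rather than to all slaves everywhere.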
I think this is moot in the era of images.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX