Comments (5)
Tony suggested that we use the "--file" argument to the "nova boot" command for this, if that is working in our current infrastructure. It worked with Essex but gave us problems on Folsom.
We could break this into two problems:
(1) Getting multiple SSH keys into the VM
(2) Copying the SSH keys from inside the VM to set up the proxy login account
For (1) there are a number of ways we could proceed, but probably the cleanest is to use cloud-init. To add multiple keys we would supply a user-data script:
#cloud-config
ssh_authorized_keys:
- ssh-rsa AAAAB3NzaC1...
- ssh-rsa AAAAB3NzaC1...
... etc.
For (2) we could use guestfish. Here is a command that copies out all of the SSH authorized keys in all of the user accounts in the VM 'instance-00000034':
$ guestfish --ro -d instance-00000034 -i glob cat /home/*/.ssh/authorized_keys
Since we don't know when keys inside the VM have been added or changed, we'd probably want to run this command in a cron job every few minutes for every VM. It appears to take about 5 seconds per VM to complete.
Some advantages to doing it this way:
- Requires very little code/setup - just a cron job on the nodes, and a script to generate the user-data
- Lets us get rid of a hack to nova-compute where we intercept the key so that we can set up the proxy login account
The user-data you're creating for cloud-init is in YAML format? If so, then it should be straightforward to add this to sync_slivers.py:get_userdata().

My only concern is copying out all of the keys in all of the user accounts inside the VM. I would be worried about VMs creating account names that conflict, either unintentionally or intentionally (as some sort of spoofing or DoS attempt).

I would also anticipate some leakage of nuisance accounts that weren't intended to be reachable via the NAT interface. For example, the log aggregation server had an account that was used by HPC nodes to deposit their logs via rsync over SSH. In an XOS world, that could have been implemented via a private network between HPC and the log server. (We're not setting up the log server on XOS, so it's a moot point, just an example of potential configuration.)
Scott
On Thu, Mar 12, 2015 at 8:24 AM, Andy Bavier wrote:
We could stick with copying out keys in the default user accounts (e.g., ubuntu). This is easy right now since the only images we support are Ubuntu images.
That sounds like a plan. Even in the Centos-5.5 image, I named the default user 'ubuntu'.
Scott
On Thu, Mar 12, 2015 at 12:27 PM, Andy Bavier wrote:
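The two-part scheme worked out in this thread (cloud-init user-data carrying several keys in, guestfish reading the default user's authorized_keys back out for the proxy login account, restricted to the 'ubuntu' account as agreed above), written out as an added example. This is not XOS code and not code posted by anyone in the thread; the function names are hypothetical, the default guest user is assumed to be 'ubuntu', and guestfish is called through an injectable runner so the parsing can be exercised on a constructed sample without libguestfs installed. Only bare "type base64 [comment]" lines are accepted, so an authorized_keys line the guest decorated with options (a forced command, say) is not copied into the host-side proxy account as-is.

```python
"""Proxy-key sync sketch: build cloud-init user-data with several SSH keys,
then read the default user's authorized_keys back out of the instance disk
with read-only guestfish and render the proxy account's authorized_keys.

Added example; assumptions: default guest user 'ubuntu', helper names
hypothetical, guestfish invoked through an injectable runner.
"""
import subprocess
from typing import Callable, Dict, Iterable, List, Optional

# OpenSSH public-key types accepted verbatim. Every OpenSSH wire-format blob
# starts with a 4-byte length prefix, so its base64 always begins with "AAAA".
KEY_TYPES = (
    "ssh-rsa",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
)


def is_plain_public_key(line: str) -> bool:
    """True only for a bare 'type base64 [comment]' line. Blank lines,
    comments and lines that start with authorized_keys options
    (command=, environment=, ...) are rejected."""
    parts = line.split()
    return len(parts) >= 2 and parts[0] in KEY_TYPES and parts[1].startswith("AAAA")


def build_cloud_config(keys: Iterable[str]) -> str:
    """Render the #cloud-config user-data from the thread, one list entry
    per key. Keys are validated first so a stray line cannot break the YAML
    or introduce a second top-level directive."""
    lines = ["#cloud-config", "ssh_authorized_keys:"]
    for key in keys:
        key = key.strip()
        if not is_plain_public_key(key):
            raise ValueError("refusing to embed non-key line: %r" % key)
        lines.append("  - %s" % key)
    return "\n".join(lines) + "\n"


def guestfish_argv(instance: str, user: str = "ubuntu") -> List[str]:
    """The read-only guestfish command from the thread, narrowed from
    /home/*/ to the default user's authorized_keys."""
    return ["guestfish", "--ro", "-d", instance, "-i",
            "cat", "/home/%s/.ssh/authorized_keys" % user]


def parse_authorized_keys(text: str) -> List[str]:
    """Turn guestfish 'cat' output into a validated, deduplicated key list
    (first-seen order; duplicates are detected on type+blob, ignoring the
    free-text comment)."""
    seen = set()
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not is_plain_public_key(line):
            continue
        parts = line.split()
        ident = (parts[0], parts[1])
        if ident in seen:
            continue
        seen.add(ident)
        out.append(line)
    return out


def collect_instance_keys(instance: str, user: str = "ubuntu",
                          runner: Optional[Callable[[List[str]], str]] = None) -> List[str]:
    """Run guestfish (or an injected stand-in) for one instance and parse
    the result. A guestfish failure propagates as CalledProcessError."""
    if runner is None:
        def runner(argv: List[str]) -> str:
            return subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return parse_authorized_keys(runner(guestfish_argv(instance, user)))


def render_proxy_authorized_keys(instance_keys: Dict[str, List[str]]) -> str:
    """Render the proxy account's authorized_keys from all instances on the
    node. Each key's comment is replaced by the instance name so the cron job
    can rewrite the file wholesale and keys of deleted instances drop out."""
    lines = []
    for instance in sorted(instance_keys):
        for key in instance_keys[instance]:
            parts = key.split()
            lines.append("%s %s %s" % (parts[0], parts[1], instance))
    return "\n".join(lines) + ("\n" if lines else "")


# Constructed sample of what guestfish 'cat' might return for one instance:
# a comment, two keys, a blank line, a line carrying a forced-command option,
# and a repeat of the first key under a different comment.
SAMPLE_GUEST_OUTPUT = """\
# keys managed by cloud-init
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample1 alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample2 bob@desk

command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample3 automation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample1 alice@other-host
"""

if __name__ == "__main__":
    print(build_cloud_config(["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample1 alice@laptop"]))
    keys = collect_instance_keys("instance-00000034", runner=lambda argv: SAMPLE_GUEST_OUTPUT)
    print(render_proxy_authorized_keys({"instance-00000034": keys}))
```

In the cron job the runner argument is left out so guestfish is really invoked; the injected runner is only for exercising the parser. Rendering the whole proxy authorized_keys file from all instances on each run, rather than appending, is what makes keys disappear again when the guest removes them.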