Can't we keep some secret tokens on master? Or on a separate secret small machine?
This way we can transfer them from master during the creation of the slave. Basically, I'm talking about improving the transfert-to-slave script.

> Davide extended this further with tags: see the readme to easily run
> only the tasks related to a specific task (although we should tag all
> tasks, not done yet).

I might now have explained that in the readme, but the Ansible documentation is clear:
http://docs.ansible.com/ansible/playbooks_tags.html

> FWIW, ECDSA is the future: get a better OS ;-)

+1 :)

Davide

On Wed, Aug 26, 2015 at 12:15 PM, Sanne Grinovero <sa...@hibernate.org> wrote:

> On 25 August 2015 at 14:15, Gunnar Morling <gun...@hibernate.org> wrote:
> > Sanne,
> >
> > When running Ansible to update the CI slaves on OS X, I get the following error:
> >
> > TASK: [jenkins-slave | Ensure cimaster is a known host] ***********************
> > unknown key type ecdsa
> > fatal: [209.132.178.232] => lookup_plugin.pipe(ssh-keyscan -t ecdsa 54.174.65.136) returned 255
> >
> > Can we use another key type than "ecdsa"? Apparently the SSH coming
> > with OS X has no support for it (see [1]) and I'd prefer to use the
> > default version rather than having to install another one.
>
> That line though is just a trick to fetch the existing keys so I guess
> that to change the key type we need to figure out when & how these are
> generated.
> I just checked and it seems like we actually generate (and use) RSA
> keys now; maybe that line is just broken on all platforms (not just on
> OSX)?
> When making changes I only run the related portions of the Ansible
> script, so that might have been broken since a while w/o anyone
> noticing.
> Davide extended this further with tags: see the readme to easily run
> only the tasks related to a specific task (although we should tag all
> tasks, not done yet).
>
> I'm actually quite unhappy with that whole trick to get the generated
> nodes exchange the keys; it doesn't seem like "the Ansible way" as
> it's quite procedural, but I couldn't figure a better way other than
> pre-generate them (and lots of other people have that problem on SO so
> I'd hope it will improve).
> Would you prefer us to pre-generate those keys manually and add them
> to the list of secret tokens which we need to share among maintainers?
> I was trying to keep the list of keys we all need and the preparation
> steps minimal, but agree this one might not be worth the complexity.
>
> FWIW, ECDSA is the future: get a better OS ;-)
>
> Thanks,
> Sanne
>
> >
> > Thanks,
> >
> > --Gunnar
> >
> > [1] http://apple.stackexchange.com/questions/77731/ecdsa-ssh-key-on-10-8-2
> > _______________________________________________
> > hibernate-dev mailing list
> > hibernate-dev@lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/hibernate-dev