On 26 August 2015 at 12:28, Davide D'Alto <dav...@hibernate.org> wrote:
> Can't we keep some secret tokens on master?
> Or on a separate secret small machine?
>
> This way we can transfer them from master during the creation of the slave.
> Basically, I'm talking about improving the transfert-to-slave script.

That's what I proposed in the previous email, but there are tradeoffs
such as having to maintain more secret keys somewhere. I'm not sure
which approach is the lesser evil ;)

Sanne

>
>> Davide extended this further with tags: see the readme to easily run
> only the tasks related to a specific task (although we should tag all
> tasks, not done yet).
>
> I might now have explained that in the readme, but the Ansible documentation
> is clear: http://docs.ansible.com/ansible/playbooks_tags.html
>
>> FWIW, ECDSA is the future: get a better OS ;-)
>
> +1 :)
>
> Davide
>
> On Wed, Aug 26, 2015 at 12:15 PM, Sanne Grinovero <sa...@hibernate.org>
> wrote:
>>
>> On 25 August 2015 at 14:15, Gunnar Morling <gun...@hibernate.org> wrote:
>> > Sanne,
>> >
>> > When running Ansible to update the CI slaves on OS X, I get the
>> > following error:
>> >
>> > TASK: [jenkins-slave | Ensure cimaster is a known host]
>> > ***********************
>> > unknown key type ecdsa
>> > fatal: [209.132.178.232] => lookup_plugin.pipe(ssh-keyscan -t ecdsa
>> > 54.174.65.136) returned 255
>> >
>> > Can we use another key type than "ecdsa"? Apparently the SSH coming
>> > with OS X has no support for it (see [1]) and I'd prefer to use the
>> > default version rather than having to install another one.
>>
>> That line though is just a trick to fetch the existing keys so I guess
>> that to change the key type we need to figure out when & how these are
>> generated.
>> I just checked and it seems like we actually generate (and use) RSA
>> keys now; maybe that line is just broken on all platforms (not just on
>> OSX)?
>> When making changes I only run the related portions of the Ansible
>> script, so that might have been broken since a while w/o anyone
>> noticing.
>> Davide extended this further with tags: see the readme to easily run
>> only the tasks related to a specific task (although we should tag all
>> tasks, not done yet).
>>
>> I'm actually quite unhappy with that whole trick to get the generated
>> nodes exchange the keys; it doesn't seem like "the Ansible way" as
>> it's quite procedural, but I couldn't figure a better way other than
>> pre-generate them (and lots of other people have that problem on SO so
>> I'd hope it will improve).
>> Would you prefer us to pre-generate those keys manually and add them
>> to the list of secret tokens which we need to share among maintainers?
>> I was trying to keep the list of keys we all need and the preparation
>> steps minimal, but agree this one might not be worth the complexity.
>>
>> FWIW, ECDSA is the future: get a better OS ;-)
>>
>> Thanks,
>> Sanne
>>
>> >
>> > Thanks,
>> >
>> > --Gunnar
>> >
>> > [1]
>> > http://apple.stackexchange.com/questions/77731/ecdsa-ssh-key-on-10-8-2
>> > _______________________________________________
>> > hibernate-dev mailing list
>> > hibernate-dev@lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/hibernate-dev
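
The failure reported in this thread, `unknown key type ecdsa` from an `ssh-keyscan` without ECDSA support, can be handled by trying key types in order of preference and recording the first one that works. This is an added example, not part of the thread or of the project's Ansible scripts; the function names, the `KEYSCAN` override and the unhashed known_hosts file are assumptions.

```shell
#!/bin/sh
# Added example: key-type fallback for an "ensure host is known" step.
# KEYSCAN, scan_host_key and ensure_known_host are hypothetical names.
KEYSCAN=${KEYSCAN:-ssh-keyscan}

# Print the known_hosts line(s) for a host, trying each key type in the
# order given. Returns 0 on the first type that yields a key, 1 if none does.
scan_host_key() {
    local host="$1" type out
    shift
    for type in "$@"; do
        # A keyscan that does not know the type exits non-zero
        # ("unknown key type ..."); treat that as "try the next type".
        if out=$("$KEYSCAN" -t "$type" "$host" 2>/dev/null) && [ -n "$out" ]; then
            printf '%s\n' "$out"
            return 0
        fi
    done
    return 1
}

# True if an unhashed known_hosts file already has an entry for the host.
has_known_host() {
    [ -f "$2" ] && awk -v h="$1" '
        { n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h) found = 1 }
        END { exit !found }' "$2"
}

# Append a scanned key only when the host has no entry yet, so repeated
# runs are idempotent and never replace a key that is already trusted.
# The scanned key itself is unauthenticated (trust on first use): compare
# it with a fingerprint obtained out of band before relying on it.
ensure_known_host() {
    local host="$1" file="$2" line
    shift 2
    if has_known_host "$host" "$file"; then
        return 0
    fi
    line=$(scan_host_key "$host" "$@") || return 1
    printf '%s\n' "$line" >> "$file"
}

# Usage: ensure_known_host <host> <known_hosts file> ecdsa rsa
```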