> That's what I proposed in the previous email, but there are tradeoffs
> such as having to maintain more secret keys somewhere. I'm not sure
> which approach is the lesser evil ;)

I prefer having the keys in one place of reference. It's easier to remember to keep it up-to-date.

On Wed, Aug 26, 2015 at 12:38 PM, Sanne Grinovero <sa...@hibernate.org> wrote:
> On 26 August 2015 at 12:28, Davide D'Alto <dav...@hibernate.org> wrote:
> > Can't we keep some secrets tokens on master?
> > Or on a separate secret small machine?
> >
> > This way we can transfer them from master during the creation of the slave.
> > Basically, I'm talking about improving the transfert-to-slave script.
>
> That's what I proposed in the previous email, but there are tradeoffs
> such as having to maintain more secret keys somewhere. I'm not sure
> which approach is the lesser evil ;)
>
> Sanne
>
> >
> >> Davide extended this further with tags: see the readme to easily run
> >> only the tasks related to a specific task (although we should tag all
> >> tasks, not done yet).
> >
> > I might now have explained that in the readme, but the Ansible documentation
> > is clear: http://docs.ansible.com/ansible/playbooks_tags.html
> >
> >> FWIW, ECDSA is the future: get a better OS ;-)
> >
> > +1 :)
> >
> > Davide
> >
> > On Wed, Aug 26, 2015 at 12:15 PM, Sanne Grinovero <sa...@hibernate.org>
> > wrote:
> >>
> >> On 25 August 2015 at 14:15, Gunnar Morling <gun...@hibernate.org> wrote:
> >> > Sanne,
> >> >
> >> > When running Ansible to update the CI slaves on OS X, I get the
> >> > following error:
> >> >
> >> > TASK: [jenkins-slave | Ensure cimaster is a known host]
> >> > ***********************
> >> > unknown key type ecdsa
> >> > fatal: [209.132.178.232] => lookup_plugin.pipe(ssh-keyscan -t ecdsa
> >> > 54.174.65.136) returned 255
> >> >
> >> > Can we use another key type than "ecdsa"? Apparently the SSH coming
> >> > with OS X has no support for it (see [1]) and I'd prefer to use the
> >> > default version rather than having to install another one.
> >>
> >> That line though is just a trick to fetch the existing keys so I guess
> >> that to change the key type we need to figure out when & how these are
> >> generated.
> >> I just checked and it seems like we actually generate (and use) RSA
> >> keys now; maybe that line is just broken on all platforms (not just on
> >> OSX)?
> >> When making changes I only run the related portions of the Ansible
> >> script, so that might have been broken since a while w/o anyone
> >> noticing.
> >> Davide extended this further with tags: see the readme to easily run
> >> only the tasks related to a specific task (although we should tag all
> >> tasks, not done yet).
> >>
> >> I'm actually quite unhappy with that whole trick to get the generated
> >> nodes exchange the keys; it doesn't seem like "the Ansible way" as
> >> it's quite procedural, but I couldn't figure a better way other than
> >> pre-generate them (and lots of other people have that problem on SO so
> >> I'd hope it will improve).
> >> Would you prefer us to pre-generate those keys manually and add them
> >> to the list of secret tokens which we need to share among maintainers?
> >> I was trying to keep the list of keys we all need and the preparation
> >> steps minimal, but agree this one might not be worth the complexity.
> >>
> >> FWIW, ECDSA is the future: get a better OS ;-)
> >>
> >> Thanks,
> >> Sanne
> >>
> >> >
> >> > Thanks,
> >> >
> >> > --Gunnar
> >> >
> >> > [1] http://apple.stackexchange.com/questions/77731/ecdsa-ssh-key-on-10-8-2
> >> > _______________________________________________
> >> > hibernate-dev mailing list
> >> > hibernate-dev@lists.jboss.org
> >> > https://lists.jboss.org/mailman/listinfo/hibernate-dev