Re: apache and app logs retrieval


 



On Thu, 27 Jun 2013 13:12:49 -0600
Stephen John Smoogen <smooge@xxxxxxxxx> wrote:

> On 25 June 2013 13:16, seth vidal <skvidal@xxxxxxxxxxxxxxxxx> wrote:
> 
> > Last week when we were talking about spawning rdiff-backup to backup
> > our systems, we diverged into discussing app/apache logs and the
> > somewhat complicated system we currently have for grabbing those
> > logs.
> >
> > Right now we have a list of hosts on log02 that it should grab logs
> > from. Those hosts need to have rsyncd running on them to allow
> > access from log02 to fetch the /var/log/httpd/ path from them.
> >
> > That requires 2 things to be coupled and it is a bit awkward if you
> > set up a host that is tricky to access from log02 or isn't on the
> > vpn.
> >
> > In general I also am not in love with having to have rsyncd
> > listening on systems - even if it is ip-restricted.
> >
> > So the thought was we could do something like this on log02:
> >
> > 1. set up an ssh key on log02 that can run rsync to /var/log/httpd on
> > all hosts
> > 2. make any host that needs to have its logs retrieved be marked in
> > the ansible inventory host/group vars
> > 3. git clone public-ansible-repo onto log02
> > 4. use group_by to construct a group of the hosts which can then be
> > retrieved using rsync.
> >
> > The sole reason for using ansible here is so we can keep the log
> > sync info in our inventory and to parallelize the retrieval of logs.
> >
> > This is more or less identical to what we talked about for backups
> > using rdiff-backup.
> >
> >
> My question is: will a person who is on log02 be able to ssh into every
> rsyncable host as root like they can do so from lockbox, or will we be
> using a sub-user who can be ssh'd from log02 to get the log files? I
> am just wanting to keep the number of systems we need to really worry
> about to a minimum so we aren't ending up with whackamole later.

1. we could do a separate user - we just have to make
sure /var/log/httpd stays 'open' to that user - which is actually quite
tricky in the face of apache updated rpms

2. we could also just keep using rsync - but over ssh and restrict that
particular ssh key to only running rsync and only from one path.

-sv
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
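
Option 2 in the reply above (an ssh key restricted to running rsync against one path) sketched as a forced-command wrapper. This is an added example, not code from the thread or from Fedora infrastructure; the script name, the authorized_keys entry, and the assumption that a pull arrives as "rsync --server --sender -<opts> . <path>" are illustrative.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper, installed as /usr/local/bin/log-rsync-only.
# Constructed authorized_keys entry on each web host (one physical line in the
# real file; address and key are placeholders):
#   command="/usr/local/bin/log-rsync-only",from="LOG02_ADDRESS",no-pty,
#   no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa PLACEHOLDER_KEY log02
LC_ALL=C; export LC_ALL
ALLOWED_ROOT=/var/log/httpd

# Succeed only for a read-only pull of the form
#   rsync --server --sender -<short opts> . <path inside ALLOWED_ROOT>
# Everything else (shells, pushes, long options, other paths) is refused.
allowed_rsync_cmd() {
    set -f; set -- $1; set +f          # split on whitespace, no globbing
    [ $# -eq 6 ] || return 1
    for w in "$@"; do                  # allowlist of characters per word
        case $w in *[!A-Za-z0-9./_,=-]*) return 1 ;; esac
    done
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    # Exactly one short-option bundle; long options such as
    # --remove-source-files would let the caller delete logs.
    case $4 in --*|[!-]*) return 1 ;; esac
    [ "$5" = . ] || return 1
    case $6 in *..*) return 1 ;; esac  # no parent-directory traversal
    case $6 in "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;; esac
    return 1
}

main() {
    if allowed_rsync_cmd "${SSH_ORIGINAL_COMMAND:-}"; then
        # Build argv directly; the request is never handed to a shell.
        set -f; set -- $SSH_ORIGINAL_COMMAND; shift
        exec /usr/bin/rsync "$@"
    fi
    logger -t log-rsync-only "denied: ${SSH_ORIGINAL_COMMAND:-<no command>}" 2>/dev/null
    echo "log-rsync-only: command not permitted" >&2
    exit 1
}

# Act only when invoked under the installed name (i.e. by sshd via command=).
case ${0##*/} in log-rsync-only) main ;; esac
```

The rsync distribution also ships a support script, rrsync, that serves the same purpose with fuller option handling.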




