Re: Review for new rbac_playbook

On Mon, 9 Jun 2014 08:49:48 -0600
Kevin Fenzi <kevin@xxxxxxxxx> wrote:

> On Mon, 9 Jun 2014 08:44:38 -0600
> Tim Flink <tflink@xxxxxxxxxx> wrote:
> 
> > I think that most of your concerns have been addressed or are being
> > discussed in other parts of this thread but I wanted to speak
> > towards the reason that -P is there at all.
> > 
> > You are correct in reading that it has ansible-playbook use an ssh
> > port other than 22. That is set using -e 'ansible_ssh_port=<some
> > port>' and giving direct access to the -e parameter would be
> > problematic at best,
> > so I added the -P parameter which is restricted to just that option
> > even though it's rendered as -e
> > 
> > The QA devel folks use phabricator and phabricator supports git repo
> > hosting (through http(s) and ssh). In order to support git over ssh
> > while keeping user information in phabricator (username, ssh key for
> > git, repo permissions etc.), it uses a short-circuited ssh daemon
> > that uses phabricator for auth instead of system accounts
> > (restricted to git commands, though). Git repos on alternate ports
> > is a bit of a pain, so to support git+ssh on port 22 I change the
> > real ssh daemon (that can do more than git) to an alternate port.
> 
> If those hosts always have ssh on the same different port, we could
> just add that to vars?
> 
> http://docs.ansible.com/faq.html#how-do-i-handle-different-machines-needing-different-user-accounts-or-ports-to-log-in-with

I've generally been using port 222 for real ssh on those hosts. We
could set the port in the inventory file. While that would work for many
cases, I've always used the -e directly for 2 reasons:

1) My understanding is that ansible convention discourages putting
   stuff like that in the inventory files

2) Hosts are listening for ssh on port 22 when initially deployed.
   Initial deployments would require changing the inventory information
   to use port 22 for initial deployment and then changing it back
   to the alternate port after running the playbook/role which sets up
   the alternate port for ssh.

If that's the way that we want to go, we'll have some extra commits to
the ansible repo but it'll work.

Tim
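
Added example, not part of the original message and not rbac_playbook's own code: a sketch of a wrapper option like the -P described in the quoted text, which accepts only a port number and renders it as -e 'ansible_ssh_port=<port>' without exposing -e itself. The wrapper name, function names and playbook file name are hypothetical; checking which playbooks a user may run is out of scope here.

```python
import argparse


def ssh_port(value):
    """argparse type: accept only a decimal TCP port, nothing else."""
    # isascii() + isdigit() rejects spaces, '=', quotes, signs and Unicode
    # digits, so the value cannot carry a second key=value pair into -e.
    if not (value.isascii() and value.isdigit()):
        raise argparse.ArgumentTypeError("port must be decimal digits only")
    port = int(value)
    if not 1 <= port <= 65535:
        raise argparse.ArgumentTypeError("port must be in 1-65535")
    return port


def build_parser():
    parser = argparse.ArgumentParser(prog="playbook-wrapper")  # hypothetical
    parser.add_argument("playbook")
    # Deliberately no -e option: -P is the only way to influence extra vars.
    parser.add_argument("-P", "--port", type=ssh_port, default=None)
    return parser


def build_argv(cli_args):
    """Return the ansible-playbook argv for the wrapper's own arguments."""
    args = build_parser().parse_args(cli_args)
    argv = ["ansible-playbook", args.playbook]
    if args.port is not None:
        # Rendered from an int, so the -e payload is exactly one variable.
        argv += ["-e", "ansible_ssh_port=%d" % args.port]
    return argv  # hand this list to subprocess without a shell


def is_rejected(cli_args):
    """True when argparse refuses the arguments (it exits with status 2)."""
    try:
        build_argv(cli_args)
    except SystemExit:
        return True
    return False


if __name__ == "__main__":
    print(build_argv(["site.yml", "-P", "222"]))
    # Constructed input: a second variable appended to the port value.
    print(is_rejected(["site.yml", "-P", "222 some_var=1"]))
```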


_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
