On Tue, 6 May 2014 19:20:25 +0530
Venky Shankar <yknev.shankar@xxxxxxxxx> wrote:

> push-pem expects passwordless SSH b/w the node where the CLI is
> executed and a slave node (the slave endpoint used for session creation).
> It then adds master's SSH keys to *authorized_keys* on all slave
> nodes (prepended with command=... for restricting access to gsyncd).
> As you said, prompting for password is definitely better and should
> be thought of.

I thought that maybe just removing the check from gverify.sh would do the trick but after trying it, I see that it's not quite that straightforward. It doesn't execute that script in the foreground?

> Non-root geo-replication does not work as of now (upstream/3.5). I'm
> in the process of getting it to work (patch
> http://review.gluster.org/#/c/7658/ in gerrit). Even with this you'd
> need passwordless SSH to one of the nodes on the slave (to an
> unprivileged user in this case). Your argument of prompting for
> password still holds true here.

Good to hear, I'll keep an eye on that. Given that push-pem writes files to /var on the remote end, would that step still require root? We generally disable root SSH login as per security policy although temporarily allowing it for this one step would not be the end of the world. It looks like this problem has been considered but not yet solved in gerrit.

> I see the document link you mentioned in BZ #1091079 (comment #2)
> still points to old style geo-replication (we'd need to correct
> that). Are you following that in any case? Comment #1 points to the
> correct URL.

3.5 is the first version I've tried but I came across the older documentation first. Even after discovering the newer documentation, I got the impression that "push-pem" is more of a convenience thing to save you from copying the keys around manually. I only have two nodes, a master and a slave, so the new "distributed" model doesn't add much for me.

Regards,
James
_______________________________________________
Gluster-users mailing list
Gluster-users@xxxxxxxxxxx
http://supercolony.gluster.org/mailman/listinfo/gluster-users