InstallDev breaks deployment scripts on DBS 3 dev vm #107

Open
giffels opened this issue Jan 30, 2014 · 2 comments

@giffels
Member

giffels commented Jan 30, 2014

Hi Diego, Alan,

is there any reason why -o PubkeyAuthentication=no is used in
https://github.com/dmwm/deployment/blob/master/admin/InstallDev#L71 ? We (DBS 3) have set up an environment that allows us to install dbs3 vms running under the dbs3 service account without knowing the password by using public keys. Unfortunately, that is not working anymore. Do you think we can remove that option again, at least for the InstallDev?

Thanks,
Manuel

@geneguvo
Member

Hi Manuel,

When you need to run ProxySeed to upload credentials to myproxy, it needs to have access to the usercert/key.pem. Since the user home where these files are found is on his home on AFS, we want to make sure the ssh initializes the session with a Kerberos token and AFS ticket; that's why we disable the pubkey authentication.

Besides that, the userkey.pem is protected with a passphrase, so this part of the script really wants to bug the user for: getting a Kerberos token and for unlocking his key.

So I don't think you can robotize this step without breaking a few security rules. What we could do is add an option to ignore if the proxy seed fails and then afterwards you drop the proxy there some other security-approved way (i.e. you generate/renew it properly elsewhere and set a cronjob to copy the proxy to your devvm).

But can you remind me why DBS needs a proxy? Is this DBSMigration accessing DBS3 APIs?

Cheers,
Diego.

@giffels
Member Author

giffels commented Feb 3, 2014

Hi Diego,

in our case the home directory of the service account is locally on the VM. I use fabric to deploy the VMs from my laptop. First the usercert/key.pem are copied to the VM and of course they are password protected, so I have to enter the password when installing the VM and this is not a problem.

The problem is the service account password. I am not sure if I am allowed to distribute the password to Yuyi, for example. So we used public keys to enable passwordless login to the service account on the VMs and this is not working with -o PubkeyAuthentication=no.

DBS needs a proxy, because the migration service is accessing DBS3 APIs using pycurl.

Cheers,
Manuel
