[Gluster-users] tar_ssh.pem?

James Le Cuirot chewi at aura-online.co.uk
Wed May 7 12:08:58 UTC 2014


On Tue, 6 May 2014 19:20:25 +0530
Venky Shankar <yknev.shankar at gmail.com> wrote:

> push-pem expects password less SSH b/w the node where the CLI is
> executed and a slave node (the slave endpoint used session creation).
> It then adds master's SSH keys to *authorized_keys* on all slave
> nodes (prepended with command=... for restricting access to gsyncd).
> As you said, prompting for password is definitely better and should
> be thought of.

I thought that maybe just removing the check from gverify.sh would do
the trick but after trying it, I see that it's not quite that
straightforward. It doesn't execute that script in the foreground?

> Non-root geo-replication does not work as of now (upstream/3.5). I'm
> in the process of getting it to work (patch
> http://review.gluster.org/#/c/7658/ in gerrit). Even with this you'd
> need password less SSH to one of the nodes on the slave (to an
> unprivileged user in this case). Your argument of prompting for
> password still holds true here.

Good to hear, I'll keep an eye on that. Given that push-pem writes
files to /var on the remote end, would that step still require root? We
generally disable root SSH login as per security policy although
temporarily allowing it for this one step would not be the end of the
world. It looks like this problem has been considered but not yet
solved in gerrit.

> I see the document link you mentioned in BZ #1091079 (comment #2)
> still points to old style geo-replication (we'd need to correct
> that). Are you following that in any case? Comment #1 points to the
> correct URL.

3.5 is the first version I've tried but I came across the older
documentation first. Even after discovering the newer documentation, I
got the impression that "push-pem" is more of a convenience thing to
save you from copying the keys around manually. I only have two nodes,
a master and a slave, so the new "distributed" model doesn't add much
for me.

Regards,
James
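
Added example, not part of the original message or of GlusterFS: the quoted reply says push-pem prepends command=... to the master keys in authorized_keys, and this sketch audits a slave's authorized_keys for keys that lack that restriction. The names `parse_entry` and `audit`, the path `/path/to/gsyncd` and the sample entries are assumptions made for illustration.

```python
import re

# One option: name, optional ="value" (with \" escapes), then "," or whitespace.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s+)')
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")

# Placeholder: the page does not give the gsyncd path; use the real one on the slave.
EXPECTED = "/path/to/gsyncd"

# Constructed sample; key blobs are placeholders, not real keys.
SAMPLE = r'''# authorized_keys on a slave node
command="/path/to/gsyncd" ssh-rsa AAAAPLACEHOLDER1 root@master1
ssh-rsa AAAAPLACEHOLDER2 root@master2
command="/usr/local/bin/backup \"nightly\"",no-pty ssh-rsa AAAAPLACEHOLDER3 ops@host
'''

def parse_entry(line):
    """Return (options, comment) for a key line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, pos = {}, 0
    if not line.startswith(KEY_TYPES):          # line begins with an options field
        while True:
            m = OPTION.match(line, pos)
            if not m:
                raise ValueError("malformed options: %r" % line)
            value = m.group(2)
            opts[m.group(1).lower()] = True if value is None else value.replace('\\"', '"')
            pos = m.end()
            if m.group(3) != ",":               # whitespace ends the options field
                break
    fields = line[pos:].split(None, 2)          # keytype, base64 blob, comment
    if len(fields) < 2:
        raise ValueError("missing key: %r" % line)
    return opts, (fields[2] if len(fields) == 3 else "")

def audit(text, expected=EXPECTED):
    """List (line number, comment, problem) for keys not pinned to `expected`."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        opts, comment = entry
        if "command" not in opts:
            findings.append((n, comment, "no forced command"))
        elif opts["command"] != expected:
            findings.append((n, comment, "unexpected forced command"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A key reported as "no forced command" gives its holder a normal login for that account rather than access limited to gsyncd.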


