Greetings all - was suggested I might be able to ask a question here, I'll
go back to lurking if not!
There are a lot of ways to solve the problem of authenticating to hundreds
of disposable systems. The method I'm currently putting in place during our
move from Slicehost to EC2 is to set up a multi-master 389 Directory
Server. I'm using openssh-lpk, which was originally an old patch that never
got in to the official openssh package but that is becoming a helper daemon
(instead of a patch) as of Fedora14. I installed the Fed14 packages on my
Fed13 instance; I'm a bad person. What I can then do is put public keys for
users in the directory server, and then - since the AMI is set up to ask my
ldap server for info - viola! Brand new instances can already be key-auth'd
by brand new accounts, without creating the account on the other side (and
thus, without putting the key in authorized_hosts), in a way that is dynamic
enough that I can add/revoke auth to any number of instances within
seconds. There's more to it than what I've said, but hopefully you get the
I had to mostly just do it all with little guidance (not a big deal, but I
like using tested methods...) as I didn't find much "out there" about
authing to a cloud. Is documentation about what I've done the sort of thing
in which Cloud SIG would be interested? Most such documentation is
currently found in snippets of someone's blog somewhere; there are many
necessary incidentals to making cloud computing successful for an
enterprise, so it would seem they'd be better addressed, especially for
small/mid-sized companies that don't need complicated setups. Things like
cfengine seem somehow...innappropriate...for disposable systems that are
going to created in a "blessed" state anyway, and only need minor tweeks.
On that note, is Cloud SIG working on gathering documentation of the "making
a Cloud useful, once it exists" variety?
ps - I mentioned it to gholms already via email, but the official python
package for Slicehost (pyactiveresource) is not yet a fedora package; should
it be one? Or is it simple enough that it's assumed someone will just pip
install it, if needed?