Review for new rbac_playbook

Tim Flink tflink at redhat.com
Mon Jun 9 16:13:00 UTC 2014


On Mon, 9 Jun 2014 08:49:48 -0600
Kevin Fenzi <kevin at scrye.com> wrote:

> On Mon, 9 Jun 2014 08:44:38 -0600
> Tim Flink <tflink at redhat.com> wrote:
> 
> > I think that most of your concerns have been addressed or are being
> > discussed in other parts of this thread but I wanted to speak
> > towards the reason that -P is there at all.
> > 
> > You are correct in reading that it has ansible-playbook use an ssh
> > port other than 22. That is set using -e 'ansible_ssh_port=<some
> > port>' and giving direct access to the -e parameter would be
> > problematic at best,
> > so I added the -P parameter which is restricted to just that option
> > even though it's rendered as -e
> > 
> > The QA devel folks use phabricator and phabricator supports git repo
> > hosting (through http(s) and ssh). In order to support git over ssh
> > while keeping user information in phabricator (username, ssh key for
> > git, repo permissions etc.), it uses a short-circuited ssh daemon
> > that uses phabricator for auth instead of system accounts
> > (restricted to git commands, though). Git repos on alternate ports
> > is a bit of a pain, so to support git+ssh on port 22 I change the
> > real ssh daemon (that can do more than git) to an alternate port.
> 
> If those hosts always have ssh on the same different port, we could
> just add that to vars?
> 
> http://docs.ansible.com/faq.html#how-do-i-handle-different-machines-needing-different-user-accounts-or-ports-to-log-in-with

I've generally been using port 222 for real ssh on those hosts. We
could set the port in the inventory file. While that would work for many
cases, I've always used the -e directly for 2 reasons:

1) My understanding is that ansible convention discourages putting
   stuff like that in the inventory files

2) Hosts are listening for ssh on port 22 when initially deployed.
   Initial deployments would require changing the inventory information
   to use port 22 for initial deployment and then changing it back
   to the alternate port after running the playbook/role which sets up
   the alternate port for ssh.

If that's the way that we want to go, we'll have some extra commits to
the ansible repo but it'll work.

Tim
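The point Tim makes above about -e is the security-relevant one: ansible-playbook's -e accepts arbitrary `key=value` pairs (and several of them at once, separated by whitespace), so a sudo-granted wrapper that passed -e through would let a caller set `ansible_become`, `ansible_ssh_user` or anything else. The following is an added illustration of the restriction he describes, written for this page and not the rbac_playbook script from the Fedora infrastructure repository: a -P option is accepted, validated as a port number, and rendered as `-e ansible_ssh_port=<port>`, while a raw -e (or any other unsupported switch) is rejected. The playbook directory and the option names other than -P are assumptions.

```python
#!/usr/bin/env python
"""Illustrative restricted wrapper around ansible-playbook (not the real
rbac_playbook). Only a fixed option set is accepted; the ssh port is the
single extra-var a caller can influence, and it must be an integer."""
import argparse
import os
import subprocess
import sys

# Assumed location of the playbooks the wrapper is allowed to run.
PLAYBOOK_DIR = "/srv/ansible/playbooks"


def validate_port(value):
    """Return value as an int in 1..65535 or raise ValueError.

    Rendering the port as %d (not as the raw string) is what stops a value
    like "222 ansible_become=yes" from smuggling a second variable into -e.
    """
    try:
        port = int(value)
    except (TypeError, ValueError):
        raise ValueError("port must be an integer, got %r" % (value,))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def validate_playbook(name):
    """Accept only a bare *.yml filename and resolve it under PLAYBOOK_DIR."""
    if (os.path.basename(name) != name or not name.endswith(".yml")
            or name.startswith(".")):
        raise ValueError("playbook must be a plain *.yml name: %r" % (name,))
    return os.path.join(PLAYBOOK_DIR, name)


def build_argv(args):
    """Translate the wrapper's restricted options into an ansible-playbook argv.

    -P is the only way to set an extra-var, and it is rendered as -e
    'ansible_ssh_port=<int>'. Anything argparse does not recognise (a raw
    -e, --become, ...) lands in `extra` and is refused outright.
    """
    parser = argparse.ArgumentParser(prog="rbac_playbook_example", add_help=False)
    parser.add_argument("playbook")
    parser.add_argument("-P", "--ssh-port", dest="ssh_port", default=None)
    parser.add_argument("-C", "--check", action="store_true")
    opts, extra = parser.parse_known_args(args)
    if extra:
        raise ValueError("unsupported options: %r" % (extra,))

    argv = ["ansible-playbook", validate_playbook(opts.playbook)]
    if opts.ssh_port is not None:
        argv += ["-e", "ansible_ssh_port=%d" % validate_port(opts.ssh_port)]
    if opts.check:
        argv.append("--check")
    return argv


def main(args):
    try:
        argv = build_argv(args)
    except ValueError as e:
        sys.stderr.write("refused: %s\n" % e)
        return 2
    # argv is a list and no shell is involved, so the validated values are
    # passed to ansible-playbook verbatim with no further interpretation.
    return subprocess.call(argv)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as `rbac_playbook_example hosts.yml -P 222` this executes `ansible-playbook /srv/ansible/playbooks/hosts.yml -e ansible_ssh_port=222`; `hosts.yml -e ansible_become=yes` is refused before anything runs. The inventory-variable alternative Kevin links to (setting `ansible_ssh_port` per host or group in the inventory) removes the need for -P entirely, at the cost of the initial-deployment dance Tim describes, when the host still listens on 22.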