3153f27c24
I wasn't correctly sourcing the key; it has to come from hostvars as it is in a different play on different hosts. This fixes it. We also need to not have the base roles overwrite the authorized_keys file each time. The key we provision can only run a limited script that wraps "vos release". Unfortunately our gitops falls down a bit here because we don't have full testing for the AFS servers; put this on the todo list :) I have run this manually for testing. Change-Id: I0995434bde7e43082c01daa331c4b8b268d9b4bc
28 lines
907 B
ReStructuredText
28 lines
907 B
ReStructuredText
vos release with localauth
|
|
|
|
Install a user and script to do remote ``vos release`` with
|
|
``localauth`` authentication. This can avoid kerberos or AFS
|
|
timeouts.
|
|
|
|
This relies on ``vos_release_keypair`` which is expected to be a
|
|
single keypair set previously by hosts in the "mirror-update" group.
|
|
It will allow that keypair to run ``/usr/local/bin/vos_release.sh``,
|
|
which filters the incoming command. Releases are expected to be
|
|
triggered on the update host with::
|
|
|
|
ssh -i /root/.ssh/id_vos_release afs01.dfw.openstack.org vos release <mirror>.<volume>
|
|
|
|
Future work, if required
|
|
|
|
* Allow multiple hosts to call the release script (i.e. handle
|
|
multiple keys).
|
|
* Implement locking within ``vos_release.sh`` script to prevent too
|
|
many simulatenous releases.
|
|
|
|
**Role Variables**
|
|
|
|
.. zuul:rolevar:: vos_release_keypair
|
|
|
|
The authorized key to allow to run the
|
|
``/usr/local/bin/vos_release.sh`` script
|