| field | value | date |
|---|---|---|
| author | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-04-30 11:51:34 +0300 |
| committer | Baserock Gerrit <gerrit@baserock.org> | 2015-05-01 13:15:38 +0000 |
| commit | 55496bf01f072f9b45e9ec7733c4bf02080bb3a0 (patch) | |
| tree | 0ba0b0de02f3bcff57b9620fa5430cdb355f026e /distbuild | |
| parent | 05a6672c81c56d4c73a77582bc30d104ccece8aa (diff) | |
| download | definitions-55496bf01f072f9b45e9ec7733c4bf02080bb3a0.tar.gz | |
distbuild: Disable strict SSH host key checking
Although we scan the keys of the Trove, we can only do this for the exact
hostname specified in TROVE_HOST. If the definitions being built point
to repos in the Trove using an SSH URL but with a different hostname
(e.g. as an IP address, or a differently qualified hostname) then the
distbuild will fail with a fairly opaque error:
ERROR: Build of xx failed: ERROR: Failed to update cached version of
repo ssh://git@.../xxx
Currently we expect distbuild to be deployed on a trusted private
network, so this change doesn't make it less secure. However, it would
be a problem in future if we want distbuild networks connecting to their
Trove across a public, untrusted network.
Change-Id: I6cf8b318cab8985e811b5ee5ac29df225b62270d
Diffstat (limited to 'distbuild')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | distbuild/usr/lib/distbuild-setup/ansible/distbuild-setup.yml | 10 |

1 files changed, 10 insertions, 0 deletions
diff --git a/distbuild/usr/lib/distbuild-setup/ansible/distbuild-setup.yml b/distbuild/usr/lib/distbuild-setup/ansible/distbuild-setup.yml index e4f94f54..c3074c63 100644 --- a/distbuild/usr/lib/distbuild-setup/ansible/distbuild-setup.yml +++ b/distbuild/usr/lib/distbuild-setup/ansible/distbuild-setup.yml @@ -64,6 +64,16 @@ fi creates=/etc/ssh/ssh_known_hosts + # This is a kludge. We can add the host key for the TROVE_HOST that was + # specified, but users may access the Trove by other names, e.g. IP address + # or domain name. Distbuild is currently not safe to run except on a private + # network where host key checking is not important, so we disable it by + # default to avoid errors when users don't stick to using the exact same + # TROVE_HOST in repo URLs. + - name: Disable strict SSH host key checking + lineinfile: + dest: /etc/ssh/ssh_config + line: StrictHostKeyChecking no - name: Enable the morph-cache-server service service: name=morph-cache-server.service enabled=yes |
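Review bot: the `lineinfile` task writes `StrictHostKeyChecking no` at the top level of `/etc/ssh/ssh_config`, so it turns off host key verification for every SSH destination the distbuild node contacts, not only the Trove reached under an alternative name, and with this setting ssh also proceeds when a known host's key has changed rather than just when it is unknown. Scope the change to the Trove's own addresses with a `Host` stanza (for example `Host <trove-ip> <trove-fqdn>` followed by an indented `StrictHostKeyChecking no`), or better, extend the preceding task that creates `/etc/ssh/ssh_known_hosts` to scan each name or address under which repo URLs refer to the Trove, which keeps verification intact. Please also record the "private network only" assumption from the YAML comment as a visible TODO, since the commit message says this must be revisited before distbuild nodes talk to a Trove over an untrusted network.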