Make clush safer
Closed, DeclinedPublic
Actions

Assigned To

None

Authored By

	scfc
	Dec 10 2016, 11:11 PM

Description

AFAIUI, currently clush works by sudoing to root, then sshing (standard protocol) into the selected instances as clushuser, then (if necessary) sudoing from clushuser to root.

We already have set up Toolforge so that every member of the tools.admin group can ssh into any host, and HBA should be working between instances in the Toolforge project as well.

i would prefer if we could switch clush to (for example) ssh as the logged-in user with HBA to the selected instances. There, if necessary, sudo can be used as normal. Thus, there would be less root involved when it is not needed and we could remove role::toollabs::clush::target's:

# Give it complete sudo rights
sudo::user { 'clushuser':
    ensure     => present,
    privileges => ['ALL = (ALL) NOPASSWD: ALL'],
}

Related Objects
Search...

Status	Assigned	Task
Declined	None	T152866 Make clush safer
Resolved	taavi	T153163 Set up and use exported resources for Tool Labs's shared knowledge
Resolved	Krenair	T153577 Make standalone puppetmasters optionally use PuppetDB
Resolved	scfc	T154104 role::puppetmaster::puppetdb depends on Ganglia and cannot be used in Labs
Resolved	Krenair	T245365 Replace tools-puppetmaster-01 (jessie) with a buster puppetmaster
Resolved	taavi	T214427 Enable puppetdb in toolforge