3153f27c24
I wasn't correctly sourcing the key; it has to come from hostvars as it is in a different play on different hosts. This fixes it. We also need to not have the base roles overwrite the authorized_keys file each time. The key we provision can only run a limited script that wraps "vos release". Unfortunately our gitops falls down a bit here because we don't have full testing for the AFS servers; put this on the todo list :) I have run this manually for testing. Change-Id: I0995434bde7e43082c01daa331c4b8b268d9b4bc
907 B
907 B
vos release with localauth
Install a user and script to do remote vos release with
localauth authentication. This can avoid kerberos or AFS
timeouts.
This relies on vos_release_keypair which is expected to
be a single keypair set previously by hosts in the "mirror-update"
group. It will allow that keypair to run
/usr/local/bin/vos_release.sh, which filters the incoming
command. Releases are expected to be triggered on the update host
with:
ssh -i /root/.ssh/id_vos_release afs01.dfw.openstack.org vos release <mirror>.<volume>Future work, if required
- Allow multiple hosts to call the release script (i.e. handle multiple keys).
- Implement locking within
vos_release.shscript to prevent too many simulatenous releases.
Role Variables
The authorized key to allow to run the
/usr/local/bin/vos_release.shscript