Hello,
On Tue, 27 Nov 2012 20:15:55 +0100 Danilo Šegan danilo.segan@linaro.org wrote:
Heya Andy,
У уто, 27. 11 2012. у 12:24 -0600, Andy Doan пише:
yes, we have ways of transferring a file from target->host in our dispatcher. We could use that so that our private key only has to live on our actual server(s).
Cool.
Since we'd like to switch to API-based publishing as well, I suppose that means we could also have a key stored in the database for pushing stuff over: does that make sense?
So you are saying we might need a new "publishing key". That seems fine, just a slightly different config option for our setup I'd think.
Yeah, mostly for the sanity (and symmetry) of our existing set up. The way it's currently set up is that our publishing framework accepts SSH connections with very limited permissions:
- upload step which only allows sftp-ing
to /srv/snapshots.linaro.org/uploads which is not publicly accessible
- trigger step which reshuffles the files into appropriate location
(restricted to running publish_to_snapshots.py script)
We use separate user accounts on mombin with two different SSH keys (this was requested by IS so they could limit possible actions for these passphrase-less SSH keys).
It should be also added that these SSH keys for additional security allow login only from a specific IP address. So, we indeed would need to publish from LAVA master, not directly from target boards (we have the same thing in Jenkins).
Two-step process also ensures we do not offer incomplete files for download and allows us to do some pre-processing before publishing (eg. since jenkins publishes our username_buildname combo into a single directory, we split that into username/buildname in this step).
Full docs on the publishing setup currently are at
http://bazaar.launchpad.net/~linaro-infrastructure/linaro-license-protection...
(might be slightly out of date regarding paths on the system for scripts that are shared between users)
I am hoping we can find some time to improve this with an API on https://snapshots.linaro.org that would be authenticated directly, but we can't make promises on when that's going to be around.
Cheers, Danilo