Paul Sokolovsky paul.sokolovsky@linaro.org writes:
Hello,
On Tue, 27 Nov 2012 20:15:55 +0100 Danilo Šegan danilo.segan@linaro.org wrote:
Heya Andy,
У уто, 27. 11 2012. у 12:24 -0600, Andy Doan пише:
yes, we have ways of transferring a file from target->host in our dispatcher. We could use that so that our private key only has to live on our actual server(s).
Cool.
Since we'd like to switch to API-based publishing as well, I suppose that means we could also have a key stored in the database for pushing stuff over: does that make sense?
So you are saying we might need a new "publishing key". That seems fine, just a slightly different config option for our setup I'd think.
Yeah, mostly for the sanity (and symmetry) of our existing set up. The way it's currently set up is that our publishing framework accepts SSH connections with very limited permissions:
- upload step which only allows sftp-ing
to /srv/snapshots.linaro.org/uploads which is not publicly accessible
- trigger step which reshuffles the files into appropriate location
(restricted to running publish_to_snapshots.py script)
We use separate user accounts on mombin with two different SSH keys (this was requested by IS so they could limit possible actions for these passphrase-less SSH keys).
It should be also added that these SSH keys for additional security allow login only from a specific IP address. So, we indeed would need to publish from LAVA master, not directly from target boards (we have the same thing in Jenkins).
While I agree publishing from the master makes sense, the conclusion you draw here is not valid -- all requests from the lab appear to come from the same IP address by the wonders of NAT. We have 5 IP addresses from our ISP but currently only use one.
Cheers, mwh