Hi all,

A while back Andrew raised the suggestion that we create an SSH key for the purpose of monitoring the juju bootstrap. This has raised its head again for several reasons:

1) Many Windows users don't have ssh keys, nor even ssh installed. We have a go ssh implementation that we can fall back to if there is no PuTTY installed.
2) Not all Linux users have ssh installed. Granted, most developers will, but not necessarily all.
3) Creating new environments from the Juju GUI needs a way to get things bootstrapped.
4) Now we have the authorized_keys workers, we can add ssh keys once an environment is running, and the existing machines get the new keys added in to their authorized keys list.

and finally, the real thing that clinched it for me

5) Juju run. In order to make this available to the GUI, it needs to be executed from the API server. This means that the API server machine needs to be able to SSH to all the other machines. No one is going to want to upload their own private key, nor should they.

I propose that we create a new SSH key when we bootstrap environments, and use that key to watch the bootstrap process. This means that we have no checking for existing keys when we bootstrap, no "oh, you don't have a key, I'll make one", but instead, as part of the bootstrap process we generate a "juju system ssh key" with an appropriate comment.

Both the public and private parts of this key are installed on all the "api server" machines. The private identity can be stored anywhere, and I suggest /var/lib/juju/identity/juju-system-ssh-key (or any other bike-shed colour).

This key is then used by juju when it needs to do things with the other machines. We already have a utility command to wrap ssh things, and we will most likely expand on that utility.

Upgrades

Given that we'd need to add this system key for upgraded environments, and also have a way to handle the situation where a user removes (however they do it) the system ssh key, we need some way to do this initial creation.

Tim
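
An added example (not part of the mail and not Juju's own code) of the key creation step proposed above, in Go using only the standard library. The function names, the comment string "juju-system-key" and the choice of 2048-bit RSA are assumptions; the private key file is created owner-only and an existing key is never replaced, so the same call is safe to retry on an upgraded environment.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
)

// authorizedKey renders the public half as an authorized_keys line (RFC 4253 "ssh-rsa" blob).
func authorizedKey(pub *rsa.PublicKey) string {
	var buf bytes.Buffer
	for _, f := range [][]byte{[]byte("ssh-rsa"), big.NewInt(int64(pub.E)).Bytes(), pub.N.Bytes()} {
		if f[0]&0x80 != 0 { // mpint rule: pad so the integer stays positive (no-op for the ASCII name)
			f = append([]byte{0}, f...)
		}
		buf.Write([]byte{byte(len(f) >> 24), byte(len(f) >> 16), byte(len(f) >> 8), byte(len(f))})
		buf.Write(f)
	}
	// The trailing comment is an assumed value; the mail only asks for "an appropriate comment".
	return "ssh-rsa " + base64.StdEncoding.EncodeToString(buf.Bytes()) + " juju-system-key"
}

// CreateSystemKey writes a new private key to path and returns its public line; it fails
// with os.ErrExist instead of replacing a key that machines may already trust.
func CreateSystemKey(path string) (string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	if err = os.MkdirAll(filepath.Dir(path), 0700); err != nil {
		return "", err
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600) // owner-only, never clobber
	if err != nil {
		return "", err
	}
	defer f.Close()
	err = pem.Encode(f, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return authorizedKey(&key.PublicKey), err
}

func main() { // demo path under the temp dir, not the /var/lib/juju location from the mail
	fmt.Println(CreateSystemKey(filepath.Join(os.TempDir(), "juju-identity-demo", "juju-system-ssh-key")))
}
```

The returned line is what the authorized_keys workers would distribute to the other machines; a caller handling upgrades can treat os.ErrExist as "key already present".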
