[SAC] [OSGeo] #2684: new VM for demo.pygeoapi.io
OSGeo
trac_osgeo at osgeo.org
Sun Dec 19 11:12:40 PST 2021
#2684: new VM for demo.pygeoapi.io
---------------------------+----------------------------------------
Reporter: pvgenuchten | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2021-II
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+----------------------------------------
Comment (by robe):
Okay, a couple of thoughts on this:
1) how a CI/CD process can access the VM directly over the hop (needs SSH
proxy config)
If it's an issue I could open up a different port on the server to allow
direct ssh to the container. Can GitHub Actions use an alternative
port (not 22)?
e.g. you would be able to do something like below (where 41022 is the port
I'd open up):
{{{
ssh -p 41022 ansible@demo.pygeoapi.io
}}}
I don't see any huge security hole with this, so I am fine with that change
as long as you turn off password authentication on your container with:
{{{
# in /etc/ssh/sshd_config, change to:
PasswordAuthentication no
}}}
Also note your proxy account doesn't need to be the same as the account
you log into the container with. But whatever account you use for ansible,
the public key has to also be registered in your LDAP profile (or we could
set up a different profile, e.g. we have one for geoserver I think with
some email alias like pygeoapi@osgeo.org that points to your email).
You can also have more than one LDAP public key on your profile.
2) How Ansible (within the CI/CD processes) can make direct sudo changes
without password prompts
What comes to mind:
If you create an ansible account with sudo rights, then, assuming you have
the proxy worked out, ansible would log in as something like:
{{{
ssh ansible@osgeo3-demo-pygeoapi
}}}
To allow ansible the ability to sudo without a password prompt, just change
the sudoers file accordingly with visudo:
{{{
visudo
}}}
Then add a line at end:
{{{
ansible ALL=(ALL) NOPASSWD: ALL
}}}
Again, I don't think there is a huge risk to this since if ansible gets
compromised, it would only affect your VM, not the others.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2684#comment:6>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.