[SAC] [OSGeo] #2684: new VM for demo.pygeoapi.io

OSGeo trac_osgeo at osgeo.org
Sun Dec 19 11:12:40 PST 2021


#2684: new VM for demo.pygeoapi.io
---------------------------+----------------------------------------
 Reporter:  pvgenuchten    |       Owner:  sac@…
     Type:  task           |      Status:  new
 Priority:  normal         |   Milestone:  Sysadmin Contract 2021-II
Component:  Systems Admin  |  Resolution:
 Keywords:                 |
---------------------------+----------------------------------------

Comment (by robe):

 Okay, a couple of thoughts on this:

 1) how a CI/CD process can access the VM directly over the hop (needs SSH
 Proxy Config)

 If it's an issue I could open up a different port on the server to allow
 direct ssh to the container. Can GitHub Actions use an alternative
 port (not 22)?

 e.g. you would be able to do something like below (where 41022 is the port
 I'd open up):


 {{{
 ssh -p 41022 ansible@demo.pygeoapi.io
 }}}

 I don't see any huge security hole with this, so I am fine with that change
 as long as you turn off password authentication on your container with


 in /etc/ssh/sshd_config, change to:

 {{{
 PasswordAuthentication no
 }}}

 Also note your proxy account doesn't need to be the same as the account
 you log into the container with. But whatever account you use for ansible,
 the public key has to also be registered in your LDAP profile (or we could
 set up a different profile - e.g. we have one for geoserver I think with
 some email alias like pygeoapi@osgeo.org that points to your email).

 You can also have more than one LDAP public key on your profile.


 2) How Ansible (within the CI/CD processes) can make direct sudo changes
 without password prompts

 What comes to mind:

 If you create an ansible account with sudo rights,

 Then assuming you have the proxy worked out, ansible would log in as
 something like:

 {{{
 ssh ansible@osgeo3-demo-pygeoapi
 }}}

 To allow ansible the ability to sudo without a password prompt, just edit
 the sudoers file with visudo accordingly:


 {{{
 visudo
 }}}

 Then add a line at end:

 {{{
 ansible ALL=(ALL) NOPASSWD: ALL
 }}}


 Again, I don't think there is a huge risk to this, since if ansible gets
 compromised, it would only affect your VM, not the others.

-- 
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2684#comment:6>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
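As an added example (not part of the ticket or of OSGeo's own tooling), this script audits the two settings the comment above asks for: it parses an sshd_config, including Match blocks, which can silently re-enable PasswordAuthentication for some clients even when the global value is "no", and it lists which sudoers entries grant NOPASSWD: ALL. The sshd_config and sudoers texts are constructed samples standing in for the real files.

```python
"""Audit the settings from the ticket: sshd must refuse password logins
(globally and in every Match block) and only the expected account may
hold a NOPASSWD: ALL sudoers rule."""
import re

# Constructed sample standing in for /etc/ssh/sshd_config on the container.
# The Match block is a deliberate trap: it reopens password logins for one
# address range even though the global setting is "no".
SAMPLE_SSHD_CONFIG = """\
Port 41022
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# Constructed sample standing in for /etc/sudoers.
SAMPLE_SUDOERS = """\
root    ALL=(ALL:ALL) ALL
ansible ALL=(ALL) NOPASSWD: ALL
"""

# sshd_config accepts both "Key value" and "Key=value"; keywords are
# case-insensitive, so every key is lower-cased.
_KV = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")


def parse_sshd_config(text):
    """Return (global_opts, match_blocks); a Match block's options override
    the global ones for connections matching its criteria."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        m = _KV.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {"criteria": value, "opts": {}}
            matches.append(current)
        elif current is not None:
            current["opts"][key] = value
        else:
            global_opts[key] = value
    return global_opts, matches


def password_auth_findings(text):
    """Human-readable problems; an empty list means password auth is off."""
    global_opts, matches = parse_sshd_config(text)
    findings = []
    # OpenSSH's built-in default for PasswordAuthentication is "yes".
    if global_opts.get("passwordauthentication", "yes").lower() != "no":
        findings.append("global PasswordAuthentication is not 'no'")
    for blk in matches:
        if blk["opts"].get("passwordauthentication", "").lower() == "yes":
            findings.append(f"Match {blk['criteria']} re-enables PasswordAuthentication")
    return findings


def sudo_nopasswd_users(text):
    """Users whose sudoers line grants passwordless sudo for every command."""
    rule = re.compile(r"^(\S+)\s+\S+=\(.*?\)\s+NOPASSWD:\s*ALL\s*$")
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [m.group(1) for m in map(rule.match, lines) if m]
```

Run over the real files, a non-empty findings list or an unexpected name in the NOPASSWD list is what the operator should act on before exposing port 41022.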

