juju system ssh keys - revisiting
John Arbash Meinel
john at arbash-meinel.com
Tue Dec 17 06:33:38 UTC 2013
On 2013-12-17 10:20, John Arbash Meinel wrote:
> ...
>> This hints to me that Juju run is improperly designed. We already
>> have a way to inform all machines that we have work for them to
>> do. Which *doesn't* require us to ssh into them (the hook
>> triggers).
>
>> Just create a "run" hook that fires a custom script when there is
>> data to be run. Why would we SSH into those machines directly?
>
>
>>> I believe the rationale was so that juju-run can target
>>> machines as well as units. To target a machine without any
>>> units deployed would mean hooks are out of the question.
>
>
> Then just run a hook context runner in the Machine agent. Still
> *much* better than actually needing to SSH into every machine and
> violating the model of every-other-way we run stuff on machines in
> the environment.
>
> John =:->
I'm sorry if I'm coming off as overly negative. I don't mean to sound
that way. I was surprised that 'juju-run' needed to be an always-on
service that didn't act like all of our other always-on services that
respond to DB changes. It violates the concept that we could have a
user request things be run on the systems, without having direct SSH
access. (SSH access implies that you can run whatever you want without
auditing, while juju-run would certainly create an audit log, and
could be RBACed to run specific commands, etc.)
John
=:->