[hibernate-dev] Ansible set-up, error "unknown key type ecdsa"

Davide D'Alto davide at hibernate.org
Wed Aug 26 07:28:49 EDT 2015


Can't we keep some secret tokens on master?
Or on a separate secret small machine?

This way we can transfer them from master during the creation of the slave.
Basically, I'm talking about improving the transfert-to-slave script.

> Davide extended this further with tags: see the readme to easily run
> only the tasks related to a specific task (although we should tag all
> tasks, not done yet).

I might not have explained that in the readme, but the Ansible
documentation is clear: http://docs.ansible.com/ansible/playbooks_tags.html

> FWIW, ECDSA is the future: get a better OS ;-)

+1 :)

Davide

On Wed, Aug 26, 2015 at 12:15 PM, Sanne Grinovero <sanne at hibernate.org> wrote:

> On 25 August 2015 at 14:15, Gunnar Morling <gunnar at hibernate.org> wrote:
> > Sanne,
> >
> > When running Ansible to update the CI slaves on OS X, I get the
> > following error:
> >
> > TASK: [jenkins-slave | Ensure cimaster is a known host] ***********************
> > unknown key type ecdsa
> > fatal: [209.132.178.232] => lookup_plugin.pipe(ssh-keyscan -t ecdsa
> > 54.174.65.136) returned 255
> >
> > Can we use another key type than "ecdsa"? Apparently the SSH coming
> > with OS X has no support for it (see [1]) and I'd prefer to use the
> > default version rather than having to install another one.
>
> That line though is just a trick to fetch the existing keys so I guess
> that to change the key type we need to figure out when & how these are
> generated.
> I just checked and it seems like we actually generate (and use) RSA
> keys now; maybe that line is just broken on all platforms (not just on
> OSX)?
> When making changes I only run the related portions of the Ansible
> script, so that might have been broken for a while w/o anyone
> noticing.
> Davide extended this further with tags: see the readme to easily run
> only the tasks related to a specific task (although we should tag all
> tasks, not done yet).
>
> I'm actually quite unhappy with that whole trick to get the generated
> nodes to exchange the keys; it doesn't seem like "the Ansible way" as
> it's quite procedural, but I couldn't figure a better way other than
> pre-generate them (and lots of other people have that problem on SO so
> I'd hope it will improve).
> Would you prefer us to pre-generate those keys manually and add them
> to the list of secret tokens which we need to share among maintainers?
> I was trying to keep the list of keys we all need and the preparation
> steps minimal, but agree this one might not be worth the complexity.
>
> FWIW, ECDSA is the future: get a better OS ;-)
>
> Thanks,
> Sanne
>
> >
> > Thanks,
> >
> > --Gunnar
> >
> > [1] http://apple.stackexchange.com/questions/77731/ecdsa-ssh-key-on-10-8-2
> > _______________________________________________
> > hibernate-dev mailing list
> > hibernate-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/hibernate-dev

