[hibernate-dev] Ansible set-up, error "unknown key type ecdsa"

Sanne Grinovero sanne at hibernate.org
Wed Aug 26 07:38:04 EDT 2015


On 26 August 2015 at 12:28, Davide D'Alto <davide at hibernate.org> wrote:
> Can't we keep some secret tokens on master?
> Or on a separate secret small machine?
>
> This way we can transfer them from master during the creation of the slave.
> Basically, I'm talking about improving the transfert-to-slave script.

That's what I proposed in the previous email, but there are tradeoffs
such as having to maintain more secret keys somewhere. I'm not sure
which approach is the lesser evil ;)

Sanne


>
>> Davide extended this further with tags: see the readme to easily run
>> only the tasks related to a specific task (although we should tag all
>> tasks, not done yet).
>
> I might not have explained that in the readme, but the Ansible documentation
> is clear: http://docs.ansible.com/ansible/playbooks_tags.html
>
>> FWIW, ECDSA is the future: get a better OS ;-)
>
> +1 :)
>
> Davide
>
> On Wed, Aug 26, 2015 at 12:15 PM, Sanne Grinovero <sanne at hibernate.org>
> wrote:
>>
>> On 25 August 2015 at 14:15, Gunnar Morling <gunnar at hibernate.org> wrote:
>> > Sanne,
>> >
>> > When running Ansible to update the CI slaves on OS X, I get the
>> > following error:
>> >
>> > TASK: [jenkins-slave | Ensure cimaster is a known host]
>> > ***********************
>> > unknown key type ecdsa
>> > fatal: [209.132.178.232] => lookup_plugin.pipe(ssh-keyscan -t ecdsa
>> > 54.174.65.136) returned 255
>> >
>> > Can we use another key type than "ecdsa"? Apparently the SSH coming
>> > with OS X has no support for it (see [1]) and I'd prefer to use the
>> > default version rather than having to install another one.
>>
>> That line though is just a trick to fetch the existing keys so I guess
>> that to change the key type we need to figure out when & how these are
>> generated.
>> I just checked and it seems like we actually generate (and use) RSA
>> keys now; maybe that line is just broken on all platforms (not just on
>> OSX)?
>> When making changes I only run the related portions of the Ansible
>> script, so that might have been broken for a while w/o anyone
>> noticing.
>> Davide extended this further with tags: see the readme to easily run
>> only the tasks related to a specific task (although we should tag all
>> tasks, not done yet).
>>
>> I'm actually quite unhappy with that whole trick to get the generated
>> nodes to exchange the keys; it doesn't seem like "the Ansible way" as
>> it's quite procedural, but I couldn't figure a better way other than
>> pre-generate them (and lots of other people have that problem on SO so
>> I'd hope it will improve).
>> Would you prefer us to pre-generate those keys manually and add them
>> to the list of secret tokens which we need to share among maintainers?
>> I was trying to keep the list of keys we all need and the preparation
>> steps minimal, but agree this one might not be worth the complexity.
>>
>> FWIW, ECDSA is the future: get a better OS ;-)
>>
>> Thanks,
>> Sanne
>>
>> >
>> > Thanks,
>> >
>> > --Gunnar
>> >
>> > [1]
>> > http://apple.stackexchange.com/questions/77731/ecdsa-ssh-key-on-10-8-2
>> > _______________________________________________
>> > hibernate-dev mailing list
>> > hibernate-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/hibernate-dev
>
>

