[hibernate-dev] Ansible set-up, error "unknown key type ecdsa"

Davide D'Alto davide at hibernate.org
Wed Aug 26 07:51:34 EDT 2015


> That's what I proposed in the previous email, but there are tradeoffs
> such as having to maintain more secret keys somewhere. I'm not sure
> which approach is the lesser evil ;)

I prefer having the keys in one place of reference.
It's easier to remember to keep it up-to-date.

On Wed, Aug 26, 2015 at 12:38 PM, Sanne Grinovero <sanne at hibernate.org> wrote:

> On 26 August 2015 at 12:28, Davide D'Alto <davide at hibernate.org> wrote:
> > Can't we keep some secret tokens on master?
> > Or on a separate secret small machine?
> >
> > This way we can transfer them from master during the creation of the slave.
> > Basically, I'm talking about improving the transfert-to-slave script.
>
> That's what I proposed in the previous email, but there are tradeoffs
> such as having to maintain more secret keys somewhere. I'm not sure
> which approach is the lesser evil ;)
>
> Sanne
>
>
> >
> >> Davide extended this further with tags: see the readme to easily run
> >> only the tasks related to a specific task (although we should tag all
> >> tasks, not done yet).
> >
> > I might now have explained that in the readme, but the Ansible documentation
> > is clear: http://docs.ansible.com/ansible/playbooks_tags.html
> >
> >> FWIW, ECDSA is the future: get a better OS ;-)
> >
> > +1 :)
> >
> > Davide
> >
> > On Wed, Aug 26, 2015 at 12:15 PM, Sanne Grinovero <sanne at hibernate.org>
> > wrote:
> >>
> >> On 25 August 2015 at 14:15, Gunnar Morling <gunnar at hibernate.org> wrote:
> >> > Sanne,
> >> >
> >> > When running Ansible to update the CI slaves on OS X, I get the
> >> > following error:
> >> >
> >> > TASK: [jenkins-slave | Ensure cimaster is a known host]
> >> > ***********************
> >> > unknown key type ecdsa
> >> > fatal: [209.132.178.232] => lookup_plugin.pipe(ssh-keyscan -t ecdsa
> >> > 54.174.65.136) returned 255
> >> >
> >> > Can we use another key type than "ecdsa"? Apparently the SSH coming
> >> > with OS X has no support for it (see [1]) and I'd prefer to use the
> >> > default version rather than having to install another one.
> >>
> >> That line though is just a trick to fetch the existing keys so I guess
> >> that to change the key type we need to figure out when & how these are
> >> generated.
> >> I just checked and it seems like we actually generate (and use) RSA
> >> keys now; maybe that line is just broken on all platforms (not just on
> >> OSX)?
> >> When making changes I only run the related portions of the Ansible
> >> script, so that might have been broken since a while w/o anyone
> >> noticing.
> >> Davide extended this further with tags: see the readme to easily run
> >> only the tasks related to a specific task (although we should tag all
> >> tasks, not done yet).
> >>
> >> I'm actually quite unhappy with that whole trick to get the generated
> >> nodes exchange the keys; it doesn't seem like "the Ansible way" as
> >> it's quite procedural, but I couldn't figure a better way other than
> >> pre-generate them (and lots of other people have that problem on SO so
> >> I'd hope it will improve).
> >> Would you prefer us to pre-generate those keys manually and add them
> >> to the list of secret tokens which we need to share among maintainers?
> >> I was trying to keep the list of keys we all need and the preparation
> >> steps minimal, but agree this one might not be worth the complexity.
> >>
> >> FWIW, ECDSA is the future: get a better OS ;-)
> >>
> >> Thanks,
> >> Sanne
> >>
> >> >
> >> > Thanks,
> >> >
> >> > --Gunnar
> >> >
> >> > [1] http://apple.stackexchange.com/questions/77731/ecdsa-ssh-key-on-10-8-2
> >> > _______________________________________________
> >> > hibernate-dev mailing list
> >> > hibernate-dev at lists.jboss.org
> >> > https://lists.jboss.org/mailman/listinfo/hibernate-dev
> >
> >
>
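
The thread weighs fetching the master's host key with `ssh-keyscan -t ecdsa` against keeping pre-generated keys in one place of reference. The following is an added example, not code from the thread or from the project's playbook: it filters `ssh-keyscan`-style output by key type (falling back to RSA when no ECDSA key is offered) and accepts a line only if its fingerprint is already pinned. The host name `cimaster.example`, the function names, the preference order and the sample key bytes are all constructed assumptions.

```python
import base64
import hashlib
import struct

def _blob(ktype, body):
    # SSH public key blobs start with a length-prefixed algorithm name.
    return struct.pack(">I", len(ktype)) + ktype.encode() + body

# Constructed sample: a fake key blob and the ssh-keyscan style output for it.
SAMPLE_BLOB = _blob("ssh-rsa", b"constructed-bytes-not-a-real-key")
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_SCAN = ("# cimaster.example:22 SSH-2.0-OpenSSH (constructed)\n"
               "cimaster.example ssh-rsa " + SAMPLE_B64 + "\n")

def blob_key_type(blob):
    """Read the algorithm name embedded at the start of a public key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def fingerprint(blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def select_known_host_line(scan_output, pinned,
                           preferred=("ecdsa-sha2-nistp256", "ssh-rsa")):
    """Return the first preferred-type line whose fingerprint is pinned, else None."""
    found = {}
    for line in scan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue  # skip banner comments and malformed lines
        host, ktype, b64 = parts[:3]
        try:
            blob = base64.b64decode(b64, validate=True)
            if blob_key_type(blob) != ktype:
                continue  # declared type disagrees with the key blob itself
        except (ValueError, struct.error):
            continue
        found[ktype] = (" ".join(parts[:3]), fingerprint(blob))
    for ktype in preferred:
        entry = found.get(ktype)
        if entry and entry[1] in pinned:
            return entry[0]
    return None  # nothing trusted: leave known_hosts untouched
```
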

