Last modified: 2013-04-24 18:31:30 UTC
Please list the fingerprint(s) of the server.

    cd /etc/ssh
    ssh-keygen -lf ssh_host_rsa_key.pub

or the like. See http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/56378
The fingerprints of the instances are dynamic (would change on each recreation). Extension:OpenStackManager can show them in the 'get output', but you can't view that page unless you are an admin.
I'll try to think of some way of listing this info. There are definitely some dirty, hackish ways of doing this. I may just put a cron on one system that pulls the keys and adds them to the instance's wiki page. I may also be able to do this via OpenStackManager, by adding a job to the job queue that tries to ssh to the host, pulling the key and then updating the wiki page with the fingerprint.
http://www.php.net/manual/en/function.ssh2-fingerprint.php
^^ that would do perfectly.
(In reply to comment #1)
> The fingerprints of the instances are dynamic (would change on each
> recreation).

I understand.

Perhaps a solution, and increasing security: each newly created instance must get a new name, or serial number, or hash?
(In reply to comment #4)
> (In reply to comment #1)
> > The fingerprints of the instances are dynamic (would change on each
> > recreation).
> I understand.
>
> Perhaps a solution, and increasing security: each newly created instance must
> get a new name, or serial number, or hash ?

It does. Every new one has a unique instance name, and is a newly installed OS, so also has a new ssh key. That is what *causes* the problem, though. It's not a solution. I listed a solution above.
Moving out of the Wikimedia product into the already existing Wikimedia Labs product, I'm going to remove the Labs component from the Wikimedia product.
Now that we have salt running on most of the instances, we could write a module for grabbing this data (possibly after the API is done). I'd really like to push SSHFP records into DNS; apparently the current PDNS LDAP schema can't handle that, though :(
I'd like salt to fire an event when the instance is finished building. It could include the fingerprint along with the event message.
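The fingerprint and SSHFP data discussed in the two comments above can be derived from a host's public key line alone. This is an added example, not part of the original thread or of any Wikimedia Labs or salt code; the hostname and the sample key are constructed placeholders.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}

def parse_pubkey_line(line):
    """Return (key_type, blob) from one line of an ssh_host_*_key.pub file."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type. A mismatch
    # means the line was edited or corrupted, so refuse to fingerprint it.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob

def fingerprints(blob):
    """Fingerprints in the two formats ssh-keygen -l prints (MD5 hex, SHA256 base64)."""
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha256}

def sshfp_records(hostname, line):
    """SSHFP records (fingerprint type 1 = SHA-1, type 2 = SHA-256) for one key."""
    key_type, blob = parse_pubkey_line(line)
    algo = 3 if key_type.startswith("ecdsa-sha2-") else SSHFP_ALGO.get(key_type)
    if algo is None:
        raise ValueError("no SSHFP algorithm number for " + key_type)
    return [f"{hostname} IN SSHFP {algo} 1 {hashlib.sha1(blob).hexdigest()}",
            f"{hostname} IN SSHFP {algo} 2 {hashlib.sha256(blob).hexdigest()}"]

def _wire(data):
    """Encode bytes as an SSH wire-format string (4-byte length + data)."""
    return struct.pack(">I", len(data)) + data

# Constructed sample key: a well-formed ed25519 blob with dummy key bytes.
SAMPLE_BLOB = _wire(b"ssh-ed25519") + _wire(bytes(range(32)))
SAMPLE_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
               + " root@constructed-instance")

if __name__ == "__main__":
    print(fingerprints(parse_pubkey_line(SAMPLE_LINE)[1]))
    print("\n".join(sshfp_records("i-constructed.example", SAMPLE_LINE)))
```

The key line must be read over a channel that is already trusted (for example on the instance itself or from the build output); fetching it over an unverified SSH connection only republishes whatever key that connection happened to see.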
Is this really high priority (as it's been since November 2011), or shall this be decreased to low or normal priority?
No. Normal priority is fine.