Always provide our known_hosts in addition to user known_hosts #1464

roberth · 2021-08-06T16:16:39Z

Solves one of the problems from #1264 (comment)

It also solves a problem where multiple deployments to distinct private networks fight over the key for the same ip that occurs in both.

nixops import --include-keys-like functionality doesn't seem to be included.

Prevously, you'd

create a deployment
upload the state
download the deployment state on a fresh machine (eg colleague)
nixops ssh doesn't know the keys
non-interactive deployments fail

With this pr, we don't have to rely on user configuration to include
known_hosts entries for the deployments.

It makes nixops import --include-keys unnecessary, unless you
use those entries outside of nixops.

Since recently we can get our deployment state from remote storage
backends, but we didn't have a way to get configure the known_hosts
yet. This is now largely unnecessary.

This functionality requires some cooperation from the plugins. For
instance, here's what ec2 needs to do: (pun intended)

+    def get_ssh_host_keys(self):
+        return self.private_ipv4 + " " + self.public_host_key + "\n" + self.public_ipv4 + " " + self.public_host_key + "\n"

(NixOS/nixops-aws#141)

Companion of NixOS/nixops#1464

This way, we don't have to rely on user configuration to include known_hosts entries for the deployments. It makes `nixops import --include-keys` unnecessary, unless you use those entries outside of nixops. Since recently we can get our deployment state from remote storage backends, but we didn't have a way to get configure the known_hosts yet. This is now largely unnecessary. This functionality requires some cooperation from the plugins. For instance, here's what ec2 needs to do: (pun intended) + def get_ssh_host_keys(self): + return self.private_ipv4 + " " + self.public_host_key + "\n" + self.public_ipv4 + " " + self.public_host_key + "\n"

Companion of NixOS/nixops#1464

…present

nixops/backends/__init__.py

Thanks Mic92!

roberth · 2021-08-30T11:43:54Z

Thanks @Mic92 that was very helpful!

This will let NixOps provide the host keys directly to the ssh client, regardless of whether they've been saved to user dotfiles. It solves a problem where the host keys were not known on systems that retrieve the state from a remote state provider. See NixOS/nixops#1464

roberth added a commit to hercules-ci/nixops-aws that referenced this pull request Aug 6, 2021

Let NixOps provide known_hosts independently of user known_hosts

46489df

Companion of NixOS/nixops#1464

This was referenced Aug 6, 2021

Let NixOps provide known_hosts independently of user known_hosts NixOS/nixops-aws#141

Merged

Writing to known_hosts should be optional #1465

Open

roberth force-pushed the internal-known-hosts-handling branch 4 times, most recently from 454bf40 to ec0007f Compare August 6, 2021 16:45

roberth force-pushed the internal-known-hosts-handling branch from ec0007f to 94a6884 Compare August 6, 2021 16:46

roberth added a commit to hercules-ci/nixops-aws that referenced this pull request Aug 6, 2021

Let NixOps provide known_hosts independently of user known_hosts

e30c874

Companion of NixOS/nixops#1464

Make nix-copy-closure work when ssh GlobalKnownHostsFile entries are …

6e0d3aa

…present

roberth mentioned this pull request Aug 26, 2021

Release 2.0 old tracking issue #1242

Open

16 tasks

Mic92 reviewed Aug 28, 2021

View reviewed changes