Duplicating /root/passwords

Karsten 'quaid' Wade kwade at redhat.com
Fri Mar 15 00:19:45 UTC 2013


Since the dawn of the rebirth of ovirt.org (Sep-ish 2011), I have kept
all the passwords and secret stuff in /root/passwords on linode01.ovirt.org.

Any of the Infra maintainers _should_ be able to shell in to that
machine and view those passwords with 'sudo'. (I bet that may not be the
case, something to not bother fixing but rather migrate away from.)

I sort-of like this idea ongoing, that is, having the one file of all
our truly secret-secrets in /root/ so anyone with full-root sudo can get
at it to do their work.

What I'm thinking is that it would be cool to duplicate this file across
all the hosts, either all VMs, or at least the top-level hypervisor
hosts at *{01,02}.ovirt.org.

Doesn't sound like something for Puppet, since the data can't be shown.
Another option is to encrypt it, and use a shared GPG key to decrypt the
file? (I have a small util[1] that does that, so not terribly painful.)

OTOH, I could write a bash script that uses rsync over ssh (and a common
root sshkey used on all our hosts) to push out a new copy of the file
whenever we saved it; cf. running 'newaliases' when making changes to
/etc/aliases.

Of course, we could go in an entirely different direction.

Thoughts?

- Karsten

[1] sezme
-- 
Karsten 'quaid' Wade, Sr. Analyst - Community Growth
http://TheOpenSourceWay.org  .^\  http://community.redhat.com
@quaid (identi.ca/twitter/IRC)  \v'  gpg: AD0E0C41
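
A sketch of the rsync-over-ssh push described in the message above, added here as an example; it is not part of the original post or of oVirt's tooling. The host names are placeholders, and the script assumes GNU stat and key-based root ssh to each peer; it defaults to a dry run that only prints the commands.

```bash
#!/usr/bin/env bash
# Added example: push a root-only secrets file to peer hosts after editing it,
# in the spirit of running 'newaliases' after changing /etc/aliases.
set -u

SECRETS_FILE="${SECRETS_FILE:-/root/passwords}"
PEERS="${PEERS:-host01.example.org host02.example.org}"  # placeholder hosts
DRY_RUN="${DRY_RUN:-1}"                                   # 1 = print commands only

# Refuse to distribute a file that group or others can access.
# Assumes GNU stat ('-c %a' prints the octal mode).
check_mode() {
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing: $1 has mode $mode, want 600 or 400" >&2; return 1 ;;
    esac
}

# Print the rsync command for one peer. -p with --chmod=F600 pins the mode
# on arrival, so a permissive umask on the receiver cannot widen it.
push_cmd() {
    printf 'rsync -pt -e ssh --chmod=F600 -- %s root@%s:%s\n' "$1" "$2" "$1"
}

# Check the local file once, then push (or print the push) per peer.
push_all() {
    local file="$1" host
    check_mode "$file" || return 1
    for host in $PEERS; do
        if [ "$DRY_RUN" = 1 ]; then
            push_cmd "$file" "$host"
        else
            rsync -pt -e ssh --chmod=F600 -- "$file" "root@$host:$file" \
                || echo "push to $host failed" >&2
        fi
    done
}

# Run for real only when asked: ./push-passwords.sh --push
if [ "${1:-}" = "--push" ]; then
    DRY_RUN=0
    push_all "$SECRETS_FILE"
fi
```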
