Percona-Lab/pacemaker-replication-agents

geo-DR: remove need to have ssh

Opened this issue · 9 comments

Why do we need ssh from every machine to every machine?

For geo-DR, this is used to fetch who the master is and its binary log information.

Can't we just have a small daemon that runs in the cluster and serves those requests?
Or are there other ways through booth itself?

We could use xinetd, for example. That does introduce an extra dependency, though; ssh is usually already installed. Do you have security concerns?

Yes, indeed. Many environments I work on do not allow root ssh automatically.

We definitely could use remote connections but, in an environment that prohibits ssh, do you think allowing remote CIB connections is not even more dangerous? I kind of like the limited capability of an xinetd frontend which just outputs data and allows no modification.

That's a good point. I wonder, though, about the portability of xinetd? Remote CIB connections just appeal to me as it's built in :-)

Remote CIB access can be configured with a read-only ACL; I'll look into this.

Rumor has it that @dotmanila has a non-root ssh implementation with sudo almost ready as an intermediate measure :)

Checking @dotmanila's code right now.

@dotmanila's code has been merged in 1.0.0; I'll explore the possibility of using pacemaker directly with ACL.