From bd80ed9a1690accd8d5dcb964ce387a27f6b014b Mon Sep 17 00:00:00 2001
From: Sam Thursfield
Date: Mon, 17 Nov 2014 12:12:25 +0000
Subject: Avoid scanning SSH host key of UPSTREAM_TROVE unless necessary

I've seen trove-setup.service fail in the case that the Trove is behind a proxy that blocks SSH traffic due to `ssh-keyscan` returning an error. We only need to scan the SSH host key of UPSTREAM_TROVE if we're going to be using SSH to acess it, so we can work around this issue. This pulls in the 'sshknownhosts' Ansible module from commit 80f31fa8a5d3751b4e3e19123164c3ea97f262dd of . The module seems small enough that we don't need to mess with a submodules to include it.
---
 ansible/roles/trove-setup/tasks/known-hosts-setup.yml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

(limited to 'ansible/roles/trove-setup/tasks/known-hosts-setup.yml')

diff --git a/ansible/roles/trove-setup/tasks/known-hosts-setup.yml b/ansible/roles/trove-setup/tasks/known-hosts-setup.yml
index a8d18f7..b3e268a 100644
--- a/ansible/roles/trove-setup/tasks/known-hosts-setup.yml
+++ b/ansible/roles/trove-setup/tasks/known-hosts-setup.yml
@@ -1,10 +1,15 @@
 # Depends on:
 # - check.yml
+# Uses sshknownhosts module from:
+# https://github.com/bfmartin/ansible-sshknownhosts
 ---
-# If UPSTREAM_TROVE is not defined, the jinja2 'default' filter will
-# replace it with an empty string. ssh-keyscan skips empty hostnames,
-# so it will run only with 'localhost'
-- name: Add localhost and UPSTREAM_TROVE to /etc/ssh/ssh_known_hosts
-  shell: |
-    ssh-keyscan localhost {{ UPSTREAM_TROVE|default('')|quote }} > /etc/ssh/ssh_known_hosts
-    creates=/etc/ssh/ssh_known_hosts
+- name: Add localhost to /etc/ssh/ssh_known_hosts
+  sshknownhosts: host=localhost state=present
+
+# We avoid trying to scan UPSTREAM_TROVE's host keys unless the user explicitly
+# configured Lorry Controller to access it over SSH. It's possible that the
+# Trove is behind a proxy that blocks SSH traffic, and if this step fails then
+# the whole trove-setup.service will fail.
+- name: Add {{ UPSTREAM_TROVE }} to /etc/ssh/ssh_known_hosts
+  sshknownhosts: host={{ UPSTREAM_TROVE }} state=present
+  when: UPSTREAM_TROVE_PROTOCOL == ssh
-- 
cgit v1.2.1
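Review bot: In the `when:` on the last added line, `ssh` is a Jinja2 identifier rather than a string literal, so `UPSTREAM_TROVE_PROTOCOL == ssh` compares the variable against an undefined name and the UPSTREAM_TROVE task will most likely never run (or the conditional will error on the undefined name, depending on the Ansible version). Quote the literal: `when: UPSTREAM_TROVE_PROTOCOL == 'ssh'`. The removed task tolerated an unset UPSTREAM_TROVE through `default('')`, so unless the variable is guaranteed elsewhere, `when: UPSTREAM_TROVE_PROTOCOL is defined and UPSTREAM_TROVE_PROTOCOL == 'ssh'` keeps the play usable on hosts with no upstream configured. Like the ssh-keyscan it replaces, sshknownhosts records whatever key it sees on first contact, so a short comment such as `# Host key is trusted on first scan; verify it out of band if the network path is untrusted` would document the remaining risk next to the task.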