Add a wrapper for Vm.assemble to create Sshable for the service vms #752
Nice size reduction
I'm curious about the ideas of @byucesoy, @furkansahin, and @pykello, as they have experience writing services using our VMs under the hood.
I think this looks good overall. I'm wondering whether we could use this opportunity to standardize sshable user names for internal VMs.
Current usernames:
I don't know
awesome!
85c53b2 to 4656314
I would like to keep minio-user as well since it's the default service user for minio.
I think exactly for that reason, we should not use runner, minio-user or any other service user as our SSH user. It is a serious security loophole. Giving examples from postgres:
Your point is valid. We should consider changing our SSH user for them as well. Should we implement this change in a separate PR or include it in the current one?
Initially I thought we could do it in this PR, but now I'm not sure whether changing the user would break the services and bloat this PR with lots of changes to unbreak them. Feel free to do whatever makes sense to you.
4656314 to 39212e2
73bbc52 to 407685a
GitHub runners need more changes to switch the user. I will do it in another PR.
We need to update the

```ruby
Vm.exclude(pool_id: nil).all.each do |vm|
  next unless vm.sshable
  vm.sshable.update(host: vm.ephemeral_net4)
end
```
407685a to 987c976
We manage customer virtual machines, as well as the virtual machines utilized by our other services. The latter are managed by the control plane, which connects to these virtual machines via SSH. Our services like GitHub runners, PostgreSQL, MinIO, and E2E tests all rely on these virtual machines. Each service generates an Sshable, assembles the virtual machine, and then updates the host of the Sshable once the machine is ready. To streamline this process, I've consolidated the generation and testing from 4 different locations into one. `Vm::Nexus.assemble_with_sshable` serves as a wrapper for `Vm::Nexus.assemble`, sharing the same signature with one key difference: it receives a `unix_user` as the first argument instead of a `public_key`. Consequently, it generates an Sshable for the virtual machine.
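To make the shape of the wrapper concrete, here is an added, self-contained Ruby illustration; it is not the project's own code. The `Sshable` and `Vm` structs stand in for the project's database-backed models, `assemble` stands in for `Vm::Nexus.assemble`, `assemble_with_sshable` mirrors the signature described above (`unix_user` first, an Sshable created alongside the VM), and `update_sshable_hosts` is the in-memory equivalent of the one-off host update posted earlier in the thread. The `SERVICE_ACCOUNTS` list and the check that refuses to reuse a service account as the SSH login are assumptions added here to reflect the concern raised in the discussion. An RSA keypair is generated with OpenSSL and rendered in OpenSSH public-key format so the VM can be provisioned with it; the key type is an illustrative choice.

```ruby
require "openssl"

# Constructed in-memory stand-ins for the project's Sshable and Vm records
# (the real ones are database-backed models; these are assumptions).
Sshable = Struct.new(:unix_user, :host, :private_key, :public_key, keyword_init: true)
Vm = Struct.new(:name, :pool_id, :ephemeral_net4, :sshable, :public_key, keyword_init: true)

# Service accounts that must not double as the control plane's SSH login,
# reflecting the concern raised in the thread. Assumed list, not the project's.
SERVICE_ACCOUNTS = %w[runner minio-user postgres].freeze

# SSH wire-format helpers (RFC 4251 string and mpint) used to render an
# OpenSSH "ssh-rsa ..." public key line from an OpenSSL RSA key.
def ssh_wire_string(bytes)
  [bytes.bytesize].pack("N") + bytes
end

def ssh_mpint(bn)
  bytes = bn.to_s(2)                                    # big-endian magnitude
  bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80  # keep the mpint positive
  ssh_wire_string(bytes)
end

def openssh_public_key(rsa)
  blob = ssh_wire_string("ssh-rsa") + ssh_mpint(rsa.e) + ssh_mpint(rsa.n)
  "ssh-rsa #{[blob].pack("m0")}"
end

# Fresh keypair per VM: the private half stays with the Sshable, the public
# half is what the VM is provisioned with.
def generate_keypair(bits: 2048)
  rsa = OpenSSL::PKey::RSA.new(bits)
  [rsa.to_pem, openssh_public_key(rsa)]
end

# Hypothetical stand-in for Vm::Nexus.assemble: takes the public key first and
# returns a VM that has no address yet.
def assemble(public_key, name:, pool_id: nil)
  Vm.new(name: name, pool_id: pool_id, ephemeral_net4: nil, sshable: nil, public_key: public_key)
end

# Hypothetical wrapper with the signature the PR describes: unix_user replaces
# public_key as the first argument, and an Sshable is created alongside the VM.
def assemble_with_sshable(unix_user, **kwargs)
  if SERVICE_ACCOUNTS.include?(unix_user)
    raise ArgumentError, "#{unix_user} is a service account; use a dedicated SSH user"
  end
  private_key, public_key = generate_keypair
  vm = assemble(public_key, **kwargs)
  vm.sshable = Sshable.new(unix_user: unix_user, host: nil,
                           private_key: private_key, public_key: public_key)
  vm
end

# Once pooled VMs (pool_id not nil) have an address, point their Sshable at it:
# the in-memory equivalent of the one-off update posted in the thread.
def update_sshable_hosts(vms)
  vms.select(&:pool_id).each do |vm|
    next unless vm.sshable
    vm.sshable.host = vm.ephemeral_net4
  end
  vms
end
```

The wrapper keeps the SSH identity (a dedicated login plus a per-VM key) separate from whatever account the service itself runs as, which is the point made about runner, minio-user and postgres above.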
987c976 to d4d985e