launchpad-reviewers team mailing list archive
Message #26353
[Merge] ~cjwatson/lp-codeimport:charm-disable-strict-host-key-checking into lp-codeimport:master
Colin Watson has proposed merging ~cjwatson/lp-codeimport:charm-disable-strict-host-key-checking into lp-codeimport:master.
Commit message:
charm: Disable StrictHostKeyChecking for storage host
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~cjwatson/lp-codeimport/+git/lp-codeimport/+merge/398334
This eliminates a manual step in setting up new workers.
Losing ssh's host key check isn't completely ideal, but if somebody does manage to run a man-in-the-middle attack on the code-import-storage unit then all that happens is that code import workers will push imported versions of public VCS repositories to them, so no great harm will be done.
--
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/lp-codeimport:charm-disable-strict-host-key-checking into lp-codeimport:master.
diff --git a/charm/lp-codeimport/reactive/lp-codeimport.py b/charm/lp-codeimport/reactive/lp-codeimport.py
index 4e5d00f..e05990a 100644
--- a/charm/lp-codeimport/reactive/lp-codeimport.py
+++ b/charm/lp-codeimport/reactive/lp-codeimport.py
@@ -7,6 +7,7 @@ import base64
import os.path
import shutil
import subprocess
+from urllib.parse import urlparse
from charmhelpers.core import (
hookenv,
@@ -187,6 +188,8 @@ def configure():
'oopses_dir': oopses_dir(),
'home_dir': home_dir(),
'user': base.user(),
+ 'code_import_storage_host': (
+ urlparse(config['bazaar_branch_store']).hostname),
# Chosen to allow distributing dispatch start time over a 30-second
# interval.
'dispatch_offset': host.modulo_distribution(modulo=6, wait=5),
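Review bot: The new 'code_import_storage_host' entry takes urlparse(config['bazaar_branch_store']).hostname without checking it, and .hostname is None whenever the configured value has no //host part (for example an empty value or an scp-style host:path). Jinja2 renders None as the literal text by default, so ssh_config.j2 would then produce "Host None" without any error and the override would silently apply to nothing. Consider checking for a missing hostname in configure() and either failing the hook with a clear message or passing a value that lets the template leave the Host block out.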
diff --git a/charm/lp-codeimport/templates/ssh_config.j2 b/charm/lp-codeimport/templates/ssh_config.j2
index 926b3f5..d19fd89 100644
--- a/charm/lp-codeimport/templates/ssh_config.j2
+++ b/charm/lp-codeimport/templates/ssh_config.j2
@@ -1,3 +1,6 @@
+Host {{ code_import_storage_host }}
+ StrictHostKeyChecking no
+
Host *
IdentityFile ~/.ssh/lp-codeimport
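Review bot: "StrictHostKeyChecking no" in the new "Host {{ code_import_storage_host }}" block does more than remove the first-connection prompt: ssh also carries on connecting, with only a warning, after the storage host's key has changed. "StrictHostKeyChecking accept-new" (OpenSSH 7.6 and later) removes the same manual step by recording the key on first connection, but refuses a changed key afterwards, so it may be worth using if the workers' ssh supports it. If "no" stays, a comment in the template recording the reasoning from the merge proposal (workers only push imports of public repositories to this host) would help anyone who later reuses this block for another host.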