Red Hat Bugzilla – Bug 1316598
[RFE] Satellite 6.2 Remote Execution provider not based on SSH-keys
Last modified: 2018-05-30 02:50:57 EDT
As puppetlabs and Red Hat announced in the following releases of puppet, "puppet kick" will be deprecated and no more puppetruns will be able to be pushed from Satellite 6 on clients. Indeed in Satellite 6.1.X puppetruns executed via Satellite are disabled.
For one of our biggest customers in Spain this is a big issue because now we are running on demand puppetruns via satellite6 using puppet kick method. Now we have 1 Satellite 6.0.8 central server (+1 DR), 8 capsules 6.0.8 and around 4000 clients.
The solution for this issue is the use of the "Remote Execution" feature provided in Satellite 6.2, so we are planning to migrate our Satellite 6.0.8 infra to Satellite 6.2, but again we have faced another problem: in the first implementation of "Remote Execution" in Satellite 6.2.X only SSH will be used as provider and our customer has completely forbidden the use of ssh keys between servers (keep in mind that this is a bank). So again we are blocked, we must wait for Satellite 6.3 to be able to use Remote Execution with AMQP or Salt Stack as providers (because SSH and Ansible are using SSH-Keys), so the questions for us are the following:
* Can you certify to us that AMQP or Salt Stack Remote execution providers are not using SSH-keys?
* Is there any chance to implement AMQP or Salt Stack Remote execution providers on Satellite 6.2.X in order not to wait until Satellite 6.3? (Our Satellite 6 infra upgrade is blocked because of this issue)
Many thanks in advance
*** Bug 1362309 has been marked as a duplicate of this bug. ***
Based on other priorities, work on this has been postponed during the last few months, but the engineering team plans to start looking into this again in next weeks time and we should have better estimates on when it's realistic to deliver based on that. I expect it would not be part of 6.3 GA, but should be possible to backport in 6.3.z stream, depending on when the 6.3 will be released. Anyway, this is quite a rough estimation: we will know better after we get more into details, also taking into account some scalability improvements that are related to this.
As Ivan said, I would not expect to see this any earlier than a 6.3 zStream.
Reducing from Urgent. PM, copied, is aware of the priority of this request.
Also need this, ssh from capsules/satellite server towards hosts is prohibited from a network security policy point of view, need a "more secure" transport. AMQP as in an already existing message queue would be preferred I guess.
*** Bug 1393470 has been marked as a duplicate of this bug. ***
+1 on this from a security POV