geo-DR: remove need to have ssh

[grypyrg]

Why do we need ssh from every machine to every machine?

For geo-DR, this is used to fetch who the master is and it's binary log information.

Can't we just have a small daemon that runs in the cluster and serves those requests? Or are there other ways through booth itself?

[y-trudeau]

We could use xinetd for example. That does introduce an extra dependency though, ssh is usually already installed. Do you have security concerns?

[grypyrg]

Yes, indeed. Many environments I work on do not allow root ssh automatically

[dotmanila]

We can optionally use http://clusterlabs.org/doc/en-US/Pacemaker/1.0/html-single/Pacemaker_Explained/#s-remote-connection

[y-trudeau]

we definitely could use remote connections but, in an environment that prohibit ssh, do you think allowing remote cib connection is not even more dangerous? I kind of like the limited capability of an xinetd frontend which just output data and allow not modification.

[dotmanila]

That's a good point, I wonder though the portability of xinetd? Remote CIB connections just appeals to me as its builtin :-)

[y-trudeau]

remote cib access can be configured with readonly ACL, I'll look into this.

[grypyrg]

Rumor has it that @dotmanila has a non-root ssh implementation with sudo almost ready as intermediate measure :)

[y-trudeau]

Checking @dotmanila code right now

[y-trudeau]

@dotmanila code has been merged in 1.0.0, I'll explore the possibility of using pacemaker directly with ACL