
Non-AWS-Node-Setup Guide

Open phahulin opened this issue 7 years ago • 10 comments

This is for discussion... a few thoughts regarding https://github.com/poanetwork/wiki/wiki/Non-AWS-Node-Setup

  • [ ] SSH keys: it is not clear whether creating a separate key for each node significantly enhances security. On the downside, it increases the possibility of forgetting or mixing up passwords and losing access to nodes. Besides, there are other ways of storing SSH keys, like hardware tokens, etc. I think we should avoid giving direct instructions here and rely on the user's choice... we can't know his workflow and habits (does he share his computer with someone? does he install spyware?). Hopefully, if he's into crypto, he understands the importance of keeping private keys private and using strong passwords, in which case he can manage with a few keypairs. So, as a guideline, I think we should recommend creating a separate password-protected key for each POA network (= 2 keys max at the moment). This can also help prevent accidental updates on the wrong network. But we leave it up to the user to choose a keypair here. This note should go at the very beginning of the doc, because ---->

  • [ ] ----> the opening line "Create Ubuntu 16.04 Server Image..." assumes that the user created a server himself, and most probably he had to provide an SSH key during this process. Later down the doc he creates a new user on the server and a new key, but access with the original key is not revoked, so there are now two keys that can access the same server. I think if in (1) we describe how to choose a key for the server, then there is no need to create an additional keypair later.

  • [ ] However, it should be explicitly stated that the user must use a password-protected keypair, even though SSH allows password-less keys. Also, each key should have a different strong password.

  • [x] In the original versions of these guides I missed that there is an ansible-playbook option --ask-become-pass that prompts for the sudo password. So it seems we can remove the requirement to create an additional user who can execute sudo without a password, and add a note about this option instead.

  • [ ] When there are multiple keypairs in ~/.ssh, it's possible to tell ansible-playbook which one to use by providing the --private-key option with the full path to the private key, e.g. ansible-playbook -i hosts site.yml --key-file ~/.ssh/id_poa_sokol.

phahulin avatar Jan 12 '18 20:01 phahulin
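The points above (a password-protected key per network, passing that key explicitly to ansible-playbook, and --ask-become-pass instead of passwordless sudo), together with the later question about --private-key versus --key-file, can be put into one small wrapper. The script below is an added example for this discussion, not code from the POA wiki or its deployment playbooks. It assumes bash with standard coreutils (head, sed, tr, base64, grep), that the key is in OpenSSH "openssh-key-v1" or legacy PEM/PKCS#8 format, and that ansible-playbook is on PATH when the wrapper is actually invoked; the sample key files it creates are constructed headers only, not real keys. The function and file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the POA wiki): refuse to run a playbook with an SSH
# private key that has no passphrase, and pass the chosen key explicitly so
# ansible-playbook never silently picks a neighbouring key from ~/.ssh.

# Print "encrypted", "plaintext" or "unknown" for the private key at $1.
# Returns 0 only for a passphrase-protected key.
ssh_key_protection() {
  local keyfile="$1" first_line header
  first_line=$(head -n 1 -- "$keyfile")
  case "$first_line" in
    '-----BEGIN OPENSSH PRIVATE KEY-----')
      # Payload layout: magic "openssh-key-v1\0", then a length-prefixed
      # cipher name. Keeping only printable bytes makes magic and cipher name
      # adjacent: "openssh-key-v1none" means no passphrase, any other cipher
      # (e.g. "openssh-key-v1aes256-ctr") means the key is encrypted.
      header=$(sed -e '1d' -e '/^-----END/,$d' -- "$keyfile" \
        | tr -d '\n' | base64 -d 2>/dev/null \
        | LC_ALL=C tr -cd '[:print:]' | head -c 40)
      case "$header" in
        openssh-key-v1none*) echo plaintext; return 1 ;;
        openssh-key-v1*)     echo encrypted; return 0 ;;
        *)                   echo unknown;   return 2 ;;
      esac ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----')   # PKCS#8, encrypted
      echo encrypted; return 0 ;;
    '-----BEGIN PRIVATE KEY-----')             # PKCS#8, unencrypted
      echo plaintext; return 1 ;;
    '-----BEGIN '*' PRIVATE KEY-----')
      # Legacy PEM (RSA/DSA/EC): an encrypted key carries a Proc-Type header.
      if grep -q '^Proc-Type: 4,ENCRYPTED' -- "$keyfile"; then
        echo encrypted; return 0
      fi
      echo plaintext; return 1 ;;
    *)
      echo unknown; return 2 ;;
  esac
}

# Run a playbook with an explicitly chosen key and prompt for the sudo
# password (--ask-become-pass) instead of requiring passwordless sudo on the
# node. --private-key and --key-file are two spellings of the same option.
# Usage: run_playbook_with_key ~/.ssh/id_poa_sokol -i hosts site.yml
run_playbook_with_key() {
  local key="$1"; shift
  if ! ssh_key_protection "$key" >/dev/null; then
    echo "refusing to use $key: not a passphrase-protected private key" >&2
    return 1
  fi
  ansible-playbook --private-key "$key" --ask-become-pass "$@"
}

# Constructed sample files (not real keys): only the header bytes the check
# inspects are present, where a real key would continue with key material.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# openssh-key-v1 with cipher "none" and kdf "none": generated without -N.
{
  echo '-----BEGIN OPENSSH PRIVATE KEY-----'
  printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
  echo '-----END OPENSSH PRIVATE KEY-----'
} > "$workdir/id_plain"

# openssh-key-v1 with cipher "aes256-ctr" and kdf "bcrypt": passphrase set.
{
  echo '-----BEGIN OPENSSH PRIVATE KEY-----'
  printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
  echo '-----END OPENSSH PRIVATE KEY-----'
} > "$workdir/id_enc"

# Legacy PEM key with the Proc-Type header that marks it as encrypted.
{
  echo '-----BEGIN RSA PRIVATE KEY-----'
  echo 'Proc-Type: 4,ENCRYPTED'
  echo 'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF'
  echo
  echo 'AAAA'
  echo '-----END RSA PRIVATE KEY-----'
} > "$workdir/id_pem_enc"

for k in "$workdir"/id_plain "$workdir"/id_enc "$workdir"/id_pem_enc; do
  printf '%s: %s\n' "$(basename "$k")" "$(ssh_key_protection "$k")"
done
```

The check reads only the key header, so it never needs the passphrase and can be run in a pre-deploy script; point run_playbook_with_key at the per-network key (e.g. ~/.ssh/id_poa_sokol) and it adds the --private-key and --ask-become-pass flags for you, which also removes the need for a sudoer without a password on the node.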

I will get working on this. I tried ansible-private-key or something and it didn't work, but I will use that option instead of additional OS config.

hashguide avatar Jan 13 '18 17:01 hashguide

Should there be cloud-service-specific instructions? Azure has you create a sudo user while deploying, but the two I used (DigitalOcean & Vultr) have you log in as root and create a user via the CLI. The guide may get confusing having two ways of doing this part.

hashguide avatar Jan 15 '18 13:01 hashguide

If a user can create a server and set up access via SSH keys, hopefully it won't be too confusing for him. So probably add an optional step for the case where the user only has root access by default.

phahulin avatar Jan 15 '18 20:01 phahulin

@phahulin let's add checkboxes to complex issues e.g.

  • [ ] feature a
  • [x] feature b

igorbarinov avatar Jan 19 '18 07:01 igorbarinov

Added checkboxes, @hashguide please check them complete as you go

phahulin avatar Jan 19 '18 10:01 phahulin

When there are multiple keypairs in ~/.ssh, it's possible to tell ansible-playbook which one to use by providing --private-key option with full path to the private key, e.g. ansible-playbook -i hosts site.yml --key-file ~/.ssh/id_poa_sokol.

is it --private-key or --key-file?

hashguide avatar Jan 23 '18 12:01 hashguide

Both can be used interchangeably http://docs.ansible.com/ansible/latest/ansible-playbook.html#cmdoption-ansible-playbook-private-key

phahulin avatar Jan 23 '18 13:01 phahulin

@phahulin

Please verify the Non-AWS guides to see if this issue can be closed, thank you.

hashguide avatar Jan 24 '18 19:01 hashguide

You mean these two guides, right? https://github.com/poanetwork/wiki/wiki/Validator-Node-Non-AWS https://github.com/poanetwork/wiki/wiki/Bootnode-Setup-Non-AWS

In the first guide, in the "Configure node with Deployment-playbook" section, 7th paragraph, "set values given to you by Master of Ceremony...": MINING_KEYFILE, MINING_ADDRESS and MINING_KEYPASS are not provided by the Master of Ceremony but by governance; maybe add a link to https://github.com/poanetwork/wiki/wiki/Governance-Overview

phahulin avatar Jan 25 '18 12:01 phahulin

Alright, this part of the wiki was copied from the previous one. I will change this around; I completely forgot about this issue.

hashguide avatar Feb 13 '18 01:02 hashguide