Manual provisioning - feedback wanted

Andrew Wilkins andrew.wilkins at
Mon Sep 9 02:16:36 UTC 2013

On Mon, Sep 9, 2013 at 9:57 AM, David Cheney <david.cheney at>wrote:

> >
> > As of 1.13.3 you can now do this:
> >     juju add-machine ssh:[user@]host
> * Does this user have to be root ? If the user has to be root, do we
> have to get into the business of telling people how to adjust their
> /etc/ssh/sshd to allow root login ?

No. The command will ssh to the remote host, and sudo on the remote
machine. So you need to be able to sudo, but you definitely don't need to
be able to ssh in as root.

> * What happens if I do, juju add-machine ssh:localhost ? I can't
> imagine anything good will come from that. Should there be a provision
> to prohibit this ?

As long as you're not running a local provider environment, that'll work
just fine. Really, add-machine is just a matter of:
 - detect machine characteristics
 - get tools from storage, unpack into the right location
 - create a log directory
 - install an upstart script

I say "as long as you're not running a local provider environment" because
there are checks that no juju agents exist on the target machine.

* What happens if the machine you are ssh'ing to is via a jump/bastian
> host, the target won't be able to communate with the outside world or
> bootstrap node, right ? That sounds like a huge support timesuck.

Right, it won't work. You'll get an error from add-machine because
add-machine won't be able to remotely fetch the tools. This is one of the
caveats I listed; the target machine must be able to communicate with the
state server and storage. We'll want to document this bit well, and provide
some suggestions on what to do in those kinds of environments.

>  - There is no change in supported operating systems; the machine being
> > provisioned must be running Ubuntu 12.04+
> Is this enforced in code ?

Only in so far as default-series, etc., are enforced. There's nothing
special about manual provisioning here.

>  - Multiple invocations of ssh will be made, and sudo is used on the
> remote
> > host to install the machine agent. To reduce noisy prompts, you should
> use
> > public key authentication. To completely eliminate prompting, you'll also
> > need to enable passwordless sudo on the target host.
> Can we automate this with a file in /etc/sudoers.d ?

Naturally that will require root ;)
This is up to the person doing the install.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Juju mailing list