-
Notifications
You must be signed in to change notification settings - Fork 332
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CLI: SSH Support #1319
Comments
So, the general solution to this in my opinion is to open an SSH tunnel on demand for the user and then interact with the control API over it (or perhaps via SSHFS in the case of a Unix socket). At the moment the user can already configure either of those externally, but it would be a value add that Unitctl does this for them. That said, I have qualms:
The reason why we are tracking this is to make sure we are at feature parity with unitc so that we can standardize on unitctl instead. @lcrilly Im interested if you feel like this is a priority function or if you feel like we could replace unitc with this work still pending. |
Thanks for the tag. When I think about remote management of Unit I see it in the context of a developer accessing a server that is part of their development environment. So either local VM or a something nearby over a trusted network. I don't think there is much value in building a production-grade control plane. I'd be happy for unitctl to prioritize local unitd and Docker images, especially as this is in line with other efforts to improve the first-touch developer experience. Securing the control API with mTLS would be a better investment of engineering effort IMO. |
Is there another ticket that tracks this? |
Not succinctly. It has been discussed several times over the years :) There is an active discussion (#1315) that covers one of the use cases for exposing the control API over the network. And a discussion (#993) that describes a workaround for selectively exposing parts of the control API. It's a bit off-topic, but separating the control API from the status endpoint would remove pressure on securing the control API itself. |
unitctl
should support configuring and interacting with instances over SSH, but should not automatically log into servers without a specific invocation from the user (unitctl instances
should not seek instances over SSH). CLI needs to handle control sockets specified over SSH at least with file sockets, and preferably with TCP endpoints as well. This applies to the following subcommands:The text was updated successfully, but these errors were encountered: