Push over SSH
Pallet executes its scripts by pushing them to each node over SSH, so every run needs an SSH identity that the target nodes accept. Pallet provides several ways of supplying that identity.
The admin User
To SSH to a node, pallet requires a username and an SSH key pair whose public key is authorised for that user on the node. You can pass an admin-user object (create one with pallet.utils/make-user) to lift and converge using the :user keyword.
For REPL use there is a rebindable var, pallet.utils/*admin-user*, that provides the default admin user. It defaults to your local username and the ~/.ssh/id_rsa identity. You can rebind it for a block of calls with pallet.core/with-admin-user.
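An added example (not from the Pallet documentation) of building an admin user explicitly, checking the private key file before it is used, and passing the user to converge and lift via :user or via with-admin-user. It assumes a group-spec bound to web-group, a compute service bound to service, placeholder key paths, and a POSIX filesystem for the permission check; those names and the permission check are this example's own, not part of Pallet.

```clojure
;; Added example: explicit admin user for lift/converge.
;; Assumed: `web-group` is a pallet group-spec and `service` a compute
;; service; key paths are placeholders.
(require '[pallet.core :as core]
         '[pallet.utils :as utils])
(import '[java.nio.file Files Paths LinkOption]
        '[java.nio.file.attribute PosixFilePermission])

(defn private-key-exposed?
  "True if the file at path is readable by group or others. This check
   is added by the example and assumes a POSIX filesystem."
  [path]
  (let [p     (Paths/get path (into-array String []))
        perms (Files/getPosixFilePermissions p (into-array LinkOption []))]
    (boolean (some #(.contains perms %)
                   [PosixFilePermission/GROUP_READ
                    PosixFilePermission/OTHERS_READ]))))

(defn checked-user
  "Build an admin user with pallet.utils/make-user, refusing a private
   key that is missing or readable by other local users."
  [username private-key-path public-key-path]
  (when-not (.exists (java.io.File. private-key-path))
    (throw (IllegalArgumentException.
            (str "private key not found: " private-key-path))))
  (when (private-key-exposed? private-key-path)
    (throw (IllegalArgumentException.
            (str "private key readable by other users: " private-key-path))))
  (utils/make-user username
                   :private-key-path private-key-path
                   :public-key-path public-key-path))

(def deploy-user
  (checked-user "deploy" "/path/to/deploy-key" "/path/to/deploy-key.pub"))

;; One-off calls: pass the user explicitly with :user.
(core/converge {web-group 2} :compute service :user deploy-user)
(core/lift web-group :compute service :phase :configure :user deploy-user)

;; REPL session: rebind pallet.utils/*admin-user* for a block of calls.
;; Outside the block the default (local username, ~/.ssh/id_rsa) applies.
(core/with-admin-user deploy-user
  (core/lift web-group :compute service :phase :configure))
```

The permission check only covers the local copy of the key; it says nothing about whether the public key is authorised on the node, which is still the node's own authorized_keys that decides.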
Environment
The admin user can also be specified under :environment in a service definition. Note that a service definition like the one below carries the provider credentials inline, so keep that file out of version control.
  (defpallet
    :services
    {:aws
     {:provider "ec2" :identity "key" :credential "secret-key"
      :environment
      {:user {:username "admin"
              :private-key-path "/path/to/private-key"
              :public-key-path "/path/to/public-key"}}}})
Lein and Cake
You can configure the admin user used by the lein and cake plugins with the :admin-user key in ~/.pallet/config.clj.
  (defpallet
    :admin-user
    {:username "admin"
     :private-key-path "/path/to/private-key"
     :public-key-path "/path/to/public-key"})
Other SSH Key Strategies
While convenient, having all your nodes authorise the same SSH key is not the best security practice: whoever obtains that one key, or the workstation holding it, can log in to every node. Pallet allows you to install a function that supplies an identity using your own strategy, via pallet.core/with-middleware. A per-node identity could be implemented using something like this:
  (require 'pallet.utils)
  (require 'pallet.execute)
  (require 'pallet.session)
  (require 'clj-ssh.ssh)

  (defn lookup-identity
    "Return [private-key public-key passphrase] for the given node.
     Implement this against your own key store."
    [node]
    ;; Implement this to
    ;; return [private-key public-key passphrase]
    )

  (defn node-based-identity
    "Middleware that gives each session a fresh SSH agent holding only
     the target node's identity."
    [handler]
    (fn [session]
      ;; Rebind the agent atom so the identity added here is scoped to
      ;; this session and does not leak into others.
      (binding [pallet.execute/default-agent-atom (atom nil)]
        (apply clj-ssh.ssh/add-identity
               (pallet.execute/default-agent)
               (lookup-identity (pallet.session/target-node session)))
        (handler session))))
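An added example (not part of the Pallet documentation or code base) that fills in lookup-identity with a concrete per-node key store and shows the middleware being installed around a converge. The page's node-based-identity function is repeated so the block runs on its own. Assumptions specific to this example: keys live under ~/.pallet/node-keys/<node-id>/ (a layout chosen here), pallet.compute/id returns the provider's node id, web-group and service are a group-spec and compute service defined elsewhere, and with-middleware accepts the middleware function directly as the page describes; whether clj-ssh's add-identity wants key paths or key material depends on the clj-ssh version, so confirm its signature before use.

```clojure
;; Added example: per-node SSH identities for Pallet.
;; Assumed: one key pair per node under ~/.pallet/node-keys/<node-id>/
;; (this example's layout), pallet.compute/id gives the node id, and
;; `web-group` / `service` are defined elsewhere.
(require 'pallet.core
         'pallet.compute
         'pallet.execute
         'pallet.session
         'clj-ssh.ssh)

(def key-dir
  (str (System/getProperty "user.home") "/.pallet/node-keys"))

(defn node-key-paths
  "Private and public key paths for a node, one directory per node id."
  [node]
  (let [dir (str key-dir "/" (pallet.compute/id node))]
    [(str dir "/id_rsa") (str dir "/id_rsa.pub")]))

(defn lookup-identity
  "Return [private-key public-key passphrase], the vector shape the page
   describes for clj-ssh.ssh/add-identity. A node without its own key
   is an error; the function never falls back to a shared key."
  [node]
  (let [[priv pub] (node-key-paths node)]
    (when-not (.exists (java.io.File. priv))
      (throw (IllegalStateException.
              (str "no private key for node " (pallet.compute/id node)
                   " at " priv))))
    ;; Passphrase is nil here; supply it from a prompt or secret store
    ;; rather than hard-coding it.
    [priv pub nil]))

(defn node-based-identity
  "The page's middleware, repeated here so the block is self-contained:
   a fresh agent per session holding only the target node's key."
  [handler]
  (fn [session]
    (binding [pallet.execute/default-agent-atom (atom nil)]
      (apply clj-ssh.ssh/add-identity
             (pallet.execute/default-agent)
             (lookup-identity (pallet.session/target-node session)))
      (handler session))))

;; Install the middleware for a converge. The page says with-middleware
;; takes the function directly; if your Pallet version binds a whole
;; middleware stack instead, compose node-based-identity into that stack.
(pallet.core/with-middleware node-based-identity
  (pallet.core/converge {web-group 2} :compute service))
```

With this in place, rotating or revoking one node's key touches only that node's directory and its authorized_keys, and a leaked key from one node does not authenticate to any other.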