3

My firm manages a fairly large array of production servers across a number of servers. Our production servers, by convention, only allow SSH access from a handful of gateway hosts. Most of these web servers run PHP projects which use rsync-based deployment scripts running on one main gateway host.

That said, we're building a couple of large applications using Django, and expecting to use Fabric to manage deployment. Fabric does not yet support SSH tunneling but it seems to be in their roadmap.

My options seem to be:

  1. Cast aside our gateway-host rule in favor of following Django deployment best practices.
  2. Roll my own Django deployment script in bash, install it on our gateway host, and trigger that from Fabric locally.

Perhaps I'm asking the wrong question here, and Fabric isn't the right choice, but it feels really natural and I would like to use it if possible.

1 Answer

2

Fabric shouldn't need to support SSH tunnelling; it just involves a bit of SSH config (ProxyCommand ftw) and you're away. Of course, SSH bastion hosts are a pretty numpty idea anyway; they're like a VPN for people who're scared of IP routing.

womble
  • 1
    Yeah, I'm a big fan of ProxyCommand too, but Fabric's underlying SSH library (Paramiko) doesn't support it. Configuring a VPN seems like overkill considering that we really only use SSH for server access, but I'd be willing to try it if there's no other way. – Austin Smith Apr 23 '12 at 05:09
  • Things that don't use real SSH make me a sad womble. – womble Apr 24 '12 at 05:13
  • 1
    Yeah, I'm sad too. I can either chain Fabric so that it runs locally and on the bastion host (e.g. `fab deploy` triggers `fab really-deploy` on the bastion host), or I can just gut up and install a VPN. I'm thinking the latter will probably be more maintainable in the long run. Thanks for the advice. – Austin Smith Apr 24 '12 at 19:51
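The "bit of SSH config" the answer refers to, as an added example that is not part of the original thread: a `~/.ssh/config` on the workstation that reaches gateway-restricted servers with `ProxyCommand`. The hostnames and the `deploy` user are constructed placeholders, and `ssh -W` assumes OpenSSH 5.4 or later on the workstation.

```sshconfig
# Constructed example: hostnames and user below are placeholders.

# The gateway (bastion) host, reached directly from the workstation.
Host gateway
    HostName gateway.example.com
    User deploy
    # Private keys and the agent stay on the workstation.
    ForwardAgent no

# Production servers, which accept SSH only from the gateway.
Host *.prod.example.com
    User deploy
    # Ask the gateway to open a TCP stream to the target (%h:%p) and run
    # the real SSH session over it. The session is authenticated and
    # encrypted end to end between the workstation and the target, so
    # the gateway only relays ciphertext.
    ProxyCommand ssh -W %h:%p gateway
    ForwardAgent no
```

This applies to tools that invoke the OpenSSH client (`ssh`, `scp`, `rsync -e ssh`); the production servers still only see connections arriving from the gateway's address, so the gateway-host rule stays in force.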