#3925 fedmsg enablement - run fasclient driven by fedmsg in some way
Closed: Fixed None Opened 10 years ago by ralph.

This started being talked about at FUDCon Lawrence 2013.

The idea is we want fasclient to run on hosts shortly after their permissions change in fas. Right now fasclient syncs permissions to the box from fas, but it does it hourly on a cronjob.

I think there are two competing approaches being discussed. I'll attempt to portray them fairly:

1) Write a fedmsg trigger script that runs on every host. When a permission changes, the script asks FAS if this is really true and if it is, then it runs fasclient to sync permissions.

2) Write a fedmsg trigger script that runs on lockbox. When a permission changes, the script asks FAS if this is really true and if it is, it runs an ansible playbook to ssh to every host one after another, running fasclient in serial (or parallel?)

I've assigned this ticket to myself for bookkeeping, but if you want to work on it, please take it from me.


If the fedmsg-genacls experiment goes well, we should copy that approach and use it again here.

We can do this much easier, if less completely, with a variant of 2).

The only things we really care about changing are:

  • user added/removed from any group

  • any user changes ssh key

We can only watch for those 3 fas fedmsgs. We don't need to come up with complex logic. It means we will run more often than we need to, but vastly less often than we do now.

I dislike 1) above as it means we have to run a thing on every server. We should go with approach 2).

This is now all done. ;)
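A sketch of the trigger logic discussed in this ticket, added here as an illustration and not the code that was deployed: it acts only on the three FAS message types, treats the bus message as a hint that must be confirmed against FAS, and coalesces bursts into one run. The topic suffixes, the `fields` key, the `SyncTrigger` helper, the injected `confirm`/`run_sync` callables and the minimum interval are all assumptions that do not come from the ticket.

```python
import time

# Assumed topic suffixes for the three FAS messages the ticket cares about;
# the ticket itself does not name them.
GROUP_TOPICS = ("fas.group.member.sponsor", "fas.group.member.remove")
USER_UPDATE_TOPIC = "fas.user.update"


def is_relevant(topic, msg):
    """True for group membership changes and ssh key changes only."""
    if topic.endswith(GROUP_TOPICS):
        return True
    if topic.endswith(USER_UPDATE_TOPIC):
        # Assumed: user updates list the changed fields under "fields".
        return "ssh_key" in msg.get("fields", [])
    return False


class SyncTrigger:
    """Decide when to launch the fasclient playbook (hypothetical helper)."""

    def __init__(self, confirm, run_sync, min_interval=60, clock=time.monotonic):
        self.confirm = confirm      # callable(topic, msg) -> bool, asks FAS directly
        self.run_sync = run_sync    # callable() that starts the playbook
        self.min_interval = min_interval
        self.clock = clock
        self.last_run = None
        self.pending = False

    def handle(self, topic, msg):
        if not is_relevant(topic, msg):
            return "ignored"
        # The bus message is only a hint; FAS is the source of truth.
        if not self.confirm(topic, msg):
            return "unconfirmed"
        now = self.clock()
        if self.last_run is not None and now - self.last_run < self.min_interval:
            self.pending = True     # coalesce bursts into one later run
            return "deferred"
        return self._run(now)

    def flush(self):
        """Call periodically: runs one sync for any deferred changes."""
        now = self.clock()
        if self.pending and now - self.last_run >= self.min_interval:
            return self._run(now)
        return "idle"

    def _run(self, now):
        self.last_run, self.pending = now, False
        self.run_sync()
        return "synced"
```

Running this in one place, as in approach 2), keeps the FAS confirmation step and the playbook credentials on a single host instead of on every server.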
