)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":7118,"name":"Ian Wienand","email":"iwienand@redhat.com","username":"iwienand"},"change_message_id":"05889d3556e04ea7a6fac6741547c962be4da0a7","unresolved":true,"context_lines":[{"line_number":13,"context_line":"As noted inline, there\u0027s really no reason this host should be"},{"line_number":14,"context_line":"connecting anywhere that isn\u0027t in the inventory.  So caching values"},{"line_number":15,"context_line":"can only hide that we might have missed something there.  Disable user"},{"line_number":16,"context_line":"known_hosts globally."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Change-Id: I6d74df90db856cf7773698e3a06180986a531322"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"130acbd6_99423907","line":16,"updated":"2022-11-21 05:06:34.000000000","message":"I thought about (and originally wrote this :) as a global setting.  But we do populate user known_hosts in a couple of cases -- gerrit and the backup services.  I think maybe it would still be good to disable this globally so that we never cache a value; but a problem for another day.\n\nnote I have moved the extant /root/.ssh/known_hosts on the bridge to a .old file, just to make sure prod ansible works, and it seems fine.","commit_id":"24a1528facadf557097223b4bd1767068e462a57"}],"playbooks/roles/add-inventory-known-hosts/tasks/main.yaml":[{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"dff1742bdca83e71e7643b86e93bb7b8ad7a788e","unresolved":true,"context_lines":[{"line_number":31,"context_line":"    create: yes"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"# Disable writing out known_hosts globally on the bastion host."},{"line_number":34,"context_line":"# Nothing on this host should be connecting to somewhere not codified"},{"line_number":35,"context_line":"# above; this prevents us possibly hiding that by caching values."},{"line_number":36,"context_line":"- name: Disable known_hosts caching"},{"line_number":37,"context_line":"  lineinfile:"},{"line_number":38,"context_line":"    path: /etc/ssh/ssh_config"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"97f2bd9c_5e07b44a","line":35,"range":{"start_line":34,"start_character":2,"end_line":35,"end_character":8},"updated":"2022-11-21 20:57:35.000000000","message":"I think this is true for ansible commands but not necessarily true generally? For example if we\u0027ve removed an old host from inventory but are still interacting with it from bridge as normal users for some reason? I haven\u0027t done this recently so it is probably unlikely to be a problem. I\u0027m willing to give it a go and we can remove it if it becomes a problem. But not approving to make sure we had considered this case first.","commit_id":"24a1528facadf557097223b4bd1767068e462a57"},{"author":{"_account_id":7118,"name":"Ian Wienand","email":"iwienand@redhat.com","username":"iwienand"},"change_message_id":"698d664d8c9480a15eacfc6ce0bc0d4850c79f33","unresolved":false,"context_lines":[{"line_number":31,"context_line":"    create: yes"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"# Disable writing out known_hosts globally on the bastion host."},{"line_number":34,"context_line":"# Nothing on this host should be connecting to somewhere not codified"},{"line_number":35,"context_line":"# above; this prevents us possibly hiding that by caching values."},{"line_number":36,"context_line":"- name: Disable known_hosts caching"},{"line_number":37,"context_line":"  lineinfile:"},{"line_number":38,"context_line":"    path: /etc/ssh/ssh_config"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"c639ee71_6508818b","line":35,"range":{"start_line":34,"start_character":2,"end_line":35,"end_character":8},"in_reply_to":"97f2bd9c_5e07b44a","updated":"2022-12-01 22:35:19.000000000","message":"Yeah I did consider this; you should still get a prompt to connect to the host, but we just won\u0027t save the details on disk.  I think this is the right thing to do -- we can connect if we need to, but we won\u0027t leave around host-keys that might let us forget to put them in the inventory, or are for an old/removed/inactive/?? host","commit_id":"24a1528facadf557097223b4bd1767068e462a57"}]}
