Update default SSH host key checking, user warnings, and documentation

wmudge · wmudge · commit 2dfd1a0f176d · 2021-05-10T16:30:08.000-04:00
Signed-off-by: Webster Mudge &lt;wmudge@cloudera.com&gt;
diff --git a/quickstart.sh b/quickstart.sh
@@ -85,6 +85,17 @@ if [ ! "$(docker ps -q -f name=${CONTAINER_NAME})" ]; then
     docker exec -td "${CONTAINER_NAME}" /usr/bin/env git clone https://github.com/cloudera-labs/cloudera-deploy.git /opt/cloudera-deploy --depth 1
 fi
 
+cat <<SSH_HOST_KEY
+
+  *** WARNING: SSH Host Key Checking is disabled by default. ***
+
+  This setting may not be suitable for Production deployments. 
+  If you wish to enable host key checking, please set the Ansible environment
+  variable, ANSIBLE_HOST_KEY_CHECKING, to True before execution. See the project 
+  documentation for further details on managing SSH host key checking.
+
+SSH_HOST_KEY
+
 echo 'Quickstart? Run this command -- ansible-playbook /opt/cloudera-deploy/main.yml -e "definition_path=examples/sandbox" -t run,default_cluster'
 docker exec \
   --detach-keys="ctrl-@" \
diff --git a/readme.adoc b/readme.adoc
@@ -4,7 +4,7 @@
 
 *Automation wrappers for the Cloudera Ansible Collection*
 
-Readme last updated: 2021-05-03
+Readme last updated: 2021-05-10
 
 Cloudera Deploy is a toolset for deploying the Cloudera Data Platform (CDP). It's scope includes both Public and Private Cloud products and Base clusters, and application setup, execution and other post-deployment functions. 
 
@@ -104,6 +104,27 @@ For CDP Private Cloud you will need a valid Cloudera license file in order to do
 
 If you are also using Public Cloud infrastructure to host your CDP Private Cloud clusters, then you will need those credentials as well.
 
+== SSH Host Key Checking
+
+For CDP Private Cloud clusters and other direct inventory scenarios, you will need to manage SSH host key validation appropriate to your specific environment.
+
+**Be advised!** By default, the `quickstart.sh` script explicitly sets the `ANSIBLE_HOST_KEY_CHECKING` variable to `False` for ease-of-use with an introductory deployment. However, this setting is *not recommended* for any other deployment type. **For all other deployment types, you should directly manage your SSH host key checking.**
+
+A common approach is to create your own "startup" script using the `quickstart.sh` as a template, and setting the appropriate https://docs.ansible.com/ansible/latest/reference_appendices/config.html[Ansible SSH configuration variables].
+
+In some scenarios, for example, a reused pool of dynamic hosts within a development Openstack environment, you might wish to manage this control from your host machine's SSH config file. For example:
+
+[source]
+----
+# ~/.ssh/config
+
+# Disable host key checking only for your specific environment
+Host *.your.development.domain
+   StrictHostKeyChecking no
+----
+
+These settings will flow from your host to the Docker container's environment. 
+
 == Execution
 
 Cloudera Deploy utilizes a single entrypoint playbook -- `main.yml` -- that examines the user-provided <<User Input Dependencies,profile>> details, a deployment <<Definitions, definition>>, and any optional Ansible `tags` and then runs the appropriate actions.  At minimum, you execute a deployment like so:
