NOTE: THIS PAGE ONLY APPLIES FOR WINDOWS (Bug 792836 - Manage slave secrets with puppet)

There are three sets of keys that are important: staging, production and try.

In general, copy SSH keys from a similarly-configured slave. You will need to use -oBatchMode=no in your ssh invocation to avoid host-key failures. Note that only the private keys (*_dsa) are required, not the public keys (*_dsa.pub) (however, if you have the ".pub", it must match with the private or the key will silently fail). Also note that the staging and production keys have the same filename. The current production ffxbld_dsa has md5 beginning with '166b900'; staging's begins with '86bcf286'.

Staging

Windows steps:

rmdir /S /Q .ssh
mkdir .ssh
cd .ssh
C:\mozilla-build\msys\bin\scp cltbld@linux-ix-slave03:~/.ssh/* .
set HOME=C:\Users\cltbld

To test that we're good:

ssh -i ~/.ssh/ffxbld_dsa    ffxbld@dev-stage01.srv.releng.scl3.mozilla.com exit
ssh -i ~/.ssh/xrbld_dsa     xrbld@dev-stage01.srv.releng.scl3.mozilla.com exit
ssh -i ~/.ssh/tbirdbld_dsa  tbirdbld@dev-stage01.srv.releng.scl3.mozilla.com exit
ssh -i ~/.ssh/b2gbld_dsa    b2gbld@dev-stage01.srv.releng.scl3.mozilla.com exit
ssh -i ~/.ssh/trybld_dsa    trybld@dev-stage01.srv.releng.scl3.mozilla.com exit

These should be set up but aren't, but then we don't have good staging for mozharness.

ssh -i ~/.ssh/b2gtry_dsa    b2gtry@dev-stage01.srv.releng.scl3.mozilla.com exit
ssh -i ~/.ssh/b2gbld_dsa    ffxbld@dev-stage01.srv.releng.scl3.mozilla.com exit

Production

NOTE: Make sure that the host you try to grab keys from is on the same data-center.

Steps for Windows:

rm -rf .ssh
"C:\mozilla-build\msys\bin\scp" -o 'StrictHostKeyChecking no' -o 'BatchMode=no' -r  cltbld@b-linux64-ix-0001.build.mozilla.org:~/.ssh .ssh

if scp does not working properly coping files from windows to windows hosts, use sftp instead:

rm -rf .ssh
sftp b-2008-ix-0083.winbuild.releng.scl3.mozilla.com:.ssh/* .ssh/

To test that a production master slave is set up properly, you must be able to run the following commands:

ssh -i ~/.ssh/ffxbld_dsa    ffxbld@symbolpush.mozilla.org exit
ssh -i ~/.ssh/tbirdbld_dsa  tbirdbld@symbolpush.mozilla.org exit
ssh -i ~/.ssh/ffxbld_dsa    ffxbld@stage.mozilla.org exit
ssh -i ~/.ssh/tbirdbld_dsa  tbirdbld@stage.mozilla.org exit
ssh -i ~/.ssh/xrbld_dsa     xrbld@stage.mozilla.org exit
ssh -i ~/.ssh/b2gbld_dsa    b2gbld@stage.mozilla.org exit
ssh -i ~/.ssh/ffxbld_dsa    b2gbld@stage.mozilla.org exit
ssh -i ~/.ssh/b2gbld_dsa    b2gbld@pvtbuilds.pvt.build.mozilla.org exit
ssh -i ~/.ssh/b2gbld_dsa    b2gbld@pvtbuilds2.dmz.scl3.mozilla.com exit

Try

Try builders use different keys!

You must wipe any ssh keys that are not trybld from a newly imaged slave, and copy in the trybld keys from another try builder (staging trybld keys are on the staging slaves).

To test that a try slave is set up properly, you must be able to run the following commands without needing to answer any questions:

ssh -i ~/.ssh/trybld_dsa trybld@stage.mozilla.org hostname
ssh -i ~/.ssh/b2gtry_dsa b2gtry@pvtbuilds.pvt.build.mozilla.org hostname
ssh -i ~/.ssh/b2gtry_dsa b2gtry@pvtbuilds2.dmz.scl3.mozilla.com hostname

Steps for Windows (from SSH):

rm -rf .ssh
mkdir .ssh
scp cltbld@b-linux64-hp-0001.build.mozilla.org:~/.ssh/* .ssh
# You will have to answer 'yes' and enter the cltbld password
ssh -i ~/.ssh/trybld_dsa trybld@stage.mozilla.org hostname
ssh -i ~/.ssh/b2gtry_dsa b2gtry@pvtbuilds.pvt.build.mozilla.org hostname
ssh -i ~/.ssh/b2gtry_dsa b2gtry@pvtbuilds2.dmz.scl3.mozilla.com hostname
rm -rf /c/builds/moz2_slave

For seamicro instances, use sftp instead

rm -rf .ssh
mkdir .ssh
sftp b-2008-ix-0178.wintry.releng.scl3.mozilla.com:.ssh/* .ssh/
# You will have to answer 'yes' and enter the cltbld password
ssh -i ~/.ssh/trybld_dsa trybld@stage.mozilla.org hostname
ssh -i ~/.ssh/b2gtry_dsa b2gtry@pvtbuilds.pvt.build.mozilla.org hostname
ssh -i ~/.ssh/b2gtry_dsa b2gtry@pvtbuilds2.dmz.scl3.mozilla.com hostname
rm -rf /c/builds/moz2_slave