ReleaseEngineering/How To/Adjust SSH keys on a slave: Difference between revisions
No edit summary |
No edit summary |
||
Line 1: | Line 1: | ||
{{Release Engineering How To|Adjust SSH keys on a slave}} | {{Release Engineering How To|Adjust SSH keys on a slave}} | ||
THIS PAGE | NOTE: THIS PAGE ONLY APPLIES FOR WINDOWS ([https://bugzil.la/792836 Bug 792836 - Manage slave secrets with puppet]) | ||
There are three sets of keys that are important: staging, production and try. | There are three sets of keys that are important: staging, production and try. | ||
In general, copy SSH keys from a similarly-configured slave. You will need to use <tt>-oBatchMode=no</tt> in your ssh invocation to avoid host-key failures. Note that only the private keys (<tt>*_dsa</tt>) are required, not the public keys (<tt>*_dsa.pub</tt>) <small>(however, if you have the "<tt>.pub</tt>", it must match with the private or the key will silently fail</small>). Also note that the staging and production keys have the same filename. The current production ffxbld_dsa has md5 beginning with '166b900'; staging's begins with '86bcf286'. | In general, copy SSH keys from a similarly-configured slave. You will need to use <tt>-oBatchMode=no</tt> in your ssh invocation to avoid host-key failures. Note that only the private keys (<tt>*_dsa</tt>) are required, not the public keys (<tt>*_dsa.pub</tt>) <small>(however, if you have the "<tt>.pub</tt>", it must match with the private or the key will silently fail</small>). Also note that the staging and production keys have the same filename. The current production ffxbld_dsa has md5 beginning with '166b900'; staging's begins with '86bcf286'. | ||
Line 14: | Line 14: | ||
C:\mozilla-build\msys\bin\scp cltbld@linux-ix-slave03:~/.ssh/* . | C:\mozilla-build\msys\bin\scp cltbld@linux-ix-slave03:~/.ssh/* . | ||
set HOME=C:\Users\cltbld | set HOME=C:\Users\cltbld | ||
To test that we're good: | To test that we're good: | ||
Line 54: | Line 48: | ||
'''Try builders use different keys!''' | '''Try builders use different keys!''' | ||
You must wipe any ssh keys that are not trybld from a newly imaged slave, and copy in the trybld keys from another try builder (staging trybld keys are on the staging slaves) | You must wipe any ssh keys that are not trybld from a newly imaged slave, and copy in the trybld keys from another try builder (staging trybld keys are on the staging slaves). | ||
To test that a try slave is set up properly, you must be able to run the following commands: | To test that a try slave is set up properly, you must be able to run the following commands '''without needing to answer any questions''': | ||
ssh -i ~/.ssh/trybld_dsa trybld@stage.mozilla.org hostname | ssh -i ~/.ssh/trybld_dsa trybld@stage.mozilla.org hostname | ||
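Review bot: the new wording on the test step, "without needing to answer any questions", is not enforced by the command that follows it. `ssh -i ~/.ssh/trybld_dsa trybld@stage.mozilla.org hostname` will still stop and prompt for a host-key confirmation or a password when the key setup is wrong, and an operator can answer and carry on. Suggest running the test with `-oBatchMode=yes` so that ssh fails instead of prompting, which makes pass or fail unambiguous.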
Line 64: | Line 58: | ||
mkdir .ssh | mkdir .ssh | ||
scp cltbld@bld-centos6-hp-024.build.mozilla.org:~/.ssh/* .ssh | scp cltbld@bld-centos6-hp-024.build.mozilla.org:~/.ssh/* .ssh | ||
# You will have to answer 'yes' and enter the cltbld password | |||
ssh -i ~/.ssh/trybld_dsa trybld@stage.mozilla.org hostname | ssh -i ~/.ssh/trybld_dsa trybld@stage.mozilla.org hostname | ||
rm -rf /c/builds/moz2_slave | rm -rf /c/builds/moz2_slave | ||
</pre> | </pre> |
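Review bot: the comment `# You will have to answer 'yes' and enter the cltbld password` on the scp step tells the operator to accept the host key of bld-centos6-hp-024 without saying what to compare it against. Suggest naming where the expected host-key fingerprint can be checked before answering 'yes'. Separately, `scp ...:~/.ssh/* .ssh` copies every key present on the source host, while the Try text says any keys that are not trybld must be wiped, so a step that lists `.ssh` afterwards and removes anything other than the trybld keys would close that gap.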
Revision as of 14:20, 18 March 2014
NOTE: THIS PAGE ONLY APPLIES TO WINDOWS (Bug 792836 - Manage slave secrets with puppet)
There are three sets of keys that are important: staging, production and try.
In general, copy SSH keys from a similarly configured slave. You will need to use -oBatchMode=no in your ssh invocation to avoid host-key failures. Note that only the private keys (*_dsa) are required, not the public keys (*_dsa.pub); however, if a ".pub" file is present, it must match the private key or the key will silently fail. Also note that the staging and production keys have the same filename. The current production ffxbld_dsa has an md5 beginning with '166b900'; staging's begins with '86bcf286'.
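A check for the silent ".pub" mismatch described above, as an added example that is not part of the original wiki page: it compares the DSA parameters in a private key file with those in the matching `.pub` line. The function names and the toy key are constructed for illustration, and the code assumes an unencrypted key in the traditional `BEGIN DSA PRIVATE KEY` PEM layout.

```python
import base64, struct

def der_ints(der):
    """Return the INTEGERs of a DER SEQUENCE, which is all a PEM DSA key holds."""
    def length(i):
        n, i = der[i], i + 1
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(der[i:i + k], "big"), i + k
        return n, i
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    n, i = length(1)
    end, out = i + n, []
    while i < end:
        if der[i] != 0x02:
            raise ValueError("expected INTEGER")
        n, i = length(i + 1)
        out.append(int.from_bytes(der[i:i + n], "big"))
        i += n
    return out

def private_params(pem_text):
    """(p, q, g, y) from the PEM body: SEQUENCE { version, p, q, g, y, x }."""
    body = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    _version, p, q, g, y, _x = der_ints(base64.b64decode(body))
    return p, q, g, y

def public_params(pub_line):
    """(p, q, g, y) from an 'ssh-dss <base64> [comment]' line."""
    kind, blob = pub_line.split()[:2]
    raw, fields, i = base64.b64decode(blob), [], 0
    while i < len(raw):  # SSH wire format: 4-byte big-endian length, then the value
        (n,) = struct.unpack(">I", raw[i:i + 4])
        fields.append(raw[i + 4:i + 4 + n])
        i += 4 + n
    if kind != "ssh-dss" or fields[0] != b"ssh-dss":
        raise ValueError("not an ssh-dss public key")
    return tuple(int.from_bytes(f, "big") for f in fields[1:5])

def pub_matches_private(pem_text, pub_line):
    return private_params(pem_text) == public_params(pub_line)

# Constructed toy key (p=23, q=11, g=4, x=3, y=18); not a real key.
b64 = lambda h: base64.b64encode(bytes.fromhex(h)).decode()
SAMPLE_PEM = ("-----BEGIN DSA PRIVATE KEY-----\n"
              + b64("301202010002011702010b020104020112020103")
              + "\n-----END DSA PRIVATE KEY-----\n")
WIRE = "000000077373682d647373" "0000000117" "000000010b" "0000000104"
GOOD_PUB = "ssh-dss " + b64(WIRE + "0000000112") + " constructed@example"
BAD_PUB = "ssh-dss " + b64(WIRE + "0000000113") + " constructed@example"  # y altered
```

Running `pub_matches_private` over each `*_dsa` / `*_dsa.pub` pair after copying keys flags a stale `.pub` before the test ssh commands are attempted.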
Staging
Windows steps:
    rmdir /S /Q .ssh
    mkdir .ssh
    cd .ssh
    C:\mozilla-build\msys\bin\scp cltbld@linux-ix-slave03:~/.ssh/* .
    set HOME=C:\Users\cltbld
To test that we're good:
    ssh -i ~/.ssh/ffxbld_dsa ffxbld@dev-stage01.srv.releng.scl3.mozilla.com exit
    ssh -i ~/.ssh/trybld_dsa trybld@dev-stage01.srv.releng.scl3.mozilla.com exit
    ssh -i ~/.ssh/xrbld_dsa xrbld@dev-stage01.srv.releng.scl3.mozilla.com exit
    ssh -i ~/.ssh/tbirdbld_dsa tbirdbld@dev-stage01.srv.releng.scl3.mozilla.com exit
    ssh -i ~/.ssh/aus ffxbld@dev-stage01.srv.releng.scl3.mozilla.com exit
Preproduction
Preproduction keys are not the same as staging keys - see ReleaseEngineering/Preproduction/Stage.
Production
NOTE: Make sure that the host you grab keys from is in the same data center.
Steps for Windows:
    rm -rf .ssh
    "C:\mozilla-build\msys\bin\scp" -o 'StrictHostKeyChecking no' -o 'BatchMode=no' -r cltbld@bld-linux64-ix-028.build.scl1.mozilla.com:~/.ssh .ssh
To test that a production master slave is set up properly, you must be able to run the following commands:
    ssh -i ~/.ssh/ffxbld_dsa ffxbld@symbolpush.mozilla.org exit
    ssh -i ~/.ssh/ffxbld_dsa ffxbld@stage.mozilla.org exit
    ssh -i ~/.ssh/xrbld_dsa xrbld@stage.mozilla.org exit
    ssh -i ~/.ssh/tbirdbld_dsa tbirdbld@symbols1.dmz.phx1.mozilla.com exit
    ssh -i ~/.ssh/tbirdbld_dsa tbirdbld@stage.mozilla.org exit
Try
Try builders use different keys!
You must wipe any ssh keys that are not trybld from a newly imaged slave, and copy in the trybld keys from another try builder (staging trybld keys are on the staging slaves).
To test that a try slave is set up properly, you must be able to run the following commands without needing to answer any questions:
ssh -i ~/.ssh/trybld_dsa trybld@stage.mozilla.org hostname
Steps for Windows (from SSH):
    rm -rf .ssh
    mkdir .ssh
    scp cltbld@bld-centos6-hp-024.build.mozilla.org:~/.ssh/* .ssh
    # You will have to answer 'yes' and enter the cltbld password
    ssh -i ~/.ssh/trybld_dsa trybld@stage.mozilla.org hostname
    rm -rf /c/builds/moz2_slave