ReleaseEngineering/How To/Adjust SSH keys on a slave

From MozillaWiki
Revision as of 23:00, 7 May 2012 by NThomas (talk | contribs) (→‎Try: Add symbol check for try)

There are three sets of keys that are important: staging, production and try. Aside from a strange permissions problem on Linux (.ssh is owned by root:root), the process is roughly consistent on all three platforms.

In general, copy SSH keys from a similarly-configured slave. You will need to use -oBatchMode=no in your ssh invocation to avoid host-key failures. Only the private keys (*_dsa) are required, not the public keys (*_dsa.pub); however, if a ".pub" file is present, it must match the private key or the key will silently fail. Also note that the staging and production keys have the same filename. The current production ffxbld_dsa has an md5 beginning with '166b900'; staging's begins with '86bcf286'.
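
Because the staging and production keys share a filename and a stale ".pub" fails silently, both points can be checked before testing a login. The script below is an added example, not part of the original wiki page; it assumes the md5 values quoted above are md5sum digests of the private key file, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the wiki page. Assumes the md5 prefixes quoted on
# the page are md5sum digests of the private key file itself.
PROD_PREFIX=166b900      # production ffxbld_dsa, per the page
STAGING_PREFIX=86bcf286  # staging ffxbld_dsa, per the page

# classify_md5 DIGEST -> prints production, staging or unknown
classify_md5() {
    case "$1" in
        "$PROD_PREFIX"*)    echo production ;;
        "$STAGING_PREFIX"*) echo staging ;;
        *)                  echo unknown ;;
    esac
}

# pub_matches PRIVATE_KEY
#   0: no .pub present (only the private key is required), or .pub matches
#   1: .pub belongs to a different key (the silent-failure case)
#   2: the public half could not be derived from the private key
pub_matches() {
    [ -f "$1.pub" ] || return 0
    # -P '' and </dev/null keep ssh-keygen from prompting for a passphrase
    derived=$(ssh-keygen -y -P '' -f "$1" 2>/dev/null </dev/null |
              awk '{print $1, $2; exit}')
    [ -n "$derived" ] || return 2
    stored=$(awk '{print $1, $2; exit}' "$1.pub")
    [ "$derived" = "$stored" ]
}

# check_key PRIVATE_KEY -> one-line report; non-zero if the .pub check fails
check_key() {
    digest=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$digest" ] || { echo "cannot read $1" >&2; return 2; }
    echo "$1: $(classify_md5 "$digest") key (md5 $digest)"
    pub_matches "$1"
    rc=$?
    case "$rc" in
        0) ;;
        1) echo "$1.pub does not match the private key" >&2 ;;
        *) echo "could not derive a public key from $1" >&2 ;;
    esac
    return "$rc"
}

# Run against a key path when one is given on the command line.
if [ "$#" -gt 0 ]; then check_key "$1"; fi
```

Run it as `sh check_key.sh ~/.ssh/ffxbld_dsa` (the script filename is an assumption); an "unknown" result means the file is neither of the two ffxbld keys described above.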

Staging

To test that you have the staging keys and they are set up properly, try:

# *nix
ssh -i ~/.ssh/ffxbld_dsa ffxbld@staging-stage.build.mozilla.org hostname
# Windows
set HOME=C:\Documents and Settings\cltbld
D:\mozilla-build\msys\bin\ssh.exe -i .ssh\ffxbld_dsa ffxbld@staging-stage.build.mozilla.org hostname

Preproduction

Preproduction keys are not the same as staging keys - see ReleaseEngineering/Preproduction/Stage.

Production

Steps for Windows:

rmdir /S /Q .ssh
D:\mozilla-build\msys\bin\scp.exe cltbld@staging-master.build.mozilla.org:~/w32-prod-keys.zip .
D:\mozilla-build\7zip\7z.exe x w32-prod-keys.zip -o".ssh"
del w32-prod-keys.zip
rmdir /S /Q E:\builds\moz2_slave

To test that a production master slave is set up properly, you must be able to run the following commands:

set HOME=C:\Documents and Settings\cltbld
D:\mozilla-build\msys\bin\ssh -i ~/.ssh/ffxbld_dsa ffxbld@aus3-staging.mozilla.org hostname
D:\mozilla-build\msys\bin\ssh -i ~/.ssh/ffxbld_dsa ffxbld@symbols1.dmz.phx1.mozilla.com hostname
D:\mozilla-build\msys\bin\ssh -i ~/.ssh/ffxbld_dsa ffxbld@stage.mozilla.org hostname
D:\mozilla-build\msys\bin\ssh -i ~/.ssh/ffxbld_dsa ffxbld@stage-old.mozilla.org hostname
D:\mozilla-build\msys\bin\ssh -i ~/.ssh/xrbld_dsa xrbld@stage.mozilla.org hostname
D:\mozilla-build\msys\bin\ssh -i ~/.ssh/tbirdbld_dsa tbirdbld@aus3-staging.mozilla.org hostname
D:\mozilla-build\msys\bin\ssh -i ~/.ssh/tbirdbld_dsa tbirdbld@symbols1.dmz.phx1.mozilla.com hostname
D:\mozilla-build\msys\bin\ssh -i ~/.ssh/tbirdbld_dsa tbirdbld@stage.mozilla.org hostname

Try

Try builders use different keys!

You must wipe any SSH keys that are not trybld from a newly imaged slave, and copy in the trybld keys from another try builder (staging trybld keys are on the staging slaves).

To test that a try slave is set up properly, you must be able to run the following commands:

ssh -i ~/.ssh/trybld_dsa trybld@stage.mozilla.org hostname

Steps for Windows:

rmdir /S /Q .ssh
D:\mozilla-build\msys\bin\scp.exe cltbld@staging-master.build.mozilla.org:~/w32-try-keys.zip .
D:\mozilla-build\7zip\7z.exe x w32-try-keys.zip
del w32-try-keys.zip
REM Testing - it should not ask you for authentication
set HOME=C:\Documents and Settings\cltbld
D:\mozilla-build\msys\bin\ssh.exe -i .ssh/trybld_dsa trybld@stage.mozilla.org hostname
D:\mozilla-build\msys\bin\ssh.exe -i .ssh/trybld_dsa trybld@relengweb1.dmz.scl3.mozilla.com hostname
rmdir /S /Q E:\builds\moz2_slave