Confirmed users
502
edits
ReleaseEngineering/Day 1 Checklist: Difference between revisions
moves high clearance access to bottom section
(moved access instructions to ref releng not buildduty) |
(moves high clearance access to bottom section) |
||
| Line 61: | Line 61: | ||
note: later on in this page we will create more MFA accounts for various systems like Github and accessing our Jumphost | note: later on in this page we will create more MFA accounts for various systems like Github and accessing our Jumphost | ||
== Mercurial (hg) == | == Mercurial (hg) == | ||
| Line 160: | Line 85: | ||
There are also a handful of git repos hosted directly by Mozilla. Your manager/mentor will let you know if you need access to one of these. ([[Github|See also]]) | There are also a handful of git repos hosted directly by Mozilla. Your manager/mentor will let you know if you need access to one of these. ([[Github|See also]]) | ||
= Communication = | = Communication = | ||
| Line 288: | Line 205: | ||
== Other Resources == | == Other Resources == | ||
* [https://docs.google.com/document/d/1VcEjW82jBxr77aYi3TVaha9S4uJwAkwEapXnhhMwcgg RelEng crowd-sourced Glossary of Terms] | * [https://docs.google.com/document/d/1VcEjW82jBxr77aYi3TVaha9S4uJwAkwEapXnhhMwcgg RelEng crowd-sourced Glossary of Terms] | ||
* Join https://mozillians.org/ (public, and yet-another-set-of-credentials) | * Join https://mozillians.org/ (public, and yet-another-set-of-credentials) | ||
| Line 298: | Line 214: | ||
* Sign up for [https://wiki.mozilla.org/Safari_Books O'Reilly's online library] of their boooks - a great resource | * Sign up for [https://wiki.mozilla.org/Safari_Books O'Reilly's online library] of their boooks - a great resource | ||
* Overview of dev cycle: http://k0s.org/mozilla/workflow.svg (slightly dated). And browse http://k0s.org/mozilla | * Overview of dev cycle: http://k0s.org/mozilla/workflow.svg (slightly dated). And browse http://k0s.org/mozilla | ||
* [[ReleaseEngineering/Tips_And_Tricks|Releng Tips and Tricks]] | * [[ReleaseEngineering/Tips_And_Tricks|Releng Tips and Tricks]]Firefox Desktop + Firefox Mobile release process docs: | ||
Firefox Desktop + Firefox Mobile release process docs: | |||
* [[Release_Management/Release_Process]] | * [[Release_Management/Release_Process]] | ||
* [[Release_Management/Release_Process/FAQ]] | * [[Release_Management/Release_Process/FAQ]] | ||
* [https://intranet.mozilla.org/TravelPolicies#Corporate_Travel_Accounts Egencia account]: this should be accessible via [https://mana.mozilla.org/wiki/display/SD/SSO+Quick+Links SSO] | * [https://intranet.mozilla.org/TravelPolicies#Corporate_Travel_Accounts Egencia account]: this should be accessible via [https://mana.mozilla.org/wiki/display/SD/SSO+Quick+Links SSO] | ||
== Future Access as you need it == | |||
Talk to your mentor/manager to see which of these make sense. For each section below, request for these as you need them. | |||
=== Nagios === | |||
https://nagios.mozilla.org/nagios/ | |||
File a bug in bugzilla under 'MOC: Service Requests' | |||
=== AWS === | |||
We have a Releng AWS account. To get access file a Release Engineering: General ticket and request for a user account with a policy that grants you access to what you need in each service. Also enable MFA | |||
=== Private Secrets === | |||
We have a secrets vault that holds access to various passwords and keys. As you need access to various parts of infra, you will need to get access to the vault and then ask for your gpg key be added to the encrypted secret. Talk to your manager as this comes up. | |||
=== LDAP Groups === | |||
You may have access to the [https://ldapadmin1.private.scl3.mozilla.com/manage/ ldap admin page] and see your own groups that you have on your record. This page is behind vpn and auth0. | |||
Although you can read your current groups, you will not be able to modify them. To extend with Releng groups that you need. You and your manager will need to file a ticket for them under "MOC: Service Requests" | |||
example ldap groups they may have by default: | |||
cn=corp-vpn,ou=groups,dc=mozilla | |||
cn=IntranetWiki,ou=groups,dc=mozilla | |||
cn=irccloud,ou=groups,dc=mozilla | |||
cn=mfa,ou=groups,dc=mozilla | |||
cn=phonebook_access,ou=groups,dc=mozilla | |||
cn=team_moco,ou=groups,dc=mozilla | |||
cn=vpn_corp,ou=groups,dc=mozilla | |||
cn=vpn_default,ou=groups,dc=mozilla | |||
TODO audit these and break them up by security level (Bug 1465535) | |||
Example ldap groups you may need to file for and request added (example, Bug 1434168): | |||
cn=releng,ou=groups,dc=mozilla | |||
cn=RelEngWiki,ou=groups,dc=mozilla | |||
cn=vpn_releng,ou=groups,dc=mozilla | |||
cn=vpn_releng_loan,ou=groups,dc=mozilla | |||
cn=vpn_relengwiki,ou=groups,dc=mozilla | |||
cn=vpn_tooltooleditor,ou=groups,dc=mozilla | |||
cn=inventory,ou=groups,dc=mozilla | |||
cn=inventory_build,ou=groups,dc=mozilla | |||
cn=vpn_inventory,ou=groups,dc=mozilla | |||
cn=nagiosadmin,ou=groups,dc=mozilla | |||
cn=GraphsAdmin,ou=groups,dc=mozilla | |||
cn=active_scm_level_1,ou=groups,dc=mozilla | |||
cn=all_scm_level_1,ou=groups,dc=mozilla | |||
cn=vpn_genericrhel6,ou=groups,dc=mozilla | |||
=== Jumphost === | |||
To access any of Release Engineering, Taskcluster, and Release Operations hosts directly, you will need to go through VPN -> a Jumphost machine -> Separate MFA -> your target host. | |||
To do that, you and your manager will need to file a ticket against Release Operations and have them send you an invite to add an MFA account on your Duo App. | |||
Then once you have your Jumphost MFA setup correctly, you will need to have your ssh config to correctly route through the jumphost before trying the target host you want. | |||
example ssh config: | |||
<source lang="ruby"> | |||
# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to. | |||
HashKnownHosts yes | |||
# Host keys the client accepts - order here is honored by OpenSSH | |||
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 | |||
Host hg.mozilla.org git.mozilla.org | |||
User USERNAME@mozilla.com | |||
Compression yes | |||
ServerAliveInterval 300 | |||
Host *.mozilla.com | |||
User USERNAME | |||
IdentityFile ~/.ssh/id_rsa_mozilla_2017-05-12 | |||
Compression yes | |||
ServerAliveInterval 300 | |||
Host *.build.mozilla.org | |||
Compression yes | |||
User cltbld | |||
ServerAliveInterval 300 | |||
Host rejh?.srv.releng.????.mozilla.com | |||
ControlMaster auto | |||
ControlPath ~/.ssh/ssh-%C | |||
ControlPersist 10m | |||
ForwardAgent no | |||
Host *.releng.mdc1.mozilla.com !rejh?.srv.releng.mdc1.mozilla.com !*.private.releng.????.mozilla.com | |||
ProxyJump rejh1.srv.releng.mdc1.mozilla.com | |||
Host *.releng.us??.mozilla.com *.releng.scl3.mozilla.com !rejh?.srv.releng.????.mozilla.com !*.private.releng.scl3.mozilla.com | |||
ProxyJump rejh1.srv.releng.scl3.mozilla.com | |||
</source> | |||