GPO images to name existing file ffxbld_dsa as ffxbld_rsa (but content of file should remain the same)

RESOLVED WONTFIX

Status

Infrastructure & Operations
RelOps
RESOLVED WONTFIX
4 years ago
3 years ago

People

(Reporter: pmoore, Assigned: markco)

Tracking

Details

(Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/309] )

(Reporter)

Description

4 years ago
This either needs to be a coordinated roll out at the same as the RelEng source code changes in parent bug 1061188, or alternatively; ffxbld_rsa could be provided as a copy of ffxbld_dsa (i.e. both ffxbld_rsa and ffxbld_dsa are included in GPO), and after bug 1061188 lands, ffxbld_dsa can be deleted in a future bug. Perhaps this is the sanest solution?

Explanation: due to a security incident, we needed to generate a new key. Policy states that this should be an rsa key, not a dsa key. We initially created a new key, but to minimise impact, left it named as ffxbld_dsa. We would like to switch the name over to ffxbld_rsa to avoid confusion, since it is an rsa key.

Please advise which of these two potential roll out procedures are preferred.
We should definitely make a copy first, since that means we won't need a tree closure to switch form one to the other. We can go back later and delete the file named ffxbld_dsa after all the hosts have been updated and the releng code has been modified to use only ffxbld_rsa.
Assignee: relops → mcornmesser
(Assignee)

Comment 2

4 years ago
The GPO that does the file copy now includes ffxbld_rsa. Once we are comfortable i will remove ffxbld_dsa.

If, for any reason, we wanted to remove it on a limited number of machines first, I can add file deletion to the existing GPO and limit it through item level targeting.
(Reporter)

Comment 3

4 years ago
Many thanks Mark!

We'll have to update our tools to use ffxbld_rsa, and I can coordinate back in this bug when we are ready to get rid of ffxbld_dsa, when everything has been switched over.
(Reporter)

Comment 4

4 years ago
(In reply to Mark Cornmesser [:markco] from comment #2)
> The GPO that does the file copy now includes ffxbld_rsa. Once we are
> comfortable i will remove ffxbld_dsa.
> 
> If, for any reason, we wanted to remove it on a limited number of machines
> first, I can add file deletion to the existing GPO and limit it through item
> level targeting.

Do we need to reimage all of our machines to pick up this change?

For example:
https://bugzilla.mozilla.org/show_bug.cgi?id=1082535#c62

Or what is the best way to make sure this is rolled out to all machines?

Thanks,
Pete
Flags: needinfo?(mcornmesser)
GPO runs at boot time, so no reimaging required.
Flags: needinfo?(mcornmesser)
(Assignee)

Comment 6

4 years ago
Pmoore: I will take a look into what is happening with https://bugzilla.mozilla.org/show_bug.cgi?id=1082535#c62 tomorrow or Friday this week.
(Reporter)

Comment 7

4 years ago
(In reply to Mark Cornmesser [:markco] from comment #6)
> Pmoore: I will take a look into what is happening with
> https://bugzilla.mozilla.org/show_bug.cgi?id=1082535#c62 tomorrow or Friday
> this week.

No worries Mark - Coop and Amy both pointed out that the GPO imaging occurs after a reboot, and no doubt this slave had not rebooted.

I'm going to upload the key to the windows slaves to catch the ones that haven't rebooted, and try again.

Thanks!
Pete

Updated

4 years ago
Whiteboard: [kanban:engops:https://kanbanize.com/ctrl_board/6/309]
(Reporter)

Updated

4 years ago
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
(Reporter)

Comment 8

4 years ago
Whoops, I closed this rather prematurely.

I think we are now ready to drop the dsa key from GPO, and clean up the .ssh dir of the windows machines to not include the rsa key.

Once this is done, we can close the bug.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Reporter)

Comment 9

4 years ago
(In reply to Pete Moore [:pete][:pmoore] from comment #8)

> I think we are now ready to drop the dsa key from GPO, and clean up the .ssh
> dir of the windows machines to not include the rsa key.


I mean, "not include the ffxbld_dsa key" (not the rsa key).
(Reporter)

Comment 10

4 years ago
Hi Mark,

Can you delete the ffxbld_dsa key now from the GPO images, and also from the slaves (if needed)?

Nothing should be relying on that key any more.

Many thanks!
Pete
Flags: needinfo?(mcornmesser)
(Assignee)

Comment 11

4 years ago
I have a GPO ready to roll for this. Do we want to roll it out to a smaller test pool first?
(Assignee)

Updated

4 years ago
Flags: needinfo?(mcornmesser)
(Assignee)

Updated

4 years ago
Flags: needinfo?(pmoore)
(Reporter)

Comment 12

4 years ago
Hey Mark,

I've just found out that some new dependencies have recently been added on the old file (see https://bugzilla.mozilla.org/show_bug.cgi?id=1061188#c36), so we should probably hold off for now until I've fixed that up. When I've landed a fix for that and it has propagated, we should be good to go.

Then indeed we could roll out to a smaller test pool initially, if that is not too much work for you.

Thanks Mark!
Pete
Flags: needinfo?(pmoore)
(Assignee)

Comment 13

4 years ago
Sounds good.

Updated

4 years ago
Whiteboard: [kanban:engops:https://kanbanize.com/ctrl_board/6/309] → [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/694] [kanban:engops:https://kanbanize.com/ctrl_board/6/309]
Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/694] [kanban:engops:https://kanbanize.com/ctrl_board/6/309] → [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/309] [kanban:engops:https://kanbanize.com/ctrl_board/6/309]
Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/309] [kanban:engops:https://kanbanize.com/ctrl_board/6/309] → [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/309]
(Assignee)

Comment 14

3 years ago
Just checking in. Any update on the dependencies ?
(Reporter)

Comment 15

3 years ago
Dependencies landed I believe - can we try on a test pool?
Flags: needinfo?(mcornmesser)
(Reporter)

Comment 16

3 years ago
Hey Mark,

Now we're setting up puppet for Windows, is this no longer needed? Should I mark as WONTFIX?

Thanks,
Pete
(Assignee)

Comment 17

3 years ago
WONTFIX is probably a good choice. This has been at the bottom of my list to address because of Puppet.
Status: REOPENED → RESOLVED
Last Resolved: 4 years ago3 years ago
Flags: needinfo?(mcornmesser)
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.