Closed
Bug 1476406
Opened 7 years ago
Closed 7 years ago
/etc/mercurial/mirror on hgssh1.dmz.mdc1 is wrong
Categories
(Developer Services :: Mercurial: hg.mozilla.org, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gps, Assigned: fubar)
Details
The /etc/mercurial/mirror file on hgssh1.dmz.mdc1 is wrong. Or at least it isn't an RSA private key registered with the vcs-sync@mozilla.com LDAP user. The file definitely varies from what is on hgssh4.dmz.scl3.mozilla.com and I expect the files to be the same.
The file is put in place by Puppet. So this smells like a Puppet misconfiguration issue.
fubar: could you please look into this? This is blocking our ability to perform an Ansible deploy in MDC1.
Flags: needinfo?(klibby)
Comment 1 • 7 years ago (Assignee)
This is not managed by puppet, though I think it had been at one point.
ansible/roles/hg-ssh/tasks/main.yml:

    - name: replication SSH key is present
      command: /usr/bin/ssh-keygen -b 4096 -f /etc/mercurial/mirror -t rsa -N '' creates=/etc/mercurial/mirror
Flags: needinfo?(klibby)
Comment 2 • 7 years ago (Reporter)
Hmmm.
Well, the SSH key has to be registered in LDAP. So I guess we manually placed it there on hgssh in scl3. Or it was already there.
The Ansible code for creating it probably exists to support the container-based testing environment.
I guess the solution here is to manually replace /etc/mercurial/mirror on mdc1 and we'll be on our way.
That being said, a better solution is to have Puppet populate this file. Because it is a secret that needs to persist across new servers.
Comment 3 • 7 years ago (Reporter)
I manually updated the file on hgssh1 and hgssh3. I'll leave open in case fubar wants to add this file to Puppet. If not, then it can be resolved. But we have to be cognizant to manually update this file when we provision new hgssh servers.
Comment 4 • 7 years ago (Assignee)
Added to puppet.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
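The mismatch in this bug (a replication key on one host that differs from the key registered for the service account) can be caught before a deploy by comparing public-key fingerprints. The following is an added example, not code from the bug or from the hg.mozilla.org repository. It assumes each host's public key line was collected with `ssh-keygen -y -f /etc/mercurial/mirror`; the function names and all key material are constructed for illustration.

```python
import base64, hashlib, struct

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def parse_pubkey(line: str):
    """Return (key_type, blob) from an OpenSSH public key line; the comment is ignored."""
    key_type, b64 = line.split()[:2]          # ValueError if fields are missing
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; check it agrees.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("declared key type does not match blob")
    return key_type, blob

def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the same form `ssh-keygen -l` prints."""
    _, blob = parse_pubkey(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_drift(registered: str, per_host: dict) -> dict:
    """Map each host whose key differs from the registered key to what was found."""
    want = fingerprint(registered)
    drift = {}
    for host, line in per_host.items():
        try:
            got = fingerprint(line)
        except (ValueError, struct.error) as exc:
            got = f"unparseable: {exc}"
        if got != want:
            drift[host] = got
    return drift

def _constructed_rsa_line(seed: bytes, comment: str) -> str:
    # Constructed sample data: correct wire layout, but not a usable key.
    n = b"\x00" + hashlib.sha512(seed).digest() * 8   # 4096-bit-sized modulus field
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

REGISTERED = _constructed_rsa_line(b"registered", "vcs-sync@mozilla.com")
# Assumed input: output of `ssh-keygen -y -f /etc/mercurial/mirror` on each host.
HOSTS = {
    "hgssh4.dmz.scl3": _constructed_rsa_line(b"registered", "root@hgssh4"),
    "hgssh1.dmz.mdc1": _constructed_rsa_line(b"generated-locally", "root@hgssh1"),
}

if __name__ == "__main__":
    print(find_drift(REGISTERED, HOSTS))
```

Only public key lines leave the hosts in this check, so the private key never has to be copied or diffed directly.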