Make slaves use authorized_keys for passwordless ssh

RESOLVED FIXED

Status

P2
normal
RESOLVED FIXED
9 years ago
5 years ago

People

(Reporter: rail, Assigned: rail)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [buildslaves][puppet])

Attachments

(3 attachments, 5 obsolete attachments)

It will be easier if we set up the slaves so, that they can be accessed by ssh without entering a password.

authorized_keys can be managed by Puppet.

Not sure if we need to use the same method for root user.
Are you looking for RelEng'ers public SSH keys to be in authorized_keys, or cltbld/ffxbld?
Yes, for RelEng'ers public SSH keys
This sounds like a great idea (i'd love it!).  Maybe we can also have a set of basic config files so we have a known baseline to work from with common tools (.vimrc, .screenrc, .ssh/config .emacs.el are some that come to mind).

If someone has time to take this on feel free to take it :)
OS: Linux → All
Priority: -- → P5
I spend a lot of time today playing with expect and finally managed to run ssh commands on slaves without manual interaction. But the resulting code is not maintainable. So, probably, it would be better to spend some time and get this bug fixed. It's mine. :)
Assignee: nobody → rail
Priority: P5 → P3
Created attachment 451358 [details]
Dump ssh keys from LDAP 

A simple ssh key dumper. I tested it on build-vpn.m.c.
Usage: perl ldap_dump.pl ldap_password (grep bindpw /etc/ldap.conf | awk '{print $2}')

It may be used to keep the authorized_keys file up to date.
BTW,

> if (/^sshPublicKey::? (.+)$/){

jford and bhearsum have two semicolons in LDAP for sshPublicKey, so we have "::?" here. FYI.
instead of pulling in from LDAP, could we just build a static file that we maintain and deploy that file?
(In reply to comment #7)
> instead of pulling in from LDAP, could we just build a static file that we
> maintain and deploy that file?

Sure. The script should be used for initial file creation and on manual (on demand) updates, just to reduce manual work.
Created attachment 451501 [details] [diff] [review]
Puppet manifest
Attachment #451501 - Flags: review?(bhearsum)
Created attachment 451505 [details]
Initial authorized_keys2

Initial authorized_keys2 generated by the ldap_dump.pl tool.

I deployed it in staging using the following script:

---------------
#!/bin/bash
for platform in \
  centos5-i686  centos5-x86_64  fedora12-i686  fedora12-x86_64; do
    target=/N/staging/$platform/build/local/home/cltbld/.ssh
    mkdir -p $target
    cp authorized_keys2 $target
done

for platform in \
  darwin10-i386  darwin9-i386; do
    target=/N/staging/$platform/build/local/Users/cltbld/.ssh
    mkdir -p $target
    cp authorized_keys2 $target
done
---------------

I tested the attached puppet manifest in staging and it worked for moz2-linux-slave51, darwin9 04 and 68, darwin10 04 and linux64 build slaves.
Comment on attachment 451501 [details] [diff] [review]
Puppet manifest

What's the rational for putting this in $local_fileroot rather than $puppet_fileroot? Are there differences between the staging and production versions?

Also, any reason we shouldn't apply this to the test machines, too?
(In reply to comment #11)
> What's the rational for putting this in $local_fileroot rather than
> $puppet_fileroot?

We can move it to $puppet_fileroot, sure.

> Are there differences between the staging and production
> versions?

No. I don't think that we're going to have different files.
 
> Also, any reason we shouldn't apply this to the test machines, too?

Do you mean adding the same entries to talos_fedora.pp and talos_osx.pp?
Created attachment 451643 [details]
Initial authorized_keys2

LDAP returns busted keys for bhearsum and jford. I manually fixed their keys.

Should we ask each person to confirm his/her key or a review would be enough?
Attachment #451505 - Attachment is obsolete: true

Comment 14

9 years ago
My key matches correctly. Thanks Rail!
Created attachment 452200 [details] [diff] [review]
Puppet manifest

* s/${local_fileroot}/${platform_fileroot}/g
* Added the same entries to os/talos_*.pp

The following shell script could be used:
-----
for level in staging production; do
    for type in build test; do
        for os in \
          centos5-i686  centos5-x86_64  fedora12-i686  fedora12-x86_64; do
            target=/N/$level/$os/$type/home/cltbld/.ssh
            mkdir -p $target
            cp authorized_keys2 $target
        done
        for os in darwin10-i386  darwin9-i386; do
            target=/N/$level/$os/$type/Users/cltbld/.ssh
            mkdir -p $target
            cp authorized_keys2 $target
        done
    done
done
-----
Attachment #451501 - Attachment is obsolete: true
Attachment #452200 - Flags: review?(bhearsum)
Attachment #451501 - Flags: review?(bhearsum)
Comment on attachment 452200 [details] [diff] [review]
Puppet manifest

Seems like we're going towards sharing our staging envs with devs...so we'll have to go back to using ${local_fileroot} here.
Attachment #452200 - Flags: review?(bhearsum) → review-
Priority: P3 → P2
Created attachment 466236 [details] [diff] [review]
Puppet manifest

A little bit simplified version.

packages/authorized_keys.pp:
${local_fileroot}/home/cltbld/.ssh/authorized_keys2 could be used instead of ${local_fileroot}/${home}/cltbld/.ssh/authorized_keys2 to simplify file management, but the current one looks more obvious, IMO.

base/nodes.pp:

I had to "include authorized_keys" twice for "centos" and "darwin-build" because "cltbld" user is managed by cltbld.pp on build slaves.
Attachment #452200 - Attachment is obsolete: true
Attachment #466236 - Flags: review?(bhearsum)
Comment on attachment 466236 [details] [diff] [review]
Puppet manifest

Why not put the authorized_keys include in the "slave" node definition? Did that not work because of where the file/httproots get defined?

I think the ~/.ssh part needs to go elsewhere. build/cltbld.pp already defines it for Linux build machines, not sure where the best place to put it for others' is.
Attachment #466236 - Flags: review?(bhearsum) → review-
Created attachment 477288 [details] [diff] [review]
Puppet manifests
Attachment #466236 - Attachment is obsolete: true
Attachment #477288 - Flags: review?(bhearsum)
Attachment #477288 - Flags: review?(bhearsum) → review+
Created attachment 477295 [details]
authorized_keys

Updated authorized_keys (Alice has been removed).
Attachment #451643 - Attachment is obsolete: true
The feature is being deployed and seen on some of the hosts. I tried to login to some of the updated hosts with different roles and platforms and they allowed me in without entering cltbld password.

Feel free to reopen if you find a host asking for a password.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering
You need to log in before you can comment on or make changes to this bug.