Closed
Bug 569567
Opened 15 years ago
Closed 15 years ago
Make slaves use authorized_keys for passwordless ssh
Categories
(Release Engineering :: General, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: rail, Assigned: rail)
References
Details
(Whiteboard: [buildslaves][puppet])
Attachments
(3 files, 5 obsolete files)
|
909 bytes,
text/plain
|
Details | |
|
4.25 KB,
patch
|
bhearsum
:
review+
rail
:
checked-in+
|
Details | Diff | Splinter Review |
|
6.18 KB,
text/plain
|
Details |
It will be easier if we set up the slaves so, that they can be accessed by ssh without entering a password.
authorized_keys can be managed by Puppet.
Not sure if we need to use the same method for root user.
|
||
Comment 1•15 years ago
|
||
Are you looking for RelEng'ers public SSH keys to be in authorized_keys, or cltbld/ffxbld?
|
||
Comment 2•15 years ago
|
||
Yes, for RelEng'ers public SSH keys
|
|
||
Comment 3•15 years ago
|
||
This sounds like a great idea (i'd love it!). Maybe we can also have a set of basic config files so we have a known baseline to work from with common tools (.vimrc, .screenrc, .ssh/config .emacs.el are some that come to mind).
If someone has time to take this on feel free to take it :)
OS: Linux → All
Priority: -- → P5
|
|
Assignee | |
Comment 4•15 years ago
|
||
I spend a lot of time today playing with expect and finally managed to run ssh commands on slaves without manual interaction. But the resulting code is not maintainable. So, probably, it would be better to spend some time and get this bug fixed. It's mine. :)
Assignee: nobody → rail
Priority: P5 → P3
|
|
Assignee | |
Comment 5•15 years ago
|
||
A simple ssh key dumper. I tested it on build-vpn.m.c.
Usage: perl ldap_dump.pl ldap_password (grep bindpw /etc/ldap.conf | awk '{print $2}')
It may be used to keep the authorized_keys file up to date.
|
|
Assignee | |
Comment 6•15 years ago
|
||
BTW,
> if (/^sshPublicKey::? (.+)$/){
jford and bhearsum have two semicolons in LDAP for sshPublicKey, so we have "::?" here. FYI.
|
|
||
Comment 7•15 years ago
|
||
instead of pulling in from LDAP, could we just build a static file that we maintain and deploy that file?
|
|
Assignee | |
Comment 8•15 years ago
|
||
(In reply to comment #7)
> instead of pulling in from LDAP, could we just build a static file that we
> maintain and deploy that file?
Sure. The script should be used for initial file creation and on manual (on demand) updates, just to reduce manual work.
|
|
Assignee | |
Comment 9•15 years ago
|
||
Attachment #451501 -
Flags: review?(bhearsum)
|
|
Assignee | |
Comment 10•15 years ago
|
||
Initial authorized_keys2 generated by the ldap_dump.pl tool.
I deployed it in staging using the following script:
---------------
#!/bin/bash
for platform in \
centos5-i686 centos5-x86_64 fedora12-i686 fedora12-x86_64; do
target=/N/staging/$platform/build/local/home/cltbld/.ssh
mkdir -p $target
cp authorized_keys2 $target
done
for platform in \
darwin10-i386 darwin9-i386; do
target=/N/staging/$platform/build/local/Users/cltbld/.ssh
mkdir -p $target
cp authorized_keys2 $target
done
---------------
I tested the attached puppet manifest in staging and it worked for moz2-linux-slave51, darwin9 04 and 68, darwin10 04 and linux64 build slaves.
|
|
||
Comment 11•15 years ago
|
||
Comment on attachment 451501 [details] [diff] [review]
Puppet manifest
What's the rational for putting this in $local_fileroot rather than $puppet_fileroot? Are there differences between the staging and production versions?
Also, any reason we shouldn't apply this to the test machines, too?
|
|
Assignee | |
Comment 12•15 years ago
|
||
(In reply to comment #11)
> What's the rational for putting this in $local_fileroot rather than
> $puppet_fileroot?
We can move it to $puppet_fileroot, sure.
> Are there differences between the staging and production
> versions?
No. I don't think that we're going to have different files.
> Also, any reason we shouldn't apply this to the test machines, too?
Do you mean adding the same entries to talos_fedora.pp and talos_osx.pp?
|
|
Assignee | |
Comment 13•15 years ago
|
||
LDAP returns busted keys for bhearsum and jford. I manually fixed their keys.
Should we ask each person to confirm his/her key or a review would be enough?
Attachment #451505 -
Attachment is obsolete: true
|
||
Comment 14•15 years ago
|
||
My key matches correctly. Thanks Rail!
|
|
Assignee | |
Comment 15•15 years ago
|
||
* s/${local_fileroot}/${platform_fileroot}/g
* Added the same entries to os/talos_*.pp
The following shell script could be used:
-----
for level in staging production; do
for type in build test; do
for os in \
centos5-i686 centos5-x86_64 fedora12-i686 fedora12-x86_64; do
target=/N/$level/$os/$type/home/cltbld/.ssh
mkdir -p $target
cp authorized_keys2 $target
done
for os in darwin10-i386 darwin9-i386; do
target=/N/$level/$os/$type/Users/cltbld/.ssh
mkdir -p $target
cp authorized_keys2 $target
done
done
done
-----
Attachment #451501 -
Attachment is obsolete: true
Attachment #452200 -
Flags: review?(bhearsum)
Attachment #451501 -
Flags: review?(bhearsum)
|
|
||
Comment 16•15 years ago
|
||
Comment on attachment 452200 [details] [diff] [review]
Puppet manifest
Seems like we're going towards sharing our staging envs with devs...so we'll have to go back to using ${local_fileroot} here.
Attachment #452200 -
Flags: review?(bhearsum) → review-
|
|
Assignee | |
Updated•15 years ago
|
Priority: P3 → P2
|
|
Assignee | |
Comment 17•15 years ago
|
||
A little bit simplified version.
packages/authorized_keys.pp:
${local_fileroot}/home/cltbld/.ssh/authorized_keys2 could be used instead of ${local_fileroot}/${home}/cltbld/.ssh/authorized_keys2 to simplify file management, but the current one looks more obvious, IMO.
base/nodes.pp:
I had to "include authorized_keys" twice for "centos" and "darwin-build" because "cltbld" user is managed by cltbld.pp on build slaves.
Attachment #452200 -
Attachment is obsolete: true
Attachment #466236 -
Flags: review?(bhearsum)
|
|
||
Comment 18•15 years ago
|
||
Comment on attachment 466236 [details] [diff] [review]
Puppet manifest
Why not put the authorized_keys include in the "slave" node definition? Did that not work because of where the file/httproots get defined?
I think the ~/.ssh part needs to go elsewhere. build/cltbld.pp already defines it for Linux build machines, not sure where the best place to put it for others' is.
Attachment #466236 -
Flags: review?(bhearsum) → review-
|
|
Assignee | |
Comment 19•15 years ago
|
||
Attachment #466236 -
Attachment is obsolete: true
Attachment #477288 -
Flags: review?(bhearsum)
|
|
||
Updated•15 years ago
|
Attachment #477288 -
Flags: review?(bhearsum) → review+
|
|
Assignee | |
Comment 20•15 years ago
|
||
Updated authorized_keys (Alice has been removed).
Attachment #451643 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 21•15 years ago
|
||
Comment on attachment 477288 [details] [diff] [review]
Puppet manifests
http://hg.mozilla.org/build/puppet-manifests/rev/510a1d7d9902
Attachment #477288 -
Flags: checked-in+
|
|
Assignee | |
Comment 22•15 years ago
|
||
The feature is being deployed and seen on some of the hosts. I tried to login to some of the updated hosts with different roles and platforms and they allowed me in without entering cltbld password.
Feel free to reopen if you find a host asking for a password.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
Product: mozilla.org → Release Engineering
You need to log in
before you can comment on or make changes to this bug.
Description
•