Closed Bug 678804 Opened 13 years ago Closed 11 years ago

Audit ssh keys on slaves

Categories

(Infrastructure & Operations Graveyard :: CIDuty, task, P3)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 792836

People

(Reporter: rail, Unassigned)

Details

(Whiteboard: [buildslaves])

During the 6.0 build I hit a problem when the xrbld key was missing on the slave. We need:

1) make sure that every slave has the same keys
2) audit chmod and chown of keys (some of the keys are owned by cltbl:games)
3) manage the keys by puppet or slavealloc (so we can easily move slaves from production to staging)

Ideas are welcome.
(In reply to Rail Aliiev [:rail] from comment #0)
> During the 6.0 build I hit a problem when the xrbld key was missing on the
> slave. We need:
> 
> 1) make sure that every slave has the same keys
> 2) audit chmod and chown of keys (some of the keys are owned by cltbl:games)
> 3) manage the keys by puppet or slavealloc (so we can easily move slaves
> from production to staging)
> 
> Ideas are welcome.

I think using the same system that understands where the slave should go is a great choice for deciding which keys to install. I am not sure how much of a security risk it is, since slavealloc is essentially serving up a Python script which gets run on the slave, which has access to the upload keys.

If we don't want to actually serve the keys through slavealloc, we could have it run a script to validate that the keys have the correct permissions and do a checksum to make sure it's the right key.
Priority: -- → P3
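The validation script suggested in the comment above, sketched as an added example that is not part of the bug thread or of Mozilla's tooling: it checks each expected key for presence, owner, mode and SHA-256 checksum. The function names, the manifest format (file name to digest) and the sample key names are assumptions, and the demo uses constructed bytes rather than real keys.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def audit_keys(key_dir, manifest, expected_uid):
    """Audit keys listed in manifest (file name -> SHA-256 hex); return sorted findings."""
    findings = []
    for name, want in manifest.items():
        path = Path(key_dir) / name
        try:
            st = os.lstat(path)  # lstat: do not follow a symlinked key
        except FileNotFoundError:
            findings.append((name, "missing"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        if st.st_uid != expected_uid:
            findings.append((name, "wrong owner"))
        if stat.S_IMODE(st.st_mode) & 0o077:  # any group/other permission bit
            findings.append((name, "group/other access"))
        try:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
        except PermissionError:
            findings.append((name, "unreadable"))
            continue
        if digest != want:
            findings.append((name, "checksum mismatch"))
    return sorted(findings)


def demo():
    """Constructed bytes, not real keys: key_b is 0644, key_c is stale, key_d is absent."""
    want = {n: b"constructed-" + n.encode() for n in ("key_a", "key_b", "key_c", "key_d")}
    manifest = {n: hashlib.sha256(v).hexdigest() for n, v in want.items()}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("key_a", 0o600), ("key_b", 0o644), ("key_c", 0o600)):
            data = b"stale" if name == "key_c" else want[name]
            (Path(d) / name).write_bytes(data)
            os.chmod(Path(d) / name, mode)
        return audit_keys(d, manifest, os.getuid())


if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```

An empty result means every key in the manifest is present, owned by the expected user, closed to group and others, and byte-identical to the reference copy.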
Bug 624622 is about using puppet to make sure slaves have the correct keys installed.
Product: mozilla.org → Release Engineering
Found in triage. As this is about multiple machines, I *think* this belongs in PlatformSupport.
Component: Other → Platform Support
Bug 792836 is in progress and addressing this.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Component: Platform Support → Buildduty
Product: Release Engineering → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard