Do LDAP authentication on dev-master01 with keys from puppet, not ssh-lpk

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)

Details

(Whiteboard: [allhands])

Attachments

(1 attachment, 1 obsolete attachment)

I set this machine up before I knew that ssh-lpk was the old, bad, deprecated way.  And, I think, before there was a new, good, preferred way.  The result is that when LDAP has problems, the machine is inaccessible - bug 685570.
Assignee: server-ops-releng → dustin
Ah, I forgot that this is using the releng puppet manifests.

The way we've done this in IT is to autogenerate a set of user resources and SSH keys in the puppet manifests, based on a crontab that pulls from LDAP.  That way an LDAP outage hurts neither puppet nor, more importantly, running systems.

I think the best way to do this in releng will be including the public keys directly, manually.  Does that make sense to y'all, too?
I've got no real preference, personally.
So rather than put usernames, uids, and public keys in a public hg repo, it probably makes more sense to treat this similar to the secrets.pp.template file.  In fact, I'll probably add it directly to secrets.pp, just so we don't have to worry about carrying around another non-versioned file.  Does that sound OK?
I actually think it makes more sense to split the two files because you're constantly auto-generating one of them from an outside source.  You don't want to accidentally zorch the other non-autogenerated secrets if something should go wrong with the ldap lookup.

Since this file does not get checked into the repo, we'll need to add some extra logic to make sure that we're not doing a puppet run with a partial or corrupted file (ldap timeout, partial transfer, etc).  I think writing to a temp file, doing a compare to see if too many lines changed, then moving the temp file into place might be a help.
I tried porting the script IT uses, and it's too much trouble to get right - particularly given that the puppet masters aren't puppetized.

So I'm just going to organize this as I said in comment 3.  To be clear, that's not dynamically generated.

We can probably (definitely) do this with the new puppet-2.7.1 infra, but that's still proof-of-concept.
Whiteboard: [allhands]
Created attachment 560047 [details] [diff] [review]
m685575-puppet-manifests-p1-r1.patch

So puppet, uh, "fixed itself" again.  After we talked at lunch, I went back to try to reproduce the problems I was having with the clientbucket.  Works fine.

To pull dev-master01 back from the brink, I manually replaced /etc/ldap.conf, /etc/ssh/sshd_config, /etc/nsswitch.conf, and /etc/pam.d/system-auth-ac with files from another master.  I did *not* change the version of SSH -- the LPK-enabled version should (and seems to) work fine.  I also disabled puppetd, since it will revert these changes until the patch is landed, and lock us all out again.

So once this lands, I'll need to restart puppetd.
Attachment #560047 - Flags: review?(bhearsum)
Comment on attachment 560047 [details] [diff] [review]
m685575-puppet-manifests-p1-r1.patch

Review of attachment 560047 [details] [diff] [review]:
-----------------------------------------------------------------

I think you forgot to include the userlogins module in this patch. Could you also add a sample user/key to secrets.pp.template?
Attachment #560047 - Flags: review?(bhearsum) → review-
Comment on attachment 560047 [details] [diff] [review]
m685575-puppet-manifests-p1-r1.patch

Review of attachment 560047 [details] [diff] [review]:
-----------------------------------------------------------------

::: modules/userlogins/manifests/init.pp
@@ +1,1 @@
> +# The userids and ssh keys for these users are defined in secrets.pp.
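Review bot: the header comment on line 1 sends readers to secrets.pp, which is deliberately not checked in; it would help someone bringing up a new master to also name secrets.pp.template as the place where the expected user/uid/key entry format is documented, since the r1 review asked for a sample user/key to live there.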

This is the userlogins module..

I'll add the example, though.
Created attachment 560657 [details] [diff] [review]
m685575-puppet-manifests-p1-r2.patch
Attachment #560047 - Attachment is obsolete: true
Attachment #560657 - Flags: review?(bhearsum)
Comment on attachment 560657 [details] [diff] [review]
m685575-puppet-manifests-p1-r2.patch

Review of attachment 560657 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry, I'm not sure how I missed the userlogins module before!
Attachment #560657 - Flags: review?(bhearsum) → review+
Landed and deployed with the corresponding secrets.pp changes.

The template was incorrect in the patch, so I fixed it up in rev 9e75ff75a9e1.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
I also used 'yum downgrade' to downgrade back to the normal version of puppet.  This helpfully removed a bunch of stuff, which I then re-added:

[root@dev-master01 ~]# yum downgrade openssh
Loaded plugins: fastestmirror
Setting up Downgrade Process
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.hoobly.com
 * epel: linux.mirrors.es.net
 * extras: centos.mirror.facebook.net
 * updates: centos.mirror.facebook.net
Resolving Dependencies
--> Running transaction check
---> Package openssh.x86_64 0:4.3p2-72.el5_7.5 set to be updated
---> Package openssh.x86_64 0:5.2p1-1.rhel5 set to be erased
--> Processing Dependency: openssh = 5.2p1-1.rhel5 for package: openssh-server
--> Processing Dependency: openssh = 5.2p1-1.rhel5 for package: openssh-clients
--> Running transaction check
---> Package openssh-clients.x86_64 0:5.2p1-1.rhel5 set to be erased
--> Processing Dependency: openssh-clients for package: git
---> Package openssh-server.x86_64 0:5.2p1-1.rhel5 set to be erased
--> Running transaction check
---> Package git.x86_64 0:1.7.4.1-1.el5 set to be erased
--> Processing Dependency: git = 1.7.4.1-1.el5 for package: perl-Git
--> Running transaction check
---> Package perl-Git.x86_64 0:1.7.4.1-1.el5 set to be erased
--> Processing Dependency: /usr/bin/ssh for package: nagios-plugins-by_ssh
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package nagios-plugins-by_ssh.x86_64 0:1.4.15-2.el5 set to be erased
--> Processing Dependency: nagios-plugins-by_ssh for package: nagios-plugins-all
--> Running transaction check
---> Package nagios-plugins-all.x86_64 0:1.4.15-2.el5 set to be erased
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================
 Package                 Arch     Version            Repository   Size
=====================================================================
Downgrading:
 openssh                 x86_64   4.3p2-72.el5_7.5   updates     289 k
Removing for dependencies:
 git                     x86_64   1.7.4.1-1.el5      installed    11 M
 nagios-plugins-all      x86_64   1.4.15-2.el5       installed    0.0
 nagios-plugins-by_ssh   x86_64   1.4.15-2.el5       installed    56 k
 openssh-clients         x86_64   5.2p1-1.rhel5      installed   3.1 M
 openssh-server          x86_64   5.2p1-1.rhel5      installed   1.8 M
 perl-Git                x86_64   1.7.4.1-1.el5      installed    35 k

Transaction Summary
=====================================================================
Remove        6 Package(s)
Reinstall     0 Package(s)
Downgrade     1 Package(s)

Total download size: 289 k

[root@dev-master01 ~]# yum install nagios-plugins-all git openssh-server openssh-clients
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.hoobly.com
 * epel: linux.mirrors.es.net
 * extras: centos.mirror.facebook.net
 * updates: centos.mirror.facebook.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package git.x86_64 0:1.7.4.1-1.el5 set to be updated
--> Processing Dependency: perl-Git = 1.7.4.1-1.el5 for package: git
--> Processing Dependency: perl(Git) for package: git
---> Package nagios-plugins-all.x86_64 0:1.4.15-2.el5 set to be updated
--> Processing Dependency: nagios-plugins-by_ssh for package: nagios-plugins-all
---> Package openssh-clients.x86_64 0:4.3p2-72.el5_7.5 set to be updated
---> Package openssh-server.x86_64 0:4.3p2-72.el5_7.5 set to be updated
--> Running transaction check
---> Package nagios-plugins-by_ssh.x86_64 0:1.4.15-2.el5 set to be updated
---> Package perl-Git.x86_64 0:1.7.4.1-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================
 Package                 Arch     Version            Repository   Size
=====================================================================
Installing:
 git                     x86_64   1.7.4.1-1.el5      epel        4.5 M
 nagios-plugins-all      x86_64   1.4.15-2.el5       epel         10 k
 openssh-clients         x86_64   4.3p2-72.el5_7.5   updates     452 k
 openssh-server          x86_64   4.3p2-72.el5_7.5   updates     278 k
Installing for dependencies:
 nagios-plugins-by_ssh   x86_64   1.4.15-2.el5       epel         37 k
 perl-Git                x86_64   1.7.4.1-1.el5      epel         28 k

Transaction Summary
=====================================================================
Install       6 Package(s)
Upgrade       0 Package(s)

Total download size: 5.3 M
I need to do the same on releng-mirror01, but it's currently out of space.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
OK, I did the relevant un-horking in comments 6 and 12.

releng-mirror01 was out of disk space (and had been alerting as such for a while), which may have been what precipitated this.  I blew away the seamonkey dir and disabled the rsync for the moment.

Puppet was not set up to run at boot, so I fixed that and started it back up.  It put the proper SSH keys in place, and re-enabled the rsync.  So it will fill up again soon.
Status: REOPENED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Component: Server Operations: RelEng → RelOps
Product: mozilla.org → Infrastructure & Operations