Add a vpn_sheriff group to MozillaVPN and give it access to the releng buildbot masters

RESOLVED FIXED

Status

Infrastructure & Operations
Infrastructure: OpenVPN
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: emorley, Assigned: jabba)

Tracking

Details

(Reporter)

Description

5 years ago
I'm unable to access:
http://slavealloc.build.mozilla.org/
http://buildbot-master62.srv.releng.use1.mozilla.com:8001/

When using the new MozillaVPN (https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=30769829).

See dependant bug for where BuildVPN permission was granted.

Thank you :-)
(Assignee)

Updated

5 years ago
Component: Infrastructure: Other → Infrastructure: OpenVPN
(Assignee)

Comment 1

5 years ago
Since this is a custom setup and we are trying to avoid blanket access. I've created a group vpn_emorley for you with those two hosts in it. Please let me know if there is more access required and I can update the group. You'll need to disconnect/reconnect to get the changes.
Assignee: infra → jdow
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Talked about this with Ed. We'd like to create a "sheriff" group for Ed, RyanVM, KWierso, and Tomcat that has access to the following:
https://secure.pub.build.mozilla.org/slavealloc/ui/ (this is the new URL for slavealloc, with slavealloc.b.m.o now deprecated.)
srv.releng.scl3.mozilla.com
srv.releng.use1.mozilla.com
srv.releng.usw2.mozilla.com
buildbot-master45.build.scl1.mozilla.com
buildbot-master44.build.scl1.mozilla.com
buildbot-master43.build.scl1.mozilla.com
buildbot-master42.build.scl1.mozilla.com
buildbot-master29.build.scl1.mozilla.com
buildbot-master22.build.scl1.mozilla.com
buildbot-master20.build.scl1.mozilla.com
buildbot-master10.build.scl1.mozilla.com
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 3

5 years ago
Ok, done.

Except buildbots-masters 22, 20 and 10 aren't resolving for me, so I didn't add those. Is that an error?

secure.pub.build.mozilla.org is a public IP. Does that still need to be routed through the VPN, or can I just leave that one out?
(Assignee)

Comment 4

5 years ago
Note: I created vpn_sheriff and removed vpn_emorley. Added the other folks to vpn_sheriff. I think I still need one more tweak before kwierso can connect, since it's not a corp LDAP account, so might need to hold off on him testing.
(In reply to Justin Dow [:jabba] from comment #3)
> Ok, done.
> 
> Except buildbots-masters 22, 20 and 10 aren't resolving for me, so I didn't
> add those. Is that an error?

Whoops! Those three are mtv1, not scl1.

> secure.pub.build.mozilla.org is a public IP. Does that still need to be
> routed through the VPN, or can I just leave that one out?

I...don't know. This is pretty new, so I'll have to defer to Dustin there.
Flags: needinfo?(dustin)
It doesn't need to be routed through the VPN, no.
Flags: needinfo?(dustin)
(Assignee)

Comment 7

5 years ago
Ok, should be all good to go
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago5 years ago
Resolution: --- → FIXED
master list for mtv1 missed one of the tegra masters:

buildbot-master19.build.mtv1.mozilla.com
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 9

5 years ago
Added.
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 10

5 years ago
I can confirm I can successfully access the handful of buildbot masters I tried + that the new slavealloc URL is accessible without being connected to the VPN (albeit my LDAP perms don't appear to be sufficient but will file another bug) - thank you :-)
Summary: Unable to access several build/releng services on the new MozillaVPN → Add a vpn_sheriff group to MozillaVPN and give it access to the releng buildbot masters
(Reporter)

Updated

5 years ago
No longer depends on: 803131
(Reporter)

Updated

5 years ago
Depends on: 887450
(Reporter)

Comment 11

4 years ago
This appears to have regressed recently - not sure if just for me, or for all of the vpn_sheriff group.

I can access the buildbot masters (eg http://buildbot-master70.srv.releng.use1.mozilla.com:8201/buildslaves/t-w864-ix-065) via the old Build VPN, but not via the new global Mozilla VPN.

Note: bug 891789 touched my ldap groups recently, don't know if that inadvertently changed anything else.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Reporter)

Comment 12

4 years ago
10:29:23 - Tomcat: edmorley: the buildbot master page works for me
10:29:35 - Tomcat: no problem via the new vpn

-> Seems like just my groups were reset?
(Assignee)

Comment 13

4 years ago
Hmm, I don't see any problems with your groups. What kind of connection errors are you seeing? resolution failures, timeouts or connection refused?
(Reporter)

Comment 14

4 years ago
And now it's working again, typical! :-)

(I can't remember which error type now, sorry)
(Reporter)

Updated

4 years ago
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago4 years ago
Resolution: --- → FIXED
(Reporter)

Updated

4 years ago
Depends on: 916077
(Reporter)

Updated

4 years ago
Depends on: 937106
You need to log in before you can comment on or make changes to this bug.