The patch on this bug is landing very soon. The effect is to manage all secret information on buildslaves, so that it does not need to be set up manually anymore. This also makes visible the set of SSH keys that are available on each slave, and the history in the bug shows that this has been quite a learning experience for everyone involved.
Here's what orgs need to know:
** This patch will purge all ~/.ssh/ directories on all buildmasters and buildslaves **
...so if you have any private keys or anything else in there, get it managed by puppet (and make a backup just to be safe). The authorized_keys, known_hosts, and config will stay -- they're already puppet-managed.
Buildmasters
============
Buildmaster keys must be specified in your configuration, as $buildmaster_ssh_keys. According to the docs:
# a list of ssh key names that should exist on every buildmaster. This
# list contains bare key names (e.g., caminobld_dsa), while the
# corresponding secrets have a "buildmaster_ssh_key_" prefix, e.g.,
# buildmaster_ssh_key_caminobld_dsa.
$buildmaster_ssh_keys = []
See https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Secrets#Using_EYAML for help creating secrets.
Buildslaves
===========
Buildslaves are a little different. First, slaves have a trustlevel, which is set as a node-scope variable $slave_trustlevel. This should be "core" in general, or "try" for hosts which build or run untrusted code. The intention is to separate slaves that are trusted to have important secrets and create real builds from those which might easily be compromised.
Second, you'll need to provide a "keyset", which is the list of keys to be installed on the slave, by adding a clause for your organization to `modules/slave_secrets/manifests/ssh_keys.pp`. The keysets are a map from key name (the filename in ~/.ssh) to secret name. This can be as simple as
$prod_try_keyset = {
    'somekey'    => 'builder_ssh_key_some',
    'anotherkey' => 'builder_ssh_key_another',
}
or as complex as you'd like. Moco's is pretty complex!
Note that the slave type -- build or test -- is passed as an argument to the class. It may be helpful to distinguish SSH keys on that basis.
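As an added illustration (not code from the patch or from any org's actual manifest), here is what an org clause that splits keys by trustlevel and slave type could look like. The org name, key and secret names, the `$slavetype` parameter name, and the `$::config::org` selector are assumptions.

```puppet
# modules/slave_secrets/manifests/ssh_keys.pp (excerpt; hypothetical org clause)
# Assumes the class receives the slave type ('build' or 'test') as $slavetype
# and that the org is selected via $::config::org. All key and secret names
# below are placeholders, not real PuppetAgain secrets.
case $::config::org {
    'exampleorg': {
        # Core build slaves produce real builds, so they get the keys that
        # reach upload and signing hosts.
        $exampleorg_core_build_keyset = {
            'exampleorg_upload_dsa'  => 'builder_ssh_key_exampleorg_upload_dsa',
            'exampleorg_signing_rsa' => 'builder_ssh_key_exampleorg_signing_rsa',
        }
        # Core test slaves only fetch builds; no upload or signing keys.
        $exampleorg_core_test_keyset = {
            'exampleorg_fetch_dsa' => 'builder_ssh_key_exampleorg_fetch_dsa',
        }
        # Try slaves run untrusted code: install no secrets at all,
        # whether they build or test.
        $exampleorg_try_keyset = {}

        # Pick the keyset from the node-scope $slave_trustlevel first,
        # then from the slave type for core slaves.
        $keyset = $slave_trustlevel ? {
            'core' => $slavetype ? {
                'build' => $exampleorg_core_build_keyset,
                'test'  => $exampleorg_core_test_keyset,
            },
            'try'  => $exampleorg_try_keyset,
        }
    }
}
```

The point of the empty try keyset is that a compromised try slave then holds nothing worth stealing, which is exactly the separation the trustlevel is meant to enforce.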
If you want to get keysets merged before the patch lands, send me a snippet and I'll include it; otherwise, it's fine to land with a=orgonly.
Dustin