Dustin J. Mitchell
Oct 17, 2013, 9:17:29 PM
to tools-pu...@lists.mozilla.org
Hey folks! A potential breaking change is coming.
When bug 792836 lands, the builder and root ~/.ssh/ directories will be purged of any unmanaged files, on the assumption that they are SSH private keys. All build slaves will also require a "trustlevel", indicating roughly the level of trust in the code that is run on those hosts. All orgs other than moco can probably get away with a single trustlevel, "prod".
You can use the $builder_ssh_keys_per_trustlevel and $buildmaster_ssh_keys to specify keys that should be present. For each builder key, you'll need a corresponding secret named `builder_ssh_key_${trust}_${key_name}`. For each buildmaster key, you'll need a secret named `buildmaster_ssh_key_${key_name}`.
This is all up in the air until the patch is r+'d, but I wanted to raise everyone's awareness of it. Luckily, any org changes can be made in advance without interfering with existing code:
- add $trustlevel = "prod" to any node definitions that include toplevel::slave::build or subclasses
- add $builder_ssh_keys_per_trustlevel and $buildmaster_ssh_keys to your config
- add corresponding secrets to hiera.
I'll check back once I have an r+ and once I've written some documentation, to make sure everyone is ready for landing.
Dustin
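
The preparation steps in the message above can be checked before the change lands. The following is an added example, not code from the original message or from the project: it derives the secret names from the two naming patterns quoted above and compares them with the secrets present in hiera. The data shapes (a trustlevel-to-key-names mapping, a node-to-trustlevel mapping), the function names, and all sample key, node and secret names are assumptions constructed for illustration.

```python
"""Pre-landing audit of SSH key secrets and trustlevels (added example)."""

SSH_PREFIXES = ("builder_ssh_key_", "buildmaster_ssh_key_")


def required_secrets(builder_keys_per_trustlevel, buildmaster_keys):
    """Secret names implied by the configured key lists."""
    names = set()
    for trust, key_names in builder_keys_per_trustlevel.items():
        for key_name in key_names:
            names.add(f"builder_ssh_key_{trust}_{key_name}")
    for key_name in buildmaster_keys:
        names.add(f"buildmaster_ssh_key_{key_name}")
    return names


def audit(builder_keys_per_trustlevel, buildmaster_keys,
          node_trustlevels, hiera_secret_names):
    """Report gaps between the key config, node trustlevels and hiera."""
    required = required_secrets(builder_keys_per_trustlevel, buildmaster_keys)
    present = set(hiera_secret_names)
    ssh_present = {n for n in present if n.startswith(SSH_PREFIXES)}
    return {
        # Keys listed in config with no secret to supply the key material.
        "missing_secrets": sorted(required - present),
        # Key secrets still in hiera that no config entry references.
        "orphaned_secrets": sorted(ssh_present - required),
        # Build slaves that have not been given a trustlevel yet.
        "nodes_without_trustlevel": sorted(
            node for node, trust in node_trustlevels.items() if not trust),
    }


# Constructed sample data (hypothetical key, node and secret names).
SAMPLE_BUILDER_KEYS = {"prod": ["upload_key", "sign_key"]}
SAMPLE_BUILDMASTER_KEYS = ["sync_key"]
SAMPLE_NODES = {"slave1.example.com": "prod", "slave2.example.com": None}
SAMPLE_HIERA = {
    "builder_ssh_key_prod_upload_key",
    "buildmaster_ssh_key_old_key",
    "unrelated_secret",
}

if __name__ == "__main__":
    report = audit(SAMPLE_BUILDER_KEYS, SAMPLE_BUILDMASTER_KEYS,
                   SAMPLE_NODES, SAMPLE_HIERA)
    for finding, items in report.items():
        print(f"{finding}: {items}")
```

An empty report for all three findings means the key lists, secrets and node trustlevels agree with each other.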