Page MenuHomePhabricator
Create Task
Maniphest T103312

Cant ssh to integration-slave-jessie-1001.integration.eqiad.wmflabs
Closed, ResolvedPublic
Actions

Description

integration-slave-jessie-1001.integration.eqiad.wmflabs cant be reached via ssh although it is working and reacheable via salt :(

Related Objects
Search...

Event Timeline

hashar created this task.Jun 22 2015, 11:30 AM
hashar claimed this task.
hashar raised the priority of this task from to Medium.
hashar updated the task description. (Show Details)
hashar added projects: Continuous-Integration-Infrastructure, Cloud-Services.
hashar added subscribers: Legoktm, yuvipanda, hashar and 2 others.
hashar added a comment.Jun 22 2015, 11:36 AM

Remove the puppet class role::ci::slave::labs which prevents puppet from completing.

Under /home/ only /home/admin/ exists :(

hashar moved this task from Untriaged to In-progress on the Continuous-Integration-Infrastructure board.Jun 22 2015, 12:43 PM
hashar added a project: Cloud-VPS.Jun 22 2015, 12:50 PM

Without role::ci::slave::labs puppet ran just fine. I verified resolv.conf / puppet.conf etc via salt commands. The only reason I can see for ssh to fail is because the user homedirs are not created under /home/.

Seems like a lab / sshd configuration issue to me.

hashar removed hashar as the assignee of this task.Jun 22 2015, 12:51 PM
hashar set Security to None.
hashar moved this task from In-progress to Externally Blocked on the Continuous-Integration-Infrastructure board.
hashar mentioned this in T90610: Continuous integration should not depend on labs NFS.
hashar merged a task: T102592: Cant ssh to integration-slave-jessie-1001.eqiad.wmflabs despite reboot.EditedJun 23 2015, 8:37 PM

From /var/log/auth.log :

Jun 23 20:36:22 integration-slave-jessie-1001 sshd[6109]: Connection from 10.68.16.210 port 45790 on 10.68.16.72 port 22
Jun 23 20:36:22 integration-slave-jessie-1001 sshd[6109]: Connection closed by 10.68.16.210 [preauth]

Well that is Shinken.

hashar added a comment.Jun 23 2015, 8:42 PM

So bastion-01.bastion.eqiad.wmflabs has the IP 10.68.17.232 but it is not enabled in the ferm rules! Thus the Jessie instance reject it, although I am not sure why it has ferm rules enabled and other CI slaves do not :-/

hashar added a comment.Jun 23 2015, 8:46 PM

Stopped ferm service via salt and I can ssh again.

Purged the ferm package, removed /etc/ferm and reran puppet. ferm is no more, though I am pretty sure it used to be around.

hashar closed this task as Resolved.Jun 23 2015, 8:56 PM
hashar claimed this task.
yuvipanda added a comment.Jun 25 2015, 11:05 AM

Hmm, the bastion-01 IP was added to puppet when it was created, are you sure these were running up to date puppet?

hashar added a comment.Jun 25 2015, 11:07 AM

For some reason ferm is no more applied on the CI instances, so it could not receive the new rules update.

yuvipanda added a comment.Jun 25 2015, 11:08 AM

Ah, that makes sense :)

Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:49 PM
Restricted Application added a project: Release-Engineering-Team (Kanban). · View Herald TranscriptJun 7 2017, 6:49 PM
Phabricator_maintenance edited projects, added RelEng-Archive-FY201718-Q1; removed Release-Engineering-Team (Kanban), Cloud-VPS.Sep 26 2017, 11:47 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL