Page MenuHomePhabricator

tjones needs access to stat1002
Closed, ResolvedPublic

Description

Need access to stat1002 to look at zero query data, etc.

Event Timeline

TJones created this task.Jul 17 2015, 7:21 PM
TJones raised the priority of this task from to Needs Triage.
TJones updated the task description. (Show Details)
TJones added a project: SRE-Access-Requests.
TJones added subscribers: TJones, Deskana, Ironholds, Ottomata.
Restricted Application added a project: acl*sre-team. · View Herald TranscriptJul 17 2015, 7:21 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Deskana set Security to None.Jul 17 2015, 9:27 PM
Deskana added a subscriber: Wwes.
Restricted Application added a subscriber: Matanya. · View Herald TranscriptJul 17 2015, 9:27 PM
fgiunchedi triaged this task as Normal priority.Jul 20 2015, 9:28 AM

@TJones we'll have also to provision your shell user across the cluster, to do that we'll need the following information from https://wikitech.wikimedia.org/wiki/Requesting_shell_access

  • Please sign: https://phabricator.wikimedia.org/L3
  • Your labs username/wikitech username (a link to your profile is welcome).
  • We base production UID from labs UID, so you have to sign up on labs/wikitech before you request access to the normal cluster.
  • Your preferred shell user name.
  • Your public RSA/DSA key must be provided, and has a few criteria:
    • Key must be uploaded via a non-email means, the following suggestions suffice:
    • Put a copy of your public key on your wiki user page.
    • Paste your public key into a phabricator task directly or onto a file/paste via web (but not via email!)
    • Upload your own patchset to gerrit which includes your public key.

Signed https://phabricator.wikimedia.org/L3
wikitech profile: https://wikitech.wikimedia.org/wiki/User:Tjones
preferred shell username: tjones (backup: trey)

@fgiunchedi: Can I put my public RSA key here, or do you want a separate task?

you can put it here. via web, not email.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaSUgjRZTi0djdSkKrqxTUXQisq/OCb9ZlXZNJQ69VD6Gup+GlzLxT5MhZrQ6hlf6p/NVvuc9y7zVI09qVYgbpe1L6EJWjyA2CnqLdukq46JDo31EcE1rhfeVqm7eba3X5DWLR3Tu7+tNuI+oC1/VFNnYOXTJOcXn9D27EHR1kANbkli4p82U4V8n23r5q6dZ6EPDLjnq5nG4w476GNAw8+Pf28/jTV3RMpkRdlpHqLJ6922NkMCYBLncJdhP16k14YSGIuOb4jdjLYIs8GOhdeezwBOxf27j/CPwHl27Traeq/7IHRyEczhJKlqEHea1MpkF6o5OVScl8v/3dUrZR tjones@wikimedia.org

Change 226077 had a related patch set uploaded (by Matanya):
access: shell account for Trey Jones

https://gerrit.wikimedia.org/r/226077

Signed https://phabricator.wikimedia.org/L3
wikitech profile: https://wikitech.wikimedia.org/wiki/User:Tjones
preferred shell username: tjones (backup: trey)
@fgiunchedi: Can I put my public RSA key here, or do you want a separate task?

here is fine like @Matanya pointed out, however you should generate a new keypair and use that only for production sorry if that wasn't clear!

@fgiunchedi @Matanya: take 2!

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFBwfxSdeDwBy5ypWAfsfnmwqJ3R2ks+T9wbnqq30zPyOvZjzequ6vA5JzboCce6OqZ5+mLg3LPQqczlTXbJakWJTjGz7a1Wjhhb6m1/UWWXWjBbSzRwk6Mit77Vq0zlEm06//rFzsukMIMliwmjZcVrIP8Wyb74pABfpM1NvgDXFYjzbbBxY+LugiIk7sl9quDYWUTR6SETnTGOIET7ONZuZfFAHQltyvhUZkLmV9VbNZXxspoWRLyKJZjMkhHvnIeA55IrDBIdJ0VsruFjEn7wvZodjXAjS4xWvIH68vIiXiL3LTCmZjBk0pNEjfpAjvZ5MX8/bgR4ab2/7H6Voj tjones@wikimedia.org

Sorry for the trouble, and thanks for the help.

Change 226115 had a related patch set uploaded (by Matanya):
access: add Trey Jones to statistics-privatedata-users

https://gerrit.wikimedia.org/r/226115

Change 226077 merged by Filippo Giunchedi:
access: shell account for Trey Jones

https://gerrit.wikimedia.org/r/226077

Change 226115 merged by Filippo Giunchedi:
access: add Trey Jones to statistics-privatedata-users

https://gerrit.wikimedia.org/r/226115

fgiunchedi closed this task as Resolved.Jul 22 2015, 10:02 AM
fgiunchedi claimed this task.

@TJones you should be set, more access documentation at https://wikitech.wikimedia.org/wiki/SSH_access

also thanks @Matanya for the assistance!

Thanks @fgiunchedi & @Matanya, and thanks for the link.

@fgiunchedi — When should I expect this to be live? I'm trying to figure out if my inability to connect is coming from misconfiguration on my end, or because the update isn't live yet. Thanks.

This is live you should be able to access unless my patch is broken somehow.

@Matanya - good to know it's live. At least then I know the problem is on my end. Thanks.

What error are you getting when trying to connect?

@Krenair, assuming stat1002.eqiad.wmnet is the right host, this is what I get:

ssh -v stat1002.eqiad.wmnet
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/tjones/.ssh/config
debug1: /Users/tjones/.ssh/config line 11: Applying options for *.wmnet
debug1: /Users/tjones/.ssh/config line 15: Applying options for *.eqiad.wmnet
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Executing proxy command: exec ssh -a -W stat1002.eqiad.wmnet:22 iron.wikimedia.org
debug1: permanently_drop_suid: 502
debug1: identity file /Users/tjones/.ssh/labs_id_rsa type 1
debug1: identity file /Users/tjones/.ssh/labs_id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
Permission denied (publickey).
ssh_exchange_identification: Connection closed by remote host

Your ssh config shouldn't contain references to iron.wikimedia.org. Only ops can log in there.

@Krenair, thanks for the help.

Everyone says "stat1002" but the only full host name I've found, in the office wiki, refers to stat1002.eqiad.wmnet. Is that the right host name?

If so, I was lead astray by the presence of "*.eqiad.wmnet" on the SSH access page. I've switched to the *.wmnet config for production, using bast1001.wikimedia.org and I get the same result.

Yes, stat1002 is stat1002.eqiad.wmnet, which is what you should have access to.

Please paste the result of ssh -v like you did before, using your new config.

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/tjones/.ssh/config
debug1: /Users/tjones/.ssh/config line 5: Applying options for *.wmnet
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Executing proxy command: exec ssh -a -W stat1002.eqiad.wmnet:22 bast1001.wikimedia.org
debug1: permanently_drop_suid: 502
debug1: identity file /Users/tjones/.ssh/labs_id_rsa type 1
debug1: identity file /Users/tjones/.ssh/labs_id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
Permission denied (publickey).
ssh_exchange_identification: Connection closed by remote host
Host bast1001.wikimedia.org
    ProxyCommand none
    ControlMaster auto

Host *.wikimedia.org *.wmnet
    User tjones
    ProxyCommand ssh -a -W %h:%p bast1001.wikimedia.org
    IdentityFile ~/.ssh/labs_id_rsa

@TJones was not added to the bastiononly group, which he will need in order to get to pretty much any production node. Doing so now...

Change 226743 had a related patch set uploaded (by Ottomata):
Add tjones to bastiononly group so he can ssh into stat1002

https://gerrit.wikimedia.org/r/226743

Yay! I'm not (entirely) crazy! Thanks, @Ottomata!

Change 226743 merged by Ottomata:
Add tjones to bastiononly group so he can ssh into stat1002

https://gerrit.wikimedia.org/r/226743

I'm in! Thanks very much!