Page MenuHomePhabricator
Create Task
Maniphest T128364

Provision CI:admins ssh public key in Nodepool instances
Closed, DeclinedPublic
Actions

Description

@mobrovac was wondering how one can SSH into a Nodepool instance for debugging purposes. Since they are not hooked with LDAP, the only way right now is to:

  • head to labnodepool1001.eqiad.wmnet
  • become-nodepool
  • ssh jenkins@<instance ip>

In T128175#2066977, @JanZerebecki proposed to copy the keys from ldap into place at instance creation or image build time.

Note: In principle these nodes can be unprivileged. In practice when they run gate-and-submit (pre merge) or any post merge action they might have equivalent access to directly push to the repo, make and publish releases and other trusted build artifacts. So it would be nice to be able to differentiate these actions or their simulation when considering which keys get access.

Related Objects

Event Timeline

hashar created this task.Feb 29 2016, 11:20 AM
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptFeb 29 2016, 11:20 AM
hashar mentioned this in T128175: Access Request for mobrovac as ci-admin to mess with CI infrastructure.Feb 29 2016, 11:20 AM
JanZerebecki updated the task description. (Show Details)Mar 1 2016, 3:57 PM
hashar added a comment.Mar 2 2016, 8:35 PM

When I originally provisioned the images, I tried to reuse the puppet related class to install the LDAP backed authentication layer. But at some point, that causes the whole authentication to refuse any auth since it tries to access the labs LDAP (which is not reachable when building the image outside of labs obviously).

I think the LDAP access also need a password, and I am not that confortable in having it in the CI instances. But maybe anonymous auth is possible.

Currently, the image uses cloud-init to inject a ssh key pair for the debian user which has sudo privileges. That let Nodepool interact with the image to complete it and snapshot it as a base image to boot instances from.

Later, when an instance boots, Nodepool uses the jenkins user which is provisioned when the image is created with an authorized_key entry matching the ssh private for nodepool@labnodepool1001.eqiad.wmnet.

Note: In principle these nodes can be unprivileged. In practice when they run gate-and-submit (pre merge) or any post merge action they might have equivalent access to directly push to the repo, make and publish releases and other trusted build artifacts. So it would be nice to be able to differentiate these actions or their simulation when considering which keys get access.

The credentials are hold in the Jenkins credential store and are injected for jobs that requires it. Sometime we even get a ssh-agent automatically started and holding the credentials.

hashar triaged this task as Medium priority.Mar 10 2016, 2:12 PM
hashar removed a project: Continuous-Integration-Infrastructure.
hashar merged a task: T129880: Give @mobrovac access to CI instances.Nov 4 2016, 8:59 AM
hashar mentioned this in T129880: Give @mobrovac access to CI instances.
hashar added subscribers: greg, Krenair, Ricordisamoa and 2 others.
Krenair added a comment.Nov 4 2016, 9:36 AM

I think the LDAP access also need a password, and I am not that confortable in having it in the CI instances. But maybe anonymous auth is possible.

The LDAP bindpw for the proxyagent user? It's public and shared with all labs instances, so...

hashar added a comment.Dec 6 2016, 11:14 AM

The LDAP bindpw for the proxyagent user? It's public and shared with all labs instances, so...

My understanding was that it is more or less private to labs, if we were to inject the LDAP password in the Nodepool image, we would need to make it publicly available.

hashar added a comment.Dec 6 2016, 11:15 AM

There is a very annoying way to get root access on an instance. That requires generating a ssh key pair and spawn an instance with that key pair attached to it. cloud-init then inject the credential on boot which grant root access.

I have added the documentation at https://wikitech.wikimedia.org/wiki/Nodepool#Connect_to_an_instance . That still does not solve this task though.

Krenair added a comment.Dec 6 2016, 8:35 PM
In T128364#2850113, @hashar wrote:

The LDAP bindpw for the proxyagent user? It's public and shared with all labs instances, so...

My understanding was that it is more or less private to labs, if we were to inject the LDAP password in the Nodepool image, we would need to make it publicly available.

Shared with all labs instances = public
https://github.com/wikimedia/labs-private/blob/HEAD/hieradata/eqiad.yaml#L12

Paladox subscribed.Dec 6 2016, 8:36 PM
greg added a project: Release-Engineering-Team (Backlog).May 20 2017, 3:52 PM
hashar closed this task as Declined.Feb 8 2018, 7:59 AM

We could have configured the labs LDAP in Nodepool instances. However Nodepool is now legacy and we are moving to Docker containers which make it trivial to reproduce a build on a local machine.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL