Page MenuHomePhabricator

Update gerrit sshkey in role::ci::slave::labs when upgrade to Jessie happens
Closed, ResolvedPublic

Description

I added a patch to allow Jenkins slaves to trust the gerrit host here - https://github.com/wikimedia/operations-puppet/blob/production/modules/role/manifests/ci/slave/labs.pp#L66. The ssh key should be updated if it changes when the Gerrit server is upgraded to Jessie.

Creating this task so we remember to do it.

Related Objects

StatusAssignedTask
ResolvedNemo_bis
Resolveddemon
Resolveddemon
Resolveddemon
Resolveddemon
ResolvedNone
Resolveddemon
Resolveddemon
Resolveddemon
ResolvedAklapper
Resolveddemon
Resolveddemon
Resolveddemon
Resolveddemon
Resolveddemon
Resolveddemon
Resolveddemon
ResolvedDzahn
ResolvedRobH
ResolvedCmjohnson
Resolveddemon
ResolvedCmjohnson

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 6 2016, 12:01 AM
fgiunchedi triaged this task as Low priority.Apr 27 2016, 1:59 PM
Paladox raised the priority of this task from Low to High.Jul 11 2016, 9:04 PM

Changing to high priority due to the fact we are near to updating gerrit sometime this week.

Paladox added a subscriber: demon.Jul 11 2016, 9:04 PM

Good catch! I guess @chad has a pending patch that replaces all occurences of the host key. Maybe the key will be migrated to the new server and would thus remain valid.

Change 298377 had a related patch set uploaded (by Paladox):
contint/gerrit: allow ssh for git on new gerrit server

https://gerrit.wikimedia.org/r/298377

demon added a comment.Jul 11 2016, 9:49 PM

Good catch! I guess @chad has a pending patch that replaces all occurences of the host key. Maybe the key will be migrated to the new server and would thus remain valid.

It's not the host key, it's the public SSH key for the gerrit2 user. Jenkins/Zuul doesn't use that user, right? That key shouldn't have to change.

(Bonus points if we could pull that IP address from hiera so we don't have to tweak it)

Change 298377 merged by Dzahn:
contint/gerrit: allow ssh for git on new gerrit server

https://gerrit.wikimedia.org/r/298377

demon added a comment.EditedJul 19 2016, 4:15 PM

I'm thinking we should copy the host key to the new machine as well so people don't get unexpected key mismatches. Then zuul won't need a tweak either.

demon closed this task as Resolved.Jul 21 2016, 3:14 PM
demon claimed this task.

That public key won't be changing, neither will the ssh host key. I'm tentatively closing this.