Update gerrit sshkey in role::ci::slave::labs when upgrade to Jessie happens
Closed, Resolved, Public

Description

I added a patch to allow Jenkins slaves to trust the gerrit host here - https://github.com/wikimedia/operations-puppet/blob/production/modules/role/manifests/ci/slave/labs.pp#L66. The ssh key should be updated if it changes when the Gerrit server is upgraded to Jessie.

Creating this task so we remember to do it.

Event Timeline

Paladox raised the priority of this task from Low to High. Jul 11 2016, 9:04 PM

Changing to high priority due to the fact we are near to updating gerrit sometime this week.

Good catch! I guess @chad has a pending patch that replaces all occurrences of the host key. Maybe the key will be migrated to the new server and would thus remain valid.

Change 298377 had a related patch set uploaded (by Paladox):
contint/gerrit: allow ssh for git on new gerrit server

https://gerrit.wikimedia.org/r/298377

Good catch! I guess @chad has a pending patch that replaces all occurrences of the host key. Maybe the key will be migrated to the new server and would thus remain valid.

It's not the host key, it's the public SSH key for the gerrit2 user. Jenkins/Zuul doesn't use that user, right? That key shouldn't have to change.

(Bonus points if we could pull that IP address from hiera so we don't have to tweak it)

Change 298377 merged by Dzahn:
contint/gerrit: allow ssh for git on new gerrit server

https://gerrit.wikimedia.org/r/298377

I'm thinking we should copy the host key to the new machine as well so people don't get unexpected key mismatches. Then zuul won't need a tweak either.

demon claimed this task.

That public key won't be changing, neither will the ssh host key. I'm tentatively closing this.