Page MenuHomePhabricator
Create Task
Maniphest T157912

Freshly provisionned zuul fails connecting to Gerrit due to ssh key host
Closed, DeclinedPublic
Actions

Description

Spotted when installing zuul-merger on contint2001. A git clone from gerrit.wikimedia.org failed waiting for the ssh host key to be accepted.

From the puppet module wikidatabuilder, we should use something like:

[gerrit.wikimedia.org]:29418,[208.80.154.81]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCF8pwFLehzCXhbF1jfHWtd9d1LFq2NirpEBQYs7AOrGwQ/6ZZI0gvZFYiEiaw1o+F1CMfoHdny1VfWOJF3mJ1y9QMKAacc8/Z3tG39jBKRQCuxmYLO1SWymv7/Uvx9WQlkNRoTdTTa9OJFy6UqvLQEXKYaokfMIUHZ+oVFf1CgQ==

Details

SubjectRepoBranchLines +/-
wikidatabuilder: ship Gerrit ssh host key via a roleoperations/puppetproduction+8 -2
Role to provide Gerrit ssh host key on port 29418operations/puppetproduction+33 -19
Customize query in gerrit

Event Timeline

hashar created this task.Feb 12 2017, 6:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 12 2017, 6:00 PM
hashar added a project: Continuous-Integration-Infrastructure.Feb 12 2017, 6:00 PM
Paladox subscribed.Feb 12 2017, 6:04 PM
gerritbot subscribed.Feb 12 2017, 8:09 PM

Change 337283 had a related patch set uploaded (by Hashar):
Role to provide Gerrit ssh host key on port 29418

https://gerrit.wikimedia.org/r/337283

gerritbot added a project: Patch-For-Review.Feb 12 2017, 8:09 PM
hashar added a project: Zuul.Mar 31 2017, 9:25 AM
hashar added a project: Release-Engineering-Team.Jun 16 2017, 10:54 AM

There is a couple patches for this though I haven't pushed to get them reviewed/deployed :-(

hashar triaged this task as Low priority.Jun 16 2017, 10:54 AM
hashar added a project: Gerrit.
gerritbot added a comment.Jun 16 2017, 10:55 AM

Change 337284 had a related patch set uploaded (by Hashar; owner: Hashar):
[operations/puppet@production] wikidatabuilder: ship Gerrit ssh host key via a role

https://gerrit.wikimedia.org/r/337284

Paladox added a comment.Jul 4 2017, 2:40 PM

gerrit will change it's host key when we upgrade to gerrit 2.14.2. it will use the newer ssh key formats but supports older keys for backwards compat. But will try to use the newer one over the older one where possible.

greg moved this task from INBOX to Next on the Release-Engineering-Team board.Jul 6 2017, 7:00 PM
greg edited projects, added Release-Engineering-Team (Next); removed Release-Engineering-Team.
demon subscribed.Jul 6 2017, 7:04 PM

I wonder if we could add gerrit's SSH key to the auto-generated /etc/ssh/ssh_known_hosts like we do for all machines non-service IPs (cobalt is in there, for example). Then nobody would ever need to worry about updating it in a dozen places.

gerritbot added a comment.Sep 13 2017, 7:14 PM

Change 337283 abandoned by Hashar:
Role to provide Gerrit ssh host key on port 29418

https://gerrit.wikimedia.org/r/337283

gerritbot added a comment.Sep 13 2017, 7:14 PM

Change 337284 abandoned by Hashar:
wikidatabuilder: ship Gerrit ssh host key via a role

https://gerrit.wikimedia.org/r/337284

hashar closed this task as Declined.Sep 14 2017, 10:48 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL