Page MenuHomePhabricator
Create Task
Maniphest T160941

Improve SSH access information in onboarding documentation
Closed, ResolvedPublic
Actions

Description

It seems that folks have trouble with gaining SSH access and would appreciate improved documentation. Some notes taken that show examples of this trouble:

Notes from Zareen, found at https://wikitech.wikimedia.org/wiki/Production_shell_access#Other_tips:

(Note from Dan: this seems quite painful, we should see if there are any unnecessary steps).

  1. Follow Request Access steps: https://wikitech.wikimedia.org/wiki/Production_shell_access#Requesting_access
  2. Once the ticket has been resolved, create a config file under ~/.ssh on your laptop (if it doesn’t exist already)
  3. Copy and paste this into config file (edit User and IdentityFile - only provide path to private key, don’t actually paste private key) and save
Host bast1001.wikimedia.org
    # Direct connection for the bastion host
    ProxyCommand none
    ControlMaster auto

Host *.wikimedia.org *.wmnet !gerrit.wikimedia.org !git-ssh.wikimedia.org
    User your_username_here
    # Everything else goes via bastion acting as a proxy
    ProxyCommand ssh -a -W %h:%p bast1001.wikimedia.org
    # Do not offer other identities loaded in ssh-agent
    IdentitiesOnly yes
    IdentityFile ~/.ssh/your_production_ssh_key
  1. https://wikitech.wikimedia.org/wiki/Production_shell_access#SSH_configuration
  2. ssh bast1001.wikimedia.org into terminal
  3. You will be prompted to enter your ssh password (if there is one)
  4. Now you are in the bastion server, but still need to connect to the access groups
  5. Exit bastion
  6. Go back to config file on your laptop and copy and paste (edit User and IdentityFile) and save (this may be different for different access groups, for example stat1002.eqiad.wmnet needs the Host *.eqiad.wmnet configurations but another access group may require different host configurations) :
## Internal Zones
Host *.wmnet
    User your_username_here
    IdentitiesOnly yes
    IdentityFile ~/.ssh/your_production_ssh_key

Related Objects

Event Timeline

Milimetric created this task.Mar 20 2017, 7:10 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 20 2017, 7:10 PM
Tbayer awarded a token.Mar 20 2017, 7:14 PM
Tbayer subscribed.
Aklapper added a project: Documentation.Mar 20 2017, 8:35 PM
madhuvishy awarded a token.Mar 28 2017, 11:32 PM
Nuria added a project: SRE.Mar 30 2017, 3:53 PM
Nuria added subscribers: Zareenf, mpopov, Nuria.

Can we be specific as to what needs improvements to help ops document what is needed? cc @Zareenf, @Tbayer @mpopov who had had trouble with this in the past

Nuria moved this task from Incoming to Radar on the Analytics board.Mar 30 2017, 3:54 PM
Tbayer added a comment.Mar 30 2017, 4:37 PM
In T160941#3143836, @Nuria wrote:

Can we be specific as to what needs improvements to help ops document what is needed? cc @Zareenf, @Tbayer @mpopov who had had trouble with this in the past

Have you already had a look at the notes mentioned in the task description?

Nuria added a comment.Mar 30 2017, 4:47 PM

This task will be seen by the ops on cleaning duty next week. It will help to have a list of issues so they can know what problems the documentation needs to address.

Nuria removed a project: Analytics.Mar 30 2017, 4:49 PM
Milimetric updated the task description. (Show Details)Mar 31 2017, 1:45 PM

@Tbayer, I copied Zareen's notes in the description, please add anything else that you think is painful about SSH access.

MoritzMuehlenhoff claimed this task.Apr 3 2017, 10:20 AM
MoritzMuehlenhoff triaged this task as Medium priority.
MoritzMuehlenhoff subscribed.

I'll take care of that.

Tbayer added subscribers: nshahquinn-wmf, JKatzWMF.May 1 2017, 5:24 AM
In T160941#3146572, @Milimetric wrote:

@Tbayer, I copied Zareen's notes in the description, please add anything else that you think is painful about SSH access.

In T160941#3150151, @MoritzMuehlenhoff wrote:

I'll take care of that.

Thanks Dan and Moritz! Yes, I think vetting and - if appropriate - merging these nine steps is likely to advance progress on this task. Overall, it seems that identifying the precise list of things that need to be fixed is the main task here. And considering that for users, SSH onboarding is a one-off activity which often involves having to become more familiar with SSH generally at the same time, they are not in the best position to do this work. I would suggest doing the following (after processing Zareen's notes):

  1. Have an expert about our current setup do a thorough read through the existing documentation and either confirm that, from their perspective, it should all work as intended, or list parts that need to be updated or fixed.
  2. Test the existing documentation by creating a new (dummy) account from scratch following the prescribed steps exactly.

Once that is done, we could go back and ask users for any remaining pain points.

The version history of the documentation ( https://wikitech.wikimedia.org/w/index.php?title=Production_shell_access&action=history https://wikitech.wikimedia.org/w/index.php?title=SSH_access&action=history ) shows edits by several non-experts who apparently recorded insights from their own trial-and-error there (including e.g. @JKatzWMF and @Neil_P._Quinn_WMF). That clearly isn't the most efficient way to write good documentation, as much as I appreciate that it consists of wiki pages that allow anyone contribute their knowledge (as I frequently do myself).

Tbayer added a subscriber: Cdentinger.May 1 2017, 5:30 AM

PS: Perhaps (I haven't checked in detail) there are also things that could be adapted from the SSH documentation changes @Cdentinger recently made to the Fundraising part of that page ("geared toward less technical users").

JKatzWMF awarded a token.May 2 2017, 12:04 AM
Tbayer added subscribers: diego, RobH.Aug 22 2017, 1:20 AM

CCing @diego and @RobH who (judging from IRC scrollback) grappled quite a bit too with the existing onboarding process the other day. Just in case they have useful input from recent memory on the shortcomings of the current documentation.

srodlund moved this task from Backlog to Update or Improvement Needed to Existing Technical Documentation on the Documentation board.Aug 16 2018, 11:03 PM
jijiki subscribed.Nov 13 2018, 2:44 PM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 9:08 PM
RobH unsubscribed.Mar 3 2020, 6:03 PM
Aklapper removed MoritzMuehlenhoff as the assignee of this task.Jun 19 2020, 4:21 PM

This task has been assigned to the same task owner for more than two years. Resetting task assignee due to inactivity, to decrease task cookie-licking and to get a slightly more realistic overview of plans. Please feel free to assign this task to yourself again if you still realistically work or plan to work on this task - it would be welcome!

For tips how to manage individual work in Phabricator (noisy notifications, lists of task, etc.), see https://phabricator.wikimedia.org/T228575#6237124 for available options.
(For the records, two emails were sent to assignee addresses before resetting assignees. See T228575 for more info and for potential feedback. Thanks!)

Nuria closed this task as Resolved.Jun 19 2020, 4:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits