cloudvps: striker project trusty deprecation
Closed, Resolved (Public)

Description

Ubuntu Trusty has not been available in Cloud VPS for new instances since Nov 2017. However, the EOL of Trusty is approaching in 2019 and we need to move to Debian Stretch before that date.

All instances in the striker project need to upgrade as soon as possible.

The list of affected VMs is:

  • striker-deploy03.striker.eqiad.wmflabs

Listed administrators are:

More info in openstack browser: https://tools.wmflabs.org/openstack-browser/project/striker

Details

Related Gerrit Patches:
[operations/puppet@production] ssh-key-ldap-lookup: handle missing users

Event Timeline

Krenair triaged this task as Medium priority. Sep 17 2018, 4:55 PM
Krenair created this task.

I notice that there is a striker-deploy04

I started working on this at some point. striker-deploy04 is a Stretch deploy server. It is fully provisioned, but something is preventing striker-uwsgi03.striker.eqiad.wmflabs from accepting the ssh key it offers:

$ scap deploy --verbose
22:17:55 <Command u'/usr/bin/git show -s --format=%ct 2275b8d8a6654fc674a39098a25e72f955c137b2'>: starting process
22:17:55 <Command u'/usr/bin/git show -s --format=%ct 2275b8d8a6654fc674a39098a25e72f955c137b2', pid 15003>: process started
22:17:55 <Command u'/usr/bin/git show -s --format=%ct 2275b8d8a6654fc674a39098a25e72f955c137b2', pid 15003>: process completed
22:17:55 <Command u'/usr/bin/git show -s --format=%ct 2275b8d8a6654fc674a39098a25e72f955c137b2', pid 15003>: process completed
22:17:55 <Command u'/usr/bin/git show -s --format=%ct 2275b8d8a6654fc674a39098a25e72f955c137b2', pid 15003>: process completed
22:17:55 <Command u'/usr/bin/git ls-remote --get-url'>: starting process
22:17:55 <Command u'/usr/bin/git ls-remote --get-url', pid 15007>: process started
22:17:55 <Command u'/usr/bin/git ls-remote --get-url', pid 15007>: process completed
22:17:55 <Command u'/usr/bin/git ls-remote --get-url', pid 15007>: process completed
22:17:55 <Command u'/usr/bin/git ls-remote --get-url', pid 15007>: process completed
22:17:55 Started deploy [striker/deploy@2275b8d]
22:17:55 <Command u'/usr/bin/git tag --list scap/sync/2018-09-17/*'>: starting process
22:17:55 <Command u'/usr/bin/git tag --list scap/sync/2018-09-17/*', pid 15011>: process started
22:17:55 <Command u'/usr/bin/git tag --list scap/sync/2018-09-17/*', pid 15011>: process completed
22:17:55 <Command u'/usr/bin/git tag --list scap/sync/2018-09-17/*', pid 15011>: process completed
22:17:55 <Command u'/usr/bin/git rev-parse --verify HEAD'>: starting process
22:17:55 <Command u'/usr/bin/git rev-parse --verify HEAD', pid 15015>: process started
22:17:55 <Command u'/usr/bin/git rev-parse --verify HEAD', pid 15015>: process completed
22:17:55 <Command u'/usr/bin/git rev-parse --verify HEAD', pid 15015>: process completed
22:17:55 <Command u'/usr/bin/git rev-parse --verify HEAD', pid 15015>: process completed
22:17:55 Deploying Rev: HEAD = 177d9c2321377298a60962443058b554eeec2573
22:17:55 Update DEPLOY_HEAD
22:17:55 Creating /srv/deployment/striker/deploy/.git/DEPLOY_HEAD
22:17:55 <Command u'/usr/bin/git for-each-ref --sort=taggerdate --format=%(refname) refs/tags'>: starting process
22:17:55 <Command u'/usr/bin/git for-each-ref --sort=taggerdate --format=%(refname) refs/tags', pid 15021>: process started
22:17:55 <Command u'/usr/bin/git for-each-ref --sort=taggerdate --format=%(refname) refs/tags', pid 15021>: process completed
22:17:55 <Command u'/usr/bin/git for-each-ref --sort=taggerdate --format=%(refname) refs/tags', pid 15021>: process completed
22:17:55 <Command u'/usr/bin/git for-each-ref --sort=taggerdate --format=%(refname) refs/tags', pid 15021>: process completed
22:17:55 Update server info
22:17:55 <Command u'/usr/bin/git update-server-info'>: starting process
22:17:55 <Command u'/usr/bin/git update-server-info', pid 15025>: process started
22:17:55 <Command u'/usr/bin/git update-server-info', pid 15025>: process completed
22:17:55 <Command u'/usr/bin/git submodule foreach --recursive git update-server-info'>: starting process
22:17:55 <Command u'/usr/bin/git submodule foreach --recursive git update-server-info', pid 15029>: process started
22:17:55 <Command u'/usr/bin/git submodule foreach --recursive git update-server-info', pid 15029>: process completed
22:17:55 Started deploy [striker/deploy@2275b8d]: (no justification provided)
22:17:55
== DEFAULT ==
:* striker-uwsgi03.striker.eqiad.wmflabs
22:17:55 Running remote deploy cmd ['/usr/bin/scap', 'deploy-local', '-v', '--repo', 'striker/deploy', '-g', 'default', 'fetch', '--refresh-config']
22:17:55 Using key: /etc/keyholder.d/deploy_service.pub
22:17:55 ['/usr/bin/scap', 'deploy-local', '-v', '--repo', 'striker/deploy', '-g', 'default', 'fetch', '--refresh-config'] on striker-uwsgi03.striker.eqiad.wmflabs returned [255]: OpenSSH_7.4p1 Debian-10+deb9u4, OpenSSL 1.0.2l  25 May 2017
debug1: Reading configuration data /dev/null
debug1: Connecting to striker-uwsgi03.striker.eqiad.wmflabs [10.68.16.203] port 22.
debug1: Connection established.
debug1: identity file /etc/keyholder.d/deploy_service.pub type 1
debug1: key_load_public: No such file or directory
debug1: identity file /etc/keyholder.d/deploy_service.pub-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u4
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to striker-uwsgi03.striker.eqiad.wmflabs:22 as 'deploy-service'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:HlIsZ5PvvlQ6vQjcOxQLCGQ3KNukao9QeYi0georBwc
debug1: Host 'striker-uwsgi03.striker.eqiad.wmflabs' is known and matches the ECDSA host key.
debug1: Found key in /home/bd808/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /etc/keyholder.d/deploy_service.pub
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: No more authentication methods to try.
Permission denied (publickey).

22:17:55 connection to striker-uwsgi03.striker.eqiad.wmflabs failed and future stages will not be attempted for this target
striker/deploy: fetch stage(s): 100% (ok: 0; fail: 1; left: 0)
22:17:55 1 targets had deploy errors
22:17:55 1 targets failed
22:17:55 1 of 1 default targets failed, exceeding limit
Rollback all deployed groups? [Y/n]: n
22:17:59 Finished deploy [striker/deploy@2275b8d]: (no justification provided) (duration: 00m 04s)
22:17:59 Finished deploy [striker/deploy@2275b8d] (duration: 00m 04s)

It also fails with direct ssh + agent access:

$ SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh -vvv deploy-service@striker-uwsgi03.striker.eqiad.wmflabs
OpenSSH_7.4p1 Debian-10+deb9u4, OpenSSL 1.0.2l  25 May 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "striker-uwsgi03.striker.eqiad.wmflabs" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to striker-uwsgi03.striker.eqiad.wmflabs [10.68.16.203] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/bd808/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bd808/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bd808/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bd808/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bd808/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bd808/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bd808/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bd808/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u4
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to striker-uwsgi03.striker.eqiad.wmflabs:22 as 'deploy-service'
debug3: hostkeys_foreach: reading file "/home/bd808/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/bd808/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from striker-uwsgi03.striker.eqiad.wmflabs
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:HlIsZ5PvvlQ6vQjcOxQLCGQ3KNukao9QeYi0georBwc
debug3: hostkeys_foreach: reading file "/home/bd808/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/bd808/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from striker-uwsgi03.striker.eqiad.wmflabs
debug3: hostkeys_foreach: reading file "/home/bd808/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/bd808/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys from 10.68.16.203
debug1: Host 'striker-uwsgi03.striker.eqiad.wmflabs' is known and matches the ECDSA host key.
debug1: Found key in /home/bd808/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /etc/keyholder.d/deploy_service (0x55db3775d160), agent
debug2: key: /home/bd808/.ssh/id_rsa ((nil))
debug2: key: /home/bd808/.ssh/id_dsa ((nil))
debug2: key: /home/bd808/.ssh/id_ecdsa ((nil))
debug2: key: /home/bd808/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /etc/keyholder.d/deploy_service
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug2: input_userauth_pk_ok: fp SHA256:BkaF2U4ziL7sesuRSV9UaEoQzK3GvoWZWgGCrKxUYBo
debug3: sign_and_send_pubkey: RSA SHA256:BkaF2U4ziL7sesuRSV9UaEoQzK3GvoWZWgGCrKxUYBo
debug3: send packet: type 50
Authentication failed.

The auth.log on the target host is showing ssh-key-ldap-lookup as the reason for the denial:

Sep 17 22:24:03 striker-uwsgi03 sshd[28044]: error: AuthorizedKeysCommand /usr/sbin/ssh-key-ldap-lookup deploy-service failed, status 1
Sep 17 22:24:03 striker-uwsgi03 sshd[28044]: Postponed publickey for deploy-service from 10.68.20.78 port 52374 ssh2 [preauth]
Sep 17 22:24:04 striker-uwsgi03 sshd[28044]: error: AuthorizedKeysCommand /usr/sbin/ssh-key-ldap-lookup deploy-service failed, status 1
Sep 17 22:24:04 striker-uwsgi03 sshd[28044]: pam_access(sshd:account): access denied for user `deploy-service' from `10.68.20.78'
Sep 17 22:24:04 striker-uwsgi03 sshd[28044]: Failed publickey for deploy-service from 10.68.20.78 port 52374 ssh2: RSA SHA256:BkaF2U4ziL7sesuRSV9UaEoQzK3GvoWZWgGCrKxUYBo
Sep 17 22:24:04 striker-uwsgi03 sshd[28044]: fatal: Access denied for user deploy-service by PAM account configuration [preauth]

The root cause here may actually be something that changed in ssh-key-ldap-lookup or some missing project configuration.
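
An added example (not part of the original comment or of any Wikimedia tooling): a small parser run over the six auth.log lines quoted above that groups sshd messages by PID and counts each distinct failure signal, so the AuthorizedKeysCommand errors and the PAM account denial are reported as separate findings. The signal names are hypothetical labels chosen for this example.

```python
import re
from collections import OrderedDict

# The six sshd lines from the auth.log excerpt above, copied verbatim.
AUTH_LOG = """\
Sep 17 22:24:03 striker-uwsgi03 sshd[28044]: error: AuthorizedKeysCommand /usr/sbin/ssh-key-ldap-lookup deploy-service failed, status 1
Sep 17 22:24:03 striker-uwsgi03 sshd[28044]: Postponed publickey for deploy-service from 10.68.20.78 port 52374 ssh2 [preauth]
Sep 17 22:24:04 striker-uwsgi03 sshd[28044]: error: AuthorizedKeysCommand /usr/sbin/ssh-key-ldap-lookup deploy-service failed, status 1
Sep 17 22:24:04 striker-uwsgi03 sshd[28044]: pam_access(sshd:account): access denied for user `deploy-service' from `10.68.20.78'
Sep 17 22:24:04 striker-uwsgi03 sshd[28044]: Failed publickey for deploy-service from 10.68.20.78 port 52374 ssh2: RSA SHA256:BkaF2U4ziL7sesuRSV9UaEoQzK3GvoWZWgGCrKxUYBo
Sep 17 22:24:04 striker-uwsgi03 sshd[28044]: fatal: Access denied for user deploy-service by PAM account configuration [preauth]
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Hypothetical signal labels mapped to the message shapes seen in the excerpt.
SIGNALS = [
    ("keys_command_failed", re.compile(
        r"^error: AuthorizedKeysCommand (?P<cmd>\S+) (?P<user>\S+) failed, status (?P<status>\d+)")),
    ("pubkey_postponed", re.compile(r"^Postponed publickey for (?P<user>\S+) from (?P<src>\S+) ")),
    ("pam_access_denied", re.compile(
        r"^pam_access\(sshd:account\): access denied for user `(?P<user>[^']+)' from `(?P<src>[^']+)'")),
    ("pubkey_failed", re.compile(r"^Failed publickey for (?P<user>\S+) from (?P<src>\S+) ")),
    ("pam_account_fatal", re.compile(
        r"^fatal: Access denied for user (?P<user>\S+) by PAM account configuration")),
]


def classify(msg):
    """Return (signal_name, captured_fields) or (None, {}) for unrelated lines."""
    for name, rx in SIGNALS:
        m = rx.search(msg)
        if m:
            return name, m.groupdict()
    return None, {}


def triage(text):
    """Group recognised sshd messages by PID, counting each signal in order seen."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        name, fields = classify(m.group("msg"))
        if name is None:
            continue
        s = sessions.setdefault(m.group("pid"), {
            "signals": OrderedDict(), "users": set(), "sources": set(), "ended_by": None})
        s["signals"][name] = s["signals"].get(name, 0) + 1
        s["users"].add(fields["user"])
        if "src" in fields:
            s["sources"].add(fields["src"])
        if name.endswith("_fatal"):  # sshd's fatal: line is the last one for that PID
            s["ended_by"] = name
    return sessions


if __name__ == "__main__":
    for pid, s in triage(AUTH_LOG).items():
        print(pid, dict(s["signals"]), sorted(s["sources"]), "ended by", s["ended_by"])
```
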

krenair@striker-uwsgi03:~$ sudo /usr/sbin/ssh-key-ldap-lookup deploy-service
Traceback (most recent call last):
  File "/usr/sbin/ssh-key-ldap-lookup", line 124, in <module>
    main()
  File "/usr/sbin/ssh-key-ldap-lookup", line 117, in main
    keys = get_user_keys(conn, username)
  File "/usr/sbin/ssh-key-ldap-lookup", line 47, in get_user_keys
    ldap.SCOPE_BASE
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 597, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 591, in search_ext_s
    return self.result(msgid,all=1,timeout=timeout)[1]
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 503, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 507, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.NO_SUCH_OBJECT: {'matched': 'ou=people,dc=wikimedia,dc=org', 'desc': 'No such object'}
krenair@striker-uwsgi03:~$ ldapsearch -x uid=deploy-service
# extended LDIF
#
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: uid=deploy-service
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
krenair@striker-uwsgi03:~$ getent passwd deploy-service
deploy-service:x:498:498::/var/lib/deploy-service:/bin/bash

deploy-service isn't in LDAP but is a local user. Shouldn't ssh-key-ldap-lookup just return 0 and output nothing in this case?
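
An added sketch of the behaviour asked about above: an AuthorizedKeysCommand-style lookup that prints nothing and exits 0 when the account has no directory entry. It is not the code from Gerrit change 481343, which this page does not show. Assumptions: the `uid=<user>` RDN, the `sshPublicKey` attribute, the injected `search` callable, and the `NoSuchObject` class standing in for python-ldap's `ldap.NO_SUCH_OBJECT` so the block runs offline.

```python
import re
import sys

BASE_DN = "ou=people,dc=wikimedia,dc=org"  # the 'matched' DN in the traceback above
KEY_ATTR = "sshPublicKey"                  # assumption: attribute holding the keys
# sshd passes a client-supplied name; accept only conservative account names
# before building a DN from it.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")


class NoSuchObject(Exception):
    """Offline stand-in for python-ldap's ldap.NO_SUCH_OBJECT exception."""


def get_user_keys(search, username, missing=(NoSuchObject,)):
    """Return the public keys stored for username, or [] if there is no entry.

    `search(dn, attrlist)` is a hypothetical callable returning
    [(dn, {attr: [values]})], like a base-scope LDAP search. Only the
    "no such entry" error is swallowed; anything else (timeout, bind failure)
    propagates so a directory outage is not mistaken for "no keys".
    """
    if not USERNAME_RE.fullmatch(username):
        return []
    dn = "uid=%s,%s" % (username, BASE_DN)  # assumed DN layout
    try:
        entries = search(dn, [KEY_ATTR])
    except missing:
        return []  # local-only account such as deploy-service
    keys = []
    for _dn, attrs in entries:
        for raw in attrs.get(KEY_ATTR, []):
            keys.append(raw.decode("utf-8") if isinstance(raw, bytes) else raw)
    return keys


def authorized_keys_output(search, username):
    """Text to print on stdout: one key per line, empty for unknown users."""
    return "".join(key + "\n" for key in get_user_keys(search, username))


# Constructed directory with one LDAP-backed user; deploy-service is absent.
FAKE_DIRECTORY = {
    "uid=alice," + BASE_DN: {KEY_ATTR: [b"ssh-ed25519 AAAAC3constructedkey alice@example"]},
}


def fake_search(dn, attrlist):
    """Constructed search backend: raises NoSuchObject for unknown DNs."""
    if dn not in FAKE_DIRECTORY:
        raise NoSuchObject(dn)
    return [(dn, FAKE_DIRECTORY[dn])]


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "deploy-service"
    sys.stdout.write(authorized_keys_output(fake_search, user))
    sys.exit(0)
```
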

Krenair assigned this task to bd808. Oct 22 2018, 1:27 PM

@bd808: Btw, I also noticed your security access.conf.d file only has the old deployment server IP, not the new one?

krenair@striker-uwsgi03:~$ cat /etc/security/access.conf.d/60-scap-allow-deploy-service 
+ : deploy-service : 172.16.2.212
krenair@striker-uwsgi03:~$ host 172.16.2.212
212.2.16.172.in-addr.arpa domain name pointer striker-deploy03.striker.eqiad.wmflabs.

Another ping. Deadline is approaching (2018-12-18). @bd808 please ping if you need us to take a look here.

Ping. Today is Friday and the deadline is Tuesday.

@bd808 Today is the deadline.

I am planning on fixing this project over my end of year holiday break (2018-12-22 to 2019-01-02). Worst case scenario I will delete all existing instances and rebuild the entire project from scratch.

Hi! Since the deadline already passed, we agreed on shutting down remaining Trusty instances on 2019-01-18. More info at https://wikitech.wikimedia.org/wiki/News/Trusty_deprecation#Cloud_VPS_projects

Change 481343 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[operations/puppet@production] ssh-key-ldap-lookup: handle missing users

https://gerrit.wikimedia.org/r/481343

Mentioned in SAL (#wikimedia-cloud) [2018-12-27T04:26:18Z] <bd808> Shutdown striker-deploy03 instance for T204563

Mentioned in SAL (#wikimedia-cloud) [2018-12-27T22:50:53Z] <bd808> Deleted striker-deploy03 for T204563

bd808 closed this task as Resolved. Dec 27 2018, 10:51 PM

Change 481343 merged by Andrew Bogott:
[operations/puppet@production] ssh-key-ldap-lookup: handle missing users

https://gerrit.wikimedia.org/r/481343