[CentOS-devel] Infra Pre-Announce : moving CI ssh jump host soon, please read !

Thu Aug 13 14:46:58 UTC 2020
Fabian Arrotin <arrfab at centos.org>

Hi,

As you noticed recently, we started to refresh the infra used for CentOS
CI (not the hardware, still the same, but the software stack and the way
to control/manage it).

One of the identified nodes still being used and that needs to be
converted to the new infra layout is the ssh jumphost (see
https://wiki.centos.org/QaWiki/CI/GettingStarted#How_to_use_it)

Normally, some of you have switched to OpenShift workload (including to
the new OpenShift 4/OCP setup that went live recently) but some Projects
are still on the old setup with sometimes a need to reach
dedicated/shared VMs acting as Jenkins agent[s], connected to Jenkins
behind https://ci.centos.org.

We have already provisioned a new VM in the new setup (that can reach
the whole CI subnet and VLAN) but here are some points to consider,
which is why we wanted to pre-announce it a long time in advance before
we do the real switch:

 * New ssh jump host is CentOS 8 based, versus CentOS 6, meaning that if
you used an ssh-dss key (instead of ssh-rsa), you'll *not* be able to
connect through that new host. We already identified such keys and Vipul
will try (when it's tied to a real email address for the project) to
reach out. But better to announce it here too, so that you have time to
ask us to reflect a change (through ticket on
https://pagure.io/centos-infra/issues)

 * The old VM allowed shell access, but it will be disallowed on the new one
(there is no need for shell on that intermediate node anyway). Reminder
that you can configure your ssh config to directly use ProxyCommand or
even now ProxyJump (on recent openssh-client). See
https://wiki.centos.org/TipsAndTricks/SshTips/JumpHost

 * Because the host has a new sshd_host_key, it will come with a new
fingerprint too, so if you have automation and don't trust our
CA already, the fingerprints for the new host will be:

[fingerprint]
rsa=3072 SHA256:n7y0qZS/FvhjaskOBds3TTKQh5EtgNQ25E7cmTNBATg  (RSA)
rsa_md5=3072 MD5:9e:83:46:d0:c5:8a:a0:94:50:10:58:9d:af:ca:50:19  (RSA)
ecdsa=256 SHA256:ZQacwDsWkKBYL9HJJYwHr94Ny1sMhHMDnz9GiLFb8Uc  (ECDSA)
ecdsa_md5=256 MD5:dd:24:ea:6a:fd:8b:29:3d:1d:d0:a9:32:8c:b2:ea:62  (ECDSA)

As we know that it's August and that some of you are probably on PTO
(coming back or leaving soon), after discussion with Vipul, David and
myself, we considered that we'll probably go live around the beginning of
September.

Should you have any questions around that migration, feel free to reply
to this thread (ideally on the dedicated ci-users mailing list), or on
irc.freenode.net (#centos-ci).

On behalf of the CentOS CI infra team,
-- 
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
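For anyone scripting the known_hosts update mentioned above rather than trusting the CA, here is an added example (not part of the announcement or of the CentOS infra tooling) that parses the fingerprint block exactly as published, recomputes the SHA256 and MD5 fingerprints of a host key line in ssh-keyscan / known_hosts format, and only reports a match when the pinned values agree. The host name and key blob in SAMPLE_SCAN are constructed placeholders, not the real jump host's key.

```python
import base64
import hashlib
import re
# The fingerprint block from the announcement above, verbatim.
ANNOUNCED = """
rsa=3072 SHA256:n7y0qZS/FvhjaskOBds3TTKQh5EtgNQ25E7cmTNBATg  (RSA)
rsa_md5=3072 MD5:9e:83:46:d0:c5:8a:a0:94:50:10:58:9d:af:ca:50:19  (RSA)
ecdsa=256 SHA256:ZQacwDsWkKBYL9HJJYwHr94Ny1sMhHMDnz9GiLFb8Uc  (ECDSA)
ecdsa_md5=256 MD5:dd:24:ea:6a:fd:8b:29:3d:1d:d0:a9:32:8c:b2:ea:62  (ECDSA)
"""
LINE_RE = re.compile(r"^\w+=(\d+)\s+(SHA256|MD5):(\S+)\s+\((\w+)\)$")
# ssh-keyscan key types -> algorithm label used in the announcement.
KEY_ALG = {"ssh-rsa": "RSA", "ecdsa-sha2-nistp256": "ECDSA", "ssh-ed25519": "ED25519"}

def parse_announced(text):
    """Return {(ALG, HASH): value} from lines like 'rsa=3072 SHA256:... (RSA)'."""
    expected = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised fingerprint line: %r" % line)
        _bits, hash_name, value, alg = m.groups()
        expected[(alg, hash_name)] = value
    return expected

def sha256_fingerprint(blob):
    """OpenSSH style: base64(SHA-256(key blob)) with '=' padding stripped."""
    return base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()

def md5_fingerprint(blob):
    """Legacy OpenSSH style: colon-separated hex of MD5(key blob)."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())

def verify_keyscan_line(line, expected):
    """Check one 'host keytype base64' line against the announced values; returns (ok, alg, sha256_fp)."""
    _host, key_type, b64 = line.split()[:3]
    alg = KEY_ALG.get(key_type)
    if alg is None or (alg, "SHA256") not in expected:
        return False, alg, None          # nothing pinned for this key type: do not trust it
    blob = base64.b64decode(b64)
    fp = sha256_fingerprint(blob)
    ok = fp == expected[(alg, "SHA256")]
    if (alg, "MD5") in expected:         # cross-check for tooling that still prints MD5
        ok = ok and md5_fingerprint(blob) == expected[(alg, "MD5")]
    return ok, alg, fp

# Constructed, non-functional RSA-looking blob, only to exercise the code path.
SAMPLE_BLOB = b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01\x00\x00\x00\x02\x00\x05"
SAMPLE_SCAN = "jump.example.invalid ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()
```

Feed it the output of `ssh-keyscan` for the new host and append the line to known_hosts only when `verify_keyscan_line` returns True; a False result with a known algorithm means the key you fetched is not the one announced here.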
