On 13/08/2020 16:46, Fabian Arrotin wrote:
> Hi,
>
> As you noticed recently, we started to refresh the infra used for CentOS
> CI (not the hardware, still the same, but the software stack and the way
> to control/manage it).
>
> One of the identified nodes still being used and that needs to be
> converted to the new infra layout is the ssh jumphost (see
> https://wiki.centos.org/QaWiki/CI/GettingStarted#How_to_use_it)
>
> Normally, some of you have switched to OpenShift workload, (including to
> the new OpenShift 4/OCP setup that went live recently) but some Projects
> are still on the old setup with sometimes a need to reach
> dedicated/shared VMs acting as Jenkins agent[s], connected to Jenkins
> behind https://ci.centos.org.
>
> We have already provisioned a new VM in the new setup (that can reach
> the whole CI subnet and VLAN) but here are some points to consider
> (reason why we wanted to pre-announce long time in advance before we do
> the real switch) :
>
> * New ssh jump host is CentOS 8 based, versus CentOS 6, meaning that if
> you used ssh-dss key (instead of ssh-rsa), you'll *not* be able to
> connect through that new host. We already identified such keys and Vipul
> will try (when it's tied to a real email address for the project) to
> reach out. But better to announce it here too, so that you have time to
> ask us to reflect a change (through ticket on
> https://pagure.io/centos-infra/issues)
>
> * Old VM allowed shell access, but it will be disallowed on the new one
> (there is no need for shell on that intermediate node anyway). Reminder
> that you can configure your ssh config to directly use ProxyCommand or
> even now ProxyJump (on recent openssh-client). See
> https://wiki.centos.org/TipsAndTricks/SshTips/JumpHost
>
> * Because the host has a new sshd_host_key, it will come with a new
> fingerprint too, so if you have automation and that you don't trust our
> CA already, the fingerprint for new host will be :
>
> [fingerprint]
> rsa=3072 SHA256:n7y0qZS/FvhjaskOBds3TTKQh5EtgNQ25E7cmTNBATg (RSA)
> rsa_md5=3072 MD5:9e:83:46:d0:c5:8a:a0:94:50:10:58:9d:af:ca:50:19 (RSA)
> ecdsa=256 SHA256:ZQacwDsWkKBYL9HJJYwHr94Ny1sMhHMDnz9GiLFb8Uc (ECDSA)
> ecdsa_md5=256 MD5:dd:24:ea:6a:fd:8b:29:3d:1d:d0:a9:32:8c:b2:ea:62 (ECDSA)
>
> As we know that it's August and that some of you are probably on PTO
> (coming back or leaving soon), after discussion with Vipul, David and
> myself, we considered that we'll probably go live around beginning of
> September.
>
> Should you have any question around that migration, feel free to reply
> to this thread (ideally on dedicated ci-users mailing list), or on
> irc.freenode.net (#centos-ci)
>
> On behalf of the CentOS CI infra team,
>

Hi all,

As announced (see below), we (CentOS CI infra team) decided to implement
that change next week :

Migration is scheduled for """"Monday 7th, 7:00 am UTC time"""".
You can convert to local time with $(date -d '2020-09-07 7:00 UTC')

On behalf of the CentOS CI infra team,
--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
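
Added example, not part of the original e-mail or of the CentOS CI team's tooling: for automation that pins the host key rather than trusting the CA, this Python check recomputes the SHA256 fingerprint of a scanned "host keytype base64" line, compares it with the values published above, and also flags ssh-dss user keys. The host name jump.example, the sample key blob and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# SHA256 fingerprints published in the announcement, keyed by SSH key type.
PUBLISHED = {
    "ssh-rsa": "SHA256:n7y0qZS/FvhjaskOBds3TTKQh5EtgNQ25E7cmTNBATg",
    "ecdsa-sha2-nistp256": "SHA256:ZQacwDsWkKBYL9HJJYwHr94Ny1sMhHMDnz9GiLFb8Uc",
}

def fingerprint(blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_type(blob):
    """Key type stored inside the blob (its first length-prefixed string)."""
    if len(blob) < 4:
        return ""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii", "replace")

def check_host_line(line, pinned=PUBLISHED):
    """Classify one 'host keytype base64' line as MATCH, MISMATCH or UNPINNED."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 3:
        raise ValueError("not a host key line")
    key_type, blob = fields[1], base64.b64decode(fields[2], validate=True)
    if blob_type(blob) != key_type:
        return "MISMATCH"   # declared type disagrees with the key itself
    if key_type not in pinned:
        return "UNPINNED"   # no published value to compare this type against
    return "MATCH" if fingerprint(blob) == pinned[key_type] else "MISMATCH"

def is_dss_pubkey(line):
    """True for a user public key line of type ssh-dss (refused by the new host)."""
    fields = line.split()
    return bool(fields) and fields[0] == "ssh-dss"

def make_blob(key_type, body):
    """Constructed stand-in for a key blob (not a real key), for offline runs."""
    return struct.pack(">I", len(key_type)) + key_type.encode() + body

# Constructed sample: a scanned RSA line that is NOT the announced host key.
SAMPLE = "jump.example ssh-rsa " + base64.b64encode(
    make_blob("ssh-rsa", b"\x01" * 32)).decode()

if __name__ == "__main__":
    print(check_host_line(SAMPLE))
    print(is_dss_pubkey("ssh-dss AAAAB3 constructed@example"))
```

Only a MATCH result should lead to the key being written to known_hosts; MISMATCH and UNPINNED both mean the key was not verified against the announcement.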