[Ci-users] Infra Pre-Announce : moving CI ssh jump host soon, please read !

Wed Sep 2 13:33:19 UTC 2020
Fabian Arrotin <arrfab at centos.org>

On 13/08/2020 16:46, Fabian Arrotin wrote:
> Hi,
> 
> As you noticed recently, we started to refresh the infra used for CentOS
> CI (not the hardware, still the same, but the software stack and the way
> to control/manage it).
> 
> One of the identified nodes still being used and that needs to be
> converted to the new infra layout is the ssh jumphost (see
> https://wiki.centos.org/QaWiki/CI/GettingStarted#How_to_use_it)
> 
> Normally, some of you have switched to OpenShift workload (including to
> the new OpenShift 4/OCP setup that went live recently) but some Projects
> are still on the old setup with sometimes a need to reach
> dedicated/shared VMs acting as Jenkins agent[s], connected to Jenkins
> behind https://ci.centos.org.
> 
> We have already provisioned a new VM in the new setup (that can reach
> the whole CI subnet and VLAN) but here are some points to consider
> (the reason why we wanted to pre-announce a long time in advance, before
> we do the real switch):
> 
>  * New ssh jump host is CentOS 8 based, versus CentOS 6, meaning that if
> you used ssh-dss key (instead of ssh-rsa), you'll *not* be able to
> connect through that new host. We already identified such keys and Vipul
> will try (when it's tied to a real email address for the project) to
> reach out. But better to announce it here too, so that you have time to
> ask us to reflect a change (through ticket on
> https://pagure.io/centos-infra/issues)
> 
>  * Old VM allowed shell access, but it will be disallowed on the new one
> (there is no need for shell on that intermediate node anyway). Reminder
> that you can configure your ssh config to directly use ProxyCommand or
> even now ProxyJump (on recent openssh-client). See
> https://wiki.centos.org/TipsAndTricks/SshTips/JumpHost
> 
>  * Because the host has a new sshd_host_key, it will come with a new
> fingerprint too, so if you have automation and you don't already trust
> our CA, the fingerprint for the new host will be:
> 
> [fingerprint]
> rsa=3072 SHA256:n7y0qZS/FvhjaskOBds3TTKQh5EtgNQ25E7cmTNBATg  (RSA)
> rsa_md5=3072 MD5:9e:83:46:d0:c5:8a:a0:94:50:10:58:9d:af:ca:50:19  (RSA)
> ecdsa=256 SHA256:ZQacwDsWkKBYL9HJJYwHr94Ny1sMhHMDnz9GiLFb8Uc  (ECDSA)
> ecdsa_md5=256 MD5:dd:24:ea:6a:fd:8b:29:3d:1d:d0:a9:32:8c:b2:ea:62  (ECDSA)
> 
> As we know that it's August and that some of you are probably on PTO
> (coming back or leaving soon), after discussion with Vipul, David and
> myself, we considered that we'll probably go live around the beginning of
> September.
> 
> Should you have any question around that migration, feel free to reply
> to this thread (ideally on dedicated ci-users mailing list), or on
> irc.freenode.net (#centos-ci)
> 
> On behalf of the CentOS CI infra team,
> 

Hi all,

As announced (see below), we (CentOS CI infra team) decided to implement
that change next week :

Migration is scheduled for "Monday 7th, 7:00 am UTC time".
You can convert to local time with $(date -d '2020-09-07 7:00 UTC')

On behalf of the CentOS CI infra team,
-- 
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
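
For automation that does not trust the CA, one way to pin the new host key is to compare the SHA256 fingerprint of every key collected for the jump host against the values announced in the message above, and only write matching lines to known_hosts. This is an added example, not part of the original message; the hostname `jump.example.invalid` and the key blob in the sample are constructed placeholders, so the sample is expected to be rejected.

```python
import base64
import hashlib

# SHA256 fingerprints announced in the message above.
ANNOUNCED = {
    "SHA256:n7y0qZS/FvhjaskOBds3TTKQh5EtgNQ25E7cmTNBATg",  # RSA
    "SHA256:ZQacwDsWkKBYL9HJJYwHr94Ny1sMhHMDnz9GiLFb8Uc",  # ECDSA
}


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pin_host_keys(keyscan_output, trusted=ANNOUNCED):
    """Split 'host keytype base64' lines into (accepted, rejected)."""
    accepted, rejected = [], []
    for line in keyscan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            rejected.append((line, "malformed"))
            continue
        try:
            fp = fingerprint(fields[2])
        except ValueError:  # binascii.Error is a ValueError
            rejected.append((line, "bad base64"))
            continue
        if fp in trusted:
            accepted.append(line)  # safe to append to known_hosts
        else:
            rejected.append((line, fp))  # keep the fingerprint for the alert
    return accepted, rejected


# Constructed sample: placeholder host name and a made-up key blob.
SAMPLE = (
    "# constructed sample, not real ssh-keyscan output\n"
    "jump.example.invalid ssh-rsa "
    + base64.b64encode(b"constructed-not-a-real-key").decode() + "\n"
)

if __name__ == "__main__":
    ok, bad = pin_host_keys(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```
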
