#9847 cannot login on a few servers as fi-apprentice
Closed: Fixed 3 years ago by kevin. Opened 3 years ago by heldwin.

I was trying to check what were the servers I was allowed to access, but it seems I cannot on a few of them.

Not sure if it is only my public key or if it is more general with the fi-apprentice group, or if there is work in progress after the authentication changes.

Most are stg servers, and a few others openqa/copr/smtp/etc.

blockerbugs01.stg.iad2.fedoraproject.org Failed
copr-fe-dev.aws.fedoraproject.org Failed
datagrepper01.stg.iad2.fedoraproject.org Failed
koji01.stg.iad2.fedoraproject.org Failed
memcached01.stg.iad2.fedoraproject.org Failed
oci-candidate-registry01.stg.iad2.fedoraproject.org Failed
oci-registry01.stg.iad2.fedoraproject.org Failed
openqa-a64-worker01.iad2.fedoraproject.org Failed
openqa-a64-worker02.iad2.fedoraproject.org Failed
openqa-a64-worker03.iad2.fedoraproject.org Failed
openqa-p09-worker01.iad2.fedoraproject.org Failed
osbs-aarch64-node01.stg.iad2.fedoraproject.org Failed
osbs-aarch64-node02.stg.iad2.fedoraproject.org Failed
osbs-master01.stg.iad2.fedoraproject.org Failed
osbs-node01.stg.iad2.fedoraproject.org Failed
osbs-node02.stg.iad2.fedoraproject.org Failed
proxy01.stg.iad2.fedoraproject.org Failed
proxy02.stg.iad2.fedoraproject.org Failed
proxy06.fedoraproject.org Failed
proxy09.fedoraproject.org Failed
proxy13.fedoraproject.org Failed
proxy33.fedoraproject.org Failed
resultsdb01.iad2.fedoraproject.org Failed
resultsdb01.stg.iad2.fedoraproject.org Failed
smtp-mm-cc-rdu01.fedoraproject.org Failed
smtp-mm-ib01.fedoraproject.org Failed
smtp-mm-osuosl01.fedoraproject.org Failed
sundries01.stg.iad2.fedoraproject.org Failed
value01.stg.iad2.fedoraproject.org Failed
wiki01.stg.iad2.fedoraproject.org Failed


fi-apprentice does not allow access everywhere. Some servers are not open to that group.

As for .stg. you need to set up your SSH key on https://accounts.stg.fedoraproject.org

The list of servers I took was from batcave01, running:
./scripts/hosts_with_var_set -i inventory/ -o fas_client_groups=fi-apprentice, from the ansible git I cloned there.

I have added my ssh public key in accounts.stg, thanks for the info.

I have now:
copr-fe-dev.aws.fedoraproject.org
Failed -> public key

oci-candidate-registry01.stg.iad2.fedoraproject.org
Failed -> Connection closed by UNKNOWN port 65535

oci-registry01.stg.iad2.fedoraproject.org
Failed -> Connection closed by UNKNOWN port 65535

openqa-a64-worker01.iad2.fedoraproject.org
Failed -> Connection closed by UNKNOWN port 65535

openqa-a64-worker02.iad2.fedoraproject.org
Failed -> Connection closed by UNKNOWN port 65535

openqa-a64-worker03.iad2.fedoraproject.org
Failed -> Connection closed by UNKNOWN port 65535

openqa-p09-worker01.iad2.fedoraproject.org
Failed -> Connection closed by UNKNOWN port 65535

proxy06.fedoraproject.org
Failed -> Cannot assign requested address

proxy09.fedoraproject.org
Failed -> Cannot assign requested address

proxy13.fedoraproject.org
Failed -> Connection timed out

resultsdb01.iad2.fedoraproject.org
Failed -> Connection closed by UNKNOWN port 65535

smtp-mm-cc-rdu01.fedoraproject.org
Failed -> public key

smtp-mm-ib01.fedoraproject.org
Failed -> Connection closed by 152.19.134.143 port 22

smtp-mm-osuosl01.fedoraproject.org
Failed -> Cannot assign requested address

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue private status set to: False (was: True)
- Issue tagged with: low-gain, low-trouble, ops

3 years ago

I think that many of these need to be updated in their variables for whether or not they allow apprentices to log in. Several of the ones above (like openqa and copr) should have that turned off.

Also, it looks like there have been a few changes since we moved to Noggin/IPA for the accounts system.

Try ./scripts/hosts_with_var_set -i inventory/ -o ipa_client_shell_groups=fi-apprentice

I tried this script (and the old one), but both seem to return nothing.

I have the same issue since migration.

@heldwin have you tried a git pull recently? I tried
./scripts/hosts_with_var_set -i inventory/ -o ipa_client_shell_groups=fi-apprentice

And it shows a list

[nb@mymachine fedora-ansible]$ ./scripts/hosts_with_var_set -i inventory/ -o ipa_client_shell_groups=fi-apprentice
[WARNING]: * Failed to parse /home/nebebout/git-repos/fedora-ansible/inventory/zzz-inventory.config with ini plugin: Invalid host pattern 'plugin:' supplied, ending in ':' is not allowed, this character is reserved to provide a port.
[WARNING]: Unable to parse /home/nebebout/git-repos/fedora-ansible/inventory/zzz-inventory.config as an inventory source
hosts with variable ipa_client_shell_groups matching fi-apprentice value
batcave01.iad2.fedoraproject.org
batcave13.rdu2.fedoraproject.org
blockerbugs01.iad2.fedoraproject.org
blockerbugs01.stg.iad2.fedoraproject.org
datagrepper01.iad2.fedoraproject.org
datagrepper01.stg.iad2.fedoraproject.org
datagrepper02.iad2.fedoraproject.org
debuginfod01.iad2.fedoraproject.org
debuginfod01.stg.iad2.fedoraproject.org
koji01.stg.iad2.fedoraproject.org
log01.iad2.fedoraproject.org
memcached01.iad2.fedoraproject.org
memcached01.stg.iad2.fedoraproject.org
openqa-lab01.iad2.fedoraproject.org
openqa01.iad2.fedoraproject.org
osbs-aarch64-master01.iad2.fedoraproject.org
osbs-aarch64-master01.stg.iad2.fedoraproject.org
osbs-aarch64-node01.iad2.fedoraproject.org
osbs-aarch64-node01.stg.iad2.fedoraproject.org
osbs-aarch64-node02.iad2.fedoraproject.org
osbs-aarch64-node02.stg.iad2.fedoraproject.org
osbs-control01.iad2.fedoraproject.org
osbs-control01.stg.iad2.fedoraproject.org
osbs-master01.iad2.fedoraproject.org
osbs-master01.stg.iad2.fedoraproject.org
osbs-node01.iad2.fedoraproject.org
osbs-node01.stg.iad2.fedoraproject.org
osbs-node02.iad2.fedoraproject.org
osbs-node02.stg.iad2.fedoraproject.org
proxy01.iad2.fedoraproject.org
proxy01.stg.iad2.fedoraproject.org
proxy02.fedoraproject.org
proxy02.stg.iad2.fedoraproject.org
proxy03.fedoraproject.org
proxy04.fedoraproject.org
proxy05.fedoraproject.org
proxy06.fedoraproject.org
proxy09.fedoraproject.org
proxy10.iad2.fedoraproject.org
proxy101.iad2.fedoraproject.org
proxy11.fedoraproject.org
proxy110.iad2.fedoraproject.org
proxy12.fedoraproject.org
proxy13.fedoraproject.org
proxy14.fedoraproject.org
proxy30.fedoraproject.org
proxy31.fedoraproject.org
proxy32.fedoraproject.org
proxy33.fedoraproject.org
proxy34.fedoraproject.org
proxy35.fedoraproject.org
proxy36.fedoraproject.org
proxy37.fedoraproject.org
proxy38.fedoraproject.org
proxy39.fedoraproject.org
proxy40.fedoraproject.org
resultsdb01.stg.iad2.fedoraproject.org
secondary01.iad2.fedoraproject.org
sundries01.iad2.fedoraproject.org
sundries01.stg.iad2.fedoraproject.org
sundries02.iad2.fedoraproject.org
torrent02.fedoraproject.org
value01.iad2.fedoraproject.org
value01.stg.iad2.fedoraproject.org
wiki01.iad2.fedoraproject.org
wiki01.stg.iad2.fedoraproject.org
wiki02.iad2.fedoraproject.org
zabbix01.stg.iad2.fedoraproject.org

Hum, weird. Yes, I tried to pull it several times, with no update.
Both on batcave01 and on my machine.

I have deleted the clone, and cloned it again on my machine, and now it lists the same as you.

EDIT:
My bad, I was pulling on master and not main, it seems...
It was able to find something for a branch named master though.
If I pull on batcave01 for main, it finds updates.

So, what is the current list of hosts you cannot reach?

Keep in mind that stg may require you to log in to https://accounts.stg.fedoraproject.org, confirm your ssh key is right and that you are in the fi-apprentice group.

I can log in to every server the script returns, except these ones I cannot reach:

batcave13.rdu2.fedoraproject.org;Failed;Name or service not known
proxy06.fedoraproject.org;Failed;Cannot assign requested address
proxy09.fedoraproject.org;Failed;Cannot assign requested address
proxy13.fedoraproject.org;Failed;Connection timed out

I can log in to every server the script returns, except these ones I cannot reach:

batcave13.rdu2.fedoraproject.org;Failed;Name or service not known

This one should actually be on the vpn, but isn't (yet). It also needs re-installing. I'll fix it soon.

proxy06.fedoraproject.org;Failed;Cannot assign requested address
proxy09.fedoraproject.org;Failed;Cannot assign requested address
proxy13.fedoraproject.org;Failed;Connection timed out

So, these should all be reachable on the vpn, so 'proxy06.vpn.fedoraproject.org'. They may be rejecting ssh except from batcave01's external IP and the vpn.

So, I think we are all done here then with that?

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
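
The failures reported in this ticket have different causes: a rejected key, a name that does not resolve, a host reachable only over the VPN, and so on. The following shell script is an added example, not part of the ticket or of the Fedora ansible repository. It repeats the per-host login check non-interactively and maps the ssh error text to a coarse cause. The function names and the cause wording are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify ssh failure text into the causes seen in this ticket.

# Map one line of ssh stderr to a coarse cause. Patterns are the messages quoted
# in the ticket plus OpenSSH's "Permission denied (publickey...)" wording.
classify_ssh_error() {
    case "$1" in
        *"Permission denied"*|*"public key"*|*publickey*)
            echo "auth: key not accepted or account not in an allowed group" ;;
        *"Name or service not known"*)
            echo "dns: hostname does not resolve from here" ;;
        *"Cannot assign requested address"*)
            echo "local-net: no usable source address for that destination" ;;
        *"Connection timed out"*)
            echo "filtered: no answer, host may only accept ssh from the VPN or a bastion" ;;
        *"Connection closed by"*)
            echo "closed: dropped before authentication finished" ;;
        *)
            echo "unknown" ;;
    esac
}

# Try a non-interactive login to each host and print host;status;cause.
check_hosts() {
    local host err
    for host in "$@"; do
        # BatchMode stops password prompts; ConnectTimeout bounds the wait per host.
        if err=$(ssh -n -o BatchMode=yes -o ConnectTimeout=10 "$host" true 2>&1); then
            echo "$host;OK;"
        else
            # The last stderr line carries the final error.
            echo "$host;Failed;$(classify_ssh_error "$(printf '%s\n' "$err" | tail -n 1)")"
        fi
    done
}

# Constructed sample: classify the messages reported in the ticket, no network needed.
classify_samples() {
    local msg
    for msg in "public key" "Connection closed by UNKNOWN port 65535" \
               "Cannot assign requested address" "Connection timed out" \
               "Name or service not known"; do
        printf '%s => %s\n' "$msg" "$(classify_ssh_error "$msg")"
    done
}

if [ "$#" -gt 0 ]; then check_hosts "$@"; else classify_samples; fi
```

Run with hostnames as arguments to test real logins; with no arguments it only classifies the sample messages.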
