[Box-Admins] Access to the new server(s)

Fabio Niephaus lists at fniephaus.com
Wed Sep 28 10:03:41 UTC 2016


On Wed, Sep 28, 2016 at 11:31 AM Tobias Pape <Das.Linux at gmx.de> wrote:

> Dear all
>
> [ACTIONS AT END]
>
> with retroactive blessing of Levente, I have now prepared eight VMs on
> Rackspace.
> Here's the overview:
>
>
> ==========================================================================================================================
> Name     Name (ext)      intended use     Unix Users    Public Ports  Private Ports   Public IPv4     Private IPv4
> --------------------------------------------------------------------------------------------------------------------------
> ian      ssh.squeak.org  ssh-gateway      ssh           1022          22              104.130.6.82    10.208.225.29
> alan     *.squeak.org    webserver        webteam       80, 443       22              104.239.229.92  10.176.200.8
> adele    lists....       mailinglists     (tbd)         25, 587, 465  22, 8080        162.242.237.43  10.208.160.56
> andreas  --------        source.squeak    chrismuller*  --------      22, 8080        irrelevant      10.208.161.222
> dan      --------        squeaksource     davidlewis*   --------      22, 8080        irrelevant      10.176.197.150
> ted      --------        squeak wiki+map  (tbd)         --------      22, 8080, 8081  irrelevant      10.176.130.111
> david    --------        jenkins          (tbd)         --------      22, 8080        irrelevant      10.208.194.45
> scott    --------        misc             (tbd)         --------      22, 8080, 8081  irrelevant      10.176.199.169
> ==========================================================================================================================
>
> Currently, Levente and I have sudo on all these machines. Users with *
> also do.
>
> Note that _no_ server exposes SSH on port 22 on a public IP. This is
> intentional to narrow attack vectors for script kiddies.
> How to login?
>
> Ian is the ssh gateway so you have to connect to ian _first_ and use (1)
> local forwarding or (2) proxy jumping.
> I have installed the Public keys from most of you for the 'ssh' user on
> ian.
>
> Please verify by
>         ssh -p1022 -lssh 104.130.6.82
> you should see
>         restrict shell, no commands #
> (you get out with ctrl-d, ctrl-c, or killing ssh)
>
> How to reach the other servers? Example for 'andreas'
>
> variant (1):
>         Do a local forward by
>                 ssh -AN -L22221:10.176.200.8:22 -p1022 -lssh 104.130.6.82
>         and then
>                 ssh -lYOURNAME -p22221 localhost
>         (-N maybe optional, but then you see 'restrict shell, no commands #')
>
>         Or in your .ssh/config you can put
>
>         Host ian.squeak.org
>           User ssh
>           Hostname 104.130.6.82
>           Port 1022
>           LocalForward 22221 10.176.200.8:22
>
>         Host andreas.squeak.org
>           User YOURNAME
>           Hostname localhost
>           Port 22221
>
>         And then say 'ssh -AN ian.squeak.org' and then 'ssh andreas.squeak.org'
>
> variant (2):
>         (a) You have OpenSSH >= 7.3
>         Do a Jump with
>                 ssh -J ssh@104.130.6.82:1022 YOURNAME@10.176.200.8
>
>         Or in your .ssh/config you can put
>
>         Host ian.squeak.org
>           User ssh
>           Hostname 104.130.6.82
>           Port 1022
>
>         Host andreas.squeak.org
>           User YOURNAME
>           Hostname 10.176.200.8
>           ProxyJump ian.squeak.org
>
>         And then say 'ssh andreas.squeak.org'
>
>         (b) You have OpenSSH >= 5.4
>         Do a Jump via
>                 ssh -o ProxyCommand="ssh -lssh -p1022 -W %h:%p 104.130.6.82" YOURNAME@10.176.200.8
>
>         Or in your .ssh/config you can put
>
>         Host ian.squeak.org
>           User ssh
>           Hostname 104.130.6.82
>           Port 1022
>
>         Host andreas.squeak.org
>           User YOURNAME
>           Hostname 10.176.200.8
>           ProxyCommand ssh -W %h:%p ian.squeak.org
>
>         And then say 'ssh andreas.squeak.org'
>

2b works like a charm! Thanks :)


>
>         (c) You have OpenSSH < 5.4
>         Use variant (1)
>
> We will shortly start RSYNC-ing over data from box3 and box4 as well as
> replicating DNS entries before switching over.
>
> [ACTION REQUIRED]
>
> - Who needs access to which servers?
>

I would need webteam/webserver access.


> - Do we need Jenkins anymore?
>

We moved Squeak-Trunk to TravisCI, so if there isn't anything else
important still running there, I'd say no.


>
> As always, questions appreciated.
>
> Best regards
>         -Tobias
>
>
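
The variants in the quoted mail depend on the local OpenSSH version. As an added example (not part of the original thread), this script maps a version banner to the matching variant and prints the `.ssh/config` stanza for the target host. The function names are hypothetical; the host aliases, port and addresses are the ones from the mail, with 22221 taken from its `-L22221` command.

```shell
#!/bin/sh
# Added example: choose the gateway variant from the quoted mail by OpenSSH version.
# Function names are hypothetical; hosts, ports and addresses come from the mail.

# Extract "major.minor" from a banner such as "OpenSSH_7.2p2 Ubuntu-4, OpenSSL 1.0.2g".
# Prints nothing when the banner is not recognised.
ssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Map a major.minor version to the variant named in the mail.
pick_variant() {
    case "$1" in *.*) ;; *) echo unknown; return 1 ;; esac
    major=${1%%.*}
    minor=${1#*.}
    case "$major$minor" in ''|*[!0-9]*) echo unknown; return 1 ;; esac
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; }; then
        echo proxyjump       # variant (2a): OpenSSH >= 7.3
    elif [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }; then
        echo proxycommand    # variant (2b): OpenSSH >= 5.4
    else
        echo localforward    # variant (1): anything older
    fi
}

# Print the stanza for the target host. $1 = variant, $2 = user, $3 = private address.
# The localforward variant still needs 'ssh -AN ian.squeak.org' running first.
target_stanza() {
    case "$1" in
        proxyjump)    set -- "$2" "$3" "ProxyJump ian.squeak.org" ;;
        proxycommand) set -- "$2" "$3" "ProxyCommand ssh -W %h:%p ian.squeak.org" ;;
        localforward) set -- "$2" localhost "Port 22221" ;;
        *) return 1 ;;
    esac
    printf 'Host andreas.squeak.org\n  User %s\n  Hostname %s\n  %s\n' "$1" "$2" "$3"
}

# Stand-alone use: inspect the local client (ssh -V writes its banner to stderr).
if [ "${1:-}" = "--detect" ]; then
    variant=$(pick_variant "$(ssh_version "$(ssh -V 2>&1)")") || exit 1
    target_stanza "$variant" YOURNAME 10.176.200.8
fi
```

Run it with `--detect` to print the stanza for the installed client; the `ian.squeak.org` gateway stanza from the mail is still required alongside it.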