Hi,
I need to somehow get private keys for the angband and norst nodes securely onto squeakci.org. My preference is to use scp, but that requires shell access. I don't think that, in general, we want shell access for teamjenkins. Ideas on how to proceed?
(I want to set up the two nodes to have Jenkins ssh to them, because that might be easier than hacking on slaves authenticating to the server.)
frank
On 2013-01-09 5:09 AM, Frank Shearar wrote:
Hi,
I need to somehow get private keys for the angband and norst nodes securely onto squeakci.org. My preference is to use scp, but that requires shell access. I don't think that, in general, we want shell access for teamjenkins. Ideas on how to proceed?
(I want to set up the two nodes to have Jenkins ssh to them, because that might be easier than hacking on slaves authenticating to the server.)
frank
Well, I guess you need to send the keys to a person with shell access. Ken is likely the best person for that, as he manages keys all the time.
Chris
On 9 January 2013 13:16, Chris Cunnington smalltalktelevision@gmail.com wrote:
On 2013-01-09 5:09 AM, Frank Shearar wrote:
Hi,
I need to somehow get private keys for the angband and norst nodes securely onto squeakci.org. My preference is to use scp, but that requires shell access. I don't think that, in general, we want shell access for teamjenkins. Ideas on how to proceed?
(I want to set up the two nodes to have Jenkins ssh to them, because that might be easier than hacking on slaves authenticating to the server.)
frank
Well, I guess you need to send the keys to a person with shell access. Ken is likely the best person for that, as he manages keys all the time.
Chris
Yes, but that just changes the problem to "how can I pass the keys to Ken in a secure manner?"
Apparently giving a user the shell "rssh" lets a user do things like move files, rsync and such, but not have generic unfettered shell access.
frank
On 2013-01-09 8:22 AM, Frank Shearar wrote:
On 9 January 2013 13:16, Chris Cunnington smalltalktelevision@gmail.com wrote:
On 2013-01-09 5:09 AM, Frank Shearar wrote:
Hi,
I need to somehow get private keys for the angband and norst nodes securely onto squeakci.org. My preference is to use scp, but that requires shell access. I don't think that, in general, we want shell access for teamjenkins. Ideas on how to proceed?
(I want to set up the two nodes to have Jenkins ssh to them, because that might be easier than hacking on slaves authenticating to the server.)
frank
Well, I guess you need to send the keys to a person with shell access. Ken is likely the best person for that, as he manages keys all the time.
Chris
Yes, but that just changes the problem to "how can I pass the keys to Ken in a secure manner?"
Apparently giving a user the shell "rssh" lets a user do things like move files, rsync and such, but not have generic unfettered shell access.
frank
There is something here I don't understand. A public key I've seen Colin post on a message board to be copied. Or you could zip them and send them to Ken? So, I'm not sure what's required here. Is the key a thing you can send to somebody else? If so, then you could send it to Ken?
Chris
On 9 January 2013 13:28, Chris Cunnington smalltalktelevision@gmail.com wrote:
On 2013-01-09 8:22 AM, Frank Shearar wrote:
On 9 January 2013 13:16, Chris Cunnington smalltalktelevision@gmail.com wrote:
On 2013-01-09 5:09 AM, Frank Shearar wrote:
Hi,
I need to somehow get private keys for the angband and norst nodes securely onto squeakci.org. My preference is to use scp, but that requires shell access. I don't think that, in general, we want shell access for teamjenkins. Ideas on how to proceed?
(I want to set up the two nodes to have Jenkins ssh to them, because that might be easier than hacking on slaves authenticating to the server.)
frank
Well, I guess you need to send the keys to a person with shell access. Ken is likely the best person for that, as he manages keys all the time.
Chris
Yes, but that just changes the problem to "how can I pass the keys to Ken in a secure manner?"
Apparently giving a user the shell "rssh" lets a user do things like move files, rsync and such, but not have generic unfettered shell access.
frank
There is something here I don't understand. A public key I've seen Colin post on a message board to be copied. Or you could zip them and send them to Ken? So, I'm not sure what's required here. Is the key a thing you can send to somebody else? If so, then you could send it to Ken?
SSH uses a public/private keypair. The PUBLIC key goes into the ~/.ssh/authorized_keys of the account TO WHICH you want to connect. In this case, that's the jenkins user on the build slave. The PRIVATE key is used by the machine FROM WHICH you want to connect.
Possession of the private key grants permission to log into my build slave, in other words.
What I need is a means of securely putting the private key into a known location on squeakci.org. Then I can configure the node to use it when ssh'ing into my build slave (which doesn't permit password authentication).
frank
Chris
I figure I should just get out of the way of this conversation and let you talk to Ken.
Chris
On Wed, Jan 9, 2013 at 8:43 AM, Frank Shearar frank.shearar@gmail.com wrote:
On 9 January 2013 13:28, Chris Cunnington smalltalktelevision@gmail.com wrote:
On 2013-01-09 8:22 AM, Frank Shearar wrote:
On 9 January 2013 13:16, Chris Cunnington smalltalktelevision@gmail.com wrote:
On 2013-01-09 5:09 AM, Frank Shearar wrote:
Hi,
I need to somehow get private keys for the angband and norst nodes securely onto squeakci.org. My preference is to use scp, but that requires shell access. I don't think that, in general, we want shell access for teamjenkins. Ideas on how to proceed?
(I want to set up the two nodes to have Jenkins ssh to them, because that might be easier than hacking on slaves authenticating to the server.)
frank
Well, I guess you need to send the keys to a person with shell access. Ken is likely the best person for that, as he manages keys all the time.
Chris
Yes, but that just changes the problem to "how can I pass the keys to Ken in a secure manner?"
Apparently giving a user the shell "rssh" lets a user do things like move files, rsync and such, but not have generic unfettered shell access.
frank
There is something here I don't understand. A public key I've seen Colin post on a message board to be copied. Or you could zip them and send them to Ken? So, I'm not sure what's required here. Is the key a thing you can send to somebody else? If so, then you could send it to Ken?
SSH uses a public/private keypair. The PUBLIC key goes into the ~/.ssh/authorized_keys of the account TO WHICH you want to connect. In this case, that's the jenkins user on the build slave. The PRIVATE key is used by the machine FROM WHICH you want to connect.
Possession of the private key grants permission to log into my build slave, in other words.
What I need is a means of securely putting the private key into a known location on squeakci.org. Then I can configure the node to use it when ssh'ing into my build slave (which doesn't permit password authentication).
frank
Chris
On 01/09/2013 09:37 AM, Chris Cunnington wrote:
I figure I should just get out of the way of this conversation and let you talk to Ken.
Chris
I was quite confused. This conversation began with a reference to squeakci.org to which I clearly did not have any access. But then I checked and it turns out that squeakci.org is actually pointing to box3 which I had not realized.
Frankly I really don't like the idea of the community servers being used to host services under domains which the box-admins team does not have full access to modify. I know from experience that the services we as a community have to maintain often survive beyond the interest of the creator of said service. But I know you spent some money to get that domain name and it has a rather specific purpose. I would appreciate it though if you would suggest an alternative squeak.org hostname, perhaps ci.squeak.org or jenkins.squeak.org which can be used as an alternative (alongside squeakci.org) and perhaps even the primary access method by users.
Back to the issue at hand (sorry for the aside Frank):
Can you be more specific about where the private key files need to go on the server? That will help determine who needs to do it, at least for the future, even if I to do it now.
Ken
On 09.01.2013, at 10:37, Ken Causey ken@kencausey.com wrote:
Frankly I really don't like the idea of the community servers being used to host services under domains which the box-admins team does not have full access to modify. I know from experience that the services we as a community have to maintain often survive beyond the interest of the creator of said service. But I know you spent some money to get that domain name and it has a rather specific purpose. I would appreciate it though if you would suggest an alternative squeak.org hostname, perhaps ci.squeak.org or jenkins.squeak.org which can be used as an alternative (alongside squeakci.org) and perhaps even the primary access method by users.
+1
All our primary host names should be in the squeak.org domain.
- Bert -
On 9 January 2013 18:40, Bert Freudenberg bert@freudenbergs.de wrote:
On 09.01.2013, at 10:37, Ken Causey ken@kencausey.com wrote:
Frankly I really don't like the idea of the community servers being used to host services under domains which the box-admins team does not have full access to modify. I know from experience that the services we as a community have to maintain often survive beyond the interest of the creator of said service. But I know you spent some money to get that domain name and it has a rather specific purpose. I would appreciate it though if you would suggest an alternative squeak.org hostname, perhaps ci.squeak.org or jenkins.squeak.org which can be used as an alternative (alongside squeakci.org) and perhaps even the primary access method by users.
+1
All our primary host names should be in the squeak.org domain.
- Bert -
Agreed... but let's not forget that squeakci.org was (from what I understand) a spike - Chris saw the need for CI, so did the quickest/simplest thing possible.
frank
On 2013-01-09 1:49 PM, Frank Shearar wrote:
On 9 January 2013 18:40, Bert Freudenberg bert@freudenbergs.de wrote:
On 09.01.2013, at 10:37, Ken Causey ken@kencausey.com wrote:
Frankly I really don't like the idea of the community servers being used to host services under domains which the box-admins team does not have full access to modify. I know from experience that the services we as a community have to maintain often survive beyond the interest of the creator of said service. But I know you spent some money to get that domain name and it has a rather specific purpose. I would appreciate it though if you would suggest an alternative squeak.org hostname, perhaps ci.squeak.org or jenkins.squeak.org which can be used as an alternative (alongside squeakci.org) and perhaps even the primary access method by users.
+1
All our primary host names should be in the squeak.org domain.
- Bert -
Agreed... but let's not forget that squeakci.org was (from what I understand) a spike - Chris saw the need for CI, so did the quickest/simplest thing possible.
frank
Yea. I mean this is a "pioneers giving way to settlers" thing. Some action needed to be taken and I took it. But it's not my thing now. I'm happy it exists, fills a need in the community, and we can transition so that the Box team has full control.
Chris
On 2013-01-09 1:37 PM, Ken Causey wrote:
On 01/09/2013 09:37 AM, Chris Cunnington wrote:
I figure I should just get out of the way of this conversation and let you talk to Ken.
Chris
I was quite confused. This conversation began with a reference to squeakci.org to which I clearly did not have any access. But then I checked and it turns out that squeakci.org is actually pointing to box3 which I had not realized.
Frankly I really don't like the idea of the community servers being used to host services under domains which the box-admins team does not have full access to modify. I know from experience that the services we as a community have to maintain often survive beyond the interest of the creator of said service.
Fine by me. squeakci.org expires on 4 March and I'm happy to let it expire.
But I know you spent some money to get that domain name and it has a rather specific purpose. I would appreciate it though if you would suggest an alternative squeak.org hostname, perhaps ci.squeak.org or jenkins.squeak.org which can be used as an alternative (alongside squeakci.org) and perhaps even the primary access method by users.
We can switch it to whatever you like.
Chris
Back to the issue at hand (sorry for the aside Frank):
Can you be more specific about where the private key files need to go on the server? That will help determine who needs to do it, at least for the future, even if I to do it now.
Ken
On 01/09/2013 12:43 PM, Chris Cunnington wrote:
On 2013-01-09 1:37 PM, Ken Causey wrote: Fine by me. squeakci.org expires on 4 March and I'm happy to let it expire.
But I know you spent some money to get that domain name and it has a rather specific purpose. I would appreciate it though if you would suggest an alternative squeak.org hostname, perhaps ci.squeak.org or jenkins.squeak.org which can be used as an alternative (alongside squeakci.org) and perhaps even the primary access method by users.
We can switch it to whatever you like.
Thank you. I'm open to suggestions. ci.squeak.org is nice due to its shortness, but maybe it is too short or unclear? jenkins.squeak.org? build.squeak.org?
Chris
On 09.01.2013, at 11:30, Ken Causey ken@kencausey.com wrote:
On 01/09/2013 12:43 PM, Chris Cunnington wrote:
On 2013-01-09 1:37 PM, Ken Causey wrote: Fine by me. squeakci.org expires on 4 March and I'm happy to let it expire.
But I know you spent some money to get that domain name and it has a rather specific purpose. I would appreciate it though if you would suggest an alternative squeak.org hostname, perhaps ci.squeak.org or jenkins.squeak.org which can be used as an alternative (alongside squeakci.org) and perhaps even the primary access method by users.
We can switch it to whatever you like.
Thank you. I'm open to suggestions. ci.squeak.org is nice due to its shortness, but maybe it is too short or unclear? jenkins.squeak.org? build.squeak.org?
My naming preference is for role not implementation (e.g. rather "www.squeak.org" than "apache.squeak.org" or "nginx.squeak.org"). I like "build" a tiny bit better than "ci" because it's more descriptive to average people like me ;)
- Bert -
On 9 January 2013 19:58, Bert Freudenberg bert@freudenbergs.de wrote:
On 09.01.2013, at 11:30, Ken Causey ken@kencausey.com wrote:
On 01/09/2013 12:43 PM, Chris Cunnington wrote:
On 2013-01-09 1:37 PM, Ken Causey wrote: Fine by me. squeakci.org expires on 4 March and I'm happy to let it expire.
But I know you spent some money to get that domain name and it has a rather specific purpose. I would appreciate it though if you would suggest an alternative squeak.org hostname, perhaps ci.squeak.org or jenkins.squeak.org which can be used as an alternative (alongside squeakci.org) and perhaps even the primary access method by users.
We can switch it to whatever you like.
Thank you. I'm open to suggestions. ci.squeak.org is nice due to its shortness, but maybe it is too short or unclear? jenkins.squeak.org? build.squeak.org?
My naming preference is for role not implementation (e.g. rather "www.squeak.org" than "apache.squeak.org" or "nginx.squeak.org"). I like "build" a tiny bit better than "ci" because it's more descriptive to average people like me ;)
OK, consider me swayed!
frank
- Bert -
On 9 January 2013 18:37, Ken Causey ken@kencausey.com wrote:
On 01/09/2013 09:37 AM, Chris Cunnington wrote:
I figure I should just get out of the way of this conversation and let you talk to Ken.
Chris
I was quite confused. This conversation began with a reference to squeakci.org to which I clearly did not have any access. But then I checked and it turns out that squeakci.org is actually pointing to box3 which I had not realized.
Frankly I really don't like the idea of the community servers being used to host services under domains which the box-admins team does not have full access to modify. I know from experience that the services we as a community have to maintain often survive beyond the interest of the creator of said service. But I know you spent some money to get that domain name and it has a rather specific purpose. I would appreciate it though if you would suggest an alternative squeak.org hostname, perhaps ci.squeak.org or jenkins.squeak.org which can be used as an alternative (alongside squeakci.org) and perhaps even the primary access method by users.
Back to the issue at hand (sorry for the aside Frank):
Can you be more specific about where the private key files need to go on the server? That will help determine who needs to do it, at least for the future, even if I to do it now.
Hi Ken,
I'm not particularly fussed. Maybe let's have a /home/teamjenkins/node-keys/ and put them there?
frank
Ken
On 01/09/2013 12:48 PM, Frank Shearar wrote:
On 9 January 2013 18:37, Ken Causey ken@kencausey.com wrote:
Hi Ken,
I'm not particularly fussed. Maybe let's have a /home/teamjenkins/node-keys/ and put them there?
frank
I apologize for my ignorance. How are these keys going to be used/accessed? Is it just a matter of them being somewhere on the filesystem and then through a web interface you configure jenkins to point to them?
Assuming that is the case I'm not at all opposed to creating an account for you where you can put whatever files you need. At that point if someone else with more access than you have is needed to put the file somewhere else, then it's a simple matter.
Can you send me your ssh public key? I will then setup a frankshearar account on box3 and you can access it via ssh/scp/etc.
Ken
P.S. In contrast to how we did things on the old server my intention on the newer servers is to, whenever possible, setup user accounts (i.e. an account mapped to an individual) to which only one person has access and avoid the omnibus accounts we used before.
On 01/09/2013 01:21 PM, Ken Causey wrote:
On 01/09/2013 12:48 PM, Frank Shearar wrote:
On 9 January 2013 18:37, Ken Causey ken@kencausey.com wrote:
Hi Ken,
I'm not particularly fussed. Maybe let's have a /home/teamjenkins/node-keys/ and put them there?
frank
I apologize for my ignorance. How are these keys going to be used/accessed? Is it just a matter of them being somewhere on the filesystem and then through a web interface you configure jenkins to point to them?
Assuming that is the case I'm not at all opposed to creating an account for you where you can put whatever files you need. At that point if someone else with more access than you have is needed to put the file somewhere else, then it's a simple matter.
Can you send me your ssh public key? I will then setup a frankshearar account on box3 and you can access it via ssh/scp/etc.
Ken
P.S. In contrast to how we did things on the old server my intention on the newer servers is to, whenever possible, setup user accounts (i.e. an account mapped to an individual) to which only one person has access and avoid the omnibus accounts we used before.
Frank separately emailed me his ssh key and I set him up with an account (frankshearar) on box3.
Ken
On 9 January 2013 21:04, Ken Causey ken@kencausey.com wrote:
On 01/09/2013 01:21 PM, Ken Causey wrote:
On 01/09/2013 12:48 PM, Frank Shearar wrote:
On 9 January 2013 18:37, Ken Causey ken@kencausey.com wrote:
Hi Ken,
I'm not particularly fussed. Maybe let's have a /home/teamjenkins/node-keys/ and put them there?
frank
I apologize for my ignorance. How are these keys going to be used/accessed? Is it just a matter of them being somewhere on the filesystem and then through a web interface you configure jenkins to point to them?
Assuming that is the case I'm not at all opposed to creating an account for you where you can put whatever files you need. At that point if someone else with more access than you have is needed to put the file somewhere else, then it's a simple matter.
Can you send me your ssh public key? I will then setup a frankshearar account on box3 and you can access it via ssh/scp/etc.
Ken
P.S. In contrast to how we did things on the old server my intention on the newer servers is to, whenever possible, setup user accounts (i.e. an account mapped to an individual) to which only one person has access and avoid the omnibus accounts we used before.
Frank separately emailed me his ssh key and I set him up with an account (frankshearar) on box3.
Thanks, Ken! I'm putting my node keys in /home/frankshearar/node-keys/.
frank
Ken
box-admins@lists.squeakfoundation.org
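Added example, not part of the original thread: since possession of a node's private key grants login to that build slave, a directory such as the node-keys one discussed above should be readable by its owner only. The sketch below audits such a directory; the function names are hypothetical and the sample key files are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: audit a directory of SSH private keys kept for CI nodes.
# Function names are hypothetical; sample key files are constructed placeholders.

# Group/other permission bits of a path as shown by ls, e.g. "------" or "r--r--".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Print one line per finding. Exit status 0 when clean, 1 otherwise.
audit_key_dir() {
    dir=$1
    problems=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    # The directory itself must not be listable or writable by group/other.
    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "DIR_TOO_OPEN $dir"
        problems=$((problems + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Public halves are not secret; skip them.
        case $f in *.pub) continue ;; esac
        # A private key must be accessible to its owner only (mode 600 or 400).
        if [ "$(group_other_bits "$f")" != "------" ]; then
            echo "KEY_TOO_OPEN $f"
            problems=$((problems + 1))
        fi
        # Anything else in this directory is unexpected clutter worth reviewing.
        if ! head -n 1 "$f" | grep -q 'PRIVATE KEY-----$'; then
            echo "NOT_A_PRIVATE_KEY $f"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Build a constructed sample directory: one well-protected key file and one
# that is world-readable. The node names are taken from the thread; the file
# contents are placeholders with no key material.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    chmod 700 "$d"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'constructed-placeholder' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/angband"
    chmod 600 "$d/angband"
    cp "$d/angband" "$d/norst"
    chmod 644 "$d/norst"
    echo "$d"
}

# Demo run on the constructed sample; on a real host, call e.g.
#   audit_key_dir /home/frankshearar/node-keys
sample=$(make_sample_dir)
audit_key_dir "$sample" || echo "audit found problems in $sample"
rm -rf "$sample"
```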