path: root/ssh-config.md
blob: 7de2def32ed63652cc5f2578fb44166a85bff4c7 (plain)
---
title: SSH client config for WMF
author: Lars Wirzenius
bindings: ssh-config.yaml
functions: ssh-config.py
...

# Introduction

I need to access certain servers for my work at WMF using SSH. For
this to work, I need an SSH client config that uses the right SSH keys
and routes access via a "bastion" server. This document has acceptance
criteria for my config.

My configuration is based on the one [on
wikitech](https://wikitech.wikimedia.org/wiki/Production_access#Setting_up_your_SSH_config):

~~~
# Configure the initial connection to the bastion host, with the one HostName closest to you
Host bast
    User your_username_here
    HostName bast1002.wikimedia.org
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes

# Proxy all connections to internal servers through the bastion host
Host *.wmnet
    User your_username_here
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes
~~~

# Acceptance criteria for WMF

For my work I need to access production servers. Most of them don't
allow direct SSH access and I need to go through a bastion server.

There are also two keys: a "lab" key and a "production" key. The SSH
config ensures the right key is used.
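The following is an added example, not code from this document, from OpenSSH or from the subplot bindings it references: a small resolver that applies ssh_config's first-match-wins rule to the snippet quoted above and then checks, per host, the settings the scenarios below depend on (ForwardAgent no, IdentitiesOnly yes with a pinned IdentityFile, and the bastion ProxyCommand for `*.wmnet`). It assumes the space-separated `Keyword value` syntax used in the snippet, and the function names are hypothetical; note that `contint1001.wikimedia.org` matches neither Host block of the snippet, so it resolves to ssh's defaults.

```python
import fnmatch

# Constructed copy of the wikitech-derived config quoted in this document.
SSH_CONFIG = """Host bast
    User your_username_here
    HostName bast1002.wikimedia.org
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes
Host *.wmnet
    User your_username_here
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes
"""

def host_matches(host, patterns):
    """ssh_config Host semantics: some non-negated pattern matches and no '!' pattern does."""
    hit = lambda p: fnmatch.fnmatchcase(host, p)
    return (not any(hit(p[1:]) for p in patterns if p.startswith("!"))
            and any(hit(p) for p in patterns if not p.startswith("!")))

def effective_config(host, text):
    """Resolve options for host as ssh(1) does: the first value obtained for an option wins."""
    result, active = {}, True          # options before any Host line apply to every host
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            active = host_matches(host, value.split())
        elif active:
            result.setdefault(key, value)   # earlier blocks keep precedence
    return result

def check_hardening(host, text):
    """Findings (empty list = OK): no agent forwarding, one pinned key, bastion for internal hosts."""
    cfg, findings = effective_config(host, text), []
    if cfg.get("forwardagent", "no").lower() != "no":       # ssh default is no
        findings.append("ForwardAgent enabled: agent reachable from the remote host")
    if cfg.get("identitiesonly", "no").lower() != "yes":    # ssh default is no
        findings.append("IdentitiesOnly not set: every agent key may be offered")
    if "identityfile" not in cfg:
        findings.append("no IdentityFile pinned for this host")
    if host.endswith(".wmnet") and "proxycommand" not in cfg:
        findings.append("internal host reached without the bastion ProxyCommand")
    return findings
```

On a real machine, `ssh -G deploy1001.eqiad.wmnet` prints the same resolved options from the live config, which is the quickest way to confirm that the scenarios below exercise the intended key and bastion.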

## Bastion access

This scenario ensures I can access the bastion host directly.

~~~scenario
when I run ssh bast hostname
then the output matches /^bast\d+$/
~~~

## Deployment server access
 
This scenario ensures I can access the deployment host for running the
train.

~~~scenario
when I run ssh deploy1001.eqiad.wmnet hostname
then the output matches /^deploy\d+$/
~~~

## Continuous integration server access
 
This scenario ensures I can access the server running CI.

~~~scenario
when I run ssh contint1001.wikimedia.org hostname
then the output matches /^contint1001$/
when I run ssh contint2001.wikimedia.org hostname
then the output matches /^contint2001$/
~~~

## Gerrit access

For Gerrit, we need more than just a simple ssh command. We need git.

~~~scenario
when I run git clone ssh://gerrit.wikimedia.org/sandbox
then the directory sandbox exists
~~~

# Acceptance criteria for personal use

## Localhost access

I use Ansible to configure my laptop and it works over ssh to
localhost.

~~~scenario
when I run ssh localhost hostname
then the output matches /^exolobe\d$/
~~~

## git.liw.fi access

git.liw.fi runs Gitano, which has a handy whoami command.

~~~scenario
when I run ssh git@git.liw.fi whoami
then the output matches /User name:/
~~~

## gitlab.com access

I have a personal gitlab.com account. I have a subplot repository
there.

NOTE: This scenario only checks that I can clone from there over ssh,
not that I do it with my personal ssh key.

~~~scenario
when I run git clone ssh://git@gitlab.com/larswirzenius/subplot.git
then the directory subplot exists
~~~


## Backup server access

I have two backup servers. Check access to both.

~~~scenario
when I run ssh holywood2 hostname
then the output matches /^holywood2$/

when I run ssh pergamum hostname
then the output matches /^pergamum$/
~~~