Dzahn has uploaded a new change for review.
https://gerrit.wikimedia.org/r/172476
Change subject: gerrit: configure sshd to not listen on gerrit IP
......................................................................
gerrit: configure sshd to not listen on gerrit IP
on hosts using the gerrit role, we have 2 IP addresses,
one is the host (ytterbium.wikimedia.org) and one is the
service (gerrit.wikimedia.org). both are configured on eth0
as described in Bug 35611 / RT: 8838 what we want is to
enable Gerrit listening on port 22, so that for example
users behind corporate firewalls don't have trouble accessing
the current high port 29418 we are using exclusively
it sounds like the host already has the 2 IPs for this exact
reason, we just never finished this
I743d0993a6273a suggests making Gerrit listen on 22, but first
we need to make sure sshd does NOT listen on that IP anymore, and instead
only on the server IP. This change is the attempt to make that
happen. We have to puppetize the entire sshd config because
by default it would listen on 0.0.0.0:22
sshd_config manpage says hostnames are OK to use here
ListenAddress host|IPv4_addr|IPv6_addr
so we do that and use the DNS name instead of hardcoding IP
Change-Id: Id27657ca29e41960886b517fe0be63ad992d382a
---
M manifests/role/gerrit.pp
M modules/gerrit/manifests/instance.pp
A modules/gerrit/templates/sshd_config.erb
3 files changed, 106 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/76/172476/1
diff --git a/manifests/role/gerrit.pp b/manifests/role/gerrit.pp
index 7086c85..c6d3854 100644
--- a/manifests/role/gerrit.pp
+++ b/manifests/role/gerrit.pp
@@ -7,6 +7,7 @@
class { 'gerrit::instance':
db_host => 'gerrit-db',
host => 'gerrit-dev.wmflabs.org',
+ server_host => 'FIXME.wmflabs.org',
ssh_key =>
'AAAAB3NzaC1yc2EAAAADAQABAAABAQDIb6jbDSyzSD/Pw8PfERVKtNkXgUteOTmZJjHtbOjuoC7Ty6dbvUMX+45GedcD1wAYkWEY26RhI1lW2yEwKvh7VWkKixXqPNyrQGvI+ldjYEyWsGlEHCNqsh37mJD5K3cwr7X/PMaxzxh7rjTk4uRKjtiga9bz1vTDRDaNlXcj84kifsu7xmCY1E+OL4oqqy7b3SKhOpcpZc7n5GonfRSeon5uFHVUjoZ57xQ8x2736zbuLBwMRKtaB+V63cU9ArL90XdVrWfbjI4Fzfex4tBG9fOvt8lINR62cjH5Lova2kZ6VBeUnJYdZ8V1mOSwtITjwkE0K98FNZdqaANZAH7V',
ssl_cert => 'star.wmflabs',
ssl_cert_key => 'star.wmflabs',
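Review bot: `server_host => 'FIXME.wmflabs.org'` is a placeholder that the instance class renders verbatim into the `ListenAddress` line of /etc/ssh/sshd_config, and sshd refuses to start when a ListenAddress name cannot be resolved, so applying this patch set to the labs instance would leave the host without a working sshd until someone fixes the config by other means. The value should be the real labs host name before this merges, or the template should omit the ListenAddress line while `server_host` is unset. The same rendering concern applies to the production value in the second hunk of this file, which is at least a resolvable name. The `gerrit::instance` resource declaration continues past the end of this hunk.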
@@ -66,6 +67,7 @@
class { "gerrit::instance":
db_host => 'm2-master.eqiad.wmnet',
host => 'gerrit.wikimedia.org',
+ server_host => 'ytterbium.wikimedia.org',
ssh_key =>
'AAAAB3NzaC1yc2EAAAABIwAAAQEAxOlshfr3UaPr8gQ8UVskxHAGG9xb55xDyfqlK7vsAs/p+OXpRB4KZOxHWqI40FpHhW+rFVA0Ugk7vBK13oKCB435TJlHYTJR62qQNb2DVxi5rtvZ7DPnRRlAvdGpRft9JsoWdgsXNqRkkStbkA5cqotvVHDYAgzBnHxWPM8REokQVqil6S/yHkIGtXO5J7F6I1OvYCnG1d1GLT5nDt+ZeyacLpZAhrBlyFD6pCwDUhg4+H4O3HGwtoh5418U4cvzRgYOQQXsU2WW5nBQHE9LXVLoL6UeMYY4yMtaNw207zN6kXcMFKyTuF5qlF5whC7cmM4elhAO2snwIw4C3EyQgw==',
ssl_cert => 'gerrit.wikimedia.org',
ssl_cert_key => 'gerrit.wikimedia.org',
diff --git a/modules/gerrit/manifests/instance.pp
b/modules/gerrit/manifests/instance.pp
index e5afa1a..37c6a57 100644
--- a/modules/gerrit/manifests/instance.pp
+++ b/modules/gerrit/manifests/instance.pp
@@ -7,6 +7,7 @@
$db_host = '',
$db_name = 'reviewdb',
$host = '',
+ $server_host = '',
$db_user = 'gerrit',
$ssh_key = '',
$ssl_cert = 'ssl-cert-snakeoil',
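Review bot: `$server_host = ''` defaults to empty, and nothing in the class or the template guards against that, so a caller that does not pass it gets a `ListenAddress` directive with no argument, which sshd rejects at startup. Since this class now owns the whole sshd_config, a missing value should fail the catalog rather than produce an unstartable sshd; something like `if $server_host == '' { fail('gerrit::instance: server_host must be set') }` at the top of the class body would do. The class body continues outside this hunk.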
@@ -62,4 +63,15 @@
smtp_host => $smtp_host,
ssh_key => $ssh_key,
}
+
+ # configure SSHd to NOT listen on the gerrit IP
+ # so that we can let gerrit listen on port 22 here (bug 35611)
+ file { '/etc/ssh/sshd_config':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ content => template('gerrit/sshd_config.erb'),
+ }
+
}
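Review bot: The `file { '/etc/ssh/sshd_config': ... }` resource has no `notify` on the ssh service, so a changed template is written to disk but the running sshd keeps its old listeners until the next restart, which makes the intended effect (freeing port 22 on the gerrit IP) invisible until an unrelated reboot or restart. A `notify => Service['ssh']` (using whatever name the ssh service resource carries in this tree) would fix that. Given that a bad sshd_config on a remote host means losing access, it is also worth having Puppet run `sshd -t` against the new content before it replaces the file; if the Puppet version in use supports `validate_cmd` on file resources, `validate_cmd => '/usr/sbin/sshd -t -f %'` does exactly that, otherwise an exec guard would be needed. This resource sits at the end of the class body, whose start is outside the hunk.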
diff --git a/modules/gerrit/templates/sshd_config.erb
b/modules/gerrit/templates/sshd_config.erb
new file mode 100644
index 0000000..0625b3b
--- /dev/null
+++ b/modules/gerrit/templates/sshd_config.erb
@@ -0,0 +1,92 @@
+# This file is managed by puppet!
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+ListenAddress <%= scope.lookupvar('gerrit::instance::server_host') %>
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel VERBOSE
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+
+
+HostbasedAuthentication no
+
+IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Globally deny logon via password, only allow SSH-key login.
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+
+
+
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM yes
+
+
+
+
+##
+## Anything below this point must start with a match declaration
+## or will only apply to the previous Matches above.
+##
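Review bot: `ListenAddress <%= scope.lookupvar('gerrit::instance::server_host') %>` binds to a host name that sshd resolves once at startup, so sshd now depends on the resolver being available at boot and fails to start if it is not; if the name also has an AAAA record sshd binds that address too, and if it has none, the commented-out `#ListenAddress ::` means the host stops listening on IPv6 entirely, which the commit message does not discuss. Using the address facter already knows for the host interface, or at least documenting the resolution dependency in a comment next to the directive (`# resolved by sshd at start; the name must be resolvable without the network being fully up`), would make the behaviour explicit. `PermitRootLogin yes` is copied from the Debian packaged default; with `PasswordAuthentication no` it still only admits key-based root logins, but for a public-facing Gerrit host the more restrictive `without-password` or `no` is worth considering unless the base sshd configuration elsewhere in this tree already relies on `yes`. The `ServerKeyBits` and `KeyRegenerationInterval` lines only affect protocol 1 and are inert with `Protocol 2`, so they could be dropped to keep the managed file minimal.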
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: Id27657ca29e41960886b517fe0be63ad992d382a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <[email protected]>