[Python-Dev] Snakebite build slaves and developer SSH/GPG public keys

2012-08-22 Thread Trent Nelson
Hi folks,

I've set up a bunch of Snakebite build slaves over the past week.
One of the original goals was to provide Python committers with
full access to the slaves, which I'm still keen on providing.

What's a nice simple way to achieve that in the interim?  Here's
what I was thinking:

- Create a new hg repo: hg.python.org/keys.

- Committers can push to it just like any other repo (i.e.
  same ssh/authz configuration as cpython).

- Repo is laid out as follows:

      keys/
          /
              ssh (ssh public key)
              gpg (gpg public key)

- Prime the repo with the current .ssh/authorized_keys
  (presuming you still use the --tunnel-user facility?).

That'll provide me with everything I need to set up the relevant
.ssh/authorized_keys stuff on the Snakebite side.  GPG keys will
be handy if I ever need to send passwords over e-mail (which I'll
probably have to do initially for those that want to RDP into the
Windows slaves).

Thoughts?

As for the slaves, here's what's up and running now:

- AMD64 Mountain Lion [SB]
- AMD64 FreeBSD 8.2 [SB]
- AMD64 FreeBSD 9.1 [SB]
- AMD64 NetBSD 5.1.2 [SB]
- AMD64 OpenBSD 5.1 [SB]
- AMD64 DragonFlyBSD 3.0.2 [SB]
- AMD64 Windows Server 2008 R2 SP1 [SB]
- x86 NetBSD 5.1.2 [SB]
- x86 OpenBSD 5.1 [SB]
- x86 DragonFlyBSD 3.0.2 [SB]
- x86 Windows Server 2003 R2 SP2 [SB]
- x86 Windows Server 2008 R2 SP1 [SB]

All the FreeBSD ones use ZFS, all the DragonFly ones use HAMMER.
DragonFly, NetBSD and OpenBSD are currently reporting all sorts
of weird and wonderful errors, which is partly why I want to set
up ssh access sooner rather than later.

Other slaves on the horizon (i.e. hardware is up, OS is installed):

- Windows 8 x64 (w/ VS2010 and VS2012)
- HP-UX 11iv2 PA-RISC
- HP-UX 11iv3 Itanium (64GB RAM)
- AIX 5.3 RS/6000
- AIX 6.1 RS/6000
- AIX 7.1 RS/6000
- Solaris 9 SPARC
- Solaris 10 SPARC

Nostalgia slaves that probably won't ever see green:
- IRIX 6.5.33 MIPS
- Tru64 5.1B Alpha

If anyone wants ssh access now to the UNIX platforms in order to
debug/test, feel free to e-mail me directly with your ssh public
keys.

For committers on other Python projects like Buildbot, Django and
Twisted that may be reading this -- yes, the plan is to give you
guys Snakebite access/slaves down the track too.  I'll start looking
into that after I've finished setting up the remaining slaves for
Python.  (Setting up a keys repo will definitely help (doesn't have
to be hg -- feel free to use svn/git/whatever, just try and follow
the same layout).)

Regards,

Trent "that-took-a-bit-longer-than-expected" Nelson.
___
Python-Dev mailing list
[email protected]
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
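
Added example, not part of the original thread and not Snakebite's or python.org's own tooling: one way to turn the proposed keys repo into an authorized_keys file while refusing anything that is not a bare public key. It assumes each per-committer directory is named after the committer and that its ssh file holds one public key per line; the function names, the allowed key types and the sample key are constructed for illustration.

```python
import base64, binascii, struct
from pathlib import Path

# Assumption: key types accepted on the build hosts.
ALLOWED = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def check_key_line(line):
    """Return (keytype, blob_b64) for a bare public-key line or raise ValueError."""
    fields = line.split()
    # Anything not starting with a key type (options such as command=...,
    # private-key armour, stray text) is refused rather than passed through.
    if len(fields) < 2 or fields[0] not in ALLOWED:
        raise ValueError("not a bare public key of an allowed type")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except binascii.Error:
        raise ValueError("key blob is not valid base64")
    # The decoded blob starts with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("declared type does not match key blob")
    return fields[0], fields[1]

def build_authorized_keys(repo_root):
    """Walk keys/<committer>/ssh; return (authorized_keys_lines, rejected)."""
    lines, rejected = [], []
    for ssh_file in sorted(Path(repo_root, "keys").glob("*/ssh")):
        user = ssh_file.parent.name  # assumed: directory named after the committer
        for raw in ssh_file.read_text().splitlines():
            if not raw.strip() or raw.lstrip().startswith("#"):
                continue
            try:
                ktype, blob = check_key_line(raw)
            except ValueError as exc:
                rejected.append((user, str(exc)))
                continue
            # Replace the submitted comment so each entry names its committer.
            lines.append(f"{ktype} {blob} {user}")
    return lines, rejected

def sample_key(keytype=b"ssh-ed25519"):
    """Constructed, non-functional key in SSH wire format (all-zero key bytes)."""
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", 32) + bytes(32)
    return base64.b64encode(blob).decode()
```

The rejected list is worth reviewing before the generated file is deployed, since a refused line means a committer's submitted key will not grant access.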


[Python-Dev] root@python doc cron job failure messages

2012-08-22 Thread Terry Reedy
root@python is indirectly trying to send doc cron job failure messages 
to the python-checkins list. Headers below. They are caught and held 
for moderation since "Blind carbon copies or other implicit destinations 
are not allowed." I think it is a mistake to send these messages to 
checkins, which has enough checkins traffic already, but I do not know 
who is responsible to fix the situation. The last two examples:


"home/docs/devguide/documenting.rst:773: WARNING: term not in glossary: 
bytecode"


"abort: error: Connection timed out"

Headers:
Return-Path: 
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from albatross.python.org (localhost [127.0.0.1])
by mail.python.org (Postfix) with ESMTP id 3X2G3z3xCNzQjK;
Wed, 22 Aug 2012 19:30:23 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=python.org; s=200901;
t=1345656623; bh=conhuN6h+7FXE7LPMr0jHBM5W+Bs5Ld9a8QDgyfQyA4=;
h=Date:Message-Id:From:To:Subject:Content-Type;
b=lVY4n5KqDW1Qzzy4ngaHTMcO7wCbBlDQzSPWDqaNsUGwrBrcjtY1X8+hiDNsDxUA/
 A/wYxK1w887LE2mbzqzONtg2zoUau0cvTvG52sg0aXHqWLidRNbvJZ3WxYeYSC1ph/
 pK5u6M9JBd5a1HOiyiTOA5uTu6DWXATy04FTkjdM=
X-Spam-Status: OK 0.009
X-Spam-Evidence: '*H*': 0.98; '*S*': 0.00;
'received:dinsdale.python.org': 0.03; 'error:': 0.05;
'subject:build': 0.07; 'subject: <': 0.09; 'message-
id:@dinsdale.python.org': 0.16; 'subject:home': 0.16; 'timed':
0.16; 'from:addr:python.org': 0.17; 'subject:/': 0.28;
'connection': 0.30; 'received:python.org': 0.31; 'received:org':
0.36; 'subject:-': 0.40; 'header:Message-Id:1': 0.62;
'to:addr:docs': 0.68; 'subject:@': 0.81
Received: from localhost (HELO mail.python.org) (127.0.0.1)
  by albatross.python.org with SMTP; 22 Aug 2012 19:30:23 +0200
Received: from dinsdale.python.org (svn.python.org 
[IPv6:2001:888:2000:d::a4])

(using TLSv1 with cipher AES256-SHA (256/256 bits))
(No client certificate requested)
by mail.python.org (Postfix) with ESMTPS;
Wed, 22 Aug 2012 19:30:23 +0200 (CEST)
Received: from docs by dinsdale.python.org with local (Exim 4.72)
(envelope-from )
id 1T4El5-0007tw-4K
for [email protected]; Wed, 22 Aug 2012 19:30:23 +0200
Date: Wed, 22 Aug 2012 19:30:23 +0200
Message-Id: 
From: [email protected] (Cron Daemon)
To: [email protected]
Subject: Cron  /home/docs/build-devguide
Content-Type: text/plain; charset=UTF-8
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 

--
Terry Jan Reedy



Re: [Python-Dev] [Infrastructure] Snakebite build slaves and developer SSH/GPG public keys

2012-08-22 Thread Noah Kantrowitz
For everyone with a record in the Chef server (read: everyone with SSH access 
to any of the PSF servers at OSL) I can easily give you automated access. What's 
the easiest format? I can give you a Python script that will spit out files or 
JSON or more or less whatever else you want.

--Noah

On Aug 23, 2012, at 10:28 AM, Trent Nelson wrote:

> Hi folks,
> 
>I've set up a bunch of Snakebite build slaves over the past week.
>One of the original goals was to provide Python committers with
>full access to the slaves, which I'm still keen on providing.
> 
>What's a nice simple way to achieve that in the interim?  Here's
>what I was thinking:
> 
>- Create a new hg repo: hg.python.org/keys.
> 
>- Committers can push to it just like any other repo (i.e.
>  same ssh/authz configuration as cpython).
> 
>- Repo is laid out as follows:
>keys/
>/
>ssh (ssh public key)
>gpg (gpg public key)
> 
>- Prime the repo with the current .ssh/authorized_keys
>  (presuming you still use the --tunnel-user facility?).
> 
>That'll provide me with everything I need to set up the relevant
>.ssh/authorized_keys stuff on the Snakebite side.  GPG keys will
>be handy if I ever need to send passwords over e-mail (which I'll
>probably have to do initially for those that want to RDP into the
>Windows slaves).
> 
>Thoughts?
> 
>As for the slaves, here's what's up and running now:
> 
>- AMD64 Mountain Lion [SB]
>- AMD64 FreeBSD 8.2 [SB]
>- AMD64 FreeBSD 9.1 [SB]
>- AMD64 NetBSD 5.1.2 [SB]
>- AMD64 OpenBSD 5.1 [SB]
>- AMD64 DragonFlyBSD 3.0.2 [SB]
>- AMD64 Windows Server 2008 R2 SP1 [SB]
>- x86 NetBSD 5.1.2 [SB]
>- x86 OpenBSD 5.1 [SB]
>- x86 DragonFlyBSD 3.0.2 [SB]
>- x86 Windows Server 2003 R2 SP2 [SB]
>- x86 Windows Server 2008 R2 SP1 [SB]
> 
>All the FreeBSD ones use ZFS, all the DragonFly ones use HAMMER.
>DragonFly, NetBSD and OpenBSD are currently reporting all sorts
>of weird and wonderful errors, which is partly why I want to set
>up ssh access sooner rather than later.
> 
>Other slaves on the horizon (i.e. hardware is up, OS is installed):
> 
>- Windows 8 x64 (w/ VS2010 and VS2012)
>- HP-UX 11iv2 PA-RISC
>- HP-UX 11iv3 Itanium (64GB RAM)
>- AIX 5.3 RS/6000
>- AIX 6.1 RS/6000
>- AIX 7.1 RS/6000
>- Solaris 9 SPARC
>- Solaris 10 SPARC
> 
>Nostalgia slaves that probably won't ever see green:
>- IRIX 6.5.33 MIPS
>- Tru64 5.1B Alpha
> 
>If anyone wants ssh access now to the UNIX platforms in order to
>debug/test, feel free to e-mail me directly with your ssh public
>keys.
> 
>For committers on other Python projects like Buildbot, Django and
>Twisted that may be reading this -- yes, the plan is to give you
>guys Snakebite access/slaves down the track too.  I'll start looking
>into that after I've finished setting up the remaining slaves for
>Python.  (Setting up a keys repo will definitely help (doesn't have
>to be hg -- feel free to use svn/git/whatever, just try and follow
>the same layout).)
> 
>Regards,
> 
>Trent "that-took-a-bit-longer-than-expected" Nelson.
> 


Re: [Python-Dev] Snakebite build slaves and developer SSH/GPG public keys

2012-08-22 Thread Nick Coghlan
On Thu, Aug 23, 2012 at 8:28 AM, Trent Nelson  wrote:
> Hi folks,
>
> I've set up a bunch of Snakebite build slaves over the past week.
> One of the original goals was to provide Python committers with
> full access to the slaves, which I'm still keen on providing.
>
> What's a nice simple way to achieve that in the interim?  Here's
> what I was thinking:
>
> - Create a new hg repo: hg.python.org/keys.
>
> - Committers can push to it just like any other repo (i.e.
>   same ssh/authz configuration as cpython).
>
> - Repo is laid out as follows:
> keys/
> /
> ssh (ssh public key)
> gpg (gpg public key)
>
> - Prime the repo with the current .ssh/authorized_keys
>   (presuming you still use the --tunnel-user facility?).

Make ssh and gpg directories and this sounds like a usefully secure
way to allow us to add extra keys (currently, there's a security hole
in the fact that requests to change our registered ssh key for access
are not themselves authenticated electronically)

Also, nice work on getting to this point, even though it turned out to
be a lot more work than you originally anticipated!

Cheers,
Nick.

-- 
Nick Coghlan   |   [email protected]   |   Brisbane, Australia


Re: [Python-Dev] [Infrastructure] Snakebite build slaves and developer SSH/GPG public keys

2012-08-22 Thread Brett Cannon
On Wed, Aug 22, 2012 at 7:03 PM, Nick Coghlan  wrote:

> On Thu, Aug 23, 2012 at 8:28 AM, Trent Nelson  wrote:
> > Hi folks,
> >
> > I've set up a bunch of Snakebite build slaves over the past week.
> > One of the original goals was to provide Python committers with
> > full access to the slaves, which I'm still keen on providing.
> >
> > What's a nice simple way to achieve that in the interim?  Here's
> > what I was thinking:
> >
> > - Create a new hg repo: hg.python.org/keys.
> >
> > - Committers can push to it just like any other repo (i.e.
> >   same ssh/authz configuration as cpython).
> >
> > - Repo is laid out as follows:
> > keys/
> > /
> > ssh (ssh public key)
> > gpg (gpg public key)
> >
> > - Prime the repo with the current .ssh/authorized_keys
> >   (presuming you still use the --tunnel-user facility?).
>
> Make ssh and gpg directories and this sounds like a usefully secure
> way to allow us to add extra keys (currently, there's a security hole
> in the fact that requests to change our registered ssh key for access
> are not themselves authenticated electronically)
>

Screw security, it would mean ssh keys would be self-serve! =) No more
having to email an alias that bugs Georg and Antoine to add a key when you
can do it yourself (or for the person who you nominated to gain commit
access).

This assumes, of course, that Georg, Antoine, and Martin are cool with this
and can get some hook set up to make this work with our current setup.


>
> Also, nice work on getting to this point, even though it turned out to
> be a lot more work than you originally anticipated!
>

I expect a TIP BoF update at PyCon US 2013 or else I consider this an early
April Fool's joke. =)


Re: [Python-Dev] [Infrastructure] Snakebite build slaves and developer SSH/GPG public keys

2012-08-22 Thread R. David Murray
On Thu, 23 Aug 2012 10:53:34 +1200, Noah Kantrowitz  wrote:
> For everyone with a record in the Chef server (read: everyone with SSH access 
> to any of the PSF servers at OSL) I can easily give you automated access. 
> What's the easiest format? I can give you a Python script that will spit out 
> files or JSON or more or less whatever else you want.

That isn't going to be the right set of keys for Trent's purposes
(though it is likely to be a subset).  The keyfile we use for the hg
repository is.

--David