ReleaseEngineering/Day 1 Checklist: Difference between revisions

Edit summary: moved access instructions to the top. updated to reflect sso and jumphost reality
(Previous revision's edit summary: Add release-drivers list.)

* Read and keep up to date with: [[ReleaseEngineering/Development_Best_Practices|Development Best Practices]]
= Access =

== SSO ==
Generally, we rely on [https://auth0.com/ auth0] across Mozilla for authentication and [https://mana.mozilla.org/wiki/display/SYSADMIN/LDAP+Architecture LDAP] for authorization. Once you have been given LDAP access and have created a permanent password, you can use it to log in to the [https://sso.mozilla.com SSO portal]. From SSO you should have links to the various services: email, IRC, calendar, Slack, mana, etc. More on each of those later on this page.

== login.mozilla.com ==
[https://login.mozilla.com/ login.mozilla.com] is where you can change a number of the authentication/authorization access bits that are under your control. Each to-do in this section assumes you have access to this page.

=== LDAP password reset ===
If you were given a temporary LDAP password or you haven't created your own password yet, you should do this now.

'''''Warning for people who already have an LDAP account:''''' '''Change your password.''' Otherwise, adding you to the releng group may lock your account without further notice.

'''''Note: there is a stronger password policy in releng: users must change their password every 3 months.''''' If you don't change your password, the only symptom will be that one day (already observed after 8 days) your regular password simply stops working. If this happens to you, contact the people in #servicedesk; they will be able to reset your password.

This is mostly applicable only to employees and interns, although it *is* possible for other contributors to acquire some limited LDAP access. Speak to someone you work with on the releng team if you would like to investigate this.

=== SSH ===
Upload your public SSH key. It is a good idea to generate a separate SSH keypair, distinct from your personal one or any other you have created in the past, use it explicitly for Buildduty, and upload that one. Follow the [[Security/Guidelines/OpenSSH#OpenSSH_client|SSH guidelines doc]] on how to generate, configure, and use your SSH key.

Note: an example ssh config for accessing our systems is given below in the Jumphost section.

=== PGP ===
We use PGP keys to share private information and secrets, and to verify that something really came from someone we trust. Generate a keypair for this and upload your public key so others can find it. It would be really good if you could have other people sign your key, adding more trust that the key really belongs to you.

You can use the [https://mana.mozilla.org/wiki/display/SD/Generating+a+GPG+Public+Key pgp quickstart guide on mana] or the [https://www.gnupg.org/gph/en/manual.html GNU Privacy Handbook] for reference.

=== VPN ===
Many of our systems are behind a private network in addition to auth0. Follow the prompts to generate and download an OpenVPN certificate that you can import into your VPN client.

See the instructions on how to [https://mana.mozilla.org/wiki/display/SD/VPN install and configure your VPN client], including help choosing the right client for your platform.

Note: macOS and Windows users should use [https://www.sparklabs.com/viscosity/ Viscosity]. This application comes with a free 30-day trial. During your trial, your manager can help you create a ServiceNow ticket to get a full Viscosity license.

=== MFA ===
This MFA account is specific to login.mozilla.com and is used for LDAP/auth0-based logins. Follow the instructions to download the Duo Mobile app and create a Mozilla account.

Note: later on this page we will create more MFA accounts for various systems, such as GitHub and our Jumphost.

== Jumphost ==
To access any of the Release Engineering, Taskcluster, and Release Operations hosts directly, you will need to go through VPN -> a Jumphost machine -> separate MFA -> your target host.

To do that, you and your manager will need to file a ticket against Release Operations and have them send you an invite to add an MFA account in your Duo app.

Then, once you have your Jumphost MFA set up correctly, you will need to configure ssh to route through the jumphost before trying to reach the target host you want.

Example ssh config:
<source lang="ruby">
# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to.
HashKnownHosts yes
# Host keys the client accepts - order here is honored by OpenSSH
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256

Host hg.mozilla.org git.mozilla.org
    User USERNAME@mozilla.com
    Compression yes
    ServerAliveInterval 300

Host *.mozilla.com
    User USERNAME
    IdentityFile ~/.ssh/id_rsa_mozilla_2017-05-12
    Compression yes
    ServerAliveInterval 300

Host *.build.mozilla.org
    Compression yes
    User cltbld
    ServerAliveInterval 300

Host rejh?.srv.releng.????.mozilla.com
    # (unchanged lines of this block are not shown in the revision diff)
    ControlPersist 10m
    ForwardAgent no

Host *.releng.mdc1.mozilla.com !rejh?.srv.releng.mdc1.mozilla.com !*.private.releng.????.mozilla.com
    ProxyJump rejh1.srv.releng.mdc1.mozilla.com
Host *.releng.us??.mozilla.com *.releng.scl3.mozilla.com !rejh?.srv.releng.????.mozilla.com !*.private.releng.scl3.mozilla.com
    ProxyJump rejh1.srv.releng.scl3.mozilla.com
</source>

== Buildduty LDAP groups ==
You may have access to the [https://ldapadmin1.private.scl3.mozilla.com/manage/ ldap admin page], where you can see the groups on your own record. This page is behind VPN and auth0.

Although you can read your current groups, you will not be able to modify them. To add the Buildduty groups you need, you and your manager will need to file a ticket under "MOC: Service Requests".

Example LDAP groups you may have by default:
  cn=corp-vpn,ou=groups,dc=mozilla
  cn=IntranetWiki,ou=groups,dc=mozilla
  cn=irccloud,ou=groups,dc=mozilla
  cn=mfa,ou=groups,dc=mozilla
  cn=phonebook_access,ou=groups,dc=mozilla
  cn=team_moco,ou=groups,dc=mozilla
  cn=vpn_corp,ou=groups,dc=mozilla
  cn=vpn_default,ou=groups,dc=mozilla


Example LDAP groups you may need to file for and request to be added (example: Bug 1434168):
  cn=releng,ou=groups,dc=mozilla
  cn=RelEngWiki,ou=groups,dc=mozilla
  cn=vpn_releng,ou=groups,dc=mozilla
  cn=vpn_releng_loan,ou=groups,dc=mozilla
  cn=vpn_relengwiki,ou=groups,dc=mozilla
  cn=vpn_tooltooleditor,ou=groups,dc=mozilla
  cn=inventory,ou=groups,dc=mozilla
  cn=inventory_build,ou=groups,dc=mozilla
  cn=vpn_inventory,ou=groups,dc=mozilla
  cn=nagiosadmin,ou=groups,dc=mozilla
  cn=GraphsAdmin,ou=groups,dc=mozilla
  cn=active_scm_level_1,ou=groups,dc=mozilla
  cn=all_scm_level_1,ou=groups,dc=mozilla
  cn=vpn_genericrhel6,ou=groups,dc=mozilla
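OpenSSH applies the Host lines of the example ssh config in the Jumphost section above with first-value-wins precedence, '*'/'?' globbing and '!' negations, which is what stops the jumphost from being told to jump through itself. The following is an added example, not from this wiki page, that applies those rules to a trimmed copy of that config so you can check which jumphost a host will be routed through before you connect; USERNAME and the hostnames used in the checks are assumed placeholders.

```python
"""Resolver for ssh_config(5) Host matching: an added example, not part of
the wiki page, showing which hosts the jumphost config above routes where."""
import re

# Constructed, trimmed copy of the page's config: only the lines that decide
# routing and the user name are kept (USERNAME is an assumed placeholder).
SSH_CONFIG = """
HashKnownHosts yes
Host hg.mozilla.org git.mozilla.org
    User USERNAME@mozilla.com
Host *.mozilla.com
    User USERNAME
Host *.build.mozilla.org
    User cltbld
Host rejh?.srv.releng.????.mozilla.com
    ForwardAgent no
Host *.releng.mdc1.mozilla.com !rejh?.srv.releng.mdc1.mozilla.com !*.private.releng.????.mozilla.com
    ProxyJump rejh1.srv.releng.mdc1.mozilla.com
Host *.releng.us??.mozilla.com *.releng.scl3.mozilla.com !rejh?.srv.releng.????.mozilla.com !*.private.releng.scl3.mozilla.com
    ProxyJump rejh1.srv.releng.scl3.mozilla.com
"""


def _glob(pattern):
    # ssh_config patterns know only '*' (any run) and '?' (exactly one char);
    # hostnames are compared case-insensitively.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + rx + "$", re.IGNORECASE)


def block_applies(patterns, hostname):
    """A Host block applies if a positive pattern matches and no '!' pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if _glob(pat[1:]).match(hostname):
                return False          # a negated match vetoes the whole block
        elif _glob(pat).match(hostname):
            matched = True
    return matched


def resolve(config, hostname):
    """Effective options for hostname; as in OpenSSH, the first value set wins."""
    options, applies = {}, True       # lines before any Host line are global
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            applies = block_applies(value.split(), hostname)
        elif applies:
            options.setdefault(key.lower(), value.strip())
    return options


def jump_chain(config, hostname):
    """Hop list from the first jumphost to the target, following ProxyJump."""
    chain, seen = [hostname], {hostname}
    while "proxyjump" in resolve(config, chain[0]):
        hop = resolve(config, chain[0])["proxyjump"]
        if hop in seen:               # the '!rejh?' exclusions should prevent this
            raise ValueError("ProxyJump loop via " + hop)
        chain.insert(0, hop)
        seen.add(hop)
    return chain
```

Running `resolve(SSH_CONFIG, "rejh1.srv.releng.mdc1.mozilla.com")` yields no ProxyJump and `ForwardAgent no`, while a host under `*.private.releng.????.mozilla.com` gets no ProxyJump at all, which is the behaviour the negated patterns in the real config are there to produce.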


== Mercurial (hg) ==
There are also a handful of git repos hosted directly by Mozilla. Your manager/mentor will let you know if you need access to one of these. ([[Github|See also]])

== Other Services ==

= Communication =

== Mail ==
Mozilla mail is handled by [https://mail.google.com/ Gmail] now.

You should be added to the release@mozilla.com Google group as a new hire/intern. This mailing list is managed by Google Groups; owners of the group will be able to add you. Send a test message to release@mozilla.com to verify that your address has been added/subscribed. Talk to your manager if it is not working.

'''WARNING''': release@mozilla.com can contain security-sensitive information. Do not automatically forward your email to a system that is not under Mozilla's control.

=== Mailing lists ===
You'll need to manually subscribe to:
* [https://lists.mozilla.org/listinfo/release-engineering release-engineering] public mailing list
* [https://lists.mozilla.org/listinfo/dev-planning mozilla.dev.planning]
* [https://lists.mozilla.org/listinfo/tools-taskcluster tools-taskcluster]
* [https://mail.mozilla.org/listinfo/release-drivers release-drivers] private list

These are available as [news://news.mozilla.org newsgroups], Google groups, and [https://lists.mozilla.org/listinfo Mailman lists].

=== Mail Filtering ===
With all that new email, you will want to set up some filters in Gmail (https://mail.google.com/mail/u/0/#settings/filters) to move some of the higher-volume automated mail into a folder. You may eventually want to handle this information, but on day one hundreds of nagios notifications are not going to be educational.

Here is [http://people.mozilla.org/~coop/mozillaMailFilters.xml an imperfect set of Gmail filters] that you can import to get you started.

A list of new (and some older) automated emails, indexed by subject along with the relevant actions, is [https://wiki.mozilla.org/ReleaseEngineering/How_To/Process_release_email here].

If you are going to be working on puppet, you should also look at this page on [https://intranet.mozilla.org/RelEngWiki/index.php/How_To/Read_Releng-Shared_Emails how to read releng shared emails].

== Calendar ==
Like mail, we now use [https://www.google.com/calendar/ Google Calendar].

You'll want to subscribe to the following public calendars:
* [https://calendar.google.com/calendar/embed?src=mozilla.com_2d32343333353036312d393737%40resource.calendar.google.com Release Engineering - Public]
* [https://www.google.com/calendar/feeds/mozilla.com_toi1svbfjd878aslutkgj32dco%40group.calendar.google.com/public/basic Releng PTO]

Talk to your manager/mentor to get added to the various other private calendars as appropriate.

== Bugzilla ==
Almost everything at Mozilla goes through Bugzilla. [https://bugzilla.mozilla.org/createaccount.cgi Create a Bugzilla account] if you have not already.

You'll need a few tweaks to your account to get access to everything releng-related:
* Add privileges for the Bugzilla group "build" (Mozilla Build Team). (Can be done by catlee or a Bugzilla admin.)
* Add your IRC nickname & LDAP username as "aliases" for your account:
** log into Bugzilla & follow the links "Preferences" -> "Account Information"
** append the aliases, with a leading ':' and enclosed in brackets ('[]'), to the "Real Name" field
** e.g.: "<tt>Chris AtLee [:catlee]</tt>"
* [https://bugzilla.mozilla.org/page.cgi?id=quicksearch.html QuickSearch help]

== Filing bugs against Release Engineering ==
The product to use is, unsurprisingly, "Release Engineering." There are multiple possible components under that product, so take your best guess or ask for guidance in IRC.

== IRC ==
** #moco access_key is [https://mana.mozilla.org/wiki/display/AVSE/MoCo+Vidyo+Room+and+%23moco+IRC+Channel+Security on mana]
** #firebot for highlighting when you're mentioned in a bug, review request, etc.

IT now also provides a hosted [https://mana.mozilla.org/wiki/display/SD/IRCCloud+Account+Setup IRCCloud] instance you can partake of.

== Slack ==
Some parts of Mozilla prefer Slack to IRC; more info on [https://mana.mozilla.org/wiki/display/CCT/Slack mana].

== Vidyo Services ==
Our primary two-way video meeting platform is Vidyo. Basic usage instructions are [https://mana.mozilla.org/wiki/display/SD/Vidyo+Desktop+3 here]. Especially if you are running Linux, it is highly recommended that you install the client and make test calls prior to any meeting. Many of our team meetings are held in the '''ReleaseEngineering''' room.
* ''Pro tip: many folks have found it useful to have the mobile client preinstalled as a backup device.''
* If you're going to record a meeting, practice first. (Instructions are linked from the [https://mana.mozilla.org/wiki/display/SD/Vidyo+Desktop+3 mana page].)
* Ask team members for details on recording in the '''ReleaseEngineering''' room.

== Wiki ==