Buildduty/day 1 checklist: Difference between revisions

Removed Nagios entry
(first draft of Buildduty focused day1 checklist. Updated and forked from releng)
 
(Removed Nagios entry)
 
(18 intermediate revisions by 3 users not shown)
Line 1: Line 1:
__TOC__
__TOC__


Welcome to Buildduty!  
Welcome to CiDuty!  


This page is meant to serve as a resource for new Buildduty people getting up to speed and ensuring they have access to the appropriate systems that they are expected to use.
This page is meant to serve as a resource for new CiDuty team-members getting up to speed and ensuring they have access to the appropriate systems that they are expected to use.


= Buildduty and the Manifesto =
= CiDuty and the Manifesto =


* Before you start it would be a good idea to make sure you know what Buildduty is all about. Please have a read through of [[ReleaseEngineering/Buildduty_manifesto|the manifesto]]
* Before you start it would be a good idea to make sure you know what CiDuty is all about. Please have a read through of [[ReleaseEngineering/Buildduty_manifesto|the manifesto]]


= Access =
= Access =
Line 13: Line 13:
== SSO ==
== SSO ==


Generally, we rely on [https://auth0.com/ auth0] across Mozilla for authentication and [https://mana.mozilla.org/wiki/display/SYSADMIN/LDAP+Architecture LDAP] for authorization. Once given LDAP and you have created a permanent password, you can use that to login to the [https://sso.mozilla.com SSO portal]. From SSO, you should have links to various services from email, irc, calendar, slack, mana, etc. More on each of those later on this page
Generally, we rely on [https://auth0.com/ auth0] across Mozilla for authentication and [https://mana.mozilla.org/wiki/display/SYSADMIN/LDAP+Architecture LDAP] for authorization. Once given LDAP and you have created a temporary password (about 3 months), you can use that to login to the [https://sso.mozilla.com SSO portal]. From SSO, you should have links to various services from email, irc, calendar, slack, mana, etc. More on each of those later on this page


== login.mozilla.com ==
== login.mozilla.com ==
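Review bot: In the SSO paragraph, "created a temporary password (about 3 months)" is ambiguous: it can read as a one-time bootstrap password or as a normal password that expires after roughly three months. Please state which one is meant, and if it is an expiry, say what the reader has to do when it lapses, since the same credential is what gets them into the SSO portal.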
Line 25: Line 25:
=== SSH ===
=== SSH ===


Upload your public ssh key. It is a good idea to generate a separate ssh keypair from your personal one or any other that you have created in the past and use that explicitly for Buildduty and upload that. Follow this [[Security/Guidelines/OpenSSH#OpenSSH_client|SSH guidelines doc]] on how to generate, configure, and use your ssh key.
Upload your public ssh key. It is a good idea to generate a separate ssh keypair from your personal one or any other that you have created in the past and use that explicitly for CiDuty and upload that. Follow this [[Security/Guidelines/OpenSSH#OpenSSH_client|SSH guidelines doc]] on how to generate, configure, and use your ssh key.


note: example ssh config for accessing our systems given below in Jumphost section
note: example ssh config for accessing our systems given below in Jumphost section
Line 42: Line 42:
See the instructions on how to [https://mana.mozilla.org/wiki/display/SD/VPN install and configure your VPN client] and help choosing the right client for your platform.
See the instructions on how to [https://mana.mozilla.org/wiki/display/SD/VPN install and configure your VPN client] and help choosing the right client for your platform.


note: macOS and Windows users should use [https://www.sparklabs.com/viscosity/ Viscosity]. This application comes with a free 30 day trial. During your trial, your manager can help you create a ServiceNow ticket to get a Viscosity full license.  
note: macOS users should use [https://www.sparklabs.com/viscosity/ Viscosity]. This application comes with a free 30 day trial. During your trial, your manager can help you create a ServiceNow ticket to get a Viscosity full license. While Windows users can use OpenVPN GUI that is free.


=== MFA ===
=== MFA ===
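Review bot: The Windows guidance in the VPN note is tacked on after the Viscosity licensing sentence as a fragment ("While Windows users can use OpenVPN GUI that is free."), so the trial and ServiceNow steps read as if they might apply to both platforms. Suggest one note per platform, for example a macOS note covering Viscosity and its license ticket, and a separate Windows note saying OpenVPN GUI is free and needs no license request.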
Line 52: Line 52:
== Jumphost ==
== Jumphost ==


TODO - how to setup MFA and create ssh config
To access any of Release Engineering, Taskcluster, and Release Operations hosts directly, you will need to go through VPN -> a Jumphost machine -> Separate MFA -> your target host.


== Buildduty LDAP groups ==
To do that, you and your manager will need to file a ticket against Release Operations and have them send you an invite to add an MFA account on your Duo App.


TODO
Then once you have your Jumphost MFA setup correctly, you will need to have your ssh config to correctly route through the jumphost before trying the target host you want.


example ssh config:
<source lang="ruby">
# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to.
HashKnownHosts yes
# Host keys the client accepts - order here is honored by OpenSSH
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
Host hg.mozilla.org git.mozilla.org
    User USERNAME@mozilla.com
    Compression yes
    ServerAliveInterval 300
Host *.mozilla.com
    User USERNAME
    IdentityFile ~/.ssh/id_rsa_mozilla_2017-05-12
    Compression yes
    ServerAliveInterval 300
Host *.build.mozilla.org
    Compression yes
    User cltbld
    ServerAliveInterval 300
Host rejh?.srv.releng.????.mozilla.com
    ControlMaster auto
    ControlPath ~/.ssh/ssh-%C
    ControlPersist 10m
    ForwardAgent no
Host *.releng.mdc1.mozilla.com !rejh?.srv.releng.mdc1.mozilla.com !*.private.releng.????.mozilla.com
    ProxyJump rejh1.srv.releng.mdc1.mozilla.com
Host *.releng.us??.mozilla.com *.releng.scl3.mozilla.com !rejh?.srv.releng.????.mozilla.com !*.private.releng.scl3.mozilla.com
    ProxyJump rejh1.srv.releng.scl3.mozilla.com
</source>


= Communications =
= Communications =


== Mail ==
== Mail ==
TODO
Mozilla mail is handled by [https://mail.google.com/ Gmail].
Mozilla mail is handled by [https://mail.google.com/ Gmail] now.
 
Have your manager subscribe you to this list if you are not already.


You should be added to the release@mozilla.com google group as a new hire/intern. This mailing list is managed by Google groups. Owners of this group will be able to add you. Send a test message to release@m.c to verify that your address has been added/subscribed. Talk to your manager if it is not working.
=== Mailing lists ===


'''WARNING''': release@m.c can contain security-sensitive information. Do not automatically forward your email to a system that is not under Mozilla's control.
Needs permission:
* [https://groups.google.com/a/mozilla.com/forum/?hl=en#!forum/ciduty ciduty@mozilla.com] - this is our team email. Ask owner (jlund) for access
* [https://groups.google.com/a/mozilla.com/forum/?hl=en#!forum/releng-puppet-mail Puppet Mail] (warning: you will want to filter this as it can send a lot of mail)


== Mailing lists ==
You'll also need to manually subscribe to the following public lists:
TODO
You'll need to manually subscribe to:
* [https://lists.mozilla.org/listinfo/release-engineering release-engineering] public mailing list
* [https://lists.mozilla.org/listinfo/release-engineering release-engineering] public mailing list
* [https://lists.mozilla.org/listinfo/dev-planning mozilla.dev.planning]
* [https://lists.mozilla.org/listinfo/dev-planning mozilla.dev.planning]
* [https://lists.mozilla.org/listinfo/dev-tree-management mozilla.dev.tree-management]
* [https://lists.mozilla.org/listinfo/dev-tree-management mozilla.dev.tree-management]
* https://mail.mozilla.org/listinfo/taskcluster-announce - announcements of events, major changes (low volume, no discussion)
* https://lists.mozilla.org/listinfo/tools-taskcluster - general taskcluster discussion
* [https://groups.google.com/a/mozilla.com/forum/#!forum/firefox-ci firefox-ci] mailing list


These are available as [news://news.mozilla.org newsgroups], google groups, and [https://lists.mozilla.org/listinfo Mailman lists]
These are available as [news://news.mozilla.org newsgroups], google groups, and [https://lists.mozilla.org/listinfo Mailman lists]
== Mail Filtering ==
With all that new email, you will want to set up some filters in Gmail (https://mail.google.com/mail/u/0/#settings/filters) to filter some of the higher-volume automated mail into a folder. You may eventually want to handle this information, but on day one hundreds of nagios notifications are not going to be educational.
If you are going to working on puppet, you should also look at this page on [https://intranet.mozilla.org/RelEngWiki/index.php/How_To/Read_Releng-Shared_Emails how to read releng shared emails].


== Calendar ==
== Calendar ==
TODO
Like mail, we now use [https://www.google.com/calendar/ Google calendar].
Like mail, we now use [https://www.google.com/calendar/ Google calendar].


You'll want to subscribe to the following public calendars:
You'll want to subscribe to the following public calendars:
* [https://calendar.google.com/calendar/embed?src=mozilla.com_2d32343333353036312d393737%40resource.calendar.google.com Release Engineering - Public]
* [https://calendar.google.com/calendar/embed?src=mozilla.com_2d32343333353036312d393737%40resource.calendar.google.com Release Engineering - Public]
* [https://www.google.com/calendar/feeds/mozilla.com_toi1svbfjd878aslutkgj32dco%40group.calendar.google.com/public/basic Releng PTO]


Talk to your manager/mentor to get added to the various other private calendars as appropriate.


== Bugzilla ==
== Bugzilla ==
TODO
 
Almost everything at Mozilla goes through Bugzilla. [https://bugzilla.mozilla.org/createaccount.cgi Create a Bugzilla account] if you have not already.
Almost everything at Mozilla goes through Bugzilla. [https://bugzilla.mozilla.org/createaccount.cgi Create a Bugzilla account] if you have not already. You should setup MFA and can reuse your LDAP based MFA account.


You'll need a few tweaks to your account to get access to everything releng-related:
You'll need a few tweaks to your account to get access to everything releng-related:
* Use your LDAP email if you would like. You can use a personal one or bugzilla specific one if you prefer to filter that way
* Add privileges for bugzilla group "build" (Mozilla Build Team) (Can be done by catlee or bugzilla admin.)
* Add privileges for bugzilla group "build" (Mozilla Build Team) (Can be done by catlee or bugzilla admin.)
* Add your irc nickname &amp; ldap username as &quot;aliases&quot; for your account
* Add your irc nickname &amp; ldap username as &quot;aliases&quot; for your account
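Review bot: The Mail section loses the line "'''WARNING''': release@m.c can contain security-sensitive information. Do not automatically forward your email to a system that is not under Mozilla's control." and nothing equivalent appears next to the new ciduty@mozilla.com and Puppet Mail entries. If those lists can carry sensitive content as well, keep the no-auto-forward warning and name the new lists in it. Separately, in the Jumphost section the example is an OpenSSH client config but is wrapped in <source lang="ruby">, so it will be highlighted as Ruby; a plain text or config lexer would be more accurate.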
Line 108: Line 139:


== Vidyo ==
== Vidyo ==
TODO
Our primary two way video meeting platform is Vidyo. Basic usage instructions are [https://mana.mozilla.org/wiki/display/SD/Vidyo+Desktop+3 here]. Especially if you are running linux, it is highly recommended that you install the client and make test calls prior to any meeting. Many of our team meetings are held in the '''ReleaseEngineering''' room.
* ''Pro tip: many folks have found the mobile client useful to have preinstalled as a backup device.''
* If you're going to record a meeting, practice first. (Instructions are linked from [https://mana.mozilla.org/wiki/display/SD/Vidyo+Desktop+3 mana page].)
* Ask team members for details on recording in the '''ReleaseEngineering''' room.


Our primary two way video meeting platform is Vidyo. Basic usage instructions are [https://mana.mozilla.org/wiki/display/SD/Vidyo+Desktop+3 here]. Especially if you are running linux, it is highly recommended that you install the client and make test calls prior to any meeting.
Special [https://mana.mozilla.org/wiki/display/~gene@mozilla.com/How+to+get+Vidyo+working+on+Ubuntu+16.04+and+newer Ubuntu instructions] that may help
Add to your contact list the CiDuty room


== IRC ==
== IRC ==
Line 120: Line 151:


Useful channels
Useful channels
* #buildduty, #releng, #taskcluster, #developers, #mobile, #ateam, #moc
* #ci, #releaseduty, #releng-bots #taskcluster, #developers, #mobile, #ateam, #moc
 
Protected channels
* #platform-ops-soc, #platform-ops-alerts
  * password in secrets repo
* you don't need to join all of these but some may be useful: https://mana.mozilla.org/wiki/display/SYSADMIN/IRC+use+within+IT
  * passwordw in mana


== Slack ==
== Slack ==
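Review bot: The new "Protected channels" list has three markup and spelling problems: the sub-items are written as "  * password in secrets repo" with leading spaces, which MediaWiki renders as preformatted text rather than a nested bullet (use "**" as the Other Services list does); "passwordw in mana" has a typo; and the channel list is missing a comma between "#releng-bots" and "#taskcluster". It would also help to make clear which channel each password note refers to, since the second one currently hangs under the mana link line rather than under a channel name.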
Line 149: Line 186:


The root webview of the Mozilla hg repositories is here: https://hg.mozilla.org/
The root webview of the Mozilla hg repositories is here: https://hg.mozilla.org/
Most releng code lives in repos under https://hg.mozilla.org/build


There are 3 levels of commit access:
There are 3 levels of commit access:
Line 162: Line 197:
== Git & Github ==
== Git & Github ==


There are git mirrors of many popular Mozilla repositories. One of the Mozilla github admins (catlee, kmoir, jlund) can add you to the following GitHub groups:
There are git mirrors of many popular Mozilla repositories. One of the Mozilla github admins (jlund) can add you to the following GitHub groups:
* [https://github.com/mozilla-releng Mozilla-Releng organization]
* [https://github.com/orgs/mozilla-releng/teams/buildduty/members CiDuty Github Team]
* [https://github.com/orgs/mozilla/teams/releng Releng team within the Mozilla organization]  


There are also a handful of git repos hosted directly by Mozilla. Your manager/mentor will let you know if you need access to one of these. ([[Github|See also]])
There are also a handful of git repos hosted directly by Mozilla. Your manager/mentor will let you know if you need access to one of these. ([[Github|See also]])


= Secrets =
Releng and Relops have a shared repo of secrets. Please reach out to jlund or another manager for instructions on how to access and ask to be add yourself as a recipient to every secret that the rest of the CiDuty team (users/buildduty-fingerprints) has access to
= Releng/TC AWS account =
File a release engineering "general" ticket and needinfo jlund or another releng manager to create a user account and add you to the CiDuty group


= Other Services =
= Other Services =


For access to other services, you'll need file a couple of bugs:
For access to other services, you'll need file a couple of bugs:
* Access to [http://nagios.mozilla.org/nagios/ Nagios]
* Access to Papertrail
** File a bug in bugzilla under 'MOC: Service Requests'
** ask jlund or another manager to be added to the encrypted file in the secrets repo
* Access to [https://inventory.mozilla.org/en-US/#inventory inventory]
** File a bug under 'Infrastructure & Operations::WebOps: Inventory'
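Review bot: In the new Secrets section, "ask to be add yourself as a recipient to every secret" is garbled and leaves it unclear whether the new team member or an existing recipient performs the change; suggest "ask to be added as a recipient to every secret that the rest of the CiDuty team (users/buildduty-fingerprints) can read". The "= Releng/TC AWS account =" heading also follows that paragraph with no blank line, and the GitHub team link and fingerprints path still use the buildduty name while the visible text says CiDuty, which is worth a brief note so readers do not go looking for a renamed team.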