(first draft of Buildduty focused day1 checklist. Updated and forked from releng) |
(Removed Nagios entry) |
||
(18 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
__TOC__ | __TOC__ | ||
Welcome to | Welcome to CiDuty! | ||
This page is meant to serve as a resource for new | This page is meant to serve as a resource for new CiDuty team-members getting up to speed and ensuring they have access to the appropriate systems that they are expected to use. | ||
= | = CiDuty and the Manifesto = | ||
* Before you start it would be a good idea to make sure you know what | * Before you start it would be a good idea to make sure you know what CiDuty is all about. Please have a read through of [[ReleaseEngineering/Buildduty_manifesto|the manifesto]] | ||
= Access = | = Access = | ||
Line 13: | Line 13: | ||
== SSO == | == SSO == | ||
Generally, we rely on [https://auth0.com/ auth0] across Mozilla for authentication and [https://mana.mozilla.org/wiki/display/SYSADMIN/LDAP+Architecture LDAP] for authorization. Once given LDAP and you have created a | Generally, we rely on [https://auth0.com/ auth0] across Mozilla for authentication and [https://mana.mozilla.org/wiki/display/SYSADMIN/LDAP+Architecture LDAP] for authorization. Once given LDAP and you have created a temporary password (about 3 months), you can use that to login to the [https://sso.mozilla.com SSO portal]. From SSO, you should have links to various services from email, irc, calendar, slack, mana, etc. More on each of those later on this page | ||
== login.mozilla.com == | == login.mozilla.com == | ||
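Review bot: In the new SSO sentence, "temporary password (about 3 months)" does not say what the three months measure. If it is how long the password stays valid, state that and say what a new team member does when it expires. The added last sentence, "More on each of those later on this page", is also missing its full stop.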
Line 25: | Line 25: | ||
=== SSH === | === SSH === | ||
Upload your public ssh key. It is a good idea to generate a separate ssh keypair from your personal one or any other that you have created in the past and use that explicitly for | Upload your public ssh key. It is a good idea to generate a separate ssh keypair from your personal one or any other that you have created in the past and use that explicitly for CiDuty and upload that. Follow this [[Security/Guidelines/OpenSSH#OpenSSH_client|SSH guidelines doc]] on how to generate, configure, and use your ssh key. | ||
note: example ssh config for accessing our systems given below in Jumphost section | note: example ssh config for accessing our systems given below in Jumphost section | ||
Line 42: | Line 42: | ||
See the instructions on how to [https://mana.mozilla.org/wiki/display/SD/VPN install and configure your VPN client] and help choosing the right client for your platform. | See the instructions on how to [https://mana.mozilla.org/wiki/display/SD/VPN install and configure your VPN client] and help choosing the right client for your platform. | ||
note: macOS | note: macOS users should use [https://www.sparklabs.com/viscosity/ Viscosity]. This application comes with a free 30 day trial. During your trial, your manager can help you create a ServiceNow ticket to get a Viscosity full license. While Windows users can use OpenVPN GUI that is free. | ||
=== MFA === | === MFA === | ||
Line 52: | Line 52: | ||
== Jumphost == | == Jumphost == | ||
To access any of Release Engineering, Taskcluster, and Release Operations hosts directly, you will need to go through VPN -> a Jumphost machine -> Separate MFA -> your target host. | |||
To do that, you and your manager will need to file a ticket against Release Operations and have them send you an invite to add an MFA account on your Duo App. | |||
Then once you have your Jumphost MFA setup correctly, you will need to have your ssh config to correctly route through the jumphost before trying the target host you want. | |||
example ssh config: | |||
<source lang="ruby"> | |||
# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to. | |||
HashKnownHosts yes | |||
# Host keys the client accepts - order here is honored by OpenSSH | |||
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 | |||
Host hg.mozilla.org git.mozilla.org | |||
User USERNAME@mozilla.com | |||
Compression yes | |||
ServerAliveInterval 300 | |||
Host *.mozilla.com | |||
User USERNAME | |||
IdentityFile ~/.ssh/id_rsa_mozilla_2017-05-12 | |||
Compression yes | |||
ServerAliveInterval 300 | |||
Host *.build.mozilla.org | |||
Compression yes | |||
User cltbld | |||
ServerAliveInterval 300 | |||
Host rejh?.srv.releng.????.mozilla.com | |||
ControlMaster auto | |||
ControlPath ~/.ssh/ssh-%C | |||
ControlPersist 10m | |||
ForwardAgent no | |||
Host *.releng.mdc1.mozilla.com !rejh?.srv.releng.mdc1.mozilla.com !*.private.releng.????.mozilla.com | |||
ProxyJump rejh1.srv.releng.mdc1.mozilla.com | |||
Host *.releng.us??.mozilla.com *.releng.scl3.mozilla.com !rejh?.srv.releng.????.mozilla.com !*.private.releng.scl3.mozilla.com | |||
ProxyJump rejh1.srv.releng.scl3.mozilla.com | |||
</source> | |||
= Communications = | = Communications = | ||
== Mail == | == Mail == | ||
Mozilla mail is handled by [https://mail.google.com/ Gmail]. | |||
Mozilla mail is handled by [https://mail.google.com/ Gmail] | |||
Have your manager subscribe you to this list if you are not already. | |||
=== Mailing lists === | |||
Needs permission: | |||
* [https://groups.google.com/a/mozilla.com/forum/?hl=en#!forum/ciduty ciduty@mozilla.com] - this is our team email. Ask owner (jlund) for access | |||
* [https://groups.google.com/a/mozilla.com/forum/?hl=en#!forum/releng-puppet-mail Puppet Mail] (warning: you will want to filter this as it can send a lot of mail) | |||
You'll also need to manually subscribe to the following public lists: | |||
You'll need to manually subscribe to: | |||
* [https://lists.mozilla.org/listinfo/release-engineering release-engineering] public mailing list | * [https://lists.mozilla.org/listinfo/release-engineering release-engineering] public mailing list | ||
* [https://lists.mozilla.org/listinfo/dev-planning mozilla.dev.planning] | * [https://lists.mozilla.org/listinfo/dev-planning mozilla.dev.planning] | ||
* [https://lists.mozilla.org/listinfo/dev-tree-management mozilla.dev.tree-management] | * [https://lists.mozilla.org/listinfo/dev-tree-management mozilla.dev.tree-management] | ||
* https://mail.mozilla.org/listinfo/taskcluster-announce - announcements of events, major changes (low volume, no discussion) | |||
* https://lists.mozilla.org/listinfo/tools-taskcluster - general taskcluster discussion | |||
* [https://groups.google.com/a/mozilla.com/forum/#!forum/firefox-ci firefox-ci] mailing list | |||
These are available as [news://news.mozilla.org newsgroups], google groups, and [https://lists.mozilla.org/listinfo Mailman lists] | These are available as [news://news.mozilla.org newsgroups], google groups, and [https://lists.mozilla.org/listinfo Mailman lists] | ||
== Calendar == | == Calendar == | ||
Like mail, we now use [https://www.google.com/calendar/ Google calendar]. | Like mail, we now use [https://www.google.com/calendar/ Google calendar]. | ||
You'll want to subscribe to the following public calendars: | You'll want to subscribe to the following public calendars: | ||
* [https://calendar.google.com/calendar/embed?src=mozilla.com_2d32343333353036312d393737%40resource.calendar.google.com Release Engineering - Public] | * [https://calendar.google.com/calendar/embed?src=mozilla.com_2d32343333353036312d393737%40resource.calendar.google.com Release Engineering - Public] | ||
== Bugzilla == | == Bugzilla == | ||
Almost everything at Mozilla goes through Bugzilla. [https://bugzilla.mozilla.org/createaccount.cgi Create a Bugzilla account] if you have not already. | Almost everything at Mozilla goes through Bugzilla. [https://bugzilla.mozilla.org/createaccount.cgi Create a Bugzilla account] if you have not already. You should setup MFA and can reuse your LDAP based MFA account. | ||
You'll need a few tweaks to your account to get access to everything releng-related: | You'll need a few tweaks to your account to get access to everything releng-related: | ||
* Use your LDAP email if you would like. You can use a personal one or bugzilla specific one if you prefer to filter that way | |||
* Add privileges for bugzilla group "build" (Mozilla Build Team) (Can be done by catlee or bugzilla admin.) | * Add privileges for bugzilla group "build" (Mozilla Build Team) (Can be done by catlee or bugzilla admin.) | ||
* Add your irc nickname & ldap username as "aliases" for your account | * Add your irc nickname & ldap username as "aliases" for your account | ||
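Review bot: In the example ssh config added under Jumphost, the two ProxyJump blocks exclude different host sets. The mdc1 block uses `!*.private.releng.????.mozilla.com`, but the block that also matches `*.releng.us??.mozilla.com` only excludes `!*.private.releng.scl3.mozilla.com`, so any name matching `*.private.releng.us??.mozilla.com` would still be sent through rejh1.srv.releng.scl3.mozilla.com. Use the same `????` exclusion in both blocks, or add a comment saying why they differ. Two smaller points in the same block: it is tagged `<source lang="ruby">` although it is OpenSSH client configuration, and `IdentityFile ~/.ssh/id_rsa_mozilla_2017-05-12` reads like one person's key file next to the `USERNAME` placeholders, so mark it as a placeholder for the dedicated key the SSH section asks people to create. The pinned `HostKeyAlgorithms` list may also drift from the SSH guidelines doc linked in the SSH section; consider pointing to that doc for the list.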
Line 108: | Line 139: | ||
== Vidyo == | == Vidyo == | ||
Our primary two way video meeting platform is Vidyo. Basic usage instructions are [https://mana.mozilla.org/wiki/display/SD/Vidyo+Desktop+3 here]. Especially if you are running linux, it is highly recommended that you install the client and make test calls prior to any meeting. | |||
Special [https://mana.mozilla.org/wiki/display/~gene@mozilla.com/How+to+get+Vidyo+working+on+Ubuntu+16.04+and+newer Ubuntu instructions] that may help | |||
Add to your contact list the CiDuty room | |||
== IRC == | == IRC == | ||
Line 120: | Line 151: | ||
Useful channels | Useful channels | ||
* # | * #ci, #releaseduty, #releng-bots #taskcluster, #developers, #mobile, #ateam, #moc | ||
Protected channels | |||
* #platform-ops-soc, #platform-ops-alerts | |||
* password in secrets repo | |||
* you don't need to join all of these but some may be useful: https://mana.mozilla.org/wiki/display/SYSADMIN/IRC+use+within+IT | |||
* passwordw in mana | |||
== Slack == | == Slack == | ||
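Review bot: The new bullets under "Protected channels" contain a typo ("passwordw in mana") and do not make clear which channels each password location applies to: "password in secrets repo" follows #platform-ops-soc and #platform-ops-alerts, while "passwordw in mana" follows the link to the IT IRC page. Fix the spelling and nest each pointer under the channel names it covers, so a reader knows where to look for which channel.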
Line 149: | Line 186: | ||
The root webview of the Mozilla hg repositories is here: https://hg.mozilla.org/ | The root webview of the Mozilla hg repositories is here: https://hg.mozilla.org/ | ||
There are 3 levels of commit access: | There are 3 levels of commit access: | ||
Line 162: | Line 197: | ||
== Git & Github == | == Git & Github == | ||
There are git mirrors of many popular Mozilla repositories. One of the Mozilla github admins ( | There are git mirrors of many popular Mozilla repositories. One of the Mozilla github admins (jlund) can add you to the following GitHub groups: | ||
* [https://github.com/mozilla-releng | * [https://github.com/orgs/mozilla-releng/teams/buildduty/members CiDuty Github Team] | ||
There are also a handful of git repos hosted directly by Mozilla. Your manager/mentor will let you know if you need access to one of these. ([[Github|See also]]) | There are also a handful of git repos hosted directly by Mozilla. Your manager/mentor will let you know if you need access to one of these. ([[Github|See also]]) | ||
= Secrets = | |||
Releng and Relops have a shared repo of secrets. Please reach out to jlund or another manager for instructions on how to access and ask to be add yourself as a recipient to every secret that the rest of the CiDuty team (users/buildduty-fingerprints) has access to | |||
= Releng/TC AWS account = | |||
File a release engineering "general" ticket and needinfo jlund or another releng manager to create a user account and add you to the CiDuty group | |||
= Other Services = | = Other Services = | ||
For access to other services, you'll need file a couple of bugs: | For access to other services, you'll need file a couple of bugs: | ||
* Access to | * Access to Papertrail | ||
** | ** ask jlund or another manager to be added to the encrypted file in the secrets repo | ||
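Review bot: In the new Secrets section, "ask to be add yourself as a recipient" does not parse; "ask to be added as a recipient" is probably what was meant. The same sentence asks for access to "every secret that the rest of the CiDuty team (users/buildduty-fingerprints) has access to" on day one, so say whether the full set is really needed at onboarding or can be granted as duties require. Under Other Services, the Papertrail sub-bullet now says to ask a manager to be added to the encrypted file in the secrets repo, but the list is still introduced with "you'll need file a couple of bugs"; adjust the intro to match. The Secrets and AWS paragraphs are also missing their closing full stops.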