Welcome to CiDuty!

This page is meant to serve as a resource for new CiDuty team-members getting up to speed and ensuring they have access to the appropriate systems that they are expected to use.

CiDuty and the Manifesto

• Before you start it would be a good idea to make sure you know what CiDuty is all about. Please have a read through of the manifesto

Access

SSO

Generally, we rely on auth0 across Mozilla for authentication and LDAP for authorization. Once given LDAP and you have created a temporary password (about 3 months), you can use that to login to the SSO portal. From SSO, you should have links to various services from email, irc, calendar, slack, mana, etc. More on each of those later on this page

login.mozilla.com

login.mozilla.com is where you can change a number of authentication/authorization access bits that you have control over. Each todo in this section assumes you have access to this page.

LDAP password reset

If you were given a temporary ldap password or you haven't created your own password yet, you should do this now.

SSH

Upload your public ssh key. It is a good idea to generate a separate ssh keypair from your personal one or any other that you have created in the past and use that explicitly for CiDuty and upload that. Follow this SSH guidelines doc on how to generate, configure, and use your ssh key.

note: example ssh config for accessing our systems given below in Jumphost section

PGP

We use pgp keys to share private information, secrets, and verify that the source came from someone we trust. Generate a keypair for this and upload your public key so others can find it. It would be really good if you could have other people sign your key, adding more trust that this key really belongs to you.

You can use the the pgp quickstart guide on mana or you can use the The GNU Privacy Handbook for reference.

VPN

Many of our systems are behind a private network in addition to auth0. Follow the prompts to generate and download an openVPN certificate that you can use to import to your vpn client.

See the instructions on how to install and configure your VPN client and help choosing the right client for your platform.

note: macOS users should use Viscosity. This application comes with a free 30 day trial. During your trial, your manager can help you create a ServiceNow ticket to get a Viscosity full license. While Windows users can use OpenVPN GUI that is free.

MFA

This MFA account is specific to login.mozilla.com and is used for LDAP/auth0 based logins. Follow the instructions to download the Duo Mobile app and create a Mozilla account.

note: later on in this page we will create more MFA accounts for various systems like Github and accessing our Jumphost

Jumphost

To access any of Release Engineering, Taskcluster, and Release Operations hosts directly, you will need to go through VPN -> a Jumphost machine -> Separate MFA -> your target host.

To do that, you and your manager will need to file a ticket against Release Operations and have them send you an invite to add an MFA account on your Duo App.

Then once you have your Jumphost MFA setup correctly, you will need to have your ssh config to correctly route through the jumphost before trying the target host you want.

example ssh config:

# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to.
HashKnownHosts yes
# Host keys the client accepts - order here is honored by OpenSSH
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256

Host hg.mozilla.org git.mozilla.org
    User USERNAME@mozilla.com
    Compression yes
    ServerAliveInterval 300

Host *.mozilla.com
    User USERNAME
    IdentityFile ~/.ssh/id_rsa_mozilla_2017-05-12
    Compression yes
    ServerAliveInterval 300

Host *.build.mozilla.org
    Compression yes
    User cltbld
    ServerAliveInterval 300

Host rejh?.srv.releng.????.mozilla.com
    ControlMaster auto
    ControlPath ~/.ssh/ssh-%C
    ControlPersist 10m
    ForwardAgent no
 
Host *.releng.mdc1.mozilla.com !rejh?.srv.releng.mdc1.mozilla.com !*.private.releng.????.mozilla.com
    ProxyJump rejh1.srv.releng.mdc1.mozilla.com
 
Host *.releng.us??.mozilla.com *.releng.scl3.mozilla.com !rejh?.srv.releng.????.mozilla.com !*.private.releng.scl3.mozilla.com
    ProxyJump rejh1.srv.releng.scl3.mozilla.com

Communications

Mail

Mozilla mail is handled by Gmail.

Have your manager subscribe you to this list if you are not already.

Mailing lists

Needs permission:

• ciduty@mozilla.com - this is our team email. Ask owner (jlund) for access
• Puppet Mail (warning: you will want to filter this as it can send a lot of mail)

You'll also need to manually subscribe to the following public lists:

• release-engineering public mailing list
• mozilla.dev.planning
• mozilla.dev.tree-management
• https://mail.mozilla.org/listinfo/taskcluster-announce - announcements of events, major changes (low volume, no discussion)
• https://lists.mozilla.org/listinfo/tools-taskcluster - general taskcluster discussion
• firefox-ci mailing list

These are available as newsgroups, google groups, and Mailman lists

Calendar

Like mail, we now use Google calendar.

You'll want to subscribe to the following public calendars:

• Release Engineering - Public

Bugzilla

Almost everything at Mozilla goes through Bugzilla. Create a Bugzilla account if you have not already. You should setup MFA and can reuse your LDAP based MFA account.

You'll need a few tweaks to your account to get access to everything releng-related:

• Use your LDAP email if you would like. You can use a personal one or bugzilla specific one if you prefer to filter that way
• Add privileges for bugzilla group "build" (Mozilla Build Team) (Can be done by catlee or bugzilla admin.)
• Add your irc nickname & ldap username as "aliases" for your account
  • log into bugzilla & follow links "Preferences" -> "Account Information"
  • append the aliases, with a leading ':' and enclosed in brackets ('[]') to the "Real Name" field
  • e.g.: "Chris AtLee [:catlee]"
• QuickSearch help

Vidyo

Our primary two way video meeting platform is Vidyo. Basic usage instructions are here. Especially if you are running linux, it is highly recommended that you install the client and make test calls prior to any meeting.

Special Ubuntu instructions that may help

Add to your contact list the CiDuty room

IRC

Historically, IRC is the primary place for chat based communication. Many people use the locally-hosted irccloud instance. SSO should have a link to the irccloud instance. Servicedesk has some great getting started tips for IRC.

Useful channels

• #ci, #releaseduty, #releng-bots #taskcluster, #developers, #mobile, #ateam, #moc

Protected channels

• #platform-ops-soc, #platform-ops-alerts

 * password in secrets repo

• you don't need to join all of these but some may be useful: https://mana.mozilla.org/wiki/display/SYSADMIN/IRC+use+within+IT

 * passwordw in mana

Slack

Some parts of Mozilla prefer Slack to IRC, more info on mana.

Wiki

wiki.mozilla.org (here) is the main source for public documentation

Mana

Some internal Mozilla systems (IT, HR) are documented on mana. File a ServiceNow ticket if you don't have access when you start.

Google Drive

Google Drive (formerly Google docs) is a preferred way to share things these days. This includes spreadsheets and documents that will change a great deal over time.

Google Drive access should be enabled with your email account when you start. If you need access to a particular document, talk to the document owner or your manager/mentor.

Development

Mercurial (hg)

Most development in releng (and at Mozilla writ-large) is stored in version control using hg.

There is an excellent step-by-step guide for setting up and using hg: Mercurial for Mozillians

The root webview of the Mozilla hg repositories is here: https://hg.mozilla.org/

There are 3 levels of commit access:

• Level 1 access allows you to use the Try Server and setup user repos. As a new contributor, you should request this on day one.
• Level 2 access is required to land code in the build and project repos. Once you have a proven track record of successful patches, you can ask your manager/mentor to vouch for your Level 2 access. Your manager/mentor can also land patches for you until you receive Level 2 access.
• Level 3 access is required to land code in mozilla-central and its derived integration & release branches. At some point in your Mozilla contribution story, you may need Level 3 access but many contributors never do. Talk to your manager/mentor if you think you need this access. You should already have Level 2 access when you request Level 3.

You need to file an IT bug to get hg commit access. Follow the instructions for Becoming a Mozilla Committer, and for Level 2, specify you need access to (at least) hg.mozilla.org/build/* (Product/Component: mozilla.org/Repository Account Requests).

• example request: bug 703351

Git & Github

There are git mirrors of many popular Mozilla repositories. One of the Mozilla github admins (jlund) can add you to the following GitHub groups:

• CiDuty Github Team

There are also a handful of git repos hosted directly by Mozilla. Your manager/mentor will let you know if you need access to one of these. (See also)

Secrets

Releng and Relops have a shared repo of secrets. Please reach out to jlund or another manager for instructions on how to access and ask to be add yourself as a recipient to every secret that the rest of the CiDuty team (users/buildduty-fingerprints) has access to

Releng/TC AWS account

File a release engineering "general" ticket and needinfo jlund or another releng manager to create a user account and add you to the CiDuty group

Other Services

For access to other services, you'll need file a couple of bugs:

• Access to Papertrail
  • ask jlund or another manager to be added to the encrypted file in the secrets repo