CentOS Infrastructure Team
CentOS Infrastructure Team¶
Overview¶
CentOS Infra is mainly managed by the Community Platform Engineering Team, but also accepting infra contributions from Community Contributors, which can be delegated rights on parts of the infra for service[s] they'd like to contribute to, or even be responsible for.
All that is possible at various levels :
- Application level : granted needed credentials (usually authenticated through ACO)
- Ansible role level : through Pull Requests against our Ansible roles and/or inventories
- Machine/Infra level : granted shell/elevated rights based on Ansible rights
Onboarding infra members¶
This is an overview of needed steps to onboard a new sysadmin, having so access everywhere :
Info
Worth knowing that all explained steps don't have to be all applied.
Example: someone can be granted koji
build right for the infra tags, because also of needed delegation for just koji/cbs.centos.org but not needing shell/access anywhere else, so don't apply blindly this process !
IPA Group membership¶
While being part of the sig-infra
group doesn't grant any shell/sudo permission anywhere , it at least reflect that new person joigning the team will be a PoC for infra and also automatically granted :
- rights to build/promote pkgs on the infra koji tags
- a
@centosproject.org
email address (see also the postfix section)
Ansible inventory access (for "full" sysadmin)¶
Based on the Environment that new infra team member needs access to (delegation, as some are in charge of CentOS CI but not -yet- other parts, etc), one needs to be added in a specific ansible list/variables in inventory, the admins_list that contains list of shell accounts to create , with their ssh pub key and if they are granted sudo rights.
From that point, next time Ansible will be ran across servers fleet (either automatically through central mgmt station or manually for the machines in the manual-run
specific group), it will add the new sysadmin (or modify/remove) on the nodes.
To retrieve a sysadmin ssh public key, gpg key or other needed informations, you can directly query IPA through fajson (it needs first to have a working kerberos ticket, so don't forget to kinit
first) :
fas_user="arrfab"
curl --silent --fail --negotiate -u : https://fasjson.fedoraproject.org/v1/users/${fas_user}/|jq
It's required that CentOS Infra members, when they'll be in charge of multiple services and granted elevated rights, will :
- use GnuPG for encryption (for mails and/or to be able to access ansible inventory git repositories) and so public gpg key available through fasjson/IPA/noggin portal
- have their ssh pub key also passphrase protected and with publicy key available on fasjson/IPA/noggin
- have enabled OTP on their account for authentication services
Once you have verified the GPG public key, you can (for git-crypt
ed git repositories for ansible, add the new collaborator like this (do this on each git repo that the new sysadmin is granted access to).
So after you've added the gpg in your own keyring, you can add it to git-crypt
git-crypt add-gpg-user --trusted <replace_with_user_email_listed_in_gpg)
[master e28a784] Add 1 git-crypt collaborator
1 file changed, 1 insertion(+)
create mode 100644 .git-crypt/keys/default/0/<usually_user_gpg_pub_key>.gpg
git push
Zabbix access (for "full" sysadmin)¶
One existing administrator can create (through WebUI - Administration/Users - or through Zabbix API), a new user with the following settings:
- User section
- Alias (username) => matching existing
nick
from authentication - Groups => can be
Zabbix administrators
for full admins - password => randomly generated and initial one sent to new sysadmin by gpg encrypted email, to be changed by user after (note that when we'll switch zabbix to new auth system, that step will be skipped completely)
- Media section
- At least add the
email
media type, sending to his registered email in IPA - Filter out
Not classified
andInformation
severity levels but users can change/fine tune after - Permissions section
- User Type =>
Zabbix Super Admin
: Read-Write everywhere in Zabbix
Various notes¶
IPA groups giving access¶
git/pagure¶
The centos-git-admins
IPA group will give you all needed rights in pagure/git.centos.org, so add user in that group if he needs to be able to administer this git forge solution.
Openshift¶
Git notifications¶
For the current setup for inventories (not the ones hosted on gitlab that is) we can quickly enable commits notifications like this (adapt to the needs/users/projects) :
# Some variables
git_basedir="/repositories/git/centos"
git_repos="ansible-filestore-ci ansible-pkistore-ci ansible-inventory-ci"
git_mailto="rcpt_1@domain.com, rcpt2@otherdomain.com"
git_mailfrom="git@centosproject.org"
pushd ${git_basedir}
for repo in ${git_repos}; do
pushd ${repo}.git
git config multimailhook.mailingList "${git_mailto}"
git config multimailhook.from ${git_mailfrom}
pushd hooks/post-receive.d; test -e git_multimail.py || ln -s /usr/bin/git_multimail.py ; popd
popd
done
popd