action #67804

use non-personal account and key for pushing needles on osd to

Added by okurz 8 months ago. Updated 3 months ago.


See #67213

Acceptance criteria

  • AC1: For pushing needles on osd to a non-personal account (different to "nicksinger") is used

Related issues

Copied from openQA Infrastructure - action #67213: pushing needles on osd to fails (Resolved, 2020-05-25)


#1 Updated by okurz 8 months ago

  • Copied from action #67213: pushing needles on osd to fails added

#2 Updated by okurz 6 months ago

  • Priority changed from Normal to Low

#3 Updated by okurz 3 months ago

  • Target version set to Ready

#4 Updated by okurz 3 months ago

  • Status changed from Workable to In Progress
  • Assignee set to okurz

On osd, in the home directory of "geekotest", there is a directory ~/.ssh which contains:

authorized_keys  config  id_rsa  id_rsa.gitlab  known_hosts  known_hosts.old

IIUC nicksinger has added the key "id_rsa.gitlab" under the account "nicksinger" on so logging in to greets with "nicksinger" but that account is blocked at time of writing, see #75067

I just commented out the section in ~/.ssh/config to use ~/.ssh/id_rsa.gitlab so git+ssh uses "id_rsa" which is already supplied as a valid key for the gitlab user "openqa-pusher". Then in ~/share/tests/sle/products/sle/needles the command git pull --rebase origin master && git push worked because the account "openqa-pusher" is not blocked.

I don't think we actually currently need the specific "gitlab" ssh keys, as we have the generic one already added to gitlab, and I renamed the gitlab one to make it obvious it's unused:

mv id_rsa.gitlab{,.unused}

However, to include that in salt I think it's safer to use a dedicated key anyway. On osd as geekotest I did ssh-keygen -t ed25519 -N '' -C ', openqa-pusher needle pushing to gitlab' -f id_ed25519.gitlab,
added the public key in and included the files into the pillars repo

cd ~/local/openqa/salt-pillars-openqa/hosts/
ssh osd "sudo -u geekotest cat /var/lib/openqa/.ssh/" >
ssh osd "sudo -u geekotest cat /var/lib/openqa/.ssh/id_ed25519.gitlab" > id_ed25519.gitlab

and reference in salt-states-openqa, e.g.

# deploy the private key ('') and the public key ('.pub') from pillar data
{% for i in ['', '.pub'] %}
/var/lib/openqa/.ssh/id_ed25519.gitlab{{i}}:
  file.managed:
    - contents_pillar: id_ed25519.gitlab{{i}}
{% endfor %}

cat config 
  User gitlab
  IdentityFile ~/.ssh/id_ed25519.gitlab
  IdentitiesOnly yes
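
An added example, not part of the ticket or the openQA salt states: a POSIX shell check for the ~/.ssh/config state described in the comment above. It flags an IdentityFile that no longer exists (as after the rename to id_rsa.gitlab.unused), a private key accessible to group or others, and a Host block that pins a key without IdentitiesOnly yes. The function names, the host names gitlab.example.com and old-gitlab.example.com, and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenSSH client config for pinned deploy keys.
# Assumes plain "Keyword value" lines (no Match blocks, no quoted values).
audit_ssh_config() {    # $1 = config file, $2 = directory "~/.ssh" maps to
    findings=0
    parsed=$(awk -v dir="$2" '
        function endblock() { if (n > 0 && only != "yes") print "NOONLY", host }
        BEGIN { host = "*" }
        NF == 0 || $1 ~ /^#/   { next }
        { kw = tolower($1) }
        kw == "host"           { endblock(); host = $2; n = 0; only = ""; next }
        kw == "identitiesonly" { only = tolower($2); next }
        kw == "identityfile"   { n++; p = $2; sub(/^~\/\.ssh/, dir, p); print "KEY", host, p }
        END { endblock() }
    ' "$1")
    while read -r kind host path; do
        case $kind in
        NOONLY) echo "$host: IdentityFile without IdentitiesOnly yes" ;;
        KEY)    if [ ! -f "$path" ]; then
                    echo "$host: missing key ${path##*/}"
                elif [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
                    echo "$host: key ${path##*/} accessible to group or others"
                else continue; fi ;;
        *)      continue ;;
        esac
        findings=$((findings + 1))
    done <<EOF
$parsed
EOF
    [ "$findings" -eq 0 ]    # exit status 0 only when nothing was reported
}
# Constructed sample: a block like the final config above plus a stale block
# that still points at the key renamed to id_rsa.gitlab.unused.
make_sample() {
    d=$(mktemp -d) || return 1
    : > "$d/id_ed25519.gitlab"; chmod 600 "$d/id_ed25519.gitlab"
    : > "$d/id_rsa.gitlab.unused"; chmod 600 "$d/id_rsa.gitlab.unused"
    cat > "$d/config" <<'EOF'
Host gitlab.example.com
  User gitlab
  IdentityFile ~/.ssh/id_ed25519.gitlab
  IdentitiesOnly yes
Host old-gitlab.example.com
  IdentityFile ~/.ssh/id_rsa.gitlab
EOF
    echo "$d"
}
sample=$(make_sample)
audit_ssh_config "$sample/config" "$sample" || echo "audit found problems"
rm -rf "$sample"
```

Without IdentitiesOnly yes, ssh may also offer agent or default keys such as id_rsa, so the push can authenticate as a different account than the one the config intends.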

#6 Updated by okurz 3 months ago

  • Status changed from Feedback to Resolved

generated config on osd looks fine, everything seems to work as expected.
