Add a couple clarifications regarding access requirements #164
base: master
@@ -240,7 +250,7 @@ Once the web page is updated, run the following command to update the CA certifi | |||
verify that the version of the CA certificates match the version that was promoted to release. | |||
|
|||
```bash | |||
# moria.cs.wisc.edu | |||
# dumbo.chtc.wisc.edu |
This doesn't work because we no longer make AFS-specific tarballs. We should replace this step with something else.
I'll update this step in a different PR.
@matyasselmeci @mwestphall @timtheisen one thing that I don't understand here is

> run the following command to update the CA certificates in the tarball installation

This step is after the tarballs are built and copied to the relevant locations on AFS / OASIS. It doesn't look like we're running the update and tar'ing everything back up so this seems like a no-op to me? We also do these sorts of tests in the tarball verification script https://github.com/opensciencegrid/release-tools/blob/master/1-verify-tarballs#L35-L63
I think we can just scratch this step except for verifying that the cadist page is updated
Correct. I just ensure that the cadist page updates.
Just make sure that the page https://repo.opensciencegrid.org/cadist/ updates.
!!! note | ||
Ensure you've [added your SSH key to oasis](https://osg-htc.org/docs/common/contact-registration/#oasis-managers-adding-an-ssh-key) prior | ||
to running this step. Also, ensure you've [enabled SSH agent forwarding](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/using-ssh-agent-forwarding) | ||
from a host with your SSH key (such as your laptop) to dumbo. |
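Review bot: the note tells releasers to enable SSH agent forwarding "from a host with your SSH key (such as your laptop) to dumbo" but does not say why this step needs it or how to scope it. A forwarded agent can be used by anyone with root on the intermediate host for as long as the session is open, so the note should name the connection in this step that needs the key and recommend enabling forwarding only for that session (`ssh -A`, or `ForwardAgent yes` under a `Host` entry for dumbo only) rather than globally.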
Why do we need SSH agent forwarding? We should avoid it and prefer ProxyJump wherever we can: https://www.infoworld.com/article/2266099/proxyjump-is-safer-than-ssh-agent-forwarding.html
I don't think we need SSH agent forwarding. I don't use it and I can upload tarballs just fine. I'd delete that requirement.
@timtheisen the instructions specify running this step on dumbo, so the presumed setup is that you're ssh'ing from your local laptop to dumbo, then to oasis. Oasis does key-based ssh authentication, and I was running into issues not having my ssh key available on dumbo when running this step. My first thought of how to work around this was agent forwarding from my laptop to dumbo (and then to oasis); we can look into other approaches though if that's not the preferred approach.
I see, I have my private key on dumbo. That's the difference.
We discussed this locally and have ideas to do pulls from Pelican instead of pushes so that we don't have to keep private keys on dumbo.
See https://opensciencegrid.atlassian.net/browse/SOFTWARE-6094
No description provided.