Add a couple clarifications regarding access requirements #164
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -17,6 +17,11 @@ Requirements | |
| - `release-tools` scripts in your `PATH` ([GitHub](https://github.com/opensciencegrid/release-tools)) | ||
| - `osg-build` scripts in your `PATH` (installed via OSG yum repos or [source](https://github.com/opensciencegrid/osg-build)) | ||
|
|
||
| !!! note | ||
| The release procedure requires running scripts on both `dumbo` (for AFS-facing operations) and your personal laptop | ||
| (for koji-facing operations). The correct host for each command is indicated by a shell comment in this documentation. | ||
| Ensure you are running each command on the correct host. | ||
|
|
||
| Promoting Packages from Testing to Pre-release | ||
| ---------------------------------------------- | ||
|
|
||
|
|
@@ -201,7 +206,12 @@ Click the `Run Workflow` button, select the `master` branch, and click `Run work | |
| ### Step 5: Install the tarballs into OASIS | ||
|
|
||
| !!! note | ||
| You must be an OASIS manager of the `mis` VO to do these steps. Known managers as of 2025-02-13: Mat, Tim C, Tim T, Brian L, Matt W. | ||
|
|
||
| !!! note | ||
| Ensure you've [added your SSH key to oasis](https://osg-htc.org/docs/common/contact-registration/#oasis-managers-adding-an-ssh-key) prior | ||
| to running this step. Also, ensure you've [enabled SSH agent forwarding](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/using-ssh-agent-forwarding) | ||
| from a host with your SSH key (such as your laptop) to dumbo. | ||
|
|
||
| Get the uploader script from Git and run it with `osgrun` from the UW AFS install of the tarball client you made earlier. On a UW CSL machine: | ||
|
|
||
|
|
@@ -240,7 +250,7 @@ Once the web page is updated, run the following command to update the CA certifi | |
| verify that the version of the CA certificates match the version that was promoted to release. | ||
|
|
||
| ```bash | ||
| # dumbo.chtc.wisc.edu | ||
|
There was a problem hiding this comment. This doesn't work. Because we nolonger make an AFS specific tarballs. We should replace this step with something else. There was a problem hiding this comment. I'll update this step in a different PR. There was a problem hiding this comment. @matyasselmeci @mwestphall @timtheisen one thing that I don't understand here is
This step is after the tarballs are built and copied to the relevant locations on AFS / OASIS. It doesn't look like we're running the update and tar'ing everything back up so this seems like a no-op to me? We also do these sorts of tests in the tarball verification script https://github.com/opensciencegrid/release-tools/blob/master/1-verify-tarballs#L35-L63 I think we can just scratch this step except for verifying that the cadist page is updated There was a problem hiding this comment. Correct. I just ensure that the cadist page updates. There was a problem hiding this comment. Just make sure that the page https://repo.opensciencegrid.org/cadist/ updates. |
||
| /p/vdt/workspace/tarball-client/current/amd64_rhel7/osgrun osg-update-data | ||
| ``` | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we need SSH agent forwarding? We should avoid prefer
ProxyJumpwherever we can https://www.infoworld.com/article/2266099/proxyjump-is-safer-than-ssh-agent-forwarding.htmlThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we need SSH agent forwarding. I don't use it and I can upload tarballs just fine. I'd delete that requirement.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@timtheisen the instructions specify running this step on dumbo, so the presumed setup is that you're ssh'ing from your local laptop to dumbo, then to oasis. Oasis does key-based ssh authentication, and I was running into issues not having my ssh key available on dumbo when running this step. My first thought of how to work around this was agent forwarding from my laptop to dumbo (and then to oasis), we can look into other approaches though if that's not the preferred aproach.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see, I have my private key on dumbo. That's the difference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We discussed this locally and have ideas to do pulls from Pelican instead of pushes so that we don't have to keep private keys on dumbo
See https://opensciencegrid.atlassian.net/browse/SOFTWARE-6094