I'm a Pungi developer. I would like to test https://pagure.io/pungi/pull-request/1699 in a more realistic environment. In the past I used the staging compose host for that.
I'm in the sysadmin-releng group, I can ssh to production compose hosts, but for some reason the staging one doesn't let me in.
I have the same SSH keys configured in both production and staging FAS. But still the key that is accepted in production is rejected by the staging host.
Can I get some help with fixing the access?
Metadata Update from @zlopez: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: low-gain, low-trouble, ops
I checked that @lsedlar is in sysadmin-releng on staging FAS as well, so I don't see any reason for SSH key to be rejected.
Which host are you trying to access?
I'd like to use compose-x86-01.stg.iad2.fedoraproject.org.
I have this in .ssh/config (which works for prod):
    Host bastion.fedoraproject.org
        HostName bastion-iad01.fedoraproject.org
        User lsedlar
        ProxyCommand none
        ForwardAgent no

    Host *.iad2.fedoraproject.org
        User lsedlar
        ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
I can confirm that the compose-x86-01.stg.iad2.fedoraproject.org is not accessible for me as well.
It seems that there are no user accounts on the staging machine. Only one user in /home/fedora folder.
@kevin What is the correct way to add the fedora user to the machine?
User accounts are all controlled by IPA cluster, you shouldn't add local users. ;)
I looked at this a bit, but the staging ipa servers are under some construction right now, so not sure the failure. will look more soon...
ok. This should be all fixed.
The machine was in a weird state with ipa, so I unenrolled it, but then trying to run the playbook hit a scp error because its sshd_config was too old. I manually fixed that, then ran the playbook and it re-enrolled and everything is working now.
Please reopen or file a new ticket if you see any further problems.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @kevin: - Issue assigned to kevin
Thanks Kevin!
I'm not sure what I'm doing wrong. I still see the same behaviour as before.
With prod, I can authenticate with either a key or kerberos ticket. The staging host doesn't let me in with either.
Do I need some special configuration for stage? What logs would be helpful for debugging?
Metadata Update from @lsedlar: - Issue status updated to: Open (was: Closed)
so, it was working, but I just tried and it failed again. ;(
sssd was giving some kind of system error, so I restarted it and it's working for me now?
can you try again now?
I apologize for missing the last comment. I just tried it again and I'm still getting the same error.
Pretty frustrating. sssd was offline again. ;(
It's working right now. Please try again.
I'll try and figure out from the logs why sssd is going offline. ;(
No luck. I wonder if somehow my attempt to connect is bringing sshd down :confused:
I think it's because our ipa cluster in staging is being worked on to upgrade it to rhel9, and at least one of the members of the cluster is unhappy. ;(
Will try and get that sorted out. Sorry for the long delay here.
I upgraded the machine to f39... it seems like it might be more stable now? (but I could be wrong). Can you try it again now?
I'm in! Thank you very much.
Great!