Accessing Autobuilders: Difference between revisions
No edit summary |
(Update to remove typhoon directions.) |
||
(11 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
==Connecting to Autobuilders== | ==Connecting to Autobuilders== | ||
We use an ssh jumphost called access.yoctoproject.org to connect to the autobuilders. Jumphosts enhance security by removing the threat of hijacked ssh-agents and limiting the services running on Internet exposed hosts. | We use an ssh jumphost called access.yoctoproject.org/access.yocto.io to connect to the autobuilders. Jumphosts enhance security by removing the threat of hijacked ssh-agents and limiting the services running on Internet exposed hosts. | ||
===Generate keys=== | ===Generate keys=== | ||
In order to access any of the autobuilders your ssh public keys must first be installed. The preferred | In order to access any of the autobuilders your ssh public keys must first be installed. The preferred key type is ECC. RSA with 4096 bits is also acceptable. Please put your e-mail, the date of generation, and the host the key lives on in the comment. Please set a passphrase even if it's a simple one! Ideally your private key will never leave the host it is generated on - so if you have multiple machines please generate multiple keys. E-mail your '''public''' key named ~/.ssh/id_ed25519.pub or id_rsa.pub to helpdesk@yoctoproject.org. Keep id_ed25519 or id_rsa(the private key) super safe. Please never share it with anyone or copy it onto the Internet. Don't e-mail it to yourself either. | ||
ssh-keygen | ssh-keygen -t ed25519 -C "your_email@example.com_2012-05-30_localhostname" | ||
Substitute your own e-mail and your computer's hostname in the command above. Setting these helps with troubleshooting in the future. | Substitute your own e-mail and your computer's hostname in the command above. Setting these helps with troubleshooting in the future. | ||
===Configure ssh=== | ===Configure ssh=== | ||
Edit ~/.ssh/config and add: | Edit ~/.ssh/config on your local machine and add: | ||
Host access. | Host access-vk.yoctoproject.org | ||
# Make sure your username matches your account on the autobuilder | # Make sure your username matches your account on the autobuilder | ||
#User [username] | #User [username] | ||
# Give the full path to the proper public key | # Give the full path to the proper public key if needed | ||
#IdentityFile /home/[username]/.ssh/id_rsa | #IdentityFile /home/[username]/.ssh/id_rsa | ||
# If your network requires you to use a SOCKS proxy enable it here | # If your network requires you to use a SOCKS proxy enable it here | ||
Line 22: | Line 22: | ||
# ProxyCommand nc --proxy-type socks5 --proxy [proxyserver.address.company.com:1080] %h %p | # ProxyCommand nc --proxy-type socks5 --proxy [proxyserver.address.company.com:1080] %h %p | ||
# | # Valkyrie proxy through a bastion to simplify key management. | ||
# SSH host keys should be verified automatically via DNS for the bastion | |||
ProxyJump access. | # If you don't have native IPv6 you must proxy through access-vk.yoctoproject.org. | ||
Host *-vk-*.yocto.io | |||
ProxyJump access-vk.yoctoproject.org | |||
#User [username] | #User [username] | ||
#IdentityFile /home/[username]/.ssh/id_rsa | #IdentityFile /home/[username]/.ssh/id_rsa | ||
Line 33: | Line 34: | ||
# Don't bother saving hostkeys we don't check | # Don't bother saving hostkeys we don't check | ||
UserKnownHostsFile /dev/null | UserKnownHostsFile /dev/null | ||
===Verify Fingerprints=== | ===Verify Fingerprints=== | ||
Now actually ssh to access.yoctoproject.org and verify that the fingerprint you receive matches a fingerprint below. | Now actually ssh to access.yoctoproject.org and verify that the fingerprint you receive matches a fingerprint below. | ||
access.yoctoproject.org | access-vk.yoctoproject.org | ||
ED25519 key fingerprint is SHA256:eDGzlYP3G+io9ylXmE6HMwtLMJ3eV82DveBnbM2mgJo. | |||
===Connect!=== | ===Connect!=== | ||
Now that you've added access.yoctoproject.org to your known hosts you don't need to worry about fingerprints anymore. Time to connect to a builder. Run: | Now that you've added access.yoctoproject.org to your known hosts you don't need to worry about fingerprints anymore. Time to connect to a builder. Run: | ||
ssh | ssh debian12-vk-1.yocto.io | ||
If all worked correctly you are now logged | If all worked correctly you are now logged in. Build workers are [https://autobuilder.yoctoproject.org/typhoon/#/workers listed on the controller]. Append .yocto.io to the name to ssh. | ||
===Need to work on the build scripts?=== | ===Need to work on the build scripts?=== |
Latest revision as of 20:37, 11 November 2024
Connecting to Autobuilders
We use an ssh jumphost called access.yoctoproject.org/access.yocto.io to connect to the autobuilders. Jumphosts enhance security by removing the threat of hijacked ssh-agents and limiting the services running on Internet exposed hosts.
Generate keys
In order to access any of the autobuilders your ssh public keys must first be installed. The preferred key type is ECC. RSA with 4096 bits is also acceptable. Please put your e-mail, the date of generation, and the host the key lives on in the comment. Please set a passphrase even if it's a simple one! Ideally your private key will never leave the host it is generated on - so if you have multiple machines please generate multiple keys. E-mail your public key named ~/.ssh/id_ed25519.pub or id_rsa.pub to helpdesk@yoctoproject.org. Keep id_ed25519 or id_rsa(the private key) super safe. Please never share it with anyone or copy it onto the Internet. Don't e-mail it to yourself either.
ssh-keygen -t ed25519 -C "your_email@example.com_2012-05-30_localhostname"
Substitute your own e-mail and your computer's hostname in the command above. Setting these helps with troubleshooting in the future.
Configure ssh
Edit ~/.ssh/config on your local machine and add:
Host access-vk.yoctoproject.org # Make sure your username matches your account on the autobuilder #User [username] # Give the full path to the proper public key if needed #IdentityFile /home/[username]/.ssh/id_rsa # If your network requires you to use a SOCKS proxy enable it here # ProxyCommand nc -X5 -x [proxyserver.address.company.com:1080] %h %p # If your system uses 'ncat', rather than 'netcat', use these options to enable a SOCKS proxy # ProxyCommand nc --proxy-type socks5 --proxy [proxyserver.address.company.com:1080] %h %p # Valkyrie proxy through a bastion to simplify key management. # SSH host keys should be verified automatically via DNS for the bastion # If you don't have native IPv6 you must proxy through access-vk.yoctoproject.org. Host *-vk-*.yocto.io ProxyJump access-vk.yoctoproject.org #User [username] #IdentityFile /home/[username]/.ssh/id_rsa # We don't need strict checking on the private network. StrictHostKeyChecking no VisualHostKey no # Don't bother saving hostkeys we don't check UserKnownHostsFile /dev/null
Verify Fingerprints
Now actually ssh to access.yoctoproject.org and verify that the fingerprint you receive matches a fingerprint below.
access-vk.yoctoproject.org ED25519 key fingerprint is SHA256:eDGzlYP3G+io9ylXmE6HMwtLMJ3eV82DveBnbM2mgJo.
Connect!
Now that you've added access.yoctoproject.org to your known hosts you don't need to worry about fingerprints anymore. Time to connect to a builder. Run:
ssh debian12-vk-1.yocto.io
If all worked correctly you are now logged in. Build workers are listed on the controller. Append .yocto.io to the name to ssh.
Need to work on the build scripts?
If you are on the SWAT team you can access pokybuild using this sudo command:
sudo -iu pokybuild
keywords: ssh access auto builder accessing autobuilders