bastion re-installs yesterday and today (2014-10-08)
Kevin Fenzi
kevin at scrye.com
Fri Oct 10 14:40:52 UTC 2014
Greetings.
Yesterday I re-installed bastion02.fedoraproject.org.
Moving it to ansible and rhel7.
Today I would like to do bastion01. :)
I plan to start the process around 18UTC today.
* Switch openvpn to bastion02
* Shutdown postfix on bastion01
* Save postfix queue off
* Take down bastion01, saving disk
(At this point anyone ssh tunneling via bastion01 will be disconnected)
* Fresh install/ansiblizing.
* Restore postfix queue
* Update sshfp and ssh_known_hosts for folks to verify against.
While I could copy the ssh host keys from the old instances, I am not
going to do that in this case. The host keys on those machines have
been copied forward through a number of re-installs and I think it's
time to have newly generated ones.
This of course means that everyone who has shell access will need to
remove the old ssh host key from their known_hosts and add and check
the new one. If you are using the VerifyHostKeyDNS ssh option, ssh
will verify the host key against the sshfp dns record. If you aren't,
you can check it against:
https://admin.fedoraproject.org/ssh_known_hosts
In the event the new bastion01 has issues, I will have the old disk and
can switch back to that instance if needed.
Thanks,
kevin
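
The check described above (comparing a host key from a published ssh_known_hosts file against the host's SSHFP record) can be scripted. The following is an added example, not part of the original message or of Fedora's tooling; the host name, address and key bytes are constructed placeholders, and the SSHFP records are passed in as tuples rather than fetched from DNS.

```python
import base64
import hashlib
import struct

# SSHFP key-algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_rdata(keytype, key_b64, fp_type=2):
    """Return (algorithm, fp_type, hex digest) for one public host key."""
    blob = base64.b64decode(key_b64, validate=True)
    # The key blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match key blob")
    return (SSHFP_ALGO[keytype], fp_type, SSHFP_HASH[fp_type](blob).hexdigest())

def host_keys(known_hosts_text, host):
    """Yield (keytype, key) from plain entries naming host; skips #, @, | lines."""
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        if host in fields[0].split(",") and fields[1] in SSHFP_ALGO:
            yield fields[1], fields[2]

def key_matches(keytype, key_b64, sshfp_records):
    """True if a published record of the same algorithm has this digest."""
    return any(
        algo == SSHFP_ALGO[keytype] and fp_type in SSHFP_HASH
        and sshfp_rdata(keytype, key_b64, fp_type)[2] == digest.lower()
        for algo, fp_type, digest in sshfp_records)

def verify_host(known_hosts_text, host, sshfp_records):
    """True only if host has keys listed and every one matches SSHFP."""
    keys = list(host_keys(known_hosts_text, host))
    return bool(keys) and all(key_matches(k, b, sshfp_records) for k, b in keys)

def make_blob(keytype, payload):
    """Build a constructed (not real) key blob: two length-prefixed strings."""
    kt = keytype.encode()
    return struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(payload)) + payload

# Constructed sample data; host name, address and key bytes are placeholders.
NEW_KEY = base64.b64encode(make_blob("ssh-ed25519", bytes(range(32)))).decode()
KNOWN_HOSTS = f"bastion.example.org,192.0.2.10 ssh-ed25519 {NEW_KEY}\n"
```

A record for the pre-reinstall key, or a host with no listed keys, makes verify_host return False, which is the case where the stale known_hosts entry still needs replacing.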