Support #43309

closed

Sepia Lab Access Request

Added by Michael Fritch over 4 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: User access
Target version: -
% Done: 0%
Tags:
Reviewed:
Affected Versions:

Description

1) Do you just need VPN access or will you also be running teuthology jobs?
Whichever is necessary for cephadm related tests

2) Desired Username:
mgfritch

3) Alternate e-mail address(es) we can reach you at:

4) If you don't already have an established history of code contributions to Ceph, is there an existing community or core developer you've worked with who has reviewed your work and can vouch for your access request?
Sage or SebastianW

If you answered "No" to # 4, please answer the following (paste directly below the question to keep indentation):

4a) Paste a link to a Blueprint or planning doc of yours that was reviewed at a Ceph Developer Monthly.

4b) Paste a link to an accepted pull request for a major patch or feature.

4c) If applicable, include a link to the current project (planning doc, dev branch, or pull request) that you are looking to test.
https://github.com/ceph/ceph/pull/32244

5) Paste your SSH public key(s) between the pre tags

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCitWIN7jm5KEmB6jqcA+ufKRLodxkJ1GIdaaueCdeXdMHgWNH9FUDCUJk5dcA11MxQO15DRH/cdhb3QHPGiMv4XrBeK6HHYwGttzkcUEz1EDUhpowOrnFETbPa7K39ObmRcgdvoGXOSrNZ4mvptCTz9Xb0MF+Gcg5iJ4g+qZzIVa2/ueecYY8ZorbaH4m/NWUub6Rf01Q04HfxTvKrUFswrbCoE/Aigz/Oh88RiS854XoTvV7rE1tKbyKkaungwMAaQSNnZkq4hi8nbp6pzTxJLV7N/ZYMhVpdxSbWcghFg6cy7aeoCzZMN97WcDhpdfbhRT0dbqCkMmHV6t0usDDnOss2v68UCzkxuA1Hj4uy8rRHjXBtYqI6xsrwCjvmgP05B14TpmFdG+3GdRHx2+QlhnGj7nuPf1KoWW/f3tD85DXoEmVl6RJ4KTrMeEVlOn3kdMLVH0y2hIqPTYMP5cMVNi0EdfeoBdd9kxMKMvoSVBAgmLzGVv17o1lNvVS6V1kyt7gME2PfNR2Np+U1cJVJfUJRTm28mHXBVoDXG9s0zv8+LpQ/gVPS+vsPAfxWWYGW8ZmEV3ZorDOZycSPybjHkPFzDAdUhPG0Db0o+F9ug+22F7pvifsdDZ42zqGGLbyzfIQE3AtyI7LR7Sc5tpN9rKTeSBYJ0yNcDKEj5FUHDw== mfritch@suse.com

6) Paste your hashed VPN credentials between the pre tags (Format: user@hostname 22CharacterSalt 65CharacterHashedPassword)

mgfritch@laptop 3KhqWETFJaVsH/I8FOBfUg 0aca6c3c6d45c554bad8ba9853f0bc575c9915eee33ee6be2059568ad09a9d72


Files

new-client.patch (423 Bytes) Michael Fritch, 01/09/2020 01:09 AM
Actions #1

Updated by adam kraitman over 4 years ago

  • Category set to User access
  • Status changed from New to In Progress
  • Assignee set to adam kraitman

Hi Sage Weil, can you vouch for Michael Fritch?

Thanks

Actions #2

Updated by Sage Weil over 4 years ago

approved!

Actions #3

Updated by adam kraitman over 4 years ago

Hi Michael,

You should have access to the Sepia lab now. Please verify you're able to connect to the vpn and ssh using the private key matching the pubkey you provided.

Be sure to check out the following links for final workstation setup steps:
https://wiki.sepia.ceph.com/doku.php?id=vpnaccess#vpn_client_access
https://wiki.sepia.ceph.com/doku.php?id=testnodeaccess#ssh_config

Most developers choose to schedule runs from the shared teuthology VM. For information on that, see http://docs.ceph.com/teuthology/docs/intro_testers.html

Thanks.

Actions #4

Updated by Michael Fritch over 4 years ago

Hi,

Something appears incorrect with either the backend VPN config or my secret file.

When attempting this:
openvpn --config /etc/openvpn/sepia/client.conf --cd /etc/openvpn/ --verb 5

I see an auth failure:
Fri Dec 20 10:37:59 2019 us=223400 SENT CONTROL [openvpn-sepia]: 'PUSH_REQUEST' (status=1)
WRRFri Dec 20 10:37:59 2019 us=293490 AUTH: Received control message: AUTH_FAILED
Fri Dec 20 10:37:59 2019 us=293772 TCP/UDP: Closing socket

Should I regenerate a set of hashed VPN credentials? Or is there something else I should try?

Thanks!

Actions #5

Updated by adam kraitman over 4 years ago

Hi Michael,
Can you please paste the output of the following command:

sudo systemctl status openvpn-client@sepia

OR

sudo systemctl status openvpn@sepia

Thanks,

Adam

Actions #6

Updated by Michael Fritch over 4 years ago

Hi Adam, please see the below. Thanks!

$ sudo systemctl status openvpn@sepia
 openvpn@sepia.service - OpenVPN tunneling daemon instance using /etc/openvpn/sepia.conf
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Dec 22 08:13:14 foobaz openvpn@sepia[7628]: VERIFY KU OK
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: Validating certificate extended key usage
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: VERIFY EKU OK
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: VERIFY OK: depth=0, O=Redhat, CN=openvpn-sepia
Dec 22 08:13:16 foobaz openvpn@sepia[7628]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2432 bit RSA 
Dec 22 08:13:16 foobaz openvpn@sepia[7628]: [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
Dec 22 08:13:17 foobaz openvpn@sepia[7628]: AUTH: Received control message: AUTH_FAILED
Dec 22 08:13:17 foobaz openvpn@sepia[7628]: SIGTERM[soft,auth-failure] received, process exiting
Dec 22 08:13:17 foobaz systemd[1]: openvpn@sepia.service: Succeeded.

$ sudo journalctl -u openvpn@sepia                                     
-- Logs begin at Sun 2019-11-10 15:29:25 MST, end at Sun 2019-12-22 08:37:13 MST. --
Dec 22 08:13:14 foobaz systemd[1]: Starting OpenVPN tunneling daemon instance using /etc/openvpn/sepia.conf...
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: WARNING: file 'sepia/tlsauth' is group or others accessible
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: OpenVPN 2.4.7 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Dec 22 08:13:14 foobaz systemd[1]: Started OpenVPN tunneling daemon instance using /etc/openvpn/sepia.conf.
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: TCP/UDP: Preserving recently used remote address: [AF_INET]8.43.84.129:1194
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: UDP link local: (not bound)
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: UDP link remote: [AF_INET]8.43.84.129:1194
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: VERIFY OK: depth=1, O=Redhat, CN=openvpnca-sepia
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: VERIFY KU OK
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: Validating certificate extended key usage
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: VERIFY EKU OK
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: VERIFY OK: depth=0, O=Redhat, CN=openvpn-sepia
Dec 22 08:13:16 foobaz openvpn@sepia[7628]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2432 bit RSA 
Dec 22 08:13:16 foobaz openvpn@sepia[7628]: [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
Dec 22 08:13:17 foobaz openvpn@sepia[7628]: AUTH: Received control message: AUTH_FAILED
Dec 22 08:13:17 foobaz openvpn@sepia[7628]: SIGTERM[soft,auth-failure] received, process exiting
Dec 22 08:13:17 foobaz systemd[1]: openvpn@sepia.service: Succeeded.
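
Added example, not part of the ticket or of the Sepia tooling: in the log above the certificate checks and the TLS handshake succeed before AUTH_FAILED arrives, which places the failure at the username/secret stage rather than in the client certificate or tls-auth setup. The Python below classifies an OpenVPN client log by the layer that failed and collects its WARNING lines; the names triage, first and ADVICE are this example's own, and the marker strings are standard OpenVPN client log messages.

```python
import re

# Abridged from the journalctl output quoted in comment #6 above.
SAMPLE = """\
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: WARNING: file 'sepia/tlsauth' is group or others accessible
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: VERIFY OK: depth=1, O=Redhat, CN=openvpnca-sepia
Dec 22 08:13:14 foobaz openvpn@sepia[7628]: VERIFY OK: depth=0, O=Redhat, CN=openvpn-sepia
Dec 22 08:13:16 foobaz openvpn@sepia[7628]: [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
Dec 22 08:13:17 foobaz openvpn@sepia[7628]: AUTH: Received control message: AUTH_FAILED
Dec 22 08:13:17 foobaz openvpn@sepia[7628]: SIGTERM[soft,auth-failure] received, process exiting
"""
WARNING = re.compile(r"WARNING: (.*)")
# Next step per failing layer (the wording is this example's, not OpenVPN's).
ADVICE = {
    "certificate": "server certificate was rejected; check the CA file and remote-cert-tls",
    "tls": "handshake did not complete; check the tls-auth key, port and protocol",
    "credentials": "handshake succeeded; the server rejected the username/secret pair",
    "connected": "tunnel is up",
    "incomplete": "no terminal event in this log; capture a full session",
}

def first(lines, marker):
    """Index of the first line containing marker, or None."""
    return next((i for i, line in enumerate(lines) if marker in line), None)

def triage(log_text):
    """Return (layer, warnings) for one OpenVPN client session log."""
    lines = log_text.splitlines()
    warnings = [m.group(1) for m in map(WARNING.search, lines) if m]
    if first(lines, "VERIFY ERROR") is not None:
        return "certificate", warnings
    if first(lines, "TLS Error") is not None:
        return "tls", warnings
    peer = first(lines, "Peer Connection Initiated")
    auth = first(lines, "AUTH_FAILED")
    if auth is not None:
        # AUTH_FAILED only implicates credentials if the TLS session was up first.
        return ("credentials" if peer is not None and peer < auth else "incomplete"), warnings
    if first(lines, "Initialization Sequence Completed") is not None:
        return "connected", warnings
    return "incomplete", warnings

if __name__ == "__main__":
    layer, warnings = triage(SAMPLE)
    print(layer, "->", ADVICE[layer])
    for w in warnings:
        print("hygiene:", w)
```

The two collected warnings (a group- or world-readable tlsauth key file and in-memory password caching) are independent of the login failure and are worth fixing on the workstation either way.
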
Actions #7

Updated by adam kraitman over 4 years ago

Thank you, Michael. Can you also paste the output of "sudo cat /etc/openvpn/client/sepia/secret"?
Also, run "sudo systemctl restart openvpn@sepia" and see if the output of "sudo systemctl status openvpn@sepia" changes to "running".

Actions #8

Updated by Michael Fritch over 4 years ago

Perhaps we can try again using a newly generated set of hashed VPN credentials?

mgfritch@laptop 94prpsaAkBwTzMmF9JR4WA 3adb8aad97b1f78c74d3ae91f21f4b165749843dacabad74f0039212c5a5db39

I suspect the script was re-run multiple times, causing a mismatch between the hashed creds and secret file... We could probably update the script to avoid something similar in the future (attached).

Actions #9

Updated by adam kraitman over 4 years ago

Hey Michael Fritch, I have updated your VPN credentials. Please try now.

Actions #10

Updated by Michael Fritch over 4 years ago

Hi Adam, VPN access appears to be working correctly now. Thanks!

Actions #11

Updated by adam kraitman over 4 years ago

You're welcome

Thank you Michael

Actions #12

Updated by adam kraitman over 4 years ago

  • Status changed from In Progress to Resolved