Difference between revisions of "Production access"
(Remove link to outdated notes doc)
(→Setting up your SSH config: Add a config block for direct bastion connection, because the previous `Host bast` doesn't apply and the right key isn't picked up)
|Line 115:||Line 115:|
Host *.wmnet *.wikimedia.org !gerrit.wikimedia.org !bast*.wikimedia.org
Host *.wmnet *.wikimedia.org !gerrit.wikimedia.org !bast*.wikimedia.org
Revision as of 22:01, 15 January 2021
For instructions on accessing public Cloud VPS and Toolforge instances, see Help:Access.
Production (sometimes called prod) is the network of servers that run the real, live Wikimedia websites. Access to production is necessary for deploying updates and other site reliability engineering work, as well as for accessing sensitive data. This page explains how to request and set up this access.
Remember: production access is extremely sensitive. With production access, it's possible to break our websites or steal private data about users' activities. If you have access, act carefully and take the server access responsibilities seriously. Immediately contact the SRE team if you have any doubts about security or if something goes wrong.
To minimize risk to the sites, only a small number of people outside of the SRE team hold any production access, and that access is limited to specific systems and processes. Access is managed through groups rather than people; a person (technically, an ssh-authenticated account) belongs to one or more groups, and each group has its own list of access privileges. All access privileges require a clear, ongoing need for the access. If you have a one-time need for data, request the data from the Analytics team instead.
There are three distinct processes for changing production access:
Change the privileges of an access group
An existing access group, usually with existing members, can be granted additional privileges, to allow members of the group to perform additional work.
- a ticket in Phabricator
- Use the tag SRE-Access-Requests.
- Include the name of an existing group
- Include the requested change in access, in as much specific detail (host names, etc) as possible.
- Include the reason the change is requested, including the impact if the change is rejected
Add WMF/WMDE Staff to an access group
For WMF and WMDE staff, membership in an access group is at the discretion of their manager, who should request access on behalf of the person as detailed below.
Add a volunteer to an access group
Volunteer access is granted at the discretion of the SRE team.
- You must have a non-disclosure agreement with the Wikimedia Foundation. Follow the volunteer NDA process.
- You must have support from a relevant Wikimedia Foundation employee: this should be the employee you will be collaborating with.
- Complete the access request process as detailed below.
Access Request Process
If you've satisified the eligibility requirements above, follow these steps to submit a request.
To follow these instructions, you'll need the following accounts:
- A Phabricator account. If you don't have one, see the instructions for creating an account on mediawiki.org.
- A Wikimedia developer account. If you don't have one, follow the link.
Signing the agreement
Next, read and sign the Acknowledgement of Wikimedia Server Access Responsibilities. Make sure you actually read it; this is a legal agreement and by signing it, you are committing to follow the security practices it describes.
Generating your SSH key
Since production access uses the Secure Shell protocol (SSH), you'll have to generate a new SSH keypair. Do not reuse an existing key; this presents an unacceptable security risk.
GitHub has a good help page (note that you can switch between Mac, Windows, and Linux documentation right under the title).
We recommend that you use an ED25519 key (or, alternatively, a 4096-bit RSA key). Do not use DSA keys as they are insecure and rejected by our SSH servers.
To generate an ED25519 key, run the following command in your terminal:
ssh-keygen -t ed25519
To generate an RSA key, run the following command in your terminal:
ssh-keygen -t rsa -b 4096 -o
Some systems don't support the newer
-o option which saves private keys in a slightly more secure format (OpenSSH rather than PEM), but those should be fairly rare, it was introduced in 6.5
The minimum bit length for this key is
-b 2048, which is currently the default length for OpenSSH. More bits won't hurt.
Remember: the key you use for production access must be different from the key you use for Cloud VPS, so do not paste it into the Openstack field under Special:Preferences on this wiki).
Filing the request
- Create a ticket requesting access.
- In the title, replace "RESOURCE" and "USER" with your name and the resource you need access to. (For new user requests, make a separate ticket for each user.)
- Add the following information to the description:
- USER's full name
- USER's wikitech username
- Your developer access username (that is, the one you use for Cloud VPS SSH, not Wikitech login. Wikitech shows this as "instance shell account name" in preferences). We will use this as your production shell username.
- The public key from new your SSH keypair. (See for example the Gerrit instructions how to copy your public SSH key.)
- Requested group membership. A complete list of groups that USER should be added to. These groups change frequently, so consult the most recent available list where possible.
- A detailed reason for your request. In particular, describe which specific servers you need access to and why. We err on the side of giving fewer permissions rather than more, so the more detailed your request, the more likely you are to get all the permissions you need.
- Get approvals from the following people as comments to the Phabricator task. The comments should be made directly through the web interface, not via email.
- The relevant Wikimedia Foundation/Wikimedia Deutschland employee, as explained above.
- The project lead where your access will be granted. For Analytics and Data systems this is Andrew Otto.
- Wait for SRE approval, if needed:
- If you're requesting the same level of access as the rest of your team already has (e.g. because you've joined the team and you're requesting to be added to the group) then no further approval is necessary; your manager's on-ticket approval (or for non-staff, your WMDE's manager or WMF sponsor's on-ticket approval) is sufficient.
- Otherwise, if you request any new level of sudo privileges for a group (or for yourself individually, outside of your group membership), then your request must have a security review at a biweekly SRE meeting. Sudo access is granted on an extremely limited basis, and will typically apply to the smallest permissions possible (user/process restricted over all). Expect this process to take at least two business weeks.
- When your request is approved, you will be asked to provide your full legal name, preferred email address for contact, and physical address to the Wikimedia Foundation Legal team (or your employee contact may forward this information on your behalf). This information will be used to customize a non-disclosure agreement, which you will be asked to read, comprehend, and electrically sign through the Foundation's contract management system. The agreement will be similar to the Volunteer NDA.
- The Wikimedia Foundation employee that will be supervising your work will coordinate final sign off by an Executive level staff of the Wikimedia Foundation when all other criteria have been met before your access is granted.
- Shell access and access to private data are different things. Access to data is granted to volunteers only if they have a formal collaboration with the research team.
If five business days pass without visible progress, please comment on the ticket to request an update, or directly contact the SRE on Clinic Duty that week.
Production shell users, their keys, and their permissions are managed in
modules/admin/data/data.yaml in the operations/puppet.git repository.
Setting up your access
Setting up your SSH config
The standard configuration for people not having root access is to have the ssh connection to be established on a bastion and proxy the command to the target host inside the cluster. To do this, add the following to your SSH config file (usually located at $HOME/.ssh/config), but change YOURUSERNAME to be your shell username on the Wikimedia servers:
# Turn this on for Match to work. CanonicalizeHostname yes # Defaults for all WMF hosts. Match host=*.wikimedia.org,*.wmnet ForwardAgent no IdentitiesOnly yes KbdInteractiveAuthentication no PasswordAuthentication no User YOURUSERNAME # Configure the initial connection to the bastion host, with the one # HostName closest to you Host bast HostName bast3004.wikimedia.org IdentityFile ~/.ssh/prod.key # Proxy all connections to internal servers through the bastion host Host *.wmnet *.wikimedia.org !gerrit.wikimedia.org !bast*.wikimedia.org ProxyJump bast IdentityFile ~/.ssh/prod.key # Configure direct connection to the bastion hosts Host bast*.wikimedia.org IdentityFile ~/.ssh/prod.key Host gerrit.wikimedia.org Port 29418 IdentityFile ~/.ssh/cloud.key
In the example above you may replace bast1002.wikimedia.org with the bastion that is physically closest to you:
bast1003.wikimedia.orgin the eqiad cluster in Virginia, United States
bast2002.wikimedia.orgin the codfw cluster in Texas, United States
bast3005.wikimedia.orgin the esams cluster in Amsterdam, The Netherlands
bast4003.wikimedia.orgin the ulsfo cluster in San Francisco, United States
bast5002.wikimedia.orgin the eqsin cluster in Singapore
Advanced: operations config
If you will be setting up new servers or doing other administration work, you can use the below advanced configuration instead. Otherwise, skip this section. If you're not sure, you almost certainly don't need this!
|Advanced $HOME/.ssh/config for production root users|
|The following content has been placed in a collapsed box for improved usability.|
## Production & External Zones Host bast1002.wikimedia.org bast2002.wikimedia.org bast3004.wikimedia.org bast4002.wikimedia.org bast5001.wikimedia.org bastion-restricted.wmflabs.org StrictHostKeyChecking yes ProxyCommand none ControlMaster auto IdentitiesOnly yes # See https://wikitech.wikimedia.org/wiki/Managing_multiple_SSH_agents#Using_multiple_agents_via_systemd for setting up multiple agents using systemd Host *.wikimedia.org !gerrit.wikimedia.org !git-ssh.wikimedia.org User your_username_here StrictHostKeyChecking yes IdentitiesOnly yes IdentityAgent /run/user/1000/ssh-prod.socket IdentityFile ~/.ssh/your_production_ssh_key UserKnownHostsFile ~/.ssh/known_hosts.d/wmf-prod ProxyCommand ssh -a -W %h:%p bast1002.wikimedia.org ## Internal Zones Host *.mgmt.eqiad.wmnet *.mgmt.codfw.wmnet *.mgmt.ulsfo.wmnet *.mgmt.esams.wmnet *.mgmt.eqsin.wmnet User root StrictHostKeyChecking no # See https://wikitech.wikimedia.org/wiki/Managing_multiple_SSH_agents#Using_multiple_agents_via_systemd for setting up multiple agents using systemd Host *.wmnet User your_username_here StrictHostKeyChecking yes IdentitiesOnly yes IdentityAgent /run/user/1000/ssh-prod.socket IdentityFile ~/.ssh/your_production_ssh_key UserKnownHostsFile ~/.ssh/known_hosts.d/wmf-prod Host *.eqiad.wmnet ProxyCommand ssh -a -W %h:%p bast1002.wikimedia.org Host *.codfw.wmnet ProxyCommand ssh -a -W %h:%p bast2002.wikimedia.org Host *.esams.wmnet ProxyCommand ssh -a -W %h:%p bast3004.wikimedia.org Host *.ulsfo.wmnet ProxyCommand ssh -a -W %h:%p bast4002.wikimedia.org Host *.eqsin.wmnet ProxyCommand ssh -a -W %h:%p bast5001.wikimedia.org ## Networking Equipment Host *-eqiad.wikimedia.org *-eqord.wikimedia.org ProxyCommand ssh -a -W %h:%p bast1002.wikimedia.org Host *-codfw.wikimedia.org *-eqdfw.wikimedia.org ProxyCommand ssh -a -W %h:%p bast2002.wikimedia.org Host *-esams.wikimedia.org *-knams.wikimedia.org ProxyCommand ssh -a -W %h:%p bast3004.wikimedia.org Host *-ulsfo.wikimedia.org ProxyCommand ssh -a -W %h:%p bast4002.wikimedia.org Host *-eqsin.wikimedia.org ProxyCommand ssh -a -W %h:%p bast5001.wikimedia.org ## Gerrit and Cloud VPS # See https://wikitech.wikimedia.org/wiki/Managing_multiple_SSH_agents#Using_multiple_agents_via_systemd for setting up multiple agents using systemd Host gerrit.wikimedia.org User your_username_here StrictHostKeyChecking yes ProxyCommand none IdentitiesOnly yes IdentityAgent /run/user/1000/ssh-cloud.socket IdentityFile ~/.ssh/your_development_ssh_key UserKnownHostsFile ~/.ssh/known_hosts.d/wmf-cloud # See https://wikitech.wikimedia.org/wiki/Managing_multiple_SSH_agents#Using_multiple_agents_via_systemd for setting up multiple agents using systemd Host *.wmflabs.org *.wmflabs User your_username_here IdentityFile ~/.ssh/your_development_ssh_key IdentityAgent /run/user/1000/ssh-cloud.socket StrictHostKeyChecking no UserKnownHostsFile ~/.ssh/known_hosts.d/wmf-cloud ProxyCommand ssh -a -W %h:%p bastion-restricted.wmflabs.org
|The above content has been placed in a collapsed box for improved usability.|
Known host files
To ensure the validity of the hosts you connect to, enable the StrictHostKeyChecking yes option and create a local list of known hosts. A [utility script is available] to generate that list and keep it up to date. Read the instructions in the script's header for help on usage. If you need any additional help, contact the script's authors.
Before you can use the script, you'll need to bootstrap this setup with at least one bastion host. Disable strict host key checking, ssh to a bastion, and make sure the fingerprint matches what's listed at Help:SSH Fingerprints.
Do not use SSH agent forwarding (the
-A command line option). Agent forwarding does not make it possible to steal your private key itself, but it does make it possible for someone to hijack your SSH agent and thus your identity, so we do not do it. The
-a option (with a lower case "a") disables agent forwarding, and is thus included in the sample configurations below.
This page used to recommend that you add the following lines to protect against an SSH bug from 2016, don't use any longer:
However, we are now using an updated version which removed the vulnerable options, so you will get an error if your config includes the lines above. Just remove them from your config to connect.
Do not use your production cluster SSH key for any other service, including Gerrit or Cloud VPS.
- Fundraising infrastructure config
- Greg Grossmeier's SSH config
- Managing multiple SSH agents
- (experimental) Bash script to detect the correct bastion and auto-fix SSH config
If your production access has been approved but you aren't able to log in, you can ask for help in the Phabricator ticket for your access request. If you got access a long time ago and it's a new problem, you can file a new ticket and tag it with #operations.
Wherever you ask for help, make sure you include your SSH configuration (but not your key itself!) and the output you get when you run your ssh command with the
-v option (verbose mode).
If you are prompted for a password when attempting to SSH into production, it generally means that your client is misconfigured -- most often you are presenting the wrong public key to the server.
ssh -v can help you debug this. When debugging, in order to keep things clear, it's best to attempt to connect directly to a bastion host, e.g.
ssh -v bast1002.eqiad.wmnet.
- Help:Accessing Cloud VPS instances for instructions on accessing Cloud VPS and Toolforge instances
- Help:SSH Fingerprints for fingerprints of ssh bastion servers
- Proxy access to cluster for direct web access to production servers behind the firewall
- Yubikey-SSH and Yubikey4 and gpg-agent for instructions on using a YubiKey device to manage your ssh key
- Managing multiple SSH agents for help configuring separate ssh-agent instances for different security realms
- Fundraising/tech/ssh config for help configuring ssh for access to hosts in the frack environment
- The form automatically adds the ticket to the SRE-Access-Requests project so the SRE team will see your request.
- You can also put your public key on your wiki user page, in a Phabricator paste, or in a Gerrit patchset you upload, but you can't include it in an email reply to the task.
- This protects against email spoofing.