Changes between Version 7 and Version 8 of jessie-stretch-upgrade


Timestamp:
Oct 18, 2017, 2:57:40 PM (8 years ago)
Author:
Jamie McClelland
Comment:

--

  • jessie-stretch-upgrade

    v7 v8  
    11= Jessie Stretch Upgrade Page =
     2
     3== Root gpg key and monkeysphere ==
     4
     5All of our servers can easily ssh between themselves through the monkeysphere. For the monkeysphere to work, the root user on each machine has to maintain an ssh-agent.
     6
     7Prior to stretch, we could not load a monkeysphere key into ssh-agent that didn't have a password (so we set the password to 'monkeys' for all keys). With stretch, you can't load a key into ssh-agent in an automated way that ''has'' a password. Sigh. Also, you cannot automate the change of a gpg key password.
     8
     9As a result: upon upgrading sites to stretch, you must manually remove the password for the root user's gpg key:
     10
     11{{{
     12gpg --change-passphrase root@$(hostname).mayfirst.org
     13}}}
     14
     15The current password is: monkeys
     16
     17If you don't, you will get this warning when you run puppet:
     18
     19{{{
     20remote: Error: /bin/false returned 1 instead of one of [0]
     21remote: Error: /Stage[main]/Mayfirst::M_minimal/M_gpg::Private_key[root]/Exec[admin:please-manually-change-passphrase-from-monkeys-to-empty-for-root-user-on-this-host]/returns: change from notrun to 0 failed: /bin/false returned 1 instead of one of [0]
     22}}}
    223
    324== Silence ==
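
Review bot: in the added section at the top of the page, the step leaves root's gpg key with no passphrase, and the line "The current password is: monkeys" records the old shared one, but nothing says what protects the key afterwards. Once the passphrase is empty the secret key is guarded only by file permissions on root's GnuPG home, so add a sentence saying that. The lead-in "you will get this warning when you run puppet" should also say "error", since both quoted lines begin with "remote: Error:".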
     
    1839With stretch, `syslog` has been purged. That means all services and programs that depend on it have been modified (fail2ban, many of the mf-scripts, etc).
    1940
    20 == Root gpg key and monkeysphere ==
    21 
    22 All of our servers can easily ssh between themselves through the monkeysphere. For the monkeysphere to work, the root user on each machine has to maintain an ssh-agent.
    23 
    24 Prior to stretch, we could not load a monkeysphere key into ssh-agent that didn't have a password (so we set the password to 'monkeys' for all keys). With stretch, you can't load a key into ssh-agent in an automated way that ''has'' a password. Sigh. Also, you cannot automate the change of a gpg key password.
    25 
    26 As a result: upon upgrading sites to stretch, you must manually remove the password for the root user's gpg key:
    27 
    28 {{{
    29 gpg --change-passphrase root@$(hostname).mayfirst.org
    30 }}}
    31 
    32 The current password is: monkeys
    33 
    34 If you don't, you will get this warning when you run puppet:
    35 
    36 {{{
    37 remote: Error: gpg --pinentry-mode loopback --passphrase '' --export-secret-keys  --armour 1>/dev/null 2>/dev/null returned 2 instead of one of [0]
    38 remote: Error: /Stage[main]/Mayfirst::M_minimal/M_gpg::Private_key[root]/Exec[admin:please-manually-change-passphrase-from-monkeys-to-empty-for-root-user-on-this-host]/returns: change from notrun to 0 failed: gpg --pinentry-mode loopback --passphrase '' --export-secret-keys  --armour 1>/dev/null 2>/dev/null returned 2 instead of one of [0]
    39 }}}
    4041
    4142== Predictable Network Interfaces Names ==
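
Review bot: the sample output removed here was the only place the page showed the check puppet actually ran (gpg --pinentry-mode loopback --passphrase '' --export-secret-keys --armour); the replacement text, "/bin/false returned 1 instead of one of [0]", gives an admin no way to tell what failed or to confirm the fix before re-running puppet. Suggest keeping that gpg command on the page as an explicit verification step after the gpg --change-passphrase command, noting that it should return 0 once the passphrase is empty.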