Store resources for Ansible on jenkins ci master #871

Closed
mhdawson opened this issue Sep 8, 2017 · 7 comments

Comments

@mhdawson
Member

mhdawson commented Sep 8, 2017

We've discussed a few times storing resources somewhere that can be used by Ansible when those resources are not available publicly.

Now that I have infra access I was thinking I would do the following based on an earlier suggestion from @jbergstroem:

  • create a new user on the ci machine called resources
  • generate a new keypair for that user
  • have the ansible scripts render the key onto the test machines. It would have to have been extracted from the secrets repo and put into a known location by the individual running ansible
  • have the ansible scripts scp the resource from the ci machine using the user resources and the associated key

I'm still looking at alternatives but my immediate need is to get gyp onto the zOS machines. Once in place we could use it to store the resources needed for the AIX installs as well as any other similar examples.

@nodejs/build what do you think?

@mhdawson
Member Author

mhdawson commented Sep 8, 2017

One other alternative might be to have the scripts transfer the resources to the local machine where ansible is running first and then transfer from there to target machine (assuming I can do that in ansible). That would avoid having to transfer the ssh key to the target machines.

@gibfahn
Member

gibfahn commented Sep 8, 2017

+1 on this, I think it makes sense (and we discussed it in a Build WG meeting a while back, IIRC there were no strong objections).

> One other alternative might be to have the scripts transfer the resources to the local machine where ansible is running first and then transfer from there to target machine

I'd rather we go with your first suggestion than this, transferring everything twice seems like it'd take a lot longer and be more error-prone.

>   • generate a new keypair for that user
>
>   • have the ansible scripts render the key onto the test machines. It would have to have been extracted from the secrets repo and put into a known location by the individual running ansible

Could we do it with the nodejs_build_test key? If the resources user just used the test key to authenticate, then ansible could just copy the key from ~/.ssh/nodejs_build_test.pub.

@rvagg
Member

rvagg commented Sep 16, 2017

As per our discussion in the meeting this week: https://ci.nodejs.org/downloads/ and the insecure http://ci.nodejs.org/downloads/ are now publicly accessible for resources we need to share for our installations.

The files are served from /home/downloads/www/ from the user account downloads. This account has its own key, which is available to build/infra folks at secrets/build/infra/downloads@ci.nodejs.org.key; just upload files into the www directory for that user and they'll be available. This key only has access to the downloads account, but once you're on the machine you can get access to anything we haven't fully secured in the jenkins config, so we probably shouldn't be too liberal passing it around, but I think we can be a bit broader than just build/infra. I have no problem sharing it with team members who actually have resources to upload, like I imagine @gibfahn does.

Remember to preference https in your ansible scripts wherever possible, http only makes sense for machines that can't download via https such as the zOS (or is it AIX?) machines.

@gibfahn
Member

gibfahn commented Sep 18, 2017

@mhdawson could you give me access to the account?

@mhdawson
Member Author

I'm not sure what the plan was for giving out the key since it's stored in the infra secrets. If you have some binaries you want me to upload just send them over.

@mhdawson
Member Author

I see the comments above about sharing the key.
@gibfahn let's connect so I can give you the key.

@mhdawson
Member Author

mhdawson commented Sep 21, 2017

I added zos/gyp.tar.gz (edited, had wrong name); thinking it may make sense to have directories for platforms.
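
An added example, not part of the thread or the nodejs/build repository: one way an Ansible play could pull a shared resource from the downloads area described above, defaulting to https and pinning a SHA-256 digest so that a download over plain http is still integrity-checked. The inventory group, variable names, destination path and digest placeholder are assumptions, and the URL path is inferred from the `zos/gyp.tar.gz` upload mentioned in the thread.

```yaml
# Hypothetical playbook; assumes the target can run Ansible's get_url module.
- hosts: test_machines                 # hypothetical inventory group
  vars:
    # Default to https. Override to "http" only in host_vars for machines
    # that cannot download via https.
    downloads_scheme: https
    gyp_url: "{{ downloads_scheme }}://ci.nodejs.org/downloads/zos/gyp.tar.gz"
    # Placeholder: record the digest when the file is uploaded and keep it
    # in version control next to this play.
    gyp_checksum: "sha256:<SHA256_OF_UPLOADED_FILE>"
    gyp_dest: /tmp/gyp.tar.gz          # hypothetical destination
  tasks:
    - name: Refuse any scheme other than https or http
      assert:
        that:
          - downloads_scheme in ['https', 'http']

    - name: Fetch gyp and fail if the digest does not match
      get_url:
        url: "{{ gyp_url }}"
        dest: "{{ gyp_dest }}"
        checksum: "{{ gyp_checksum }}"
        mode: "0644"
```

Because the digest lives in the playbook rather than on the download server, a file replaced on the server or altered in transit over http causes the task to fail instead of being installed.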
