User:Accraze/Tools/ssh
Much of our work at WMF is done on remote machines. We access these machines using SSH with the following configuration. This is a guide and literate config for my setup. The auto-generated code and org files for these configs are stored in my dotfiles repo on the WMF GitLab: https://gitlab.wikimedia.org/accraze/dotfiles/-/blob/main/.ssh/config
Production Config
First, let's set up some base rules for all WMF hosts. This will ensure that we do not need to enter our username all the time, etc.
###########################
## Production Config ###
###########################
# Turn this on for Match to work.
CanonicalizeHostname yes

# Defaults for all WMF hosts.
Match host=*.wikimedia.org,*.wmnet
    ForwardAgent no
    IdentitiesOnly yes
    KbdInteractiveAuthentication no
    PasswordAuthentication no
    User accraze
Bastion
At WMF, we use a bastion host as the initial connection to all other internal servers. You should use the HostName that is closest to your location.
# Configure the initial connection to the bastion host, with the one
# HostName closest to you
Host bast
    HostName bast1003.wikimedia.org
    IdentityFile ~/.ssh/wmf_rsa
Next, we need to proxy all connections to internal servers through the bastion host.
# Proxy all connections to internal servers through the bastion host
Host *.wmnet *.wikimedia.org !gerrit.wikimedia.org !bast*.wikimedia.org
    ProxyJump bast
    IdentityFile ~/.ssh/wmf_rsa
Gerrit
We use Gerrit for code review at WMF. You will need to follow the instructions on the wiki article to make sure you have correctly generated an SSH key and set up an account.
Host gerrit.wikimedia.org
    Port 29418
    IdentityFile ~/.ssh/id_rsa
Cloud Config
WMF offers a number of cloud-based platforms for the community. wmflabs is often used for staging/testing purposes. wmcloud is for VPS servers and toolforge is a simplified k8s offering for tool builders. Similar to the production config, we will use bastion (on wmflabs.org) as the initial connection to other internal servers.
###########################
## Cloud Config ###
###########################
Host *.wmflabs.org *.wmcloud.org *.toolforge.org
    User accraze

Host *.wmflabs *.wikimedia.cloud
    User accraze
    ProxyJump bastion.wmflabs.org:22
Machine-Learning
Our production ml-serve clusters should already be covered with the production configuration above. We do use a Cloud VPS server for development purposes (ml-sandbox). I like using an alias host to simplify connecting to it, as well as increasing the ServerAliveInterval so the connection does not get broken.
Host ml-sandbox
    Hostname ml-sandbox.machine-learning.eqiad1.wikimedia.cloud
    ServerAliveInterval 600
Gitlab
WMF has been rolling out its own GitLab instance. It is currently not used in production; however, it is a nice place to put non-critical code and help test out features.
# WMF GitLab instance
Host gitlab.wikimedia.org
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/id_ed25519
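To check which names the Host pattern lists above actually cover, here is an added example (not part of the dotfiles repo) that re-implements ssh_config's Host matching in Python over the Bastion, Gerrit and GitLab stanzas from this page. It is a simplification that handles only Host stanzas (no Match block, no canonicalization re-parse), and ml-serve1001.eqiad.wmnet is a constructed host name.

```python
from fnmatch import fnmatchcase

# Host stanzas copied from this page, in file order.
CONFIG = """\
Host bast
    HostName bast1003.wikimedia.org
    IdentityFile ~/.ssh/wmf_rsa
Host *.wmnet *.wikimedia.org !gerrit.wikimedia.org !bast*.wikimedia.org
    ProxyJump bast
    IdentityFile ~/.ssh/wmf_rsa
Host gerrit.wikimedia.org
    Port 29418
    IdentityFile ~/.ssh/id_rsa
Host gitlab.wikimedia.org
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/id_ed25519
"""
MULTI = {"identityfile"}  # options that accumulate; all others are first-wins

def host_matches(patterns, host):
    """A matching negated pattern vetoes the line; else one positive must match."""
    hit = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):  # '*' and '?' behave as in ssh patterns
            hit = True
    return hit

def resolve(host, text=CONFIG):
    """Return the options applied to `host`, the name as typed on the command line."""
    opts, active = {}, False
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "host":
            active = host_matches(args, host)
        elif active and key in MULTI:
            opts.setdefault(key, []).extend(args)
        elif active:
            opts.setdefault(key, " ".join(args))  # first obtained value wins
    return opts

if __name__ == "__main__":
    # ml-serve1001.eqiad.wmnet is a constructed name, used only for illustration.
    for h in ("ml-serve1001.eqiad.wmnet", "gerrit.wikimedia.org", "gitlab.wikimedia.org"):
        print(h, resolve(h))
```

For gitlab.wikimedia.org this reports ProxyJump bast and both identity files, because the name matches *.wikimedia.org and is not in the exclusion list. On a machine with OpenSSH, `ssh -G <host>` prints the options ssh itself resolves, including the Match block and canonicalization left out here.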