Greetings.

Yesterday I re-installed bastion02.fedoraproject.org, moving it to ansible and rhel7. Today I would like to do bastion01. :)

I plan to start the process around 18UTC today.

* Switch openvpn to bastion02
* Shut down postfix on bastion01
* Save postfix queue off
* Take down bastion01, saving disk
  (At this point anyone ssh tunneling via bastion01 will be disconnected)
* Fresh install/ansiblizing.
* Restore postfix queue
* Update sshfp and ssh_known_hosts for folks to verify against.

While I could copy the ssh host keys from the old instances, I am not going to do that in this case. The host keys on those machines have been copied forward through a number of re-installs and I think it's time to have newly generated ones.

This of course means that everyone who has shell access will need to remove the old ssh host key from their known_hosts and add and check the new one.

If you are using the VerifyHostKeyDNS ssh option, ssh will verify the host key against the sshfp dns record. If you aren't, you can check it against:

https://admin.fedoraproject.org/ssh_known_hosts

In the event the new bastion01 has issues, I will have the old disk and can switch back to that instance if needed.

Thanks,

kevin
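The check described in the message above (comparing a host key from an ssh_known_hosts file with the SSHFP record that VerifyHostKeyDNS relies on), as an added example that is not part of the original message. The host name and key bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
              "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
              "ecdsa-sha2-nistp521": 3}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}  # SSHFP fingerprint types


def parse_known_hosts_line(line):
    """Return (hosts, key_type, key_blob) for one plain known_hosts entry."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith(("#", "@")):
        raise ValueError("not a plain known_hosts entry")
    hosts, key_type = fields[0].split(","), fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was edited or corrupted.
    if blob[:4] != struct.pack(">I", len(key_type)) or \
            blob[4:4 + len(key_type)] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return hosts, key_type, blob


def sshfp_rdata(key_type, blob, fp_type=2):
    """SSHFP RDATA text for a key: '<algorithm> <fp type> <hex digest>'."""
    digest = SSHFP_HASH[fp_type](blob).hexdigest()
    return f"{SSHFP_ALGO[key_type]} {fp_type} {digest}"


def key_matches_sshfp(known_hosts_line, sshfp_records):
    """True if any published SSHFP RDATA string matches the key on the line."""
    _, key_type, blob = parse_known_hosts_line(known_hosts_line)
    for rdata in sshfp_records:
        # dig may print a long digest as several space-separated groups
        algo, fp_type, *hex_parts = rdata.split()
        if int(fp_type) not in SSHFP_HASH:
            continue  # unknown fingerprint type: cannot verify, so no match
        published = f"{int(algo)} {int(fp_type)} {''.join(hex_parts).lower()}"
        if published == sshfp_rdata(key_type, blob, int(fp_type)):
            return True
    return False


# Constructed sample: an Ed25519 blob built from placeholder bytes, not a real host key.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_LINE = "bastion.example.org ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
```

The record strings passed to key_matches_sshfp are the RDATA part of a DNS answer; the comparison is only as trustworthy as the DNS lookup itself, which is why ssh treats SSHFP matches from unsigned zones differently from DNSSEC-validated ones.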