Greetings.
Yesterday I re-installed bastion02.fedoraproject.org. Moving it to ansible and rhel7.
Today I would like to do bastion01. :)
I plan to start the process around 18UTC today.
* Switch openvpn to bastion02
* Shut down postfix on bastion01
* Save postfix queue off
* Take down bastion01, saving disk
  (At this point anyone ssh tunneling via bastion01 will be disconnected)
* Fresh install/ansiblizing.
* Restore postfix queue
* Update sshfp and ssh_known_hosts for folks to verify against.
While I could copy the ssh host keys from the old instances, I am not going to do that in this case. The host keys on those machines have been copied forward through a number of re-installs and I think it's time to have newly generated ones.
This of course means that everyone who has shell access will need to remove the old ssh host key from their known_hosts and add and check the new one. If you are using the VerifyHostKeyDNS ssh option, ssh will verify the host key against the sshfp dns record. If you aren't, you can check it against: https://admin.fedoraproject.org/ssh_known_hosts
In the event the new bastion01 has issues, I will have the old disk and can switch back to that instance if needed.
Thanks,
kevin
infrastructure@lists.fedoraproject.org
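
What the VerifyHostKeyDNS check mentioned in the message compares, as an added example (not part of the original message or of Fedora's tooling): the SSHFP record is a hash of the same public-key blob that appears in a known_hosts line, so the two published sources can be cross-checked offline. The host name `bastion.example.org`, the key bytes and all function names are constructed for illustration, and the parser assumes plain (unhashed) known_hosts lines.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers from RFC 4255, RFC 6594 and RFC 7479.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample: an Ed25519-shaped key blob made of bytes 0..31.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_LINE = "bastion.example.org ssh-ed25519 " + base64.b64encode(_blob).decode()


def parse_known_hosts_line(line):
    """Return (hosts, key_type, key_blob) for a plain (unhashed) known_hosts line."""
    hosts, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; they must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return hosts.split(","), key_type, blob


def sshfp_algo(key_type):
    """Map an SSH key type name to its SSHFP algorithm number."""
    return 3 if key_type.startswith("ecdsa-sha2-") else SSHFP_ALGO[key_type]


def sshfp_rdata(line, fptype=2):
    """Build the SSHFP RDATA ('algo fptype hex') that this key should publish."""
    _, key_type, blob = parse_known_hosts_line(line)
    return f"{sshfp_algo(key_type)} {fptype} {SSHFP_HASH[fptype](blob).hexdigest()}"


def matches_sshfp(line, rdata):
    """True if the key on the known_hosts line matches one SSHFP record."""
    _, key_type, blob = parse_known_hosts_line(line)
    algo, fptype, hexfp = rdata.split(None, 2)
    if int(algo) != sshfp_algo(key_type) or int(fptype) not in SSHFP_HASH:
        return False
    return SSHFP_HASH[int(fptype)](blob).hexdigest() == hexfp.replace(" ", "").lower()


if __name__ == "__main__":
    record = sshfp_rdata(SAMPLE_LINE)
    print("expected SSHFP:", record)
    print("match:", matches_sshfp(SAMPLE_LINE, record))
```

A match against DNS is only as trustworthy as the lookup itself: ssh accepts an SSHFP answer without prompting only when the resolver reports it as DNSSEC-validated.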