ansible: remove old github.com ssh key from known_hosts

[richardlau]

Refs: https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
Refs: #3254

---

This is untested. I won't be in a position to run a playbook until Tuesday.

[targos]

Tested with:

$ ansible-playbook --limit test-digitalocean-fedora32-x64-1 ansible/playbooks/jenkins/worker/create.yml --step --start-at-task="remove old github.com ssh keys"

PLAY [test,release,!*-win*] ********************************************************************************************
Perform task: TASK: jenkins-worker : remove old github.com ssh keys (N)o/(y)es/(c)ontinue: y

Perform task: TASK: jenkins-worker : remove old github.com ssh keys (N)o/(y)es/(c)ontinue: *****************************

TASK [jenkins-worker : remove old github.com ssh keys] *****************************************************************
changed: [test-digitalocean-fedora32-x64-1] => (item=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==)

It seems to have worked fine!

[targos]

Just ran it on all (available) hosts

[mhdawson]

@targos did that include running on the docker maines along the linst of #3254 (comment)?

[mhdawson]

LGTM since it worked :)

[targos]

@mhdawson

did that include running on the docker maines along the linst of #3254 (comment)?

No, I wasn't aware of that command and just spent some time updating a lot of docker containers manually...

[targos]

ansible-playbook ansible/playbooks/jenkins/docker-host.yaml --step --start-at-task="remove old github.com ssh keys"

PLAY [test,release] ***********************************************************************************************************************************************************************************************************************

PLAY RECAP ********************************************************************************************************************************************************************************************************************************

 [ERROR]: No matching task "remove old github.com ssh keys" found. Note: --start-at-task can only follow static includes.

[mhdawson]

@targos thanks for taking the time/effort to do the manual updates, have you done them all? If not maybe we can split up the remaining ones?

[mhdawson]

@targos I'm not sure we can run just that step in the ansible/playbooks/jenkins/docker-host.yaml as I believe it works differently. I think running it fully would recreate all of the containers etc. I did not try running because I've not run it before and am therefore not that comfortable in how it works. I think @richardlau has run it more recently.

EDIT: should have mentioned that since Richard is out, updating manually in the short term makes sense to me as you have already done/started.

[targos]

@mhdawson I don't know what are the remaining ones :)

I started a new CI job here to monitor: https://ci.nodejs.org/job/node-test-pull-request/50600/ and updated test-digitalocean-ubuntu1804-x64-1
I'm going to stop for today, feel free to watch the results.

[mhdawson]

@targos thanks for all of your hard work.

[mhdawson]

Fixed up a few more hosts as mentioned in #3254

[mhdawson]

Resumed @targos build here to see if there are more hosts that will fail - https://ci.nodejs.org/job/node-test-pull-request/50601/

[MoLow]

Resumed @targos build here to see if there are more hosts that will fail - ci.nodejs.org/job/node-test-pull-request/50601

fails in https://ci.nodejs.org/job/node-test-commit-linux-containered/36770/nodes=ubi81_sharedlibs_openssl111fips_x64/console
on test-softlayer-ubi81_container-x64-1

[MoLow]

I am rerunning ansible-playbook ansible/playbooks/jenkins/docker-host.yaml --limit "test-softlayer-ubuntu1804_docker-x64-1" -vv with this branch checked out, I will resume the build once completed

[MoLow]

Resumed again: https://ci.nodejs.org/job/node-test-pull-request/50602/

[MoLow]

didn't seem to help: https://ci.nodejs.org/job/node-test-commit-linux-containered/36771/nodes=ubi81_sharedlibs_openssl111fips_x64/
what am I missing?

[richardlau]

didn't seem to help: https://ci.nodejs.org/job/node-test-commit-linux-containered/36771/nodes=ubi81_sharedlibs_openssl111fips_x64/ what am I missing?

See #3254 (comment) -- the containers are set up through a different set of Ansible tasks. I'm going to merge this PR and then work on a follow up to move the known_hosts for GitHub tasks to it's own role that will be called from both the jenkins-worker/create playbook and the docker-host playbook.