In order to access tbpl.mozilla.org, my ldap account needs to have vpn access to mpt.

vpn access is for moco employees. Can you give us some context for this? Or copy someone within moco that can vouch for you and describe what this is for and how it will be used?

As one of the most active tbpl developers I would like to be able to actually connect to tbpl.mozilla.org (see dependent bug) for which I have root access. This is needed so I can deploy fixes to (the future, mozilla hosted) tbpl. Markus who currently hosts tbpl on his own server has a lot of other work to do and may not be there to deploy needed changes. Ehsan can vouch for me, he also contributed quite a lot to tbpl.

I'll vouch for Arpad!

This is fine - we'll do this like we've done for other hosts (dm-oink01 or dp-dxr01 for instance). You'll have an LDAP based user login and can sudo to root. Ideally you shouldn't even need to be root. None of this requires VPN. The dependent bug is marked resolved - not sure if this bug morphs into "get access" or the other bug is reopened.

(In reply to comment #4) > None of this requires VPN. The dependent bug is marked resolved - not sure if > this bug morphs into "get access" or the other bug is reopened. Well tbpl.m.o in not accessible from the outside yet. I’m fine with waiting until it is.

Another idea... what do you need to do -on- the box? Could you update your code in hg and have some process that pulls code automatically for you so you wouldn't ever need to be on the host?

(In reply to comment #6) > Another idea... what do you need to do -on- the box? Could you update your > code in hg and have some process that pulls code automatically for you so you > wouldn't ever need to be on the host? That would be most awesome. In the other bug it was said that we would get a minimal box with nothing on it that we install ourselves. But if everything works and the code from hg is automatically pulled then that it the best solution.

tbpl.mozilla.org has been alive for some time now, however its ssh port is not exposed to the public, so I can still not connect to it. Doing an automatic hg pull as suggested in comment 6 seems like a nice idea, but it would mean that anybody with commit access can change the code that is run on the server, which does not seem like a desirable situation either. So is this bug a WONTFIX then?

fox2mike, ideas how to best accomplish this?

Arpad, I'm not in favour of opening up ssh on tbpl.mozilla.org. If you absolutely need to get on the box, I don't mind allowing ssh connections to the box from the world, or if you have a static host somewhere, I'd be more than happy to allow ssh into tbpl only from that box, makes it easier for us too. You've got a point about automated hg pulls causing issues, I'm not sure if hg does tags or if you can setup a branch and auto pull from that, so that development can continue as well. So to conclude, while I'm not happy opening up ssh to the world, if there is no other option, I'll do it. Let me know?

Any reason why VPN access with a static route only for tbpl wouldn't work here? It's been done before for non-corporate employees that needed access to one (or more) box(en).

Nevermind, I guess I can just bug someone on irc to pull who has access to the box.

(In reply to comment #11) > Any reason why VPN access with a static route only for tbpl wouldn't work here? > It's been done before for non-corporate employees that needed access to one (or > more) box(en). We don't do that for anyone anymore. Too hard to maintain.