Convert all ldap globals into hiera variables instead
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	yuvipanda
	Jun 4 2015, 10:00 PM

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
ldap::client::labs: fix 'Unknown variable: '::restricted..'	operations/puppet	production	+5 -4
base: Use ::hostname instead of ::instancename	operations/puppet	production	+3 -17
Kill references to $::instancename	operations/puppet	production	+8 -10
Delete puppetvar stuff	mediawiki/extensions/OpenStackManager	master	+15 -549
ldap::role::client::labs: Allow restricted_from and _to from hiera	operations/puppet	production	+9 -5
toollabs: Allow $::node_dedicated_tool to be set from hiera	operations/puppet	production	+7 -7
role::labs::lvm::mnt: Allow mount_point to be set from hiera	operations/puppet	production	+4 -4
mediawiki_singlenode: Move $::labs_mediawiki_hostname to a param	operations/puppet	production	+4 -3
sentry: Stop using LDAP variables for hostname matching	operations/puppet	production	+1 -1
ssh: Disallow optional X forwarding	operations/puppet	production	+0 -4
wikitech: Stop setting default classes for new instances	operations/mediawiki-config	master	+1 -1
wikitech: Do not set realm in ldap by default	operations/mediawiki-config	master	+1 -1
designate: Stop populating default classes / variables	operations/puppet	production	+0 -4
Include role::labs::instance in labs via puppet	operations/puppet	production	+2 -1
labs: Set realm in hiera	operations/puppet	production	+2 -1
ssh: Remove ssh_restrict_network LDAP variable	operations/puppet	production	+0 -13
ssh: Disable LDAP key lookup for HBA	operations/puppet	production	+1 -4

Related Objects
Search...

Status	Assigned	Task
Resolved	Andrew	T42525 Cant add a security group to an existing instance
Resolved	Andrew	T87279 Make OpenStack Horizon useful for production labs
Resolved	Andrew	T91990 Horizon dashboard for managing instance puppet config
Resolved	Andrew	T101447 Convert all ldap globals into hiera variables instead
Duplicate	None	T97055 Allow per-host hiera customizations on wikitech
Resolved	scfc	T104202 Allow per-host hiera overrides via wikitech

Event Timeline

yuvipanda created this task.Jun 4 2015, 10:00 PM

yuvipanda raised the priority of this task from to Needs Triage.

yuvipanda updated the task description. (Show Details)

yuvipanda added a project: Cloud-Services.

yuvipanda added subscribers: yuvipanda, Joe, • chasemp, Andrew.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 4 2015, 10:00 PM

scfc added a subtask: T97055: Allow per-host hiera customizations on wikitech.Jun 4 2015, 11:32 PM

yuvipanda added a subtask: T104202: Allow per-host hiera overrides via wikitech.Jul 21 2015, 10:53 PM

Change 226246 had a related patch set uploaded (by Yuvipanda):
ssh: Disable LDAP key lookup for HBA

https://gerrit.wikimedia.org/r/226246

Change 226247 had a related patch set uploaded (by Yuvipanda):
ssh: Remove ssh_restrict_network LDAP variable

https://gerrit.wikimedia.org/r/226247

Change 226246 merged by Yuvipanda:
ssh: Disable LDAP key lookup for HBA

https://gerrit.wikimedia.org/r/226246

Change 226247 merged by Yuvipanda:
ssh: Remove ssh_restrict_network LDAP variable

https://gerrit.wikimedia.org/r/226247

yuvipanda mentioned this in rOPUPc2133d3dbfb7: ssh: Disable LDAP key lookup for HBA.Jul 21 2015, 11:31 PM

yuvipanda mentioned this in rOPUP86f221d24e42: ssh: Remove ssh_restrict_network LDAP variable.

scfc closed subtask T104202: Allow per-host hiera overrides via wikitech as Resolved.Aug 25 2015, 4:35 PM

These are the puppetVar attributes in the hosts database right? There's some remaining ssh_hba entries which haven't been cleaned up, as well as a load of instancecreator stuff, among other things.

Krenair removed a project: Patch-For-Review.Oct 12 2015, 2:27 AM

Krenair set Security to None.

Change 253654 had a related patch set uploaded (by Yuvipanda):
labs: Set realm in hiera

https://gerrit.wikimedia.org/r/253654

Restricted Application added a subscriber: StudiesWorld. · View Herald TranscriptNov 17 2015, 7:28 PM

gerritbot added a project: Patch-For-Review.Nov 17 2015, 7:28 PM

Change 253654 merged by Yuvipanda:
labs: Set realm in hiera

https://gerrit.wikimedia.org/r/253654

Change 253664 had a related patch set uploaded (by Yuvipanda):
Include role::labs::instance in labs via puppet

https://gerrit.wikimedia.org/r/253664

Change 253664 merged by Yuvipanda:
Include role::labs::instance in labs via puppet

https://gerrit.wikimedia.org/r/253664

Change 253801 had a related patch set uploaded (by Yuvipanda):
wikitech: Do not set realm in ldap by default

https://gerrit.wikimedia.org/r/253801

Change 253802 had a related patch set uploaded (by Yuvipanda):
wikitech: Stop setting default classes for new instances

https://gerrit.wikimedia.org/r/253802

Change 253807 had a related patch set uploaded (by Yuvipanda):
designate: Stop populating default classes / variables

https://gerrit.wikimedia.org/r/253807

yuvipanda claimed this task.Nov 18 2015, 1:14 AM

I've just removed all instances of ssh_hba from LDAP.

role::labs::instance class and realm variable are gone now too. The former is included via node.pp and the latter via hiera.

Change 253807 merged by Andrew Bogott:
designate: Stop populating default classes / variables

https://gerrit.wikimedia.org/r/253807

yuvipanda triaged this task as Low priority.Nov 23 2015, 6:03 PM

Change 253801 merged by jenkins-bot:
wikitech: Do not set realm in ldap by default

https://gerrit.wikimedia.org/r/253801

Change 253802 merged by jenkins-bot:
wikitech: Stop setting default classes for new instances

https://gerrit.wikimedia.org/r/253802

The puppetmaster ldap variable is now gone from deployment-prep and integration hosts

all the old 'instancecreator*' ones are gone too now.

Removed 'basicpuppet' from instance 'basic' which was un-sshable anyway.

Removed 'hash_path_suffix' ldap variable, since it's used in only one instance and nowhere in ops/puppet

puppetVar: deployment_server_override=
puppetVar: hadoop_cluster_name=
puppetVar: hadoop_namenodes=
puppetVar: ircecho_chans=
puppetVar: ircecho_infile=
puppetVar: ircecho_nick=
puppetVar: ircecho_server=
puppetVar: kafka_cluster=
puppetVar: kibana_authrealm=
puppetVar: labs_mediawiki_hostname=
puppetVar: logstash_irc_name=
puppetVar: lvm_mount_point=
puppetVar: node_dedicated_tool=
puppetVar: ocg_graylog_server_override=
puppetVar: ocg_redis_server_override=
puppetVar: ocg_statsd_server_override=
puppetVar: puppetmaster=
puppetVar: restricted_from=
puppetVar: restricted_to=
puppetVar: role::graphite::base::hostname=
puppetVar: salt_master_finger_override=
puppetVar: salt_master_override=
puppetVar: sentry_server_name=
puppetVar: ssh_x11_forwarding=
puppetVar: wikimetrics_backup=
puppetVar: wikimetrics_debug=
puppetVar: wikimetrics_server_name=
puppetVar: wikimetrics_server_port=
puppetVar: wikimetrics_ssl_redirect=

These are the remaining ones and they should all die.

Killed role::graphite::base::hostname as well since that too is a misnomer (confusion about hiera vs ldap I think?).

Killed the ircecho ldap stuff too. It's on the defunct icinga instance, and puppet had stopped caring about these for a while.

Killed the ocg stuff too, since it's not being used in puppet anymore.

Edited task description to match remaining ldap variables left. I've also removed the puppetmaster variable from the configure page so it can not be used easily anymore.

kibana_authrealm and logstash_irc_name are gone, unused.

yuvipanda updated the task description. (Show Details)Dec 15 2015, 10:26 PM

Change 259412 had a related patch set uploaded (by Yuvipanda):
sentry: Stop using LDAP variables for hostname matching

https://gerrit.wikimedia.org/r/259412

Change 259412 merged by Yuvipanda:
sentry: Stop using LDAP variables for hostname matching

https://gerrit.wikimedia.org/r/259412

Change 259420 had a related patch set uploaded (by Yuvipanda):
ssh: Disallow optional X forwarding

https://gerrit.wikimedia.org/r/259420

Change 259420 merged by Yuvipanda:
ssh: Disallow optional X forwarding

https://gerrit.wikimedia.org/r/259420

yuvipanda updated the task description. (Show Details)Dec 15 2015, 10:54 PM

Unlicking cookie!

yuvipanda added a parent task: T91990: Horizon dashboard for managing instance puppet config.Apr 19 2016, 11:49 PM

yuvipanda mentioned this in T91990: Horizon dashboard for managing instance puppet config.

yuvipanda mentioned this in T120165: Implement role based hiera lookups for labs.Jun 1 2016, 6:33 PM

(LDAP binds in the below are to bypass LDAP page size limits)

krenair@terbium:~$ ldapsearch -x -D "uid=novaadmin,ou=people,dc=wikimedia,dc=org" -w redacted objectClass=puppetClient | grep -o "puppetVar: .*=" | sort | uniq -c | sort -n
      1 puppetVar: deployment_server_override=
      1 puppetVar: hadoop_cluster_name=
      1 puppetVar: hadoop_journalnodes=
      1 puppetVar: hadoop_namenodes=
      1 puppetVar: role::puppet::self::master=
      2 puppetVar: node_dedicated_tool=
      2 puppetVar: restricted_from=
      2 puppetVar: sentry_server_name=
      5 puppetVar: lvm_mount_point=
      8 puppetVar: salt_master_finger_override=
      8 puppetVar: salt_master_override=
      9 puppetVar: restricted_to=
     12 puppetVar: labs_mediawiki_hostname=
     18 puppetVar: puppetmaster=
   7184 puppetVar: instancename=
   7184 puppetVar: instanceproject=

import ldap
ldap_conn = ldap.initialize('ldap://ldap-labs.eqiad.wikimedia.org:389')
ldap_conn.protocol_version = ldap.VERSION3
ldap_conn.simple_bind_s("uid=novaadmin,ou=people,dc=wikimedia,dc=org", "redacted")

hosts = ldap_conn.search_s(
    "ou=hosts,dc=wikimedia,dc=org",
    ldap.SCOPE_SUBTREE,
    "objectClass=puppetClient",
    attrlist=['puppetVar', 'dc'],
)
for dn, attrs in hosts:
    dc, = attrs['dc']
    if 'puppetVar' not in attrs:
        # wtf is dc=basic.puppet.node,ou=hosts,dc=wikimedia,dc=org ?
        continue
    puppetVars = dict(puppetVar.split('=') for puppetVar in attrs['puppetVar'] if not puppetVar.startswith('instance'))
    if len(puppetVars.keys()):
        print(dc + ": " + str(puppetVars))

results in:

tools-mail.tools.eqiad.wmflabs: {'restricted_to': 'tools.admin'}
tools-exec-cyberbot.tools.eqiad.wmflabs: {'node_dedicated_tool': 'cyberbot'}
tools-exec-gift.tools.eqiad.wmflabs: {'node_dedicated_tool': 'giftbot'}
mwui.editor-engagement.eqiad.wmflabs: {'labs_mediawiki_hostname': 'mwui'}
wikisource-dev.wikisource-dev.eqiad.wmflabs: {'labs_mediawiki_hostname': 'wikisource-dev.wmflabs.org'}
openid-wiki.openid.eqiad.wmflabs: {'labs_mediawiki_hostname': 'openid-wiki.instance-proxy.wmflabs.org'}
social-tools1.social-tools.eqiad.wmflabs: {'labs_mediawiki_hostname': 'social-tools'}
towtruck.visualeditor.eqiad.wmflabs: {'labs_mediawiki_hostname': 'togetherjs.wmflabs.org'}
ee-flow.editor-engagement.eqiad.wmflabs: {'labs_mediawiki_hostname': 'ee-flow.pmtpa.wmflabs'}
toro.editor-engagement.eqiad.wmflabs: {'labs_mediawiki_hostname': 'toro.wmflabs.org'}
piramido.editor-engagement.eqiad.wmflabs: {'labs_mediawiki_hostname': 'piramido.wmflabs.org'}
signwriting-ase-wiki.signwriting.eqiad.wmflabs: {'labs_mediawiki_hostname': 'http://ase.wikipedia.wmflabs.org'}
language-dev.language.eqiad.wmflabs: {'labs_mediawiki_hostname': 'LangDev'}
services-deploy.services.eqiad.wmflabs: {'salt_master_override': 'services-deploy', 'salt_master_finger_override': 'services-deploy', 'deployment_server_override': 'services-deploy'}
ttmserver-mediawiki01.ttmserver.eqiad.wmflabs: {'salt_master_override': 'ttmserver-salt01.eqiad.wmflabs', 'salt_master_finger_override': '42:bb:24:ad:a5:75:86:95:db:da:dd:33:c5:90:5d:3e'}
ttmserver-salt01.ttmserver.eqiad.wmflabs: {'salt_master_override': 'ttmserver-salt01.eqiad.wmflabs', 'salt_master_finger_override': '42:bb:24:ad:a5:75:86:95:db:da:dd:33:c5:90:5d:3e'}
ttmserver-elasticsearch01.ttmserver.eqiad.wmflabs: {'salt_master_override': 'ttmserver-salt01.eqiad.wmflabs', 'salt_master_finger_override': '42:bb:24:ad:a5:75:86:95:db:da:dd:33:c5:90:5d:3e'}
deployment-elastic05.deployment-prep.eqiad.wmflabs: {'lvm_mount_point': '/var/lib/elasticsearch'}
deployment-elastic06.deployment-prep.eqiad.wmflabs: {'lvm_mount_point': '/var/lib/elasticsearch'}
deployment-elastic07.deployment-prep.eqiad.wmflabs: {'lvm_mount_point': '/var/lib/elasticsearch'}
deployment-elastic08.deployment-prep.eqiad.wmflabs: {'lvm_mount_point': '/var/lib/elasticsearch'}
wikidataquality.wikidata-quality.eqiad.wmflabs: {'labs_mediawiki_hostname': 'wikidataquality.wmflabs.org'}
toolsbeta-mail.toolsbeta.eqiad.wmflabs: {'restricted_to': 'toolsbeta.admin'}
toolsbeta-master.toolsbeta.eqiad.wmflabs: {'restricted_to': 'toolsbeta.admin'}
shaved-yak.mediawiki-core-team.eqiad.wmflabs: {'puppetmaster': 'shaved-yak'}
etcd01.etcd.eqiad.wmflabs: {'puppetmaster': 'master'}
etcd03.etcd.eqiad.wmflabs: {'puppetmaster': 'master'}
master.etcd.eqiad.wmflabs: {'puppetmaster': 'master'}
confd-jessie.etcd.eqiad.wmflabs: {'puppetmaster': 'master'}
proofreadpage.wikisource-dev.eqiad.wmflabs: {'labs_mediawiki_hostname': 'wikisource-dev.wmflabs.org'}
deployment-logstash2.deployment-prep.eqiad.wmflabs: {'lvm_mount_point': '/var/lib/elasticsearch'}
confd-precise.etcd.eqiad.wmflabs: {'puppetmaster': 'master'}
bastion-01.bastion.eqiad.wmflabs: {'restricted_to': 'project-bastion', 'restricted_from': '(ops)'}
bastion-02.bastion.eqiad.wmflabs: {'restricted_to': 'project-bastion', 'restricted_from': '(ops)'}
bastion-restricted-01.bastion.eqiad.wmflabs: {'restricted_to': 'ops'}
bastion-restricted-02.bastion.eqiad.wmflabs: {'restricted_to': 'ops'}
fastcci-puppetmaster.fastcci.eqiad.wmflabs: {'puppetmaster': 'fastcci-puppetmaster'}
sentry-alpha.sentry.eqiad.wmflabs: {'sentry_server_name': 'sentry-alpha.wmflabs.org'}
sentry-01.sentry.eqiad.wmflabs: {'sentry_server_name': 'sentry-01.wmflabs.org'}
mdc-puppetmaster.mdc.eqiad.wmflabs: {'puppetmaster': 'mdc-puppetmaster'}
tools-grid-shadow.tools.eqiad.wmflabs: {'restricted_to': 'tools.admin'}
tools-grid-master.tools.eqiad.wmflabs: {'restricted_to': 'tools.admin'}
analytics303.analytics.eqiad.wmflabs: {'puppetmaster': 'analytics101', 'hadoop_namenodes': 'analytics300.analytics.eqiad.wmflabs,analytics302.analytics.eqiad.wmflabs', 'hadoop_cluster_name': 'analytics-labs-hadoop', 'hadoop_journalnodes': 'analytics300.analytics.eqiad.wmflabs,analytics302.analytics.eqiad.wmflabs,analytics303.analytics.eqiad.wmflabs'}
jessie.debdeploy.eqiad.wmflabs: {'salt_master_override': 'salzmeister.debdeploy.eqiad.wmflabs', 'salt_master_finger_override': '0b:c3:2d:5e:60:44:e4:7a:14:3b:e9:b9:07:1e:db:af'}
salzmeister.debdeploy.eqiad.wmflabs: {'salt_master_override': 'salzmeister.debdeploy.eqiad.wmflabs', 'salt_master_finger_override': '0b:c3:2d:5e:60:44:e4:7a:14:3b:e9:b9:07:1e:db:af'}
trusty.debdeploy.eqiad.wmflabs: {'salt_master_override': 'salzmeister.debdeploy.eqiad.wmflabs', 'salt_master_finger_override': '0b:c3:2d:5e:60:44:e4:7a:14:3b:e9:b9:07:1e:db:af'}
precise.debdeploy.eqiad.wmflabs: {'salt_master_override': 'salzmeister.debdeploy.eqiad.wmflabs', 'salt_master_finger_override': '0b:c3:2d:5e:60:44:e4:7a:14:3b:e9:b9:07:1e:db:af'}
kafka401.analytics.eqiad.wmflabs: {'puppetmaster': 'kafka401'}
kafka402.analytics.eqiad.wmflabs: {'puppetmaster': 'kafka401'}
kafka403.analytics.eqiad.wmflabs: {'puppetmaster': 'kafka401'}
druid101.analytics.eqiad.wmflabs: {'puppetmaster': 'druid101'}
druid103.analytics.eqiad.wmflabs: {'puppetmaster': 'druid101'}
druid102.analytics.eqiad.wmflabs: {'puppetmaster': 'druid101'}
cdh101.analytics.eqiad.wmflabs: {'puppetmaster': 'druid101'}
kafka501.analytics.eqiad.wmflabs: {'puppetmaster': 'kafka401'}
kafka601.analytics.eqiad.wmflabs: {'puppetmaster': 'kafka401'}
sonarqube.search.eqiad.wmflabs: {'role::puppet::self::master': 'localhost'}

• AlexMonk-WMF updated the task description. (Show Details)Aug 27 2016, 10:04 PM

• AlexMonk-WMF updated the task description. (Show Details)Aug 27 2016, 10:06 PM

Change 308820 had a related patch set uploaded (by Andrew Bogott):
role::labs::lvm::mnt: Allow mount_point to be set from hiera

https://gerrit.wikimedia.org/r/308820

Change 308812 had a related patch set uploaded (by Andrew Bogott):
mediawiki_singlenode: Move $::labs_mediawiki_hostname to a param

https://gerrit.wikimedia.org/r/308812

Change 308823 had a related patch set uploaded (by Andrew Bogott):
toollabs: Allow $::node_dedicated_tool to be set from hiera

https://gerrit.wikimedia.org/r/308823

Change 308826 had a related patch set uploaded (by Andrew Bogott):
ldap::role::client::labs: Allow restricted_from and _to from hiera

https://gerrit.wikimedia.org/r/308826

Change 308812 merged by Andrew Bogott:
mediawiki_singlenode: Move $::labs_mediawiki_hostname to a param

https://gerrit.wikimedia.org/r/308812

Change 308820 merged by Andrew Bogott:
role::labs::lvm::mnt: Allow mount_point to be set from hiera

https://gerrit.wikimedia.org/r/308820

Change 308823 merged by Andrew Bogott:
toollabs: Allow $::node_dedicated_tool to be set from hiera

https://gerrit.wikimedia.org/r/308823

Change 308826 merged by Andrew Bogott:
ldap::role::client::labs: Allow restricted_from and _to from hiera

https://gerrit.wikimedia.org/r/308826

All globals are now eliminated from ldap. Next is removing the gui from wikitech

Change 308903 had a related patch set uploaded (by Alex Monk):
Kill references to $::instancename

https://gerrit.wikimedia.org/r/308903

Change 308908 had a related patch set uploaded (by Alex Monk):
Delete puppetvar stuff

https://gerrit.wikimedia.org/r/308908

Change 308908 merged by jenkins-bot:
Delete puppetvar stuff

https://gerrit.wikimedia.org/r/308908

Change 308903 merged by Andrew Bogott:
Kill references to $::instancename

https://gerrit.wikimedia.org/r/308903

Andrew closed this task as Resolved.Sep 7 2016, 2:33 PM

Andrew claimed this task.

ReleaseTaggerBot added a project: MW-1.28-release (WMF-deploy-2016-09-13_(1.28.0-wmf.19)).Sep 7 2016, 3:00 PM

Change 309215 had a related patch set uploaded (by Alex Monk):
Use ::hostname instead of ::instancename to fix compatibility with labs ENC

https://gerrit.wikimedia.org/r/309215

Change 309215 merged by Yuvipanda:
base: Use ::hostname instead of ::instancename

https://gerrit.wikimedia.org/r/309215

• Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:50 PM

Change 633838 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ldap::client::labs: fix 'Unknown variable: '::restricted..'

https://gerrit.wikimedia.org/r/633838

Change 633838 merged by Dzahn:
[operations/puppet@production] ldap::client::labs: fix 'Unknown variable: '::restricted..'

https://gerrit.wikimedia.org/r/633838

Convert all ldap globals into hiera variables insteadClosed, ResolvedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

Convert all ldap globals into hiera variables instead
Closed, ResolvedPublic
Actions

Related Objects
Search...