
Convert all ldap globals into hiera variables instead
Closed, Resolved · Public

Description

LDAP can inject global variables into puppet, and people can set these via wikitech. Hiera can also be used for similar purposes, causing confusion.

Kill the LDAP globals. This involves:

  1. Finding all the places they are used (which globals, and which instances use them)
  2. Providing alternatives in hiera
  3. Killing the globals
  4. Killing the globals functionality from OpenStackManager

Globals left to kill:

  • hadoop_journalnodes=
  • role::puppet::self::master=
  • deployment_server_override=
  • hadoop_cluster_name=
  • hadoop_namenodes=
  • kafka_cluster=
  • kibana_authrealm=
  • labs_mediawiki_hostname=
  • logstash_irc_name=
  • lvm_mount_point=
  • node_dedicated_tool=
  • puppetmaster=
  • restricted_from=
  • restricted_to=
  • salt_master_finger_override=
  • salt_master_override=
  • sentry_server_name=
  • ssh_x11_forwarding=
  • wikimetrics_backup=
  • wikimetrics_debug=
  • wikimetrics_server_name=
  • wikimetrics_server_port=
  • wikimetrics_ssl_redirect=

Event Timeline

yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description. (Show Details)
yuvipanda added a project: Cloud-Services.
Restricted Application added a subscriber: Aklapper. Jun 4 2015, 10:00 PM

Change 226246 had a related patch set uploaded (by Yuvipanda):
ssh: Disable LDAP key lookup for HBA

https://gerrit.wikimedia.org/r/226246

Change 226247 had a related patch set uploaded (by Yuvipanda):
ssh: Remove ssh_restrict_network LDAP variable

https://gerrit.wikimedia.org/r/226247

Change 226246 merged by Yuvipanda:
ssh: Disable LDAP key lookup for HBA

https://gerrit.wikimedia.org/r/226246

Change 226247 merged by Yuvipanda:
ssh: Remove ssh_restrict_network LDAP variable

https://gerrit.wikimedia.org/r/226247

These are the puppetVar attributes in the hosts database, right? There's some remaining ssh_hba entries which haven't been cleaned up, as well as a load of instancecreator stuff, among other things.

Krenair set Security to None.

Change 253654 had a related patch set uploaded (by Yuvipanda):
labs: Set realm in hiera

https://gerrit.wikimedia.org/r/253654

Restricted Application added a subscriber: StudiesWorld. Nov 17 2015, 7:28 PM

Change 253654 merged by Yuvipanda:
labs: Set realm in hiera

https://gerrit.wikimedia.org/r/253654

Change 253664 had a related patch set uploaded (by Yuvipanda):
Include role::labs::instance in labs via puppet

https://gerrit.wikimedia.org/r/253664

Change 253664 merged by Yuvipanda:
Include role::labs::instance in labs via puppet

https://gerrit.wikimedia.org/r/253664

Change 253801 had a related patch set uploaded (by Yuvipanda):
wikitech: Do not set realm in ldap by default

https://gerrit.wikimedia.org/r/253801

Change 253802 had a related patch set uploaded (by Yuvipanda):
wikitech: Stop setting default classes for new instances

https://gerrit.wikimedia.org/r/253802

Change 253807 had a related patch set uploaded (by Yuvipanda):
designate: Stop populating default classes / variables

https://gerrit.wikimedia.org/r/253807

I've just removed all instances of ssh_hba from LDAP.

role::labs::instance class and realm variable are gone now too. The former is included via node.pp and the latter via hiera.

Change 253807 merged by Andrew Bogott:
designate: Stop populating default classes / variables

https://gerrit.wikimedia.org/r/253807

yuvipanda triaged this task as Low priority. Nov 23 2015, 6:03 PM

Change 253801 merged by jenkins-bot:
wikitech: Do not set realm in ldap by default

https://gerrit.wikimedia.org/r/253801

Change 253802 merged by jenkins-bot:
wikitech: Stop setting default classes for new instances

https://gerrit.wikimedia.org/r/253802

The puppetmaster ldap variable is now gone from deployment-prep and integration hosts.

All the old 'instancecreator*' ones are gone too now.

Removed 'basicpuppet' from instance 'basic' which was un-sshable anyway.

Removed 'hash_path_suffix' ldap variable, since it's used in only one instance and nowhere in ops/puppet.

puppetVar: deployment_server_override=
puppetVar: hadoop_cluster_name=
puppetVar: hadoop_namenodes=
puppetVar: ircecho_chans=
puppetVar: ircecho_infile=
puppetVar: ircecho_nick=
puppetVar: ircecho_server=
puppetVar: kafka_cluster=
puppetVar: kibana_authrealm=
puppetVar: labs_mediawiki_hostname=
puppetVar: logstash_irc_name=
puppetVar: lvm_mount_point=
puppetVar: node_dedicated_tool=
puppetVar: ocg_graylog_server_override=
puppetVar: ocg_redis_server_override=
puppetVar: ocg_statsd_server_override=
puppetVar: puppetmaster=
puppetVar: restricted_from=
puppetVar: restricted_to=
puppetVar: role::graphite::base::hostname=
puppetVar: salt_master_finger_override=
puppetVar: salt_master_override=
puppetVar: sentry_server_name=
puppetVar: ssh_x11_forwarding=
puppetVar: wikimetrics_backup=
puppetVar: wikimetrics_debug=
puppetVar: wikimetrics_server_name=
puppetVar: wikimetrics_server_port=
puppetVar: wikimetrics_ssl_redirect=

These are the remaining ones and they should all die.

Killed role::graphite::base::hostname as well since that too is a misnomer (confusion about hiera vs ldap I think?).

yuvipanda added a comment. Edited Dec 15 2015, 10:15 PM

Killed the ircecho ldap stuff too. It's on the defunct icinga instance, and puppet had stopped caring about these for a while.

Killed the ocg stuff too, since it's not being used in puppet anymore.

Edited task description to match remaining ldap variables left. I've also removed the puppetmaster variable from the configure page so it can not be used easily anymore.

kibana_authrealm and logstash_irc_name are gone, unused.

Change 259412 had a related patch set uploaded (by Yuvipanda):
sentry: Stop using LDAP variables for hostname matching

https://gerrit.wikimedia.org/r/259412

Change 259412 merged by Yuvipanda:
sentry: Stop using LDAP variables for hostname matching

https://gerrit.wikimedia.org/r/259412

Change 259420 had a related patch set uploaded (by Yuvipanda):
ssh: Disallow optional X forwarding

https://gerrit.wikimedia.org/r/259420

Change 259420 merged by Yuvipanda:
ssh: Disallow optional X forwarding

https://gerrit.wikimedia.org/r/259420

yuvipanda removed yuvipanda as the assignee of this task. Mar 19 2016, 9:08 AM

Unlicking cookie!

(LDAP binds in the below are to bypass LDAP page size limits)

krenair@terbium:~$ ldapsearch -x -D "uid=novaadmin,ou=people,dc=wikimedia,dc=org" -w redacted objectClass=puppetClient | grep -o "puppetVar: .*=" | sort | uniq -c | sort -n
      1 puppetVar: deployment_server_override=
      1 puppetVar: hadoop_cluster_name=
      1 puppetVar: hadoop_journalnodes=
      1 puppetVar: hadoop_namenodes=
      1 puppetVar: role::puppet::self::master=
      2 puppetVar: node_dedicated_tool=
      2 puppetVar: restricted_from=
      2 puppetVar: sentry_server_name=
      5 puppetVar: lvm_mount_point=
      8 puppetVar: salt_master_finger_override=
      8 puppetVar: salt_master_override=
      9 puppetVar: restricted_to=
     12 puppetVar: labs_mediawiki_hostname=
     18 puppetVar: puppetmaster=
   7184 puppetVar: instancename=
   7184 puppetVar: instanceproject=

import ldap

ldap_conn = ldap.initialize('ldap://ldap-labs.eqiad.wikimedia.org:389')
ldap_conn.protocol_version = ldap.VERSION3
# Bind as novaadmin rather than anonymously to bypass the LDAP page size limit
ldap_conn.simple_bind_s("uid=novaadmin,ou=people,dc=wikimedia,dc=org", "redacted")

hosts = ldap_conn.search_s(
    "ou=hosts,dc=wikimedia,dc=org",
    ldap.SCOPE_SUBTREE,
    "objectClass=puppetClient",
    attrlist=['puppetVar', 'dc'],
)
for dn, attrs in hosts:
    dc, = attrs['dc']
    if 'puppetVar' not in attrs:
        # wtf is dc=basic.puppet.node,ou=hosts,dc=wikimedia,dc=org ?
        continue
    # Every instance carries instancename/instanceproject; skip those, and
    # split on the first '=' only so values containing '=' are kept intact
    puppetVars = dict(
        puppetVar.split('=', 1)
        for puppetVar in attrs['puppetVar']
        if not puppetVar.startswith('instance')
    )
    if puppetVars:
        print(dc + ": " + str(puppetVars))

results in:

tools-mail.tools.eqiad.wmflabs: {'restricted_to': 'tools.admin'}
tools-exec-cyberbot.tools.eqiad.wmflabs: {'node_dedicated_tool': 'cyberbot'}
tools-exec-gift.tools.eqiad.wmflabs: {'node_dedicated_tool': 'giftbot'}
mwui.editor-engagement.eqiad.wmflabs: {'labs_mediawiki_hostname': 'mwui'}
wikisource-dev.wikisource-dev.eqiad.wmflabs: {'labs_mediawiki_hostname': 'wikisource-dev.wmflabs.org'}
openid-wiki.openid.eqiad.wmflabs: {'labs_mediawiki_hostname': 'openid-wiki.instance-proxy.wmflabs.org'}
social-tools1.social-tools.eqiad.wmflabs: {'labs_mediawiki_hostname': 'social-tools'}
towtruck.visualeditor.eqiad.wmflabs: {'labs_mediawiki_hostname': 'togetherjs.wmflabs.org'}
ee-flow.editor-engagement.eqiad.wmflabs: {'labs_mediawiki_hostname': 'ee-flow.pmtpa.wmflabs'}
toro.editor-engagement.eqiad.wmflabs: {'labs_mediawiki_hostname': 'toro.wmflabs.org'}
piramido.editor-engagement.eqiad.wmflabs: {'labs_mediawiki_hostname': 'piramido.wmflabs.org'}
signwriting-ase-wiki.signwriting.eqiad.wmflabs: {'labs_mediawiki_hostname': 'http://ase.wikipedia.wmflabs.org'}
language-dev.language.eqiad.wmflabs: {'labs_mediawiki_hostname': 'LangDev'}
services-deploy.services.eqiad.wmflabs: {'salt_master_override': 'services-deploy', 'salt_master_finger_override': 'services-deploy', 'deployment_server_override': 'services-deploy'}
ttmserver-mediawiki01.ttmserver.eqiad.wmflabs: {'salt_master_override': 'ttmserver-salt01.eqiad.wmflabs', 'salt_master_finger_override': '42:bb:24:ad:a5:75:86:95:db:da:dd:33:c5:90:5d:3e'}
ttmserver-salt01.ttmserver.eqiad.wmflabs: {'salt_master_override': 'ttmserver-salt01.eqiad.wmflabs', 'salt_master_finger_override': '42:bb:24:ad:a5:75:86:95:db:da:dd:33:c5:90:5d:3e'}
ttmserver-elasticsearch01.ttmserver.eqiad.wmflabs: {'salt_master_override': 'ttmserver-salt01.eqiad.wmflabs', 'salt_master_finger_override': '42:bb:24:ad:a5:75:86:95:db:da:dd:33:c5:90:5d:3e'}
deployment-elastic05.deployment-prep.eqiad.wmflabs: {'lvm_mount_point': '/var/lib/elasticsearch'}
deployment-elastic06.deployment-prep.eqiad.wmflabs: {'lvm_mount_point': '/var/lib/elasticsearch'}
deployment-elastic07.deployment-prep.eqiad.wmflabs: {'lvm_mount_point': '/var/lib/elasticsearch'}
deployment-elastic08.deployment-prep.eqiad.wmflabs: {'lvm_mount_point': '/var/lib/elasticsearch'}
wikidataquality.wikidata-quality.eqiad.wmflabs: {'labs_mediawiki_hostname': 'wikidataquality.wmflabs.org'}
toolsbeta-mail.toolsbeta.eqiad.wmflabs: {'restricted_to': 'toolsbeta.admin'}
toolsbeta-master.toolsbeta.eqiad.wmflabs: {'restricted_to': 'toolsbeta.admin'}
shaved-yak.mediawiki-core-team.eqiad.wmflabs: {'puppetmaster': 'shaved-yak'}
etcd01.etcd.eqiad.wmflabs: {'puppetmaster': 'master'}
etcd03.etcd.eqiad.wmflabs: {'puppetmaster': 'master'}
master.etcd.eqiad.wmflabs: {'puppetmaster': 'master'}
confd-jessie.etcd.eqiad.wmflabs: {'puppetmaster': 'master'}
proofreadpage.wikisource-dev.eqiad.wmflabs: {'labs_mediawiki_hostname': 'wikisource-dev.wmflabs.org'}
deployment-logstash2.deployment-prep.eqiad.wmflabs: {'lvm_mount_point': '/var/lib/elasticsearch'}
confd-precise.etcd.eqiad.wmflabs: {'puppetmaster': 'master'}
bastion-01.bastion.eqiad.wmflabs: {'restricted_to': 'project-bastion', 'restricted_from': '(ops)'}
bastion-02.bastion.eqiad.wmflabs: {'restricted_to': 'project-bastion', 'restricted_from': '(ops)'}
bastion-restricted-01.bastion.eqiad.wmflabs: {'restricted_to': 'ops'}
bastion-restricted-02.bastion.eqiad.wmflabs: {'restricted_to': 'ops'}
fastcci-puppetmaster.fastcci.eqiad.wmflabs: {'puppetmaster': 'fastcci-puppetmaster'}
sentry-alpha.sentry.eqiad.wmflabs: {'sentry_server_name': 'sentry-alpha.wmflabs.org'}
sentry-01.sentry.eqiad.wmflabs: {'sentry_server_name': 'sentry-01.wmflabs.org'}
mdc-puppetmaster.mdc.eqiad.wmflabs: {'puppetmaster': 'mdc-puppetmaster'}
tools-grid-shadow.tools.eqiad.wmflabs: {'restricted_to': 'tools.admin'}
tools-grid-master.tools.eqiad.wmflabs: {'restricted_to': 'tools.admin'}
analytics303.analytics.eqiad.wmflabs: {'puppetmaster': 'analytics101', 'hadoop_namenodes': 'analytics300.analytics.eqiad.wmflabs,analytics302.analytics.eqiad.wmflabs', 'hadoop_cluster_name': 'analytics-labs-hadoop', 'hadoop_journalnodes': 'analytics300.analytics.eqiad.wmflabs,analytics302.analytics.eqiad.wmflabs,analytics303.analytics.eqiad.wmflabs'}
jessie.debdeploy.eqiad.wmflabs: {'salt_master_override': 'salzmeister.debdeploy.eqiad.wmflabs', 'salt_master_finger_override': '0b:c3:2d:5e:60:44:e4:7a:14:3b:e9:b9:07:1e:db:af'}
salzmeister.debdeploy.eqiad.wmflabs: {'salt_master_override': 'salzmeister.debdeploy.eqiad.wmflabs', 'salt_master_finger_override': '0b:c3:2d:5e:60:44:e4:7a:14:3b:e9:b9:07:1e:db:af'}
trusty.debdeploy.eqiad.wmflabs: {'salt_master_override': 'salzmeister.debdeploy.eqiad.wmflabs', 'salt_master_finger_override': '0b:c3:2d:5e:60:44:e4:7a:14:3b:e9:b9:07:1e:db:af'}
precise.debdeploy.eqiad.wmflabs: {'salt_master_override': 'salzmeister.debdeploy.eqiad.wmflabs', 'salt_master_finger_override': '0b:c3:2d:5e:60:44:e4:7a:14:3b:e9:b9:07:1e:db:af'}
kafka401.analytics.eqiad.wmflabs: {'puppetmaster': 'kafka401'}
kafka402.analytics.eqiad.wmflabs: {'puppetmaster': 'kafka401'}
kafka403.analytics.eqiad.wmflabs: {'puppetmaster': 'kafka401'}
druid101.analytics.eqiad.wmflabs: {'puppetmaster': 'druid101'}
druid103.analytics.eqiad.wmflabs: {'puppetmaster': 'druid101'}
druid102.analytics.eqiad.wmflabs: {'puppetmaster': 'druid101'}
cdh101.analytics.eqiad.wmflabs: {'puppetmaster': 'druid101'}
kafka501.analytics.eqiad.wmflabs: {'puppetmaster': 'kafka401'}
kafka601.analytics.eqiad.wmflabs: {'puppetmaster': 'kafka401'}
sonarqube.search.eqiad.wmflabs: {'role::puppet::self::master': 'localhost'}
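
The audit above, and steps 1 and 2 of the task description (find where each global is used, provide a hiera alternative), as an added example that is not Krenair's script nor code from Wikimedia's puppet repo: it runs offline against constructed entries shaped like python-ldap `search_s()` results, splits on the first `=` only, flags hosts whose ssh restrictions still come from LDAP globals, and emits a per-host hiera fragment. `SAMPLE_HOSTS` is constructed from values in this ticket, and `HIERA_KEYS` is an assumed mapping derived from the patch titles.

```python
import json

# Constructed sample shaped like python-ldap's search_s() result, (dn, attrs),
# for objectClass=puppetClient entries; values mirror the ticket's output.
SAMPLE_HOSTS = [
    ("dc=bastion-01.bastion.eqiad.wmflabs,ou=hosts,dc=wikimedia,dc=org",
     {"dc": ["bastion-01.bastion.eqiad.wmflabs"],
      "puppetVar": ["instancename=bastion-01", "instanceproject=bastion",
                    "restricted_to=project-bastion", "restricted_from=(ops)"]}),
    ("dc=deployment-elastic05.deployment-prep.eqiad.wmflabs,ou=hosts,dc=wikimedia,dc=org",
     {"dc": ["deployment-elastic05.deployment-prep.eqiad.wmflabs"],
      "puppetVar": ["instancename=deployment-elastic05",
                    "instanceproject=deployment-prep",
                    "lvm_mount_point=/var/lib/elasticsearch"]}),
    # An entry with no puppetVar at all, like dc=basic.puppet.node in the ticket.
    ("dc=basic.puppet.node,ou=hosts,dc=wikimedia,dc=org", {"dc": ["basic.puppet.node"]}),
]

# Globals that gate ssh access; audit these first, since they were settable via wikitech.
ACCESS_CONTROL_VARS = {"restricted_to", "restricted_from", "ssh_x11_forwarding"}

# Assumed hiera keys (automatic parameter lookup) for the class parameters the
# ticket's patches introduced; globals not listed here keep their old name.
HIERA_KEYS = {"lvm_mount_point": "role::labs::lvm::mnt::mount_point"}

def parse_puppet_vars(attrs):
    """puppetVar 'key=value' strings -> dict, skipping the instancename /
    instanceproject pair every host carries. Splits on the first '=' only."""
    out = {}
    for raw in attrs.get("puppetVar", []):
        if isinstance(raw, bytes):          # python-ldap 3.x returns bytes
            raw = raw.decode("utf-8")
        key, sep, value = raw.partition("=")
        if sep and not key.startswith("instance"):
            out[key] = value
    return out

def remaining_globals(entries):
    """{host dc: {global: value}} for hosts that still carry any global."""
    return {a["dc"][0]: v for _dn, a in entries if (v := parse_puppet_vars(a))}

def access_control_hosts(entries):
    """Hosts whose ssh restrictions are still sourced from LDAP globals."""
    return {dc: v for dc, v in remaining_globals(entries).items() if ACCESS_CONTROL_VARS & set(v)}

def hiera_fragment(dc, vars_):
    """Per-host hieradata replacing the LDAP globals (YAML-safe scalars via json.dumps)."""
    body = ["%s: %s" % (HIERA_KEYS.get(k, k), json.dumps(v)) for k, v in sorted(vars_.items())]
    return "\n".join(["# hieradata for %s, generated from LDAP puppetVar" % dc] + body) + "\n"
```

Point `remaining_globals` at a real `search_s()` result instead of `SAMPLE_HOSTS` and the output matches the per-host listing above, with `access_control_hosts` giving the bastion and tools hosts to migrate first.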

Andrew added a comment. Edited Sep 6 2016, 6:21 PM

Updated list of remaining globals:

  • deployment_server_override
  • labs_mediawiki_hostname
  • lvm_mount_point
  • node_dedicated_tool
  • puppetmaster
  • restricted_from
  • restricted_to
  • role::puppet::self::master
  • salt_master_finger_override
  • salt_master_override
  • sentry_server_name

Change 308820 had a related patch set uploaded (by Andrew Bogott):
role::labs::lvm::mnt: Allow mount_point to be set from hiera

https://gerrit.wikimedia.org/r/308820

Change 308812 had a related patch set uploaded (by Andrew Bogott):
mediawiki_singlenode: Move $::labs_mediawiki_hostname to a param

https://gerrit.wikimedia.org/r/308812

Change 308823 had a related patch set uploaded (by Andrew Bogott):
toollabs: Allow $::node_dedicated_tool to be set from hiera

https://gerrit.wikimedia.org/r/308823

Change 308826 had a related patch set uploaded (by Andrew Bogott):
ldap::role::client::labs: Allow restricted_from and _to from hiera

https://gerrit.wikimedia.org/r/308826

Change 308812 merged by Andrew Bogott:
mediawiki_singlenode: Move $::labs_mediawiki_hostname to a param

https://gerrit.wikimedia.org/r/308812

Change 308820 merged by Andrew Bogott:
role::labs::lvm::mnt: Allow mount_point to be set from hiera

https://gerrit.wikimedia.org/r/308820

Change 308823 merged by Andrew Bogott:
toollabs: Allow $::node_dedicated_tool to be set from hiera

https://gerrit.wikimedia.org/r/308823

Change 308826 merged by Andrew Bogott:
ldap::role::client::labs: Allow restricted_from and _to from hiera

https://gerrit.wikimedia.org/r/308826

All globals are now eliminated from ldap. Next is removing the gui from wikitech.

Change 308903 had a related patch set uploaded (by Alex Monk):
Kill references to $::instancename

https://gerrit.wikimedia.org/r/308903

Change 308908 had a related patch set uploaded (by Alex Monk):
Delete puppetvar stuff

https://gerrit.wikimedia.org/r/308908

Change 308908 merged by jenkins-bot:
Delete puppetvar stuff

https://gerrit.wikimedia.org/r/308908

Change 308903 merged by Andrew Bogott:
Kill references to $::instancename

https://gerrit.wikimedia.org/r/308903

Andrew closed this task as Resolved. Sep 7 2016, 2:33 PM
Andrew claimed this task.

Change 309215 had a related patch set uploaded (by Alex Monk):
Use ::hostname instead of ::instancename to fix compatibility with labs ENC

https://gerrit.wikimedia.org/r/309215

Change 309215 merged by Yuvipanda:
base: Use ::hostname instead of ::instancename

https://gerrit.wikimedia.org/r/309215