Page MenuHomePhabricator
Create Task
Maniphest T102133

Get Dan Duvall TEMP root to labnodepool1001.eqiad.wmnet
Closed, ResolvedPublic
Actions

Description

I have no idea how I got access / root on labnodepool1001.eqiad.wmnet

@dduvall needs such an access as well.

Related Objects

Event Timeline

hashar created this task.Jun 11 2015, 3:54 PM
hashar raised the priority of this task from to Needs Triage.
hashar updated the task description. (Show Details)
hashar added a project: Continuous-Integration-Scaling.
hashar added subscribers: hashar, dduvall.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 11 2015, 3:54 PM
Dzahn added a project: SRE-Access-Requests.Jun 11 2015, 3:58 PM
Dzahn set Security to None.
Restricted Application added a project: acl*sre-team. · View Herald TranscriptJun 11 2015, 3:58 PM
Krenair subscribed.Jun 11 2015, 4:00 PM

hieradata/common/contint.yaml:nodepool_host: '10.64.20.18' # labnodepool1001.eqiad.wmnet

Seems to imply this is related to contint?

coren added subscribers: Andrew, coren.Jun 11 2015, 8:52 PM

@Andrew: Are you aware of the context for this?

greg subscribed.Jun 11 2015, 8:54 PM

This is for the Isolated CI project work. nodepool is part of the infrastucture for that.

greg added a comment.Jun 11 2015, 8:55 PM

If you need his manager's approval, you have mine. :)

chasemp subscribed.Jun 11 2015, 9:14 PM

hashar you got access to work out the contintnodepool case, but root was never intended to live on past this initial work https://phabricator.wikimedia.org/T95303. is the request here root or shell or a determined list of sudo commands?

chasemp added a comment.EditedJun 11 2015, 9:19 PM

For reference the design we have been working from places nodepool as a Cloud-Services managed resource that is offered to Release-Engineering-Team (or whoever) as it is more or less a part of labs and will need to be managed by the Cloud-Services team. To get things done (tm) we all agreed to get @hashar root so SRE wasn't blocking his initial configuration (which was grudgingly accepted as happening on this real physical host and not in a test scenario). But this is all temporary. The plan is once everything is puppetized we reimage with a sane permissions and user scheme before this sees the light of production :)

It seems the original changeset may have been over-permissioned to https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/hieradata/hosts/labnodepool1001.yaml already idk, but the root case has been a definite temporary one-off.

hashar mentioned this in T95303: Remove hashar and dduvall root access on to be installed labnodepool1001.Jun 12 2015, 7:41 PM
hashar added a comment.Jun 12 2015, 7:46 PM

I created this task in a hurry following a 1/1 I had with @dduvall. Following the Release-Engineering-Team offsite we decided to work more closely together inside the team, and hence Dan is going to take the lead on CI isolation just like me :-}

So the root request for labnodepool1001.eqiad.wmnet is still in the context of setting up the proof of concept and the access should indeed be removed once we switch to the real production service. I have updated T95303: Remove hashar and dduvall root access on to be installed labnodepool1001 already so we remember to remove Dan access as well.

I guess we will want to determine the fine sudo access we will end up needing. I have filled that as T102281.

chasemp added a comment.Jun 12 2015, 7:48 PM

sounds reasonable @hashar thanks

chasemp renamed this task from Get Dan Duvall access to labnodepool1001.eqiad.wmnet to Get Dan Duvall TEMP root to labnodepool1001.eqiad.wmnet.Jun 12 2015, 7:48 PM
Ottomata triaged this task as Medium priority.Jun 15 2015, 2:48 PM
chasemp added a comment.Jun 22 2015, 7:49 PM

We talked about this in last weeks ops meeting. We are fine with Mr. Duvall in this context.

chasemp closed this task as Resolved.Jun 22 2015, 8:06 PM
chasemp claimed this task.

dude (124×199 px, 16 KB)

chasemp added a comment.Jun 22 2015, 8:08 PM

https://gerrit.wikimedia.org/r/#/c/219959/

dduvall added a comment.Jun 22 2015, 8:42 PM

Thanks!

hashar moved this task from Backlog to Done on the Continuous-Integration-Scaling board.Jul 10 2015, 3:03 PM
Restricted Application added a subscriber: Matanya. · View Herald TranscriptJul 10 2015, 3:03 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL