Page MenuHomePhabricator

Get Dan Duvall TEMP root to labnodepool1001.eqiad.wmnet
Closed, ResolvedPublic


I have no idea how I got access / root on labnodepool1001.eqiad.wmnet

@dduvall needs such an access as well.

Event Timeline

hashar raised the priority of this task from to Needs Triage.
hashar updated the task description. (Show Details)
hashar added subscribers: hashar, dduvall.

hieradata/common/contint.yaml:nodepool_host: '' # labnodepool1001.eqiad.wmnet

Seems to imply this is related to contint?

@Andrew: Are you aware of the context for this?

This is for the Isolated CI project work. nodepool is part of the infrastucture for that.

If you need his manager's approval, you have mine. :)

hashar you got access to work out the contintnodepool case, but root was never intended to live on past this initial work is the request here root or shell or a determined list of sudo commands?

For reference the design we have been working from places nodepool as a Cloud-Services managed resource that is offered to Release-Engineering-Team (or whoever) as it is more or less a part of labs and will need to be managed by the Cloud-Services team. To get things done (tm) we all agreed to get @hashar root so SRE wasn't blocking his initial configuration (which was grudgingly accepted as happening on this real physical host and not in a test scenario). But this is all temporary. The plan is once everything is puppetized we reimage with a sane permissions and user scheme before this sees the light of production :)

It seems the original changeset may have been over-permissioned to already idk, but the root case has been a definite temporary one-off.

I created this task in a hurry following a 1/1 I had with @dduvall. Following the Release-Engineering-Team offsite we decided to work more closely together inside the team, and hence Dan is going to take the lead on CI isolation just like me :-}

So the root request for labnodepool1001.eqiad.wmnet is still in the context of setting up the proof of concept and the access should indeed be removed once we switch to the real production service. I have updated T95303: Remove hashar and dduvall root access on to be installed labnodepool1001 already so we remember to remove Dan access as well.

I guess we will want to determine the fine sudo access we will end up needing. I have filled that as T102281.

chasemp renamed this task from Get Dan Duvall access to labnodepool1001.eqiad.wmnet to Get Dan Duvall TEMP root to labnodepool1001.eqiad.wmnet.Jun 12 2015, 7:48 PM
Ottomata triaged this task as Medium priority.Jun 15 2015, 2:48 PM

We talked about this in last weeks ops meeting. We are fine with Mr. Duvall in this context.