
Get Dan Duvall TEMP root to labnodepool1001.eqiad.wmnet
Closed, Resolved (Public)

Description

I have no idea how I got access / root on labnodepool1001.eqiad.wmnet

@dduvall needs such an access as well.

Event Timeline

hashar raised the priority of this task from to Needs Triage.
hashar updated the task description.
hashar added subscribers: hashar, dduvall.
Restricted Application added a subscriber: Aklapper. Jun 11 2015, 3:54 PM
Dzahn set Security to None.
Restricted Application added a project: acl*sre-team. Jun 11 2015, 3:58 PM

hieradata/common/contint.yaml:nodepool_host: '10.64.20.18' # labnodepool1001.eqiad.wmnet

Seems to imply this is related to contint?

@Andrew: Are you aware of the context for this?

greg added a subscriber: greg. Jun 11 2015, 8:54 PM

This is for the Isolated CI project work. nodepool is part of the infrastructure for that.

greg added a comment. Jun 11 2015, 8:55 PM

If you need his manager's approval, you have mine. :)

hashar you got access to work out the contintnodepool case, but root was never intended to live on past this initial work https://phabricator.wikimedia.org/T95303. Is the request here root or shell or a determined list of sudo commands?

chasemp added a comment. Edited Jun 11 2015, 9:19 PM

For reference the design we have been working from places nodepool as a Cloud-Services managed resource that is offered to Release-Engineering-Team (or whoever) as it is more or less a part of labs and will need to be managed by the Cloud-Services team. To get things done (tm) we all agreed to get @hashar root so Operations wasn't blocking his initial configuration (which was grudgingly accepted as happening on this real physical host and not in a test scenario). But this is all temporary. The plan is once everything is puppetized we reimage with a sane permissions and user scheme before this sees the light of production :)

It seems the original changeset may have been over-permissioned to https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/hieradata/hosts/labnodepool1001.yaml already idk, but the root case has been a definite temporary one-off.

I created this task in a hurry following a 1/1 I had with @dduvall. Following the Release-Engineering-Team offsite we decided to work more closely together inside the team, and hence Dan is going to take the lead on CI isolation just like me :-}

So the root request for labnodepool1001.eqiad.wmnet is still in the context of setting up the proof of concept and the access should indeed be removed once we switch to the real production service. I have updated T95303: Remove hashar and dduvall root access on to be installed labnodepool1001 already so we remember to remove Dan's access as well.

I guess we will want to determine the fine sudo access we will end up needing. I have filed that as T102281.

sounds reasonable @hashar thanks

chasemp renamed this task from Get Dan Duvall access to labnodepool1001.eqiad.wmnet to Get Dan Duvall TEMP root to labnodepool1001.eqiad.wmnet. Jun 12 2015, 7:48 PM
Ottomata triaged this task as Medium priority. Jun 15 2015, 2:48 PM

We talked about this in last week's ops meeting. We are fine with Mr. Duvall in this context.

chasemp closed this task as Resolved. Jun 22 2015, 8:06 PM
chasemp claimed this task.

Restricted Application added a subscriber: Matanya. Jul 10 2015, 3:03 PM