Page MenuHomePhabricator
Create Task
Maniphest T106477

Reduce rpcbind use
Closed, ResolvedPublic
Actions

Description

We have rpcbind needlessly installed/running on half the fleet.

It gets pulled in as a "Recommends:" of nagios-plugins-standard for the check_rpc Nagios plugin, but that plugin is only used on dataset1001 and maybe a few other hosts. We should trim that down.

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+1 -23Drop cache/LVS NFS override
operations/puppetproduction+5 -1Strip nfs-common/rpcbind during jessie base installation
operations/puppetproduction+2 -0labstore: Explicitly declare package dependencies for nfs-common and rpcbind
Customize query in gerrit

Related Objects

Event Timeline

MoritzMuehlenhoff created this task.Jul 22 2015, 7:03 AM
MoritzMuehlenhoff raised the priority of this task from to Low.
MoritzMuehlenhoff updated the task description. (Show Details)
MoritzMuehlenhoff added a project: acl*sre-team.
MoritzMuehlenhoff added a subscriber: MoritzMuehlenhoff.
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptJul 22 2015, 7:03 AM
Dzahn awarded a token.Aug 22 2015, 1:15 AM
Dzahn added a subscriber: Dzahn.
MoritzMuehlenhoff claimed this task.Sep 24 2015, 12:26 PM
MoritzMuehlenhoff set Security to None.
MoritzMuehlenhoff added a comment.Jan 15 2016, 10:27 AM

A similar issue exists with smbclient: nagios-plugins-standard recommends it, which in turn pulls in a lot of Samba-related libraries. Since we neither use CIFS shares nor any Windows systems, I doubt it is used at all.

MoritzMuehlenhoff added a comment.May 4 2017, 5:03 PM

nfs-common and rpcbind get installed during the initial d-i base installation. At this point our apt config to not install recommended packages is not yet in place (and I've also found no preseed option to configure that). IIRC d-i also uses anna and not apt, so maybe it's not even supported.

I think the cleanest solution would be to remove nfs-common and rpcbind in late-command.sh and fix our puppet code to explicitly install the packages where they're actually needed (dumps/NFS and labstore). And remove them from the rest.

Although rpcbind is normally blocked by ferm, it's better to not even have it installed from the start. Also e.g. lvs and cp* already have a hack in place (base::no_nfs_client), which would then be obsolete as well.

fgiunchedi added a subscriber: fgiunchedi.May 5 2017, 8:21 AM
In T106477#3236038, @MoritzMuehlenhoff wrote:

nfs-common and rpcbind get installed during the initial d-i base installation. At this point our apt config to not install recommended packages is not yet in place (and I've also found no preseed option to configure that). IIRC d-i also uses anna and not apt, so maybe it's not even supported.

I think the cleanest solution would be to remove nfs-common and rpcbind in late-command.sh and fix our puppet code to explicitly install the packages where they're actually needed (dumps/NFS and labstore). And remove them from the rest.

Sounds good to me!

fgiunchedi awarded a token.May 5 2017, 8:21 AM
gerritbot added a subscriber: gerritbot.May 5 2017, 9:36 AM

Change 352097 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] labstore: Explicitly declare package dependencies for nfs-common and rpcbind

https://gerrit.wikimedia.org/r/352097

gerritbot added a project: Patch-For-Review.May 5 2017, 9:36 AM
gerritbot added a comment.May 5 2017, 10:44 AM

Change 352105 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Strip nfs-common/rpcbind during jessie base installation

https://gerrit.wikimedia.org/r/352105

MoritzMuehlenhoff added a comment.May 5 2017, 1:10 PM

I doublechecked production hosts:

Hosts which have an /etc/exports:

dataset1001.wikimedia.org
labstore1003.eqiad.wmnet
labstore1004.eqiad.wmnet
labstore1005.eqiad.wmnet
ms1001.wikimedia.org

Hosts which have an NFS mount in their mtab:

dataset1001.wikimedia.org
labstore1003.eqiad.wmnet
labstore1005.eqiad.wmnet
ms1001.wikimedia.org
snapshot1001.eqiad.wmnet
snapshot1005.eqiad.wmnet
snapshot1006.eqiad.wmnet
snapshot1007.eqiad.wmnet
stat1002.eqiad.wmnet
stat1003.eqiad.wmnet

gerritbot added a comment.May 5 2017, 1:34 PM

Change 352097 merged by Rush:
[operations/puppet@production] labstore: Explicitly declare package dependencies for nfs-common and rpcbind

https://gerrit.wikimedia.org/r/352097

gerritbot added a comment.May 8 2017, 6:41 AM

Change 352105 merged by Muehlenhoff:
[operations/puppet@production] Strip nfs-common/rpcbind during jessie base installation

https://gerrit.wikimedia.org/r/352105

gerritbot added a comment.May 9 2017, 6:21 AM

Change 352748 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Drop cache/LVS NFS override

https://gerrit.wikimedia.org/r/352748

Stashbot added a subscriber: Stashbot.May 9 2017, 7:34 AM

Mentioned in SAL (#wikimedia-operations) [2017-05-09T07:34:54Z] <moritzm> removing unneeded rpcbind/nfs-common packages (T106477)

gerritbot added a comment.May 12 2017, 6:38 AM

Change 352748 merged by Muehlenhoff:
[operations/puppet@production] Drop cache/LVS NFS override

https://gerrit.wikimedia.org/r/352748

MoritzMuehlenhoff closed this task as Resolved.May 15 2017, 9:03 AM

rpcbind and nfs-common have been removed from all jessie hosts except those which actually use NFS. In addition our base d-i jessie installation strips nfs-common and rpcbind during base install.

MoritzMuehlenhoff mentioned this in T107412: Jessie imaging installs nfs-common needlessly.Jul 5 2017, 12:38 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL