Page MenuHomePhabricator
Create Task
Maniphest T110794

SCAP fails with Permission denied (publickey)
Closed, ResolvedPublic
Actions

Description

(Not an unbreak now because the code to be deployed is not critical)

While deploying a change for mysql configuration due to a hardware failure (T103230), all proxys and nodes failed to sync:

root@tin:/srv/mediawiki-staging$ sync-file wmf-config/db-eqiad.php "Depool db1028, return ES servers back from maintenance"
...
09:28:41 ['/srv/deployment/scap/scap/bin/sync-common', '--no-update-l10n', '--include', 'wmf-config', '--include', 'wmf-config/db-eqiad.php', 'mw1010.eqiad.wmnet', 'mw1033.eqiad.wmnet', 'mw1070.eqiad.wmnet', 'mw1097.eqiad.wmnet', 'mw1216.eqiad.wmnet', 'mw1161.eqiad.wmnet', 'mw1201.eqiad.wmnet', 'mw2001.codfw.wmnet', 'mw2041.codfw.wmnet', 'mw2080.codfw.wmnet', 'mw2119.codfw.wmnet', 'mw2187.codfw.wmnet'] on mw2136.codfw.wmnet returned [255]: Permission denied (publickey).

sync-common: 100% (ok: 0; fail: 466; left: 0)                                   
09:28:41 466 apaches had sync errors
09:28:41 Finished sync-apaches (duration: 00m 03s)
09:28:41 Synchronized wmf-config/db-eqiad.php: Depool db1028, return ES servers back from maintenance (duration: 00m 03s)

This was a hardware maintenance deployment, and I can live without it because mediawiki detects it and depools automatically, but it would be an unbreak now in other cases.

I remember bblack talking about deployment key changes, probably related.
Related: T110791 T110793

Details

SubjectRepoBranchLines +/-
ssh-agent-proxy: break out of select loop once client is doneoperations/puppetproduction+7 -13
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedjcrespoT103230 Disk issue on db1028
 ResolvedoriT110794 SCAP fails with Permission denied (publickey)

Event Timeline

jcrespo created this task.Aug 29 2015, 9:47 AM
jcrespo raised the priority of this task from to High.
jcrespo updated the task description. (Show Details)
jcrespo subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 29 2015, 9:47 AM
jcrespo added projects: Release-Engineering-Team, Deployments.Aug 29 2015, 9:47 AM
jcrespo set Security to None.
jcrespo added a parent task: T103230: Disk issue on db1028.Aug 29 2015, 9:50 AM
Krenair added a project: acl*sre-team.Aug 29 2015, 2:02 PM
Krenair subscribed.
Restricted Application added a subscriber: Matanya. · View Herald TranscriptAug 29 2015, 2:02 PM
Krenair added a subscriber: ori.Aug 29 2015, 2:03 PM

Keyholder issue?

krenair@tin:~$ SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh mwdeploy@mw2001
Permission denied (publickey).
Krenair added a comment.Aug 29 2015, 2:04 PM

(Works fine from mira.)

Krenair added a comment.Aug 29 2015, 2:15 PM

Yeah, icinga has been showing this for tin's keyholder service for the past 14 hours: CRITICAL: Keyholder is not armed. Run 'keyholder arm' to arm it.
Needs ops to fix

hashar subscribed.Aug 31 2015, 8:04 AM

Seems a root has to arm it with:

sudo -u keyholder env SSH_AUTH_SOCK=/run/keyholder/agent.sock ssh-add /etc/keyholder.d/mwdeploy_rsa
jcrespo added a comment.Aug 31 2015, 8:16 AM

If that is true, it should be documented at https://wikitech.wikimedia.org/wiki/Heterogeneous_deployment#In_your_own_repo_via_gerrit and https://wikitech.wikimedia.org/wiki/How_to_deploy_code#Deployment_requirements (even if it is considered common knowledge).

gerritbot subscribed.Aug 31 2015, 8:18 AM

Change 234955 had a related patch set uploaded (by Ori.livneh):
ssh-agent-proxy: break out of select loop once client is done

https://gerrit.wikimedia.org/r/234955

gerritbot added a project: Patch-For-Review.Aug 31 2015, 8:18 AM

Change 234955 merged by Ori.livneh:
ssh-agent-proxy: break out of select loop once client is done

https://gerrit.wikimedia.org/r/234955

ori mentioned this in rOPUP5ed040e06eb6: ssh-agent-proxy: break out of select loop once client is done.Aug 31 2015, 8:20 AM
ori closed this task as Resolved.Aug 31 2015, 8:23 AM
ori claimed this task.

@jcrespo, I'll update the docs.

Reedy mentioned this in T111062: Scap should abort early when Keyholder is not armed.Sep 1 2015, 3:25 PM
greg moved this task from INBOX to Done on the Release-Engineering-Team board.Sep 8 2015, 8:44 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL