Page MenuHomePhabricator
Create Task
Maniphest T120165

Implement role based hiera lookups for labs
Closed, DeclinedPublic
Actions

Description

Lots of messiness (such as the base::puppet vs puppet vs puppetmaster) one can not easily be fixed in labs due to the fact that prod has role based hiera lookups and labs does not. This needs to be fixed.

@hashar wrote on T136080:

Production has a lot of settings under hiera /hieradata/role/* which are not looked up on labs project. Found that while looking at:

Examples:

hieradata/role/common/mediawiki/appserver.yaml:17:nutcracker::verbosity: "4"
hieradata/role/common/cache/text.yaml:2:cache::cluster: text

The reason are the production vs labs hierarchy being different, the labs one does not have a role_hierarchy:

production

./modules/puppetmaster/files/production.hiera.yaml

:hierarchy:
  - "hosts/%{::hostname}"
  - "regex/%{::fqdn}"
  - "%{::site}/%{::realm}"
  - "%{::site}"
  - "private/%{::site}/%{::realm}"
  - "private/%{::site}"
  - "common"
  - "private/common"

:role_hierarchy:
  - "%{::site}"
  - "common"
  - "private/%{::site}"
  - "private/common"

labs

./modules/puppetmaster/files/labs.hiera.yaml

:hierarchy:
  - "labs/hosts/%{::hostname}"
  - "labs/%{::labsproject}/host/%{::hostname}"
  - "labs/%{::labsproject}/common"
  - "labs"
  - "secret/%{::labsproject}"
  - "private/%{::labsproject}"
  - common
  - "secret/common"
  - "private/common"

That apparently got introduced in May 2015 with 196fd9dbbaa7fb26305b94b53caa3dc6990efad0

Related Objects
Search...

Event Timeline

yuvipanda created this task.Dec 3 2015, 5:08 AM
yuvipanda raised the priority of this task from to High.
yuvipanda updated the task description. (Show Details)
yuvipanda added projects: Cloud-Services, SRE, Puppet.
yuvipanda added subscribers: yuvipanda, Joe.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 3 2015, 5:08 AM
yuvipanda raised the priority of this task from High to Needs Triage.Dec 3 2015, 8:29 AM
yuvipanda set Security to None.
Restricted Application added a subscriber: StudiesWorld. · View Herald TranscriptDec 3 2015, 8:29 AM
yuvipanda mentioned this in T120159: Phase out the 'puppet' module with fire, make self hosted puppetmasters use the puppetmaster module.Dec 3 2015, 10:15 AM
chasemp triaged this task as Medium priority.Dec 3 2015, 2:22 PM
mmodell subscribed.Apr 13 2016, 6:04 AM

Is this really difficult to do? I'm very interested in fixing this but not at all sure where to start.

mmodell awarded a token.Apr 13 2016, 6:05 AM
scfc mentioned this in T136222: Unmount unneeded NFS mounts from tool labs hosts.May 26 2016, 12:34 AM
scfc mentioned this in T136080: Hiera hierarchy hieradata/role/* is not applied on labs (eg deployment-prep).
Dzahn subscribed.May 26 2016, 12:40 AM

https://wikitech.wikimedia.org/wiki/Puppet_Hiera#Role-based_lookup

It's that "the new parser function/keyword, called role" is something that we (Joe) made ourself and doesn't come from upstream. The question is why that parser function isn't also in labs.

hashar updated the task description. (Show Details)May 26 2016, 10:38 AM
hashar merged a task: T136080: Hiera hierarchy hieradata/role/* is not applied on labs (eg deployment-prep).
hashar added a project: Beta-Cluster-Infrastructure.
hashar moved this task from To Triage to Externally Blocked on the Beta-Cluster-Infrastructure board.
hashar added subscribers: scfc, Zppix.
hashar subscribed.
Joe added a comment.May 26 2016, 10:44 AM

The role keyword is used in production to refer to large groups of hosts; we DEFINITELY don't want to have role lookups in labs for the same values we use in production; also, we can't use the "role" keyword in labs as it uses ldap for defining nodes and that function is thought for use at the node scope.

I am honestly unsure when and how this can be useful, and the examples I see cited are just cases in which people forgot to add hiera lookups for labs, which will happen with role-based lookups as well.

You can mimic easily this functionality by adding to the labs hiera something like

- role/%{::_role}

and then adding

$role = abcd

in the ldap definiton of a host.

But, honestly, what would this solve? Remember every new hiera lookup adds complexity where we'd like to reduce it

hashar added a parent task: T136077: deployment-cache-upload04/text04 Could not find data item cache::cluster in hiera no default supplied at /etc/puppet/modules/role/manifests/cache/base.pp:17.Jun 1 2016, 9:38 AM
yuvipanda added a comment.Jun 1 2016, 6:32 PM

What this would concretely solve (for me) is projects like tools, where now I have to manually set hiera config on each host of a particular type (/me looks at https://wikitech.wikimedia.org/wiki/Hiera:Tools/host/tools-k8s-etcd-01, https://wikitech.wikimedia.org/wiki/Hiera:Tools/host/tools-k8s-etcd-02, https://wikitech.wikimedia.org/wiki/Hiera:Tools/host/tools-k8s-etcd-03, etc - tons of these). Remember labs isn't just used to test production changes - some of us live here :)

yuvipanda added a comment.Jun 1 2016, 6:33 PM

We're also trying to kill all LDAP variables, see T101447

hashar mentioned this in T136078: On beta nutcracker::verbosity default to 5 while prod uses 4, fills disk with a lot of log spam.Jun 30 2016, 10:34 AM
hashar added a parent task: T136078: On beta nutcracker::verbosity default to 5 while prod uses 4, fills disk with a lot of log spam.
greg moved this task from Externally Blocked to Tag on the Beta-Cluster-Infrastructure board.Aug 5 2016, 8:57 PM
hashar added a parent task: T146627: Make deployment-prep puppetmaster more similar to Production puppetmaster.Sep 26 2016, 10:56 AM
yuvipanda added a comment.Sep 26 2016, 2:48 PM

I'm no longer convinced we have to do this. https://phabricator.wikimedia.org/T91990 should cover most of the things we want from this.

MZMcBride subscribed.Oct 3 2016, 4:47 AM
thcipriani mentioned this in T161675: Re-think puppet management for deployment-prep.Mar 29 2017, 5:36 PM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:45 PM
Krenair mentioned this in T173552: Puppet broken on deployment-pdf01.Aug 18 2017, 1:08 AM
hashar mentioned this in T180935: Various puppet issues in deployment-prep.Nov 20 2017, 9:38 AM
EddieGP closed this task as Declined.Apr 13 2018, 11:25 PM
EddieGP subscribed.

I agree with the previous comments. Horizons prefix functionality seems to cover about everything this was expected provide. Doing this would neither extinguish the fact that people have to remember setting hiera values for the cloud services, nor would it help to reduce the mess that cloud service hiera currently is. I'm thus boldly declining this.

hashar mentioned this in T232644: Check bandwidth limitation on integration-castor03.integration.eqiad.wmflabs / cloudvirt1002.Sep 19 2019, 6:15 PM
hashar mentioned this in T237033: Scap can't clear opcache on mw servers in Beta Cluster.Jan 11 2020, 9:44 PM
dcaro mentioned this in T280324: Puppet failing on deployment-logstash03.deployment-prep.eqiad.wmflabs.Apr 16 2021, 9:57 AM
jbond subscribed.Apr 16 2021, 10:24 AM
dancy mentioned this in T319681: Puppet failure on deploy-1004.devtools.eqiad1.wikimedia.cloud.Oct 6 2022, 3:24 PM
jbond mentioned this in T196034: Define scap::sources in a way that is shared between prod and beta.Aug 21 2023, 10:21 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits