Page MenuHomePhabricator

Requesting access to deployment hosts (tin/terbium) for Brian Wolff
Closed, ResolvedPublic

Description

Full name: Brian Wolff
Labs username/wikitech username: Brian_Wolff
Preferred shell username: bawolff
SSH Public key:


Reason: Security patch deployment

Event Timeline

Restricted Application added a project: Operations. · View Herald TranscriptJun 24 2016, 11:06 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald Transcript

@Bawolff Please update the description with the information requested at https://wikitech.wikimedia.org/wiki/Requesting_shell_access, and after you have signed L3 (which I think you already have).

dpatrick changed Security from None to Access Request.Jun 24 2016, 11:07 PM

To deploy security patches he should get full access given by deployment rights, which includes all mw* servers etc.

To deploy security patches he should get full access given by deployment rights, which includes all mw* servers etc.

@Krenair, thanks. I was just about to update the ticket specifying just that.

For future reference, that is essentially what is meant by the second bullet point at https://wikitech.wikimedia.org/wiki/How_to_deploy_code#Deployment_requirements, correct?

"deployment access" means the ability to actually use the deployment commands on tin/mira to sync MW code (not just the ability to log in to those hosts), as well as the ability run stuff as MW on terbium and the app servers, and restart apache, HHVM, etc.

"deployment access" means the ability to actually use the deployment commands on tin/mira to sync MW code (not just the ability to log in to those hosts), as well as the ability run stuff as MW on terbium and the app servers, and restart apache, HHVM, etc.

Okay! Thanks for your help in clarifying!

Dzahn added a subscriber: Dzahn.Jun 27 2016, 10:56 AM

@Bawolff Please read and sign L3 and attach a (new) SSH public key to this ticket. Thank you!

Restricted Application removed a subscriber: Zppix. · View Herald TranscriptJun 27 2016, 10:56 AM
Dzahn changed the task status from Open to Stalled.Jun 29 2016, 9:14 PM
Dzahn assigned this task to Bawolff.
Bawolff updated the task description. (Show Details)Jul 3 2016, 6:15 PM
Bawolff updated the task description. (Show Details)Jul 3 2016, 6:19 PM
Bawolff changed the task status from Stalled to Open.Jul 5 2016, 5:48 PM

Ive signed L3 and filled out the description

Dzahn claimed this task.Jul 5 2016, 5:58 PM

Change 297456 had a related patch set uploaded (by Dzahn):
admin: create shell user for bawolff

https://gerrit.wikimedia.org/r/297456

Change 297457 had a related patch set uploaded (by Dzahn):
admin: add bawolff to deployers group

https://gerrit.wikimedia.org/r/297457

demon added a subscriber: demon.Jul 5 2016, 7:56 PM

Approved by Release-Engineering-Team for MW deploy access. Just needs ops review since it's sudo :)

FYI, we didn't have an ops meeting on Monday, this will be discussed on next weeks's meeting.

fgiunchedi triaged this task as Medium priority.Jul 11 2016, 10:34 AM

This was approved in the ops meeting

Change 297456 merged by Dzahn:
admin: create shell user for bawolff

https://gerrit.wikimedia.org/r/297456

Change 297457 merged by Dzahn:
admin: add bawolff to deployers group

https://gerrit.wikimedia.org/r/297457

Dzahn closed this task as Resolved.Jul 11 2016, 6:07 PM

on bast1001:

Notice: /Stage[main]/Admin/Admin::Hashuser[bawolff]/Admin::User[bawolff]/User[bawolff]/ensure: created
Notice: /Stage[main]/Admin/Admin::Hashuser[bawolff]/Admin::User[bawolff]/File[/home/bawolff]/ensure: created

on tin.eqiad.wmnet:

Notice: /Stage[main]/Admin/Admin::Hashuser[bawolff]/Admin::User[bawolff]/File[/home/bawolff]/ensure: created

on mira.codfw.wmnet:

Notice: /Stage[main]/Admin/Admin::Hashuser[bawolff]/Admin::User[bawolff]/Ssh::Userkey[bawolff]/File[/etc/ssh/userkeys/bawolff]/ensure: created

@Bawolff See above ^, your user (and key) has been created on bast1001 (and when puppet runs will also be on bast2001, bast3001 and bast4001). as well as on the deployment servers tin.eqiad.wmnet and mira.codfw.wmnet.

you can use any of the 4 bastions, probably you want the one closest to you (https://wikitech.wikimedia.org/wiki/Bastion)

please see this link https://wikitech.wikimedia.org/wiki/SSH_access for a config example to get your SSH client to connect via one of the bastion hosts to the deployment servers.

If any issues please let us know on IRC or simply reopen this ticket.

Mentioned in SAL [2016-07-11T18:08:29Z] <mutante> welcome new mediawiki deployer Brian Wolff (T138635)

Dzahn added a comment.Jul 11 2016, 6:18 PM

P.S.Yes, and the maintenance script hosts are included too. i checked your user exists there now.

in eqiad, terbium.eqiad.wmnet

in codfw, wasat.codfw.wmnet

Awesome. Thank you :)