Page MenuHomePhabricator
Create Task
Maniphest T138635

Requesting access to deployment hosts (tin/terbium) for Brian Wolff
Closed, ResolvedPublic
Actions

Description

Full name: Brian Wolff
Labs username/wikitech username: Brian_Wolff
Preferred shell username: bawolff
SSH Public key:

Bawolff public key739 BDownload

Reason: Security patch deployment

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
admin: add bawolff to deployers groupoperations/puppetproduction+1 -1
admin: create shell user for bawolffoperations/puppetproduction+9 -0
Customize query in gerrit

Related Objects

Event Timeline

dpatrick created this task.Jun 24 2016, 11:06 PM
Restricted Application added a project: SRE. · View Herald TranscriptJun 24 2016, 11:06 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald Transcript
dpatrick added a comment.Jun 24 2016, 11:07 PM

@Bawolff Please update the description with the information requested at https://wikitech.wikimedia.org/wiki/Requesting_shell_access, and after you have signed L3 (which I think you already have).

dpatrick changed Security from None to Access Request.Jun 24 2016, 11:07 PM
Krenair subscribed.Jun 24 2016, 11:08 PM

To deploy security patches he should get full access given by deployment rights, which includes all mw* servers etc.

dpatrick added a comment.Jun 24 2016, 11:13 PM
In T138635#2405986, @Krenair wrote:

To deploy security patches he should get full access given by deployment rights, which includes all mw* servers etc.

@Krenair, thanks. I was just about to update the ticket specifying just that.

For future reference, that is essentially what is meant by the second bullet point at https://wikitech.wikimedia.org/wiki/How_to_deploy_code#Deployment_requirements, correct?

Krenair added a comment.Jun 24 2016, 11:16 PM

"deployment access" means the ability to actually use the deployment commands on tin/mira to sync MW code (not just the ability to log in to those hosts), as well as the ability run stuff as MW on terbium and the app servers, and restart apache, HHVM, etc.

dpatrick added a comment.Jun 24 2016, 11:17 PM
In T138635#2406022, @Krenair wrote:

"deployment access" means the ability to actually use the deployment commands on tin/mira to sync MW code (not just the ability to log in to those hosts), as well as the ability run stuff as MW on terbium and the app servers, and restart apache, HHVM, etc.

Okay! Thanks for your help in clarifying!

Dzahn subscribed.Jun 27 2016, 10:56 AM

@Bawolff Please read and sign L3 and attach a (new) SSH public key to this ticket. Thank you!

Restricted Application removed a subscriber: Zppix. · View Herald TranscriptJun 27 2016, 10:56 AM
Dzahn changed the task status from Open to Stalled.Jun 29 2016, 9:14 PM
Dzahn assigned this task to Bawolff.
Bawolff updated the task description. (Show Details)Jul 3 2016, 6:15 PM
Bawolff updated the task description. (Show Details)Jul 3 2016, 6:19 PM
Bawolff changed the task status from Stalled to Open.Jul 5 2016, 5:48 PM

Ive signed L3 and filled out the description

Dzahn claimed this task.Jul 5 2016, 5:58 PM
gerritbot subscribed.Jul 5 2016, 6:51 PM

Change 297456 had a related patch set uploaded (by Dzahn):
admin: create shell user for bawolff

https://gerrit.wikimedia.org/r/297456

gerritbot added a project: Patch-For-Review.Jul 5 2016, 6:51 PM
gerritbot added a comment.Jul 5 2016, 6:55 PM

Change 297457 had a related patch set uploaded (by Dzahn):
admin: add bawolff to deployers group

https://gerrit.wikimedia.org/r/297457

Dzahn mentioned this in rOPUP75d7a78cad6a: admin: create shell user for bawolff.Jul 5 2016, 6:57 PM
Dzahn mentioned this in rOPUPe7eb41986b40: admin: add bawolff to deployers group.
demon subscribed.Jul 5 2016, 7:56 PM

Approved by Release-Engineering-Team for MW deploy access. Just needs ops review since it's sudo :)

MoritzMuehlenhoff subscribed.Jul 6 2016, 9:05 AM

FYI, we didn't have an ops meeting on Monday, this will be discussed on next weeks's meeting.

fgiunchedi triaged this task as Medium priority.Jul 11 2016, 10:34 AM
MoritzMuehlenhoff added a comment.Jul 11 2016, 4:54 PM

This was approved in the ops meeting

gerritbot added a comment.Jul 11 2016, 5:46 PM

Change 297456 merged by Dzahn:
admin: create shell user for bawolff

https://gerrit.wikimedia.org/r/297456

Dzahn mentioned this in rOPUP9d9d4564f5cd: admin: create shell user for bawolff.Jul 11 2016, 5:46 PM
Dzahn mentioned this in rOPUP7713ee1ed217: admin: create shell user for bawolff.
Dzahn mentioned this in rOPUP42a1d0dc3fa6: admin: add bawolff to deployers group.Jul 11 2016, 5:50 PM
gerritbot added a comment.Jul 11 2016, 5:50 PM

Change 297457 merged by Dzahn:
admin: add bawolff to deployers group

https://gerrit.wikimedia.org/r/297457

Dzahn mentioned this in rOPUP2f9d8e8144ba: admin: add bawolff to deployers group.Jul 11 2016, 5:50 PM
Dzahn closed this task as Resolved.Jul 11 2016, 6:07 PM

on bast1001:

Notice: /Stage[main]/Admin/Admin::Hashuser[bawolff]/Admin::User[bawolff]/User[bawolff]/ensure: created
Notice: /Stage[main]/Admin/Admin::Hashuser[bawolff]/Admin::User[bawolff]/File[/home/bawolff]/ensure: created

on tin.eqiad.wmnet:

Notice: /Stage[main]/Admin/Admin::Hashuser[bawolff]/Admin::User[bawolff]/File[/home/bawolff]/ensure: created

on mira.codfw.wmnet:

Notice: /Stage[main]/Admin/Admin::Hashuser[bawolff]/Admin::User[bawolff]/Ssh::Userkey[bawolff]/File[/etc/ssh/userkeys/bawolff]/ensure: created

@Bawolff See above ^, your user (and key) has been created on bast1001 (and when puppet runs will also be on bast2001, bast3001 and bast4001). as well as on the deployment servers tin.eqiad.wmnet and mira.codfw.wmnet.

you can use any of the 4 bastions, probably you want the one closest to you (https://wikitech.wikimedia.org/wiki/Bastion)

please see this link https://wikitech.wikimedia.org/wiki/SSH_access for a config example to get your SSH client to connect via one of the bastion hosts to the deployment servers.

If any issues please let us know on IRC or simply reopen this ticket.

Dzahn removed a project: Patch-For-Review.Jul 11 2016, 6:07 PM
Stashbot subscribed.Jul 11 2016, 6:08 PM

Mentioned in SAL [2016-07-11T18:08:29Z] <mutante> welcome new mediawiki deployer Brian Wolff (T138635)

Dzahn added a comment.Jul 11 2016, 6:18 PM

P.S.Yes, and the maintenance script hosts are included too. i checked your user exists there now.

in eqiad, terbium.eqiad.wmnet

in codfw, wasat.codfw.wmnet

Bawolff added a comment.Jul 11 2016, 7:55 PM

Awesome. Thank you :)

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits