Page MenuHomePhabricator
Create Task
Maniphest T152059

role::puppetmaster::standalone clones Git repositories as gitpuppet, git-sync-upstream overwrites them as root
Open, Needs TriagePublic
Actions

Description

On a fresh instance with role::puppetmaster::standalone applied (no class parameters), /var/lib/git/labs/private is initially owned by gitpuppet:root and /var/lib/git/operations/puppet by gitpuppet:gitpuppet. Subsequently, git-sync-upstream runs every 10 minutes as root and will overwrite some/create new files with each update. This is confusing and could cause subtle bugs.

IMHO changing the initial clone to be owned by root is preferable because if an admin as root messes around with the Git repositories and git-sync-upstream would run as gitpuppet, it could stop working due to permissions.

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+2 -0puppetmaster: Clone repositories in Labs as root
Customize query in gerrit

Related Objects

Event Timeline

scfc created this task.Dec 1 2016, 12:35 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 1 2016, 12:35 AM
scfc mentioned this in T152095: On standalone puppetmasters labstore files in /usr/local/sbin get group 998 (gitpuppet).Dec 1 2016, 1:42 PM
gerritbot added a subscriber: gerritbot.Dec 1 2016, 2:56 PM

Change 324727 had a related patch set uploaded (by Tim Landscheidt):
puppetmaster: Clone repositories in Labs as root

https://gerrit.wikimedia.org/r/324727

gerritbot added a project: Patch-For-Review.Dec 1 2016, 2:56 PM
scfc claimed this task.Dec 1 2016, 2:58 PM
Aklapper added a project: Toolforge.Mar 21 2020, 8:53 PM
Aklapper added subscribers: Phamhi, aborrero.

In the meantime,

In theory, the two added lines in https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/324727/ could still be applied in line 58.
Would be nice to get input / a decision here.

Aklapper removed scfc as the assignee of this task.Jun 1 2020, 8:12 AM

Assignee has not been active since 2018 hence resetting task assignee.

Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 8:59 PM
taavi mentioned this in T325128: git: detected dubious ownership in repository at '/srv/mediawiki-staging'.Dec 14 2022, 6:08 PM
aborrero mentioned this in T325280: cloud puppetmasters fail to run git-sync-upstream.Dec 15 2022, 12:19 PM
taavi edited projects, added Cloud-VPS; removed Toolforge.Feb 11 2023, 10:22 PM
taavi merged a task: T184259: labspuppetmaster1001: have consistency in owner of git repos.Feb 12 2023, 5:18 PM
taavi added a subscriber: elukey.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL