Page MenuHomePhabricator
Create Task
Maniphest T158968

'prometheus' service user vs. actual human account 'prometheus'
Closed, ResolvedPublic
Actions

Description

The Prometheus monitoring packages use a service user name 'Prometheus'. But, on labs we already have a user by that name.

That produced some conflicts during package installation, which is probably not a huge deal. On the other hand, the fact that someone can log in as a service/monitoring user is probably not great.

It's not their fault, of course, since their account predates our use of Prometheus software.

Related Objects
Search...

Event Timeline

Andrew created this task.Feb 24 2017, 4:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 24 2017, 4:05 PM
Andrew added a comment.Feb 24 2017, 4:11 PM

I've emailed prometheus (the user) to see if I can just delete their account. If the answer is 'no' then I'm not sure how to proceed.

scfc subscribed.Feb 24 2017, 4:47 PM

I think renaming the shell account name should be enough; deleting should not be necessary.

zhuyifei1999 subscribed.Feb 24 2017, 4:47 PM
scfc created subtask T158971: Add "prometheus" to https://wikitech.wikimedia.org/wiki/MediaWiki:Titleblacklist.Feb 24 2017, 4:49 PM
Ricordisamoa subscribed.Feb 25 2017, 12:06 AM

Quite ironic for an unforeseen conflict to concern a name meaning "forethought", isn't it?

tom29739 subscribed.Feb 26 2017, 2:22 PM
bd808 closed subtask T158971: Add "prometheus" to https://wikitech.wikimedia.org/wiki/MediaWiki:Titleblacklist as Resolved.Mar 26 2017, 11:01 PM
bd808 closed this task as Resolved.Jul 13 2017, 7:46 PM
bd808 claimed this task.
bd808 added projects: LDAP, cloud-services-team (Kanban).
bd808 subscribed.

I rediscovered this problem while working on T170178: Update wikitech Titleblacklist. My first change was T170178#3436416 where I just changed the uid for the account. That turned out to be problematic because the missing prometheus LDAP account broke Puppet runs where it is used. Looking deeper I found that we actually have files owned by the numeric uid as well. Here's what I came up with as the fix:

  • rename prometheus to jberkley
  • change home dir and numeric uid for jberkley
  • add a new prometheus user with the old numeric uid
dn: uid=prometheus,ou=people,dc=wikimedia,dc=org
changetype: add
objectClass: inetorgperson
objectClass: posixAccount
uidNumber: 14736
gidNumber: 500
homeDirectory: /var/lib/prometheus
loginShell: /bin/false
uid: prometheus
cn: Prometheus daemon
sn: Prometheus daemon
description: Hack to clean up T170178
Restricted Application added a project: User-bd808. · View Herald TranscriptJul 13 2017, 7:46 PM
bd808 moved this task from Inbox to Done on the cloud-services-team (Kanban) board.Jul 13 2017, 8:12 PM
bd808 mentioned this in T170774: Cannot create account on Wikitech wiki.Jul 16 2017, 11:06 PM
bd808 mentioned this in T179386: Prometheus crontab installations via Puppet failing on Toolforge bastion hosts due to remote crontab wrapper script.Jan 23 2018, 12:48 AM
zhuyifei1999 mentioned this in T196137: toolforge: prometheus issue is filling up email queue.Jun 5 2018, 10:26 AM
fgiunchedi mentioned this in T167245: prometheus-node-exporter - invalid group: ‘prometheus:prometheus'.Jan 15 2019, 1:36 PM
fgiunchedi mentioned this in T168509: Upgrade of prometheus-node-exporter complains with: chown: invalid group: ‘prometheus:prometheus’.
bd808 moved this task from To Do to Done on the User-bd808 board.Jul 15 2020, 9:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL