Page MenuHomePhabricator

Restore perf-roots access to xhgui (tungsten)
Closed, ResolvedPublic

Description

# test system for performance team (T117888)
node 'tungsten.eqiad.wmnet' {
    role(test::system, xhgui::app)
}

It seems there are no access rights applied to it, which presumably means it's root-only at the moment. Given it only runs xghui, and is explicitly intended for the Performance Team, should be uncontroversial.

Main purpose is for me to handle these tasks:

Details

Related Gerrit Patches:

Event Timeline

Krinkle created this task.Mar 23 2017, 9:49 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 23 2017, 9:49 PM

Change 344531 had a related patch set uploaded (by Krinkle):
[operations/puppet@production] Grant admin rights on tungsten to perf-roots

https://gerrit.wikimedia.org/r/344531

Dzahn added a subscriber: Dzahn.Mar 23 2017, 11:29 PM

Did tungsten have a different role before? Was that role::webperf? Because that still includes the perf-roots admin group but itself does not seem to be used.

role/common/webperf.yaml: - perf-roots

Can we base the access on a role, like xhgui::app? It's nicer than host name since access can move with the role.

Dzahn claimed this task.Mar 27 2017, 5:25 PM

@RobH @Krinkle @Muehlenhoff

Ok, so i researched the history of this a bit and this access got lost over time.

In https://gerrit.wikimedia.org/r/#/c/249966/5 you can see how we added the admin group perf-roots to the role graphite. That included an "approved in ops meeting" in the comments and all that.

That was in October 2015.

Back then tungsten was the graphite host (CNAME pointed to it: https://phabricator.wikimedia.org/rODNSaa65bd19dd70aab58e42599c820f9d4b207b439c).

Then in November 2015 we did T117888 ("tungsten was originally allocated for graphite, so it has the specs to be a time-series data storage backend. That makes it fit for being repurposed for InfluxDB.") which meant tungsten was reinstalled with just test system role, ultimately removing access for perf-roots. It did not affect ori since he had global root.

So this ticket is the result of all that. And adding "perf-roots" to role xhgui, which is currently used on tungsten should be considered a fix of existing root on tungsten rather than a new request. So it should not need the usual approvals etc.

Krinkle renamed this task from Grant perf-roots access to tungsten to Restore perf-roots access to xhgui (tungsten).Mar 27 2017, 11:28 PM
Krinkle moved this task from Inbox to Blocked or Needs-CR on the Performance-Team board.

Sound fine to me, I don't think this needs new meeting approval, since it was just a regression. But let's update the description: on the perf-roots group entry in data.yaml to reflect the status quo.

Change 344531 merged by Dzahn:
[operations/puppet@production] Add admin group perf-roots to role xhgui.

https://gerrit.wikimedia.org/r/344531

Change 345191 had a related patch set uploaded (by Dzahn):
[operations/puppet@production] admin: fix admin group for xhgui::app role, adjust description

https://gerrit.wikimedia.org/r/345191

Change 345191 merged by Dzahn:
[operations/puppet@production] admin: fix admin group for xhgui::app role, adjust description

https://gerrit.wikimedia.org/r/345191

Dzahn closed this task as Resolved.EditedMar 28 2017, 6:01 PM
Dzahn added a subscriber: Gilles.

Alright, thanks for your comments Moritz. Done and adjusted the group description as well.

@Krinkle @Gilles You have tungsten access (back) now.

[tungsten:~] $ id krinkle
uid=2008(krinkle) gid=500(wikidev) groups=500(wikidev),766(perf-roots)

[tungsten:~] $ id gilles
uid=4319(gilles) gid=500(wikidev) groups=500(wikidev),766(perf-roots)

[tungsten:~] $ sudo cat /etc/sudoers.d/perf-roots 
# This file is managed by Puppet!

%perf-roots ALL = (ALL) NOPASSWD: ALL