Page MenuHomePhabricator
Create Task
Maniphest T162123

Refactor swift credentials to be global rather than per-site
Closed, ResolvedPublic
Actions

Description

swiftrepl is now running puppetized and running in eqiad as a timer once a week per site.

Left to do is shipping swiftrepl.conf from puppet, which requires being able to access all sites credentials, which in turn requires a refactor in swift's puppetization to have credentials from all sites in the same place. Unless we can look up other sites' hiera, in which case less refactorization will be needed.

Details

SubjectRepoBranchLines +/-
hiera: remove swift accounts_keyslabs/privatemaster+0 -31
swift: move accounts_keys to common hiera global_account_keysoperations/puppetproduction+18 -7
hiera: move swift credentials into commonlabs/privatemaster+28 -28
swift: use systemd::timer::job for swiftreploperations/puppetproduction+6 -18
swift: use systemd::unit for swiftrepl-mwoperations/puppetproduction+1 -1
swiftrepl: ensure system user and service runs as 'swiftrepl'operations/puppetproduction+2 -0
swift: use resurce for swiftrepl tidyoperations/puppetproduction+1 -0
site: turn on swiftrepl on swift frontendsoperations/puppetproduction+2 -0
swift: add swiftreploperations/puppetproduction+184 -0
swift: open per-port object server portsoperations/puppetproduction+19 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Volans created this task.Apr 4 2017, 9:29 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 4 2017, 9:29 AM
fgiunchedi added a project: User-fgiunchedi.Apr 12 2017, 8:30 AM
fgiunchedi added a parent task: T162792: Reduce Swift technical debt.May 15 2017, 4:24 PM
fgiunchedi mentioned this in T161717: Point swiftrepl to swift HTTPS.Jul 6 2017, 11:47 AM
Dzahn added a parent task: T165348: Check long-running screen/tmux sessions.Sep 13 2017, 7:16 PM
Volans mentioned this in T165348: Check long-running screen/tmux sessions.Sep 28 2017, 8:28 AM
Dzahn subscribed.Sep 21 2018, 12:43 AM

Afaict we are not going to have to rely on swiftrepl anymore soon. Is that right? In that case, would this ticket be declined?

fgiunchedi added a comment.Sep 21 2018, 9:08 AM

That's correct, let's leave it open until T204245: Run MediaWiki media originals active/active is fixed

Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 9:10 PM
CDanis mentioned this in T231110: bring swiftrepl back to life.Aug 23 2019, 6:26 PM
gerritbot added a comment.Sep 13 2019, 1:01 PM

Change 536586 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] WIP swift: add swiftrepl

https://gerrit.wikimedia.org/r/536586

gerritbot added a project: Patch-For-Review.Sep 13 2019, 1:01 PM
gerritbot added a comment.Sep 27 2019, 1:47 PM

Change 539535 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] swift: open per-port object server ports

https://gerrit.wikimedia.org/r/539535

gerritbot added a comment.Oct 1 2019, 6:26 PM

Change 539535 merged by Filippo Giunchedi:
[operations/puppet@production] swift: open per-port object server ports

https://gerrit.wikimedia.org/r/539535

fgiunchedi added a comment.Oct 1 2019, 6:33 PM
In T162123#5538678, @gerritbot wrote:

Change 539535 merged by Filippo Giunchedi:
[operations/puppet@production] swift: open per-port object server ports

https://gerrit.wikimedia.org/r/539535

Punched in the wrong task, this change was meant for T222366: Test swift object server deployment with one disk per tcp port

gerritbot added a comment.Oct 8 2019, 10:10 PM

Change 537613 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] site: turn on swiftrepl on swift frontends

https://gerrit.wikimedia.org/r/537613

gerritbot added a comment.Oct 17 2019, 3:18 PM

Change 536586 merged by Filippo Giunchedi:
[operations/puppet@production] swift: add swiftrepl

https://gerrit.wikimedia.org/r/536586

gerritbot added a comment.Oct 21 2019, 9:39 AM

Change 537613 merged by Filippo Giunchedi:
[operations/puppet@production] site: turn on swiftrepl on swift frontends

https://gerrit.wikimedia.org/r/537613

gerritbot added a comment.Oct 21 2019, 9:52 AM

Change 544845 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] swift: use resurce for swiftrepl tidy

https://gerrit.wikimedia.org/r/544845

gerritbot added a comment.Oct 21 2019, 10:05 AM

Change 544845 merged by Filippo Giunchedi:
[operations/puppet@production] swift: use resurce for swiftrepl tidy

https://gerrit.wikimedia.org/r/544845

Maintenance_bot removed a project: Patch-For-Review.Oct 21 2019, 10:10 AM
gerritbot added a comment.Oct 21 2019, 10:59 AM

Change 544863 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] swiftrepl: ensure system user and service runs as 'swiftrepl'

https://gerrit.wikimedia.org/r/544863

gerritbot added a project: Patch-For-Review.Oct 21 2019, 10:59 AM
gerritbot added a comment.Oct 21 2019, 11:03 AM

Change 544863 merged by Filippo Giunchedi:
[operations/puppet@production] swiftrepl: ensure system user and service runs as 'swiftrepl'

https://gerrit.wikimedia.org/r/544863

Maintenance_bot removed a project: Patch-For-Review.Oct 21 2019, 11:10 AM
gerritbot added a comment.Oct 21 2019, 1:30 PM

Change 544911 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] swift: use systemd::unit for swiftrepl-mw

https://gerrit.wikimedia.org/r/544911

gerritbot added a project: Patch-For-Review.Oct 21 2019, 1:30 PM

Change 544912 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] swift: use systemd::timer::job for swiftrepl

https://gerrit.wikimedia.org/r/544912

gerritbot added a comment.Oct 21 2019, 1:32 PM

Change 544911 abandoned by Filippo Giunchedi:
swift: use systemd::unit for swiftrepl-mw

Reason:
Not needed

https://gerrit.wikimedia.org/r/544911

gerritbot added a comment.Oct 21 2019, 1:43 PM

Change 544912 merged by Filippo Giunchedi:
[operations/puppet@production] swift: use systemd::timer::job for swiftrepl

https://gerrit.wikimedia.org/r/544912

fgiunchedi added a comment.Oct 21 2019, 1:54 PM

swiftrepl is now running puppetized on both codfw and eqiad and running as a timer once a week per site.

Left to do is shipping swiftrepl.conf from puppet, which requires being able to access all sites credentials, which in turn requires a refactor in swift's puppetization.

Maintenance_bot removed a project: Patch-For-Review.Oct 21 2019, 2:10 PM
fgiunchedi renamed this task from Running swiftrepl is not puppetized to Refactor swift credentials to be global rather than per-site.Nov 5 2019, 11:10 AM
fgiunchedi lowered the priority of this task from High to Medium.
fgiunchedi updated the task description. (Show Details)
fgiunchedi removed a project: User-fgiunchedi.Apr 20 2021, 12:12 PM
Stashbot added a comment.Jun 30 2021, 9:35 AM

Mentioned in SAL (#wikimedia-operations) [2021-06-30T09:35:19Z] <godog> start swiftrepl-mw on ms-fe2005 post-switchover (credentials were missing) - T162123

fgiunchedi moved this task from Inbox to Backlog on the SRE-swift-storage board.Aug 25 2021, 4:20 PM
MatthewVernon edited parent tasks, added: T299125: Swiftrepl doesn't work on bullseye (and swiftrepl.conf is deployed by hand); removed: T165348: Check long-running screen/tmux sessions.Dec 16 2022, 3:51 PM
MatthewVernon removed a parent task: T299125: Swiftrepl doesn't work on bullseye (and swiftrepl.conf is deployed by hand).
MatthewVernon added a parent task: T299125: Swiftrepl doesn't work on bullseye (and swiftrepl.conf is deployed by hand).
gerritbot added a comment.Dec 16 2022, 4:09 PM

Change 868718 had a related patch set uploaded (by MVernon; author: MVernon):

[labs/private@master] hiera: move swift accounts_keys into common

https://gerrit.wikimedia.org/r/868718

gerritbot added a project: Patch-For-Review.Dec 16 2022, 4:09 PM
gerritbot added a comment.Dec 16 2022, 4:21 PM

Change 868721 had a related patch set uploaded (by MVernon; author: MVernon):

[operations/puppet@production] swift: move accounts_keys to common hiera

https://gerrit.wikimedia.org/r/868721

MatthewVernon subscribed.Dec 16 2022, 4:24 PM

I've put out two CRs; an equivalent change will also need doing to private-puppet. They'll all need co-ordinating.

MatthewVernon added a comment.Dec 16 2022, 4:36 PM

[also review by a puppet expert :) ]

gerritbot added a comment.Dec 21 2022, 2:35 PM

Change 870555 had a related patch set uploaded (by MVernon; author: MVernon):

[operations/puppet@production] swift: add swift::rclone

https://gerrit.wikimedia.org/r/870555

MatthewVernon added a subscriber: jcrespo.Jan 9 2023, 2:51 PM
Dzahn unsubscribed.Jan 9 2023, 3:57 PM
Ladsgroup subscribed.Jan 9 2023, 5:20 PM
gerritbot added a comment.Jan 12 2023, 9:28 AM

Change 868718 merged by MVernon:

[labs/private@master] hiera: move swift credentials into common

https://gerrit.wikimedia.org/r/868718

MatthewVernon mentioned this in rLPRIbdcee3658eb6: hiera: move swift credentials into common.Jan 12 2023, 9:34 AM
gerritbot added a comment.Jan 12 2023, 9:36 AM

Change 868721 merged by MVernon:

[operations/puppet@production] swift: move accounts_keys to common hiera global_account_keys

https://gerrit.wikimedia.org/r/868721

gerritbot added a comment.Jan 12 2023, 10:00 AM

Change 879283 had a related patch set uploaded (by MVernon; author: MVernon):

[labs/private@master] hiera: remove swift accounts_keys

https://gerrit.wikimedia.org/r/879283

gerritbot added a comment.Jan 12 2023, 1:03 PM

Change 879283 merged by MVernon:

[labs/private@master] hiera: remove swift accounts_keys

https://gerrit.wikimedia.org/r/879283

MatthewVernon mentioned this in rLPRI6b8b18d8e260: hiera: remove swift accounts_keys.Jan 12 2023, 1:04 PM
MatthewVernon closed this task as Resolved.Jan 12 2023, 1:06 PM
MatthewVernon claimed this task.

Done - old site-specific profile::swift::accounts_keys removed in favour of new common hiera entry profile::swift::global_account_keys

MatthewVernon mentioned this in T344834: Captchas are broken in the beta cluster.Aug 24 2023, 9:02 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL