Page MenuHomePhabricator
Create Task
Maniphest T164780

Sunset our use of Salt
Closed, ResolvedPublic
Actions

Description

cumin is now at a place where it's sufficiently mature enough (or at least as mature) and battle-tested to be able to serve as a SaltStack replacement for our limited use cases, or at least where it's close to becoming that.

For infrastructure simplicity, as well as security reasons (Salt is yet another way for root-level access), we should devise a plan forward to fully deprecate Salt for all our use cases.

At least the following need to happen for this to complete:

  • Migrate everything that's still on trebuchet to scap3
  • Remove trebuchet from everywhere installed + its puppet manifests
  • Migrate debdeploy to cumin, potentially adding features that are missing
  • Retire and/or replace custom salt grains from puppet
  • Find and replace all salt references in documentation (wikitech)
  • Uninstall salt-minion and salt masters from everywhere in production
  • Migrate Cloud VPS to be able to use Cumin as distributed command execution
  • Uninstall salt-minion and salt masters from everywhere in Labs?
  • Remove Icinga monitoring of salt-minions in prod
  • Remove wmf-auto-reimage / wmf-reimage dependencies on salt
  • Search for all Trebuchet-related and Salt/SaltStack-related tasks on Phabricator and resolve them (free-text search too, there are a lot). Archive the Trebuchet and Salt components

Details

SubjectRepoBranchLines +/-
wmf-auto-reimage: remove Salt actionsoperations/puppetproduction+1 -39
mariadb: Remove custom salt grains due to salt deprecationoperations/puppetproduction+0 -20
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedMoritzMuehlenhoffT164780 Sunset our use of Salt
 ResolvedthciprianiT129290 [keyresult] Migrate remaining trebuchet deployed services
 InvalidNoneT129155 Deploy sentry with scap3
 ResolvedthciprianiT129154 Deploy iegreview with scap3
 DeclinedNoneT129153 Deploy rcstream with scap3
 ResolvedakosiarisT129152 Deploy servermon with scap3
 ResolvedelukeyT129151 Deploy analytics-refinery with scap3
 ResolvedYurikT129150 Deploy kartotherian with scap3
 ResolvedthciprianiT129149 Deploy discovery-analytics with scap3
 ResolvedthciprianiT129148 Deploy jobrunner with scap3 (Trebuchet jobrunner/jobrunner)
 ResolvedthciprianiT167098 scap should allow restarting multiple services
 ResolvedthciprianiT167104 Figure out how to disable starting of jobrunner/jobchron in the non-active DC
 Resolved bearNDT129147 Deploy mobileapps/deploy with scap3
 ResolvedYurikT129146 Deploy tilerator with scap3
 ResolvedoriT129145 remove fluoride from the deployments directory
 ResolvedSmalyshevT129144 Deploy wdqs with scap3
 ResolvedDzahnT138628 Add wdqs-admins to deploy-services group
 Resolved mobrovacT129143 Deploy zotero/translators with scap3
 DeclinedNoneT129142 Deploy ocg with scap3
 Resolved mobrovacT129140 Deploy zotero/translation-server with scap3
 ResolvedfgiunchediT129139 Deploy statsv with scap3
 ResolvedakosiarisT129136 Deploy libreNMS with scap3
 ResolvedNiharikaT129134 Deploy scholarships with scap3
 Resolved mmodellT114363 Deploy Phabricator with scap3
 ResolvedthciprianiT116207 enforcing deployment from `/srv/deployment` is wrong
 Resolved mmodellT125853 Move /srv/phab/repos to /srv/repos
 Resolved mmodellT125851 Refactor phabricator module in puppet to remove git tag pinning behavior
 Resolved mmodellT113072 Make puppet provider for scap3
 ResolvedfgiunchediT126660 rebuild scap debian package (we forgot to include refreshCdbJsonFiles)
 Resolved mmodellT127215 scap::target should use scap's debian package instead of trebuchet
 DeclinedNoneT151996 Deploy elasticsearch plugins with scap3 (Trebuchet elasticsearch/plugins)
 ResolvedthciprianiT165748 Deploy logstash/plugins with scap3
 Resolved mobrovacT116340 Deploy logstash logback encoder with scap3
 ResolveddduvallT129420 Support git-fat in scap3 deployment
 Resolved mobrovacT137371 Deploy cassandra metrics collector via scap3
 InvalidNoneT170839 Migrate dropwizard/metrics to scap3
 Resolved demonT170881 Cleanup /srv/deployment
 DeclinedKrinkleT118772 Use scap3 to deploy eventlogging/eventlogging
 ResolvedOttomataT131263 Stop using global python setup.py install for eventlogging deploy
 ResolvedOttomataT131354 Make sure ALL eventlogging dependencies are available in both jessie and trusty via .deb packages
 ResolvedKrinkleT131977 Stop using global eventlogging install on hafnium (and any other eventlogging lib user)
 Resolved mobrovacT130948 Scap3 promote stage not working
 ResolvedMoritzMuehlenhoffT164817 Migrate debdeploy to cumin
 ResolvedVolansT166300 Remove Salt from wmf-auto-reimage / wmf-reimage
 ResolvedGehelT158560 Use debian packages instead of salt to deploy elasticsearch plugins
 Resolved dcausseT164367 Update Vagrant to include the new language plugins
 ResolvedVolansT175711 Cumin: create backend for OpenStack
 ResolvedVolansT175712 Install cumin in the WMCS infrastructure
 ResolvedhasharT176314 Replace salt on integration and deployment-prep projects
 ResolvedMoritzMuehlenhoffT176632 Remove salt master (and related packages) from labcontrol1001

Event Timeline

faidon created this task.May 8 2017, 7:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 8 2017, 7:00 PM
faidon added a subtask: T129290: [keyresult] Migrate remaining trebuchet deployed services.May 8 2017, 7:00 PM
jcrespo subscribed.May 8 2017, 7:04 PM
  • retire/and or substitute custom salt grains from puppet (?)
Andrew subscribed.May 8 2017, 7:06 PM
faidon updated the task description. (Show Details)May 8 2017, 7:07 PM
faidon mentioned this in T164595: Stretch vs. Salt.
greg subscribed.May 8 2017, 7:08 PM
MoritzMuehlenhoff created subtask T164817: Migrate debdeploy to cumin.May 9 2017, 7:20 AM
Aklapper added a project: Technical-Debt.May 9 2017, 7:44 AM
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.May 9 2017, 10:07 AM
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Peachey88 reopened this task as Open.May 9 2017, 10:09 AM
jcrespo updated the task description. (Show Details)May 10 2017, 4:39 PM
thcipriani subscribed.May 10 2017, 5:40 PM
Volans created subtask T166300: Remove Salt from wmf-auto-reimage / wmf-reimage.May 25 2017, 10:52 AM
hashar added a subtask: T158560: Use debian packages instead of salt to deploy elasticsearch plugins.May 31 2017, 7:20 AM
hashar subscribed.

Per T151996#3300615 the deployment of ElasticSearch will not be migrated from Trebuchet to Scap but instead use Debian packages which is T158560. Now a sub task of this sunset task.

hashar mentioned this in T151996: Deploy elasticsearch plugins with scap3 (Trebuchet elasticsearch/plugins).May 31 2017, 7:22 AM
Volans added a project: Goal.Jul 3 2017, 1:25 PM
Volans updated the task description. (Show Details)Jul 3 2017, 1:28 PM
bd808 subscribed.Jul 3 2017, 4:23 PM
gerritbot subscribed.Aug 10 2017, 8:07 AM

Change 370993 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] mariadb: Remove custom salt grains due to salt deprecation

https://gerrit.wikimedia.org/r/370993

gerritbot added a project: Patch-For-Review.Aug 10 2017, 8:07 AM
gerritbot added a comment.Aug 22 2017, 7:59 AM

Change 370993 merged by Jcrespo:
[operations/puppet@production] mariadb: Remove custom salt grains due to salt deprecation

https://gerrit.wikimedia.org/r/370993

MoritzMuehlenhoff closed subtask T164817: Migrate debdeploy to cumin as Resolved.Sep 11 2017, 2:17 PM
MoritzMuehlenhoff updated the task description. (Show Details)
Volans created subtask T175711: Cumin: create backend for OpenStack.Sep 12 2017, 4:43 PM
Volans created subtask T175712: Install cumin in the WMCS infrastructure.
debt closed subtask T158560: Use debian packages instead of salt to deploy elasticsearch plugins as Resolved.Sep 15 2017, 8:18 PM
thcipriani closed subtask T129290: [keyresult] Migrate remaining trebuchet deployed services as Resolved.Sep 18 2017, 9:12 PM
demon updated the task description. (Show Details)Sep 18 2017, 9:23 PM
Volans closed subtask T175712: Install cumin in the WMCS infrastructure as Resolved.Sep 20 2017, 11:48 AM
hashar created subtask T176314: Replace salt on integration and deployment-prep projects.Sep 20 2017, 1:16 PM
faidon mentioned this in T176314: Replace salt on integration and deployment-prep projects.Sep 20 2017, 2:56 PM
Volans closed subtask T166300: Remove Salt from wmf-auto-reimage / wmf-reimage as Resolved.Sep 21 2017, 1:41 PM
MoritzMuehlenhoff updated the task description. (Show Details)Sep 21 2017, 5:27 PM
Volans updated the task description. (Show Details)Sep 21 2017, 7:07 PM
Volans closed subtask T175711: Cumin: create backend for OpenStack as Resolved.Sep 21 2017, 11:04 PM
Volans updated the task description. (Show Details)
MoritzMuehlenhoff updated the task description. (Show Details)Sep 22 2017, 1:16 PM
gerritbot added a comment.Sep 25 2017, 12:24 PM

Change 380493 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] wmf-auto-reimage: remove Salt actions

https://gerrit.wikimedia.org/r/380493

gerritbot added a comment.Sep 25 2017, 12:27 PM

Change 380493 merged by Volans:
[operations/puppet@production] wmf-auto-reimage: remove Salt actions

https://gerrit.wikimedia.org/r/380493

MoritzMuehlenhoff updated the task description. (Show Details)Sep 25 2017, 12:53 PM
MoritzMuehlenhoff updated the task description. (Show Details)Sep 25 2017, 1:10 PM
Andrew created subtask T176632: Remove salt master (and related packages) from labcontrol1001.Sep 25 2017, 1:47 PM
Dzahn updated the task description. (Show Details)Sep 25 2017, 4:07 PM
Dzahn subscribed.

Saw Icinga alerts for salt-minions not running (on argon and chlorine)

"PROCS CRITICAL: 0 processes with regex args '^/usr/bin/python /usr/bin/salt-minion'" (https://icinga.wikimedia.org/cgi-bin/icinga/extinfo.cgi?type=2&host=argon&service=salt-minion+processes)

Made me think we should remove all of these monitoring checks now, as part of removing salt. Added a checkbox above.

Dzahn updated the task description. (Show Details)Sep 25 2017, 5:32 PM
Dzahn added a comment.Sep 25 2017, 5:38 PM

Nevermind, it was already removed by Moritz. These alerts i saw were just still there because puppet was disabled on these hosts for some Kubernetes tests by Alex. He fixed these and thye are gone now.

The only ones left now are some UNKNOWNs that are explained by other issues: cp4024 (T174891) , lvs1008 (T150256), db1022/db1023 (T166486)

Once salt is removed in labs we can also remove the "unaccepted salt keys" icinga check on labcontrol1001/1002 (@Andrew) and then that's all and Icinga is free of any salt checks.

https://icinga.wikimedia.org/cgi-bin/icinga/status.cgi?search_string=salt

MoritzMuehlenhoff updated the task description. (Show Details)Sep 28 2017, 7:17 AM
hashar closed subtask T176314: Replace salt on integration and deployment-prep projects as Resolved.Sep 28 2017, 8:55 AM
hashar added subscribers: elukey, MoritzMuehlenhoff.

deployment-prep / integration WMCS projects no more rely on salt (thank you @Volans / @MoritzMuehlenhoff / @bd808 / @elukey and others).

MoritzMuehlenhoff closed subtask T176632: Remove salt master (and related packages) from labcontrol1001 as Resolved.Sep 28 2017, 9:21 AM
MoritzMuehlenhoff closed this task as Resolved.Sep 28 2017, 12:18 PM
MoritzMuehlenhoff claimed this task.
MoritzMuehlenhoff updated the task description. (Show Details)

This is done (there's a few pending openstack puppet cleanups, but nothing really blocking to close this bug).

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits