Page MenuHomePhabricator
Create Task
Maniphest T165875

Update maintain-kubeusers to allow tool's to write to $HOME/.kube
Closed, ResolvedPublic
Actions

Description

webservice doesn't need to write into $HOME/.kube, but direct use of kubectl to launch a deployment needs to be able to write some metadata into the directory.

After updating, $HOME/.kube should have perms something like:

$ ls -adl .kube
drwxr-sr-x 3 tools.stashbot tools.stashbot 4096 Oct 25  2016 .kube

We could also make $HOME/.kube/config use the same chattr trick that we use for replica.my.cnf so that users can not accidentally delete the file.

Details

SubjectRepoBranchLines +/-
tools: Fix maintain-kubeusersoperations/puppetproduction+3 -5
tools: have maintain-kubeusers chown $HOME/.kubeoperations/puppetproduction+3 -1
Customize query in gerrit

Related Objects

Event Timeline

bd808 created this task.May 20 2017, 1:01 PM
Restricted Application added a project: Cloud-Services. · View Herald TranscriptMay 20 2017, 1:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot subscribed.May 20 2017, 8:49 PM

Change 354839 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[operations/puppet@production] tools: have maintain-kubeusers chown $HOME/.kube

https://gerrit.wikimedia.org/r/354839

gerritbot added a project: Patch-For-Review.May 20 2017, 8:49 PM
gerritbot added a comment.May 24 2017, 2:27 PM

Change 354839 merged by Rush:
[operations/puppet@production] tools: have maintain-kubeusers chown $HOME/.kube

https://gerrit.wikimedia.org/r/354839

chasemp subscribed.May 24 2017, 2:31 PM
In T165875#3289112, @gerritbot wrote:

Change 354839 merged by Rush:
[operations/puppet@production] tools: have maintain-kubeusers chown $HOME/.kube

https://gerrit.wikimedia.org/r/354839

I am merging this but it doesn't fix up the existing .kube dirs for Tools.

bd808 claimed this task.May 24 2017, 6:06 PM

I'll clean up the permissions on the existing directories manually from labstore1005.eqiad.wmnet

Restricted Application added a project: User-bd808. · View Herald TranscriptMay 24 2017, 6:06 PM
bd808 moved this task from Backlog to In Progress on the Toolforge board.May 25 2017, 4:30 PM
bd808 moved this task from To Do to In Dev/Progress on the User-bd808 board.May 31 2017, 2:33 AM
bd808 added a project: cloud-services-team (Kanban).Jun 6 2017, 8:59 PM
bd808 moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.Jun 6 2017, 9:00 PM
gerritbot added a comment.Jun 21 2017, 11:18 PM

Change 360779 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[operations/puppet@production] tools: fix chattr file path in maintain-kubeusers

https://gerrit.wikimedia.org/r/360779

Stashbot subscribed.Jun 22 2017, 12:12 AM

Mentioned in SAL (#wikimedia-cloud) [2017-06-22T00:12:34Z] <bd808> Set ownership and permissions on $HOME/.kube for all tools (T165875)

chasemp merged a task: T169715: Problem with kubernetes not being able to read ~/.kube/config file..Jul 5 2017, 3:21 PM
chasemp added a subscriber: Fnielsen.
gerritbot added a comment.Jul 5 2017, 3:22 PM

Change 360779 merged by Madhuvishy:
[operations/puppet@production] tools: Fix maintain-kubeusers

https://gerrit.wikimedia.org/r/360779

bd808 mentioned this in T169715: Problem with kubernetes not being able to read ~/.kube/config file..Jul 5 2017, 3:28 PM
chasemp added a comment.Jul 5 2017, 7:16 PM

@bd808 is this resolved then along with T169715?

bd808 added a comment.Jul 5 2017, 7:23 PM
In T165875#3408852, @chasemp wrote:

@bd808 is this resolved then along with T169715?

I still need to do the cleanup for directories created before the script was fixed. I started on that and then stalled out on figuring out how to do the uid/gid mappings from a host that is not using LDAP in nsswitch. I started looking again today though and should have something soon.

bd808 closed this task as Resolved.Jul 5 2017, 11:11 PM
In T165875#3289712, @bd808 wrote:

I'll clean up the permissions on the existing directories manually from labstore1005.eqiad.wmnet

$ ssh labstore1004.eqiad.wmnet
$ sudo -s
$ cd /exp/project/tools/project
$ for d in $(find . -maxdepth 2 -name .kube -type d -user root); do
  u=$(ls -ld ${d%%/.kube}|awk '{print $4}')
  echo $d $u
  chown $u:$u $d
  chmod 0775 $d
done
./nada/.kube 52816
./validator/.kube 52596
./prometheus/.kube root
./liangent/.kube 51115
./samoabot/.kube 51104
./test-lighttpd-precise/.kube 52520
./webarchivebot/.kube 52813
./jarbot/.kube 52831
./liangent-misc/.kube 51465
./phetools/.kube 52004
./jarallah/.kube 52835
./wikihistory/.kube 51512
./afcbot/.kube 51049
./sbot/.kube 51916
./repo/.kube root
./ebraminio-dev/.kube 51315
./himo/.kube 52807
./wikiminiatlas/.kube 51499
./davod/.kube 52785
./lyan/.kube 53332
./rotpunkt-bot/.kube 52770
./yemen/.kube 52789
./aaaaaa/.kube root
./crosswatch-monitoring/.kube 52537
./farhangestan/.kube 52569
./npp/.kube 52671
./maurelio/.kube 53110
./pathoschild-contrib/.kube 51337
./spbot/.kube 51190
./liangent-py/.kube 51118
./liangent-toolserver/.kube 52123
./framabot/.kube 53040
./liangent-django/.kube 51588
./passlicense/.kube 52784
./edinbot/.kube 51430
./zhwiki/.kube 51119
./fn/.kube 52232
./thedavetools/.kube 52924
$ (for d in $(find . -maxdepth 2 -name .kube -type d -user root); do u=$(ls -ld ${d%%/.kube}|awk '{print $4}'); echo $d $u; done)|sort
./aaaaaa/.kube root
./prometheus/.kube root
./repo/.kube root

The directories that are still owned by root are for disabled tools.

bd808 moved this task from Doing to Done on the cloud-services-team (Kanban) board.Jul 12 2017, 5:26 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits