Page MenuHomePhabricator
Create Task
Maniphest T170355

Figure out process for deleting an unused tool
Closed, ResolvedPublic
Actions

Description

See Toolforge (Tools to be deleted) for information on how to nominate a tool for deletion.

We have a growing list of tools that have been volunteered for deleting by their maintainers. We probably also have quite a large number of tools that are being "name squatted" and could be reclaimed with gentle prodding of their maintainers. But, we don't have a well defined process for what steps are actually necessary to delete a tool. We should make that checklist and then figure out if automating it is worthwhile or not.

Deletion checklist

  • Remove all maintainers from tool group
  • Remove tool from maintainers list for all other tools
  • Archive tool's crontab
  • Stop all running jobs owned by tool on job grid
  • Delete all deployments owned by the tool on Kubernetes
  • Revoke Kubernetes credentials for tool
  • Remove Kubernetes namespace for tool
  • Archive any ToolsDB databases owned by the tool
  • Revoke database credentials for tool
  • Revoke elasticsearch credentials for tool
  • Archive tool homedir
  • Archive any Diffusion repositories owned by the tool
  • Delete tool account and group from LDAP

Details

Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Dvorapa subscribed.Apr 9 2018, 7:16 AM
In T170355#3428508, @bd808 wrote:
In T170355#3428384, @Aklapper wrote:

For everyone's understanding: This is a complement to T102066 (abandoned tools that nobody wants to take over and/or should die because of technical reasons)?

I think the tools that have been self-nominated so far are mostly failed experiments or things that have graduated to other hosting/folded into other tools. But, yes the archival step would be intended to preserve a record in case someone petitioned to revive the tool as a fork.

Yeah, I think some of them were created only for testing, learning Toolforge, or trying to create some tool and not be successful at all (like me). Also because of this there should be some more easier process to remove user's own tool within some time from creation (7 days?)..

zhuyifei1999 updated the task description. (Show Details)May 6 2018, 5:47 PM
zhuyifei1999 updated the task description. (Show Details)
Cirdan subscribed.May 23 2018, 3:23 PM
GTirloni subscribed.Nov 1 2018, 5:49 PM
AfroThundr3007730 subscribed.Dec 5 2018, 9:59 PM
GTirloni added a project: cloud-services-team (Kanban).Dec 20 2018, 6:50 PM
GTirloni unsubscribed.
bd808 mentioned this in T211972: Delete tool 'prometheus'.Dec 27 2018, 5:10 PM
bd808 updated the task description. (Show Details)Feb 15 2019, 12:33 AM
bd808 updated the task description. (Show Details)Mar 17 2019, 10:13 PM
MarcoAurelio subscribed.Mar 17 2019, 11:01 PM

With a backlog of 45 (a.t.m.) requests for tool deletions, is the checklist above complete so we can start honoring (or at least study) those requests? Thanks.

bd808 added a comment.Mar 17 2019, 11:07 PM
In T170355#5031053, @MarcoAurelio wrote:

With a backlog of 45 (a.t.m.) requests for tool deletions, is the checklist above complete so we can start honoring (or at least study) those requests? Thanks.

Having a list of abandoned tools is not a cause for alarm if the length of the list is 1 or 1000. Implementation of a repeatable cleanup process is a hard problem. I would like to devote some time in the coming months to attempting to find a resolution, but I am also in no hurry to do so. We now have a process documented in this task and on wikitech that can be used by tool maintainers to detach themselves from a tool they no longer wish to maintain. This was the most important aspect to solve. The remaining work is administrative and not something that should be a concern for the Toolforge maintainer community.

bd808 updated the task description. (Show Details)Mar 25 2019, 11:09 PM
bd808 mentioned this in Toolforge (Tools to be deleted).
bd808 closed subtask T133777: Tools that should get archived/deleted (tracking) as Resolved.Mar 25 2019, 11:17 PM
bd808 removed a subtask: T133777: Tools that should get archived/deleted (tracking).
bd808 updated the task description. (Show Details)May 19 2019, 8:05 AM
Bstorm triaged this task as High priority.Feb 11 2020, 5:54 PM
chasemp unsubscribed.Feb 11 2020, 5:54 PM
Andrew moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.Mar 10 2020, 4:32 PM
Andrew added a parent task: T133777: Tools that should get archived/deleted (tracking).May 24 2021, 1:51 PM
Andrew edited subscribers, added: chasemp; removed: MarcoAurelio.EditedMay 24 2021, 1:58 PM

This looks like enough steps that we should probably be automating things! A few questions:

  • Is it important that this process be fully reversable? (If 'yes' then we have to worry about restoring access creds in the future, and preventing namespace collisions)
  • Do we want an api for this (so that e.g. striker can archive/restore a tool) or just a CLI?
  • Is there any important tool state stored in Striker's database, or is all the important state in NFS and ldap?
bd808 added a comment.EditedMay 24 2021, 2:59 PM
In T170355#7107647, @Andrew wrote:

This looks like enough steps that we should probably be automating things! A few questions:

  • Is it important that this process be fully reversable? (If 'yes' then we have to worry about restoring access creds in the future, and preventing namespace collisions)

I'm open to hearing arguments about why "undo" of a delete is important, but I my current opinion is that it is not.

  • Do we want an api for this (so that e.g. striker can archive/restore a tool) or just a CLI?

Fully automated would be awesome, but a checklist with N steps requiring use of M cli tools would be a perfectly reasonable way to start. There are several different backends to deal with (Kubernetes, Grid Engine, ToolsDB, Wiki Replicas, Phabricator, LDAP, ...) which I think means that getting to full one-click automation will be non-trivial. It would probably end up being a command-and-control endpoint that called out to several other endpoints to do the work in any case so that we could isolate credentials and failure zones.

  • Is there any important tool state stored in Striker's database, or is all the important state in NFS and ldap?

The only thing that is in Striker's DB really would be toolinfo records which are read by admin.toolforge.org, Hay's Directory, and (coming soon) Toolhub. These can currently be deleted by a tool maintainer or an admin via the Striker UI. Exposing that as an API could be done, but would require us to figure out API auth for Striker.

Andrew added a comment.May 24 2021, 3:22 PM

Proposed: striker has disable/enable option, when a tool is disabled (via ldap login block) it also touches the password-last-updated date.

Grid and k8s should check if the

Andrew added a comment.May 25 2021, 6:06 PM

Whoah, that's what happens when I try to type during a meeting. Here's a proposed workflow:

  1. An admin or a tool member can mark a tool as 'disabled'. They can also mark it as 'enabled'. When a tool is marked as disabled a datestamp is set and *waves hands* running procs, pods and crons are stopped and prevented from restarting.
  2. A periodic cronjob or an admin-run script (maybe running on an NFS server) periodically checks for tools that have been disabled for more than 30 days. Those tools have their files and config archived into a tarball to the best of our ability; credentials are revoked and ldap entries are removed
  3. If, after a tool has been archived, a user requests that a tool be revived (possibly via the abandoned tool workflow) we will (by hand) copy the archived tarball from step 2 into the tool dir of their choice. After that they're on their own.
Quiddity unsubscribed.May 25 2021, 7:07 PM
taavi subscribed.Jun 1 2021, 8:17 PM
Andrew claimed this task.Jun 14 2021, 2:42 AM
Andrew added a comment.EditedJun 14 2021, 2:52 AM

We will use the ldap pwdAccountLockedTime field to indicate that a tool is disabled (and when it was disabled).

Setting or clearing this will be left to Striker. I'm not sure if the option should be available in user space or not; I'd like users to be able to decom their own tools but the ability to re-enable will interfere with admin powers to kill off malicious tools.

Here's how to find disabled tools with the cli:

ldapsearch -W -H ldap://ldap-labs.eqiad.wikimedia.org:389 -D uid=novaadmin,ou=people,dc=wikimedia,dc=org -b ou=people,ou=servicegroups,dc=wikimedia,dc=org "(pwdAccountLockedTime=*)" "+"
Andrew added a comment.EditedJun 14 2021, 3:06 AM

We're going to need several new agents and additional changes to support this. Here's an updated version of the checklist from the original description.

First, for the disabling phase:

  • archive crontab [6]
  • Stop all running jobs owned by tool on job grid [2]
  • Delete all deployments owned by the tool on Kubernetes [3]
  • Prevent the launching of new grid jobs [4]
  • Prevent the launching of new k8s deployments [5]

Then for the archiving phase:

  • Remove all maintainers from tool group [1]
  • Remove tool from maintainers list for all other tools [1]
  • Archive any ToolsDB databases owned by the tool [1]
  • Revoke database credentials for tool [7]
  • Revoke elasticsearch credentials for tool [1]
  • Archive tool homedir [1]
  • Delete tool account and group from LDAP [1]

And I'm not sure we should do this one automatically at all:

  • Archive any Diffusion repositories owned by the tool

[1] Cron job that detects long-disabled tools, edits ldap and archives files. Possibly runs on an NFS server in order to archive things off of NFS (as per the current closed-cps-project archive process)

[2] Cron job that runs on a grid master, detects disabled tools and stops their associated jobs

[3] Cron job that runs on a k8s host, detects disabled tools and stops associated k8s deployments; detects archive candidates and revokes k8s permissions

[4] Disable logins as disabled tool.

[5] Disable logins as disabled tool.

[6] Runs on cron submit host, archives user crontab

[7] This can probably be handled by maintain-dbusers

gerritbot added a comment.Jun 14 2021, 3:34 AM

Change 699577 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Toolforge bastions: add a broken shell for disabled tools

https://gerrit.wikimedia.org/r/699577

gerritbot added a project: Patch-For-Review.Jun 14 2021, 3:34 AM
bd808 added a comment.Jun 14 2021, 6:02 PM
In T170355#7154124, @Andrew wrote:

We will use the ldap pwdAccountLockedTime field to indicate that a tool is disabled (and when it was disabled).

Setting or clearing this will be left to Striker. I'm not sure if the option should be available in user space or not; I'd like users to be able to decom their own tools but the ability to re-enable will interfere with admin powers to kill off malicious tools.

Here's how to find disabled tools with the cli:

ldapsearch -W -H ldap://ldap-labs.eqiad.wikimedia.org:389 -D uid=novaadmin,ou=people,dc=wikimedia,dc=org -b ou=people,ou=servicegroups,dc=wikimedia,dc=org "(pwdAccountLockedTime=*)" "+"

pwdPolicySubentry=cn=disabled,ou=ppolicies,dc=wikimedia,dc=org may be a better setting to rely on, at least for positive account locking. See the analysis at T168692#5065458 for some reasoning behind that.

Andrew added a comment.Jun 14 2021, 6:51 PM
In T170355#7156164, @bd808 wrote:
In T170355#7154124, @Andrew wrote:

We will use the ldap pwdAccountLockedTime field to indicate that a tool is disabled (and when it was disabled).

Setting or clearing this will be left to Striker. I'm not sure if the option should be available in user space or not; I'd like users to be able to decom their own tools but the ability to re-enable will interfere with admin powers to kill off malicious tools.

Here's how to find disabled tools with the cli:

ldapsearch -W -H ldap://ldap-labs.eqiad.wikimedia.org:389 -D uid=novaadmin,ou=people,dc=wikimedia,dc=org -b ou=people,ou=servicegroups,dc=wikimedia,dc=org "(pwdAccountLockedTime=*)" "+"

pwdPolicySubentry=cn=disabled,ou=ppolicies,dc=wikimedia,dc=org may be a better setting to rely on, at least for positive account locking. See the analysis at T168692#5065458 for some reasoning behind that.

That doesn't include a datestamp does it?

bd808 added a comment.Jun 14 2021, 6:54 PM
In T170355#7156354, @Andrew wrote:
In T170355#7156164, @bd808 wrote:

pwdPolicySubentry=cn=disabled,ou=ppolicies,dc=wikimedia,dc=org may be a better setting to rely on, at least for positive account locking. See the analysis at T168692#5065458 for some reasoning behind that.

That doesn't include a datestamp does it?

No, it does not. I think its reasonable to try using pwdAccountLockedTime to track the time of change, but that we should also do the belt-and-suspenders addition of setting pwdPolicySubentry=cn=disabled,ou=ppolicies,dc=wikimedia,dc=org on the tool user account. In reality those accounts do not have passwords anyway, but these are the easy LDAP schema bits to fiddle with.

gerritbot added a comment.Jun 20 2021, 10:32 PM

Change 699577 merged by Andrew Bogott:

[operations/puppet@production] Toolforge bastions: add a broken shell for disabled tools

https://gerrit.wikimedia.org/r/699577

Maintenance_bot removed a project: Patch-For-Review.Jun 20 2021, 11:10 PM
Andrew added a comment.Jun 23 2021, 2:44 PM

Tool disable process(1).png (1×1 px, 151 KB)

Tool restore process(1).png (930×1 px, 143 KB)

gerritbot added a comment.Jun 24 2021, 7:29 PM

Change 701455 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Add config file for the disable_tool script

https://gerrit.wikimedia.org/r/701455

gerritbot added a project: Patch-For-Review.Jun 24 2021, 7:29 PM
gerritbot added a comment.Jun 24 2021, 7:43 PM

Change 701455 merged by Andrew Bogott:

[operations/puppet@production] Add config file for the disable_tool script

https://gerrit.wikimedia.org/r/701455

gerritbot added a comment.Jun 24 2021, 7:50 PM

Change 701458 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] profile::wmcs::nfs::primary: Fix exchanged ldap pass and dn

https://gerrit.wikimedia.org/r/701458

gerritbot added a comment.Jun 24 2021, 7:53 PM

Change 701458 merged by Andrew Bogott:

[operations/puppet@production] profile::wmcs::nfs::primary: Fix exchanged ldap pass and dn

https://gerrit.wikimedia.org/r/701458

Maintenance_bot removed a project: Patch-For-Review.Jun 24 2021, 8:10 PM
gerritbot added a comment.Jun 28 2021, 2:53 PM

Change 701928 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] toolforge: add a profile for installing the disable_tool script

https://gerrit.wikimedia.org/r/701928

gerritbot added a project: Patch-For-Review.Jun 28 2021, 2:53 PM
gerritbot added a comment.Jul 1 2021, 7:18 PM

Change 701928 merged by Andrew Bogott:

[operations/puppet@production] toolforge: add a profile for installing the disable_tool script

https://gerrit.wikimedia.org/r/701928

gerritbot added a comment.Jul 1 2021, 7:32 PM

Change 702745 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] profile::toolforge::disable_tool: fix typos

https://gerrit.wikimedia.org/r/702745

gerritbot added a comment.Jul 1 2021, 7:37 PM

Change 702745 merged by Andrew Bogott:

[operations/puppet@production] profile::toolforge::disable_tool: standardize on the singular 'disable_tool'

https://gerrit.wikimedia.org/r/702745

taavi moved this task from Backlog to In Progress on the Toolforge board.Jul 18 2021, 2:55 PM
gerritbot added a comment.Jul 21 2021, 8:33 PM

Change 706035 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] nfs: use disable-tool.py to archive disabled+expired tools

https://gerrit.wikimedia.org/r/706035

Andrew mentioned this in T285403: Add striker UI features for disabling/enabling/deleting tools,.Jul 21 2021, 8:55 PM
gerritbot added a comment.Jul 22 2021, 5:01 PM

Change 706035 merged by Andrew Bogott:

[operations/puppet@production] nfs: use disable-tool.py to archive disabled+expired tools

https://gerrit.wikimedia.org/r/706035

Andrew closed subtask T285011: Add process to stop and disable k8s jobs for disabled tools as Resolved.Jul 22 2021, 6:12 PM
gerritbot added a comment.Jul 22 2021, 9:21 PM

Change 706768 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] disable_tool: run every 5 minutes rather than every 10

https://gerrit.wikimedia.org/r/706768

gerritbot added a comment.Jul 22 2021, 9:23 PM

Change 706768 merged by Andrew Bogott:

[operations/puppet@production] disable_tool: run every 5 minutes rather than every 10

https://gerrit.wikimedia.org/r/706768

Andrew closed subtask T284940: Add agent to disable/enable grid tools as Resolved.Jul 23 2021, 7:44 PM
Andrew closed subtask T284946: agent to archive (or de-archive) crontabs for disabled or re-enabled tools as Resolved.
Andrew reopened subtask T284946: agent to archive (or de-archive) crontabs for disabled or re-enabled tools as Open.Aug 5 2021, 10:00 PM
Bstorm closed subtask T285332: Purge db creds for archived tools as Resolved.Aug 11 2021, 9:30 PM
Andrew closed subtask T284946: agent to archive (or de-archive) crontabs for disabled or re-enabled tools as Resolved.Aug 24 2021, 8:44 PM
dcaro edited projects, added cloud-services-team (FY2021/2022-Q3); removed cloud-services-team (Kanban).Oct 4 2021, 3:14 PM
gerritbot added a comment.Oct 12 2021, 9:13 PM

Change 730344 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Added mark_tool commandline to cloudcontrol nodes

https://gerrit.wikimedia.org/r/730344

gerritbot added a comment.Oct 12 2021, 9:21 PM

Change 730344 merged by Andrew Bogott:

[operations/puppet@production] Added mark_tool commandline to cloudcontrol nodes

https://gerrit.wikimedia.org/r/730344

gerritbot added a comment.Oct 13 2021, 1:10 AM

Change 730387 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] profile::manifests::toolforge::disable_tool: fix password/dn mixup

https://gerrit.wikimedia.org/r/730387

gerritbot added a comment.Oct 13 2021, 1:10 AM

Change 730388 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] disable_tool.conf.erb: add some additional entries for tool archiving

https://gerrit.wikimedia.org/r/730388

gerritbot added a comment.Oct 13 2021, 1:14 AM

Change 730387 merged by Andrew Bogott:

[operations/puppet@production] profile::manifests::toolforge::disable_tool: fix password/dn mixup

https://gerrit.wikimedia.org/r/730387

gerritbot added a comment.Oct 13 2021, 1:14 AM

Change 730388 merged by Andrew Bogott:

[operations/puppet@production] disable_tool.conf.erb: add some additional entries for tool archiving

https://gerrit.wikimedia.org/r/730388

gerritbot added a comment.Oct 13 2021, 2:56 AM

Change 730393 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] disable_tool.conf: remove some spurious quotemarks

https://gerrit.wikimedia.org/r/730393

gerritbot added a comment.Oct 13 2021, 2:59 AM

Change 730393 merged by Andrew Bogott:

[operations/puppet@production] disable_tool.conf: remove some spurious quotemarks

https://gerrit.wikimedia.org/r/730393

Andrew moved this task from ToDo to In Progress on the cloud-services-team (FY2021/2022-Q3) board.Oct 18 2021, 3:21 PM
gerritbot added a comment.Nov 16 2021, 6:54 PM

Change 739326 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] mark_tool: Remove reliance of /etc/ldap.conf or /etc/ldap/ldap.conf

https://gerrit.wikimedia.org/r/739326

gerritbot added a comment.Nov 16 2021, 7:02 PM

Change 739326 merged by Andrew Bogott:

[operations/puppet@production] mark_tool: Remove reliance of /etc/ldap.conf or /etc/ldap/ldap.conf

https://gerrit.wikimedia.org/r/739326

gerritbot added a comment.Nov 16 2021, 7:14 PM

Change 739331 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] disable_tool: add ldap uri to the config file

https://gerrit.wikimedia.org/r/739331

gerritbot added a comment.Nov 16 2021, 7:21 PM

Change 739331 merged by Andrew Bogott:

[operations/puppet@production] disable_tool: add ldap uri to the config file

https://gerrit.wikimedia.org/r/739331

gerritbot added a comment.Nov 18 2021, 7:09 PM

Change 739917 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] disable_tool: run every 2 minutes rather than every 5

https://gerrit.wikimedia.org/r/739917

gerritbot added a comment.Nov 18 2021, 7:54 PM

Change 739917 merged by Andrew Bogott:

[operations/puppet@production] disable_tool: run every 2 minutes rather than every 5

https://gerrit.wikimedia.org/r/739917

gerritbot added a comment.Jan 4 2022, 5:22 PM

Change 751474 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[cloud/toolforge/disable-tool@master] Move _kill_grid_jobs from the grid master to the cron host

https://gerrit.wikimedia.org/r/751474

gerritbot added a comment.Jan 4 2022, 6:53 PM

Change 751474 merged by Andrew Bogott:

[cloud/toolforge/disable-tool@master] Move _kill_grid_jobs from the grid master to the cron host

https://gerrit.wikimedia.org/r/751474

Andrew mentioned this in rCTDTc1cba78103a3: Move _kill_grid_jobs from the grid master to the cron host.Jan 4 2022, 6:53 PM
Andrew closed subtask T298291: tools-sgegrid-master needs to be a submit host for tool deletion as Resolved.Jan 4 2022, 8:11 PM
Andrew closed this task as Resolved.Jan 20 2022, 6:03 PM

All of the backend work for this task is done. we don't have a UI for that, but the UI work is T285403 so I'm going to close this one.

bd808 mentioned this in T316991: Add API to export toolinfo v1.2 compatible data.Sep 7 2022, 3:43 AM
bd808 closed subtask T285403: Add striker UI features for disabling/enabling/deleting tools, as Resolved.Oct 31 2022, 10:33 PM
Andrew added a subtask: T332514: Store state information for the disable tool process outside NFS.Apr 10 2023, 5:11 PM
Andrew mentioned this in T333477: Migrate tools nfs from labstore1004 server to a ceph-backed VM.Apr 10 2023, 5:18 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 10 2023, 5:30 PM
Andrew added a subtask: T353642: Relocate disable-tool-archive-dbs.service.Jan 2 2024, 6:50 PM
dcaro changed the status of subtask T332514: Store state information for the disable tool process outside NFS from Open to In Progress.Jan 24 2024, 3:48 PM
Andrew closed subtask T353642: Relocate disable-tool-archive-dbs.service as Resolved.Jan 24 2024, 10:18 PM
Andrew mentioned this in T147242: define a prebaked way to temporarily disable access for a user or Tool.Feb 7 2024, 8:40 PM
bd808 mentioned this in T362313: Archive Phabricator project tags for disabled tools.Apr 18 2024, 4:49 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits