Page MenuHomePhabricator

Requesting access to contint-admins for addshore
Closed, ResolvedPublicRequest


I would like to request access to contint-admins in order to be able to deploy changes to jenkins configuration etc.
Many people believe I have access to do these deploys (@Legoktm, @Reedy etc.) but I really don't.
Please let me stop annoying @hashar with my menial problems and tasks by granting me with the contint-admins group.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Yes please. I made addshore download and install jenkins-job-builder assuming he could deploy changes and then...he couldn't. :(

Change 371663 had a related patch set uploaded (by Greg Grossmeier; owner: Greg Grossmeier):
[operations/puppet@production] Add addshore to contint-admins

Change 372211 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: add additional admin addshore to contint-admins

Please note this requires review in the Ops meeting for approval.

The request to give addshore contint-admins was approved in today's operations team meeting.

Change 372211 merged by Dzahn:
[operations/puppet@production] admins: add additional admin addshore to contint-admins

Dzahn claimed this task.
Dzahn added a subscriber: Dzahn.

Hi @Addshore you have been added to the group now, as requested. i merged it on puppetmaster.

on contint1001:

Notice: /Stage[main]/Admin/Admin::Hashuser[addshore]/Admin::User[addshore]/Ssh::Userkey[addshore]/File[/etc/ssh/userkeys/addshore]/ensure: created
Notice: /Stage[main]/Admin/Admin::Groupmembers[contint-admins]/Exec[contint-admins_ensure_members]/returns: executed successfully

[contint1001:~] $ id addshore
uid=2178(addshore) gid=500(wikidev) groups=500(wikidev),719(contint-admins)

Let us know if any unexpected problems. Claiming it's resolved. Cheers

And here are the things you can do as root:

[contint1001:~] $ sudo cat /etc/sudoers.d/contint-admins 
# This file is managed by Puppet!

%contint-admins ALL = (jenkins) NOPASSWD: ALL
%contint-admins ALL = (jenkins-slave) NOPASSWD: ALL
%contint-admins ALL = (gerritslave) NOPASSWD: ALL
%contint-admins ALL = (nodepool) NOPASSWD: ALL
%contint-admins ALL = (zuul) NOPASSWD: ALL
%contint-admins ALL = NOPASSWD: /etc/init.d/jenkins
%contint-admins ALL = NOPASSWD: /usr/sbin/service nodepool start
%contint-admins ALL = NOPASSWD: /usr/sbin/service nodepool stop
%contint-admins ALL = NOPASSWD: /usr/sbin/service nodepool restart
%contint-admins ALL = NOPASSWD: /usr/sbin/service nodepool status
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger reload
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger restart
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger start
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger stop
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger status
%contint-admins ALL = NOPASSWD: /bin/journalctl*
%contint-admins ALL = NOPASSWD: /usr/local/sbin/puppet-run

Yay! I also added him to the "integration" group on gerrit so he can merge changes in the repositories before deploying them.

Mentioned in SAL (#wikimedia-operations) [2017-08-23T15:35:55Z] <legoktm> added addshore to "integration" gerrit group (T173233)

The modules/admin contint-admins grants shell access to the contint machines. Additionally, the user needs to be added to the LDAP group ciadmin (since T169557)

Mentioned in SAL (#wikimedia-releng) [2017-08-28T08:52:33Z] <hashar> gerrit: added ldap/ciadmin to the 'integration' group. T169557 T173233

Per IRC perhaps @greg needs to sign off on this.

<•moritzm> addshore: sure, I can do that, but Greg should ack this on the Phab task. they have requested the addition of the group last Friday and the initial set of ciadmin members were all limited to RelEng

@MoritzMuehlenhoff this task is to grant @Addshore access to the CI machines. He got shell access to the servers hosting zuul/nodepool/jenkins already.

T169557 has limited Jenkins administration initially with just releng (cn=ciadmin). This task is about adding addshore, the shell part is handled, we now need to grant him access to Jenkins admin.

Greg +1ed it above.

Ok, makes sense. I've added @addhore to cn=ciadmin.

Looks like everything is now working!

Change 371663 abandoned by Dzahn:
Add addshore to contint-admins

duplicate of