Requesting access to contint-admins for addshore
Closed, ResolvedPublicRequest
Actions

Assigned To

Authored By

	Addshore
	Aug 13 2017, 2:31 AM

Description

I would like to request access to contint-admins in order to be able to deploy changes to jenkins configuration etc.
Many people believe I have access to do these deploys (@Legoktm, @Reedy etc.) but I really don't.
Please let me stop annoying @hashar with my menial problems and tasks by granting me with the contint-admins group.

Details

	Subject	Repo	Branch	Lines +/-
	Add addshore to contint-admins	operations/puppet	production	+1 -1
	admins: add additional admin addshore to contint-admins	operations/puppet	production	+1 -1

Customize query in gerrit

Event Timeline

Addshore created this task.Aug 13 2017, 2:31 AM

Restricted Application added a project: SRE. · View Herald TranscriptAug 13 2017, 2:31 AM

Restricted Application added a subscriber: • Aklapper. · View Herald Transcript

Addshore added a project: User-Addshore.Aug 13 2017, 2:31 AM

Addshore moved this task from Unsorted 💣 to Active 🚁 on the User-Addshore board.

Reedy awarded a token.Aug 13 2017, 2:32 AM

Yes please. I made addshore download and install jenkins-job-builder assuming he could deploy changes and then...he couldn't. :(

Change 371663 had a related patch set uploaded (by Greg Grossmeier; owner: Greg Grossmeier):
[operations/puppet@production] Add addshore to contint-admins

https://gerrit.wikimedia.org/r/371663

gerritbot added a project: Patch-For-Review.Aug 13 2017, 3:29 AM

(obvious +1 from me)

Change 372211 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: add additional admin addshore to contint-admins

https://gerrit.wikimedia.org/r/372211

Please note this requires review in the Ops meeting for approval.

RobH moved this task from Untriaged to Group Manager Approval Pending on the SRE-Access-Requests board.Aug 17 2017, 4:07 PM

The request to give addshore contint-admins was approved in today's operations team meeting.

Change 372211 merged by Dzahn:
[operations/puppet@production] admins: add additional admin addshore to contint-admins

https://gerrit.wikimedia.org/r/372211

Hi @Addshore you have been added to the group now, as requested. i merged it on puppetmaster.

on contint1001:

Notice: /Stage[main]/Admin/Admin::Hashuser[addshore]/Admin::User[addshore]/Ssh::Userkey[addshore]/File[/etc/ssh/userkeys/addshore]/ensure: created
Notice: /Stage[main]/Admin/Admin::Groupmembers[contint-admins]/Exec[contint-admins_ensure_members]/returns: executed successfully

[contint1001:~] $ id addshore
uid=2178(addshore) gid=500(wikidev) groups=500(wikidev),719(contint-admins)

Let us know if any unexpected problems. Claiming it's resolved. Cheers

And here are the things you can do as root:

[contint1001:~] $ sudo cat /etc/sudoers.d/contint-admins 
# This file is managed by Puppet!

%contint-admins ALL = (jenkins) NOPASSWD: ALL
%contint-admins ALL = (jenkins-slave) NOPASSWD: ALL
%contint-admins ALL = (gerritslave) NOPASSWD: ALL
%contint-admins ALL = (nodepool) NOPASSWD: ALL
%contint-admins ALL = (zuul) NOPASSWD: ALL
%contint-admins ALL = NOPASSWD: /etc/init.d/jenkins
%contint-admins ALL = NOPASSWD: /usr/sbin/service nodepool start
%contint-admins ALL = NOPASSWD: /usr/sbin/service nodepool stop
%contint-admins ALL = NOPASSWD: /usr/sbin/service nodepool restart
%contint-admins ALL = NOPASSWD: /usr/sbin/service nodepool status
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger reload
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger restart
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger start
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger stop
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger status
%contint-admins ALL = NOPASSWD: /bin/journalctl*
%contint-admins ALL = NOPASSWD: /usr/local/sbin/puppet-run

Addshore moved this task from Active 🚁 to Closing ✔️ on the User-Addshore board.Aug 22 2017, 4:12 PM

Yay! I also added him to the "integration" group on gerrit so he can merge changes in the repositories before deploying them.

Mentioned in SAL (#wikimedia-operations) [2017-08-23T15:35:55Z] <legoktm> added addshore to "integration" gerrit group (T173233)

The modules/admin contint-admins grants shell access to the contint machines. Additionally, the user needs to be added to the LDAP group ciadmin (since T169557)

Addshore reopened this task as Open.Aug 28 2017, 8:50 AM

Mentioned in SAL (#wikimedia-releng) [2017-08-28T08:52:33Z] <hashar> gerrit: added ldap/ciadmin to the 'integration' group. T169557 T173233

Per IRC perhaps @greg needs to sign off on this.

<•moritzm> addshore: sure, I can do that, but Greg should ack this on the Phab task. they have requested the addition of the group last Friday and the initial set of ciadmin members were all limited to RelEng

@MoritzMuehlenhoff this task is to grant @Addshore access to the CI machines. He got shell access to the servers hosting zuul/nodepool/jenkins already.

T169557 has limited Jenkins administration initially with just releng (cn=ciadmin). This task is about adding addshore, the shell part is handled, we now need to grant him access to Jenkins admin.

Greg +1ed it above.

Ok, makes sense. I've added @addhore to cn=ciadmin.

Looks like everything is now working!

Change 371663 abandoned by Dzahn:
Add addshore to contint-admins

Reason:
duplicate of https://gerrit.wikimedia.org/r/#/c/372211/

https://gerrit.wikimedia.org/r/371663

Requesting access to contint-admins for addshoreClosed, ResolvedPublicRequestActions

Description

Details

Event Timeline

Requesting access to contint-admins for addshore
Closed, ResolvedPublicRequest
Actions