Requesting access to contint-admins for addshore
Closed, Resolved · Public · request

Description

I would like to request access to contint-admins in order to be able to deploy changes to jenkins configuration etc.
Many people believe I have access to do these deploys (@Legoktm, @Reedy etc.) but I really don't.
Please let me stop annoying @hashar with my menial problems and tasks by granting me the contint-admins group.

Addshore created this task. Aug 13 2017, 2:31 AM
Restricted Application added a project: Operations. Aug 13 2017, 2:31 AM
Restricted Application added a subscriber: Aklapper.
Reedy awarded a token. Aug 13 2017, 2:32 AM

Yes please. I made addshore download and install jenkins-job-builder assuming he could deploy changes and then...he couldn't. :(

Change 371663 had a related patch set uploaded (by Greg Grossmeier; owner: Greg Grossmeier):
[operations/puppet@production] Add addshore to contint-admins

https://gerrit.wikimedia.org/r/371663

greg added a comment. Aug 13 2017, 3:30 AM

(obvious +1 from me)

Change 372211 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: add additional admin addshore to contint-admins

https://gerrit.wikimedia.org/r/372211

RobH added a subscriber: RobH. Aug 17 2017, 4:07 PM

Please note this requires review in the Ops meeting for approval.

RobH moved this task from Backlog to ops meeting on the Ops-Access-Requests board. Aug 17 2017, 4:07 PM
RobH added a comment. Aug 21 2017, 5:09 PM

The request to give addshore contint-admins was approved in today's operations team meeting.

Change 372211 merged by Dzahn:
[operations/puppet@production] admins: add additional admin addshore to contint-admins

https://gerrit.wikimedia.org/r/372211

Dzahn closed this task as Resolved. Aug 21 2017, 6:15 PM
Dzahn claimed this task.
Dzahn added a subscriber: Dzahn.

Hi @Addshore, you have been added to the group now, as requested. I merged it on puppetmaster.

on contint1001:

Notice: /Stage[main]/Admin/Admin::Hashuser[addshore]/Admin::User[addshore]/Ssh::Userkey[addshore]/File[/etc/ssh/userkeys/addshore]/ensure: created
Notice: /Stage[main]/Admin/Admin::Groupmembers[contint-admins]/Exec[contint-admins_ensure_members]/returns: executed successfully

[contint1001:~] $ id addshore
uid=2178(addshore) gid=500(wikidev) groups=500(wikidev),719(contint-admins)

Let us know if there are any unexpected problems. Claiming it's resolved. Cheers

Dzahn added a comment. Aug 21 2017, 6:17 PM

And here are the things you can do as root:

[contint1001:~] $ sudo cat /etc/sudoers.d/contint-admins 
# This file is managed by Puppet!

%contint-admins ALL = (jenkins) NOPASSWD: ALL
%contint-admins ALL = (jenkins-slave) NOPASSWD: ALL
%contint-admins ALL = (gerritslave) NOPASSWD: ALL
%contint-admins ALL = (nodepool) NOPASSWD: ALL
%contint-admins ALL = (zuul) NOPASSWD: ALL
%contint-admins ALL = NOPASSWD: /etc/init.d/jenkins
%contint-admins ALL = NOPASSWD: /usr/sbin/service nodepool start
%contint-admins ALL = NOPASSWD: /usr/sbin/service nodepool stop
%contint-admins ALL = NOPASSWD: /usr/sbin/service nodepool restart
%contint-admins ALL = NOPASSWD: /usr/sbin/service nodepool status
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger reload
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger restart
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger start
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger stop
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger status
%contint-admins ALL = NOPASSWD: /bin/journalctl*
%contint-admins ALL = NOPASSWD: /usr/local/sbin/puppet-run
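
An added example (not part of the original comment or of Wikimedia's Puppet code): a small Python parser that groups rules from the listing above by run-as account and labels how tightly each command is pinned, the view a least-privilege review of such a file needs. The function names and the `classify` labels are this example's own; rules without a `(user)` Runas spec are treated as running as root, which is sudo's default.

```python
import re
from collections import defaultdict

# Rules copied from the contint-admins sudoers listing above (service lines abridged).
SUDOERS = """\
%contint-admins ALL = (jenkins) NOPASSWD: ALL
%contint-admins ALL = (jenkins-slave) NOPASSWD: ALL
%contint-admins ALL = (gerritslave) NOPASSWD: ALL
%contint-admins ALL = (nodepool) NOPASSWD: ALL
%contint-admins ALL = (zuul) NOPASSWD: ALL
%contint-admins ALL = NOPASSWD: /etc/init.d/jenkins
%contint-admins ALL = NOPASSWD: /usr/sbin/service nodepool restart
%contint-admins ALL = NOPASSWD: /usr/sbin/service zuul-merger reload
%contint-admins ALL = NOPASSWD: /bin/journalctl*
%contint-admins ALL = NOPASSWD: /usr/local/sbin/puppet-run
"""

# user/group, host list, optional (runas), optional TAG:, command
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(?:([A-Z]+):\s*)?(.+)$")

def classify(cmd):
    """Describe how tightly a sudoers command spec pins what may be run."""
    if cmd == "ALL":
        return "any command"
    if any(ch in cmd for ch in "*?["):
        return "wildcard pattern"
    if " " not in cmd:
        return "fixed binary, any arguments"  # a bare path accepts any arguments
    return "fixed binary, fixed arguments"

def audit(text):
    """Group rules by the account the command runs as (root when no Runas is given)."""
    by_runas = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        who, host, runas, tag, cmd = m.groups()
        by_runas[runas or "root"].append((cmd.strip(), classify(cmd.strip())))
    return dict(by_runas)

if __name__ == "__main__":
    for runas, rules in audit(SUDOERS).items():
        for cmd, kind in rules:
            print(f"{runas:14} {kind:30} {cmd}")
```
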

Yay! I also added him to the "integration" group on gerrit so he can merge changes in the repositories before deploying them.

Mentioned in SAL (#wikimedia-operations) [2017-08-23T15:35:55Z] <legoktm> added addshore to "integration" gerrit group (T173233)

The modules/admin contint-admins grants shell access to the contint machines. Additionally, the user needs to be added to the LDAP group ciadmin (since T169557)

Addshore reopened this task as Open. Mon, Aug 28, 8:50 AM

Mentioned in SAL (#wikimedia-releng) [2017-08-28T08:52:33Z] <hashar> gerrit: added ldap/ciadmin to the 'integration' group. T169557 T173233

Per IRC perhaps @greg needs to sign off on this.

<•moritzm> addshore: sure, I can do that, but Greg should ack this on the Phab task. they have requested the addition of the group last Friday and the initial set of ciadmin members were all limited to RelEng

@MoritzMuehlenhoff this task is to grant @Addshore access to the CI machines. He got shell access to the servers hosting zuul/nodepool/jenkins already.

T169557 has limited Jenkins administration initially with just releng (cn=ciadmin). This task is about adding addshore, the shell part is handled, we now need to grant him access to Jenkins admin.

Greg +1ed it above.

Ok, makes sense. I've added @Addshore to cn=ciadmin.

Addshore closed this task as Resolved. Mon, Aug 28, 11:22 AM

Looks like everything is now working!