Page MenuHomePhabricator
Create Task
Maniphest T176314

Replace salt on integration and deployment-prep projects
Closed, ResolvedPublic
Actions

Description

As a side effect of sunsetting salt, Beta-Cluster-Infrastructure and Continuous-Integration-Infrastructure would need a replacement since we don't have access to the WMCS salt master.

For both beta and CI, we use salt for mass commands execution. Be it checking state of instances, manually upgrading packages, mass clean up or deploying some scripts.

The salt master instances are:

  • deployment-salt02.deployment-prep.eqiad.wmflabs
  • integration-saltmaster.integration.eqiad.wmflabs

That is provisioned on the instances using the puppet.git manifests with a hiera key to switch the master to point to the relevant master.

since salt is being removed, we need either:

  • cumin master (if there is a puppet class for standalone cumin master in labs)
  • cluster shell (apparently used by tools labs)

Details

SubjectRepoBranchLines +/-
prometheus: make ferm DNS record type configurableoperations/puppetproduction+26 -14
fab: migrate from salt to cuminintegration/configmaster+5 -5
cumin (WMCS): allow to setup cumin in a projectoperations/puppetproduction+128 -14
OpenStack backend: set default query params in configoperations/software/cuminmaster+28 -7
Customize query in gerrit

Related Objects
Search...

Event Timeline

hashar created this task.Sep 20 2017, 1:16 PM
hashar mentioned this in T175712: Install cumin in the WMCS infrastructure.
faidon added a comment.Sep 20 2017, 2:56 PM

beta, CI and other WMCS VPS projects are not environments that either TechOps or WMCS operate and as such, we hadn't incorporated it into our plans of the Salt deprecation (and that's also why it's not listed in our goals). To be honest, I wasn't even aware of this use of Salt, but even if I had known about it, I'm not sure how we could had reasonably do anything about it other than just give you a heads-up, given our unfamiliarity with this environment. Due to dependency on Trebuchet, this was a quarterly goal that was planned and coordinated with Release-Engineering-Team, so I don't think this was a surprise to you regardless? I'm being a little defensive because I see that you made this a subtask of T164780, tagged this as Goal and SRE etc., so I guess you disagree and/or this may be all a surprise to you after all? If not, then feel free to ignore this whole paragraph :)

I still don't consider this a blocker to our goal, nor something we (SRE) would need to do. (That said, if you decide to go the way of Cumin, we'd be happy to help of course :). There isn't much time left until the end of the quarter, so if you don't manage to get rid of Salt by then and want to retain the capability of mass execution, you will probably have to cherry-pick reverts in your puppetmaster, as the plan is to remove all Salt-related code from operations/puppet, and before that, push code that will uninstall the minion and cleanup everything Salt-related across the fleet. The target date for all this is the end of the quarter (September 30th) and it seems that this is still on-track.

demon subscribed.Sep 20 2017, 3:13 PM

I don't really feel like nitpicking over projects or dependencies, but I'm pretty much in agreement with @faidon here and I definitely see our path forward....

This task is correct in that we'll want to replace salt with cumin in these places. At the same time, it clearly isn't going to block ops' goal in production -- that absolutely should move forward as planned. @Volans kindly offered on IRC a bit ago to help us with the migration...after the production work is done :)

bd808 added a comment.Sep 20 2017, 5:03 PM

https://github.com/bd808/wikimedia-cloud-vps-hostgroup-generator provides an out-of-the-box solution for using clush from any computer to target commands to any Cloud VPS project. Patches to https://github.com/bd808/wikimedia-cloud-vps-hostgroup-generator/blob/master/conf/classifiers.yaml are welcome to provide better targeting for projects that want to use this tool.

greg added a comment.Sep 20 2017, 6:20 PM

For the record, the choice of tags is automatic by the "create subtask" menu option. I don't think @hashar explicitly made those choices.

Thanks @bd808 for the other options.

greg removed projects: Goal, SRE.Sep 20 2017, 9:19 PM

leaving ops-software-dev as this is about cumin (though that may not be what we use in the end): is there a better cumin-only project ya'll use?

Volans added a comment.Sep 20 2017, 9:37 PM

@greg no, that's the right one, cumin it's an additional hashtag of this one ;) Thanks

hashar added a comment.Sep 22 2017, 5:29 PM

I have filled this task for what it is: replace salt on integration and beta. There is no evilness intended!

Surely I would have appreciated a drop-in replacement for role::salt::masters::labs::project_master since that has been used for ages and is in the puppet.git repo. Ideally that would have been caught up in the migration plan.

Cumin is most probably state of the art puppetized, so I guess it is going to be straightforward to deploy on beta / integration. One just need time to figure out classes to be applied, the hiera variables to change and maybe a bit of cruft to set the master to be a master.

gerritbot added a comment.Sep 26 2017, 2:56 PM

Change 380760 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/cumin@master] OpenStack backend: set default query params in config

https://gerrit.wikimedia.org/r/380760

gerritbot added a project: Patch-For-Review.Sep 26 2017, 2:56 PM
gerritbot added a comment.Sep 26 2017, 5:57 PM

Change 380760 merged by jenkins-bot:
[operations/software/cumin@master] OpenStack backend: set default query params in config

https://gerrit.wikimedia.org/r/380760

gerritbot added a comment.Sep 27 2017, 10:06 AM

Change 380947 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] cumin (WMCS): allow to setup cumin in a project

https://gerrit.wikimedia.org/r/380947

Volans moved this task from Backlog to In Progress on the SRE-tools board.Sep 27 2017, 1:42 PM
Volans moved this task from In Progress to In Code Review on the SRE-tools board.
gerritbot added a comment.Sep 27 2017, 2:58 PM

Change 380947 merged by Volans:
[operations/puppet@production] cumin (WMCS): allow to setup cumin in a project

https://gerrit.wikimedia.org/r/380947

Volans added a comment.Sep 27 2017, 3:03 PM

@hashar want to do the honors of being the first tester? 😉
https://wikitech.wikimedia.org/wiki/Help:Cumin_master

hashar edited projects, added Release-Engineering-Team (Kanban); removed Patch-For-Review.Sep 27 2017, 5:13 PM
In T176314#3639946, @Volans wrote:

@hashar want to do the honors of being the first tester? 😉
https://wikitech.wikimedia.org/wiki/Help:Cumin_master

That looks very great! I was expecting it to be straightforward (apply puppet class + set hiera) and that step by step tutorial sounds like it is going to be a walk in the park ! :-D

antoine-approve

gerritbot added a comment.Sep 27 2017, 7:52 PM

Change 381073 had a related patch set uploaded (by Hashar; owner: Hashar):
[operations/puppet@production] prometheus: force ferm dns resolution to Ipv4

https://gerrit.wikimedia.org/r/381073

gerritbot added a project: Patch-For-Review.Sep 27 2017, 7:52 PM
hashar added subscribers: elukey, Ottomata, fgiunchedi.EditedSep 27 2017, 8:03 PM

It took me 14 minutes from the time I have opened https://wikitech.wikimedia.org/wiki/Keyholder until I got some cumin command more or less working. That is quite an achievement, my accolades to anyone that got involved in integrating cumin with OpenStack, and of course huge kudos to @Volans for the wikitech doc.

deployment-prep had some oddities:

  • iptables rules not being updated, because ferm was still present while no puppet class was still applying it. That resulted in obsolete rules. I have purged ferm on those hosts.
  • the ferm rule for prometheus (poke @fgiunchedi forces AAAA resolution. However labs does not have any IPv6 support. That caused ferm to fail. Hacked by switching to A resolution ( https://gerrit.wikimedia.org/r/381073 )
  • deployment-kafka-jumbo-1.deployment-prep.eqiad.wmflabs is not reacheable. Puppet is disabled, I guess @elukey or @Ottomata would know.

Summary is:

$ sudo cumin -o txt '*' 'true' 
0.4% (1/70) of nodes failed to execute command 'true': deployment-kafka-jumbo-1.deployment-prep.eqiad.wmflabs
_____FORMATTED_OUTPUT_____
deployment-kafka-jumbo-1.deployment-prep.eqiad.wmflabs: Permission denied (publickey).

So for Beta-Cluster-Infrastructure that is mostly done. Gotta update documentation here and there and write some announcement.

Will tackle Continuous-Integration-Infrastructure next.

NOTE: gotta recreate the beta cluster instance to use the name deployment-cumin (hostnames have to be unique cluster wide)
hashar claimed this task.Sep 27 2017, 8:55 PM

I have provisioned integration-cumin and deployment-cumin. Have a few scripts to switch to use cumin then I guess we can drop salt from both projects and announce the change \o/

gerritbot added a comment.Sep 27 2017, 9:12 PM

Change 381129 had a related patch set uploaded (by Hashar; owner: Hashar):
[integration/config@master] fab: migrate from salt to cumin

https://gerrit.wikimedia.org/r/381129

hashar added a comment.Sep 27 2017, 9:28 PM

I created deployment-cumin and integration-cumin . Gotta update a few documentation here and there + write an announcement.

I guess we can drop salt tomorrow morning first thing \o/

Stashbot subscribed.Sep 28 2017, 8:31 AM

Mentioned in SAL (#wikimedia-releng) [2017-09-28T08:31:10Z] <hashar> Removing salt configuration from integration and deployment-prep projects. Replaced by cumin. - T176314

Stashbot added a comment.Sep 28 2017, 8:39 AM

Mentioned in SAL (#wikimedia-releng) [2017-09-28T08:39:07Z] <hashar> Deleted integration-saltmaster and deployment-salt02 . Replaced by integration-cumin and deployment-cumin - T176314

hashar added a comment.Sep 28 2017, 8:41 AM

@elukey has run puppet on deployment-kafka-jumbo-1.deployment-prep.eqiad.wmflabs. 69/69 instances are reachable!

gerritbot added a comment.Sep 28 2017, 8:52 AM

Change 381129 merged by jenkins-bot:
[integration/config@master] fab: migrate from salt to cumin

https://gerrit.wikimedia.org/r/381129

hashar closed this task as Resolved.Sep 28 2017, 8:55 AM

Salt has been purged entirely!!

https://wikitech.wikimedia.org/wiki/Help:Cumin_master has been the instrumental part to handle all the migration in less than half a day. My special kudos to everyone involved and thank you for your patience!

greg edited projects, added RelEng-Archive-FY201718-Q1; removed Release-Engineering-Team (Kanban).Sep 29 2017, 5:25 PM
hashar added a comment.Sep 29 2017, 7:01 PM

I have a made a short announce on the QA list: https://lists.wikimedia.org/pipermail/qa/2017-September/002658.html

Hello,

On deployment-prep and integration, I have removed Salt entirely in
favor of Cumin.

It is mostly similar but way better to keep the inventory, make sure you
reach all the instances.  Cumin comes with an elaborate query scheme.

One requires sudo access to be able to use it since commands are
executed on instances as the root user.

Instances:

- deployment-cumin.deployment-prep.eqiad.wmflabs
- integration-cumin.integration.eqiad.wmflabs

Examples:

 sudo cumin '*' 'true'
 sudo cumin 'name:deployment-mediawiki' 'true'

The documentation is quite nice, you certainly want to read the part
about selecting hosts:

https://wikitech.wikimedia.org/wiki/Cumin
hashar mentioned this in T178457: nutcracker fails to start due to lack of /var/run/nutcracker (ex: deployment-videoscaler01 has memcached failures).Oct 18 2017, 8:27 AM
hashar mentioned this in T153468: Ferm's upstream Net::DNS Perl library questionable handling of NOERROR responses without records causing puppet errors when we try to @resolve AAAA in labs.Jan 8 2018, 11:15 AM
gerritbot added a comment.Mar 19 2018, 10:03 PM

Change 381073 abandoned by Hashar:
prometheus: make ferm DNS record type configurable

https://gerrit.wikimedia.org/r/381073

Krenair mentioned this in T135427: Beta puppetmaster cherry-pick process.Jun 5 2018, 7:37 PM
gerritbot added a comment.Aug 6 2018, 8:40 PM

Change 381073 restored by Krinkle:
prometheus: make ferm DNS record type configurable

Reason:
Restoring because a version of this is still live on beta.

https://gerrit.wikimedia.org/r/381073

gerritbot added a comment.Oct 31 2018, 2:25 PM

Change 381073 abandoned by Hashar:
prometheus: make ferm DNS record type configurable

Reason:
That is probably outdated, I lack bandwith to rebase it properly.

https://gerrit.wikimedia.org/r/381073

gerritbot added a comment.Sep 25 2019, 5:44 PM

Change 381073 restored by Dzahn:
prometheus: make ferm DNS record type configurable

https://gerrit.wikimedia.org/r/381073

gerritbot added a comment.Nov 18 2019, 7:53 PM

Change 381073 abandoned by Hashar:
prometheus: make ferm DNS record type configurable

https://gerrit.wikimedia.org/r/381073

Krinkle mentioned this in T244624: Beta puppet patch "prometheus: make ferm DNS record type configurable".Feb 7 2020, 11:36 PM
Volans mentioned this in rCUMINc83c64afd559: OpenStack backend: set default query params in config.May 25 2023, 5:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL