Page MenuHomePhabricator
Create Task
Maniphest T179729

Adding phedenskog to perf-team
Closed, ResolvedPublicRequest
Actions

Description

https://wikitech.wikimedia.org/wiki/Production_shell_access#New_users

  1. Read, comprehend, and sign: https://phabricator.wikimedia.org/L3
  2. Have NDA signed and on-file with Legal.
  3. Public key SSH (Must be different from the Labs key for Wikitech/Gerrit)
  4. Approvals from at least one employee and/or relevant service/team lead.

Request details:

  • Username: phedenskog
  • Full name: Peter Hedenskog
  • Public key SSH: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxyWdrsYsbZuCFvBYGJAc/dhzp1Jfg0il+FFux+LB8F2iJ6jSA46LGT2JPPGumx72+ArGkr+xddgnzBfyutrkrRRTRI30yszFXJsm07GG9I8mAdj/6UXhWsNDBJy7xTvUYMD8TTbtXCT7dTdAg8BxpwKEvW04wZX2HIVDcwDBIMfxRvsvSS352FmfQ7OSytW9/82egMZlcbF6GDJytV6Sk8Zbh5EldtA5EH7pLexlSR8FFSi88h2NF+c6I8rHPpiorbB1jqA2b3krbMhe8vp13VS319L+b6VfsS4OgR5XUnFVHr3SiQ/eqtGwivOnXVFZBngpqzeat7AxPlDMl93l1 phedenskog@WMF1412
  • Reason: @Peter is a member of the Performance Team and should have access to the servers where our services run on (e.g. hafnium for webperf/navtiming, and tungsten for xhgui - Note: host names to change per T158837).

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add phedenskog to perf-team groupoperations/puppetproduction+1 -1
Add shell user for phedenskogoperations/puppetproduction+9 -4
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedRequestNoneT179729 Adding phedenskog to perf-team
 ResolvedMoritzMuehlenhoffT179728 Create perf-team shell group

Event Timeline

Krinkle created this task.Nov 3 2017, 8:25 PM
Restricted Application added a project: SRE. · View Herald TranscriptNov 3 2017, 8:25 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Krinkle added a parent task: T179728: Create perf-team shell group.Nov 3 2017, 8:25 PM
Krinkle updated the task description. (Show Details)
Krinkle updated the task description. (Show Details)Nov 3 2017, 8:29 PM
Krinkle updated the task description. (Show Details)

I approve, naturally :-)

Peter updated the task description. (Show Details)Nov 5 2017, 12:33 PM
Dzahn subscribed.Nov 6 2017, 7:43 AM

access to the servers where our services run on (e.g. hafnium for webperf/navtiming, and tungsten for xhgui - Note: host names to change per T158837).

Access is (should be) generally based on puppet role names, not host names. So in this case, this is:

  • access to hosts using xhgui::app (admin groups in hieradata/role/common/xhgui/app.yaml = perf-roots)
  • access to hosts using role::webperf (admin groups in hieradata/role/common/webperf.yaml = perf-roots, eventlogging-admins)

So we can summarize it as "membership in perf-roots" and access will move to wherever the role is applied which adds this group. We don't have to think about host names.

Dzahn renamed this task from Requesting access to perf-teams for phedenskog to Requesting access to perf-teams for phedenskog (add phedenskog to perf-roots).Nov 6 2017, 7:44 AM
Dzahn added a subscriber: Muehlenhoff.Nov 6 2017, 7:47 AM

Though... Also see T179317#3731710 "perf-roots grants full root access to nearly half the servers in production"

@Muehlenhoff

Krinkle removed a parent task: T179728: Create perf-team shell group.Nov 6 2017, 7:01 PM
Krinkle added a subtask: T179728: Create perf-team shell group.
Krinkle added a comment.Nov 6 2017, 7:36 PM
In T179729#3736609, @Dzahn wrote:

Access is (should be) generally based on puppet role names, not host names.

Yeah, we use roles (mainly webperf and xhgui for the purpose of this task). And access to these roles will be granted via the perf-team group once T179728 is resolved, which should happen before this task. This is a request for perf-team (per task title).

Krinkle triaged this task as High priority.Nov 6 2017, 8:54 PM
Krinkle added a project: Performance-Team.
Krinkle moved this task from Inbox, needs triage to Blocked (old) on the Performance-Team board.
Dzahn added a comment.Nov 7 2017, 5:17 AM

@Krinkle Now that i saw the other ticket to create "perf-team" i understand better. Gotcha!

Krinkle mentioned this in T179728: Create perf-team shell group.Nov 8 2017, 8:39 AM
MoritzMuehlenhoff renamed this task from Requesting access to perf-teams for phedenskog (add phedenskog to perf-roots) to Adding phedenskog to perf-team.Nov 8 2017, 8:42 AM
MoritzMuehlenhoff claimed this task.
MoritzMuehlenhoff closed subtask T179728: Create perf-team shell group as Resolved.
MoritzMuehlenhoff added a comment.Nov 8 2017, 8:44 AM

I've updated the title to reflect the recent creation of perf-team. I'll create a Gerrit patch, but this needs to be approved in next Monday's Ops meeting first.

gerritbot subscribed.Nov 9 2017, 2:12 PM

Change 390244 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add shell user for phedenskog

https://gerrit.wikimedia.org/r/390244

gerritbot added a project: Patch-For-Review.Nov 9 2017, 2:12 PM

Change 390245 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add phedenskog to perf-team group

https://gerrit.wikimedia.org/r/390245

RobH subscribed.Nov 13 2017, 7:18 PM

Please note this was reviewed and approved in our operations team meeting today. I'll go ahead and rebase/merge @MoritzMuehlenhoff's patchsets.

gerritbot added a comment.Nov 13 2017, 7:18 PM

Change 390244 merged by RobH:
[operations/puppet@production] Add shell user for phedenskog

https://gerrit.wikimedia.org/r/390244

gerritbot added a comment.Nov 13 2017, 7:20 PM

Change 390245 merged by RobH:
[operations/puppet@production] Add phedenskog to perf-team group

https://gerrit.wikimedia.org/r/390245

RobH closed this task as Resolved.Nov 13 2017, 7:22 PM
RobH removed MoritzMuehlenhoff as the assignee of this task.
RobH removed a project: Patch-For-Review.
RobH added a subscriber: MoritzMuehlenhoff.

This is now live (after ops meeting approval). Since this affects a fair number of systems, manually kicking puppet for this seems excessive. All affected systems will call in within 30 minutes and get the updates.

If you have any issues logging in after 17:50 GMT, please feel free to re-open this task, or ping me in irc (nick RobH).

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits