Page MenuHomePhabricator

Requesting access to terbium.eqiad.wmnet for cparle
Closed, ResolvedPublicRequest

Description

Username: cparle
Full name: Cormac Parle

Public key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDTroA/q8voMNw9A4skHh1DQLIP2Hb3L4bb9dwinwFER cormacparle@Cormacs-MacBook-Pro.local

I need access to terbium.eqiad.wmnet to run a maintenance script to repair bad file headers in swift. See https://phabricator.wikimedia.org/T178849

@MarkTraceur as my acting manager could you approve please? Also cc @Gilles

Event Timeline

Cparle created this task.Nov 29 2017, 2:19 PM
Restricted Application added a project: Operations. · View Herald TranscriptNov 29 2017, 2:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

With @Cparle working on the backend of Multimedia files, the necessity to run maintenance script is kind of inevitable for that sort of task. His work in that area increases the currently low human redundancy we have with people who know how to take care of these issues in production. He has shown to be capable of fully understanding the underlying code and stack and I trust him with performing data recovery in production.

Dzahn added a subscriber: Dzahn.Nov 29 2017, 8:42 PM

Confirmed that L3 has already been signed by cparle. A user exists in admin module but in the "ldap_only_users" section. Adding real shell access means having to move that account, it should not be duplicate.

This should also mean membership in the admin group "restricted" which gives access to mediawiki maintenance servers. (it's never based on host names, so that means terbium and wasat nowadays but maybe other hosts in the future, whatever uses the role for maintenance servers).

Dzahn added a comment.Nov 29 2017, 8:47 PM

@Gilles @Cparle Or would it make sense to just add the maintenance command to a cronjob and let it run automatically at fixed intervals? Does it really need to be manual? I'd be happy to help getting another cron on maintenance servers into puppet.

IMHO manual access is necessary in case it doesn't work as expected, etc. It's always convenient to be able to eval things as prod mediawiki and so on when working on this sort of that. And yes, the maintenance servers group is fine.

Dzahn claimed this task.Dec 4 2017, 6:33 PM

Change 395061 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: add cparle to group 'restricted'

https://gerrit.wikimedia.org/r/395061

Change 395061 merged by Dzahn:
[operations/puppet@production] admins: add cparle to group 'restricted'

https://gerrit.wikimedia.org/r/395061

Dzahn closed this task as Resolved.Dec 4 2017, 7:09 PM

Hi @Cparle

your request has been approved and the code change has been merged.

Puppet created your user on terbium.eqiad.wmnet (and wasat.codfw.wmnet the equivalent maintenance server in codfw) and on the [[ https://wikitech.wikimedia.org/wiki/Bastion | bastion host ]]s.

See https://wikitech.wikimedia.org/wiki/Production_shell_access#Standard_config for SSH config examples how to connect via a bastion to a maintenance server (terbium).

Let us know if there are any problems with the access.

Daniel

Dzahn added a comment.Dec 4 2017, 7:12 PM

P.S. Like all shell users, this also gives you a home dir on https://wikitech.wikimedia.org/wiki/People.wikimedia.org so you can use https://people.wikimedia.org/~cparle/ if you like.

Cparle added a comment.Dec 5 2017, 9:49 AM

Awesome, thanks v much @Dzahn