
Continuous integration for mediawiki-vagrant
Closed, Declined · Public

Description

Current status: blocked on The box 'debian/stretch64' could not be found. See T183456#3985227 and T183456#3985341.


T181353: [EPIC] Migrate MediaWiki-Vagrant base image to Debian Stretch and T183366: Can not provision cirrussearch mediawiki-vagrant role got me thinking about lack of CI (continuous integration) for mediawiki-vagrant.

For a start, we should provision a clean mediawiki-vagrant every day, then provision each role, one by one. It could be done with a simple script:

vagrant roles list -1 | xargs -I % sh -cx 'echo -----------; vagrant roles reset; vagrant provision; vagrant roles enable %; vagrant provision'

or (from T181353#3853609)

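#!/bin/bash
set -x
# Provision each role on its own; the output for each role goes to "<role>.txt".
while read -r role
do
    echo "Provisioning role '$role'"
    (
        vagrant roles reset
        vagrant provision
        vagrant roles enable "$role"
        vagrant provision
    ) > "$role.txt" 2>&1 < /dev/null   # keep vagrant from reading the role list on stdin
# Process substitution feeds the role names to the loop
# (a plain "< file" redirect would treat the command output as a file name).
done < <(vagrant roles list -1)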

To make the process faster, instead of vagrant roles reset; vagrant provision, vagrant snapshot save and vagrant snapshot restore could be used.

Event Timeline


Prepare a clean mediawiki-vagrant

vagrant destroy
vagrant up
vagrant snapshot save clean

Run the script.

time (vagrant roles list -1 | xargs -I % sh -cx 'time (vagrant roles enable %; vagrant provision; vagrant roles reset; vagrant snapshot restore clean); printf "\n\n\n\n\n"')

Results for the above script: P6499 (stretch), jessie.
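
A variant of the per-role loop that records a pass/fail verdict and one log per role, so a scheduled job can fail when any role fails. This is an added example, not part of the original task or of MediaWiki-Vagrant; it assumes the snapshot named "clean" from the steps above exists and that `vagrant provision` exits non-zero when the Puppet run fails. `VAGRANT`, `provision_role` and `run_all` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the task): provision every role in isolation
# and report PASS/FAIL per role.
# Assumptions: a snapshot named "clean" exists (vagrant snapshot save clean)
# and "vagrant provision" exits non-zero when the Puppet run fails.
# VAGRANT can be overridden to dry-run the loop without a VM.
: "${VAGRANT:=vagrant}"

# provision_role ROLE LOGDIR
# Starts from a known state (no roles, clean snapshot), enables exactly one
# role and provisions it. Returns the status of the first step that fails.
provision_role() {
    role=$1
    logdir=$2
    {
        "$VAGRANT" roles reset &&
        "$VAGRANT" snapshot restore clean &&
        "$VAGRANT" roles enable "$role" &&
        "$VAGRANT" provision
    } < /dev/null > "$logdir/$role.log" 2>&1
    # stdin is /dev/null so vagrant cannot swallow the role list that
    # run_all is reading from its own stdin.
}

# run_all LOGDIR
# Reads role names from stdin, one per line. Prints "PASS role" or
# "FAIL role" for each and returns non-zero if any role failed.
run_all() {
    logdir=$1
    failed=""
    mkdir -p "$logdir" || return 2
    while IFS= read -r role; do
        [ -n "$role" ] || continue
        if provision_role "$role" "$logdir"; then
            printf 'PASS %s\n' "$role"
        else
            printf 'FAIL %s\n' "$role"
            failed="$failed $role"
        fi
    done
    [ -z "$failed" ]
}

# Usage: vagrant roles list -1 | run_all logs
```
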

@bd808 @dduvall I would like to set up CI for MediaWiki-Vagrant. The goal is to provision vagrant and all roles (one by one) daily.

I have talked with @hashar about it and it looks like the first step would be creating a VM. I would need to install vagrant and virtualbox on it. Looks like there is already a mediawiki-vagrant project.

Could you please add me to the project? I don't have much experience with Wikimedia Cloud. Let me know if you think this is not a good idea, or if something else should be done.

Mentioned in SAL (#wikimedia-cloud) [2017-12-22T16:24:59Z] <bd808> Added Zfilipin as project admin to unblock work on T183456

@zeljkofilipin I have added you as a project admin so that you can create new VMs through https://horizon.wikimedia.org/. You can find a bit of documentation on building new instances at https://wikitech.wikimedia.org/wiki/Help:Instances.

I remember @dduvall working on some ideas around MediaWiki-Vagrant automated testing before, so you should definitely try to sync up with him on basic ideas. Having something that tries to prove each role provisions cleanly by itself once per day (or even once per week) seems like it would be an interesting place to start. Clean Puppet runs certainly do not prove that everything about a role is correct, but it's a good place to start.

MediaWiki-Vagrant has libvirt support made by @scfc (and update to jessie with https://gerrit.wikimedia.org/r/399945 ) T71223 T154296

I would recommend a stretch labs instance then follow https://wiki.debian.org/KVM#Installation or in short:

sudo su -
apt install qemu-kvm libvirt-clients libvirt-daemon-system
apt install nfs-kernel-server
adduser jenkins-deploy libvirt
adduser jenkins-deploy libvirt-qemu

Verify rights

sudo -u jenkins-deploy virsh list --all

Install Vagrant and plugins:

sudo apt install --yes vagrant vagrant-libvirt vagrant-mutate

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Probably unneeded since mwv uses debian/stretch64 which has a libvirt box.
Then follow the doc in MediaWiki-Vagrant file support/README-libvirt.md which are:

vagrant box add debian/contrib-stretch64
vagrant mutate debian/contrib-stretch64 libvirt

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Gave it a try on a Stretch machine and it works.

vagrant up --provider=libvirt
greg lowered the priority of this task from Medium to Low. Jan 2 2018, 11:00 PM
greg subscribed.

I'm going to set this to Low priority, what with minikube/docker on the horizon.

Clean Puppet runs certainly do not prove that everything about a role is correct, but it's a good place to start.

After provisioning the role, we could run unit and/or integration tests.

There is also Help:MediaWiki-Vagrant in Cloud VPS. I could not get it to work. :( Will try again.

vagrant up --provider=libvirt ends up failing with:

Error while activating network: Call to virNetworkCreate failed: internal error: Failed to initialize a valid firewall backend.

From /var/log/daemon.log:

Feb  1 01:25:06 test-stretch-93 libvirtd[13080]: 2018-02-01 01:25:06.020+0000: 13083: error : virFirewallApply:916 : internal error: Failed to initialize a valid firewall backend
Feb  1 01:25:06 test-stretch-93 lldpd[420]: removal request for address of fe80::5054:ff:fef5:45aa%19, but no knowledge of it
Feb  1 01:25:06 test-stretch-93 lldpd[404]: 2018-02-01T01:25:06 [INFO/netlink] removal request for address of fe80::5054:ff:fef5:45aa%19, but no knowledge of it
Feb  1 01:25:06 test-stretch-93 lldpd[404]: 2018-02-01T01:25:06 [WARN/netlink] removal request for virbr1-nic, but no knowledge of it
Feb  1 01:25:06 test-stretch-93 lldpd[420]: removal request for virbr1-nic, but no knowledge of it
Feb  1 01:25:06 test-stretch-93 systemd-udevd[23839]: Could not generate persistent MAC address for virbr1: No such file or directory
Feb  1 01:25:06 test-stretch-93 systemd-udevd[23840]: link_config: could not get ethtool features for virbr1-nic
Feb  1 01:25:06 test-stretch-93 systemd-udevd[23840]: Could not set offload features of virbr1-nic: No such device
Feb  1 01:25:06 test-stretch-93 libvirtd[13080]: 2018-02-01 01:25:06.059+0000: 13080: error : virFileReadAll:1388 : Failed to open file '/sys/class/net/virbr1-nic/operstate': No such file or directory
Feb  1 01:25:06 test-stretch-93 libvirtd[13080]: 2018-02-01 01:25:06.059+0000: 13080: error : virNetDevGetLinkInfo:1880 : unable to read: /sys/class/net/virbr1-nic/operstate: No such file or directory

No clue what that means though.

Cloud VPS problems possibly related to T180377: Does role::labs::mediawiki_vagrant provision cleanly on Debian Stretch hosts?? I did test basic provisioning on a Jessie host in the mediawiki-vagrant project quite a bit before merging the development branch to master, but there certainly could be edge cases that still need to be worked out. The libvirt backend was not something I have personally tested. VirtualBox and LXC are the only providers that I personally test and try to make sure are supported.

I am confused.

  • @hashar says I should use a base image and install required packages manually. He recommends libvirt provider.
  • @bd808 says I should use role::labs::mediawiki_vagrant Puppet role, as documented in Help:MediaWiki-Vagrant in Cloud VPS. He recommends LXC provider.

Help:MediaWiki-Vagrant in Cloud VPS says:

Choose a Jessie image type. Stretch may not yet work.

  • go to mediawiki-vagrant instances
  • launch instance
  • details
    • instance name: T183456-jessie
    • availability zone: nova
    • count: 1
  • source
    • debian-8.10-jessie image
  • flavor
    • m1.small
  • security groups
    • default
    • web
  • launch instance
  • T183456-jessie Puppet Configuration
    • role::labs::mediawiki_vagrant - apply class
~$ ssh T183456-jessie.eqiad.wmflabs
Linux t183456-jessie 4.9.0-0.bpo.5-amd64 #1 SMP Debian 4.9.65-3+deb9u1~bpo8+2 (2018-01-04) x86_64
Debian GNU/Linux 8.10 (jessie)
The last Puppet run was at Tue Feb 20 12:48:05 UTC 2018 (8 minutes ago). 
Last login: Tue Feb 20 12:49:16 2018 from bastion-01.bastion.eqiad.wmflabs
zfilipin@t183456-jessie:~$ sudo puppet agent --test --verbose
Info: Using configured environment 'future'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for t183456-jessie.mediawiki-vagrant.eqiad.wmflabs
Notice: /Stage[main]/Base::Environment/Tidy[/var/tmp/core]: Tidying 0 files
Info: Applying configuration version '1519131445'
Notice: /Stage[main]/Vagrant/Package[vagrant]/ensure: created
Notice: /Stage[main]/Vagrant/User[mwvagrant]/ensure: created
Notice: /Stage[main]/Vagrant/File[/srv/vagrant-data]/ensure: created
Notice: /Stage[main]/Vagrant/File[/srv/vagrant-data/.profile]/ensure: defined content as '{md5}783a35b55df1e624485455747849e9f5'
Notice: /Stage[main]/Vagrant/File[/usr/local/bin/mwvagrant]/ensure: defined content as '{md5}cf4ab7cbd69b810efa5eb9e100b39ca1'
Notice: /Stage[main]/Vagrant/File[/etc/profile.d/alias-vagrant.sh]/ensure: defined content as '{md5}3f60bc64dda459dd8a6923d79d7c9099'
Notice: /Stage[main]/Lxc/Package[bridge-utils]/ensure: created
Notice: /Stage[main]/Lxc/Package[dnsmasq-base]/ensure: created
Notice: /Stage[main]/Lxc/Package[redir]/ensure: created
Notice: /Stage[main]/Lxc/File[/srv/lxc]/ensure: created
Notice: /Stage[main]/Lxc/File[/var/lib/lxc]/ensure: created
Notice: /Stage[main]/Packages::Build_essential/Package[build-essential]/ensure: created
Notice: /Stage[main]/Packages::Ruby_dev/Package[ruby-dev]/ensure: created
Notice: /Stage[main]/Deployment::Umask_wikidev/File[/etc/profile.d/umask-wikidev.sh]/ensure: defined content as '{md5}f7b7a8f111035aecfdf604a0449e2c22'
Notice: /Stage[main]/Vagrant/Sudo::Group[wikidev_mwvagrant]/File[/etc/sudoers.d/wikidev_mwvagrant]/ensure: defined content as '{md5}f3a81be2ecaee007ebda402d5206ba9d'
Info: /Stage[main]/Vagrant/Sudo::Group[wikidev_mwvagrant]/File[/etc/sudoers.d/wikidev_mwvagrant]: Scheduling refresh of Exec[sudo_group_wikidev_mwvagrant_linting]
Notice: /Stage[main]/Vagrant/Sudo::Group[wikidev_mwvagrant]/Exec[sudo_group_wikidev_mwvagrant_linting]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Lxc/Apt::Pin[libapparmor1]/File[/etc/apt/preferences.d/libapparmor1.pref]/ensure: defined content as '{md5}bda03ecda8f1ba8c55788308426c6d04'
Info: /Stage[main]/Lxc/Apt::Pin[libapparmor1]/File[/etc/apt/preferences.d/libapparmor1.pref]: Scheduling refresh of Exec[apt-get update]
Notice: /Stage[main]/Lxc/Apt::Pin[liblxc1]/File[/etc/apt/preferences.d/liblxc1.pref]/ensure: defined content as '{md5}2ef029d7dc787551034c241cba59c5b1'
Info: /Stage[main]/Lxc/Apt::Pin[liblxc1]/File[/etc/apt/preferences.d/liblxc1.pref]: Scheduling refresh of Exec[apt-get update]
Notice: /Stage[main]/Lxc/Apt::Pin[libseccomp2]/File[/etc/apt/preferences.d/libseccomp2.pref]/ensure: defined content as '{md5}cbdb81250d608f9ee51557d1c9738667'
Info: /Stage[main]/Lxc/Apt::Pin[libseccomp2]/File[/etc/apt/preferences.d/libseccomp2.pref]: Scheduling refresh of Exec[apt-get update]
Notice: /Stage[main]/Lxc/Apt::Pin[lxc]/File[/etc/apt/preferences.d/lxc.pref]/ensure: defined content as '{md5}ae40d399ebee04e155edc62201b707ec'
Info: /Stage[main]/Lxc/Apt::Pin[lxc]/File[/etc/apt/preferences.d/lxc.pref]: Scheduling refresh of Exec[apt-get update]
Notice: /Stage[main]/Lxc/Apt::Pin[python3-lxc]/File[/etc/apt/preferences.d/python3_lxc.pref]/ensure: defined content as '{md5}0fa9b7803a7bdb6580be3f7edf1bb237'
Info: /Stage[main]/Lxc/Apt::Pin[python3-lxc]/File[/etc/apt/preferences.d/python3_lxc.pref]: Scheduling refresh of Exec[apt-get update]
Notice: /Stage[main]/Apt/Exec[apt-get update]: Triggered 'refresh' from 5 events
Notice: /Stage[main]/Lxc/Package[lxc]/ensure: created
Notice: /Stage[main]/Lxc/File[/etc/default/lxc-net]/ensure: defined content as '{md5}8221a1e5fd6f1a1453d7763defdda199'
Info: /Stage[main]/Lxc/File[/etc/default/lxc-net]: Scheduling refresh of Service[lxc-net]
Notice: /Stage[main]/Lxc/File[/etc/lxc/default.conf]/content: 
--- /etc/lxc/default.conf	2017-03-16 09:05:18.000000000 +0000
+++ /tmp/puppet-file20180220-14694-1p4vios	2018-02-20 12:58:12.683880373 +0000
@@ -1 +1,4 @@
-lxc.network.type = empty
+lxc.network.type = veth
+lxc.network.link = lxcbr0
+lxc.network.flags = up
+lxc.network.hwaddr = 00:16:3e:xx:xx:xx

Info: Computing checksum on file /etc/lxc/default.conf
Info: /Stage[main]/Lxc/File[/etc/lxc/default.conf]: Filebucketed /etc/lxc/default.conf to puppet with sum f2c11b30bddcb6326e4b57d1619c6f3a
Notice: /Stage[main]/Lxc/File[/etc/lxc/default.conf]/content: content changed '{md5}f2c11b30bddcb6326e4b57d1619c6f3a' to '{md5}fe17c51d187e42473681dc45981f0b2f'
Notice: /Stage[main]/Lxc/File[/etc/lxc/default.conf]/mode: mode changed '0644' to '0444'
Info: /Stage[main]/Lxc/File[/etc/lxc/default.conf]: Scheduling refresh of Service[lxc-net]
Info: /Stage[main]/Lxc/File[/etc/lxc/default.conf]: Scheduling refresh of Service[lxc-net]
Notice: /Stage[main]/Lxc/Service[lxc-net]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Lxc/Service[lxc-net]: Unscheduling refresh on Service[lxc-net]
Notice: /Stage[main]/Vagrant::Lxc/Vagrant::Plugin[vagrant-lxc]/Exec[install_vagrant_plugin_vagrant-lxc]/returns: executed successfully
Notice: /Stage[main]/Vagrant::Lxc/Sudo::User[vagrant-lxc]/File[/etc/sudoers.d/vagrant-lxc]/ensure: defined content as '{md5}c8aa8b528ff76512a7588008915b8bc9'
Info: /Stage[main]/Vagrant::Lxc/Sudo::User[vagrant-lxc]/File[/etc/sudoers.d/vagrant-lxc]: Scheduling refresh of Exec[sudo_user_vagrant-lxc_linting]
Notice: /Stage[main]/Vagrant::Lxc/Sudo::User[vagrant-lxc]/Exec[sudo_user_vagrant-lxc_linting]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Vagrant::Mediawiki/File[/etc/exports]/ensure: defined content as '{md5}1950db21df8cb189d037ac315a56a12b'
Notice: /Stage[main]/Vagrant::Mediawiki/Package[nfs-kernel-server]/ensure: created
Notice: /Stage[main]/Vagrant::Mediawiki/File[/etc/apparmor.d/abstractions/lxc/container-base]/content: 
--- /etc/apparmor.d/abstractions/lxc/container-base	2017-03-16 09:05:18.000000000 +0000
+++ /tmp/puppet-file20180220-14694-l181y2	2018-02-20 12:58:19.024346156 +0000
@@ -38,10 +38,10 @@
   # profiles are supported, for container isolation this should be changed to
   # something like:
   #   unix (receive) peer=(label=unconfined),
-  unix (receive),
+  #unix (receive),
 
   # Allow all unix in the container
-  unix peer=(label=@{profile_name}),
+  #unix peer=(label=@{profile_name}),
 
   # ignore DENIED message on / remount
   deny mount options=(ro, remount) -> /,
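Review bot: The two unix rules at old lines 41 and 44 are commented out rather than removed, and nothing in the hunk says why. The retained comment just above recommends a tighter form, "unix (receive) peer=(label=unconfined),", so a reader cannot tell whether the intent is to drop unix socket permissions or to work around something else. Add a one-line comment with the reason and a task reference, as the T154294 line later in this diff does, or delete the rules outright.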
@@ -60,6 +60,15 @@
   mount fstype=fuse,
   mount fstype=fuse.*,
 
+  # allow NFS
+  # http://bridge.grumpy-troll.org/2014/03/lxc-routed-on-ubuntu/
+  mount fstype=nfs,
+  mount fstype=nfs4,
+  mount fstype=rpc_pipefs,
+
+  # allow bind mount of /lib/init/fstab for lxcguest
+  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
+
   # deny access under /proc/bus to avoid e.g. messing with pci devices directly
   deny @{PROC}/bus/** wklx,
 
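Review bot: The three new rules "mount fstype=nfs,", "mount fstype=nfs4," and "mount fstype=rpc_pipefs," name no options, source or mount point, so every container that includes this abstraction may mount those filesystem types anywhere with any flags. Consider narrowing them, for example with an options=(...) condition that requires nosuid and nodev, or with a "-> <mount point>" target for the shared directories. The justification in the comment is a plain-http blog link; a task reference recording why NFS is needed would age better.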
@@ -89,21 +98,12 @@
   deny /sys/kernel/security/** rwklx,
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
+  # T154294 - allow systemd to be mounted rw
+  mount options=(rw, nosuid, nodev, noexec) -> /sys/fs/cgroup/systemd/,
 
   # deny reads from debugfs
   deny /sys/kernel/debug/{,**} rwklx,
 
-  # allow paths to be made slave, shared, private or unbindable
-  # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
-#  mount options=(rw,make-slave) -> **,
-#  mount options=(rw,make-rslave) -> **,
-#  mount options=(rw,make-shared) -> **,
-#  mount options=(rw,make-rshared) -> **,
-#  mount options=(rw,make-private) -> **,
-#  mount options=(rw,make-rprivate) -> **,
-#  mount options=(rw,make-unbindable) -> **,
-#  mount options=(rw,make-runbindable) -> **,
-
   # allow bind-mounts of anything except /proc, /sys and /dev
   mount options=(rw,bind) /[^spd]*{,/**},
   mount options=(rw,bind) /d[^e]*{,/**},
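Review bot: The added rule "mount options=(rw, nosuid, nodev, noexec) -> /sys/fs/cgroup/systemd/," sits directly under the stock rule that only permits a read-only remount of /sys/fs/cgroup/, so the two now read as contradictory. Extend the T154294 comment to say that the rw grant is limited to the systemd hierarchy and why the container needs it. The same hunk also deletes the commented-out make-* block together with its FIXME about the parser treating those rules as allowing all mounts; that warning is worth keeping as a comment so nobody re-adds them.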

Info: Computing checksum on file /etc/apparmor.d/abstractions/lxc/container-base
Info: /Stage[main]/Vagrant::Mediawiki/File[/etc/apparmor.d/abstractions/lxc/container-base]: Filebucketed /etc/apparmor.d/abstractions/lxc/container-base to puppet with sum e111834cbdac665e67d54bffa4689356
Notice: /Stage[main]/Vagrant::Mediawiki/File[/etc/apparmor.d/abstractions/lxc/container-base]/content: content changed '{md5}e111834cbdac665e67d54bffa4689356' to '{md5}33d9f77a70cb9c41590132828fbe7074'
Notice: /Stage[main]/Vagrant::Mediawiki/File[/usr/local/bin/labs-vagrant]/ensure: defined content as '{md5}e269b3591d3a7a86cb1206af081a27de'
Notice: /Stage[main]/Vagrant::Mediawiki/File[/usr/local/bin/start-mwvagrant.sh]/ensure: defined content as '{md5}32f073f6282702147aa1b6d0b598c234'
Notice: /Stage[main]/Vagrant::Mediawiki/Git::Clone[mediawiki/vagrant]/File[/srv/mediawiki-vagrant]/ensure: created
Notice: /Stage[main]/Vagrant::Mediawiki/Git::Clone[mediawiki/vagrant]/Exec[git_clone_mediawiki/vagrant]/returns: executed successfully
Notice: /Stage[main]/Vagrant::Mediawiki/File[/srv/mediawiki-vagrant/.settings.yaml]/ensure: defined content as '{md5}8abc833e0045e50fcc6fa2485746f360'
Notice: /Stage[main]/Vagrant::Mediawiki/Base::Service_unit[mediawiki-vagrant]/File[/lib/systemd/system/mediawiki-vagrant.service]/ensure: defined content as '{md5}883bf0bc2a6c7941a78230a7395b4038'
Info: /Stage[main]/Vagrant::Mediawiki/Base::Service_unit[mediawiki-vagrant]/File[/lib/systemd/system/mediawiki-vagrant.service]: Scheduling refresh of Exec[systemd reload for mediawiki-vagrant]
Notice: /Stage[main]/Vagrant::Mediawiki/Base::Service_unit[mediawiki-vagrant]/Exec[systemd reload for mediawiki-vagrant]: Triggered 'refresh' from 1 events
Notice: Applied catalog in 51.15 seconds
zfilipin@t183456-jessie:~$ logout
Connection to t183456-jessie.eqiad.wmflabs closed.
Killed by signal 1.

~$ ssh T183456-jessie.eqiad.wmflabs
Linux t183456-jessie 4.9.0-0.bpo.5-amd64 #1 SMP Debian 4.9.65-3+deb9u1~bpo8+2 (2018-01-04) x86_64
Debian GNU/Linux 8.10 (jessie)
The last Puppet run was at Tue Feb 20 12:57:29 UTC 2018 (4 minutes ago). 
Last login: Tue Feb 20 12:56:52 2018 from bastion-01.bastion.eqiad.wmflabs
zfilipin@t183456-jessie:~$
zfilipin@t183456-jessie:~$ cd /srv/mediawiki-vagrant/

zfilipin@t183456-jessie:/srv/mediawiki-vagrant$ vagrant up
Bringing machine 'default' up with 'lxc' provider...
==> default: Box 'debian/stretch64' could not be found. Attempting to find and install...
    default: Box Provider: lxc
    default: Box Version: >= 0
The box 'debian/stretch64' could not be found or
could not be accessed in the remote catalog. If this is a private
box on HashiCorp's Atlas, please verify you're logged in via
`vagrant login`. Also, please double-check the name. The expanded
URL and error message are shown below:

URL: ["https://atlas.hashicorp.com/debian/stretch64"]
Error: The requested URL returned error: 404 Not Found

The same steps as above, but creating T183456-stretch instance using debian-9.3-stretch image.

~$ ssh T183456-stretch.eqiad.wmflabs
Linux t183456-stretch 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64
Debian GNU/Linux 9.3 (stretch)
The last Puppet run was at Tue Feb 20 13:01:59 UTC 2018 (7 minutes ago). 
Last login: Tue Feb 20 12:49:34 2018 from 10.68.17.232
zfilipin@t183456-stretch:~$
zfilipin@t183456-stretch:~$ sudo puppet agent --test --verbose
Info: Using configured environment 'future'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for t183456-stretch.mediawiki-vagrant.eqiad.wmflabs
Notice: /Stage[main]/Base::Environment/Tidy[/var/tmp/core]: Tidying 0 files
Info: Applying configuration version '1519132201'
Notice: Currently this role is only supported on Debian Jessie.
Notice: /Stage[main]/Role::Labs::Mediawiki_vagrant/Notify[Currently this role is only supported on Debian Jessie.]/message: defined 'message' as 'Currently this role is only supported on Debian Jessie.'
Notice: /Stage[main]/Vagrant/Package[vagrant]/ensure: created
Notice: /Stage[main]/Vagrant/User[mwvagrant]/ensure: created
Notice: /Stage[main]/Vagrant/File[/srv/vagrant-data]/ensure: created
Notice: /Stage[main]/Vagrant/File[/srv/vagrant-data/.profile]/ensure: defined content as '{md5}783a35b55df1e624485455747849e9f5'
Notice: /Stage[main]/Vagrant/File[/usr/local/bin/mwvagrant]/ensure: defined content as '{md5}cf4ab7cbd69b810efa5eb9e100b39ca1'
Notice: /Stage[main]/Vagrant/File[/etc/profile.d/alias-vagrant.sh]/ensure: defined content as '{md5}3f60bc64dda459dd8a6923d79d7c9099'
Notice: /Stage[main]/Lxc/Package[bridge-utils]/ensure: created
Notice: /Stage[main]/Lxc/Package[dnsmasq-base]/ensure: created
Notice: /Stage[main]/Lxc/Package[redir]/ensure: created
Notice: /Stage[main]/Lxc/Package[lxc]/ensure: created
Notice: /Stage[main]/Lxc/File[/etc/default/lxc-net]/ensure: defined content as '{md5}8221a1e5fd6f1a1453d7763defdda199'
Info: /Stage[main]/Lxc/File[/etc/default/lxc-net]: Scheduling refresh of Service[lxc-net]
Notice: /Stage[main]/Lxc/File[/etc/lxc/default.conf]/content: 
--- /etc/lxc/default.conf	2017-10-27 17:13:31.000000000 +0000
+++ /tmp/puppet-file20180220-11598-vgq40g	2018-02-20 13:10:19.988338951 +0000
@@ -1 +1,4 @@
-lxc.network.type = empty
+lxc.network.type = veth
+lxc.network.link = lxcbr0
+lxc.network.flags = up
+lxc.network.hwaddr = 00:16:3e:xx:xx:xx

Info: Computing checksum on file /etc/lxc/default.conf
Info: /Stage[main]/Lxc/File[/etc/lxc/default.conf]: Filebucketed /etc/lxc/default.conf to puppet with sum f2c11b30bddcb6326e4b57d1619c6f3a
Notice: /Stage[main]/Lxc/File[/etc/lxc/default.conf]/content: content changed '{md5}f2c11b30bddcb6326e4b57d1619c6f3a' to '{md5}fe17c51d187e42473681dc45981f0b2f'
Notice: /Stage[main]/Lxc/File[/etc/lxc/default.conf]/mode: mode changed '0644' to '0444'
Info: /Stage[main]/Lxc/File[/etc/lxc/default.conf]: Scheduling refresh of Service[lxc-net]
Info: /Stage[main]/Lxc/File[/etc/lxc/default.conf]: Scheduling refresh of Service[lxc-net]
Notice: /Stage[main]/Lxc/Service[lxc-net]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Lxc/Service[lxc-net]: Unscheduling refresh on Service[lxc-net]
Notice: /Stage[main]/Lxc/File[/srv/lxc]/ensure: created
Info: /Stage[main]/Lxc/File[/var/lib/lxc]: Recursively backing up to filebucket
Notice: /Stage[main]/Lxc/File[/var/lib/lxc]/ensure: ensure changed 'directory' to 'link'
Notice: /Stage[main]/Packages::Build_essential/Package[build-essential]/ensure: created
Notice: /Stage[main]/Packages::Ruby_dev/Package[ruby-dev]/ensure: created
Notice: /Stage[main]/Deployment::Umask_wikidev/File[/etc/profile.d/umask-wikidev.sh]/ensure: defined content as '{md5}f7b7a8f111035aecfdf604a0449e2c22'
Notice: /Stage[main]/Vagrant/Sudo::Group[wikidev_mwvagrant]/File[/etc/sudoers.d/wikidev_mwvagrant]/ensure: defined content as '{md5}f3a81be2ecaee007ebda402d5206ba9d'
Info: /Stage[main]/Vagrant/Sudo::Group[wikidev_mwvagrant]/File[/etc/sudoers.d/wikidev_mwvagrant]: Scheduling refresh of Exec[sudo_group_wikidev_mwvagrant_linting]
Notice: /Stage[main]/Vagrant/Sudo::Group[wikidev_mwvagrant]/Exec[sudo_group_wikidev_mwvagrant_linting]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Vagrant::Lxc/Vagrant::Plugin[vagrant-lxc]/Exec[install_vagrant_plugin_vagrant-lxc]/returns: executed successfully
Notice: /Stage[main]/Vagrant::Lxc/Sudo::User[vagrant-lxc]/File[/etc/sudoers.d/vagrant-lxc]/ensure: defined content as '{md5}c8aa8b528ff76512a7588008915b8bc9'
Info: /Stage[main]/Vagrant::Lxc/Sudo::User[vagrant-lxc]/File[/etc/sudoers.d/vagrant-lxc]: Scheduling refresh of Exec[sudo_user_vagrant-lxc_linting]
Notice: /Stage[main]/Vagrant::Lxc/Sudo::User[vagrant-lxc]/Exec[sudo_user_vagrant-lxc_linting]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Vagrant::Mediawiki/File[/etc/exports]/ensure: defined content as '{md5}1950db21df8cb189d037ac315a56a12b'
Notice: /Stage[main]/Vagrant::Mediawiki/Package[nfs-kernel-server]/ensure: created
Notice: /Stage[main]/Vagrant::Mediawiki/Service[nfs-kernel-server]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Vagrant::Mediawiki/Service[nfs-kernel-server]: Unscheduling refresh on Service[nfs-kernel-server]
Notice: /Stage[main]/Vagrant::Mediawiki/File[/etc/apparmor.d/abstractions/lxc/container-base]/content: 
--- /etc/apparmor.d/abstractions/lxc/container-base	2017-10-27 17:13:31.000000000 +0000
+++ /tmp/puppet-file20180220-11598-i5ppga	2018-02-20 13:10:32.288383697 +0000
@@ -38,10 +38,10 @@
   # profiles are supported, for container isolation this should be changed to
   # something like:
   #   unix (receive) peer=(label=unconfined),
-  unix (receive),
+  #unix (receive),
 
   # Allow all unix in the container
-  unix peer=(label=@{profile_name}),
+  #unix peer=(label=@{profile_name}),
 
   # ignore DENIED message on / remount
   deny mount options=(ro, remount) -> /,
@@ -60,6 +60,15 @@
   mount fstype=fuse,
   mount fstype=fuse.*,
 
+  # allow NFS
+  # http://bridge.grumpy-troll.org/2014/03/lxc-routed-on-ubuntu/
+  mount fstype=nfs,
+  mount fstype=nfs4,
+  mount fstype=rpc_pipefs,
+
+  # allow bind mount of /lib/init/fstab for lxcguest
+  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
+
   # deny access under /proc/bus to avoid e.g. messing with pci devices directly
   deny @{PROC}/bus/** wklx,
 
@@ -89,21 +98,12 @@
   deny /sys/kernel/security/** rwklx,
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
+  # T154294 - allow systemd to be mounted rw
+  mount options=(rw, nosuid, nodev, noexec) -> /sys/fs/cgroup/systemd/,
 
   # deny reads from debugfs
   deny /sys/kernel/debug/{,**} rwklx,
 
-  # allow paths to be made slave, shared, private or unbindable
-  # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
-#  mount options=(rw,make-slave) -> **,
-#  mount options=(rw,make-rslave) -> **,
-#  mount options=(rw,make-shared) -> **,
-#  mount options=(rw,make-rshared) -> **,
-#  mount options=(rw,make-private) -> **,
-#  mount options=(rw,make-rprivate) -> **,
-#  mount options=(rw,make-unbindable) -> **,
-#  mount options=(rw,make-runbindable) -> **,
-
   # allow bind-mounts of anything except /proc, /sys and /dev
   mount options=(rw,bind) /[^spd]*{,/**},
   mount options=(rw,bind) /d[^e]*{,/**},

Info: Computing checksum on file /etc/apparmor.d/abstractions/lxc/container-base
Info: /Stage[main]/Vagrant::Mediawiki/File[/etc/apparmor.d/abstractions/lxc/container-base]: Filebucketed /etc/apparmor.d/abstractions/lxc/container-base to puppet with sum e111834cbdac665e67d54bffa4689356
Notice: /Stage[main]/Vagrant::Mediawiki/File[/etc/apparmor.d/abstractions/lxc/container-base]/content: content changed '{md5}e111834cbdac665e67d54bffa4689356' to '{md5}33d9f77a70cb9c41590132828fbe7074'
Notice: /Stage[main]/Vagrant::Mediawiki/File[/usr/local/bin/labs-vagrant]/ensure: defined content as '{md5}e269b3591d3a7a86cb1206af081a27de'
Notice: /Stage[main]/Vagrant::Mediawiki/File[/usr/local/bin/start-mwvagrant.sh]/ensure: defined content as '{md5}32f073f6282702147aa1b6d0b598c234'
Notice: /Stage[main]/Vagrant::Mediawiki/Git::Clone[mediawiki/vagrant]/File[/srv/mediawiki-vagrant]/ensure: created
Notice: /Stage[main]/Vagrant::Mediawiki/Git::Clone[mediawiki/vagrant]/Exec[git_clone_mediawiki/vagrant]/returns: executed successfully
Notice: /Stage[main]/Vagrant::Mediawiki/File[/srv/mediawiki-vagrant/.settings.yaml]/ensure: defined content as '{md5}8abc833e0045e50fcc6fa2485746f360'
Notice: /Stage[main]/Vagrant::Mediawiki/Base::Service_unit[mediawiki-vagrant]/File[/lib/systemd/system/mediawiki-vagrant.service]/ensure: defined content as '{md5}883bf0bc2a6c7941a78230a7395b4038'
Info: /Stage[main]/Vagrant::Mediawiki/Base::Service_unit[mediawiki-vagrant]/File[/lib/systemd/system/mediawiki-vagrant.service]: Scheduling refresh of Exec[systemd reload for mediawiki-vagrant]
Notice: /Stage[main]/Vagrant::Mediawiki/Base::Service_unit[mediawiki-vagrant]/Exec[systemd reload for mediawiki-vagrant]: Triggered 'refresh' from 1 events
Notice: Applied catalog in 28.21 seconds
zfilipin@t183456-stretch:~$ logout
Connection to t183456-stretch.eqiad.wmflabs closed.
Killed by signal 1.

~$ ssh T183456-stretch.eqiad.wmflabs
Linux t183456-stretch 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64
Debian GNU/Linux 9.3 (stretch)
The last Puppet run was at Tue Feb 20 13:10:05 UTC 2018 (0 minutes ago). 
Last login: Tue Feb 20 13:09:31 2018 from 10.68.17.232
zfilipin@t183456-stretch:~$
zfilipin@t183456-stretch:~$ cd /srv/mediawiki-vagrant/

zfilipin@t183456-stretch:/srv/mediawiki-vagrant$ vagrant up
Bringing machine 'default' up with 'lxc' provider...
==> default: Box 'debian/stretch64' could not be found. Attempting to find and install...
    default: Box Provider: lxc
    default: Box Version: >= 0
The box 'debian/stretch64' could not be found or
could not be accessed in the remote catalog. If this is a private
box on HashiCorp's Atlas, please verify you're logged in via
`vagrant login`. Also, please double-check the name. The expanded
URL and error message are shown below:

URL: ["https://atlas.hashicorp.com/debian/stretch64"]
Error: The requested URL returned error: 404 Not Found

The failure to download the debian/stretch64 base image is something I have seen one other report of on IRC. The image should be the one from https://app.vagrantup.com/debian/boxes/stretch64 but maybe the fact that they stopped putting lxc provider support on the newer versions listed there means that we need to find another base image?

MediaWiki-Vagrant is not guaranteed to work on a Debian Stretch Cloud VPS instance yet. See T180377: Does role::labs::mediawiki_vagrant provision cleanly on Debian Stretch hosts?.

Feel free to follow @hashar's advice instead if you would like. That setup will not be managed by Puppet unless you write classes for it and submit them to operations/puppet.git. It will also not be supported by me in my MediaWiki-Vagrant volunteer capacity at all. There are E_TOOMANYTHINGS already for me to keep up with.

I'm not really sure how much value we will see from these tests in the long or short term either. "Runs Puppet without failing" is a pretty low bar for testing and without strong ownership from anyone of the Puppet code or the MediaWiki-Vagrant product itself I'm not sure that if you had a report of what was broken anyone would actually take the time to fix it. I would love to be proven wrong about that, but if it ends up that I'm the only person who will be responding to bug reports I'd rather not have an automated nag system.

Looks like this would not be useful even if we got it working. :(

This problem was later fixed in T187978: Hashicorp broke downloading base images (boxes) using Vagrant < v1.9.6, right?
I think this would be somewhat useful (I would certainly appreciate a warning if a role I wrote or worked on broke - granted that's not a huge number) and I'm somewhat skeptical as to how soon the brave new world of minikube / docker will arrive.

Mentioned in SAL (#wikimedia-cloud) [2019-10-27T21:46:32Z] <bd808> Deleted old instances "mwv-stretch-migration", "T183456-jessie", and "T183456-stretch" (T236530)
