Page MenuHomePhabricator

Give WMDE-Fisch permission to upload wikidiff2 releases (releasers-wikidiff2)
Closed, ResolvedPublic

Description

@WMDE-Fisch (realname: Christoph Jauera) will be partly taking over release manager duties for wikidiff2 from me, and will need access to upload tarballs to releases.wikimedia.org. Note that the "releasers-wikidiff2" group doesn't exist yet, it's being created as part of T202473.

As far as I can tell, Fisch doesn't have a shell account yet, so they'll need to follow the steps on https://wikitech.wikimedia.org/wiki/Production_shell_access#New_users

SRE Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform. (add to releasers-wikidiff2 group)
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff) @Legoktm is requesting this for this person to take over some responsibilities from them
  • - non-sudo requests: 3 business day wait must pass with no objections being noted on the task - Ends Monday, 2018-08-27.
  • - Patchset for access request user: https://gerrit.wikimedia.org/r/454873 group addition: https://gerrit.wikimedia.org/r/454879

Details

Related Gerrit Patches:

Event Timeline

Legoktm created this task.Aug 22 2018, 12:24 AM
Restricted Application added a project: Operations. · View Herald TranscriptAug 22 2018, 12:24 AM
Addshore moved this task from Unsorted 💣 to Watching 👀 on the User-Addshore board.
Addshore awarded a token.
WMDE-Fisch added a comment.EditedAug 22 2018, 11:22 AM

Following the steps on https://wikitech.wikimedia.org/wiki/Production_shell_access#New_users for new users:

Full name: Christoph Jauera
Developer access username wmde-fisch
Public key: P7878

RobH assigned this task to WMDE-Fisch.Aug 22 2018, 10:57 PM
RobH triaged this task as Normal priority.
RobH updated the task description. (Show Details)
RobH added subscribers: RStallman-legalteam, RobH.

Please note that @WMDE-Fisch will need to provide/work on some further steps for us to process this request:

We have your username as WMDE-Fisch (from your wikitech account) and know what group you need (releasers-wikidiff2 per T202473). However, we need a few more things from you:

  • Please coordinate with WMDE and WMF Legal (typically @RStallman-legalteam) to have a signed NDA on file with us. (This is required for ALL shell access requests.)
  • Please review and sign the L3 document.
    • Provide a public ssh key, this key (per the L3 document) should be dedicated to WMF production shell access ONLY and not used anywhere else (not even WMF cloud services.)

Once we have that info/NDA on file for you, we should be able to move forward with this request.

RobH updated the task description. (Show Details)Aug 22 2018, 10:59 PM
  • Please review and sign the L3 document.
    • Provide a public ssh key, this key (per the L3 document) should be dedicated to WMF production shell access ONLY and not used anywhere else (not even WMF cloud services.)

Hi @RobH, thanks for taking care of this.

I signed the L3 and provided a SSH Key above. I just created that key yesterday and will exclusively use it for the WMF production shell access.

Once we have that info/NDA on file for you, we should be able to move forward with this request.

Per https://tools.wmflabs.org/ldap/user/wmde-fisch they're already in the LDAP nda group.

RobH added a comment.Aug 23 2018, 6:17 PM

Once we have that info/NDA on file for you, we should be able to move forward with this request.

Per https://tools.wmflabs.org/ldap/user/wmde-fisch they're already in the LDAP nda group.

Indeed, I overlooked them because in re-checking, I see their entry on the tracking sheet for NDA!

So I'll go ahead and work on the patchsets. If no objections are noted, your access will merge live on Monday, 2018-08-27.

Change 454873 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding Christoph Fischer to production shell users

https://gerrit.wikimedia.org/r/454873

Change 454879 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding Christoph Jauera to releasers-wikidiff2

https://gerrit.wikimedia.org/r/454879

RobH removed WMDE-Fisch as the assignee of this task.Aug 23 2018, 6:25 PM
RobH updated the task description. (Show Details)

@WMDE-Fisch I have updated the real name to reflect the name given here (see https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/454873/). Please let me know if that's right, and then we can merge these patches.

@WMDE-Fisch I have updated the real name to reflect the name given here (see https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/454873/). Please let me know if that's right, and then we can merge these patches.

Thanks, left a comment. You could change the email address as well.

Please have another look at the patch and let me know.

Please have another look at the patch and let me know.

Done, thanks :-)!

Change 454873 merged by ArielGlenn:
[operations/puppet@production] adding Christoph Jauera to production shell users

https://gerrit.wikimedia.org/r/454873

Change 454879 merged by ArielGlenn:
[operations/puppet@production] adding Christoph Jauera to releasers-wikidiff2

https://gerrit.wikimedia.org/r/454879

ArielGlenn updated the task description. (Show Details)Aug 28 2018, 10:44 AM

As soon as the user verifies that access works as expected, we can close this ticket.

As soon as the user verifies that access works as expected, we can close this ticket.

So this is the first time for me doing something with production shell access, I might do something wrong but:

Snippet from my config:

Host bast3002.wikimedia.org
    # Direct connection for the bastion host
    ProxyCommand none
    ControlMaster auto

Host *.wikimedia.org *.wmnet !gerrit.wikimedia.org !git-ssh.wikimedia.org
    User wmde-fisch
    IdentityFile /home/chfi/.ssh/wmdev_rsa
    IdentityAgent /run/user/1000/ssh-wmdev.socket
    IdentitiesOnly yes
    ForwardAgent no
    ProxyCommand ssh -a -W %h:%p bast3002.wikimedia.org

Snippet of ssh output with -vvv:

debug1: Host 'deployment.eqiad.wmnet' is known and matches the ECDSA host key.
debug1: Found key in /home/chfi/.ssh/known_hosts:57
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug2: key: /home/chfi/.ssh/wmdev_rsa (0x561e6c69b0d0), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:s2pf0PPzJblbGXx+nOuveeLGE482SRqPx58iP07Tgns /home/chfi/.ssh/wmdev_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:

Sorry about this, but the task asks for access to upload things onto the release hosts (release1001/2001), and so that's what you got. I verified that your home directory and key are there. Do you/will you need access for other sorts of things?

Sorry about this, but the task asks for access to upload things onto the release hosts (release1001/2001), and so that's what you got. I verified that your home directory and key are there. Do you/will you need access for other sorts of things?

Thanks for checking - lets first wait for someone to confirm, that my process is correct there. :-)

As soon as the user verifies that access works as expected, we can close this ticket.

So this is the first time for me doing something with production shell access, I might do something wrong but:

You don't need access to tin (I'll update the wikipage), try ssh releases1001.eqiad.wmnet and then check that you can write to /srv/org/wikimedia/releases/wikidiff2?

WMDE-Fisch closed this task as Resolved.Aug 29 2018, 7:28 AM
WMDE-Fisch claimed this task.

You don't need access to tin (I'll update the wikipage), try ssh releases1001.eqiad.wmnet and then check that you can write to /srv/org/wikimedia/releases/wikidiff2?

Works, I can connect and I seem to have write rights in that directory, thanks \o/.

Dzahn added a subscriber: Dzahn.Aug 29 2018, 1:37 PM

releases.wikimedia.org has 2 backends, releases1001 and releases2001, so one in eqiad and one in codfw and both are active.

The contents of /srv/org/wikimedia/releases are rsynced from $active_server to $passive_server by puppet code in profile::releases::mediawiki.

What is defined as active/passive server is in Hiera in common.yaml as releases_server and releases_server_failover.

So you are doing right uploading it to releases1001.. it will then be synced to the other server.

It is possible though that one day we switch what is the active server for maintenance, datacenter switch-over or a failure. In that case you would upload to releases2001.