Page MenuHomePhabricator
Create Task
Maniphest T214541

python3-ldap3 mixed versions and future traps
Open, MediumPublic
Actions

Description

While trying to deploy https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/482237/ I realized that the python3-ldap3 library that we get from apt is really old. Newer versions of the library provide nice features like easy support for paged result sets. See this diff in gerrit for an example of the difference in lines of code needed for this common use-case.

Also we have different versions on various hosts due to some usage of backports and pinning. Both role::labs::db::maintain_dbusers and toollabs::maintain_kubeusers pin to the jessie backports package (0.9.9.3-1~bpo8+2) which is just slightly newer than the default jessie package (0.9.4.2-1).

Even more fun, newer versions of the library are not compatible with existing usage in several scripts. Once we start building things out on Buster (which has python3-ldap3 2.4.1-1) this is going to cause problems with the following scripts:

  • modules/grafana/files/grafana_auth_ldap_migrate.py
  • modules/ldap/files/reset-ldap-password
  • modules/profile/files/wmcs/nfs/maintain-dbusers.py
  • modules/toollabs/files/maintain-kubeusers
  • modules/toollabs/files/toolviews.py

openstack::puppet::master::enc also installs python3-ldap3, but it does not seem to be used directly there. This appears to be leftover from an earlier version of the modules/profile/files/puppetmaster/labs-puppet-enc.py script (rOPUPc658ac3d3795).

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+19 -28toolforge: Update toolviews.py for ldap3 v2.4.1
Customize query in gerrit

Related Objects
Search...

Event Timeline

bd808 created this task.Jan 24 2019, 1:15 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 24 2019, 1:15 AM
Bstorm added a subscriber: Bstorm.Jan 24 2019, 1:32 AM
Krenair added a subscriber: Krenair.Mar 15 2019, 7:58 PM
GTirloni added a project: cloud-services-team (Kanban).Mar 21 2019, 8:56 PM
Bstorm mentioned this in T194859: Toolforge maintain-kubeusers doesn't fail well when LDAP servers are unreachable.Jul 29 2019, 9:35 PM
bd808 updated the task description. (Show Details)Aug 8 2019, 2:41 AM
bd808 mentioned this in T237080: Toolviews data loading from Toolforge front proxy access log stopped on 2019-10-28.Nov 1 2019, 2:19 AM
gerritbot added a comment.Nov 1 2019, 3:21 AM

Change 547700 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[operations/puppet@production] toolforge: Update toolviews.py for ldap3 v2.4.1

https://gerrit.wikimedia.org/r/547700

gerritbot added a project: Patch-For-Review.Nov 1 2019, 3:21 AM
bd808 removed a project: Patch-For-Review.Nov 1 2019, 3:30 AM
bd808 updated the task description. (Show Details)
gerritbot added a comment.Nov 1 2019, 8:07 PM

Change 547700 merged by Phamhi:
[operations/puppet@production] toolforge: Update toolviews.py for ldap3 v2.4.1

https://gerrit.wikimedia.org/r/547700

Bstorm triaged this task as Medium priority.Feb 11 2020, 5:43 PM
Bstorm added a comment.Jan 21 2021, 4:48 PM

There's nothing incompatible that I can find in our usage. modules/profile/files/wmcs/nfs/maintain-dbusers.py uses methods that still work on later versions. They are just really ugly. On the other hand, old versions of ldap3 in python do *not* work with python 3.7+. I ran into this today with https://github.com/toolforge/toolsctl

That said, we don't have many stretch things running this stuff now other than nfs servers.

fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 9:44 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
taavi added a subscriber: taavi.Feb 11 2023, 10:11 PM

Out of that list I think maintain-dbusers is the only remaining issue.

taavi added a parent task: T303663: Split maintain-dbusers.py into two parts, one to run on cloudcontrol nodes and one to run on an NFS server VM.Feb 11 2023, 10:11 PM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL