Page MenuHomePhabricator
Create Task
Maniphest T218575

Reallocate LDAP database from labtestservices2001
Closed, ResolvedPublic
Actions

Description

The server labtestservices2001 requires decommission T218022: decommission: labtestservices2001.wikimedia.org but it contains a LDAP database we need to keep around.

We could either:

  • create a proper LDAP server in codfw
  • copy&paste the database to another server

Details

SubjectRepoBranchLines +/-
acme_chief: generate certs for cloudservices2002-dev.wikimedia.orgoperations/puppetproduction+7 -0
openstack: codfw1dev: cloudservices2002-dev introduce hiera keys for openldapoperations/puppetproduction+9 -0
openstack: codfw1dev: cloudservices2002-dev: include openldap profileoperations/puppetproduction+1 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

aborrero created this task.Mar 18 2019, 1:59 PM
aborrero mentioned this in T218022: decommission: labtestservices2001.wikimedia.org.
aborrero mentioned this in T217891: CloudVPS: rework codfw deployments.
aborrero mentioned this in T220101: labtestservices2002: rename to cloudservices2002-dev and reimage to stretch in codfw1dev.Apr 4 2019, 1:01 PM
aborrero added a comment.Apr 5 2019, 10:48 AM

I will be reallocating the database to cloudservices2002-dev, which has been imaged today.

gerritbot added a comment.Apr 5 2019, 10:53 AM

Change 501539 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] openstack: codfw1dev: cloudservices2002-dev: include openldap profile

https://gerrit.wikimedia.org/r/501539

gerritbot added a project: Patch-For-Review.Apr 5 2019, 10:53 AM

Change 501539 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] openstack: codfw1dev: cloudservices2002-dev: include openldap profile

https://gerrit.wikimedia.org/r/501539

gerritbot added a comment.Apr 5 2019, 11:10 AM

Change 501544 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] openstack: codfw1dev: cloudservices2002-dev introduce hiera keys for openldap

https://gerrit.wikimedia.org/r/501544

gerritbot added a comment.Apr 5 2019, 11:24 AM

Change 501544 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] openstack: codfw1dev: cloudservices2002-dev introduce hiera keys for openldap

https://gerrit.wikimedia.org/r/501544

aborrero triaged this task as High priority.Apr 5 2019, 11:52 AM
gerritbot added a comment.Apr 5 2019, 11:57 AM

Change 501550 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] acme_chief: generate certs for cloudservices2002-dev.wikimedia.org

https://gerrit.wikimedia.org/r/501550

gerritbot added a comment.Apr 5 2019, 12:04 PM

Change 501550 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] acme_chief: generate certs for cloudservices2002-dev.wikimedia.org

https://gerrit.wikimedia.org/r/501550

Andrew claimed this task.Apr 5 2019, 3:10 PM
MoritzMuehlenhoff added a comment.Apr 11 2019, 7:39 AM

These test hosts don't use replication and are standalone, right? I think then we can simply do a "slapcat > foo.ldif" on the old trusty host, then stop slapd on the new stretch host and use slapadd to transfer the LDIF data.

Andrew added a comment.Apr 12 2019, 2:40 PM

I was planning to move this to clouddb2001-dev, but have noticed that that box is on a private vlan. I'm assuming we need ldap on a public vlan so that VMs can reach it, right? Or will VMs in the new codfw deploy also be on the private vlan?

aborrero added a comment.Apr 15 2019, 2:57 PM

Before any other change, I see this:

aborrero@clouddb2001-dev:~ $ sudo tcpdump -i any port 389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:56:10.581116 IP6 cloudservices2002-dev.wikimedia.org.44940 > clouddb2001-dev.codfw.wmnet.ldap: Flags [S], seq 1091679480, win 28800, options [mss 1440,sackOK,TS val 220844216 ecr 0,nop,wscale 9], length 0
14:56:14.709663 IP6 cloudservices2002-dev.wikimedia.org.44940 > clouddb2001-dev.codfw.wmnet.ldap: Flags [S], seq 1091679480, win 28800, options [mss 1440,sackOK,TS val 220845248 ecr 0,nop,wscale 9], length 0

i.e, a connection from a server with public IP reaching clouddb2001-dev which has private address.

aborrero added a subscriber: ayounsi.Apr 16 2019, 9:55 AM
In T218575#5107323, @Andrew wrote:

I was planning to move this to clouddb2001-dev, but have noticed that that box is on a private vlan. I'm assuming we need ldap on a public vlan so that VMs can reach it, right? Or will VMs in the new codfw deploy also be on the private vlan?

You were right. After yesterday conversation with @ayounsi, we can't do this. We will need to build the LDAP server in cloudservices2002-dev.wikimedia.org or elsewhere.

aborrero mentioned this in T221106: cloudservices2002-dev: bootstrap.Apr 16 2019, 3:58 PM
Andrew added a comment.Apr 19 2019, 4:48 PM

ldap on cloudservices2002-dev is populated now, thanks to Moritz's suggestion.

I was a bit surprised to find ldap already installed on that host... is that all puppetized already?

aborrero added a comment.Apr 22 2019, 9:12 AM
In T218575#5125659, @Andrew wrote:

ldap on cloudservices2002-dev is populated now, thanks to Moritz's suggestion.

I was a bit surprised to find ldap already installed on that host... is that all puppetized already?

Thanks! Yes, I think I added openldap in preparation for the near future.

class role::wmcs::openstack::codfw1dev::services {
    system::role { $name: }
    include ::standard
    include ::profile::base::firewall
    include ::profile::openstack::codfw1dev::pdns::auth::db
    include ::profile::openstack::codfw1dev::pdns::auth::service
    include ::profile::openstack::codfw1dev::pdns::recursor::service
    include ::profile::openstack::codfw1dev::designate::service
    include ::profile::openldap                    <------------------
}
Stashbot added a comment.Apr 22 2019, 11:14 AM

Mentioned in SAL (#wikimedia-cloud) [2019-04-22T11:14:15Z] <arturo> create by hand /var/cache/labsaliaser/labs-ip-aliases.json in cloudservices2002-dev (T218575)

aborrero added a comment.Apr 22 2019, 11:15 AM

I just created the /var/cache/labsaliaser/labs-ip-aliases.json file in cloudservices2002-dev with content {"aliasmapping": {}, "extra_records": {"puppet.": "208.80.153.108"}} to silence a pdns daemon error. This is in puppet, so not sure why is not showing up in the server.

Also, I will proceed with T218022: decommission: labtestservices2001.wikimedia.org now that @Andrew managed to rescue the LDAP database.

aborrero closed this task as Resolved.Apr 22 2019, 11:30 AM

Closing this task, we can follow up with cloudservices2002-dev specific bits on T221106: cloudservices2002-dev: bootstrap.

Andrew closed subtask T221106: cloudservices2002-dev: bootstrap as Resolved.Apr 26 2019, 6:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits