
new deployment group and access for design site - Volker Eckl, Jan Drewniak, Amir Sarabadani, Mukunda Modell
Closed, Resolved · Public

Description

Volker Eckl is an existing "ldap_only" admin.

Recently, deployment of the design website content has been switched from git::clone to scap (T235677) to be able to deploy large files.

For that he now needs access to the deployment server and deployer rights.

A new deployment group should be created for this.

Additional members of the group should be "ladsgroup" and "jdrewniak". Both are existing mw deployers in the "deployment" group.

Event Timeline


This probably needs a new group since it's not really a service and it's not part of mediawiki, neither wikidev nor deploy-service are really appropriate.

And then it would be best to have more than one person in that group. Could you list backup deployers?

I assume @Ladsgroup would be another deployer.

@Volker_E: is there anyone else who should be able to deploy the style guide?

Dzahn renamed this task from deployment access for Volker Eckl to new deployment group and access for design site - Volker Eckl, Jan Drewniak, Amir Ladsgroup. Oct 25 2019, 8:32 PM
Dzahn updated the task description.
Ladsgroup renamed this task from new deployment group and access for design site - Volker Eckl, Jan Drewniak, Amir Ladsgroup to new deployment group and access for design site - Volker Eckl, Jan Drewniak, Amir Sarabadani. Oct 25 2019, 9:14 PM

Change 546303 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: create new deploy group for design, add 3 users

https://gerrit.wikimedia.org/r/546303

@Dzahn I'm on clinic duty this week! Does this need any more waiting period time or SRE meeting discussion? I think it doesn't, and am happy to merge if not.

@Ottomata Thank you! No, I don't think it needs more discussion. But I think it needs to be amended (see Moritz' comment on it) and a +1 from somebody in releng (Greg or Tyler) would be great. I can amend later or feel free to do it.


Sure, +1

Change 546303 merged by Ottomata:
[operations/puppet@production] admins: create new deploy group for design, add 3 users

https://gerrit.wikimedia.org/r/546303

Ottomata triaged this task as High priority.

@thcipriani can you help with https://gerrit.wikimedia.org/r/c/operations/puppet/+/547014? I'm not entirely sure of what needs to happen there.

Added some info on the patchset. tl;dr: we need a new keypair added to puppet secrets. Then we update profile::keyholder::server::agents to include the new private key with the deploy-design trusted group. Additionally, changing the deploy_user on scap::target (as the patchset already does) should handle creating the user on the target *and* installing the public key in authorized_keys for that user.

Since it's already been deployed once as deploy-service I kind of expect there to be some manual chowning necessary on the target machines as well :)

Created new keypair for design and committed in private repo on the puppetmaster.

remote:  modules/secret/secrets/keyholder/design     | 28 ++++++++++++++++++++++++++++
remote:  modules/secret/secrets/keyholder/design.pub |  1 +

The passphrase to arm the key is the same for all deployment keys (since T154943).

It's stored in pwstore in the file deployment-key-passphrase.

Renamed the keys to use the "deploy_" prefix. (Some keys are just called $service, some deploy_$services and some $service_deploy).

rename modules/secret/secrets/keyholder/{design => deploy_design} (100%)
rename modules/secret/secrets/keyholder/{design.pub => deploy_design.pub} (100%)

Change 547044 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[labs/private@master] add fake deployment keys for new design group

https://gerrit.wikimedia.org/r/547044

Change 547044 merged by Dzahn:
[labs/private@master] add fake deployment keys for new design group

https://gerrit.wikimedia.org/r/547044

The 3 users exist on the deployment server and are members of the new group:

[deploy1001:~] $ id volker-e
uid=12186(volker-e) gid=500(wikidev) groups=500(wikidev),815(deploy-design)
[deploy1001:~] $ id jdrewniak
uid=13379(jdrewniak) gid=500(wikidev) groups=500(wikidev),705(deployment),815(deploy-design)
[deploy1001:~] $ id ladsgroup
uid=3182(ladsgroup) gid=500(wikidev) groups=500(wikidev),705(deployment),763(deploy-service),815(deploy-design)

I created a new keypair for deployment (keyholder) and committed in the private repo on the puppetmaster.

Then, https://gerrit.wikimedia.org/r/c/operations/puppet/+/547014 has been merged and deployed.

This removed the deploy-service user on bromine.eqiad.wmnet and vega.codfw.wmnet, the backend servers, and added the deploy-design user, group and new key.

This should be resolved now. Also see T235677#5620452. Please let us know if any unexpected issues arise.
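
Added example (not part of the task and not Wikimedia tooling): a POSIX shell check over the `id` output quoted above. It confirms that every requested deployer is in deploy-design and shows which of them are not in the broader deployment group. The function names are hypothetical; the sample input is copied from the comment above.

```shell
#!/bin/sh
# Sample input: the three `id` lines quoted in the task comment above.
ID_OUTPUT='uid=12186(volker-e) gid=500(wikidev) groups=500(wikidev),815(deploy-design)
uid=13379(jdrewniak) gid=500(wikidev) groups=500(wikidev),705(deployment),815(deploy-design)
uid=3182(ladsgroup) gid=500(wikidev) groups=500(wikidev),705(deployment),763(deploy-service),815(deploy-design)'

# Parse `id` output on stdin into "user group" pairs, one per line.
id_pairs() {
    awk '{
        user = ""; grps = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^uid=/) { user = $i; sub(/^uid=[0-9]+\(/, "", user); sub(/\)$/, "", user) }
            if ($i ~ /^groups=/) grps = substr($i, 8)
        }
        if (user == "" || grps == "") next   # skip prompts and other noise
        n = split(grps, g, ",")
        for (j = 1; j <= n; j++) {
            name = g[j]; sub(/^[0-9]+\(/, "", name); sub(/\)$/, "", name)
            print user, name
        }
    }'
}

# Users (from `id` output on stdin) that belong to group $1, space separated.
members_of() {
    id_pairs | awk -v g="$1" '$2 == g { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Of the users listed after group $1, print those NOT in that group.
# An empty result means every listed user has the membership.
missing_from() {
    grp=$1; shift
    present=" $(members_of "$grp") "
    out=""
    for u in "$@"; do
        case "$present" in
            *" $u "*) ;;
            *) out="${out:+$out }$u" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Stand-alone run: who can deploy the design site, and who lacks MediaWiki deploy rights.
printf '%s\n' "$ID_OUTPUT" | members_of deploy-design
printf '%s\n' "$ID_OUTPUT" | missing_from deployment volker-e jdrewniak ladsgroup
```

On a real host, replace the embedded sample with the output of `id <user>` for each requested member.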

Change 547290 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: add twentyafterfour to design deployers

https://gerrit.wikimedia.org/r/547290

Dzahn renamed this task from new deployment group and access for design site - Volker Eckl, Jan Drewniak, Amir Sarabadani to new deployment group and access for design site - Volker Eckl, Jan Drewniak, Amir Sarabadani, Mukunda Modell. Oct 30 2019, 7:59 PM

Change 547290 merged by Dzahn:
[operations/puppet@production] admins: add twentyafterfour to design deployers

https://gerrit.wikimedia.org/r/547290