Page MenuHomePhabricator

Grant "contint-roots" and "releasers-mediawiki" to user brennen
Closed, ResolvedPublic


We maintain four Jenkins instances and require root access to upgrade them or debug them when they go south (via jmap, jstack, strace etc). This request made specifically in the context of T239985, an upcoming Jenkins upgrade.

In the interest of reducing bus factor, we would like to elevate @brennen privileges for Jenkins. He should be added to the shell groups contint-roots and releasers-mediawiki.

contint-roots grants root access on the CI and on releases hosts

releasers-mediawiki grants Jenkins admin on release hosts

The hosts:

Event Timeline

Jdforrester-WMF renamed this task from Grant "releasers-mediawiki" to Grant "contint-roots" and "releasers-mediawiki" to user brennen.Dec 10 2019, 9:32 PM
Jdforrester-WMF added a subscriber: brennen.

For purposes of T239985, a Jenkins upgrade.

jcrespo added subscribers: greg, jcrespo.

Assigning to @greg for approval, as "service owner", please assign it back to me or comment with issues.

I will add the request to next monday for SRE discussion, as it includes extra root privileges. @brennen I suggest adding relevant purpose information like the one at T240382#5729680 to the header of this ticket for an expedited review by SRE members 0:-) (it has happened in the past that requests have been delayed because they were unclear- adding that comment to the top will help!).

Service owner is @thcipriani, not Greg.

Sorry about that. Thanks for correcting it.

jcrespo removed a project: User-greg.

Assigning to @thcipriani for approval, as "service owner" and also direct report contact, please assign it back to me or comment with issues.

jcrespo triaged this task as Medium priority.Dec 11 2019, 5:27 PM

I mistakenly assumed I needed SRE agreement because of root, was reminded I did not, additions of people to existing groups are now approved by service owners (@thcipriani in this case). I will create the patch to deploy it ASAP.

Change 558151 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] admin: Add brennen to contint-roots and releasers-mediawiki

Change 558151 merged by Jcrespo:
[operations/puppet@production] admin: Add brennen to contint-roots and releasers-mediawiki

@brennen Change is deployed, please allow up to 30 minutes for the puppet change to propagate to all hosts and then check that your access has been granted correctly and resolve this ticket, or return it to me for fixes.

puppet/modules/admin/data(productionu=)$ ./ brennen
grp/users	brennen
contint-admins	OK
contint-docker	OK
contint-roots	OK  <-----
deployment	OK
gerrit-admin	OK
releasers-mediawiki	OK <----

I have confirmed @brennen has sudo privileges on the hosts. Thank you @jcrespo