Page MenuHomePhabricator
Create Task
Maniphest T240382

Grant "contint-roots" and "releasers-mediawiki" to user brennen
Closed, ResolvedPublic
Actions

Description

We maintain four Jenkins instances and require root access to upgrade them or debug them when they go south (via jmap, jstack, strace etc). This request made specifically in the context of T239985, an upcoming Jenkins upgrade.

In the interest of reducing bus factor, we would like to elevate @brennen privileges for Jenkins. He should be added to the shell groups contint-roots and releasers-mediawiki.

contint-roots grants root access on the CI and on releases hosts

releasers-mediawiki grants Jenkins admin on release hosts

The hosts:

contint1001.wikimedia.org
contint2001.wikimedia.org
releases1001.eqiad.wmnet
releases2001.codfw.wmnet

Details

SubjectRepoBranchLines +/-
admin: Add brennen to contint-roots and releasers-mediawikioperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects

Event Timeline

Jdforrester-WMF created this task.Dec 10 2019, 9:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 10 2019, 9:31 PM
Jdforrester-WMF renamed this task from Grant "releasers-mediawiki" to Grant "contint-roots" and "releasers-mediawiki" to user brennen.Dec 10 2019, 9:32 PM
Jdforrester-WMF added projects: Release-Engineering-Team-TODO, Continuous-Integration-Infrastructure, SRE-Access-Requests.
Jdforrester-WMF added a subscriber: brennen.
Restricted Application added a project: SRE. · View Herald TranscriptDec 10 2019, 9:32 PM
brennen added a comment.Dec 10 2019, 9:34 PM

For purposes of T239985, a Jenkins upgrade.

hashar updated the task description. (Show Details)Dec 10 2019, 9:38 PM
jcrespo moved this task from Untriaged to Manager/NDA Approval/Confirmation on the SRE-Access-Requests board.Dec 11 2019, 1:13 PM
jcrespo assigned this task to greg.Dec 11 2019, 1:19 PM
jcrespo added subscribers: greg, jcrespo.

Assigning to @greg for approval, as "service owner", please assign it back to me or comment with issues.

I will add the request to next monday for SRE discussion, as it includes extra root privileges. @brennen I suggest adding relevant purpose information like the one at T240382#5729680 to the header of this ticket for an expedited review by SRE members 0:-) (it has happened in the past that requests have been delayed because they were unclear- adding that comment to the top will help!).

Restricted Application added a project: User-greg. · View Herald TranscriptDec 11 2019, 1:19 PM
brennen updated the task description. (Show Details)Dec 11 2019, 3:59 PM
Jdforrester-WMF added a subscriber: thcipriani.Dec 11 2019, 4:01 PM

Service owner is @thcipriani, not Greg.

jcrespo added a comment.Dec 11 2019, 4:19 PM

Service owner is @thcipriani, not Greg.

Sorry about that. Thanks for correcting it.

jcrespo removed a project: User-greg.Dec 11 2019, 4:19 PM
Restricted Application added a project: User-greg. · View Herald TranscriptDec 11 2019, 4:19 PM
jcrespo reassigned this task from greg to thcipriani.EditedDec 11 2019, 4:57 PM
jcrespo removed a project: User-greg.

Assigning to @thcipriani for approval, as "service owner" and also direct report contact, please assign it back to me or comment with issues.

jcrespo triaged this task as Medium priority.Dec 11 2019, 5:27 PM
thcipriani reassigned this task from thcipriani to jcrespo.Dec 11 2019, 6:44 PM

Approved, thank you @jcrespo !

jcrespo moved this task from Should be empty (use Release-Engineering-Team) to Done (within RelEng) on the Release-Engineering-Team-TODO board.Dec 11 2019, 6:50 PM
jcrespo moved this task from Manager/NDA Approval/Confirmation to SRE Meeting Review on the SRE-Access-Requests board.
hashar subscribed.Dec 12 2019, 1:48 PM

+1 :)

hashar awarded a token.Dec 12 2019, 1:48 PM
jcrespo added a comment.Dec 16 2019, 5:29 PM

I mistakenly assumed I needed SRE agreement because of root, was reminded I did not, additions of people to existing groups are now approved by service owners (@thcipriani in this case). I will create the patch to deploy it ASAP.

gerritbot added a comment.Dec 16 2019, 6:11 PM

Change 558151 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] admin: Add brennen to contint-roots and releasers-mediawiki

https://gerrit.wikimedia.org/r/558151

gerritbot added a project: Patch-For-Review.Dec 16 2019, 6:11 PM
gerritbot added a comment.Dec 16 2019, 6:13 PM

Change 558151 merged by Jcrespo:
[operations/puppet@production] admin: Add brennen to contint-roots and releasers-mediawiki

https://gerrit.wikimedia.org/r/558151

jcrespo added a comment.Dec 16 2019, 6:16 PM

@brennen Change is deployed, please allow up to 30 minutes for the puppet change to propagate to all hosts and then check that your access has been granted correctly and resolve this ticket, or return it to me for fixes.

jcrespo moved this task from Backlog to Radar on the SRE board.Dec 16 2019, 6:16 PM
Maintenance_bot removed a project: Patch-For-Review.Dec 16 2019, 7:10 PM
hashar closed this task as Resolved.Dec 17 2019, 10:12 AM
puppet/modules/admin/data(productionu=)$ ./matrix.py brennen
grp/users	brennen
contint-admins	OK
contint-docker	OK
contint-roots	OK  <-----
deployment	OK
gerrit-admin	OK
releasers-mediawiki	OK <----

I have confirmed @brennen has sudo privileges on the hosts. Thank you @jcrespo

Jdforrester-WMF mentioned this in T248597: Grant "contint-roots" and "releasers-mediawiki" to user jforrester.Mar 26 2020, 4:07 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL