
Onboarding Hugh Nowlan
Open, Stalled, Low, Public

Description

This is the onboarding ticket and checklist for @hnowlan, SRE in the Core Platform team.


Event Timeline

Dzahn created this task. Jan 9 2020, 3:03 AM
Restricted Application added a subscriber: Aklapper. Jan 9 2020, 3:03 AM
Dzahn updated the task description. Jan 9 2020, 3:04 AM
Dzahn updated the task description. Jan 9 2020, 3:08 AM
Dzahn updated the task description. Jan 9 2020, 3:11 AM
Dzahn added a comment. Jan 9 2020, 3:16 AM

Welcome @hnowlan!

This checklist is from a template for onboarding in SRE.

I started by adding you to the ops mailing lists and I can see you already have a Wikitech user (great!).

Feel free to start with something like the checkbox confirming you can log in on Phabricator and set up 2FA.

Also if you want to generate an SSH key and paste it here on the ticket that would be a step towards getting your shell access set up.

I'll talk to you about the details and other check boxes tomorrow. (am in PST)

Dzahn triaged this task as High priority. Jan 9 2020, 3:18 AM

SSH key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICIFfF8+3TrSBaPBKPwbmnBM7e0C9/TFHs9/2hHiq+3t nosmo@ocasey

hnowlan updated the task description. Jan 9 2020, 10:53 AM
hnowlan updated the task description.
hnowlan updated the task description. Jan 9 2020, 11:03 AM
Dzahn updated the task description. Jan 9 2020, 11:23 PM
Dzahn updated the task description. Jan 9 2020, 11:31 PM
Dzahn updated the task description.
Dzahn updated the task description. Jan 9 2020, 11:37 PM

Change 563557 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admins: add Hugh Nowlan to ldap_only_admins (wmf)

https://gerrit.wikimedia.org/r/563557

Change 563557 merged by Dzahn:
[operations/puppet@production] admins: add Hugh Nowlan to ldap_only_admins (wmf)

https://gerrit.wikimedia.org/r/563557

Mentioned in SAL (#wikimedia-operations) [2020-01-10T19:47:00Z] <mutante> LDAP - add Hugh Nowlan to "wmf" group (T242309)

Dzahn added a comment. Jan 10 2020, 7:51 PM

@hnowlan The LDAP group gave you access to a bunch of web-based logins now: See https://wikitech.wikimedia.org/wiki/LDAP/Groups#wmf_group

Dzahn updated the task description. Jan 10 2020, 7:52 PM
Dzahn updated the task description.
Dzahn added a comment. Jan 10 2020, 7:54 PM

@hnowlan One more thing we'll need for the "pwstore" part will be a GPG key. If you already have one or want to create one you can go ahead uploading that to a keyserver and getting some signatures from other SREs.

Change 564171 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] admin: upgrade Hugh Nowlan to root shell user (ops)

https://gerrit.wikimedia.org/r/564171

To whomever needs the comment, as Hugh Nowlan's manager I approve his being approved for shell access, provided it is approved by the appropriate individuals within SRE.

Change 564171 merged by Giuseppe Lavagetto:
[operations/puppet@production] admin: upgrade Hugh Nowlan to root shell user (ops)

https://gerrit.wikimedia.org/r/564171

Joe updated the task description. Jan 23 2020, 7:57 AM
Joe added a subscriber: Joe.

@Dzahn can we please ensure this procedure is finished before next week?

Change 566823 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] icinga: let Hugh Nowlan run commands on all hosts and services

https://gerrit.wikimedia.org/r/566823

Change 566823 merged by Dzahn:
[operations/puppet@production] icinga: let Hugh Nowlan run commands on all hosts and services

https://gerrit.wikimedia.org/r/566823

Dzahn reassigned this task from Dzahn to hnowlan. Feb 3 2020, 11:02 PM

Hey Hugh, per chat at allhands. Can you test an Icinga command?

Dzahn added a comment. Feb 3 2020, 11:10 PM

Regarding the GPG key, I see it on the keyserver but it has no new signatures yet. Looks like we are waiting for upload of a new version with the new sigs on it.

Unfortunately it seems I don't have permissions to issue commands. I attempted to downtime a service on a host that's not yet in use (restbase2023) and received a "Not Authorized" error. And yeah, I don't think people have signed things since all-hands yet.

@hnowlan There's an error in the username configured in https://gerrit.wikimedia.org/r/566823, let me fix that.

Change 570611 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Fix username in Icinga authorization config for Hugh

https://gerrit.wikimedia.org/r/570611

Change 570611 merged by Muehlenhoff:
[operations/puppet@production] Fix username in Icinga authorization config for Hugh

https://gerrit.wikimedia.org/r/570611

Moritz clarified how case sensitive logins affect Icinga - I've since logged in as Hnowlan and I can confirm I can run commands successfully.

hnowlan updated the task description. Feb 6 2020, 2:22 PM
Dzahn added a comment. Feb 6 2020, 4:25 PM

Aww, thanks for confirming and thanks Moritz for fixing it. This is exactly why I wanted to test it. The capitalization caught us a couple times before.

jbond added a subscriber: jbond. Feb 11 2020, 11:28 AM

@hnowlan can you provide your GPG key ID?

My GPG key ID is 0x63514D67ADFD2615, fp is B858 7E40 78C9 95C4 AAF0 1CFC 6351 4D67 ADFD 2615 (on keyservers here). It doesn't have any signatures yet, don't think people have gotten to those post all-hands

jbond added a comment. Edited Feb 11 2020, 1:27 PM

Oh good, I'm guessing from your response that you did attend the key signing party at all hands. Also should mention that the link you provided didn't work for me; I hit this error. This is likely because SKS is now pretty broken. I have uploaded your key to keys.openpgp.org; however, I'm not sure what the current guidance is on what keyservers to use. Wikitech still lists pool.sks-keyservers.net, which does have your key.

@MoritzMuehlenhoff should we still be using pool.sks-keyservers.net or should we update our documentation to use keys.openpgp.org (which strips signatures so not great), or potentially set up our own server?

@MoritzMuehlenhoff: Could you please answer the last comment? Thanks!

Dzahn changed the task status from Open to Stalled. Feb 27 2020, 5:33 AM

While the keyserver networks have some structural issues which are pending some changes and a number of keys have been DDoSed by malicious key updates, there's currently no actual impediment to simply continue to use the SKS network (GPG clients have also added countermeasures against malformed keys, which were shipped in security updates of distros). As such, we can simply continue to use it for now.

Long term I'd like to simply store GPG keys for @wikimedia.org staff in our DNS zone file.

Volans lowered the priority of this task from High to Low. Mon, Mar 23, 3:25 PM