Page MenuHomePhabricator
Create Task
Maniphest T245114

Migrate Cumin hosts to Buster
Closed, ResolvedPublic
Actions

Description

Tentatively scheduled for next quarter (as it's blocked on the decision whether to proceed with Mariadb 10.4).

High level steps involved:

  • Reimage cumin2001
  • Test workflows and adapt any potential tweaks on the OS/Python side
  • Tell everyone to move to cumin2001 and reimage cumin1001

Details

Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

MoritzMuehlenhoff created this task.Feb 13 2020, 8:56 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 13 2020, 8:56 AM
Volans subscribed.Feb 13 2020, 8:59 AM
jbond triaged this task as Medium priority.Feb 13 2020, 11:47 AM
jbond subscribed.
jcrespo subscribed.Feb 13 2020, 11:51 AM

Cumin should for the most part be able to be upgraded to 10.4 with ease as it only holds the client, not the server, and that is why easier to upgrade (and it should be transparent).

The main issue on db/backups side is that snapshots are scheduled from cumin, and we should make sure those continue uninterrupted (mostly transfer.py and the maria backup scripts).

Marostegui subscribed.Feb 19 2020, 9:26 AM

I have checked the 10.4.12 mariadb client (and previos 10.4.11) on buster (on db1107) for the last few weeks without encountering any issues.

Krenair subscribed.Mar 5 2020, 11:49 PM

Noticed in T236576 that cumin is not packaged for buster. Is that going to change soon or should I make a new stretch instance?

Jdforrester-WMF added a parent task: T247045: Migrate all of production metal and VMs to Buster or later.Mar 6 2020, 12:35 AM
Volans added a comment.Mar 6 2020, 9:44 AM

@Krenair sure, we'll need to make the buster package anyway for the prod migration. If you have a date in mind for your migration let me know so that I can adjust on when doing the buster package. Should be pretty trivial.

Krenair added a comment.Mar 6 2020, 9:53 AM

Thanks Volans. I'm planning to do it as soon as the package is available.

Krenair mentioned this in T236576: Move all Wikimedia CI (WMCS integration project) instances from jessie to stretch.Mar 12 2020, 10:44 PM
Jdforrester-WMF added a parent task: T236576: Move all Wikimedia CI (WMCS integration project) instances from jessie to stretch.May 4 2020, 10:42 PM
hashar subscribed.May 5 2020, 12:40 PM

CI on WMCS uses a cumin master. Krenair already created the Buster instance integration-cumin-02.integration.eqiad.wmflabs. We can use it to experiment :]

Jdforrester-WMF edited parent tasks, added: T252071: Move all Wikimedia CI (WMCS integration project) instances from stretch to buster/bullseye; removed: T236576: Move all Wikimedia CI (WMCS integration project) instances from jessie to stretch.May 6 2020, 8:49 PM
Volans added a comment.May 6 2020, 8:51 PM

I'm working on the cumin release, I need to find some solution for some dependency incompatibility between code and the versions in Debian. I'll update the task with more information in the next few days.

gerritbot added a comment.Jun 9 2020, 11:10 AM

Change 603965 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Use the cumin profile in role::cluster::management

https://gerrit.wikimedia.org/r/603965

gerritbot added a project: Patch-For-Review.Jun 9 2020, 11:10 AM
gerritbot added a comment.Jun 9 2020, 11:19 AM

Change 603965 merged by Muehlenhoff:
[operations/puppet@production] Use the cumin profile in role::cluster::management

https://gerrit.wikimedia.org/r/603965

Maintenance_bot removed a project: Patch-For-Review.Jun 9 2020, 12:10 PM
gerritbot added a comment.Jun 9 2020, 2:25 PM

Change 604023 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] On buster install python3-tqdm from the spicerack component

https://gerrit.wikimedia.org/r/604023

gerritbot added a project: Patch-For-Review.Jun 9 2020, 2:25 PM
Volans added a comment.Jun 9 2020, 6:21 PM

@Krenair @MoritzMuehlenhoff I've finally! built and uploaded cumin 4.0.0~rc1 to our APT in wikimedia-buster.
The package is installable and from some quick test on a local setup it should work as expected.
The only problem is that we depend on a specific version of tqdm and hence that must be installed and pinned from the one in the component/spicerack APT component. The version in buster has incompatibility issues. So @Krenair a patch like [1] will be needed also for the WMCS setup of cumin in puppet.

FYI I didn't have yet tested the puppetdb or openstack backends.

[1] https://gerrit.wikimedia.org/r/c/operations/puppet/+/604023

Stashbot added a comment.Jun 10 2020, 9:35 AM

Mentioned in SAL (#wikimedia-operations) [2020-06-10T09:35:47Z] <volans> imported 0.0.38-1+deb10u1 into buster-wikimedia APT - T245114

jcrespo mentioned this in T253736: Package transferpy framework.Jun 10 2020, 11:11 AM
gerritbot added a comment.Jun 10 2020, 11:32 AM

Change 604023 merged by Muehlenhoff:
[operations/puppet@production] On buster install python3-tqdm from the spicerack component

https://gerrit.wikimedia.org/r/604023

Maintenance_bot removed a project: Patch-For-Review.Jun 10 2020, 12:10 PM
gerritbot added a comment.Jun 11 2020, 2:01 PM

Change 604715 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer/deploy@master] Add support for buster in the build process

https://gerrit.wikimedia.org/r/604715

gerritbot added a project: Patch-For-Review.Jun 11 2020, 2:01 PM
gerritbot added a comment.Jun 12 2020, 6:04 PM

Change 604715 merged by Volans:
[operations/software/homer/deploy@master] Add support for buster in the build process

https://gerrit.wikimedia.org/r/604715

Maintenance_bot removed a project: Patch-For-Review.Jun 12 2020, 6:11 PM
Stashbot added a comment.Jun 15 2020, 8:34 AM

Mentioned in SAL (#wikimedia-operations) [2020-06-15T08:34:52Z] <moritzm> reimaging cumin2001 T245114

gerritbot added a comment.Jun 15 2020, 9:38 AM

Change 605545 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Readd the spicerack component on Stretch

https://gerrit.wikimedia.org/r/605545

gerritbot added a project: Patch-For-Review.Jun 15 2020, 9:38 AM
gerritbot added a comment.Jun 15 2020, 9:49 AM

Change 605545 merged by Muehlenhoff:
[operations/puppet@production] Readd the spicerack component on Stretch

https://gerrit.wikimedia.org/r/605545

Maintenance_bot removed a project: Patch-For-Review.Jun 15 2020, 10:11 AM
gerritbot added a comment.Jun 15 2020, 10:46 AM

Change 605558 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] homer: fix initial clone of private repo

https://gerrit.wikimedia.org/r/605558

gerritbot added a project: Patch-For-Review.Jun 15 2020, 10:46 AM
Stashbot added a comment.Jun 15 2020, 10:54 AM

Mentioned in SAL (#wikimedia-operations) [2020-06-15T10:54:08Z] <moritzm> imported python-phabricator 0.7.0-2~wmf2 to apt.wikimedia.org/buster-wikimedia T245114

gerritbot added a comment.Jun 15 2020, 11:25 AM

Change 605558 merged by Volans:
[operations/puppet@production] homer: fix initial clone of private repo

https://gerrit.wikimedia.org/r/605558

gerritbot added a comment.Jun 15 2020, 11:31 AM

Change 605564 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] homer: enforce resource order

https://gerrit.wikimedia.org/r/605564

gerritbot added a comment.Jun 15 2020, 12:41 PM

Change 605583 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] git::clone: allow to pass environment variables

https://gerrit.wikimedia.org/r/605583

gerritbot added a comment.Jun 15 2020, 1:15 PM

Change 605583 merged by Volans:
[operations/puppet@production] git::clone: allow to pass environment variables

https://gerrit.wikimedia.org/r/605583

gerritbot added a comment.Jun 15 2020, 1:15 PM

Change 605564 merged by Volans:
[operations/puppet@production] homer: set the keyholder env variable

https://gerrit.wikimedia.org/r/605564

gerritbot added a comment.Jun 15 2020, 1:19 PM

Change 605590 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] homer: fix git clone URL

https://gerrit.wikimedia.org/r/605590

gerritbot added a comment.Jun 15 2020, 1:20 PM

Change 605590 merged by Volans:
[operations/puppet@production] homer: fix git clone URL

https://gerrit.wikimedia.org/r/605590

Maintenance_bot removed a project: Patch-For-Review.Jun 15 2020, 2:11 PM
gerritbot added a comment.Jun 15 2020, 4:59 PM

Change 605623 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer/deploy@master] Include pip into the built wheels

https://gerrit.wikimedia.org/r/605623

gerritbot added a project: Patch-For-Review.Jun 15 2020, 4:59 PM
Marostegui added a comment.Jun 16 2020, 7:44 AM

Would it be possible to save /home directories somewhere so they are available once the host is back?
It is not a lot of data to save:

root@cumin1001:/home# du -shc .
4.9G	.
4.9G	total
gerritbot added a comment.Jun 16 2020, 7:56 AM

Change 605623 merged by Volans:
[operations/software/homer/deploy@master] Include pip into the built wheels

https://gerrit.wikimedia.org/r/605623

gerritbot added a comment.Jun 16 2020, 8:05 AM

Change 605827 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer/deploy@master] Name expansion doesn't work, make it explicit

https://gerrit.wikimedia.org/r/605827

gerritbot added a comment.Jun 16 2020, 8:07 AM

Change 605827 merged by Volans:
[operations/software/homer/deploy@master] Name expansion doesn't work, make it explicit

https://gerrit.wikimedia.org/r/605827

Maintenance_bot removed a project: Patch-For-Review.Jun 16 2020, 8:11 AM
gerritbot added a comment.Jun 16 2020, 8:13 AM

Change 605828 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] homer: adapt plugin path to new installation

https://gerrit.wikimedia.org/r/605828

gerritbot added a project: Patch-For-Review.Jun 16 2020, 8:13 AM

Change 605828 merged by Volans:
[operations/puppet@production] homer: adapt plugin path to new installation

https://gerrit.wikimedia.org/r/605828

gerritbot added a comment.Jun 16 2020, 8:50 AM

Change 605844 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] reimage banner for cumin1001

https://gerrit.wikimedia.org/r/605844

gerritbot added a comment.Jun 16 2020, 9:23 AM

Change 605844 merged by Muehlenhoff:
[operations/puppet@production] reimage banner for cumin1001

https://gerrit.wikimedia.org/r/605844

Maintenance_bot removed a project: Patch-For-Review.Jun 16 2020, 10:10 AM
Stashbot added a comment.Jun 22 2020, 8:33 AM

Mentioned in SAL (#wikimedia-operations) [2020-06-22T08:33:50Z] <moritzm> reimaging cumin1001 to buster T245114

gerritbot added a comment.Jun 22 2020, 10:42 AM

Change 606986 had a related patch set uploaded (by Hashar; owner: Hashar):
[operations/puppet@production] cumin: fix python3 version on Buster

https://gerrit.wikimedia.org/r/606986

gerritbot added a project: Patch-For-Review.Jun 22 2020, 10:42 AM
hashar added a comment.Jun 22 2020, 11:44 AM

I have:

  • created deployment-cumin.deployment-prep.eqiad.wmflabs and integration-cumin.integration.eqiad.wmflabs.
  • Cherry picked a python3.7 fix from https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/606986/2 on each puppet master
  • Updated profile::openstack::eqiad1::cumin::project_masters in horizon to add the new cumin masters (which in turns allow them in the ssh pub key
    • And ran puppet on an instance of each project
  • armed keyholder

deployment-prep (FIXED)

$ sudo -H SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh root@deployment-deploy01.deployment-prep.eqiad.wmflabs
root@deployment-deploy01.deployment-prep.eqiad.wmflabs: Permission denied (publickey).

It rejects the IP somehow even though the log states it is permitted?

Jun 22 11:35:49 deployment-deploy01 sshd[8276]: Connection from 172.16.1.151 port 45308 on 172.16.4.18 port 22
Jun 22 11:35:49 deployment-deploy01 sshd[8276]: Authentication tried for root with correct key but not from a permitted host (host=172.16.1.151, ip=172.16.1.151).
Jun 22 11:35:49 deployment-deploy01 sshd[8276]: Failed publickey for root from 172.16.1.151 port 45308 ssh2: ED25519 SHA256:uesq4783AjnMh1XlOwJWGlyMLkxgIlaSNrvUZBhvqQs

On deployment-deploy01 there is:

/etc/ssh/userkeys/root.d/cumin
# Cumin Masters. TODO: use 'restrict' once available across the fleet (> jessie)
from="172.16.1.151,172.16.1.135,172.16.5.1,172.16.6.176,172.16.4.46,172.16.6.133",no-agent-forwarding,no-port-forwarding,no-x11-forwarding,no-user-rc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcav+ECiF6hW2XRuP7R8nqDw4hPlD0OChsGvB6K27jK root@cloudinfra-internal-puppetmaster-02

from="172.16.5.1,172.16.6.176",no-agent-forwarding,no-port-forwarding,no-x11-forwarding,no-user-rc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHMS6pXywYSw1kaZQivozB8qUx0vd1gqiAnVqJuS365B root@deployment-cumin

Cause there are bunch of hiera keys and I updated the wrong one I guess.

gerritbot added a comment.Jun 22 2020, 11:48 AM

Change 606986 merged by Muehlenhoff:
[operations/puppet@production] cumin: fix labs install on Buster

https://gerrit.wikimedia.org/r/606986

hashar added a comment.Jun 22 2020, 11:58 AM

On integration I am hitting a wall, the keyholder refuses to grant access:

For integration, the agent refuses to sign:

integration-cumin:~$ sudo -H SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh root@integration-agent-docker-1004.integration.eqiad.wmflabs
sign_and_send_pubkey: signing failed: agent refused operation
root@integration-agent-docker-1004.integration.eqiad.wmflabs: Permission denied (publickey).

I can't find the issue :-\

Maintenance_bot removed a project: Patch-For-Review.Jun 22 2020, 12:11 PM
Volans added a comment.Jun 22 2020, 12:21 PM

@hashar I've systemctl restart keyholder-proxy.service and ssh seems to work fine now and I can run cumin too.

gerritbot added a comment.Jun 22 2020, 12:37 PM

Change 607009 had a related patch set uploaded (by Hashar; owner: Hashar):
[integration/config@master] Move to integration-cumin (Buster)

https://gerrit.wikimedia.org/r/607009

gerritbot added a project: Patch-For-Review.Jun 22 2020, 12:37 PM
gerritbot added a comment.Jun 22 2020, 1:02 PM

Change 607009 merged by jenkins-bot:
[integration/config@master] Move to integration-cumin (Buster)

https://gerrit.wikimedia.org/r/607009

hashar added a comment.Jun 22 2020, 1:10 PM

It is complete for integration.

On deployment-prep I kept around the old instance just in case but I guess I will delete it at the end of this week.

Maintenance_bot removed a project: Patch-For-Review.Jun 22 2020, 1:10 PM
MoritzMuehlenhoff closed this task as Resolved.Jun 22 2020, 1:10 PM
MoritzMuehlenhoff claimed this task.

All cumin hosts in production are now running Buster.

thcipriani mentioned this in T268337: New Scap release candidate .deb not visible on deployment-cumin.Nov 23 2020, 6:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL