CI machines (contint1001 etc.) have the contint-roots group on their role [ 1 ], so that RelEngers can do various things, and fix occasional issues.
However, doc machines (just doc1001 right now) don't [ 2 ] This has meant needing to ping SREs to fix things when they go wrong, rather than fixing it ourselves.
Should we adjust the two to match?
Could you give an example of a specific thing on doc1001 that needed fixing as root? We already spent quite some time on solving the occasional permission issues there and since recently that should be solved. Just switching to root users at this point would feel like a step backwards as opposed to using the already existing doc-uploader group.
This was a hold-over discussion item that came up when the git ownership got broken in docroot (which as you say, got fixed last month, thank you) and I think(?) another time before that. I'd ideally like @hashar to weigh-in as to whether they can think of other situations.
Marking as stalled for now until they're back.
I 'll remove the SRE-Access-Requests tag for based on the task status. Feel free to readd when it's back to Open so SRE can work on it.
The material is published as user doc-uploader and we have sudo access for that user.
Only case I needed root on that machine was to fix some permissions, though that is supposedly fixed.
root grants access to the Apache error log, but I never had to look in them.
So I guess we don't need root, and if need we can revisit.
Alright, based on the last comment i will call it declined then. Reopen if the need arises, of course.