Page MenuHomePhabricator
Create Task
Maniphest T254589

Add new cloud-cumin keys
Closed, ResolvedPublic
Actions

Description

Yesterday's incident (T254491) erased our cumin keys. Fortunately, the active keys are still cached in keyholder, and seem to be active on most VM hosts. We need to generate new keys without losing contact with VMs in the meantime:

    1. disable puppet crons on cloud-cumin-01 and cloud-cumin-02
    2. enable puppet fleet-wide with: sudo cumin --force --timeout 30 -o json "A:all" "puppet agent --enable"
    3. wait 30+ minutes
    4. assess where puppet is and isn't running with sudo cumin --force --timeout 30 -o json "A:all" "/usr/local/lib/nagios/plugins/check_puppetrun -w 3600 -c 86400"
    5. repair puppet failures that are straightforward to repair
    6. repeat steps 2-4 as needed
    7. create and commit new cumin keys
    8. wait 30+ minutes
    9. manually run puppet on cloud-cumin-02 and 'keyholder arm' there
  • At this point we should have most VMs answering to cloud-cumin-02, and a few stragglers answering to cloud-cumin-01
    1. eliminate those stragglers, if necessary by copying in the new key by hand
    2. run puppet and keyholder arm on cloud-cumin-01

Details

SubjectRepoBranchLines +/-
Add an even newer cloud-vps cumin keylabs/privatemaster+1 -1
Replace cumin public key for cloud VMslabs/privatemaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Andrew created this task.Jun 5 2020, 3:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 5 2020, 3:05 PM
Andrew updated the task description. (Show Details)Jun 5 2020, 3:05 PM
Andrew updated the task description. (Show Details)
Andrew updated the task description. (Show Details)Jun 5 2020, 3:08 PM
Stashbot added a comment.Jun 5 2020, 3:08 PM

Mentioned in SAL (#wikimedia-cloud) [2020-06-05T15:08:57Z] <andrewbogott> trying to re-enable puppet without losing cumin contact, as per https://phabricator.wikimedia.org/T254589

Andrew added a project: cloud-services-team (Kanban).Jun 5 2020, 3:59 PM
gerritbot added a comment.Jun 5 2020, 6:04 PM

Change 602755 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[labs/private@master] Replace cumin public key for cloud VMs

https://gerrit.wikimedia.org/r/602755

gerritbot added a project: Patch-For-Review.Jun 5 2020, 6:04 PM
gerritbot added a comment.Jun 5 2020, 6:10 PM

Change 602755 merged by Andrew Bogott:
[labs/private@master] Replace cumin public key for cloud VMs

https://gerrit.wikimedia.org/r/602755

Maintenance_bot removed a project: Patch-For-Review.Jun 5 2020, 6:10 PM
Andrew mentioned this in rLPRI3ba6e7b76e91: Replace cumin public key for cloud VMs.Jun 5 2020, 6:10 PM
bd808 added a parent task: T254491: Puppet labs/private.git data loss incident affecting some projects.Jun 5 2020, 7:31 PM
Andrew added a comment.Jun 5 2020, 7:49 PM

I'm at step 9, taking a pause because I need to do some other things yet this afternoon.

gerritbot added a comment.Jun 6 2020, 2:38 AM

Change 602788 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[labs/private@master] Add an even newer cloud-vps cumin key

https://gerrit.wikimedia.org/r/602788

gerritbot added a project: Patch-For-Review.Jun 6 2020, 2:38 AM

Change 602788 merged by Andrew Bogott:
[labs/private@master] Add an even newer cloud-vps cumin key

https://gerrit.wikimedia.org/r/602788

Andrew mentioned this in rLPRI63f7be2a9afa: Add an even newer cloud-vps cumin key.Jun 6 2020, 2:40 AM
Maintenance_bot removed a project: Patch-For-Review.Jun 6 2020, 3:10 AM
Andrew closed this task as Resolved.Jun 6 2020, 4:34 AM
Andrew claimed this task.

cumin now has access to 736/738 instances with the new key, so I'm calling this done

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL