Page MenuHomePhabricator
Create Task
Maniphest T254931

missing maps postgres passwords in clouddb-services
Closed, ResolvedPublic
Actions

Description

puppet onclouddb1003.clouddb-services.eqiad1.wikimedia.cloud fails like this:

Function lookup() did not find a value for the name 'profile::wmcs::services::postgres::osm_password'

There are four allied passwords in the manifest; probably all four of them were wiped by T254491

$osm_password = hiera('profile::wmcs::services::postgres::osm_password'),
$kolossos_password = hiera('profile::wmcs::services::postgres::kolossos_password'),
$aude_password = hiera('profile::wmcs::services::postgres::aude_password'),
$planemad_password = hiera('profile::wmcs::services::postgres::planemad_password'),

I'm not clear on if anyone is currently using those passwords or if they can be rotated.

Related Objects
Search...

Event Timeline

Andrew created this task.Jun 9 2020, 7:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 9 2020, 7:07 PM
Andrew updated the task description. (Show Details)Jun 9 2020, 7:08 PM
Aklapper added a comment.Jun 9 2020, 7:11 PM

@Andrew: Can you please associate at least one active project with this task, so others can find it? Thanks.

Andrew added a project: cloud-services-team (Kanban).Jun 9 2020, 7:18 PM
Bstorm subscribed.Jun 9 2020, 10:05 PM

$kolossos_password = hiera('profile::wmcs::services::postgres::kolossos_password'),
$aude_password = hiera('profile::wmcs::services::postgres::aude_password')
These two are read-write accounts for both Toolforge tools and maps things. They also represent unique data on the server. I think I can find them. I'll check the others.

bd808 added a parent task: T254491: Puppet labs/private.git data loss incident affecting some projects.Jun 9 2020, 10:42 PM
Stashbot added a comment.Jun 9 2020, 10:55 PM

Mentioned in SAL (#wikimedia-cloud) [2020-06-09T22:55:27Z] <bstorm_> Reset the passwords for T254931

RhinosF1 subscribed.Jun 9 2020, 11:00 PM
bd808 renamed this task from missing postgres passwords on to missing postgres passwords in clouddb-services.Jun 9 2020, 11:02 PM
bd808 added a project: Cloud-VPS.
bd808 added a project: Data-Services.
bd808 moved this task from Backlog to Maps on the Data-Services board.
Bstorm renamed this task from missing postgres passwords in clouddb-services to missing maps postgres passwords in clouddb-services.Jun 9 2020, 11:24 PM
Bstorm triaged this task as Unbreak Now! priority.
Restricted Application added a subscriber: Liuxinyu970226. · View Herald TranscriptJun 9 2020, 11:24 PM
Bstorm closed this task as Resolved.Jun 9 2020, 11:25 PM
Bstorm claimed this task.
Bstorm added a comment.EditedJun 9 2020, 11:29 PM

This would have also fixed the Wikilabels db server's puppet.

jbond subscribed.Jun 10 2020, 9:28 AM

@Bstorm thanks for fixing this however could you let me know what you did as i notice private/labs is still missing from labtestpuppetmaster2001 and I'm unsure if its still needed there?

It would also be useful to know in general what labtestpuppetmaster is still used for?

thanks

aborrero subscribed.Jun 10 2020, 10:04 AM
In T254931#6210032, @jbond wrote:

@Bstorm thanks for fixing this however could you let me know what you did as i notice private/labs is still missing from labtestpuppetmaster2001 and I'm unsure if its still needed there?

It would also be useful to know in general what labtestpuppetmaster is still used for?

Let me chime in.

In past times, the general puppetmaster for cloud VMs (in project that dodn't have a local puppetmaster) was an actual hardware server. This got eventually moved to VMs inside the cloud (puppetmasters in https://openstack-browser.toolforge.org/project/cloudinfra). This is for our eqiad1 openstack deployment. We have another openstack deployment in codfw, called codfw1dev. More info here: https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Deployments

We are in the process of migrating this actual hardware server puppetmaster (labtestpuppetmaster2001) to virtual machines inside the codfw1dev deployment itself, see T242607: Create in-cloud puppetmaster for codfw1dev

jbond added a comment.Jun 11 2020, 9:44 AM

thanks @aborrero

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits