Page MenuHomePhabricator
Create Task
Maniphest T260930

jenkins-deploy user is not in the docker group
Closed, ResolvedPublic
Actions

Description

I have created a new Jenkins agent and the jenkins-deploy user is not in the docker group:

jenkins-deploy@integration-agent-docker-1020:~$ groups
wikidev project-bastion project-deployment-prep project-integration project-puppet-diffs

$ getent group docker
docker:x:498:

Whereas on old agents it is properly setup:

jenkins-deploy@integration-agent-docker-1001:~$ groups
wikidev docker project-bastion project-deployment-prep project-integration project-puppet-diffs

$ getent group docker
docker:x:498:jenkins-deploy

Details

SubjectRepoBranchLines +/-
ci: bring back jenkins-deploy in the docker groupoperations/puppetproduction+12 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

hashar created this task.Aug 20 2020, 5:34 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 20 2020, 5:34 PM
hashar added a parent task: T260916: Move CI instances to use ceph in WMCS.Aug 20 2020, 5:35 PM
hashar added a subscriber: jbond.Aug 20 2020, 5:39 PM

The group addition has been removed in Puppet by https://gerrit.wikimedia.org/r/c/operations/puppet/+/572707 which moved the group management to data.yaml. Although that works for production, the admin module is not used to manage user and groups on WMCS instances. But maybe that can be done in LDAP?

hashar claimed this task.Aug 20 2020, 5:39 PM
Dzahn subscribed.Aug 20 2020, 5:43 PM

I guess one solution is to add a "if $realm = labs" ( we don't like those very much but sometimes they are still needed) and inside that add the old method with the "exec usermod" back.

https://gerrit.wikimedia.org/r/c/operations/puppet/+/572707/4/modules/profile/manifests/ci/docker.pp

gerritbot added a comment.Aug 20 2020, 6:37 PM

Change 621563 had a related patch set uploaded (by Hashar; owner: Hashar):
[operations/puppet@production] ci: bring back jenkins-deploy in the docker group

https://gerrit.wikimedia.org/r/621563

gerritbot added a project: Patch-For-Review.Aug 20 2020, 6:37 PM
hashar added a comment.Aug 20 2020, 6:43 PM

Cherry picked the puppet patch and applied it:

integration-agent-docker-1020:~$ sudo -H -u jenkins-deploy docker ps
CONTAINER ID        IMAGE
Stashbot added a comment.Aug 20 2020, 6:44 PM

Mentioned in SAL (#wikimedia-releng) [2020-08-20T18:44:10Z] <hashar> Pooling integration-agent-docker-1020 # T260930 / T260916

Stashbot mentioned this in T260916: Move CI instances to use ceph in WMCS.Aug 20 2020, 6:44 PM
hashar merged a task: T260961: Docker CI errors on integration-agent-docker-1020.Aug 21 2020, 7:31 AM
hashar added subscribers: Reedy, thcipriani.
gerritbot added a comment.Aug 21 2020, 8:54 AM

Change 621563 merged by Jbond:
[operations/puppet@production] ci: bring back jenkins-deploy in the docker group

https://gerrit.wikimedia.org/r/621563

hashar closed this task as Resolved.Aug 21 2020, 8:56 AM

I have rebased the CI puppetmaster

I have disconnected/reconnected the integration-agent-docker-1020 agent to have the java process take in account it belong to the docker group.

Wrote a dummy Jenkins job running on the new integration-agent-docker-1020 that ran docker ps successfuly.

Maintenance_bot removed a project: Patch-For-Review.Aug 21 2020, 9:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits