Page MenuHomePhabricator
Create Task
Maniphest T277604

Permissions / ownership interfere with publishing dev-images
Closed, ResolvedPublic
Actions

Description

Just running through publishing dev-images with @jeena, discovered that previous updater of /srv/dev-images on contint1002 winds up owning some files in .git with insufficient group-level access to update things.

We should fix this, since we'd like to extend publishing permissions to several folks outside of RelEng.

Details

SubjectRepoBranchLines +/-
contint: build dev-images with a system useroperations/puppetproduction+18 -11
Customize query in gerrit
TitleReferenceAuthorSource BranchDest Branch
fab: build images with user dockerpkg-builderrepos/releng/dev-images!39hasharfab-shared-usermain
Customize query in GitLab

Related Objects
Search...

Event Timeline

brennen created this task.Mar 16 2021, 9:50 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 16 2021, 9:50 PM
brennen added projects: Release-Engineering-Team, Release-Engineering-Team-TODO (2021-01-01 to 2021-03-31 (Q3)).Mar 16 2021, 10:04 PM
brennen moved this task from Backlog to Next on the User-brennen board.
brennen added a parent task: T274303: dev-images +2 rights and Docker registry credentials for FR-Tech.
thcipriani triaged this task as Medium priority.Mar 23 2021, 4:14 PM
thcipriani edited projects, added Release-Engineering-Team (Local Dev); removed Release-Engineering-Team.
thcipriani moved this task from INBOX to Maintenance on the Release-Engineering-Team-TODO (2021-01-01 to 2021-03-31 (Q3)) board.
thcipriani subscribed.

The way this works on the deployment servers (IIRC) is the /etc/profile assigns a umask of 002 -- maybe that could work here too

thcipriani assigned this task to brennen.Mar 23 2021, 4:15 PM
thcipriani edited projects, added Release-Engineering-Team-TODO (2021-04-01 to 2021-06-30 (Q4)); removed Release-Engineering-Team-TODO (2021-01-01 to 2021-03-31 (Q3)).Apr 20 2021, 12:37 AM
thcipriani removed a project: Release-Engineering-Team (Local Dev).Apr 20 2021, 1:23 AM
thcipriani edited projects, added Release-Engineering-Team (Doing); removed Release-Engineering-Team-TODO (2021-04-01 to 2021-06-30 (Q4)).Apr 20 2021, 4:25 AM
thcipriani lowered the priority of this task from Medium to Low.Apr 20 2021, 4:48 PM
brennen mentioned this in T274303: dev-images +2 rights and Docker registry credentials for FR-Tech.Jul 15 2021, 4:53 PM
brennen moved this task from Next to Backlog on the User-brennen board.Sep 1 2021, 7:04 PM
thcipriani edited projects, added Release-Engineering-Team (Priority Backlog 📥); removed Release-Engineering-Team (Doing).Sep 7 2022, 3:51 PM
dancy subscribed.Jun 28 2023, 8:32 PM
hashar subscribed.Jul 5 2023, 10:47 AM

Eventually that is addressed by https://gerrit.wikimedia.org/r/c/operations/puppet/+/927975 which switch the repo and deploy script to use a shared system user dockerpkg-builder.

gerritbot added a comment.Jul 5 2023, 10:47 AM

Change 927975 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] contint: build dev-images with a system user

https://gerrit.wikimedia.org/r/927975

gerritbot added a project: Patch-For-Review.Jul 5 2023, 10:47 AM
gerritbot added a comment.Jul 5 2023, 11:16 AM

Change 927975 merged by Clément Goubert:

[operations/puppet@production] contint: build dev-images with a system user

https://gerrit.wikimedia.org/r/927975

Maintenance_bot removed a project: Patch-For-Review.Jul 5 2023, 11:31 AM
hashar claimed this task.Jul 5 2023, 11:52 AM
hashar closed this task as Resolved.Jul 5 2023, 1:52 PM

The fab build script for dev-images is fixed by https://gitlab.wikimedia.org/repos/releng/dev-images/-/merge_requests/39

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL