Page MenuHomePhabricator
Create Task
Maniphest T287063

Refactor profile::analytics::cluster::users
Closed, ResolvedPublic
Actions

Description

As of today, all the hosts/vms of the DE infrastructure should be on Debian Buster. A big work that was done while reimaging was to move to a fixed uid/gid scheme for most of our users (hdfs, yarn, analytics, etc..). See https://gerrit.wikimedia.org/r/c/operations/puppet/+/666657 for an example of how we allocated fixed uid/gid.

In this task we should:

  1. verify that all the users that we allocated in data.yaml are effectively deployed across all nodes (namely that we have the same uid/gid everywhere for say druid, hdfs, analytics-privatedata, etc..)
  2. deprecate profile::analytics::cluster::users in favor of data.yaml (basically remove the profile and uncomment what written in data.yaml)

Note: allocating users via data.yaml means that they will be deployed across all the hosts managed by puppet (even non analytics ones). This should be fine but it would be good to verify this with John and Moritz beforehand, just to be sure.

I have not totally 'deprecated' profile::analytics::cluster::users. Instead, it should now only be used to sync system users declared in puppet classes (not the admin module) to all nodes where they are needed. Puppet classes should maintain control over the daemon system users they need.

'Human' system users exist for human users to sudo to and schedule productionized jobs as a shared user. These are controlled by the admin module and have been removed from profile::analytics::cluster::users.

Details

SubjectRepoBranchLines +/-
Use admin module to manage system user for use by human usersoperations/puppetproduction+143 -234
admin::user: add support for nonexistent home directoryoperations/puppetproduction+27 -17
Customize query in gerrit

Related Objects

Event Timeline

elukey created this task.Jul 21 2021, 6:08 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 21 2021, 6:08 AM
elukey mentioned this in T278423: Upgrade the Hadoop masters to Debian Buster.Jul 21 2021, 6:08 AM
Ottomata claimed this task.Jul 22 2021, 1:51 PM
Ottomata added a project: Analytics-Kanban.

Thanks Luca! I'd like to work on this ASAP, as it kinda blocks T284225: Create airflow instances for Platform Engineering and Research

Ottomata mentioned this in T284225: Create airflow instances for Platform Engineering and Research.Jul 22 2021, 1:52 PM
Ottomata moved this task from Next Up to In Progress on the Analytics-Kanban board.Jul 23 2021, 7:41 PM
Ottomata added subscribers: jbond, MoritzMuehlenhoff.

Note: allocating users via data.yaml means that they will be deployed across all the hosts managed by puppet (even non analytics ones). This should be fine but it would be good to verify this with John and Moritz beforehand, just to be sure.

@MoritzMuehlenhoff @jbond should be ok, yes?

Ottomata added a comment.Jul 23 2021, 7:55 PM
19:54:31 [@cumin1001:/home/otto] $ sudo cumin 'R:Class = profile::hadoop::common' 'for u in swift hdfs yarn mapred analytics druid hadoop analytics-privatedata analytics-product analytics-search; do id $u >/dev/null 2>/dev/null  && echo "$u $(id -u $u):$(id -g $u)" || true; done'
120 hosts will be targeted:
...

===== NODE GROUP =====
(13) an-presto[1001-1005].eqiad.wmnet,an-test-presto1001.eqiad.wmnet,an-test-ui1001.eqiad.wmnet,an-tool[1008-1009].eqiad.wmnet,flerovium.eqiad.wmnet,furud.codfw.wmnet,labstore[1006-1007].wikimedia.org
----- OUTPUT of 'for u in swift h...)" || true; done' -----
hdfs 903:903
yarn 904:904
mapred 905:905

===== NODE GROUP =====
(11) an-druid[1001-1002].eqiad.wmnet,an-test-druid1001.eqiad.wmnet,druid[1001-1008].eqiad.wmnet
----- OUTPUT of 'for u in swift h...)" || true; done' -----
hdfs 903:903
yarn 904:904
mapred 905:905
druid 907:907

===== NODE GROUP =====
(96) an-airflow1001.eqiad.wmnet,an-coord[1001-1002].eqiad.wmnet,an-launcher1002.eqiad.wmnet,an-master[1001-1002].eqiad.wmnet,an-test-client1001.eqiad.wmnet,an-test-coord1001.eqiad.wmnet,an-test-master[1001-1002].eqiad.wmnet,an-test-worker[1001-1003].eqiad.wmnet,an-worker[1078-1128,1130-1132,1135-1138].eqiad.wmnet,analytics[1058-1077].eqiad.wmnet,stat[1004-1008].eqiad.wmnet
----- OUTPUT of 'for u in swift h...)" || true; done' -----
hdfs 903:903
yarn 904:904
mapred 905:905
analytics 906:906
druid 907:907
analytics-privatedata 909:909
analytics-product 910:910
analytics-search 911:911

Looks good to me!

gerritbot added a comment.Jul 23 2021, 8:03 PM

Change 707564 had a related patch set uploaded (by Ottomata; author: Ottomata):

[operations/puppet@production] Deprecate profile::analytics::cluster::users

https://gerrit.wikimedia.org/r/707564

gerritbot added a project: Patch-For-Review.Jul 23 2021, 8:03 PM
gerritbot added a comment.Jul 27 2021, 1:13 PM

Change 708288 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] admin::user: add support for nonexistent home directory

https://gerrit.wikimedia.org/r/708288

jbond added a comment.Jul 27 2021, 2:29 PM
In T287063#7233625, @Ottomata wrote:

Note: allocating users via data.yaml means that they will be deployed across all the hosts managed by puppet (even non analytics ones). This should be fine but it would be good to verify this with John and Moritz beforehand, just to be sure.

@MoritzMuehlenhoff @jbond should be ok, yes?

yes i think this is fine, we already do this for reprepro

gerritbot added a comment.Jul 28 2021, 1:19 PM

Change 708288 merged by Jbond:

[operations/puppet@production] admin::user: add support for nonexistent home directory

https://gerrit.wikimedia.org/r/708288

gerritbot added a comment.Jul 28 2021, 1:31 PM

Change 707564 merged by Ottomata:

[operations/puppet@production] Use admin module to manage system user for use by human users

https://gerrit.wikimedia.org/r/707564

Ottomata renamed this task from Deprecate profile::analytics::cluster::users to Refactor profile::analytics::cluster::users.Jul 28 2021, 1:44 PM
Ottomata updated the task description. (Show Details)
Ottomata triaged this task as High priority.Jul 28 2021, 2:09 PM
Ottomata moved this task from In Progress to Done on the Analytics-Kanban board.
Maintenance_bot removed a project: Patch-For-Review.Jul 28 2021, 2:10 PM
Ottomata closed this task as Resolved.Jul 29 2021, 4:04 PM
Ottomata mentioned this in T291384: Standardize the stats system user uid.Sep 20 2021, 1:46 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL