Deployers unable to ssh to parse* hosts
Closed, Resolved, Public

Description

Deployers can ssh to all mw hosts (appservers, api-appservers, maintenance, jobrunners, etc.) to e.g. run scap pull or another one of a narrow set of commands during investigations.

But they can't ssh to any of the parse* hosts because they don't seem to inherit or otherwise have set the standard set of appserver-ish admin_groups.

I don't know if there are plans for, or decisions made against, having parsoid be a role within the mediawiki:: hierarchy. But in the interim perhaps it would make sense to add these two groups (deployers and perf-roots) to the parsoid role.


https://wikitech.wikimedia.org/wiki/Incident_documentation/2021-09-01_partial_parsoid_outage

Event Timeline

I support this. After all, any deployer already has sufficient access to SSH in via the mwdeploy system user (https://wikitech.wikimedia.org/wiki/Keyholder describes how that can be done). As such, adding deployers to the admin groups will not increase deployers' actual permission set.

Adding perf-roots would grant them root at those hosts (something that cannot be done through the method described above), but I think that's also fine.

+1 to granting permissions like normal appservers; this seems like an oversight once Parsoid moved to PHP and is now part of MediaWiki proper rather than a separate service.

What Lego said, access should mimic what we do with regular appservers.

Change 715988 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] add deploment and perf-roots shell groups to parsoid hosts

https://gerrit.wikimedia.org/r/715988

fgiunchedi triaged this task as Medium priority. Sep 2 2021, 6:41 AM

Change 715988 merged by Dzahn:

[operations/puppet@production] add deployment and perf-roots shell groups to parsoid hosts

https://gerrit.wikimedia.org/r/715988

After merging the change above I ran puppet on parse2001 and saw all the deployer shell accounts being created.

On all other hosts it will happen automatically within 30 minutes.

Dzahn claimed this task.

This should be resolved now.