Page MenuHomePhabricator
Create Task
Maniphest T290144

Deployers unable to ssh to parse* hosts
Closed, ResolvedPublic
Actions

Description

Deployers can ssh to all mw hosts (appservers, api-appservers, maintenance, jobrunners, etc.) to e.g. run scap pull or another one of a narrow set of commands during investigations.

But, they can't ssh to any of the parse* hosts because they don't seem to inherit or or otherwise have set the standard set of appserver-ish admin_groups.

I don't know if there are plans for, or decisions made against, having parsoid be a role within the mediawiki:: hierarchy. But in the interim perhaps it would make sense to add these two groups (deployers and perf-roots) to the parsoid role.

https://wikitech.wikimedia.org/wiki/Incident_documentation/2021-09-01_partial_parsoid_outage

Details

SubjectRepoBranchLines +/-
add deployment and perf-roots shell groups to parsoid hostsoperations/puppetproduction+2 -0
Customize query in gerrit

Event Timeline

Krinkle created this task.Sep 1 2021, 11:18 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 1 2021, 11:18 AM
Krinkle moved this task from Limbo to Watching on the Performance-Team (Radar) board.Sep 1 2021, 11:18 AM
Urbanecm subscribed.Sep 1 2021, 11:20 AM
Urbanecm added a comment.Sep 1 2021, 11:23 AM

I support this. After all, any deployer already has sufficient access to SSH in via the mwdeploy system user (https://wikitech.wikimedia.org/wiki/Keyholder describes how that can be done). As such, adding deployers to the admin groups will not increase deployer's actual permission set.

Adding perf-roots would grant them root at those hosts (something that cannot be done through the method described above), but I think that's also fine.

Krinkle updated the task description. (Show Details)Sep 1 2021, 11:23 AM
Maintenance_bot added a project: SRE.Sep 1 2021, 11:45 AM
RhinosF1 subscribed.Sep 1 2021, 12:23 PM
Krinkle edited projects, added Sustainability (Incident Followup); removed Performance-Team (Radar), Release-Engineering-Team.Sep 1 2021, 12:45 PM
Krinkle updated the task description. (Show Details)Sep 1 2021, 12:53 PM
Legoktm subscribed.Sep 1 2021, 3:10 PM

+1 to granting permissions like normal appservers, this seems like an oversight once Parsoid moved to PHP and is now part of MediaWiki proper rather than a separate service.

jijiki added subscribers: jbond, Muehlenhoff.Sep 1 2021, 3:11 PM
jijiki subscribed.
jijiki added a project: Infrastructure-Foundations.Sep 1 2021, 3:21 PM
Dzahn subscribed.Sep 1 2021, 4:06 PM

What Lego said, access should mimick what we do with regular appservers.

gerritbot added a comment.Sep 1 2021, 4:10 PM

Change 715988 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] add deploment and perf-roots shell groups to parsoid hosts

https://gerrit.wikimedia.org/r/715988

gerritbot added a project: Patch-For-Review.Sep 1 2021, 4:10 PM
fgiunchedi triaged this task as Medium priority.Sep 2 2021, 6:41 AM
gerritbot added a comment.Sep 2 2021, 3:03 PM

Change 715988 merged by Dzahn:

[operations/puppet@production] add deployment and perf-roots shell groups to parsoid hosts

https://gerrit.wikimedia.org/r/715988

Dzahn added a comment.Sep 2 2021, 3:05 PM

After merging the change above I ran puppet on parse2001 and saw all the deployer shell accounts being created.

On all other hosts it will happen automatically within 30 minutes.

Maintenance_bot removed a project: Patch-For-Review.Sep 2 2021, 3:10 PM
Arlolra edited projects, added Parsoid (Tracking); removed Parsoid.Sep 2 2021, 9:19 PM
Dzahn closed this task as Resolved.Sep 3 2021, 11:27 AM
Dzahn claimed this task.

This should be resolved now.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits