
mediawiki-multiversion image builder should also poll private and security patches git repositories
Closed, Resolved | Public | 1 Estimated Story Points

Description

Currently the image build process polls mediawiki/core and operations/mediawiki-config repositories. It would be nice if it could also poll /srv/mediawiki-staging/private and /srv/patches on the active deployment host (which it already has access to).

Marking as low priority since T297673: Build MediaWiki images for kubernetes on the deployment servers might make this obsolete.

Event Timeline

Legoktm created this task.
dancy changed the task status from Open to In Progress. Dec 22 2021, 4:52 PM

As a first step I updated the Jenkins trigger to monitor /srv/patches on the releases server and verified that an image build occurs when it is updated. This directory is rsync'd from the deploy server every 10 minutes. We can reduce the interval to make it more responsive to patch updates if desired.

dancy set the point value for this task to 1.

Dealing with private settings will require a bit more setup.

Change 749566 had a related patch set uploaded (by Ahmon Dancy; author: Ahmon Dancy):

[operations/puppet@production] profile::releases::mediawiki::private: Enable timer and alter target directory

https://gerrit.wikimedia.org/r/749566

Change 751481 had a related patch set uploaded (by Ahmon Dancy; author: Ahmon Dancy):

[operations/puppet@production] Define git::daemon class and use it in profile::mediawiki::deployment::server

https://gerrit.wikimedia.org/r/751481

Change 749566 abandoned by Ahmon Dancy:

[operations/puppet@production] profile::releases::mediawiki::private: Enable timer and alter target directory

Reason:

Going with a different approach

https://gerrit.wikimedia.org/r/749566

Change 751481 merged by Dzahn:

[operations/puppet@production] Define git::daemon class and use it in profile::mediawiki::deployment::server

https://gerrit.wikimedia.org/r/751481

Change 751805 had a related patch set uploaded (by Dzahn; author: Majavah):

[operations/puppet@production] P:mediawiki::deployment: fix ferm syntax

https://gerrit.wikimedia.org/r/751805

Change 751805 merged by Dzahn:

[operations/puppet@production] P:mediawiki::deployment: fix ferm syntax

https://gerrit.wikimedia.org/r/751805

Deployed Ahmon's change, first only on codfw, which was good because there was a little fix needed in the ferm rules (see above, thanks Majavah).

After this things looked fine. Then also deployed to deploy1002. Now there is the new git-daemon running on both of them:

● git-daemon.service - Git daemon
   Loaded: loaded (/lib/systemd/system/git-daemon.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2022-01-05 20:58:43 UTC; 8min ago
 Main PID: 21309 (git-daemon)
netstat -tulepn | grep git
tcp        0      0 0.0.0.0:9418            0.0.0.0:*               LISTEN      499        7933471    21309/git-daemon    
tcp6       0      0 :::9418                 :::*                    LISTEN      499        7933472    21309/git-daemon

and firewall rules allow only releases servers to connect:

root@deploy2002:/# iptables -L | grep git
ACCEPT     tcp  --  releases1002.eqiad.wmnet  anywhere             tcp dpt:git
ACCEPT     tcp  --  releases2002.codfw.wmnet  anywhere             tcp dpt:git

This is for both deploy1002 and deploy2002 now.
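
A check for the firewall state described in the comment above, as an added example that is not part of the original thread: it parses `iptables -L` output and reports any ACCEPT rule for the git port (9418, served over unauthenticated `git://`) whose source is not one of the two releases servers. The function name, the sample listings and the extra "anywhere" rule are constructed for illustration.

```python
import re

# Allowlist copied from the firewall listing quoted in the comment above.
ALLOWED_SOURCES = {"releases1002.eqiad.wmnet", "releases2002.codfw.wmnet"}

# The two rules from the page, then a constructed listing with one bad rule added.
SAMPLE_OK = (
    "ACCEPT     tcp  --  releases1002.eqiad.wmnet  anywhere             tcp dpt:git\n"
    "ACCEPT     tcp  --  releases2002.codfw.wmnet  anywhere             tcp dpt:git\n"
)
SAMPLE_BAD = SAMPLE_OK + (
    "ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:git\n"
)

# Columns of `iptables -L`: target prot opt source destination [match details]
RULE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
# `iptables -L` prints the service name, `iptables -L -n` prints the number.
GIT_PORT = re.compile(r"\bdpt:(?:git|9418)\b")
ANY_SOURCE = {"anywhere", "0.0.0.0/0"}


def audit_git_rules(listing, allowed=ALLOWED_SOURCES):
    """Return (sources_allowed_by_rules, findings) for ACCEPT rules on the git port."""
    sources, findings = set(), []
    for line in listing.splitlines():
        m = RULE.match(line.strip())
        if not m or m.group(1) != "ACCEPT" or not GIT_PORT.search(m.group(6)):
            continue
        src = m.group(4)
        sources.add(src)
        if src in ANY_SOURCE:
            findings.append(f"git port open to any source: {line.strip()}")
        elif src not in allowed:
            findings.append(f"unexpected source on git port: {src}")
    # A missing allow rule breaks polling rather than security, but is worth reporting.
    for host in sorted(set(allowed) - sources):
        findings.append(f"no ACCEPT rule for expected source: {host}")
    return sources, findings


if __name__ == "__main__":
    for name, listing in (("page rules", SAMPLE_OK), ("constructed bad", SAMPLE_BAD)):
        _, findings = audit_git_rules(listing)
        print(name, "->", findings or "OK")
```

The `netstat` output above shows the daemon also bound to `:::9418`, so the IPv6 ruleset (`ip6tables -L`) deserves the same check; this parser assumes the IPv4 column layout.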

dancy closed this task as Resolved. Jan 5 2022, 9:59 PM (edited)
dancy claimed this task.

Thanks @Dzahn. That allowed me to configure releases-jenkins to poll git://deployment.eqiad.wmnet/srv/patches and git://deployment.eqiad.wmnet/srv/mediawiki-staging/private and respond to new commits in a timely manner. I verified that it works by making test commits on the deploy server.