Requesting access to contint-admins for taavi
Closed, ResolvedPublicRequest
Actions

Assigned To

Authored By

	taavi
	May 27 2022, 6:20 AM

Description

Requestor provided information and prerequisites

This section is to be completed by the individual requesting access.

Wikitech username: User:Majavah
Email address: hi+wm@taavi.wtf
SSH public key (must be a separate key from Wikimedia cloud SSH access): existing production shell account
Requested group membership: contint-admins and ldap/ciadmin
Reason for access: so that I can deploy CI config changes and troubleshoot/fix some CI issues (like T309371)
Name of approving party (manager for WMF/WMDE staff): @thcipriani
Ensure you have signed the L3 Wikimedia Server Access Responsibilities document: yes
Please coordinate obtaining a comment of approval on this task from the approving party.

SRE Clinic Duty Confirmation Checklist for Access Requests

This checklist should be used on all access requests to ensure that all steps are covered, including expansion to existing access. Please double check the step has been completed before checking it off.

This section is to be confirmed and completed by a member of the SRE team.

- User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
- User has a valid NDA on file with WMF legal. (All WMF Staff/Contractor hiring are covered by NDA. Other users can be validated via the NDA tracking sheet)
- User has provided the following: wikitech username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform)
- User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not shared with any other service (this includes not sharing with WMCS access, no shared keys.)
- access request (or expansion) has sign off of WMF sponsor/manager (sponsor for volunteers, manager for wmf staff)
- access request (or expansion) has sign off of group approver indicated by the approval field in data.yaml

For additional details regarding access request requirements, please see https://wikitech.wikimedia.org/wiki/Requesting_shell_access

Details

	Subject	Repo	Branch	Lines +/-
	admin: add taavi to contint-admins	operations/puppet	production	+1 -1

Customize query in gerrit

Related Objects

Mentioned Here: T309371: Gerrit: all patches are being reported as merge conflicts

Event Timeline

taavi created this task.May 27 2022, 6:20 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 27 2022, 6:20 AM

RhinosF1 subscribed.May 27 2022, 6:22 AM

fwiw, +1 — be very useful to have an additional user who could resolve issues like T309371: Gerrit: all patches are being reported as merge conflicts

Zabe updated the task description. (Show Details)May 27 2022, 7:24 AM

checked off boxes (L3 signed, NDA, has existing shell access, etc).

Will need approval from group approver (Tyler).

(if this needs an additional sponsor I can be that)

Sorry for the delay, I'll figure this out in the team meeting tomorrow!

brennen awarded a token.Jun 1 2022, 4:21 PM

I am not entirely sure what contint-admins group grants but I will review it. The main concern I have is the CI stack is very fragile :-\

@hashar This is the, pretty specific (good thing!), list of things that contint-admins grants:

privileges: ['ALL = (jenkins) NOPASSWD: ALL',
             'ALL = (jenkins-slave) NOPASSWD: ALL',
             'ALL = (doc-uploader) NOPASSWD: ALL',
             'ALL = (zuul) NOPASSWD: ALL',
             'ALL = NOPASSWD: /etc/init.d/jenkins',
             'ALL = NOPASSWD: /usr/sbin/service jenkins start',
             'ALL = NOPASSWD: /usr/sbin/service jenkins stop',
             'ALL = NOPASSWD: /usr/sbin/service jenkins restart',
             'ALL = NOPASSWD: /usr/sbin/service jenkins status',
             'ALL = NOPASSWD: /usr/sbin/service zuul reload',
             'ALL = NOPASSWD: /usr/sbin/service zuul restart',
             'ALL = NOPASSWD: /usr/sbin/service zuul start',
             'ALL = NOPASSWD: /usr/sbin/service zuul stop',
             'ALL = NOPASSWD: /usr/sbin/service zuul status',
             'ALL = NOPASSWD: /usr/sbin/service zuul-merger reload',
             'ALL = NOPASSWD: /usr/sbin/service zuul-merger restart',
             'ALL = NOPASSWD: /usr/sbin/service zuul-merger start',
             'ALL = NOPASSWD: /usr/sbin/service zuul-merger stop',
             'ALL = NOPASSWD: /usr/sbin/service zuul-merger status',
             'ALL = NOPASSWD: /bin/journalctl*',
             'ALL = NOPASSWD: /usr/local/sbin/puppet-run']

So "run (any) commands as jenkins/zuul, restart all the CI-related services, look at the logs, upload docs, run puppet" basically.

MoritzMuehlenhoff triaged this task as Medium priority.Jun 2 2022, 8:10 AM

In T309375#7963808, @Dzahn wrote:

checked off boxes (L3 signed, NDA, has existing shell access, etc).

Will need approval from group approver (Tyler).

@hashar and I talked this through, and I chatted with @Majavah to make sure they'd seen all the giant scary caveats in the zuul docs. I also confirmed they'd exercise caution with all the commands that the jenkins/zuul/doc-uploader users can run.

tl;dr: I approve the access request 🎉

Thanks for volunteering @Majavah !

taavi removed hashar as the assignee of this task.Jun 17 2022, 12:53 PM

Dzahn updated the task description. (Show Details)Jun 17 2022, 11:33 PM

Dzahn moved this task from Untriaged to Ready To Go on the SRE-Access-Requests board.

Change 806487 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] admin: add taavi to contint-admins

https://gerrit.wikimedia.org/r/806487

gerritbot added a project: Patch-For-Review.Jun 17 2022, 11:37 PM

Legoktm awarded a token.Jun 18 2022, 1:10 AM

Change 806487 merged by Slyngshede:

[operations/puppet@production] admin: add taavi to contint-admins