Page MenuHomePhabricator
Create Task
Maniphest T313259

Deploy Phabricator with scap
Closed, ResolvedPublic5 Estimated Story Points
Actions

Description

Currently, we deploy Phabricator fairly manually, using the steps outlined here:

https://wikitech.wikimedia.org/wiki/Phabricator/Deployment

We should use scap instead.

Originally, we planned to get that working on phab2001, then use it for the new machines (phab1002, phab2002).

As an intermediate step to that, we're planning to test necessary puppet changes and new scap configuration with the local puppetmaster in devtools.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
scap: Allow deploy user to keep scap3 environment variables with sudooperations/puppetproduction+14 -1
phabricator: Fix sudo env_keep formatoperations/puppetproduction+8 -7
phabricator: use content, not source with a plain fileoperations/puppetproduction+5 -5
phabricator: move scap user sudo defaults to file, fix puppetoperations/puppetproduction+10 -4
phabricator: Allow deploy user to keep scap3 environment variables with sudooperations/puppetproduction+20 -6
checks: Define environment variables for current/done/revs dirsmediawiki/tools/scapmaster+3 -0
scap: set keyholder_key: phabricatorphabricator/deploymentwmf/stable+1 -0
scap: remove tag plugin & asciitable dependencyphabricator/deploymentwmf/stable+5 -329
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a subscriber: Aklapper. ยท View Herald TranscriptJul 18 2022, 6:53 PM
thcipriani updated the task description. (Show Details)Jul 19 2022, 10:45 PM
thcipriani updated the task description. (Show Details)
thcipriani moved this task from Backlog to Ready on the Release-Engineering-Team (The Decommission Mission ๐Ÿ’€) board.Jul 20 2022, 5:39 PM
brennen claimed this task.Jul 20 2022, 5:40 PM
brennen changed the task status from Open to In Progress.Jul 21 2022, 5:39 PM
brennen moved this task from To Triage to Infrastructure on the Phabricator board.

Notes so far:

  • Deploy targets live in scap/phabricator-targets in the repo
  • /srv/phab is a symlink to /srv/deployment/phabricator/deployment
    • This is managed in operations/puppet/modules/phabricator/manifests/init.pp - $phabdir linked to $deploy_root
  • /srv/phab/phabricator/conf
    • conf/* is in .gitignore in the phab repo, so presumably the stuff here won't be present after a scap deploy is run since the target of the /srv/phab symlink is rewritten with a new checkout?
    • But this is $confdir in puppet and there's at least some stuff for writing local/local.json - is this getting applied?

Neglected to add a Bug field, but seeing what happens with this: 816016: scap: target phab2001 for trial run

brennen moved this task from Ready to In progress on the Release-Engineering-Team (The Decommission Mission ๐Ÿ’€) board.Jul 21 2022, 5:39 PM
brennen moved this task from Backlog to Doing/Involved on the User-brennen board.
gerritbot added a comment.Jul 21 2022, 6:22 PM

Change 816027 had a related patch set uploaded (by Brennen Bearnes; author: Brennen Bearnes):

[phabricator/deployment@wmf/stable] scap: remove tag plugin & asciitable dependency

https://gerrit.wikimedia.org/r/816027

gerritbot added a project: Patch-For-Review.Jul 21 2022, 6:22 PM
gerritbot added a comment.Jul 21 2022, 7:30 PM

Change 816027 merged by Brennen Bearnes:

[phabricator/deployment@wmf/stable] scap: remove tag plugin & asciitable dependency

https://gerrit.wikimedia.org/r/816027

brennen mentioned this in rPHDEPf962d0ebd156: scap: remove tag plugin & asciitable dependency.Jul 21 2022, 7:30 PM
Maintenance_bot removed a project: Patch-For-Review.Jul 21 2022, 8:30 PM
brennen added a comment.Jul 22 2022, 7:48 PM

scap deploy -v -l 'phab2001.codfw.wmnet' fails from deploy1002 -

...
Received disconnect from 10.192.32.147 port 22:2: Too many authentication failures                                                                
Disconnected from 10.192.32.147 port 22

There's a phabricator key:

debug1: Will attempt key: /etc/keyholder.d/phabricator

...but I don't think it gets as far as offering this before erroring out.

Dzahn subscribed.Jul 22 2022, 8:11 PM

10.64.32.28 is deploy1002

in the logs on phab2001, looking for connections from deploy1002:

Jul 19 14:23:02 phab2001 sshd[13278]: Connection from 10.64.32.28 port 53702 on 10.192.32.147 port 22
Jul 19 14:23:03 phab2001 sshd[13278]: Accepted key ED25519 ... found at /etc/ssh/userkeys/scap:1

Jul 19 14:23:03 phab2001 sshd[13316]: Starting session: command for scap from 10.64.32.28 port 53702 id 0
Jul 19 14:23:04 phab2001 sshd[13316]: Received disconnect from 10.64.32.28 port 53702:11: disconnected by user
Jul 19 14:23:04 phab2001 sshd[13316]: Disconnected from user scap 10.64.32.28 port 53702

.

Jul 21 22:02:54 phab2001 sshd[27864]: Accepted key ED25519 SHA256:...found at /etc/ssh/userkeys/scap:1
Jul 21 22:02:54 phab2001 sshd[27864]: Accepted publickey for scap from 10.64.32.28 port 54460 ssh2: ED25519 SHA256:...
Jul 21 22:02:54 phab2001 sshd[27864]: pam_unix(sshd:session): session opened for user scap by (uid=0)
Jul 21 22:02:54 phab2001 systemd-logind[967]: New session 34676 of user scap.
Jul 21 22:02:55 phab2001 sshd[27864]: User child is on pid 27887
Jul 21 22:02:55 phab2001 sshd[27887]: Starting session: command for scap from 10.64.32.28 port 54460 id 0
Jul 21 22:02:55 phab2001 sshd[27887]: Received disconnect from 10.64.32.28 port 54460:11: disconnected by user
Jul 21 22:02:55 phab2001 sshd[27887]: Disconnected from user scap 10.64.32.28 port 54460
Jul 21 22:02:55 phab2001 sshd[27864]: pam_unix(sshd:session): session closed for user scap
Dzahn added a comment.Jul 22 2022, 8:15 PM

root@deploy1002:/home/dzahn# ssh -i /etc/keyholder.d/phabricator scap@phab2001.codfw.wmnet

Jul 22 20:12:39 phab2001 sshd[27629]: Failed publickey for scap from 10.64.32.28

Dzahn added a comment.Jul 22 2022, 8:20 PM

For the scap user it would be: ssh -i /etc/keyholder.d/scap scap@phab2001.codfw.wmnet. scap key for scap user.

but that one has:

Load key "/etc/keyholder.d/scap": bad permissions..will be ignored.

if you do it as root

Dzahn added a comment.EditedJul 22 2022, 8:34 PM

This is how it actually works, using the AUTH_SOCK from keyholder, and using the correct "phab-deploy" user and not trying it as root:

[deploy1002:~] $ SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh -oIdentitiesOnly=yes -oIdentityFile=/etc/keyholder.d/phabricator phab-deploy@phab2001.codfw.wmnet

Linux phab2001 4.19.0-20-amd64 #1 SMP Debian 4.19.235-1 (2022-03-17) x86_64
Debian GNU/Linux 10 (buster)
phab2001 is a Phabricator (Main) Server (phabricator)
Backed up on this host: srv-repos

login as deployment user from deploy1002 to phab2001, with keyholder

Dzahn added a comment.Jul 22 2022, 8:38 PM

@brennen Seems to me the issue is it's trying to connect as "scap" but it should use "phab-deploy" user. Then it should work together with the AUTH_SOCK that is the loded /etc/keyholder.d/phabricator key.

gerritbot added a comment.Jul 22 2022, 9:13 PM

Change 816223 had a related patch set uploaded (by Brennen Bearnes; author: Brennen Bearnes):

[phabricator/deployment@wmf/stable] scap: set keyholder_key: phabricator

https://gerrit.wikimedia.org/r/816223

gerritbot added a project: Patch-For-Review.Jul 22 2022, 9:13 PM

Change 816223 merged by Brennen Bearnes:

[phabricator/deployment@wmf/stable] scap: set keyholder_key: phabricator

https://gerrit.wikimedia.org/r/816223

brennen mentioned this in rPHDEP8a7d4bf15d90: scap: set keyholder_key: phabricator.Jul 22 2022, 9:16 PM
brennen mentioned this in T313624: scap should have a better error message when it can't find keyholder key.Jul 22 2022, 9:22 PM
Maintenance_bot removed a project: Patch-For-Review.Jul 22 2022, 9:30 PM
brennen updated the task description. (Show Details)Jul 26 2022, 5:18 PM
brennen added a subscriber: jeena.Jul 26 2022, 11:14 PM

Paired with @jeena today experimenting with scap3 command checks for service restarts and database migrations, will try to finish bashing out a patch for that tomorrow, then I think it's mostly the config files to worry about.

dduvall updated the task description. (Show Details)Jul 27 2022, 4:42 PM
dduvall updated the task description. (Show Details)Jul 27 2022, 4:45 PM
dduvall updated the task description. (Show Details)Jul 27 2022, 4:55 PM
dduvall updated the task description. (Show Details)
dduvall updated the task description. (Show Details)Jul 27 2022, 4:58 PM
dduvall changed the status of subtask T313950: Move Phabricator configuration into deployment repo from Open to In Progress.Jul 27 2022, 5:02 PM
dduvall merged a task: T313951: Puppetize Phabricator config secrets.Jul 27 2022, 10:47 PM
dduvall reopened subtask T313951: Puppetize Phabricator config secrets as Open.
dduvall subscribed.
brennen updated the task description. (Show Details)Jul 29 2022, 7:36 PM
dduvall changed the status of subtask T314195: Configure keyholder on devtools deploy host for phabricator deployment from Open to In Progress.Aug 1 2022, 4:26 PM
thcipriani edited projects, added Release-Engineering-Team (Bonus Level ๐Ÿ•น๏ธ); removed Release-Engineering-Team (The Decommission Mission ๐Ÿ’€).Aug 16 2022, 7:57 PM
thcipriani moved this task from Backlog to In progress on the Release-Engineering-Team (Bonus Level ๐Ÿ•น๏ธ) board.Aug 16 2022, 7:58 PM
brennen closed subtask T314195: Configure keyholder on devtools deploy host for phabricator deployment as Resolved.Aug 22 2022, 4:14 PM
gerritbot added a comment.Aug 31 2022, 6:15 PM

Change 828619 had a related patch set uploaded (by Dduvall; author: Dduvall):

[mediawiki/tools/scap@master] checks: Define environment variables for current/done/revs dirs

https://gerrit.wikimedia.org/r/828619

gerritbot added a project: Patch-For-Review.Aug 31 2022, 6:15 PM
gerritbot added a comment.Aug 31 2022, 7:29 PM

Change 828619 merged by jenkins-bot:

[mediawiki/tools/scap@master] checks: Define environment variables for current/done/revs dirs

https://gerrit.wikimedia.org/r/828619

Maintenance_bot removed a project: Patch-For-Review.Aug 31 2022, 7:30 PM
dduvall closed subtask T313950: Move Phabricator configuration into deployment repo as Resolved.Sep 7 2022, 3:08 PM
gerritbot added a comment.Sep 7 2022, 7:31 PM

Change 830682 had a related patch set uploaded (by Dduvall; author: Dduvall):

[operations/puppet@production] phabricator: Allow deploy user to preserve environment when sudoing

https://gerrit.wikimedia.org/r/830682

gerritbot added a project: Patch-For-Review.Sep 7 2022, 7:31 PM
gerritbot added a comment.Sep 12 2022, 11:05 PM

Change 831634 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] phabricator: Allow deploy user to keep scap3 environment variables with sudo

https://gerrit.wikimedia.org/r/831634

gerritbot added a comment.Sep 12 2022, 11:14 PM

Change 831634 merged by Dzahn:

[operations/puppet@production] phabricator: Allow deploy user to keep scap3 environment variables with sudo

https://gerrit.wikimedia.org/r/831634

gerritbot added a comment.Sep 13 2022, 12:04 AM

Change 831637 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] phabricator: move scap user sudo defaults to file, fix puppet

https://gerrit.wikimedia.org/r/831637

gerritbot added a comment.Sep 13 2022, 12:11 AM

Change 831637 merged by Dzahn:

[operations/puppet@production] phabricator: move scap user sudo defaults to file, fix puppet

https://gerrit.wikimedia.org/r/831637

gerritbot added a comment.Sep 13 2022, 12:14 AM

Change 831638 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] phabricator: use content, not source with a plain file

https://gerrit.wikimedia.org/r/831638

gerritbot added a comment.Sep 13 2022, 12:15 AM

Change 831638 merged by Dzahn:

[operations/puppet@production] phabricator: use content, not source with a plain file

https://gerrit.wikimedia.org/r/831638

gerritbot added a comment.Sep 13 2022, 9:01 PM

Change 831965 had a related patch set uploaded (by Dduvall; author: Dduvall):

[operations/puppet@production] phabricator: Fix sudo env_keep format

https://gerrit.wikimedia.org/r/831965

gerritbot added a comment.Sep 13 2022, 10:41 PM

Change 831965 merged by Dzahn:

[operations/puppet@production] phabricator: Fix sudo env_keep format

https://gerrit.wikimedia.org/r/831965

Dzahn added a comment.Sep 13 2022, 11:59 PM

We now have the following sudo config on all Phabricator servers:

any command as phab-deploy:

cat /etc/sudoers.d/scap_phab-deploy 
# This file is managed by Puppet!

phab-deploy ALL=(phab-deploy) NOPASSWD: ALL

the deploy commands as root run by phab-deploy:

cat /etc/sudoers.d/scap_sudo_rules_phab-deploy_phabricator_deployment 
# This file is managed by Puppet!

phab-deploy ALL=(root) NOPASSWD: /usr/local/sbin/phab_deploy_config_deploy
phab-deploy ALL=(root) NOPASSWD: /usr/local/sbin/phab_deploy_promote
phab-deploy ALL=(root) NOPASSWD: /usr/local/sbin/phab_deploy_rollback
phab-deploy ALL=(root) NOPASSWD: /usr/local/sbin/phab_deploy_finalize

allow keeping the scap related env variables (but only those, not everything!)

cat /etc/sudoers.d/scap_sudo_defaults 
Defaults:phab-deploy env_keep+="SCAP_REVS_DIR SCAP_FINAL_PATH SCAP_REV_PATH SCAP_CURRENT_REV_DIR SCAP_DONE_REV_DIR"

Tested like this:

  • temp replaced content of /usr/local/sbin/phab_deploy_config_deploy with just 'echo $SCAP_REVS_DIR'
  • become phab-deploy and export $SCAP_REVS_DIR

phab-deploy@phab2001:/$ export SCAP_REVS_DIR="/tmp"

  • run the "fake deploy config" command with sudo:

phab-deploy@phab2001:/$ sudo /usr/local/sbin/phab_deploy_config_deploy

exported value is here:

/tmp
Dzahn mentioned this in T313953: Scap3-ify Phabricator.Sep 14 2022, 12:04 AM
Dzahn updated the task description. (Show Details)
Dzahn added a comment.Sep 14 2022, 12:08 AM

I edited the check boxes a bit (there is no phab1002, instead there is phab1004, phab2002 can be used for testing first, phab2001 you can skip unless you want more test hosts). I think we can:

  • ignore phab2001 (whatever, we could decom it now and wouldn't be a big difference)
  • deploy to phab2002 (nothing much can go wrong)
  • deploy to phab1004 (nothing much can go wrong)
  • double check everything
  • deploy to phab1001 (actual prod host, carefully)
dduvall closed subtask T313953: Scap3-ify Phabricator as Resolved.Sep 14 2022, 3:39 PM
dduvall added a comment.Sep 14 2022, 10:38 PM

Here's the result of a recent test deploy to phab2002:

[...]
returned [1]: Executing check 'finalize'
Check 'finalize' failed: 
   ->Running puppet...
Notice: Skipping run of Puppet configuration client; administratively disabled (Reason: 'phabricator deployment - phab-deploy');                                         
Use 'puppet agent --enable' to re-enable.

   ->Applying storage migrations
[2022-09-14 21:37:44] PHLOG: 'Retrying database connection to "m3-slave.codfw.wmnet" after connection failure (attempt 1; "AphrontConnectionQueryException"; error #2002):
 Attempt to connect to phabricatorphd@m3-slave.codfw.wmnet failed with error #2002: Connection timed out.' at [/srv/deployment/phabricator/deployment-cache/revs/3137c9217
337d2b6fd1312f328f7e366abbf0d75/phabricator/src/infrastructure/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:136]                                      
[2022-09-14 21:37:45] PHLOG: 'Retrying database connection to "m3-slave.codfw.wmnet" after connection failure (attempt 2; "AphrontConnectionQueryException"; error #2002):
 Attempt to connect to phabricatorphd@m3-slave.codfw.wmnet failed with error #2002: Connection timed out.' at [/srv/deployment/phabricator/deployment-cache/revs/3137c9217
337d2b6fd1312f328f7e366abbf0d75/phabricator/src/infrastructure/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:136]                                      
MySQL Credentials Not Configured

Unable to connect to MySQL using the configured credentials. You must
configure standard credentials before you can upgrade storage. Run these
commands to set up credentials:

  $ ./bin/config set mysql.host __host__
  $ ./bin/config set mysql.user __username__
  $ ./bin/config set mysql.pass __password__

These standard credentials are separate from any administrative credentials
provided to this command with __--user__ or __--password__, and must be
configured correctly before you can proceed.

Raw MySQL Error: Attempt to connect to phabricatorphd@m3-slave.codfw.wmnet
failed with error #2002: Connection timed out.

   ->Restarting PHD
Job for phd.service failed because the control process exited with error code.
See "systemctl status phd.service" and "journalctl -xe" for details.

   ->Reloading apache

   ->Enabling puppet agent

   ->Verifying database status

<13>Sep 14 21:38:51 phab-deploy: >>>ERROR: Phabricator storage is in a bad state.


phabricator/deployment: finalize stage(s): 100% (in-flight: 0; ok: 0; fail: 1; left: 0) |                                                                                
21:38:51 1 targets had deploy errors
21:38:51 1 targets failed
21:38:51 Finished deploy [phabricator/deployment@3137c92]: testing phabricator deployment to phab2002 (duration: 01m 48s)                                                
21:38:51 Finished deploy [phabricator/deployment@3137c92] (duration: 01m 48s)

I verified manually that this is indeed a timeout to m3-slave.codfw.wmnet and not invalid credentials (well, we don't know that yet).

Dzahn added a comment.Sep 14 2022, 10:47 PM
In T313259#8237860, @dduvall wrote:

I verified manually that this is indeed a timeout to m3-slave.codfw.wmnet and not invalid credentials (well, we don't know that yet).

Thanks for the report. We had been told to use -slave and that there should now be misc cluster in codfw, as opposed to the past when this did not exist.

I will go back to DBA and ask why that does not seem to be the case.

Dzahn added a comment.Sep 14 2022, 10:56 PM

It seems like we are not supposed to use default port 3306 but one of 3321 or 3322 (judging by the iptables rules on db2160). Now figuring out which one.

Dzahn added a parent task: T280597: move phabricator to new hardware generation.Sep 14 2022, 11:17 PM
Dzahn added a comment.EditedSep 14 2022, 11:20 PM

It's port 3323. Determined with ps aux and netstat (there are multiple mysql daemons per host).

reopening T315713 because I could confirm that this works:

mysql -h m3-slave.eqiad.wmnet -P 3323 -u phstats -D phabricator_project -p

but the equivalent in codfw does not:

mysql -h m3-slave.codfw.wmnet -P 3323 -u phstats -D phabricator_project -p

ERROR 1045 (28000): Access denied for user 'phstats'@'10.192.32.54' (using password: YES)

It does not work from phab2001 either.

Looks like we need to care about mysql GRANTS after all but only in codfw but not in eqiad. Because using m3-master means going via dbproxy* and using m3-slave means connecting directly to a db host.

Dzahn added a comment.Sep 14 2022, 11:41 PM

So modules/profile/templates/mariadb/grants/production-m3.sql.erb has 259 lines and basically all of it are phab related GRANTs.

Some for db some for dbproxy, multiple users, multiple databases.

All of that is needed but for the new IPs and we need to figure out which proxy to use if any.

Dzahn added a comment.Sep 16 2022, 10:14 PM

Please also see T315713#8243258 and try one more time.

Dzahn added a comment.Sep 16 2022, 10:30 PM

Nevermind, I don't think it's going to work yet, reopened T315713#8243271

gerritbot added a comment.Sep 23 2022, 5:27 PM

Change 830682 abandoned by Dduvall:

[operations/puppet@production] scap: Allow deploy user to keep scap3 environment variables with sudo

Reason:

Superseded by Ie44a16e6b6d883d67279f23ddf7adba7509c05b7

https://gerrit.wikimedia.org/r/830682

thcipriani edited projects, added Release-Engineering-Team (Priority Backlog ๐Ÿ“ฅ); removed Release-Engineering-Team (Bonus Level ๐Ÿ•น๏ธ).Nov 14 2022, 1:49 PM
brennen closed subtask T313954: Ensure phab1004/phab2002 are scap3 targets as Resolved.Nov 23 2022, 10:36 PM
brennen closed this task as Resolved.Nov 30 2022, 3:48 AM
brennen moved this task from Doing/Involved to Done or Declined on the User-brennen board.

phab1004 is now the production Phabricator instance, deployed from scap.

thcipriani awarded a token.Nov 30 2022, 4:17 PM
gerritbot added a comment.Dec 8 2022, 10:35 PM

Related commit f962d0eb pushed by brennen (author: Brennen Bearnes):

[ repos/phabricator/deployment@wmf/stable ] scap: remove tag plugin & asciitable dependency

gerritbot added a comment.Dec 8 2022, 10:35 PM

Related commit 8a7d4bf1 pushed by brennen (author: Brennen Bearnes):

[ repos/phabricator/deployment@wmf/stable ] scap: set keyholder_key: phabricator

Aklapper closed subtask T313956: Document scap3 deployment of Phabricator as Resolved.Oct 19 2023, 10:35 AM
Maintenance_bot removed a project: Patch-For-Review.Oct 19 2023, 11:10 AM
Dzahn awarded a token.Nov 3 2023, 5:24 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. ยท Wikimedia Foundation ยท Privacy Policy ยท Code of Conduct ยท Terms of Use ยท Disclaimer ยท CC-BY-SA ยท GPL ยท Credits