- Ensure that scap deploy works from deploy1002:/srv/deployment/phabricator/deployment
- systemctl stop phd prior to update, systemctl start phd afterwards. (Done in check script.)
- There are currently a /srv/phab/libphutil and /srv/phab/libext/security on phab1001. These are untracked and according to READMEs in both, I don't think they're doing anything, but we should make sure.
  - Going to take READMEs and repo contents at face value here.
  - Both have remote repos.
- Symlink /srv/phab/repos to /srv/repos
  - Does anything actually use this? Config has "repository.default-local-path": "/srv/repos"... Seems like no.
- Run storage migrations after code updates with /usr/local/sbin/phab_deploy_finalize - this is puppetized and should already be available on phab2001.
- Check that migrations are actually being run
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Dzahn | T280597 move phabricator to new hardware generation
Resolved | | brennen | T313259 Deploy Phabricator with scap
Resolved | | dduvall | T313953 Scap3-ify Phabricator
Event Timeline
We were experimenting with something like this for managing services and migrations yesterday, in scap/checks.yaml:
```yaml
checks:
  stop_services:
    type: command
    stage: fetch
    command: "systemctl stop phd && systemctl stop apache2 && systemctl stop php7.3-fpm"
    timeout: 120
  finalize_deploy:
    type: script
    stage: promote
    command: "/usr/local/sbin/phab_deploy_finalize"
    timeout: 3600
```
Notes:
- checks are run after their specified stage
- My model of this is that using scap's builtin service_name to specify a service to restart after the promote stage won't work here, because what we want is to:
  - stop services
  - swap in new code
  - make sure config is in place
  - run any storage migrations
  - restart services
- checks.yaml has to be committed to the repo to be run on deploy, since it's run from the target
- I'm not sure if the systemctl stop phd && systemctl stop apache2 && systemctl stop php7.3-fpm pattern will work since I don't know if the command actually hits a shell or what. If not, maybe that needs to be changed to a type: script check.
- /usr/local/sbin/phab_deploy_finalize is managed by Puppet, since it needs access to the MySQL password secret.
Further experimented with checks.yaml and got PermissionErrors because there's a root-owned symlink in each checkout, put in place by puppet. We'll need to clear out everything puppet manages this way in order to make scap deployments viable.
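The ownership condition behind those PermissionErrors can be audited before a deploy. The script below is an added example, not code from this task or from the phabricator/deployment repo; the function names and the way the checkout path and deploy user are passed in are assumptions.

```sh
#!/bin/sh
# Added example: report everything under a deploy checkout that the deploy
# user does not own (for instance a root-owned symlink placed by Puppet).
# Function names and arguments are assumptions made for this sketch.

# foreign_owned DIR OWNER
#   Prints one path per entry under DIR whose owner is not OWNER (a user
#   name or numeric uid). find does not follow symlinks by default, so a
#   link is judged by its own owner rather than by its target's owner.
foreign_owned() {
    find "$1" ! -user "$2" -print
}

# audit_checkout DIR OWNER
#   Returns 0 when every entry is owned by OWNER, 1 when something is not,
#   and 2 when the tree could not be scanned (fail closed, never "clean").
audit_checkout() {
    found=$(foreign_owned "$1" "$2") || return 2
    if [ -n "$found" ]; then
        printf 'not owned by %s:\n%s\n' "$2" "$found" >&2
        return 1
    fi
    return 0
}

# Usage when run directly: audit.sh /path/to/checkout deploy-user
if [ "$#" -eq 2 ]; then
    audit_checkout "$1" "$2"
fi
```

Run against each rev directory with the deploy user's name; any path it prints is something scap will not be able to replace or remove as that user.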
Change 818231 had a related patch set uploaded (by Brennen Bearnes; author: Brennen Bearnes):
[phabricator/deployment@wmf/stable] scap: stub out a checks.yaml
Change 820213 had a related patch set uploaded (by Dduvall; author: Dduvall):
[operations/puppet@production] phabricator: Stop managing /srv/phab/repos
Change 820213 merged by Dzahn:
[operations/puppet@production] phabricator: Stop managing /srv/phab/repos
Change 818231 merged by Brennen Bearnes:
[phabricator/deployment@wmf/stable] scap: stub out a checks.yaml
Change 822688 had a related patch set uploaded (by Brennen Bearnes; author: Brennen Bearnes):
[phabricator/deployment@wmf/stable] scap: add permission mangling, reorder checks
Change 824547 had a related patch set uploaded (by Brennen Bearnes; author: Brennen Bearnes):
[operations/puppet@production] phabricator: remove phab_deploy_ensure_config_ownership.sh
Change 824547 merged by Dzahn:
[operations/puppet@production] phabricator: remove phab_deploy_ensure_config_ownership.sh
Mentioned in SAL (#wikimedia-operations) [2022-08-18T22:53:23Z] <mutante> phab1001, phab2001: sudo rm /usr/local/sbin/phab_deploy_ensure_config_ownership (follow-up gerrit:824547 T313953)
Change 822688 merged by Brennen Bearnes:
[phabricator/deployment@wmf/stable] scap: add permission mangling, reorder checks
Change 825911 had a related patch set uploaded (by Brennen Bearnes; author: Brennen Bearnes):
[phabricator/deployment@wmf/stable] scap: separate new rev perms from old rev perm cleanup
Change 828654 had a related patch set uploaded (by Dduvall; author: Dduvall):
[operations/puppet@production] phabricator: Reintroduce script to ensure correct config ownership/perms
Change 828655 had a related patch set uploaded (by Dduvall; author: Dduvall):
[phabricator/deployment@wmf/stable] Run all puppetized deploy scripts as checks
Change 828654 merged by Dzahn:
[operations/puppet@production] phabricator: Reintroduce script to ensure correct config ownership/perms
Change 829063 had a related patch set uploaded (by Dduvall; author: Dduvall):
[operations/puppet@production] phabricator: Deploy user should own everything under old rev directories
Change 829063 merged by Dzahn:
[operations/puppet@production] phabricator: Deploy user should own everything under old rev directories
Change 830234 had a related patch set uploaded (by Dduvall; author: Dduvall):
[operations/puppet@production] phabricator: Add missing line continuation to phab_deploy_promote
Change 830234 merged by Dzahn:
[operations/puppet@production] phabricator: Add missing line continuation to phab_deploy_promote
Change 830241 had a related patch set uploaded (by Dduvall; author: Dduvall):
[operations/puppet@production] phabricator: Include scap "done" rev in pre-finalize permissions reset
Change 830241 merged by Dzahn:
[operations/puppet@production] phabricator: Include scap "done" rev in pre-finalize permissions reset
Change 828655 merged by Dduvall:
[phabricator/deployment@wmf/stable] Run all puppetized deploy scripts as checks
Change 831944 had a related patch set uploaded (by Dduvall; author: Dduvall):
[phabricator/deployment@wmf/stable] scap: Remove use of --preserve-env for sudo'd scripts
Change 831944 merged by Dduvall:
[phabricator/deployment@wmf/stable] scap: Remove use of --preserve-env for sudo'd scripts
Change 825911 abandoned by Brennen Bearnes:
[phabricator/deployment@wmf/stable] scap: separate new rev perms from old rev perm cleanup
Reason:
Superseded.
Related commit fe89eda9 pushed by brennen (author: Brennen Bearnes):
[ repos/phabricator/deployment@wmf/stable ] scap: stub out a checks.yaml
Related commit 53e8c5d7 pushed by brennen (author: Brennen Bearnes):
[ repos/phabricator/deployment@wmf/stable ] scap: add permission mangling, reorder checks
Related commit a7616e67 pushed by brennen (author: Dan Duvall):
[ repos/phabricator/deployment@wmf/stable ] Run all puppetized deploy scripts as checks
Related commit 9bcfc9e6 pushed by brennen (author: Dan Duvall):
[ repos/phabricator/deployment@wmf/stable ] scap: Remove use of --preserve-env for sudo'd scripts