WMCS cookbooks are currently run by the WMCS team from their own laptops. We would like to run them from a Cumin server in a similar way to production cookbooks.
This is a tracking task of the agreed work between the Cloud-Services team and the Infrastructure-Foundations one.
I've grouped the work based on affected areas. We can open subtasks as needed.
✅ Improve the laptop local environment
T319426 Add ssh socks5 proxy support (blocks removing duplication) (1 day)
✅ New WMCS cookbooks repository
- Create new repo or reuse wmcs-cookbooks (done! https://gerrit.wikimedia.org/r/admin/repos/cloud%2Fwmcs-cookbooks) (0 days :} )
T319436 Import into the new repo the code, splitting libs from cookbooks (½ day)
✅ Set up the production infrastructure
T323516, T323518 Create cloud cumin ganeti hosts, 2 VMs, one per DC (½ day)
- Set up dedicated SSH config for the double jump in cloud (½ day) (patch)
✅ Spicerack improvements
- Add module injection support (2 days) (patch)
- Add register of accessors support (2 days) (patch)
- Add sudo everywhere (1w, might be less) [not needed for the current setup]
T325168 Load cookbooks from multiple directories (2 days)
✅ Set up the Cloud infrastructure
T323483 Define which SSH key to use to SSH from the new cloud-cumin to hosts
T323484 Fine tune the SSHd config of the restricted bastion for better performances (½ day)
✅ Misc
T325756 Allow wmcs cookbooks running on cloudcuminXXXX to write to the SAL (1~2w)
T325754 Update Spicerack documentation
Postponed to later
We could not complete the following tasks as part of this epic, and they can be postponed as they are not a blocker for the main goal of running WMCS cookbooks from the new cloudcumin hosts.
T319438 Remove code duplication (alertmanager) (1w)
T319450 Move the libs to spicerack modules (2w this might be really easy though, depending on the module solution)
T325067 Decide sudoers rules for users without global root
T325758 Spicerack: Add CI step to test with wmcs cookbooks (1w)
T322511 [spicerack][alertmanager] support silencing alerts without instance label