During a recent backport window, I was not able to finish syncing during deployment as I was prompted for a sudo password.
This was also the case for another engineer with deployment privileges.
Affected users:
cjming
jan_drewniak
Subject | Repo | Branch | Lines +/-
---|---|---|---
k8s builder: allow deployers to sudo update-mediawiki-tools-release | operations/puppet | production | +6 -2
Confirming this is reproducible for the mentioned users. I was able to run scap backport without incident.
I'm guessing something like a missing group for sudo, although nothing here stands out to me as obvious:
```
21:38:13 brennen@deploy1002 ~ $ groups cjming
cjming : wikidev deployment
21:41:12 brennen@deploy1002 ~ $ groups brennen
brennen : wikidev deployment deploy-phabricator gerrit-deployers zuul-deployers contint-admins deployment-ci-admins
```
I'll poke around a bit.
The sudoer rule allowing 'ALL = (mwbuilder) NOPASSWD: /usr/local/bin/update-mediawiki-tools-release' is attached to the deployment-ci-admins group in ops/puppet.git:modules/admin/data/data.yaml.
Yep, that sure seems like it'd do it.
@jnuche I'm guessing this is a side effect of rOPUP77bcab706ae7: scap.cfg: enable image building in production cluster?
From #wikimedia-releng:
<bd808> that script looks pretty boring -- https://gerrit.wikimedia.org/g/operations/puppet/+/bb46a57262c553cf5822fd7bd06bffd9252d2399/modules/profile/manifests/kubernetes/deployment_server/mediawiki/builder.pp#34 -- so I'd guess the sudoers rule can be attached to the deployers group without a lot of controversy
Seems reasonable...
Change 860121 had a related patch set uploaded (by Brennen Bearnes; author: Brennen Bearnes):
[operations/puppet@production] sudo: add update-mediawiki-tools release to deployers
Change 860121 merged by Giuseppe Lavagetto:
[operations/puppet@production] k8s builder: allow deployers to sudo update-mediawiki-tools-release
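
The gap diagnosed in this task can be audited before a deployment window by comparing each deployer's groups against the groups that carry the NOPASSWD rule. The following is an added example, not code from the task or from operations/puppet: the group-to-privilege mappings are constructed, the parser covers only the simple rule shape quoted above, and it assumes the fix attaches the rule to the `deployment` group.

```python
import re

# Privilege shape quoted in the task: 'ALL = (runas) TAG: command[, command]'
SPEC_RE = re.compile(
    r"^\s*\S+\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_spec(spec):
    """Split one privilege string into (run-as users, tags, commands)."""
    m = SPEC_RE.match(spec)
    if m is None:
        raise ValueError(f"unparseable privilege: {spec!r}")
    runas = {u.strip() for u in m["runas"].split(",") if u.strip()}
    tags = set(re.findall(r"[A-Z]+", m["tags"]))
    cmds = {c.strip() for c in m["cmds"].split(",")}
    return runas, tags, cmds

def passwordless(user_groups, group_privs, runas, command):
    """Groups that let a member run `command` as `runas` without a password."""
    granting = []
    for group in user_groups:
        for spec in group_privs.get(group, []):
            users, tags, cmds = parse_spec(spec)
            if ((runas in users or "ALL" in users) and "NOPASSWD" in tags
                    and (command in cmds or "ALL" in cmds)):
                granting.append(group)
                break
    return granting

def blocked_users(membership, group_privs, runas, command, deploy_group):
    """Members of `deploy_group` who would be prompted for a sudo password."""
    return sorted(user for user, groups in membership.items()
                  if deploy_group in groups
                  and not passwordless(groups, group_privs, runas, command))

CMD = "/usr/local/bin/update-mediawiki-tools-release"
RULE = f"ALL = (mwbuilder) NOPASSWD: {CMD}"
MEMBERSHIP = {  # taken from the `groups` output in the task
    "cjming": ["wikidev", "deployment"],
    "brennen": ["wikidev", "deployment", "deploy-phabricator", "gerrit-deployers",
                "zuul-deployers", "contint-admins", "deployment-ci-admins"],
}
# Constructed mappings; the real data lives in modules/admin/data/data.yaml.
BEFORE = {"deployment-ci-admins": [RULE]}
AFTER = {"deployment-ci-admins": [RULE], "deployment": [RULE]}  # assumed fix

if __name__ == "__main__":
    for label, privs in (("before", BEFORE), ("after", AFTER)):
        print(label, blocked_users(MEMBERSHIP, privs, "mwbuilder", CMD, "deployment"))
```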