Page MenuHomePhabricator

Prompted for sudo password during deployment
Closed, ResolvedPublic


During a recent backport window, I was not able finish syncing during deployment as I was prompted for a sudo password.

Screen Shot 2022-11-23 at 2.13.20 PM.png (1×1 px, 253 KB)

This was also the case for another engineer with deployment privileges.

Affected users:

Event Timeline

brennen added a subscriber: brennen.

Confirming this is reproducible for the mentioned users. I was able to run scap backport without incident.

I'm guessing something like a missing group for sudo, although nothing here stands out to me as obvious:

21:38:13 brennen@deploy1002 ~ $ groups cjming
cjming : wikidev deployment
21:41:12 brennen@deploy1002 ~ $ groups brennen
brennen : wikidev deployment deploy-phabricator gerrit-deployers zuul-deployers contint-admins deployment-ci-admins

I'll poke around a bit.

The sudoer rule allowing 'ALL = (mwbuilder) NOPASSWD: /usr/local/bin/update-mediawiki-tools-release' is attached to the deployment-ci-admins group in ops/puppet.git:modules/admin/data/data.yaml.

Yep, that sure seems like it'd do it.

@jnuche I'm guessing this is a side effect of rOPUP77bcab706ae7: scap.cfg: enable image building in production cluster?

From #wikimedia-releng:

<bd808> that script looks pretty boring -- -- so I'd guess the sudoers rule can be attached to the deployers group without a lot of controversy

Seems reasonable...

Change 860121 had a related patch set uploaded (by Brennen Bearnes; author: Brennen Bearnes):

[operations/puppet@production] sudo: add update-mediawiki-tools release to deployers

Change 860121 merged by Giuseppe Lavagetto:

[operations/puppet@production] k8s builder: allow deployers to sudo update-mediawiki-tools-release

brennen claimed this task.

Seems like this ought to be fixed.