Page MenuHomePhabricator
Create Task
Maniphest T324659

contint2002 service implementation tracking
Open, In Progress, MediumPublic
Actions

Description

This is to track the service implement of serviceops host contint2002 which is the primary CI server with Jenkins/Zuul etc. It is done independently from contint1002 which is simpler (T313832).

topic branch https://gerrit.wikimedia.org/r/q/topic:contint2002

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+2 -0jenkins: switch to fixed uid/gid 924
operations/puppetproduction+2 -0zuul: switch to fixed uid/gid 923
operations/puppetproduction+34 -0admin: reserve jenkins and zuul uid/gid
operations/puppetproduction+1 -1ci: in /srv only migrate /srv/jenkins
operations/puppetproduction+53 -67ci: indicate which server is the control server via a hiera param
operations/puppetproduction+14 -14ci: rename ci::master role to ci
operations/puppetproduction+181 -172ci: split contint hosts to different roles
operations/puppetproduction+3 -0scap: add contint2002 to ci-docroot, jenkins, zuul deploy
labs/privatemaster+16 -0ci: add secreats for ci::manager and ci::worker roles
operations/puppetproduction+17 -2zuul: disable monitoring for disabled merger service
operations/puppetproduction+16 -10ci::master: add parameter to enable/disable monitoring of jenkins/httpd
operations/puppetproduction+9 -1site: add contint2002 to ci::master role
operations/puppetproduction+0 -4site: remove superfluous insetup role for contint2002
operations/puppetproduction+32 -33zuul: fix up service enable and ensure
operations/puppetproduction+1 -1elasticsearch/relforge: add contint2002 to cirrus::ferm_srange
operations/puppetproduction+3 -1ci: add contint2002 to firewall, jenkins and zuul-merger
operations/puppetproduction+2 -2ci: add contint2002 to zuul_merger firewall, ferm_srange
operations/puppetproduction+1 -0ci: add contint2002 as a rsync destination host
operations/puppetproduction+1 -1ci/zuul: switch gearman server from contint2001 to contint2002
operations/puppetproduction+8 -0cloud: allow VMs to connect to contint1002 and contint2002
operations/puppetproduction+1 -0docker_registry_ha: add contint2002 to image builder hosts
operations/puppetproduction+1 -2ci: make contint2002 the new rsync source, remove contint2001
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

hashar created this task.Dec 7 2022, 10:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 7 2022, 10:46 AM
hashar mentioned this in T294276: contint hardware refresh.Dec 7 2022, 10:47 AM
hashar added subtasks: Unknown Object (Task), T313830: Q1:rack/setup/install contint1002.Dec 7 2022, 10:49 AM
hashar added a parent task: T294276: contint hardware refresh.Dec 7 2022, 10:53 AM
hashar mentioned this in T256422: switch contint prod server back from contint2001 to contint1001.Dec 7 2022, 8:09 PM
LSobanski triaged this task as Medium priority.Dec 12 2022, 4:55 PM
LSobanski moved this task from Incoming to Backlog on the serviceops-collab board.
gerritbot added a comment.Dec 13 2022, 4:49 PM

Change 867670 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] scap: add contint2002 to ci-docroot, jenkins, zuul deploy

https://gerrit.wikimedia.org/r/867670

gerritbot added a project: Patch-For-Review.Dec 13 2022, 4:49 PM
gerritbot added a comment.Dec 13 2022, 4:55 PM

Change 867673 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] site: add contint2002 to ci::master role

https://gerrit.wikimedia.org/r/867673

gerritbot added a comment.Dec 13 2022, 8:12 PM

Change 867675 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] cloud: allow VMs to connect to contint1002 and contint2002

https://gerrit.wikimedia.org/r/867675

gerritbot added a comment.Dec 13 2022, 8:41 PM

Change 867703 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] ci: add contint2002 to firewall, jenkins and zuul-merger

https://gerrit.wikimedia.org/r/867703

gerritbot added a comment.Dec 13 2022, 8:44 PM

Change 867705 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] ci/zuul: switch gearman server from contint2001 to contint2002

https://gerrit.wikimedia.org/r/867705

Dzahn moved this task from Backlog to Work in Progress on the serviceops-collab board.Dec 13 2022, 8:47 PM
gerritbot added a comment.Dec 13 2022, 8:49 PM

Change 867708 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] docker_registry_ha: add contint2002 to image builder hosts

https://gerrit.wikimedia.org/r/867708

gerritbot added a comment.Dec 13 2022, 8:54 PM

Change 867710 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] ci: add contint2002 to zuul_merger firewall, ferm_srange

https://gerrit.wikimedia.org/r/867710

Dzahn added a subscriber: Dzahn.Dec 13 2022, 8:55 PM

one topic branch for an overview of these changes:

https://gerrit.wikimedia.org/r/q/topic:contint2002

Dzahn updated the task description. (Show Details)Dec 13 2022, 8:55 PM
gerritbot added a comment.Dec 13 2022, 8:58 PM

Change 867711 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] ci: add contint2002 as an migration rsync source host

https://gerrit.wikimedia.org/r/867711

gerritbot added a comment.Dec 13 2022, 9:05 PM

Change 867712 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] ci: make contint2002 the new rsync source, remove contint2001

https://gerrit.wikimedia.org/r/867712

gerritbot added a comment.Dec 13 2022, 9:06 PM

Change 867714 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] elasticsearch/relforge: add contint2002 to cirrus::ferm_srange

https://gerrit.wikimedia.org/r/867714

gerritbot added a comment.Dec 15 2022, 8:06 PM

Change 867708 merged by Dzahn:

[operations/puppet@production] docker_registry_ha: add contint2002 to image builder hosts

https://gerrit.wikimedia.org/r/867708

gerritbot added a comment.Dec 15 2022, 9:38 PM

Change 867675 merged by Dzahn:

[operations/puppet@production] cloud: allow VMs to connect to contint1002 and contint2002

https://gerrit.wikimedia.org/r/867675

LSobanski assigned this task to Dzahn.Jan 17 2023, 4:45 PM
gerritbot added a comment.Jan 20 2023, 6:55 PM

Change 867711 merged by Dzahn:

[operations/puppet@production] ci: add contint2002 as a rsync destination host

https://gerrit.wikimedia.org/r/867711

gerritbot added a comment.Jan 20 2023, 7:28 PM

Change 867710 merged by Dzahn:

[operations/puppet@production] ci: add contint2002 to zuul_merger firewall, ferm_srange

https://gerrit.wikimedia.org/r/867710

gerritbot added a comment.Jan 20 2023, 7:31 PM

Change 867703 merged by Dzahn:

[operations/puppet@production] ci: add contint2002 to firewall, jenkins and zuul-merger

https://gerrit.wikimedia.org/r/867703

LSobanski moved this task from Work in Progress to Backlog on the serviceops-collab board.Feb 6 2023, 4:40 PM
gerritbot added a comment.Feb 8 2023, 6:59 PM

Change 867714 merged by Dzahn:

[operations/puppet@production] elasticsearch/relforge: add contint2002 to cirrus::ferm_srange

https://gerrit.wikimedia.org/r/867714

gerritbot added a comment.Mar 21 2023, 1:04 PM

Change 901576 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] zuul: fix up service enable and ensure

https://gerrit.wikimedia.org/r/901576

gerritbot added a comment.Mar 27 2023, 7:11 PM

Change 901576 merged by Dzahn:

[operations/puppet@production] zuul: fix up service enable and ensure

https://gerrit.wikimedia.org/r/901576

gerritbot added a comment.Mar 29 2023, 11:27 PM

Change 867673 merged by Dzahn:

[operations/puppet@production] site: add contint2002 to ci::master role

https://gerrit.wikimedia.org/r/867673

gerritbot added a comment.Mar 29 2023, 11:40 PM

Change 904370 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] site: remove superfluous insetup role for contint2002

https://gerrit.wikimedia.org/r/904370

gerritbot added a comment.Mar 29 2023, 11:44 PM

Change 904370 merged by Dzahn:

[operations/puppet@production] site: remove superfluous insetup role for contint2002

https://gerrit.wikimedia.org/r/904370

Stashbot added a comment.Mar 29 2023, 11:48 PM

Mentioned in SAL (#wikimedia-operations) [2023-03-29T23:48:45Z] <mutante> contint2002 - a2dismod mpm_event (ONCE AGAIN this year old issue when applying roles with apache for the first time) - running puppet - now it can actually install PHP 7.3 and start apache T324659

gerritbot added a comment.Mar 30 2023, 12:00 AM

Change 904374 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] ci::master: add parameter to enable/disable monitoring of jenkins/httpd

https://gerrit.wikimedia.org/r/904374

gerritbot added a comment.Mar 30 2023, 12:04 AM

Change 904374 merged by Dzahn:

[operations/puppet@production] ci::master: add parameter to enable/disable monitoring of jenkins/httpd

https://gerrit.wikimedia.org/r/904374

Dzahn added a comment.EditedMar 30 2023, 1:36 AM

The production role for ci::master is now applied on contint2002.

Some minor follow-ups were needed:

  • run puppet multiple times due to dependencies (not a big deal, only on first run)
  • add ability to disable new monitoring on the new host to avoid false alerts because https://integration.wikimedia.org does not work on it yet (monitoring we just added recently)
  • manually run "a2dismod mpm_event" and run puppet to unblock installing PHP) (old and known but still pretty annoying issue that we can potentially fix)

Previously @hashar had fixed the situation with masking zuul, zuul-merger and jenkins.

I confirmed zuul, zuul-merger and jenkins are all masked on the new host.

Puppet runs now without errors or warnings.

releng now has shell access to the new machine which came with the role.

Dzahn changed the task status from Open to In Progress.Mar 30 2023, 1:37 AM
Dzahn moved this task from Backlog to Work in Progress on the serviceops-collab board.
hashar added a comment.Apr 6 2023, 6:17 AM

I don't know what has happened over the night but the zuul-merger service started alarming over night:

Notification Type: PROBLEM

Service: Check systemd state
Host: contint2002
Address: 208.80.153.39
State: CRITICAL

Date/Time: Wed Apr 5 23:54:18 UTC 2023

Notes URLs: https://wikitech.wikimedia.org/wiki/Monitoring/check_systemd_state

Acknowledged by : 

Additional Info:

CRITICAL - degraded: The following units failed: wmf_auto_restart_zuul-merger.service

Even though the zuul-merger has always been masked on contint2002... It is a mystery.

gerritbot added a comment.Apr 6 2023, 6:19 AM

Change 906307 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] zuul: disable monitoring for disabled merger service

https://gerrit.wikimedia.org/r/906307

gerritbot added a comment.Apr 6 2023, 7:25 AM

Change 906307 merged by Elukey:

[operations/puppet@production] zuul: disable monitoring for disabled merger service

https://gerrit.wikimedia.org/r/906307

gerritbot added a comment.Apr 11 2023, 1:48 PM

Change 907885 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] ci: rename ci::master role to ci::manager

https://gerrit.wikimedia.org/r/907885

gerritbot added a comment.Apr 11 2023, 1:48 PM

Change 907886 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] ci: split contint hosts to different roles

https://gerrit.wikimedia.org/r/907886

gerritbot added a comment.Apr 11 2023, 2:29 PM

Change 907898 had a related patch set uploaded (by Hashar; author: Hashar):

[labs/private@master] ci: add secreats for ci::manager and ci::worker roles

https://gerrit.wikimedia.org/r/907898

gerritbot added a comment.Apr 11 2023, 2:30 PM

Change 907898 merged by Hashar:

[labs/private@master] ci: add secreats for ci::manager and ci::worker roles

https://gerrit.wikimedia.org/r/907898

hashar mentioned this in rLPRIa6c587f710d9: ci: add secreats for ci::manager and ci::worker roles.Apr 11 2023, 2:31 PM
Dzahn mentioned this in T327068: Bullseye upgrade for remaining Collab hosts.Apr 11 2023, 7:56 PM
Dzahn mentioned this in T334517: upgrade contint servers to bullseye.Apr 11 2023, 8:05 PM
gerritbot added a comment.Apr 12 2023, 10:55 AM

Change 867670 abandoned by Hashar:

[operations/puppet@production] scap: add contint2002 to ci-docroot, jenkins, zuul deploy

Reason:

I have made the list of scap target to be populated from the Puppet DB with https://gerrit.wikimedia.org/r/c/operations/puppet/+/893483/ .

This change triggered me to get the pending change deployed and verified (I ran dummy deployment for the new hosts).

https://gerrit.wikimedia.org/r/867670

gerritbot added a comment.Apr 12 2023, 1:34 PM

Change 908232 had a related patch set uploaded (by Jbond; author: Hashar):

[operations/puppet@production] ci: indicate which server is the control server via a hiera param

https://gerrit.wikimedia.org/r/908232

Dzahn added a comment.Apr 12 2023, 5:02 PM

Hashar did "contint: manage dsh target from Puppet DB" -> https://gerrit.wikimedia.org/r/c/operations/puppet/+/893483

gerritbot added a comment.Apr 13 2023, 7:06 AM

Change 907886 abandoned by Hashar:

[operations/puppet@production] ci: split contint hosts to different roles

Reason:

Abandoning in favor of a single role for all hosts and using a hiera setting to define which one is the primary: https://gerrit.wikimedia.org/r/c/operations/puppet/+/908232/

https://gerrit.wikimedia.org/r/907886

gerritbot added a comment.Apr 13 2023, 2:12 PM

Change 907885 merged by Jbond:

[operations/puppet@production] ci: rename ci::master role to ci

https://gerrit.wikimedia.org/r/907885

gerritbot added a comment.Apr 13 2023, 2:12 PM

Change 908232 merged by Jbond:

[operations/puppet@production] ci: indicate which server is the control server via a hiera param

https://gerrit.wikimedia.org/r/908232

LSobanski moved this task from Work in Progress to Backlog on the serviceops-collab board.Apr 24 2023, 3:05 PM
hashar added a comment.Tue, May 9, 2:42 PM

The process to migrate involves a rsync running a chroot which is thus unable to do user/group id mapping between the host. Short of removing the use_chroot clause, all users and groups need id to be reserved in Puppet.

The transferred directories are:

hieradata/role/common/ci.yaml
profile::ci::migration::rsync_data_dirs:
  - "/var/lib/jenkins/"
  - "/var/lib/zuul/"
  - "/srv/"

On the current primary I went with a brute force approach to find all used user/groups:

sudo find /var/lib/jenkins /var/lib/zuul /srv -printf '| %u | %U | %g | %G\n'|uniq > uid_gid.txt

Which gives me:

UserUID
6553365533
900900
_apt100
brennen20958
dancy25006
deploy-ci-docroot492
deploy-jenkins491
deploy-service494
deploy-zuul493
hashar1010
jenkins499
jenkins-slave498
jforrester2417
root0
slyngshede39083
thcipriani11634
zuul497
GroupGID
6553365533
900900
adm4
bacula118
deploy-ci-docroot494
deploy-jenkins493
deploy-service496
deploy-zuul495
jenkins499
jenkins-slave1001
mail8
nogroup65534
root0
shadow42
staff50
tty5
ulog119
utmp43
wikidev500
zuul498
hashar added a comment.Tue, May 9, 3:12 PM

Some are human users that have uid reserved via modules/admin/data/data.yaml. The deploy-* users are created by Puppet for the scap::target. I guess it is sufficient to NOT rsync /srv/deployment.
There are unknown such as _apt (100), 65533, 900 which apparently come from /srv/docker which we do not need to rsync (the images will be downloaded from the Docker registry when they are missing).

Further inspecting what is in /srv we only need to rsync /srv/jenkins which has:

sudo find /srv/jenkins -printf '| %u | %U | %g | %G\n'|uniq|sort|uniq

UserUIDGroupGID
jenkins499jenkins499
root0root0

And for /var/lib/jenkins and /var/lib/zuul:

sudo find /var/lib/jenkins /var/lib/zuul -printf '| %u | %U | %g | %G\n'|uniq|sort|uniq

UserUIDGroupGID
jenkins499adm4
jenkins499jenkins499
jenkins499nogroup65534
root0bacula118
root0jenkins499
root0root0
zuul497zuul498

The adm group comes from /var/lib/jenkins/logs and is set to Puppet. Debian might have hardcoded it to be GID=4.

/var/lib/jenkins/.gitignore is owned by root:bacula which I believe is from a restore from backup we did when gallium had a disk crash. We no more use git to manage that directory so I went ahead and deleted it contint2001 (it was not on the others).

We thus need to reserve UID/GID for jenkins and zuul then migrate the files to the new UID (which will take a while since there are a lot of files owned by jenkins under /srv/jenkins).

The alternative is to set use chroot = no (which implies numeric ids = no which lets rsync do the name mapping).

gerritbot added a comment.Tue, May 9, 3:27 PM

Change 917908 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] ci: in /srv only migrate /srv/jenkins

https://gerrit.wikimedia.org/r/917908

hashar added a subscriber: jnuche.Tue, May 9, 3:30 PM

+ @jnuche who co manages our Jenkins nowadays. This task is to migrate the Jenkins/Zuul/integration website services from contint2001.wikimedia.org to contint2002.wikimedia.org.

gerritbot added a comment.Tue, May 9, 3:57 PM

Change 917916 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] admin: reserve jenkins and zuul uid/gid

https://gerrit.wikimedia.org/r/917916

gerritbot added a comment.Tue, May 9, 4:12 PM

Change 917918 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] zuul: switch to fixed uid/gid 923

https://gerrit.wikimedia.org/r/917918

gerritbot added a comment.Tue, May 9, 4:22 PM

Change 917919 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] jenkins: switch to fixed uid/gid 924

https://gerrit.wikimedia.org/r/917919

gerritbot added a comment.Tue, May 9, 5:40 PM

Change 917908 merged by Dzahn:

[operations/puppet@production] ci: in /srv only migrate /srv/jenkins

https://gerrit.wikimedia.org/r/917908

gerritbot added a comment.Tue, May 9, 11:35 PM

Change 917916 merged by Dzahn:

[operations/puppet@production] admin: reserve jenkins and zuul uid/gid

https://gerrit.wikimedia.org/r/917916

gerritbot added a comment.Thu, May 18, 10:08 PM

Change 917918 merged by Dzahn:

[operations/puppet@production] zuul: switch to fixed uid/gid 923

https://gerrit.wikimedia.org/r/917918

Dzahn added a comment.Thu, May 18, 11:42 PM

after deploying the change above carefully on all 3 contint* servers, stopping services, running manual chown commands , starting services, verifying etc.. now the zuul user is using uid:gid 923:923 instead of the old 497:498. this is good for several reasons.

[contint2002:~] $ id zuul
uid=923(zuul) gid=923(zuul) groups=923(zuul)

[contint2001:~] $ id zuul
uid=923(zuul) gid=923(zuul) groups=923(zuul)

[contint2001:~] $ id zuul
uid=923(zuul) gid=923(zuul) groups=923(zuul)

A find / -uid 497 and find / -gid 498 on all hosts also showed there were no files owned left the old UID.

Monitoring alerted and recovered. Triggering a "recheck" on Gerrit worked and got jenkins vote.

Dzahn added a comment.Thu, May 18, 11:46 PM
  • disable puppet
  • stop services
  • chown -R 923:923 /srv/zuul/git /var/lib/zuul
  • chown -R 923:923 /var/log/zuul_repack/ /var/log/zuul/
  • chown -R 923:923 /etc/zuul/
  • sudo chown root:root /var/lib/zuul/{.gitconfig,git-template*}
  • re-enable puppet, it corrects /var/log/zuul to zuul:adm
  • puppet does the actual change for zuul user name to point to 923 instead of 497 (and 923 instead og 498 for gid)
  • id zuul (to verify)
  • start service
  • find / -uid 497 (to verify)
  • find / -gid 498 (to verify)
Dzahn moved this task from Backlog to Work in Progress on the serviceops-collab board.Mon, May 22, 3:26 PM
Stashbot added a comment.Tue, May 23, 11:30 PM

Mentioned in SAL (#wikimedia-operations) [2023-05-23T23:30:05Z] <mutante> contint*, releases* - maintenance - changing UID of jenkins user - jenkins will be stopped for a little bit, releases-jenkins is first though - T324659

gerritbot added a comment.Tue, May 23, 11:30 PM

Change 917919 merged by Dzahn:

[operations/puppet@production] jenkins: switch to fixed uid/gid 924

https://gerrit.wikimedia.org/r/917919

Dzahn added a comment.Wed, May 24, 1:35 AM

after carefully deploying the patch above to change jenkins UID/GID, following the instructions, changing file ownership etc (details on gerrit comments), we now have:

[contint2001:~] $ id jenkins
uid=924(jenkins) gid=924(jenkins) groups=924(jenkins)

[contint2002:~] $ id jenkins
uid=924(jenkins) gid=924(jenkins) groups=924(jenkins)

[contint1002:/tmp] $ id jenkins
uid=924(jenkins) gid=924(jenkins) groups=924(jenkins)

[releases1002:~] $ id jenkins
uid=924(jenkins) gid=924(jenkins) groups=924(jenkins)

[releases2002:~] $ id jenkins
uid=924(jenkins) gid=924(jenkins) groups=924(jenkins)

so no more worrying about rsync and file ownership when migrating. yay!

jnuche awarded a token.Wed, May 24, 8:43 AM
RhinosF1 added a subscriber: RhinosF1.Tue, May 30, 3:32 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL