
cloudcumin: support reimage and other operations
Open, Medium, Public

Description

The cloud-cumin hosts have been configured and in theory should allow users to run any cookbook but be restricted to only running them on cloud hosts. However, there are still some gaps; this task intends to document those gaps and ideally try to fix them.

EDIT March 2024: to make this task more actionable, I'm adding the following Definition of Done: it should be possible to reimage a cloud server from a cloudcumin. Solving this will probably unlock other operations as well.

OOB access

From previous talks I think one of the biggest gaps relates to any cookbook that needs the management password; this would include the reimage, firmware-upgrade, provision, decommission, sel, and ipmi-password-reset cookbooks. It seems to me that one easy way to fix this is to have separate OOB passwords for WMCS servers?

Puppet CA access

The next issue is that some jobs interact with the Puppet CA. The re-image, decommission and renew-certs cookbooks use this functionality. The cookbooks essentially use the puppet ca command line to destroy or renew the Puppet agent certificate. One way we could fix this is to instead use the Puppet CA API to manage certificates. On the puppetserver side we can update the auth rules so cloudcumin hosts are only able to perform actions on cloud hosts. This is not something we have done before; however, it should be doable, but I'd recommend waiting until production has been migrated to puppet7.

Another option here would be for WMCS to have their own puppetservers/dbs.
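
As an added illustration of the auth-rule idea in the Puppet CA section (not part of the task description and not the project's configuration), a Puppet Server `auth.conf` fragment could scope certificate management by the certname in the request path. The hostnames, the `cloud` name prefix and the `example.org` domain are constructed placeholders.

```hocon
# Constructed example; certnames and the "cloud" naming pattern are assumptions.
authorization: {
    version: 1
    rules: [
        {
            # Narrow rule: certificate_status requests whose target certname
            # starts with "cloud" (assumed naming convention for cloud hosts).
            match-request: {
                path: "^/puppet-ca/v1/certificate_status/cloud[a-z0-9-]+\\.example\\.org$"
                type: regex
                method: [get, put, delete]
            }
            # The first matching rule decides the request and there is no
            # fall-through, so the production admin host must be listed here
            # too or it loses access to cloud host certificates.
            allow: [
                "cloudcuminXXXX.example.org",
                "cuminXXXX.example.org"
            ]
            # Lower sort-order is evaluated first; this must sort before
            # the broad rule below.
            sort-order: 200
            name: "cloud host cert status (constructed)"
        },
        {
            # Stands in for the existing broad rule covering every certname.
            # cloudcumin is deliberately absent, so any non-cloud target
            # requested from a cloudcumin host is denied.
            match-request: {
                path: "/puppet-ca/v1/certificate_status"
                type: path
                method: [get, put, delete]
            }
            allow: ["cuminXXXX.example.org"]
            sort-order: 500
            name: "all hosts cert status (constructed)"
        }
    ]
}
```

The regex is anchored at both ends so a certname that merely contains a cloud-style name elsewhere in the path does not match the narrow rule.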

Event Timeline

jbond triaged this task as Medium priority. Aug 17 2023, 9:02 AM
jbond created this task.
jbond updated the task description.
fnegri renamed this task from Cloudcumin Gaps to cloudcumin: support reimage and other operations. Mar 28 2024, 4:40 PM
fnegri updated the task description.

Note that all sre.* cookbooks are no longer installed in cloudcumins (see the discussion in T343894).

After the problems described in the task description are solved, we will need to either create a separate wmcs.reimage cookbook, or revisit the idea (T343894) of creating a "shared" set of cookbooks that can be installed both in cuminXXXX and cloudcuminXXXX hosts.