Page MenuHomePhabricator
Create Task
Maniphest T347977

cloudcumin: allow wmcs-admin to run wikireplicas cookbooks and scripts
Closed, DeclinedPublic
Actions

Description

The members of the group wmcs-admin can currently SSH to cumin1001 to run the following commands:

root@cumin1001:~# cat /etc/sudoers.d/wmcs-admin
# This file is managed by Puppet!

%wmcs-admin ALL = (ALL) NOPASSWD: /usr/local/bin/secure-cookbook sre.wikireplicas.*
%wmcs-admin ALL = (ALL) NOPASSWD: /usr/local/sbin/maintain-views
%wmcs-admin ALL = (ALL) NOPASSWD: /usr/local/sbin/maintain-meta_p
%wmcs-admin ALL = (ALL) NOPASSWD: /usr/local/sbin/maintain-replica-indexes

In T325067 I merged a patch that replicated those sudoers rule to the new cloudcumin hosts. This task is to ensure that all those scripts can be run successfully from the cloudcumin hosts. At a minimum, we have to add the secure-cookbook command that is not present right now, but there might be more things to fix.

Related Objects
Search...

Event Timeline

fnegri created this task.Oct 3 2023, 11:23 AM
fnegri claimed this task.
fnegri mentioned this in T347979: Remove wmcs-admin access from production cumin hosts.Oct 3 2023, 11:28 AM
fnegri added a parent task: T347979: Remove wmcs-admin access from production cumin hosts.
Volans added a comment.Oct 3 2023, 1:00 PM

@fnegri do you plan o move these cookbooks to the wmcs-cookbooks repository?
I'm also wondering if at this point it could make sense to move the spicerack's toolforge module/package into the wmcs_libs directory of the same repo.

fnegri triaged this task as Medium priority.Oct 3 2023, 1:31 PM

@Volans I didn't notice they were in the main cookbooks repository, I think it makes sense to move them but I'm not sure how easy it will be... I'll have a look later this week.

I'm also wondering if at this point it could make sense to move the spicerack's toolforge module/package into the wmcs_libs directory of the same repo.

I think it does, but I'm not familiar at all with that module. There's also T319450 which is vaguely related.

fnegri edited projects, added cloud-services-team (FY2023/2024-Q3-Q4); removed cloud-services-team (FY2023/2024-Q1-Q2).Feb 1 2024, 11:14 AM
fnegri mentioned this in T337848: WMCS-roots wiki replica access.Mar 28 2024, 4:21 PM
taavi moved this task from Unsorted to wmcs-cookbooks on the Cloud-VPS board.Jun 4 2024, 3:58 PM
taavi added a project: Data-Services.
fnegri moved this task from Backlog to Wiki replicas on the Data-Services board.Jun 17 2024, 3:56 PM
fnegri mentioned this in T344599: wikireplicas root access.Jul 2 2024, 3:41 PM
fnegri edited projects, added cloud-services-team (FY2024/2025-Q1-Q2); removed cloud-services-team (FY2023/2024-Q3-Q4).Aug 19 2024, 9:20 AM
fnegri closed this task as Declined.Sep 13 2024, 2:24 PM
fnegri moved this task from Backlog to Done on the cloud-services-team (FY2024/2025-Q1-Q2) board.

In T344599: wikireplicas root access it was decided members of wmcs-roots should not have root access to wiki replicas hosts (clouddbXXXX). Given wmcs-roots members have root access on cloudcumins, that means clouddb hosts should not be accessible from cloudcumins, but only from production cumins.

Without this access, the cookbooks sre.wikireplicas.* will not work from cloudcumins but only from production cumins.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits