Page MenuHomePhabricator
Create Task
Maniphest T364417

deploy1003 implementation tracking
Closed, ResolvedPublic
Actions

Description

deploy1003 implementation tracking

This task is to track the service implementation of deploy1003.

Once the linked racking task has been resolved, this task can be implemented.

This sub-task creation/update is per the request of serviceops; this task is assigned at creation to the 'Sub-team Technical Contact' provided in the initial ordering task.

Details

Related Changes in Gerrit:
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 7 2024, 6:15 PM
RobH unsubscribed.May 7 2024, 6:15 PM
Dzahn mentioned this in T364656: replace production buster deployment servers.May 10 2024, 9:05 PM
Dzahn added a parent task: T364656: replace production buster deployment servers.
Dzahn subscribed.

@akosiaris I made T364656 and suggest seeing that either as a parent task or simply merging this in there.

Dzahn added a subtask: T363415: add bullseye support to deployment server puppet role - upgrade deployment server in devtools.May 10 2024, 9:08 PM
Dzahn added a parent task: T291916: Tracking task for Bullseye migrations in production.
Dzahn closed subtask T363415: add bullseye support to deployment server puppet role - upgrade deployment server in devtools as Resolved.May 10 2024, 9:22 PM
akosiaris added a subscriber: jijiki.May 13 2024, 5:40 PM

Thanks @Dzahn. It's fine as a parent task, thanks for adding it. T364416 already says bullseye for what is worth. Adding @jijiki for her information.

gerritbot added a comment.Jun 27 2024, 12:22 PM

Change #1050345 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/puppet@production] Add deploy1003 to site.pp

https://gerrit.wikimedia.org/r/1050345

gerritbot added a project: Patch-For-Review.Jun 27 2024, 12:22 PM
gerritbot added a comment.Jun 28 2024, 10:21 AM

Change #1050345 merged by Alexandros Kosiaris:

[operations/puppet@production] Add deploy1003 to site.pp

https://gerrit.wikimedia.org/r/1050345

Maintenance_bot removed a project: Patch-For-Review.Jun 28 2024, 10:30 AM
ops-monitoring-bot added a comment.Jun 28 2024, 1:01 PM

Cookbook cookbooks.sre.hosts.reimage was started by akosiaris@cumin1002 for host deploy1003.eqiad.wmnet with OS bookworm

ops-monitoring-bot added a comment.Jun 28 2024, 1:41 PM

Cookbook cookbooks.sre.hosts.reimage started by akosiaris@cumin1002 for host deploy1003.eqiad.wmnet with OS bookworm completed:

  • deploy1003 (WARN)
    • Downtimed on Icinga/Alertmanager
    • Unable to disable Puppet, the host may have been unreachable
    • Removed from Puppet and PuppetDB if present and deleted any certificates
    • Removed from Debmonitor if present
    • Forced PXE for next reboot
    • Host rebooted via IPMI
    • Host up (Debian installer)
    • Add puppet_version metadata to Debian installer
    • Checked BIOS boot parameters are back to normal
    • Host up (new fresh bookworm OS)
    • Generated Puppet certificate
    • Signed new Puppet certificate
    • Run Puppet in NOOP mode to populate exported resources in PuppetDB
    • Found Nagios_host resource for this host in PuppetDB
    • Downtimed the new host on Icinga/Alertmanager
    • First Puppet run completed and logged in /var/log/spicerack/sre/hosts/reimage/202406281315_akosiaris_1591191_deploy1003.out
    • configmaster.wikimedia.org updated with the host new SSH public key for wmf-update-known-hosts-production
    • Rebooted
    • Automatic Puppet run was successful
    • Forced a re-check of all Icinga services for the host
    • Icinga status is optimal
    • Icinga downtime removed
    • Updated Netbox data from PuppetDB
    • Updated Netbox status planned -> active
    • The sre.puppet.sync-netbox-hiera cookbook was run successfully
ops-monitoring-bot added a comment.Jun 28 2024, 1:42 PM

Cookbook cookbooks.sre.hosts.reimage was started by akosiaris@cumin1002 for host deploy1003.eqiad.wmnet with OS bullseye

ops-monitoring-bot added a comment.Jun 28 2024, 2:10 PM

Cookbook cookbooks.sre.hosts.reimage started by akosiaris@cumin1002 for host deploy1003.eqiad.wmnet with OS bullseye completed:

  • deploy1003 (PASS)
    • Downtimed on Icinga/Alertmanager
    • Disabled Puppet
    • Removed from Puppet and PuppetDB if present and deleted any certificates
    • Removed from Debmonitor if present
    • Forced PXE for next reboot
    • Host rebooted via IPMI
    • Host up (Debian installer)
    • Add puppet_version metadata to Debian installer
    • Checked BIOS boot parameters are back to normal
    • Host up (new fresh bullseye OS)
    • Generated Puppet certificate
    • Signed new Puppet certificate
    • Run Puppet in NOOP mode to populate exported resources in PuppetDB
    • Found Nagios_host resource for this host in PuppetDB
    • Downtimed the new host on Icinga/Alertmanager
    • Removed previous downtime on Alertmanager (old OS)
    • First Puppet run completed and logged in /var/log/spicerack/sre/hosts/reimage/202406281356_akosiaris_1599616_deploy1003.out
    • configmaster.wikimedia.org updated with the host new SSH public key for wmf-update-known-hosts-production
    • Rebooted
    • Automatic Puppet run was successful
    • Forced a re-check of all Icinga services for the host
    • Icinga status is optimal
    • Icinga downtime removed
    • Updated Netbox data from PuppetDB
akosiaris added a comment.Jul 1 2024, 2:33 PM

I 've applied the role and now working through packaging python3-imagecatalog for bullseye

akosiaris mentioned this in T364416: Q4:rack/setup/install deploy1003.Jul 1 2024, 4:48 PM
  • python3-imagecatalog published and gerrit repo updated
  • php72 component made conditional
dancy subscribed.Jul 1 2024, 8:30 PM

Noting that having deploy1003.eqiad.wmnet in deploy1002:/etc/dsh/group/scap-masters before it is fully set up is causing problems for scap deployments. For example, I got the following when trying to update scap today:

$ scap install-world
...
16:33:58 Syncing masters
16:33:59 ['/usr/bin/rsync', '--archive', '--delay-updates', '--delete', '--delete-delay', '--compress', '--new-compress', '--exclude=*.swp', '--exclude=**/__pycache__', 'deploy1002.eqiad.wmnet::scap-install-staging', '/var/lib/scap'] (ran as scap@deploy1003.eqiad.wmnet) returned [1]: This account is currently not available.

16:34:00 scap-sync-to-masters: 100% (in-flight: 0; ok: 1; fail: 1; left: 0)
16:34:00 1 masters failed to sync scap installation
Aborting: Install failed

And a backport deployer got bogged down by it:

$ scap backport <xxxxx>
....
20:04:09 Started sync-masters
20:04:19 sync-masters:  50% (in-flight: 1; ok: 1; fail: 0; left: 0) /
20:22:07 sync-masters: 100% (in-flight: 0; ok: 2; fail: 0; left: 0)
20:22:07 Finished sync-masters (duration: 17m 57s)   <---- Too long!
gerritbot added a comment.Jul 2 2024, 3:12 PM

Change #1051392 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] deploy1003: Comment them out from scap_masters

https://gerrit.wikimedia.org/r/1051392

gerritbot added a project: Patch-For-Review.Jul 2 2024, 3:12 PM
gerritbot added a comment.Jul 2 2024, 3:16 PM

Change #1051392 merged by Alexandros Kosiaris:

[operations/puppet@production] deploy1003: Comment them out from scap_masters

https://gerrit.wikimedia.org/r/1051392

Maintenance_bot removed a project: Patch-For-Review.Jul 2 2024, 3:30 PM
akosiaris added a comment.Jul 2 2024, 4:22 PM

Apologies, I failed to anticipate that consequence, I 've merged a change to remove deploy1003 from the list of scap masters.

gerritbot added a comment.Jul 3 2024, 2:46 PM

Change #1051772 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] deployment::rsync: Remove long absented resources

https://gerrit.wikimedia.org/r/1051772

gerritbot added a project: Patch-For-Review.Jul 3 2024, 2:46 PM
gerritbot added a comment.Jul 3 2024, 3:02 PM

Change #1051782 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] WIP deployment::rsync: Temporarily disable stunnel

https://gerrit.wikimedia.org/r/1051782

gerritbot added a comment.Jul 4 2024, 1:05 PM

Change #1052111 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] deployment::rsync: Add support for PKI

https://gerrit.wikimedia.org/r/1052111

gerritbot added a comment.Jul 4 2024, 1:15 PM

Change #1051772 merged by Alexandros Kosiaris:

[operations/puppet@production] deployment::rsync: Remove long absented resources

https://gerrit.wikimedia.org/r/1051772

gerritbot added a comment.Jul 5 2024, 12:27 PM

Change #1051782 abandoned by Alexandros Kosiaris:

[operations/puppet@production] WIP deployment::rsync: Temporarily disable stunnel

Reason:

Better to move with PKI provisioned certs

https://gerrit.wikimedia.org/r/1051782

dancy unsubscribed.Jul 8 2024, 3:09 PM
gerritbot added a comment.Jul 11 2024, 1:37 PM

Change #1052111 merged by Alexandros Kosiaris:

[operations/puppet@production] deployment::rsync: Add support for PKI

https://gerrit.wikimedia.org/r/1052111

Maintenance_bot removed a project: Patch-For-Review.Jul 11 2024, 2:30 PM
gerritbot added a comment.Jul 11 2024, 3:26 PM

Change #1053718 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] deploy1003: Undo the puppet 7 force

https://gerrit.wikimedia.org/r/1053718

gerritbot added a project: Patch-For-Review.Jul 11 2024, 3:26 PM
gerritbot added a comment.Jul 11 2024, 3:31 PM

Change #1053718 merged by Alexandros Kosiaris:

[operations/puppet@production] deploy1003: Undo the puppet 7 force

https://gerrit.wikimedia.org/r/1053718

ops-monitoring-bot added a comment.Jul 11 2024, 3:36 PM

Cookbook cookbooks.sre.hosts.reimage was started by akosiaris@cumin1002 for host deploy1003.eqiad.wmnet with OS bullseye

Maintenance_bot removed a project: Patch-For-Review.Jul 11 2024, 4:31 PM
ops-monitoring-bot added a comment.Jul 11 2024, 5:28 PM

Cookbook cookbooks.sre.hosts.reimage started by akosiaris@cumin1002 for host deploy1003.eqiad.wmnet with OS bullseye completed:

  • deploy1003 (PASS)
    • Downtimed on Icinga/Alertmanager
    • Disabled Puppet
    • Removed from Puppet and PuppetDB if present and deleted any certificates
    • Removed from Debmonitor if present
    • Forced PXE for next reboot
    • Host rebooted via IPMI
    • Host up (Debian installer)
    • Add puppet_version metadata to Debian installer
    • Checked BIOS boot parameters are back to normal
    • Host up (new fresh bullseye OS)
    • Generated Puppet certificate
    • Signed new Puppet certificate
    • Run Puppet in NOOP mode to populate exported resources in PuppetDB
    • Found Nagios_host resource for this host in PuppetDB
    • Downtimed the new host on Icinga/Alertmanager
    • Removed previous downtime on Alertmanager (old OS)
    • First Puppet run completed and logged in /var/log/spicerack/sre/hosts/reimage/202407111551_akosiaris_4099339_deploy1003.out
    • configmaster.wikimedia.org updated with the host new SSH public key for wmf-update-known-hosts-production
    • Rebooted
    • Automatic Puppet run was successful
    • Forced a re-check of all Icinga services for the host
    • Icinga status is optimal
    • Icinga downtime removed
    • Updated Netbox data from PuppetDB
gerritbot added a comment.Jul 23 2024, 12:04 PM

Change #1056144 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] imagecatalog: Vary gunicorn package on Debian version

https://gerrit.wikimedia.org/r/1056144

gerritbot added a project: Patch-For-Review.Jul 23 2024, 12:04 PM
Ladsgroup awarded a token.Jul 23 2024, 12:11 PM
gerritbot added a comment.Jul 23 2024, 12:26 PM

Change #1056144 merged by Alexandros Kosiaris:

[operations/puppet@production] imagecatalog: Vary gunicorn package on Debian version

https://gerrit.wikimedia.org/r/1056144

Maintenance_bot removed a project: Patch-For-Review.Jul 23 2024, 12:30 PM
gerritbot added a comment.Jul 23 2024, 1:20 PM

Change #1056156 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] imagecatalog: Force uid/gid for imagecatalog user

https://gerrit.wikimedia.org/r/1056156

gerritbot added a project: Patch-For-Review.Jul 23 2024, 1:20 PM
gerritbot added a comment.Jul 23 2024, 1:28 PM

Change #1056156 merged by Alexandros Kosiaris:

[operations/puppet@production] imagecatalog: Force uid/gid for imagecatalog user

https://gerrit.wikimedia.org/r/1056156

Maintenance_bot removed a project: Patch-For-Review.Jul 23 2024, 1:31 PM
gerritbot added a comment.Jul 23 2024, 1:31 PM

Change #1056157 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] imagecatalog: Actually comment about the uid/gid

https://gerrit.wikimedia.org/r/1056157

gerritbot added a project: Patch-For-Review.Jul 23 2024, 1:31 PM

Change #1056157 merged by Alexandros Kosiaris:

[operations/puppet@production] imagecatalog: Actually comment about the uid/gid

https://gerrit.wikimedia.org/r/1056157

gerritbot added a comment.Jul 23 2024, 1:36 PM

Change #1056158 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] imagecatalog: Remove require for data directory

https://gerrit.wikimedia.org/r/1056158

gerritbot added a comment.Jul 23 2024, 1:37 PM

Change #1056158 merged by Alexandros Kosiaris:

[operations/puppet@production] imagecatalog: Remove require for data directory

https://gerrit.wikimedia.org/r/1056158

ops-monitoring-bot added a comment.Jul 23 2024, 1:49 PM

Cookbook cookbooks.sre.hosts.reimage was started by akosiaris@cumin1002 for host deploy1003.eqiad.wmnet with OS bullseye

Maintenance_bot removed a project: Patch-For-Review.Jul 23 2024, 2:31 PM
ops-monitoring-bot added a comment.Jul 24 2024, 5:12 AM

Cookbook cookbooks.sre.hosts.reimage started by akosiaris@cumin1002 for host deploy1003.eqiad.wmnet with OS bullseye executed with errors:

  • deploy1003 (FAIL)
    • Downtimed on Icinga/Alertmanager
    • Disabled Puppet
    • Removed from Puppet and PuppetDB if present and deleted any certificates
    • Removed from Debmonitor if present
    • Forced PXE for next reboot
    • Host rebooted via IPMI
    • Host up (Debian installer)
    • Add puppet_version metadata to Debian installer
    • Checked BIOS boot parameters are back to normal
    • Host up (new fresh bullseye OS)
    • Generated Puppet certificate
    • Signed new Puppet certificate
    • Run Puppet in NOOP mode to populate exported resources in PuppetDB
    • Found Nagios_host resource for this host in PuppetDB
    • Downtimed the new host on Icinga/Alertmanager
    • Removed previous downtime on Alertmanager (old OS)
    • First Puppet run completed and logged in /var/log/spicerack/sre/hosts/reimage/202407231406_akosiaris_2085260_deploy1003.out
    • configmaster.wikimedia.org updated with the host new SSH public key for wmf-update-known-hosts-production
    • Rebooted
    • The reimage failed, see the cookbook logs for the details,You can also try typing "install-console" deploy1003.eqiad.wmnet to get a root shellbut depending on the failure this may not work.
ops-monitoring-bot added a comment.Jul 24 2024, 10:16 AM

Cookbook cookbooks.sre.hosts.reimage was started by akosiaris@cumin1002 for host deploy1003.eqiad.wmnet with OS bullseye

ops-monitoring-bot added a comment.Jul 24 2024, 12:39 PM

Cookbook cookbooks.sre.hosts.reimage started by akosiaris@cumin1002 for host deploy1003.eqiad.wmnet with OS bullseye completed:

  • deploy1003 (PASS)
    • Downtimed on Icinga/Alertmanager
    • Disabled Puppet
    • Removed from Puppet and PuppetDB if present and deleted any certificates
    • Removed from Debmonitor if present
    • Forced PXE for next reboot
    • Host rebooted via IPMI
    • Host up (Debian installer)
    • Add puppet_version metadata to Debian installer
    • Checked BIOS boot parameters are back to normal
    • Host up (new fresh bullseye OS)
    • Generated Puppet certificate
    • Signed new Puppet certificate
    • Run Puppet in NOOP mode to populate exported resources in PuppetDB
    • Found Nagios_host resource for this host in PuppetDB
    • Downtimed the new host on Icinga/Alertmanager
    • Removed previous downtime on Alertmanager (old OS)
    • First Puppet run completed and logged in /var/log/spicerack/sre/hosts/reimage/202407241033_akosiaris_2246523_deploy1003.out
    • configmaster.wikimedia.org updated with the host new SSH public key for wmf-update-known-hosts-production
    • Rebooted
    • Automatic Puppet run was successful
    • Forced a re-check of all Icinga services for the host
    • Icinga status is optimal
    • Icinga downtime removed
    • Updated Netbox data from PuppetDB
akosiaris added a comment.Jul 24 2024, 2:26 PM

Just armed keyholder, everything looks ok right now. I 'll send a notification to wikitech-l and engineering in slack for a deployment server move. Not much different from what we do for the switchover.

gerritbot added a comment.Jul 25 2024, 8:42 AM

Change #1056871 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] Revert "deploy1003: Comment them out from scap_masters"

https://gerrit.wikimedia.org/r/1056871

gerritbot added a project: Patch-For-Review.Jul 25 2024, 8:42 AM
gerritbot added a comment.Jul 25 2024, 8:45 AM

Change #1056871 merged by Alexandros Kosiaris:

[operations/puppet@production] Revert "deploy1003: Comment them out from scap_masters"

https://gerrit.wikimedia.org/r/1056871

gerritbot added a comment.Jul 25 2024, 9:03 AM

Change #1056878 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/puppet@production] deployment: Switch master deployment host to deploy1003

https://gerrit.wikimedia.org/r/1056878

akosiaris added a comment.Jul 25 2024, 2:41 PM

Move to this server from deploy1002 scheduled for Monday 2024-07-29 09:00 UTC

akosiaris added a comment.Jul 26 2024, 11:13 AM

I 've also performed a NOOP deployment from deploy1003 today, worked slowly (20minutes) due to having to build the images, but otherwise OK)

gerritbot added a comment.Jul 29 2024, 10:30 AM

Change #1056878 merged by Alexandros Kosiaris:

[operations/puppet@production] deployment: Switch master deployment host to deploy1003

https://gerrit.wikimedia.org/r/1056878

Maintenance_bot removed a project: Patch-For-Review.Jul 29 2024, 10:30 AM
gerritbot added a comment.Jul 29 2024, 10:33 AM

Change #1057833 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/dns@master] Switch deployment.eqiad.wmnet to deploy1003

https://gerrit.wikimedia.org/r/1057833

gerritbot added a project: Patch-For-Review.Jul 29 2024, 10:33 AM

Change #1057833 merged by Alexandros Kosiaris:

[operations/dns@master] Switch deployment.eqiad.wmnet to deploy1003

https://gerrit.wikimedia.org/r/1057833

Maintenance_bot removed a project: Patch-For-Review.Jul 29 2024, 11:31 AM
akosiaris closed this task as Resolved.Jul 29 2024, 11:32 AM
jwang subscribed.Aug 23 2024, 11:54 PM

Hi, I failed to ssh deployment.eqiad.wmnet. The message I got is deployment.eqiad.wmnet: Permission denied (publickey). I was able to ssh a couple of months ago. Is this related to the deployment? Is there any update on my end that could fix it?

Clement_Goubert subscribed.Aug 26 2024, 9:51 AM
In T364417#10089240, @jwang wrote:

Hi, I failed to ssh deployment.eqiad.wmnet. The message I got is deployment.eqiad.wmnet: Permission denied (publickey). I was able to ssh a couple of months ago. Is this related to the deployment? Is there any update on my end that could fix it?

Hello, please open a new ticket and tag SRE SRE-Access-Requests to debug your issue. As far as I can see, you are not part of any group that has access to the deployment server. If this is a mistake and you should have access, please add the required information for an access request so the clinic duty SRE can help.

Dzahn added a comment.Aug 26 2024, 4:52 PM

Because users have been asking about the changed host key, I dumped the fingerprints for deploy1003 on https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/deploy1003.eqiad.wmnet

It didn't have the page that https://wikitech.wikimedia.org/wiki/Deploy1002 had and that just redirects now.

jwang added a comment.Aug 26 2024, 5:49 PM

Because users have been asking about the changed host key,

Hi @Dzahn, thanks for the reply. Is it something I need to update on my end? If so, could you provide more instructions on how to do that?

jwang mentioned this in T373379: Requesting access to airflow-analytics-product-admins group for jiawang.Aug 26 2024, 5:55 PM

@Clement_Goubert, thanks for the reply. I have created a ticket about it: T373379.

Dzahn added a comment.Aug 26 2024, 5:56 PM

@jwang My comment was a general comment about the new deployment server and the replacement process.

It shouldn't be related to your access question. It wouldn't manifest as "Permission denied (publickey)".

I can confirm what Clement said above. It seems like you simply aren't in the group that gets access to the deployment server. You have other groups like analytics-privatedata-users and analytics-product-users but not the one for deployments.

So if you are sure you used to have that access at some point in the past then we need to dig deeper into when and where you were removed.

But I also don't see a home directory for you there and these normally stay around forever, even for former users. So that would be strange even if you had access in the past.

The one thing that you can do to get this fixed is to create a new request and ask to be added to the deployment group. (https://wikitech.wikimedia.org/wiki/SRE/Production_access#Filing_the_request)

jwang added a comment.Aug 26 2024, 6:39 PM

Thanks @Dzahn, I guess I mixed up with the other servers. I will create a request for the deployment group.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits