Page MenuHomePhabricator
Create Task
Maniphest T390863

Migrate the KDCs to Bookworm
Closed, ResolvedPublic
Actions

Description

  • Setup krb1002 with Bookworm
  • Upgrade krb2002 to Bookworm
  • Move the kadmin server to krb1002
  • Decom krb1001

We can also make the switch to nftables as part of the migration.

Details

Related Changes in Gerrit:
Show related patches Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedMoritzMuehlenhoffT390863 Migrate the KDCs to Bookworm
 ResolvedRequestNoneT396007 decommission krb1001.eqiad.wmnet

Event Timeline

MoritzMuehlenhoff created this task.Apr 2 2025, 1:45 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 2 2025, 1:45 PM
gerritbot added a comment.Apr 2 2025, 1:46 PM

Change #1133406 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Setup the new KDC with nftables

https://gerrit.wikimedia.org/r/1133406

gerritbot added a project: Patch-For-Review.Apr 2 2025, 1:46 PM
MoritzMuehlenhoff triaged this task as Medium priority.Apr 14 2025, 1:59 PM
MoritzMuehlenhoff claimed this task.Apr 14 2025, 4:01 PM
gerritbot added a comment.Apr 23 2025, 12:49 PM

Change #1133406 merged by Muehlenhoff:

[operations/puppet@production] Setup the new KDC with nftables

https://gerrit.wikimedia.org/r/1133406

Maintenance_bot removed a project: Patch-For-Review.Apr 23 2025, 1:31 PM
gerritbot added a comment.Apr 23 2025, 2:28 PM

Change #1138377 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Make krb1002 a KDC

https://gerrit.wikimedia.org/r/1138377

gerritbot added a project: Patch-For-Review.Apr 23 2025, 2:28 PM
gerritbot added a comment.Apr 24 2025, 8:32 AM

Change #1138377 merged by Muehlenhoff:

[operations/puppet@production] Make krb1002 a KDC

https://gerrit.wikimedia.org/r/1138377

gerritbot added a comment.Apr 24 2025, 9:01 AM

Change #1138684 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add krb1002 to kerberos_kdc_servers

https://gerrit.wikimedia.org/r/1138684

gerritbot added a comment.Apr 24 2025, 12:13 PM

Change #1138684 merged by Muehlenhoff:

[operations/puppet@production] Add krb1002 to kerberos_kdc_servers

https://gerrit.wikimedia.org/r/1138684

Maintenance_bot removed a project: Patch-For-Review.Apr 24 2025, 12:30 PM
gerritbot added a comment.Apr 29 2025, 1:15 PM

Change #1139850 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add krb1002 to the list of KDCs presented to Kerberos clients

https://gerrit.wikimedia.org/r/1139850

gerritbot added a project: Patch-For-Review.Apr 29 2025, 1:15 PM
gerritbot added a comment.Apr 30 2025, 9:42 AM

Change #1139850 merged by Muehlenhoff:

[operations/puppet@production] Add krb1002 to the list of KDCs presented to Kerberos clients

https://gerrit.wikimedia.org/r/1139850

gerritbot added a comment.Apr 30 2025, 10:01 AM

Change #1140142 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Stop passing krb2002 to Kerberos clients

https://gerrit.wikimedia.org/r/1140142

gerritbot added a comment.Apr 30 2025, 10:01 AM

Change #1140143 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Switch krb2002 to nftables

https://gerrit.wikimedia.org/r/1140143

gerritbot added a comment.May 5 2025, 12:57 PM

Change #1140142 merged by Muehlenhoff:

[operations/puppet@production] Stop passing krb2002 to Kerberos clients

https://gerrit.wikimedia.org/r/1140142

gerritbot added a comment.May 7 2025, 8:45 AM

Change #1140143 merged by Muehlenhoff:

[operations/puppet@production] Switch krb2002 to nftables

https://gerrit.wikimedia.org/r/1140143

Maintenance_bot removed a project: Patch-For-Review.May 7 2025, 9:30 AM
MoritzMuehlenhoff updated the task description. (Show Details)May 7 2025, 10:10 AM
MoritzMuehlenhoff updated the task description. (Show Details)
ops-monitoring-bot added a comment.May 7 2025, 10:22 AM

Icinga downtime and Alertmanager silence (ID=3de6b492-82de-43f4-8903-cb18d7303b18) set by jmm@cumin2002 for 3:00:00 on 1 host(s) and their services with reason: update to Bookworm

krb2002.codfw.wmnet
Stashbot added a comment.May 7 2025, 10:27 AM

Mentioned in SAL (#wikimedia-operations) [2025-05-07T10:27:27Z] <moritzm> upgrading krb2002 to Bookworm T390863

gerritbot added a comment.May 7 2025, 11:37 AM

Change #1143063 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Pass krb2002 to Kerberos clients again

https://gerrit.wikimedia.org/r/1143063

gerritbot added a project: Patch-For-Review.May 7 2025, 11:37 AM
gerritbot added a comment.May 8 2025, 7:29 AM

Change #1143063 merged by Muehlenhoff:

[operations/puppet@production] Pass krb2002 to Kerberos clients again

https://gerrit.wikimedia.org/r/1143063

Maintenance_bot removed a project: Patch-For-Review.May 8 2025, 7:30 AM
MoritzMuehlenhoff updated the task description. (Show Details)May 8 2025, 1:24 PM
gerritbot added a comment.May 8 2025, 1:27 PM

Change #1143574 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Switch the kadmin server to krb1002

https://gerrit.wikimedia.org/r/1143574

gerritbot added a project: Patch-For-Review.May 8 2025, 1:27 PM
gerritbot added a comment.May 8 2025, 2:03 PM

Change #1143583 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Disable httbb k8s tests on cumin1003 for now

https://gerrit.wikimedia.org/r/1143583

gerritbot added a comment.May 8 2025, 2:40 PM

Change #1143583 merged by Muehlenhoff:

[operations/puppet@production] Disable httbb k8s tests on cumin1003 for now

https://gerrit.wikimedia.org/r/1143583

gerritbot added a comment.May 14 2025, 11:32 AM

Change #1143574 merged by Muehlenhoff:

[operations/puppet@production] Switch the kadmin server to krb1002

https://gerrit.wikimedia.org/r/1143574

Maintenance_bot removed a project: Patch-For-Review.May 14 2025, 12:31 PM
gerritbot added a comment.May 14 2025, 12:33 PM

Change #1145884 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove krb1001 from list of KDCs

https://gerrit.wikimedia.org/r/1145884

gerritbot added a project: Patch-For-Review.May 14 2025, 12:33 PM
MoritzMuehlenhoff updated the task description. (Show Details)May 14 2025, 12:42 PM
gerritbot added a comment.May 15 2025, 11:46 AM

Change #1146570 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove krb1001 from the list of KDCs presented to clients

https://gerrit.wikimedia.org/r/1146570

gerritbot added a comment.May 15 2025, 1:15 PM

Change #1146570 merged by Muehlenhoff:

[operations/puppet@production] Remove krb1001 from the list of KDCs presented to clients

https://gerrit.wikimedia.org/r/1146570

gerritbot added a comment.May 22 2025, 9:29 AM

Change #1149335 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Include profile::base::cuminunpriv in test_krb

https://gerrit.wikimedia.org/r/1149335

gerritbot added a comment.May 22 2025, 10:33 AM

Change #1149335 merged by Muehlenhoff:

[operations/puppet@production] Include profile::base::cuminunpriv in test_krb

https://gerrit.wikimedia.org/r/1149335

MoritzMuehlenhoff added a comment.May 22 2025, 10:45 AM

I created a new keytab for testvm2006 on krb1002 and everything worked fine.

gerritbot added a comment.May 22 2025, 11:31 AM

Change #1145884 merged by Muehlenhoff:

[operations/puppet@production] Remove krb1001 from list of KDCs

https://gerrit.wikimedia.org/r/1145884

Maintenance_bot removed a project: Patch-For-Review.May 22 2025, 11:31 AM
gerritbot added a comment.May 23 2025, 6:48 AM

Change #1149540 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Switch krb1001 to insetup role

https://gerrit.wikimedia.org/r/1149540

gerritbot added a project: Patch-For-Review.May 23 2025, 6:48 AM
gerritbot added a comment.May 23 2025, 7:00 AM

Change #1149540 merged by Muehlenhoff:

[operations/puppet@production] Switch krb1001 to insetup role

https://gerrit.wikimedia.org/r/1149540

Maintenance_bot removed a project: Patch-For-Review.May 23 2025, 7:30 AM
gerritbot added a comment.May 23 2025, 7:32 AM

Change #1149542 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Default the Kerberos role to nftables

https://gerrit.wikimedia.org/r/1149542

gerritbot added a project: Patch-For-Review.May 23 2025, 7:32 AM
gerritbot added a comment.May 26 2025, 11:47 AM

Change #1149542 merged by Muehlenhoff:

[operations/puppet@production] Default the Kerberos role to nftables

https://gerrit.wikimedia.org/r/1149542

Maintenance_bot removed a project: Patch-For-Review.May 26 2025, 12:31 PM
MoritzMuehlenhoff added a subtask: T396007: decommission krb1001.eqiad.wmnet.Jun 4 2025, 11:29 AM
MoritzMuehlenhoff updated the task description. (Show Details)Jun 4 2025, 12:17 PM

All done!

MoritzMuehlenhoff closed this task as Resolved.Jun 4 2025, 12:18 PM
VRiley-WMF closed subtask T396007: decommission krb1001.eqiad.wmnet as Resolved.Jun 4 2025, 8:37 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits