Page MenuHomePhabricator
Create Task
Maniphest T395938

puppetize setup of new zuul VMs
Open, HighPublic
Actions

Description

The 6 VMs created for new zuul in T393873 need further setup / puppetization.

To avoid amending to the VM request ticket forever but have something to link changes to, continue on this new ticket.

This ticket covers further setup for all 3 types of new zuul VMs, main, executor and trusted job runner.

all changes in topic branch: https://gerrit.wikimedia.org/r/q/topic:%22zuul-new%22

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
zuul: make gerrit ssh key configurable in Hiera and add itoperations/puppetproduction+14 -2
add fake keys for new zuul to connect to gerritlabs/privatemaster+2 -0
zuul: mount /var/ssh/zuul for zuul-scheduleroperations/puppetproduction+1 -0
zuul::executor: remove mounting of /etc/cfssloperations/puppetproduction+0 -1
zuul: break out mTLS setup into separate classoperations/puppetproduction+85 -84
zuul::executor: add TLS full chain needed for zookeeper configoperations/puppetproduction+33 -0
zuul::base: use wmflib::mkdir_p to ensure directoriesoperations/puppetproduction+13 -16
zuul::base: ensure /var/ssh/zuul existsoperations/puppetproduction+23 -4
zuul::main: add second zookeeper server to nodepool config (WIP)operations/puppetproduction+7 -2
zuul: specify charset=utf8mb4 in database connection configoperations/puppetproduction+1 -1
zuul: mariadb+pymysql instead of mysql+pymysql for DB connectionoperations/puppetproduction+1 -1
zuul: use full chain as zookeeper TLS CA bundleoperations/puppetproduction+2 -1
zuul: zuul scheduler needs to also have updated cert pathoperations/puppetproduction+1 -1
zuul::main: add zuul client cert to full chain of trustoperations/puppetproduction+8 -1
zuul::main: add extra Java opts to debug zookeeper TLSoperations/puppetproduction+3 -1
zookeeper: support TLS by loading Netty jars into class pathoperations/puppetproduction+13 -0
zuul::main: add debugging extra_java_opts: "-Djavax.net.debug=ssl,handshake"operations/puppetproduction+5 -0
zookeeper::server: if extra_java_opts are set, keep prometheus optsoperations/puppetproduction+1 -1
zookeeper::server: allow Hiera to override $extra_java_optsoperations/puppetproduction+8 -2
zuul::main: build full chain of trust for Java Netty TLSoperations/puppetproduction+30 -2
zuul::main: set tls_truststore for zookeeper to the copy it ownsoperations/puppetproduction+2 -1
zuul::executor: do not use /etc/zookeeper as cert diroperations/puppetproduction+1 -1
zuul: properly differentiate between zuul and zookeeper certsoperations/puppetproduction+15 -9
zuul::executor: add Hiera key for tls_config_diroperations/puppetproduction+2 -0
zuul-web: bind mount /etc/zookeeper/zuul-tlsoperations/puppetproduction+1 -1
zookeeper/zuul: use ssl.trustStore.password instead ssl.trustStore.passwordPathoperations/puppetproduction+6 -18
zuul: fix renamed password variablelabs/privatemaster+1 -1
zookeeper: add fake TLS password to match private repolabs/privatemaster+1 -0
zuul/zookeeper: use CA-only, not chained file, as truststoreoperations/puppetproduction+2 -2
zuul: parameterize and configure new config dir for zookeeper-zuuloperations/puppetproduction+10 -7
zuul: create shared config dir for zookeeper-zuul mTLSoperations/puppetproduction+9 -0
zookeeper: mTLS debugging, use TLSv.1.2, clientAuth=want, set alias to 1operations/puppetproduction+8 -2
zuul: use chained certificate incl CA for zookeeperoperations/puppetproduction+4 -2
zuul: move .p12 keystore file under the zookeeper config pathoperations/puppetproduction+4 -4
zookeeper: set keystore format to PKCS12 when enabling TLS (for zuul)operations/puppetproduction+2 -0
zookeeper/zuul: use standard port 2281 for TLS secureClientPortoperations/puppetproduction+4 -4
zookeeper: add ssl.keyStore.passwordPathoperations/puppetproduction+6 -0
zookeeper: add parameter and path to tls cert passphraseoperations/puppetproduction+6 -0
zuul: write TLS passphrase to a file for zookeeperoperations/puppetproduction+11 -0
zuul: add $service_ensure parameter for zuul services (WIP)operations/puppetproduction+15 -4
zookeeper: add support for TLSoperations/puppetproduction+21 -0
zuul::main: add firewall src sets CACHES to envoy Hiera keysoperations/puppetproduction+2 -0
zuul: still need TLS cert pathes in base classoperations/puppetproduction+5 -0
zuul: move zookeeper code from base to main profileoperations/puppetproduction+20 -20
zuul: move ssl_password to new parameter namelabs/privatemaster+1 -1
zuul: ensure /var/www existsoperations/puppetproduction+10 -3
zuul: create pkcs12 certs from x509 certs for zookeeperoperations/puppetproduction+14 -2
zuul: add fake password for zookeeper ssl certlabs/privatemaster+1 -0
zuul: fix srange in firewall rule, do not set host bitsoperations/puppetproduction+1 -1
zuul: add firewall rule to allow docker network to zookeeper portoperations/puppetproduction+7 -0
zuul: create class and systemd unit for new zuul-web serviceoperations/puppetproduction+33 -0
zuul: reduce code duplication for new zuul setupoperations/puppetproduction+71 -84
zuul: tighten file mode for new zuul config fileoperations/puppetproduction+2 -0
zuul: adjust config section for zuul auth operatoroperations/puppetproduction+9 -3
add fake secret for zuul auth operatorlabs/privatemaster+4 -0
zuul: use zuul_main_nodes to determine zookeeper serveroperations/puppetproduction+5 -7
zuul: fix typo in template, add zookeeper_server param to executor classoperations/puppetproduction+2 -1
zuul: adjust zookeeper hosts/port in new zuul configoperations/puppetproduction+1 -1
zuul: follow-up fix to moving nodepool config to own profileoperations/puppetproduction+7 -1
zuul: move new zuul nodepool setup to its own profileoperations/puppetproduction+57 -49
move zuul nodepool user token to new location for I745f8c87b4c57flabs/privatemaster+1 -1
zuul::executor: let executor connect to zookeeper on the host machineoperations/puppetproduction+2 -0
zuul::main: let nodepool connect to zookeeper on the host machineoperations/puppetproduction+2 -0
zuul (new): remove dependency on docker classoperations/puppetproduction+0 -1
zuul::main: add rsyslog logging config snippetoperations/puppetproduction+8 -0
zuul: use variables to set path to zookeeper TLS certs in configoperations/puppetproduction+3 -3
pki: create a new intermediate CA for zuuloperations/puppetproduction+2 -0
zuul: factor webserver/proxy out into its own profileoperations/puppetproduction+37 -31
zuul: load apache mod_proxy_wstunnel, add rewrite rulesoperations/puppetproduction+6 -1
zuul: define main and executor host names in common hiera dataoperations/puppetproduction+8 -0
zuul::main: use profile docker::engine to install dockeroperations/puppetproduction+9 -6
zuul::executor: add parameter for port and set it to 7100operations/puppetproduction+5 -1
httpbb: add test file for zuul.wikimedia.orgoperations/puppetproduction+13 -0
zuul::main: add website config with proxy settingsoperations/puppetproduction+48 -0
create zuul.discovery.wmnetoperations/dnsmaster+2 -0
zuul::main: allow deployment hosts to speak http to it for testingoperations/puppetproduction+7 -1
zuul::main: allow caching layer to connect to http backendoperations/puppetproduction+8 -0
zuul::main: add a httpd with proxy modules loadedoperations/puppetproduction+10 -0
zuul::main: add envoy for TLS terminationoperations/puppetproduction+21 -1
zuul::main: set a role descriptionoperations/puppetproduction+1 -0
create zuul.wikimedia.orgoperations/dnsmaster+2 -0
zuul::main: create /var/lib/zuul/.ssh/known_hostsoperations/puppetproduction+15 -0
zuul: create empty dir /var/lib/zuul on new zuul main hostsoperations/puppetproduction+6 -0
zuul/hieradata: fix typo in zuul1001 hostnameoperations/puppetproduction+1 -1
zuul: add zookeeper to new-zuul main prod VMsoperations/puppetproduction+14 -0
zuul: puppetize password for zuul->gerrit http connectionoperations/puppetproduction+7 -2
add passwords::zuul::gerrit with fake passwordlabs/privatemaster+5 -0
zuul: use mariadb connector and Hiera'ize mysql_host nameoperations/puppetproduction+5 -2
zuul: add mysql prod password in new zuul configoperations/puppetproduction+2 -4
zuul: add initial new-zuul config from templateoperations/puppetproduction+70 -0
add passwords::mysql::zuul with fake passwordlabs/privatemaster+5 -0
zuul::main: install apparmor-utils, needed for dockeroperations/puppetproduction+1 -1
secrets: add fake SSH private key for zuullabs/privatemaster+3 -0
zuul::executor: add zuul user and nodepool ssh private keyoperations/puppetproduction+13 -0
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
gerritbot added a comment.Nov 21 2025, 8:37 PM

Change #1208441 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: add $service_ensure parameter for zuul services (WIP)

https://gerrit.wikimedia.org/r/1208441

gerritbot added a comment.Nov 25 2025, 8:33 PM

Change #1208441 merged by Dzahn:

[operations/puppet@production] zuul: add $service_ensure parameter for zuul services (WIP)

https://gerrit.wikimedia.org/r/1208441

gerritbot added a comment.Jan 16 2026, 9:57 AM

Change #1224908 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zookeeper: add ssl.keyStore.passwordPath

https://gerrit.wikimedia.org/r/1224908

gerritbot added a comment.Jan 16 2026, 10:19 AM

Change #1227735 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: write TLS passphrase to a file for zookeeper

https://gerrit.wikimedia.org/r/1227735

gerritbot added a comment.Jan 27 2026, 12:01 PM

Change #1227735 merged by Dzahn:

[operations/puppet@production] zuul: write TLS passphrase to a file for zookeeper

https://gerrit.wikimedia.org/r/1227735

gerritbot added a comment.Jan 27 2026, 1:07 PM

Change #1233697 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zookeeper: add parameter and path to tls cert passphrase

https://gerrit.wikimedia.org/r/1233697

gerritbot added a comment.Jan 28 2026, 12:52 PM

Change #1233697 abandoned by Dzahn:

[operations/puppet@production] zookeeper: add parameter and path to tls cert passphrase

Reason:

merge into https://gerrit.wikimedia.org/r/c/operations/puppet/+/1224908

https://gerrit.wikimedia.org/r/1233697

gerritbot added a comment.Jan 28 2026, 1:11 PM

Change #1224908 merged by Dzahn:

[operations/puppet@production] zookeeper: add ssl.keyStore.passwordPath

https://gerrit.wikimedia.org/r/1224908

gerritbot added a comment.Feb 4 2026, 1:19 PM

Change #1236730 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zookeeper/zuul: use standard port 2281 for TLS secureClientPort

https://gerrit.wikimedia.org/r/1236730

gerritbot added a comment.Feb 4 2026, 1:26 PM

Change #1236735 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zookeeper: set keystore format to PKCS12 when enabling TLS (for zuul)

https://gerrit.wikimedia.org/r/1236735

gerritbot added a comment.Feb 4 2026, 6:40 PM

Change #1236730 merged by Dzahn:

[operations/puppet@production] zookeeper/zuul: use standard port 2281 for TLS secureClientPort

https://gerrit.wikimedia.org/r/1236730

gerritbot added a comment.Feb 4 2026, 6:55 PM

Change #1236735 merged by Dzahn:

[operations/puppet@production] zookeeper: set keystore format to PKCS12 when enabling TLS (for zuul)

https://gerrit.wikimedia.org/r/1236735

gerritbot added a comment.Feb 4 2026, 7:19 PM

Change #1236809 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: move .p12 keystore file under the zookeeper config path

https://gerrit.wikimedia.org/r/1236809

gerritbot added a comment.Feb 4 2026, 7:28 PM

Change #1236809 merged by Dzahn:

[operations/puppet@production] zuul: move .p12 keystore file under the zookeeper config path

https://gerrit.wikimedia.org/r/1236809

gerritbot added a comment.Feb 4 2026, 7:52 PM

Change #1236815 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: use chained certificate incl CA for zookeeper

https://gerrit.wikimedia.org/r/1236815

gerritbot added a comment.Feb 4 2026, 8:13 PM

Change #1236815 merged by Dzahn:

[operations/puppet@production] zuul: use chained certificate incl CA for zookeeper

https://gerrit.wikimedia.org/r/1236815

gerritbot added a comment.Feb 5 2026, 3:26 PM

Change #1237253 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zookeeper: mTLS debugging, use TLSv.1.2, clientAuth=want, set alias to 1

https://gerrit.wikimedia.org/r/1237253

gerritbot added a comment.Feb 5 2026, 3:51 PM

Change #1237253 merged by Dzahn:

[operations/puppet@production] zookeeper: mTLS debugging, use TLSv.1.2, clientAuth=want, set alias to 1

https://gerrit.wikimedia.org/r/1237253

gerritbot added a comment.Feb 5 2026, 6:43 PM

Change #1237294 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: create shared config dir for zookeeper-zuul mTLS

https://gerrit.wikimedia.org/r/1237294

gerritbot added a comment.Feb 5 2026, 6:51 PM

Change #1237294 merged by Dzahn:

[operations/puppet@production] zuul: create shared config dir for zookeeper-zuul mTLS

https://gerrit.wikimedia.org/r/1237294

gerritbot added a comment.Feb 5 2026, 8:30 PM

Change #1237327 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: parameterize and configure new config dir for zookeeper-zuul

https://gerrit.wikimedia.org/r/1237327

gerritbot added a comment.Feb 5 2026, 8:46 PM

Change #1237327 merged by Dzahn:

[operations/puppet@production] zuul: parameterize and configure new config dir for zookeeper-zuul

https://gerrit.wikimedia.org/r/1237327

gerritbot added a comment.Feb 5 2026, 9:12 PM

Change #1237341 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul/zookeeper: use CA-only, not chained file, as truststore

https://gerrit.wikimedia.org/r/1237341

gerritbot added a comment.Feb 5 2026, 9:15 PM

Change #1237341 merged by Dzahn:

[operations/puppet@production] zuul/zookeeper: use CA-only, not chained file, as truststore

https://gerrit.wikimedia.org/r/1237341

gerritbot added a comment.Feb 5 2026, 9:47 PM

Change #1237342 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zookeeper/zuul: use ssl.trustStore.password instead ssl.trustStore.passwordPath

https://gerrit.wikimedia.org/r/1237342

gerritbot added a comment.Feb 5 2026, 9:49 PM

Change #1237343 had a related patch set uploaded (by Dzahn; author: Dzahn):

[labs/private@master] zookeeper: add fake TLS password to match private repo

https://gerrit.wikimedia.org/r/1237343

gerritbot added a comment.Feb 5 2026, 9:51 PM

Change #1237343 merged by Dzahn:

[labs/private@master] zookeeper: add fake TLS password to match private repo

https://gerrit.wikimedia.org/r/1237343

gerritbot added a comment.Feb 5 2026, 9:57 PM

Change #1237345 had a related patch set uploaded (by Dzahn; author: Dzahn):

[labs/private@master] zuul: fix renamed password variable

https://gerrit.wikimedia.org/r/1237345

gerritbot added a comment.Feb 5 2026, 10:01 PM

Change #1237345 merged by Dzahn:

[labs/private@master] zuul: fix renamed password variable

https://gerrit.wikimedia.org/r/1237345

gerritbot added a comment.Feb 5 2026, 10:13 PM

Change #1237342 merged by Dzahn:

[operations/puppet@production] zookeeper/zuul: use ssl.trustStore.password instead ssl.trustStore.passwordPath

https://gerrit.wikimedia.org/r/1237342

gerritbot added a comment.Feb 6 2026, 5:31 PM

Change #1237354 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul-web: bind mount /etc/zookeeper/zuul-tls

https://gerrit.wikimedia.org/r/1237354

gerritbot added a comment.Feb 6 2026, 5:38 PM

Change #1237354 merged by Dzahn:

[operations/puppet@production] zuul-web: bind mount /etc/zookeeper/zuul-tls

https://gerrit.wikimedia.org/r/1237354

gerritbot added a comment.Feb 6 2026, 6:52 PM

Change #1237543 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: properly differentiate between zuul and zookeeper certs

https://gerrit.wikimedia.org/r/1237543

gerritbot added a comment.Feb 6 2026, 8:34 PM

Change #1237543 merged by Dzahn:

[operations/puppet@production] zuul: properly differentiate between zuul and zookeeper certs

https://gerrit.wikimedia.org/r/1237543

gerritbot added a comment.Feb 9 2026, 7:13 PM

Change #1237983 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul::executor: add Hiera key for tls_config_dir

https://gerrit.wikimedia.org/r/1237983

gerritbot added a comment.Feb 9 2026, 7:25 PM

Change #1237983 merged by Dzahn:

[operations/puppet@production] zuul::executor: add Hiera key for tls_config_dir

https://gerrit.wikimedia.org/r/1237983

gerritbot added a comment.Feb 25 2026, 10:10 PM

Change #1243984 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul::executor: do not use /etc/zookeeper as cert dir

https://gerrit.wikimedia.org/r/1243984

gerritbot added a comment.Feb 25 2026, 10:12 PM

Change #1243984 merged by Dzahn:

[operations/puppet@production] zuul::executor: do not use /etc/zookeeper as cert dir

https://gerrit.wikimedia.org/r/1243984

Dzahn added a subtask: T416920: SystemdUnitFailed - zuul-executor.service.Feb 25 2026, 10:20 PM
gerritbot added a comment.Feb 26 2026, 12:03 AM

Change #1244021 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul::main: set tls_truststore for zookeeper to the copy it owns

https://gerrit.wikimedia.org/r/1244021

gerritbot added a comment.Feb 26 2026, 12:05 AM

Change #1244021 merged by Dzahn:

[operations/puppet@production] zuul::main: set tls_truststore for zookeeper to the copy it owns

https://gerrit.wikimedia.org/r/1244021

gerritbot added a comment.Feb 26 2026, 12:20 AM

Change #1244033 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul::main: add extra Java opts to debug zookeeper TLS

https://gerrit.wikimedia.org/r/1244033

gerritbot added a comment.Feb 27 2026, 12:03 AM

Change #1244927 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zookeeper: support TLS by loading Netty jars into class path

https://gerrit.wikimedia.org/r/1244927

gerritbot added a comment.Feb 27 2026, 12:13 AM

Change #1244939 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zookeeper::server: allow Hiera to override $extra_java_opts

https://gerrit.wikimedia.org/r/1244939

gerritbot added a comment.Feb 27 2026, 12:18 AM

Change #1244944 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul::main: add debugging extra_java_opts: "-Djavax.net.debug=ssl,handshake"

https://gerrit.wikimedia.org/r/1244944

gerritbot added a comment.Feb 27 2026, 12:49 AM

Change #1244969 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul::main: build full chain of trust for Java Netty TLS

https://gerrit.wikimedia.org/r/1244969

gerritbot added a comment.Mar 4 2026, 5:14 PM

Change #1244969 merged by Dzahn:

[operations/puppet@production] zuul::main: build full chain of trust for Java Netty TLS

https://gerrit.wikimedia.org/r/1244969

gerritbot added a comment.Mar 4 2026, 5:34 PM

Change #1244939 merged by Dzahn:

[operations/puppet@production] zookeeper::server: allow Hiera to override $extra_java_opts

https://gerrit.wikimedia.org/r/1244939

gerritbot added a comment.Mar 4 2026, 6:15 PM

Change #1248072 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zookeeper::server: if extra_java_opts are set, keep prometheus opts

https://gerrit.wikimedia.org/r/1248072

gerritbot added a comment.Mar 4 2026, 6:23 PM

Change #1248072 merged by Dzahn:

[operations/puppet@production] zookeeper::server: if extra_java_opts are set, keep prometheus opts

https://gerrit.wikimedia.org/r/1248072

gerritbot added a comment.Mar 4 2026, 6:28 PM

Change #1244944 merged by Dzahn:

[operations/puppet@production] zuul::main: add debugging extra_java_opts: "-Djavax.net.debug=ssl,handshake"

https://gerrit.wikimedia.org/r/1244944

gerritbot added a comment.Mar 4 2026, 7:04 PM

Change #1244927 merged by Dzahn:

[operations/puppet@production] zookeeper: support TLS by loading Netty jars into class path

https://gerrit.wikimedia.org/r/1244927

gerritbot added a comment.Mar 4 2026, 9:48 PM

Change #1244033 abandoned by Dzahn:

[operations/puppet@production] zuul::main: add extra Java opts to debug zookeeper TLS

Reason:

duplicate / replaced by other patches

https://gerrit.wikimedia.org/r/1244033

Maintenance_bot removed a project: Patch-For-Review.Mar 4 2026, 10:30 PM
gerritbot added a comment.Mar 4 2026, 11:50 PM

Change #1248137 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul::main: add zuul client cert to full chain of trust

https://gerrit.wikimedia.org/r/1248137

gerritbot added a project: Patch-For-Review.Mar 4 2026, 11:50 PM
gerritbot added a comment.Mar 5 2026, 12:26 AM

Change #1248137 merged by Dzahn:

[operations/puppet@production] zuul::main: add zuul client cert to full chain of trust

https://gerrit.wikimedia.org/r/1248137

Maintenance_bot removed a project: Patch-For-Review.Mar 5 2026, 12:30 AM
gerritbot added a comment.Mar 5 2026, 1:01 AM

Change #1248155 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: zuul scheduler needs to also have updated cert path

https://gerrit.wikimedia.org/r/1248155

gerritbot added a project: Patch-For-Review.Mar 5 2026, 1:01 AM
gerritbot added a comment.Mar 5 2026, 1:03 AM

Change #1248155 merged by Dzahn:

[operations/puppet@production] zuul: zuul scheduler needs to also have updated cert path

https://gerrit.wikimedia.org/r/1248155

Maintenance_bot removed a project: Patch-For-Review.Mar 5 2026, 1:30 AM
gerritbot added a comment.Wed, Mar 25, 10:43 PM

Change #1260833 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: use full chain as zookeeper TLS CA bundle

https://gerrit.wikimedia.org/r/1260833

gerritbot added a project: Patch-For-Review.Wed, Mar 25, 10:43 PM
gerritbot added a comment.Wed, Mar 25, 11:08 PM

Change #1260833 merged by Dzahn:

[operations/puppet@production] zuul: use full chain as zookeeper TLS CA bundle

https://gerrit.wikimedia.org/r/1260833

Maintenance_bot removed a project: Patch-For-Review.Wed, Mar 25, 11:31 PM
Dzahn closed subtask T405119: Set up zuul web on zuul1001/zuul2001 as Resolved.Wed, Mar 25, 11:36 PM
Dzahn added a comment.Wed, Mar 25, 11:50 PM

zuul-web now works (details in subtask!) :)

We have a new issue with zuul-scheduler (T421330).

It's similar to T405119#11752163

This appears to happen when multiple zuul services perform database migrations at the same time.

It seems we are supposed to:

  • (truncate the alembic_version table in mysql one more time)
  • stop all services
  • start only zuul-scheduler - let it finish all it's stuff
  • only now start zuul-web
Dzahn mentioned this in T421330: SystemdUnitFailed - zuul-scheduler.Wed, Mar 25, 11:50 PM
gerritbot added a comment.Thu, Mar 26, 11:16 PM

Change #1261567 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: mariadb+pymysql instead of mysql+pymysql for DB connection

https://gerrit.wikimedia.org/r/1261567

gerritbot added a project: Patch-For-Review.Thu, Mar 26, 11:16 PM
gerritbot added a comment.Thu, Mar 26, 11:20 PM

Change #1261567 merged by Dzahn:

[operations/puppet@production] zuul: mariadb+pymysql instead of mysql+pymysql for DB connection

https://gerrit.wikimedia.org/r/1261567

Maintenance_bot removed a project: Patch-For-Review.Thu, Mar 26, 11:31 PM
Dzahn added a comment.Thu, Mar 26, 11:49 PM

Debugging the following issue we see on any zuul-related service that starts as the second service after the first one has connected to mariadb.

Mar 26 23:41:56 zuul1001 docker[2350294]: 2026-03-26 23:41:56,910 ERROR zuul.WebServer:              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Mar 26 23:41:56 zuul1001 docker[2350294]: 2026-03-26 23:41:56,910 ERROR zuul.WebServer:     File "/usr/local/lib/python3.11/dist-packages/alembic/script/base.py", line 415, in _upgr>
Mar 26 23:41:56 zuul1001 docker[2350294]: 2026-03-26 23:41:56,910 ERROR zuul.WebServer:       with self._catch_revision_errors(
Mar 26 23:41:56 zuul1001 docker[2350294]: 2026-03-26 23:41:56,910 ERROR zuul.WebServer:     File "/usr/lib/python3.11/contextlib.py", line 155, in __exit__
Mar 26 23:41:56 zuul1001 docker[2350294]: 2026-03-26 23:41:56,910 ERROR zuul.WebServer:       self.gen.throw(typ, value, traceback)
Mar 26 23:41:56 zuul1001 docker[2350294]: 2026-03-26 23:41:56,910 ERROR zuul.WebServer:     File "/usr/local/lib/python3.11/dist-packages/alembic/script/base.py", line 253, in _catc>
Mar 26 23:41:56 zuul1001 docker[2350294]: 2026-03-26 23:41:56,910 ERROR zuul.WebServer:       raise util.CommandError(err.args[0]) from err
Mar 26 23:41:56 zuul1001 docker[2350294]: 2026-03-26 23:41:56,910 ERROR zuul.WebServer:   alembic.util.exc.CommandError: revision identifier b'6c1582c1d08c' is not a string; ensure >
Mar 26 23:41:57 zuul1001 systemd[1]: zuul-web.service: Main process exited, code=exited, status=1/FAILURE

revision identifier b'6c1582c1d08c' is not a string

MariaDB [zuul]> describe alembic_version;
+-------------+---------------+------+-----+---------+-------+
| Field       | Type          | Null | Key | Default | Extra |
+-------------+---------------+------+-----+---------+-------+
| version_num | varbinary(32) | NO   | PRI | NULL    |       |
+-------------+---------------+------+-----+---------+-------+
1 row in set (0.003 sec)
Dzahn added a comment.Fri, Mar 27, 12:09 AM

So if i DROP that table and let zuul-web restart, it creates it again and again with varbinary type.

Then I tried adding ?charset=utf8mb4 to the dburi in the zuul config file.

Then tried altering the table to a varchar type. Without specifying a charset this was silently ignored.

But if you also set the charset you can ALTER it.

MariaDB [zuul]> ALTER TABLE alembic_version 
    -> MODIFY COLUMN version_num VARCHAR(32) NOT NULL;
Query OK, 0 rows affected (0.005 sec)
Records: 0  Duplicates: 0  Warnings: 0

MariaDB [zuul]> describe alembic_version;
+-------------+---------------+------+-----+---------+-------+
| Field       | Type          | Null | Key | Default | Extra |
+-------------+---------------+------+-----+---------+-------+
| version_num | varbinary(32) | NO   | PRI | NULL    |       |
+-------------+---------------+------+-----+---------+-------+
1 row in set (0.003 sec)


MariaDB [zuul]> ALTER TABLE alembic_version 
    -> MODIFY COLUMN version_num VARCHAR(32) CHARACTER SET utf8mb4 NOT NULL;
Query OK, 1 row affected (0.009 sec)               
Records: 1  Duplicates: 0  Warnings: 0

MariaDB [zuul]> describe alembic_version;
+-------------+-------------+------+-----+---------+-------+
| Field       | Type        | Null | Key | Default | Extra |
+-------------+-------------+------+-----+---------+-------+
| version_num | varchar(32) | NO   | PRI | NULL    |       |
+-------------+-------------+------+-----+---------+-------+
1 row in set (0.003 sec)

Now both zuul-scheduler and zuul-web could start.

gerritbot added a comment.Fri, Mar 27, 12:19 AM

Change #1261670 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: specify charset=utf8mb4 in database connection config

https://gerrit.wikimedia.org/r/1261670

gerritbot added a project: Patch-For-Review.Fri, Mar 27, 12:19 AM
gerritbot added a comment.Fri, Mar 27, 12:32 AM

Change #1261670 merged by Dzahn:

[operations/puppet@production] zuul: specify charset=utf8mb4 in database connection config

https://gerrit.wikimedia.org/r/1261670

gerritbot added a comment.Fri, Mar 27, 12:55 AM

Change #1261690 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: break out mTLS setup into separate class

https://gerrit.wikimedia.org/r/1261690

dduvall created subtask T422207: Connect zuul-nodepool to zookeeper and zuul WMCS cluster.Thu, Apr 2, 6:53 PM
dduvall changed the status of subtask T422207: Connect zuul-nodepool to zookeeper and zuul WMCS cluster from Open to In Progress.Thu, Apr 2, 7:36 PM
Dzahn added a comment.EditedFri, Apr 3, 7:15 PM

regarding zuul-web: the service is running:

[zuul1001:~] $ systemctl status zuul-web
● zuul-web.service - zuul-web service
     Loaded: loaded (/usr/lib/systemd/system/zuul-web.service; enabled; preset: enabled)
     Active: active (running) since Sat 2026-03-28 14:36:54 UTC; 6 days ago
..
Apr 03 17:45:11 zuul1001 docker[2782311]: 2026-04-03 17:45:11,684 INFO zuul.ComponentRegistry: Noticed new scheduler component eca59e1df0bb0000000313
Apr 03 17:45:11 zuul1001 docker[2782311]: 2026-04-03 17:45:11,687 INFO zuul.ComponentRegistry: Component scheduler eca59e1df0bb0000000313 updated: {'hostname': 'eca59e1df0bb', 'kind': 'sche>

I can connect to port 80 with curl to Apache httpd which is also running:

[zuul1001:~] $ curl zuul.discovery.wmnet
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<title>502 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
<p>The proxy server received an invalid
response from an upstream server.<br />
The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
</body></html>

I can also connect directly to port 9000 where httpd proxies to:

telnet zuul.discovery.wmnet 9000
Trying 2620:0:861:103:10:64:32:104...
Connected to zuul.discovery.wmnet.
Escape character is '^]'.
Connection closed by foreign host.

Still have to debug from there.

gerritbot added a comment.Fri, Apr 3, 7:16 PM

Change #1193142 abandoned by Dzahn:

[operations/puppet@production] zuul::main: add second zookeeper server to nodepool config (WIP)

Reason:

https://phabricator.wikimedia.org/T422207#11786389

https://gerrit.wikimedia.org/r/1193142

gerritbot added a comment.Wed, Apr 8, 7:02 PM

Change #1260847 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul::base: ensure /var/ssh/zuul exists

https://gerrit.wikimedia.org/r/1260847

gerritbot added a comment.Wed, Apr 8, 7:26 PM

Change #1260847 merged by Dzahn:

[operations/puppet@production] zuul::base: ensure /var/ssh/zuul exists

https://gerrit.wikimedia.org/r/1260847

gerritbot added a comment.Wed, Apr 8, 8:07 PM

Change #1269053 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul::base: use wmflib::mkdir_p to ensure directories

https://gerrit.wikimedia.org/r/1269053

gerritbot added a comment.Wed, Apr 8, 11:01 PM

Change #1269053 merged by Dzahn:

[operations/puppet@production] zuul::base: use wmflib::mkdir_p to ensure directories

https://gerrit.wikimedia.org/r/1269053

gerritbot added a comment.Wed, Apr 8, 11:22 PM

Change #1269073 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul::executor: add TLS full chain needed for zookeeper config

https://gerrit.wikimedia.org/r/1269073

gerritbot added a comment.Wed, Apr 8, 11:25 PM

Change #1269073 merged by Dzahn:

[operations/puppet@production] zuul::executor: add TLS full chain needed for zookeeper config

https://gerrit.wikimedia.org/r/1269073

gerritbot added a comment.Wed, Apr 8, 11:32 PM

Change #1261690 abandoned by Dzahn:

[operations/puppet@production] zuul: break out mTLS setup into separate class

Reason:

solved in another way

https://gerrit.wikimedia.org/r/1261690

gerritbot added a comment.Thu, Apr 9, 12:21 AM

Change #1269082 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul::executor: remove mounting of /etc/cfssl

https://gerrit.wikimedia.org/r/1269082

gerritbot added a comment.Thu, Apr 9, 4:48 PM

Change #1269082 merged by Dzahn:

[operations/puppet@production] zuul::executor: remove mounting of /etc/cfssl

https://gerrit.wikimedia.org/r/1269082

gerritbot added a comment.Fri, Apr 10, 11:33 PM

Change #1270103 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: mount /var/ssh/zuul for zuul-scheduler

https://gerrit.wikimedia.org/r/1270103

gerritbot added a comment.Fri, Apr 10, 11:55 PM

Change #1270103 merged by Dzahn:

[operations/puppet@production] zuul: mount /var/ssh/zuul for zuul-scheduler

https://gerrit.wikimedia.org/r/1270103

Dzahn added a comment.Mon, Apr 13, 10:00 PM

Created a new ed25519 key pair for new zuul to connect to Gerrit (in the future).

[Ops] [puppet-private] (3334cf48f) (dzahn) add new ed25519 keypair for new zuul to connect to gerrit (T395938)

It lives under secrets/gerrit/zuul_gerrit_ed25519(.pub). Has NOT been added on the Gerrit side yet.

gerritbot added a comment.Mon, Apr 13, 10:02 PM

Change #1270577 had a related patch set uploaded (by Dzahn; author: Dzahn):

[labs/private@master] add fake keys for new zuul to connect to gerrit

https://gerrit.wikimedia.org/r/1270577

gerritbot added a comment.Mon, Apr 13, 10:04 PM

Change #1270577 merged by Dzahn:

[labs/private@master] add fake keys for new zuul to connect to gerrit

https://gerrit.wikimedia.org/r/1270577

gerritbot added a comment.Mon, Apr 13, 10:24 PM

Change #1270580 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] zuul: make gerrit ssh key configurable in Hiera and add it

https://gerrit.wikimedia.org/r/1270580

gerritbot added a comment.Fri, Apr 17, 7:28 PM

Change #1270580 merged by Dzahn:

[operations/puppet@production] zuul: make gerrit ssh key configurable in Hiera and add it

https://gerrit.wikimedia.org/r/1270580

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits