Page MenuHomePhabricator
Create Task
Maniphest T418521

setup 2 contint machines for jenkins
Closed, ResolvedPublic
Actions

Description

We are going to setup 2 contint machines on physical hardware as a stop gap for T418109 and migrate jenkins to them.

host names: contint1003.wikimedia.org, contint2003.wikimedia.org

In another step a "zuul-legacy" site will be added to the existing contint machines.

https://gerrit.wikimedia.org/r/q/topic:%22contint-split%22

  • add jenkins to APT repo for trixie
  • create puppet role/profile to install only jenkins without other CI role
  • create jenkins.discovery.wmnet
  • install envoy on contint1003/2003
  • make puppet changes to allow configuring jenkins proxy config to a new host
  • upload change to make the actual switch to new jenkins
  • setup rsync in puppet to allow syncing /var/lib/jenkins
  • pre-sync /var/lib/jenkins
  • empty out /var/lib/jenkins/jobs
  • edit firewall to allow existing contint manager to connect to port 1443 (envoy) on new machines
  • verify connection to cloud VPS works
  • verify connecting from the Internet is not allowed by firewall
  • patch puppet to enable jenkins service on contint1003 (and not contint2003)
  • remove httpd again
  • fix firewalling to connect to envoy in front of jenkins from legacy hosts
  • startup jenkins manually the first time, use an ssh tunnel to open the web UI from home and go through the setup
  • make jenkins service actually start with systemd
  • make envoy listen on IPv6 ----
    contint1002 (Manager)                                      contint1003 (New)
    [ Debian 11 Bullseye ]                                     [ Debian 13 Trixie ]
+---------------------------+                              +---------------------------+

|                           |                              |                           |
|  [ Zuul Manager ] --------|== jenkins.discovery.wmnet:1443 (HTTPS) ==> [ FIREWALL ]  |
|         |                 |                              |                |          |
|         v                 |                              |                v          |
|  [ Envoy (1443) ]         |                              |         [ Envoy (1443) ]  |
|         |                 |                              |                |          |
|         v                 |                              |                v          |
|  [ Apache (80) ]          |                              |         [ Jenkins (8080)] |
|         |                 |                              |            (Java 21)      |
|         v                 |                              +---------------------------+
|  [ Jenkins (8080) ]       |
|      (Java 17)            |
+---------------------------+

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
ci::docker: also install docker-cli when installing docker.iooperations/puppetproduction+1 -1
jenkins: switch firewall provider to fermoperations/puppetproduction+1 -1
jenkins: add profile::ci::docker to roleoperations/puppetproduction+4 -0
jenkins: include docker, add commentsoperations/puppetproduction+4 -0
ci: switch jenkins proxy target to new discovery nameoperations/puppetproduction+1 -1
jenkins: allow rsyncing of data for migrating a jenkins serveroperations/puppetproduction+20 -1
jenkins: let envoy listen on IPv6operations/puppetproduction+1 -0
jenkins: include firewall and set provider for new roleoperations/puppetproduction+3 -0
jenkins: ensure /srv/jenkins/builds existsoperations/puppetproduction+7 -0
jenkins: remove httpd profile from roleoperations/puppetproduction+0 -1
ci::jenkins: add dependency of jenkins service on firewalloperations/puppetproduction+3 -0
jenkins: pass srange as an array to firewall::serviceoperations/puppetproduction+1 -1
ci::jenkins: add firewall rule to allow legacy machines to new jenkinsoperations/puppetproduction+8 -0
jenkins: define contint1003 as the manager_host for the jenkins roleoperations/puppetproduction+1 -1
jenkins: add envoy and config for jenkins.discovery.wmnetoperations/puppetproduction+14 -0
contint/jenkins: make the jenkins host name configurableoperations/puppetproduction+5 -3
jenkins: enable the jenkins service if using new roleoperations/puppetproduction+13 -5
create a discovery name for new jenkins on contint machinesoperations/dnsmaster+3 -1
jenkins: add proxy_jenkins profile to roleoperations/puppetproduction+5 -1
jenkins: add ci::httpd profile to roleoperations/puppetproduction+1 -0
profile::ci: add support for trixie / PHP8.4operations/puppetproduction+1 -0
trafficserver/contint: add zuul-legacy siteoperations/puppetproduction+5 -0
add zuul-legacy to point at old zuuloperations/dnsmaster+1 -0
ci::website/ci::httpd: move monitoring to website, not httpdoperations/puppetproduction+14 -12
ci::website: support 2 different websites, integration vs zuul-legacyoperations/puppetproduction+29 -8
site/jenkins: apply jenkins role on contint1003operations/puppetproduction+3 -5
aptrepo: add jenkins for trixieoperations/puppetproduction+2 -0
jenkins: set the CI manager host in Hieraoperations/puppetproduction+2 -0
site: apply jenkins stub role on contint2003operations/puppetproduction+5 -1
create role skeleton for jenkinsoperations/puppetproduction+21 -0
installserver: add contint[1-2]003 to preseed regexoperations/puppetproduction+1 -1
site: add contint1003/2003 with insetup collab roleoperations/puppetproduction+4 -0
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
gerritbot added a comment.Mar 4 2026, 7:27 PM

Change #1248083 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] installserver: add contint[1-2]003 to preseed regex

https://gerrit.wikimedia.org/r/1248083

gerritbot added a comment.Mar 4 2026, 7:32 PM

Change #1248083 merged by Dzahn:

[operations/puppet@production] installserver: add contint[1-2]003 to preseed regex

https://gerrit.wikimedia.org/r/1248083

gerritbot added a comment.Mar 4 2026, 10:10 PM

Change #1248118 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] ci::website: support 2 different websites, integration vs zuul-legacy

https://gerrit.wikimedia.org/r/1248118

gerritbot added a comment.Mar 4 2026, 10:50 PM

Change #1248127 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] ci::website/ci::httpd: move monitoring to website, not httpd

https://gerrit.wikimedia.org/r/1248127

Dzahn closed subtask T418545: codfw: request for a decom'ed R440 - Config C as Resolved.Mar 5 2026, 6:43 PM
Dzahn mentioned this in T418545: codfw: request for a decom'ed R440 - Config C.
Dzahn renamed this task from setup 2 contint machines for zuul or jenkins to setup 2 contint machines for jenkins.Mar 5 2026, 11:02 PM
Dzahn updated the task description. (Show Details)
ops-monitoring-bot added a comment.Mar 5 2026, 11:09 PM

Cookbook cookbooks.sre.hosts.reimage was started by dzahn@cumin2002 for host contint2003.wikimedia.org with OS trixie

gerritbot added a comment.Mar 5 2026, 11:35 PM

Change #1248082 merged by Dzahn:

[operations/puppet@production] create role skeleton for jenkins

https://gerrit.wikimedia.org/r/1248082

gerritbot added a comment.Mar 5 2026, 11:39 PM

Change #1248635 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] site: apply jenkins stub role on contint2003

https://gerrit.wikimedia.org/r/1248635

ops-monitoring-bot added a comment.Mar 5 2026, 11:52 PM

Cookbook cookbooks.sre.hosts.reimage started by dzahn@cumin2002 for host contint2003.wikimedia.org with OS trixie completed:

  • contint2003 (PASS)
    • Downtimed on Icinga/Alertmanager
    • Disabled Puppet
    • Removed from Puppet and PuppetDB if present and deleted any certificates
    • Removed from Debmonitor if present
    • Forced PXE for next reboot
    • Host rebooted via IPMI
    • Host up (Debian installer)
    • Checked BIOS boot parameters are back to normal
    • Host up (new fresh trixie OS)
    • Generated Puppet certificate
    • Signed new Puppet certificate
    • Run Puppet in NOOP mode to populate exported resources in PuppetDB
    • Found Nagios_host resource for this host in PuppetDB
    • Downtimed the new host on Icinga/Alertmanager
    • Removed previous downtime on Alertmanager (old OS)
    • First Puppet run completed and logged in /var/log/spicerack/sre/hosts/reimage/202603052333_dzahn_4003818_contint2003.out
    • configmaster.wikimedia.org updated with the host new SSH public key for wmf-update-known-hosts-production
    • Rebooted
    • Automatic Puppet run was successful
    • Forced a re-check of all Icinga services for the host
    • Icinga status is optimal
    • Icinga downtime removed
    • Updated Netbox data from PuppetDB
gerritbot added a comment.Mar 6 2026, 12:14 AM

Change #1248641 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] aptrepo: add jenkins for trixie

https://gerrit.wikimedia.org/r/1248641

ABran-WMF subscribed.Mar 6 2026, 6:53 AM
gerritbot added a comment.Mar 6 2026, 4:48 PM

Change #1248641 merged by Dzahn:

[operations/puppet@production] aptrepo: add jenkins for trixie

https://gerrit.wikimedia.org/r/1248641

gerritbot added a comment.Mar 6 2026, 4:55 PM

Change #1248635 merged by Dzahn:

[operations/puppet@production] site: apply jenkins stub role on contint2003

https://gerrit.wikimedia.org/r/1248635

gerritbot added a comment.Mar 6 2026, 5:29 PM

Change #1248892 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: set the CI manager host in Hiera

https://gerrit.wikimedia.org/r/1248892

gerritbot added a comment.Mar 6 2026, 5:30 PM

Change #1248892 merged by Dzahn:

[operations/puppet@production] jenkins: set the CI manager host in Hiera

https://gerrit.wikimedia.org/r/1248892

Dzahn added a comment.Mar 6 2026, 7:12 PM

Imported jenkins into trixie-wikimedia.

[apt1002:/srv/wikimedia] $ sudo -i reprepro -C thirdparty/jenkins checkupdate trixie-wikimedia
Calculating packages to get...
Updates needed for 'trixie-wikimedia|thirdparty/jenkins|amd64':
'jenkins': newly installed as '2.541.2' (from 'jenkins-bookworm'):
 files needed: pool/thirdparty/jenkins/j/jenkins/jenkins_2.541.2_all.deb

--

[apt1002:/srv/wikimedia] $ sudo -i reprepro -C thirdparty/jenkins update trixie-wikimedia
Calculating packages to get...
Getting packages...
Installing (and possibly deleting) packages...
Exporting indices...
Dzahn added a comment.Mar 6 2026, 7:16 PM

contint2003 now the basic jenkins installed via the new stub role "jenkins".

Notice: /Stage[main]/Jenkins/Systemd::Service[jenkins]/Systemd::Unit[jenkins]/Exec[systemd daemon-reload for jenkins.service (jenkins)]: Triggered 'refresh' from 1 event
Notice: /Stage[main]/Jenkins/Systemd::Service[jenkins]/Service[jenkins]/ensure: ensure changed 'running' to 'stopped'
Notice: Applied catalog in 33.11 seconds
[contint2003:~]

It gets masked as puppet code tells it to because this is not the main/active contint server.

[contint2003:~] $ systemctl status jenkins
○ jenkins.service
     Loaded: masked (Reason: Unit jenkins.service is masked.)

Java 21 has been installed straight from Debian.

[contint2003:~] $ dpkg -l | grep jre
ii  openjdk-21-jre:amd64                 21.0.10+7-1~deb13u1                  amd64        OpenJDK Java runtime, using Hotspot JIT
ii  openjdk-21-jre-headless:amd64        21.0.10+7-1~deb13u1                  amd64        OpenJDK Java runtime, using Hotspot JIT (headless)
Dzahn added a subtask: T419280: PuppetFailure - contint2003.Mar 6 2026, 9:20 PM
Dzahn mentioned this in T419280: PuppetFailure - contint2003.
Dzahn closed subtask T419280: PuppetFailure - contint2003 as Resolved.
Dzahn closed subtask T418520: reserve 2 new public IPs for contint machines as Resolved.Mar 6 2026, 11:54 PM
Dzahn closed subtask T418544: eqiad: request for a decom'ed R440 - Config C as Resolved.Mar 11 2026, 10:56 PM
gerritbot added a comment.Mar 11 2026, 11:04 PM

Change #1250743 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] site/jenkins: apply jenkins role on contint1003

https://gerrit.wikimedia.org/r/1250743

gerritbot added a comment.Mar 11 2026, 11:07 PM

Change #1250743 merged by Dzahn:

[operations/puppet@production] site/jenkins: apply jenkins role on contint1003

https://gerrit.wikimedia.org/r/1250743

gerritbot added a comment.Wed, Mar 11, 11:33 PM

Change #1250748 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: add proxy_jenkins profile to role

https://gerrit.wikimedia.org/r/1250748

gerritbot added a comment.Wed, Mar 11, 11:58 PM

Change #1248118 merged by Dzahn:

[operations/puppet@production] ci::website: support 2 different websites, integration vs zuul-legacy

https://gerrit.wikimedia.org/r/1248118

gerritbot added a comment.Thu, Mar 12, 12:02 AM

Change #1248127 merged by Dzahn:

[operations/puppet@production] ci::website/ci::httpd: move monitoring to website, not httpd

https://gerrit.wikimedia.org/r/1248127

gerritbot added a comment.Thu, Mar 12, 12:31 AM

Change #1250752 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: add ci::httpd profile to role

https://gerrit.wikimedia.org/r/1250752

gerritbot added a comment.Thu, Mar 12, 12:40 AM

Change #1250755 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] profile::ci: add support for trixie / PHP8.4

https://gerrit.wikimedia.org/r/1250755

gerritbot added a comment.Thu, Mar 12, 12:49 AM

Change #1250756 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/dns@master] add zuul-legacy to point at old zuul

https://gerrit.wikimedia.org/r/1250756

gerritbot added a comment.Thu, Mar 12, 1:00 AM

Change #1250757 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] trafficserver/contint: add zuul-legacy site

https://gerrit.wikimedia.org/r/1250757

gerritbot added a comment.Thu, Mar 12, 6:44 PM

Change #1250756 abandoned by Dzahn:

[operations/dns@master] add zuul-legacy to point at old zuul

Reason:

we probably don't need this after all

https://gerrit.wikimedia.org/r/1250756

gerritbot added a comment.Thu, Mar 12, 6:44 PM

Change #1250757 abandoned by Dzahn:

[operations/puppet@production] trafficserver/contint: add zuul-legacy site

Reason:

not needed

https://gerrit.wikimedia.org/r/1250757

gerritbot added a comment.Thu, Mar 12, 6:48 PM

Change #1250755 merged by Dzahn:

[operations/puppet@production] profile::ci: add support for trixie / PHP8.4

https://gerrit.wikimedia.org/r/1250755

gerritbot added a comment.Fri, Mar 13, 1:18 AM

Change #1250752 merged by Dzahn:

[operations/puppet@production] jenkins: add ci::httpd profile to role

https://gerrit.wikimedia.org/r/1250752

Stashbot added a comment.Fri, Mar 13, 1:26 AM

Mentioned in SAL (#wikimedia-operations) [2026-03-13T01:26:39Z] <dzahn@cumin2002> DONE (PASS) - Cookbook sre.hosts.downtime (exit_code=0) for 5 days, 0:00:00 on contint2003.wikimedia.org with reason: T418521

Stashbot added a comment.Fri, Mar 13, 1:26 AM

Mentioned in SAL (#wikimedia-operations) [2026-03-13T01:26:53Z] <dzahn@cumin2002> DONE (PASS) - Cookbook sre.hosts.downtime (exit_code=0) for 5 days, 0:00:00 on contint1003.wikimedia.org with reason: T418521

Stashbot added a comment.Fri, Mar 13, 1:37 AM

Mentioned in SAL (#wikimedia-operations) [2026-03-13T01:37:20Z] <mutante> contint1003/contint2003 - every time(?) we setup machines with puppet using our httpd module and PHP - and puppet runs for the first time we run into the same old issue with "Exec[ensure_present_mod_php" failing and "Considering conflict mpm_worker for mpm_prefork"sudo a2dismod mpm_event". The fix is: 'sudo a2dismod mpm_event' and run puppet again. T418521

Dzahn added a comment.Fri, Mar 13, 1:41 AM

The following is a known issue that we have when puppet runs for the very first time on a machine using our httpd module and PHP.

Notice: /Stage[main]/Httpd/Httpd::Mod_conf[php8.4]/Exec[ensure_present_mod_php8.4]/returns: Considering conflict mpm_worker for mpm_prefork:

Error: '/usr/sbin/a2enmod php8.4' returned 1 instead of one of [0]
Error: /Stage[main]/Httpd/Httpd::Mod_conf[php8.4]/Exec[ensure_present_mod_php8.4]/returns: change from 'notrun' to ['0'] failed: '/usr/sbin/a2enmod php8.4' returned 1 instead of one of [0]

The fix for this is:

root@contint1003:/home/dzahn# a2dismod mpm_event
Module mpm_event disabled.

and run puppet a second time.

From there on puppet recovers and there is no manual step needed.

gerritbot added a comment.Fri, Mar 13, 2:15 AM

Change #1251205 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: add envoy and config for jenkins.discovery.wmnet (WIP)

https://gerrit.wikimedia.org/r/1251205

gerritbot added a comment.Fri, Mar 13, 3:16 AM

Change #1251208 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: enable the jenkins service if using new role

https://gerrit.wikimedia.org/r/1251208

gerritbot added a comment.Tue, Mar 17, 5:39 PM

Change #1250748 abandoned by Dzahn:

[operations/puppet@production] jenkins: add proxy_jenkins profile to role

Reason:

not needed - proxy config stays on old host

https://gerrit.wikimedia.org/r/1250748

gerritbot added a comment.Tue, Mar 17, 7:05 PM

Change #1254292 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/dns@master] create a discovery name for new jenkins on contint machines

https://gerrit.wikimedia.org/r/1254292

gerritbot added a comment.Tue, Mar 17, 7:07 PM

Change #1254292 merged by Dzahn:

[operations/dns@master] create a discovery name for new jenkins on contint machines

https://gerrit.wikimedia.org/r/1254292

Dzahn added a comment.Tue, Mar 17, 7:09 PM

name to talk to the new jenkins:

[dns1004:~] $ host jenkins.discovery.wmnet
jenkins.discovery.wmnet is an alias for contint1003.wikimedia.org.
contint1003.wikimedia.org has address 208.80.154.137
contint1003.wikimedia.org has IPv6 address 2620:0:861:2:208:80:154:137
gerritbot added a comment.Tue, Mar 17, 7:12 PM

Change #1254295 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: define contint1003 as the manager_host for the jenkins role

https://gerrit.wikimedia.org/r/1254295

gerritbot added a comment.Tue, Mar 17, 7:39 PM

Change #1251208 abandoned by Dzahn:

[operations/puppet@production] jenkins: enable the jenkins service if using new role

Reason:

replaced by https://gerrit.wikimedia.org/r/c/operations/puppet/+/1254295

https://gerrit.wikimedia.org/r/1251208

gerritbot added a comment.Tue, Mar 17, 7:47 PM

Change #1254307 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] contint/jenkins: make the jenkins host name configurable

https://gerrit.wikimedia.org/r/1254307

gerritbot added a comment.Tue, Mar 17, 7:50 PM

Change #1254308 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] ci: switch jenkins proxy target to new discovery name

https://gerrit.wikimedia.org/r/1254308

gerritbot added a comment.Tue, Mar 17, 8:56 PM

Change #1254307 merged by Dzahn:

[operations/puppet@production] contint/jenkins: make the jenkins host name configurable

https://gerrit.wikimedia.org/r/1254307

gerritbot added a comment.Thu, Mar 19, 12:20 AM

Change #1251205 merged by Dzahn:

[operations/puppet@production] jenkins: add envoy and config for jenkins.discovery.wmnet

https://gerrit.wikimedia.org/r/1251205

gerritbot added a comment.Thu, Mar 19, 12:25 AM

Change #1254295 merged by Dzahn:

[operations/puppet@production] jenkins: define contint1003 as the manager_host for the jenkins role

https://gerrit.wikimedia.org/r/1254295

Dzahn updated the task description. (Show Details)Thu, Mar 19, 12:34 AM
Dzahn moved this task from Awaiting Input to Work in Progress on the collaboration-services board.
gerritbot added a comment.Thu, Mar 19, 12:54 AM

Change #1255136 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: allow rsyncing of data for migrating a jenkins server

https://gerrit.wikimedia.org/r/1255136

gerritbot added a comment.Thu, Mar 19, 1:00 AM

Change #1255144 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] ci::jenkins: add firewall rule to allow legacy machines to new jenkins

https://gerrit.wikimedia.org/r/1255144

gerritbot added a comment.Thu, Mar 19, 3:48 PM

Change #1255136 merged by Dzahn:

[operations/puppet@production] jenkins: allow rsyncing of data for migrating a jenkins server

https://gerrit.wikimedia.org/r/1255136

gerritbot added a comment.Thu, Mar 19, 4:48 PM

Change #1255144 merged by Dzahn:

[operations/puppet@production] ci::jenkins: add firewall rule to allow legacy machines to new jenkins

https://gerrit.wikimedia.org/r/1255144

gerritbot added a comment.Thu, Mar 19, 5:03 PM

Change #1255797 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: pass srange as an array to firewall::service

https://gerrit.wikimedia.org/r/1255797

gerritbot added a comment.Thu, Mar 19, 5:06 PM

Change #1255797 merged by Dzahn:

[operations/puppet@production] jenkins: pass srange as an array to firewall::service

https://gerrit.wikimedia.org/r/1255797

Dzahn updated the task description. (Show Details)Thu, Mar 19, 5:19 PM
Dzahn updated the task description. (Show Details)Thu, Mar 19, 6:20 PM
gerritbot added a comment.Fri, Mar 20, 6:45 PM

Change #1256485 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] ci::jenkins: add dependency of jenkins service on firewall

https://gerrit.wikimedia.org/r/1256485

gerritbot added a comment.Fri, Mar 20, 6:49 PM

Change #1256485 merged by Dzahn:

[operations/puppet@production] ci::jenkins: add dependency of jenkins service on firewall

https://gerrit.wikimedia.org/r/1256485

gerritbot added a comment.Fri, Mar 20, 7:50 PM

Change #1256508 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: ensure /srv/jenkins/builds exists

https://gerrit.wikimedia.org/r/1256508

gerritbot added a comment.Fri, Mar 20, 8:11 PM

Change #1255139 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: remove httpd profile from role

https://gerrit.wikimedia.org/r/1255139

gerritbot added a comment.Fri, Mar 20, 8:38 PM

Change #1255139 merged by Dzahn:

[operations/puppet@production] jenkins: remove httpd profile from role

https://gerrit.wikimedia.org/r/1255139

Dzahn updated the task description. (Show Details)Fri, Mar 20, 8:43 PM
Stashbot added a comment.Fri, Mar 20, 8:45 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-20T20:45:08Z] <mutante> contint1003/2003 apt remove --purge apache2* ; apt remove --purge php* | T418521

gerritbot added a comment.Fri, Mar 20, 9:01 PM

Change #1256508 merged by Dzahn:

[operations/puppet@production] jenkins: ensure /srv/jenkins/builds exists

https://gerrit.wikimedia.org/r/1256508

Dzahn updated the task description. (Show Details)Sat, Mar 21, 12:26 AM
    contint1002 (Manager)                                      contint1003 (New)
    [ Debian 11 Bullseye ]                                     [ Debian 13 Trixie ]
+---------------------------+                              +---------------------------+

|                           |                              |                           |
|  [ Zuul Manager ] --------|== jenkins.discovery.wmnet:1443 (HTTPS) ==> [ FIREWALL ]  |
|         |                 |                              |                |          |
|         v                 |                              |                v          |
|  [ Envoy (1443) ]         |                              |         [ Envoy (1443) ]  |
|         |                 |                              |                |          |
|         v                 |                              |                v          |
|  [ Apache (80) ]          |                              |         [ Jenkins (8080)] |
|         |                 |                              |            (Java 21)      |
|         v                 |                              +---------------------------+
|  [ Jenkins (8080) ]       |
|      (Java 17)            |
+---------------------------+
gerritbot added a comment.Sat, Mar 21, 12:52 AM

Change #1256614 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: include firewall and set provider for new role

https://gerrit.wikimedia.org/r/1256614

gerritbot added a comment.Sat, Mar 21, 12:54 AM

Change #1256614 merged by Dzahn:

[operations/puppet@production] jenkins: include firewall and set provider for new role

https://gerrit.wikimedia.org/r/1256614

gerritbot added a comment.Sat, Mar 21, 1:05 AM

Change #1256642 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: let envoy listen on IPv6

https://gerrit.wikimedia.org/r/1256642

gerritbot added a comment.Sat, Mar 21, 1:09 AM

Change #1256642 merged by Dzahn:

[operations/puppet@production] jenkins: let envoy listen on IPv6

https://gerrit.wikimedia.org/r/1256642

Dzahn added subscribers: LSobanski, Muehlenhoff.EditedSat, Mar 21, 1:44 AM

@thcipriani @hashar @LSobanski @Muehlenhoff

This is resolved.

We now have 2 new machines, contint1003 and contint2003, with:

  • Debian trixie
  • Java 21
  • envoy
  • Jenkins

using the new puppet role::jenkins which sets up envoy and jenkins.

We removed the Apache httpd proxy between them.

The name jenkins.discovery.wmnet has been created and envoy listens there on port 1443 and proxies to jenkins on 8080.

Only legacy contint machines are allowed to connect to it.

We are using nftables as firewall and it also works via IPv6 since envoy now listens on it.

A couple puppet issues have been fixed.

rsyncing the /var/lib/jenkins data is possible via the rsync::quickdatacopy class which sets up rsyncd and the firewall rules for it plus the file /usr/local/sbin/sync-var-lib-jenkins-contint with the actual sync command.

Automatic syncing is disabled.

The profile::ci::manager_host (active contint machine) is set to legacy contint1002 for role::ci and to contint1003 for role::jenkins.

This is what decides if jenkins runs or is masked. Therefore we have exactly one old and one new jenkins with jenkins masked on both codfw machines.

[contint1002:~] $ telnet -6 jenkins.discovery.wmnet 1443
Trying 2620:0:861:2:208:80:154:137...
Connected to contint1003.wikimedia.org.
Escape character is '^]'.

Screenshot at 2026-03-20 18-27-27.png (588×1 px, 48 KB)

On first start jenkins wants to go through the initial admin setup. I have done this twice.

Once with the default plugins and now another time after syncing data. This makes it "preselect" the plugins we have installed in prod, but let's double check that together.

The current password is /var/lib/jenkins/secrets/initialAdminPassword.

The setup process can be restarted by deleting the contents of /var/lib/jenkins and restarting the service.

After syncing data I deleted the contents of /var/lib/jenkins/jobs so that it does not start doing anything on existing jobs.

To configure it, use a ssh tunnel:

ssh -D 8080 contint1002.wikimedia.org

configure browser to use SOCKS5 proxy on localhost:8080

open https://jenkins.discovery.wmnet:1443/ci/ in your browser  (accept warning)

(The need to add /ci/ is because we used that in apache config on the legacy servers.)

Dzahn closed this task as Resolved.Sat, Mar 21, 1:45 AM
Dzahn updated the task description. (Show Details)Sat, Mar 21, 1:50 AM
Dzahn added a comment.Sat, Mar 21, 2:12 AM

The switch to the new server (planned for Monday): https://gerrit.wikimedia.org/r/c/operations/puppet/+/1254308

ABran-WMF added a subtask: T420914: SystemdUnitFailed - wmf_auto_restart_apache2.service on contint2003:9100.Mon, Mar 23, 12:46 PM
ABran-WMF changed the status of subtask T420914: SystemdUnitFailed - wmf_auto_restart_apache2.service on contint2003:9100 from Open to In Progress.
ABran-WMF mentioned this in T420914: SystemdUnitFailed - wmf_auto_restart_apache2.service on contint2003:9100.Mon, Mar 23, 12:48 PM
ABran-WMF closed subtask T420914: SystemdUnitFailed - wmf_auto_restart_apache2.service on contint2003:9100 as Resolved.Mon, Mar 23, 12:56 PM
gerritbot added a comment.Wed, Mar 25, 9:27 PM

Change #1260816 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: include docker, add comments

https://gerrit.wikimedia.org/r/1260816

gerritbot added a comment.Fri, Apr 3, 4:54 PM

Change #1260816 abandoned by Dzahn:

[operations/puppet@production] jenkins: include docker, add comments

Reason:

replaced by https://gerrit.wikimedia.org/r/c/operations/puppet/+/1267173

https://gerrit.wikimedia.org/r/1260816

gerritbot added a comment.Fri, Apr 3, 4:55 PM

Change #1267173 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: add profile::ci::docker to role

https://gerrit.wikimedia.org/r/1267173

gerritbot added a comment.Fri, Apr 3, 6:07 PM

Change #1267173 merged by Dzahn:

[operations/puppet@production] jenkins: add profile::ci::docker to role

https://gerrit.wikimedia.org/r/1267173

Dzahn added a comment.Fri, Apr 3, 6:11 PM

after https://gerrit.wikimedia.org/r/c/operations/puppet/+/1267173 the new contint1003/2003 hosts have docker(.io) installed now.

gerritbot added a comment.Mon, Apr 6, 5:53 PM

Change #1268258 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] jenkins: switch firewall provider to ferm

https://gerrit.wikimedia.org/r/1268258

gerritbot added a comment.Mon, Apr 6, 5:57 PM

Change #1268258 merged by Dzahn:

[operations/puppet@production] jenkins: switch firewall provider to ferm

https://gerrit.wikimedia.org/r/1268258

gerritbot added a comment.Mon, Apr 6, 6:19 PM

Change #1268262 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] ci::docker: also install docker-cli when installing docker.io

https://gerrit.wikimedia.org/r/1268262

gerritbot added a comment.Mon, Apr 6, 6:23 PM

Change #1268262 merged by Dzahn:

[operations/puppet@production] ci::docker: also install docker-cli when installing docker.io

https://gerrit.wikimedia.org/r/1268262

jnuche subscribed.Fri, Apr 10, 8:34 AM

@Dzahn Would it make sense to wait until @hashar is back from his vacation before we do the switch? He's the only one who really knows the Jenkins contint setup

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits