Page MenuHomePhabricator
Create Task
Maniphest T87848

Puppet failures on deployment-mx: can't find puppet://private/dkim/wikimedia.org-wiki-mail.key
Closed, InvalidPublic
Actions

Description

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: secret(): invalid secret dkim/wikimedia.org-wiki-mail.key at /etc/puppet/manifests/role/mail.pp:79 on node deployment-mx.deployment-prep.eqiad.wmflabs
Notice: Using cached catalog
Info: Applying configuration version '1438006858'
Error: /Stage[main]/Role::Labs::Instance/File[/usr/local/sbin/reboot-if-idmap]: Could not evaluate: Could not retrieve information from environment production source(s) puppet:///files/nfs/reboot-if-idmap
Error: /Stage[main]/Exim::Roled::Mail_relay/Exim4::Dkim[wikimedia.org]/File[/etc/exim4/dkim/wikimedia.org-wikimedia.key]: Could not evaluate: Could not retrieve information from environment production source(s) puppet:///private/dkim/wikimedia.org-wikimedia.key
Error: /Stage[main]/Exim::Roled/Exim4::Dkim[wiki-mail]/File[/etc/exim4/dkim/wikimedia.org-wiki-mail.key]: Could not evaluate: Could not retrieve information from environment production source(s) puppet:///private/dkim/wikimedia.org-wiki-mail.key
Notice: /Stage[main]/Exim4/Service[exim4]: Dependency File[/etc/exim4/dkim/wikimedia.org-wiki-mail.key] has failures: true
Notice: /Stage[main]/Exim4/Service[exim4]: Dependency File[/etc/exim4/dkim/wikimedia.org-wikimedia.key] has failures: true
Warning: /Stage[main]/Exim4/Service[exim4]: Skipping because of failed dependencies
Notice: /Stage[main]/Exim::Roled/File[/etc/exim4/defer_domains]: Dependency File[/etc/exim4/dkim/wikimedia.org-wiki-mail.key] has failures: true
Notice: /Stage[main]/Exim::Roled/File[/etc/exim4/defer_domains]: Dependency File[/etc/exim4/dkim/wikimedia.org-wikimedia.key] has failures: true
Warning: /Stage[main]/Exim::Roled/File[/etc/exim4/defer_domains]: Skipping because of failed dependencies
Notice: /Stage[main]/Exim::Roled/File[/etc/exim4/legacy_mailing_lists]: Dependency File[/etc/exim4/dkim/wikimedia.org-wiki-mail.key] has failures: true
Notice: /Stage[main]/Exim::Roled/File[/etc/exim4/legacy_mailing_lists]: Dependency File[/etc/exim4/dkim/wikimedia.org-wikimedia.key] has failures: true
Warning: /Stage[main]/Exim::Roled/File[/etc/exim4/legacy_mailing_lists]: Skipping because of failed dependencies
Notice: /Stage[main]/Exim::Roled/File[/etc/exim4/wikimedia_domains]: Dependency File[/etc/exim4/dkim/wikimedia.org-wiki-mail.key] has failures: true
Notice: /Stage[main]/Exim::Roled/File[/etc/exim4/wikimedia_domains]: Dependency File[/etc/exim4/dkim/wikimedia.org-wikimedia.key] has failures: true
Warning: /Stage[main]/Exim::Roled/File[/etc/exim4/wikimedia_domains]: Skipping because of failed dependencies
Notice: Finished catalog run in 15.34 seconds

Details

SubjectRepoBranchLines +/-
Add blank mx secretslabs/privatemaster+1 -0
Customize query in gerrit

Related Objects

Event Timeline

yuvipanda created this task.Jan 29 2015, 8:47 AM
yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description. (Show Details)
yuvipanda added projects: Beta-Cluster-Infrastructure, Puppet.
yuvipanda subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 29 2015, 8:47 AM
yuvipanda mentioned this in T86575: deployment-mx is its own puppetmaster.Jan 29 2015, 8:58 AM
greg triaged this task as Medium priority.Jan 29 2015, 5:32 PM
greg moved this task from To Triage to Next: Maintenance on the Beta-Cluster-Infrastructure board.
Liuxinyu970226 subscribed.Apr 15 2015, 3:14 AM
hashar renamed this task from Puppet failures on deployment-mx to Puppet failures on deployment-mx: can't find puppet://private/dkim/wikimedia.org-wiki-mail.key.Jun 8 2015, 9:08 AM
hashar set Security to None.
hashar added subscribers: hashar, 01tonythomas.Jun 8 2015, 9:13 AM

Puppet can't find puppet://private/dkim/wikimedia.org-wiki-mail.key . The instance has the puppet class role::mail::mx and I guess we need to add the private material on the puppetmaster.

On deployment-salt we have a clone of labs/private.git (which is public) under /var/lib/git/labs/private . There is already a local cherry pick there to provide deployment private keys.

scfc subscribed.Jun 8 2015, 6:38 PM

(Ah! *lightbulb* I never thought about local commits to labs/private. That's a very useful way to deploy "secrets" in Labs projects while keeping in line with the patterns used in production.)

mmodell merged a task: T106660: puppet fail on deployment-mx.Aug 3 2015, 7:20 PM
mmodell added subscribers: Luke081515, Matanya.
hashar updated the task description. (Show Details)Aug 24 2015, 10:32 AM

Still occurring. I have refreshed the puppet error output since we are now using secret().

Krenair subscribed.Sep 4 2015, 4:57 PM
gerritbot subscribed.Oct 11 2015, 5:04 PM

Change 245139 had a related patch set uploaded (by Alex Monk):
Add blank mx secrets

https://gerrit.wikimedia.org/r/245139

gerritbot added a project: Patch-For-Review.Oct 11 2015, 5:04 PM
gerritbot added a comment.Apr 9 2016, 4:47 PM

Change 245139 abandoned by Alex Monk:
Add blank mx secrets

Reason:
puppet is no longer failing on that host

https://gerrit.wikimedia.org/r/245139

Krenair closed this task as Invalid.Apr 9 2016, 4:48 PM

puppet is no longer failing on that host

Restricted Application removed a subscriber: Liuxinyu970226. · View Herald TranscriptApr 9 2016, 4:48 PM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits