User Details
- User Since
- Jan 7 2019, 1:06 PM (175 w, 3 d)
- Availability
- Available
- IRC Nick
- jbond
- LDAP User
- Jbond
- MediaWiki User
- JBond (WMF)
Today
Confirmed that the additional_groups parameter is not compatible with groups managed by the admin module. This is because the admin module uses an exec to check on group permissions. It doesn't know about the groups managed by the systemd::user (or user) type and thus removes them. Then the systemd::sysuser/user resources add them back, causing a puppet change on every run.
Yesterday
There is already a group named sre-admins (used for SREs without root), which gives the same SSO access to web services as the ops group, but doesn't have +2 on the operations repos. We could either use this group or copy it. To avoid confusion I would vote to create a new group but use sre-admins as a reference when assigning permissions in the puppet repo.
Not directly because of the datacenter-ops group, but you get it from the LDAP ops group and John is in that group. So that should work.
For me the access to puppet-merge and +2 on the puppet repo needs more information as to what tasks need to be performed. As mentioned, the combination of these two privileges allows one the same amount of control as global root.
Wed, May 18
It's probably more related to load order, so a slightly different issue on production, but I think that the same fix will solve both. However, feel free to assign the task to me once WMCS is happy and I can double check production :)
production host
This issue is also affecting production reimages, see P27926
@BTullis thanks, and yes I agree any new migrations should go directly to pki.discovery.wmnet. Happy to help
Mon, May 16
This was approved; I will create the CR tomorrow
This is working now. I had to fix up the API redirect in "[LOCAL HACK] Attempt to secure Puppet DB better" on the deployment prep puppetmaster. Please reopen if there are still issues
Fri, May 13
We have now disabled sending and accepting LANG and LC environment variables in production, closing.
Thu, May 12
Wed, May 11
$ git log [11:24:20]
commit 542f2c5b55fd7a6035f0aff2d0896fb0dd89c6b4 (HEAD, tag: v3.0.12-wmf)
Author: John Bond <github@johnbond.org>
Date: Thu Jun 3 21:16:42 2021 +0200
Tue, May 10
Mon, May 9
My reading of https://seclists.org/oss-sec/2017/q4/324 suggests that if a BDAT command is issued after the MAIL or RCPT command then exim will respond with this error message. Looking at the log line above we see the commands issued were C=EHLO,STARTTLS,EHLO,MAIL,RCPT,BDAT,RSET,NOOP,MAIL,RCPT,BDAT, i.e. we do see a BDAT after RCPT,
demonstrating that we support chunking.
I have looked in our logs and the following is an example of what we see on our side.
@jhathaway I wonder if anything may have changed recently.
Also see
Fri, May 6
Further to this, on the passive node we get an error on every puppet run due to the following:
We have had a response from legal which states that it is fine to licence all *@wikimedia.org contributions under the Apache licence. As such I think we can start to do this with some modules that we know have been developed completely internally, e.g. apereo_cas (which was almost exclusively developed by myself). In order to move a module to this new licence model I propose that we update modules to:
- add an SPDX licence header to each file in the module
- add the Apache licence file to the root of the module
- create an SPDX file in the module directory root
I'll create a change to convert apereo_cas to demonstrate and critique the list above.
Wed, May 4
The puppetdb package is not currently available in bullseye.
Tue, May 3
This is likely related to https://wikitech.wikimedia.org/wiki/Performance/Graphite/Synthetic_Instance
As for the puppet-merge on the puppetmasters, does datacenter-ops have +2 on the operations/puppet repository on Gerrit?
To be explicit, +2 on Gerrit and sudo puppet-merge allows one to promote themselves to global root, which seems undesirable. What exactly is puppet-merge access required for? Perhaps we can work on migrating this functionality elsewhere?
Thu, Apr 28
Wed, Apr 27
I think the best option is to use OIDC, however that comes with a couple of caveats.
- We don't currently have OIDC support enabled in CAS, so there could be some teething issues enabling this for the first services
- We are currently planning to upgrade CAS and would want to have that bed in before adding OIDC support (we hope to have idp-test working within ~2 weeks)
Tue, Apr 26
This shouldn't be required as we already have code to install ssacli based on the value of the raid fact. We should revert all the changes here and investigate why machines don't have the correct fact value. What machine were you seeing issues on?
The following also seems to work, however the functionality is not documented on the puppetdb API pages so it may not always work.
use cumin to ask "what is the kernel version of all machines owned by $subteam" or "which hosts owned by $subteam are still on buster"
As we pass this value as a parameter to profile::contacts we can already use cumin to perform these searches, e.g.
As per an offline conversation with @Volans, newer versions of netbox allow us to perform custom data validations, as such I'm going to set this ticket to stalled until we upgrade netbox to at least version 3.0
I'm not sure I understand this response. The value entered which caused an error was ns-recursor0.openstack.codfw1dev.wikimediacloud.org. instead of ns-recursor0.openstack.codfw1dev.wikimediacloud.org; both are valid FQDNs and strictly speaking the one with the terminating period is the more correct form.
Mon, Apr 25
Indeed it seems that the data is no longer in gsuite. I'll take a new look at https://gerrit.wikimedia.org/r/c/operations/puppet/+/761029
Mar 25 2022
Moritz suggested we should just add all software we maintain, so I'll create a CR to do that.
I'm not too familiar with code search so not sure what does and doesn't make sense, but tagging a few project owners:
@Joe pcc
@Volans anything extra you can think of e.g. cumin, debmonitor, debdeploy, homer
@CDanis klaxon, statograph?
@ssingh censorship monitoring?
@RLazarus httpbb?
@JMeybohm cfssl-issuer?
@TheDJ Access has been granted, you should be able to access the requested resources now. Please let me know if you have any issues.
Mar 24 2022
This has been completed.
Mar 23 2022
Either of these should work, ping me if you need a hand.
@Sgs access has now been set up, you should have received an email indicating how to configure kerberos. Please re-open if you are still having issues.