Hashar has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/99659


Change subject: beta: properly connect to parsoid instance
......................................................................

beta: properly connect to parsoid instance

The wmf-beta-autoupdate.py script runs as the mwdeploy user. Thus the
ssh commands to the parsoid instance would fail because that user does
not have any ssh credential to connect there (jenkins-deploy has).

This patch introduces a new tiny shell wrapper to let us execute the
parsoid init script on deployment-parsoid2. It must be run as the
mwdeploy user (like wmf-beta-autoupdate.py) and will sudo as
jenkins-deploy to have the proper credentials.

A new sudo policy is added to let mwdeploy execute the shell wrapper as
jenkins-deploy.

bug: 57233
Change-Id: I0fa1beba0f7e91b0999d6820b20a7569eb735087
---
M files/misc/beta/wmf-beta-autoupdate.py
A files/misc/beta/wmf-beta-parsoid-remote.sh
M manifests/misc/beta.pp
3 files changed, 39 insertions(+), 12 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/59/99659/1

diff --git a/files/misc/beta/wmf-beta-autoupdate.py 
b/files/misc/beta/wmf-beta-autoupdate.py
index 9acaf8c..d31ed09 100755
--- a/files/misc/beta/wmf-beta-autoupdate.py
+++ b/files/misc/beta/wmf-beta-autoupdate.py
@@ -20,9 +20,6 @@
 PATH_MWCORE = '/home/wikipedia/common/php-master'
 PATH_MWEXT = '/home/wikipedia/common/php-master/extensions'
 
-# Beta cluster instance used to run Parsoid daemon
-PARSOID_INSTANCE = 'deployment-parsoid2.pmtpa.wmflabs'
-
 
 def main():
     """
@@ -147,14 +144,11 @@
 def restart_parsoid():
     """Restart parsoid daemon via ssh"""
     logger = logging.getLogger(__name__)
-    logger.info("restarting parsoid on %s", PARSOID_INSTANCE)
+    logger.info("restarting parsoid")
 
-    parsoid_restart_cmd = [
-        'ssh', PARSOID_INSTANCE,
-        'sudo -u root /etc/init.d/parsoid restart']
-    logger.info("Executing %s", parsoid_restart_cmd)
+    parsoid_init_cmd = '/usr/local/bin/wmf-beta-parsoid-remote.sh'
     try:
-        cmd = subprocess.Popen(args=parsoid_restart_cmd)
+        cmd = subprocess.Popen(args=[parsoid_init_cmd, 'restart'])
     except OSError, exception:
         logger.error(exception)
         return False
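Review bot: in restart_parsoid() the log no longer records what is executed, because the host was dropped from the "restarting parsoid" message and the "Executing %s" line was removed. Log parsoid_init_cmd and the action just before the Popen call so a failed restart can be traced from the autoupdate log. The wrapper path is also hardcoded here and again in beta.pp, so the two can drift apart.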
@@ -164,9 +158,7 @@
     logger.info('Checking parsoid is running...')
 
     try:
-        cmd = subprocess.Popen([
-            'ssh', PARSOID_INSTANCE,
-            '/etc/init.d/parsoid', 'status'])
+        cmd = subprocess.Popen(args=[parsoid_init_cmd, 'status'])
         status_exit_code = cmd.wait()
     except OSError, exception:
         logger.error(exception)
diff --git a/files/misc/beta/wmf-beta-parsoid-remote.sh 
b/files/misc/beta/wmf-beta-parsoid-remote.sh
new file mode 100755
index 0000000..921510c
--- /dev/null
+++ b/files/misc/beta/wmf-beta-parsoid-remote.sh
@@ -0,0 +1,21 @@
+#!/bin/bash -x
+#######################################################################
+# WARNING: this file is managed by Puppet
+# puppet:///files/misc/beta/wmf-beta-parsoid-restart.sh
+#######################################################################
+
+if [ "$USER" != 'mwdeploy' ]
+then
+    echo "Script MUST be run as mwdeploy user"
+    echo "Additionally the user needs sudo right for ssh as jenkins-deploy"
+    exit 1
+fi
+
+PARSOID_INSTANCE="deployment-parsoid2.pmtpa.wmflabs"
+
+# The beta autoupdater runs as mwdeploy. We need jenkins-deploy ssh credentials
+# to be able to connect to the parsoid instance. On there, we restart Parsoid
+# as root.
+sudo -H -u jenkins-deploy \
+    ssh $PARSOID_INSTANCE \
+        sudo -u root /etc/init.d/parsoid $1
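Review bot: the final command passes $1 unquoted and unvalidated into a remote command line that runs under sudo -u root, so anything beyond a single init action is interpreted by the remote shell with root privileges. Add a case on "$1" that accepts only restart and status and exits non-zero otherwise, and quote "$PARSOID_INSTANCE". The $USER test relies on an environment variable the caller can set; $(id -un) reflects the real user. The header comment names wmf-beta-parsoid-restart.sh while the file is wmf-beta-parsoid-remote.sh, and the -x in the shebang looks like a debugging leftover that will trace every run into the caller's output.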
diff --git a/manifests/misc/beta.pp b/manifests/misc/beta.pp
index 5655583..ee38fe0 100644
--- a/manifests/misc/beta.pp
+++ b/manifests/misc/beta.pp
@@ -26,6 +26,15 @@
                        ensure => absent;
        }
 
+       $beta_parsoid_remote_script = 
'/usr/local/bin/wmf-beta-parsoid-remote.sh'
+
+       file { $beta_parsoid_remote_script:
+               ensure => present,
+               owner  => root,
+               group  => root,
+               mode   => 0555,
+       }
+
        # Make sure wmf-beta-autoupdate can run the l10n updater as l10nupdate
        sudo_user { "mwdeploy" : privileges => [
                'ALL = (l10nupdate) NOPASSWD:/usr/local/bin/mw-update-l10n',
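Review bot: the file resource for $beta_parsoid_remote_script declares neither source nor content, so Puppet only ensures that a file exists at that path and never installs the body of the new script. Add a source attribute pointing at files/misc/beta/wmf-beta-parsoid-remote.sh. Mode 0555 with root ownership is a good choice for a script referenced from sudoers, since the invoking user cannot modify it.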
@@ -36,6 +45,11 @@
                # it tries to identify as mwdeploy.
                'ALL = (mwdeploy) NOPASSWD: ALL',
 
+               # The Parsoid restart script needs jenkins-deploy ssh 
credentials
+               # to connect to the beta parsoid instance
+               "ALL = (jenkins-deploy) NOPASSD: $beta_parsoid_remote_script 
restart",
+               "ALL = (jenkins-deploy) NOPASSD: $beta_parsoid_remote_script 
status",
+
                # mergeMessageFileList.php is run by mw-update-l10n as the 
apache user
                # since https://gerrit.wikimedia.org/r/#/c/44548/
                # Let it runs mwscript and others as apache user.
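Review bot: both new entries spell the tag NOPASSD, while the neighbouring entries use NOPASSWD; NOPASSD is not a valid sudoers tag, so these rules will not work as written. The rules also do not match how the wrapper is used: they allow mwdeploy to run the wrapper as jenkins-deploy, but wmf-beta-autoupdate.py calls the wrapper directly, the wrapper requires $USER to be mwdeploy, and the command it hands to sudo is ssh, which no rule here covers. Either invoke the wrapper through sudo -u jenkins-deploy from the Python script and drop the inner sudo and the user check, or write the rule for the exact ssh command line. Listing restart and status as separate fixed arguments is the right shape, since it keeps the argument set closed.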

-- 
To view, visit https://gerrit.wikimedia.org/r/99659
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0fa1beba0f7e91b0999d6820b20a7569eb735087
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <has...@free.fr>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
