Ori.livneh has uploaded a new change for review. https://gerrit.wikimedia.org/r/136129
Change subject: dissolve mediawiki::pybal_check into mediawiki::users ...................................................................... dissolve mediawiki::pybal_check into mediawiki::users mediawiki::pybal_check sets up the user account and SSH key used by PyBal for its SSH-based server health check. Strictly speaking, it is only required on the web appservers that are behind LVS. By moving it to mediawiki::users, it will be applied on all app servers. I think this is a boon: simplicity / uniformity is desirable in this case. Change-Id: I05c3830fd0d8270bc8ef5356c5816be4b32647a8 --- M manifests/role/mediawiki.pp D modules/mediawiki/manifests/pybal_check.pp M modules/mediawiki/manifests/users.pp 3 files changed, 32 insertions(+), 29 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/29/136129/1 diff --git a/manifests/role/mediawiki.pp b/manifests/role/mediawiki.pp index c7ca75f..6aacc3c 100644 --- a/manifests/role/mediawiki.pp +++ b/manifests/role/mediawiki.pp @@ -87,7 +87,6 @@ # This class installs everything necessary for an apache webserver class webserver($maxclients="40") { include ::mediawiki, - ::mediawiki::pybal_check, role::mediawiki::common class { '::mediawiki::web': diff --git a/modules/mediawiki/manifests/pybal_check.pp b/modules/mediawiki/manifests/pybal_check.pp deleted file mode 100644 index 8c47ee0..0000000 --- a/modules/mediawiki/manifests/pybal_check.pp +++ /dev/null @@ -1,28 +0,0 @@ -class mediawiki::pybal_check { - group { 'pybal-check': - ensure => present, - } - - user { 'pybal-check': - ensure => present, - gid => 'pybal-check', - shell => '/bin/sh', - home => '/var/lib/pybal-check', - system => true, - managehome => true, - } - - file { '/var/lib/pybal-check/.ssh': - ensure => directory, - owner => 'pybal-check', - group => 'pybal-check', - mode => '0550', - } - - file { '/var/lib/pybal-check/.ssh/authorized_keys': - owner => 'pybal-check', - group => 'pybal-check', - mode => '0440', - source => 'puppet:///modules/mediawiki/pybal_key', - } -} diff --git a/modules/mediawiki/manifests/users.pp b/modules/mediawiki/manifests/users.pp index c33ccfb..7d920f1 100644 --- a/modules/mediawiki/manifests/users.pp +++ b/modules/mediawiki/manifests/users.pp @@ -26,6 +26,7 @@ managehome => false, } + # The mwdeploy account is used by various scripts in the MediaWiki # deployment process to run rsync. @@ -88,4 +89,35 @@ require => User['l10nupdate', 'mwdeploy'], privileges => ['ALL = (mwdeploy) NOPASSWD: ALL'], } + + + # The pybal-check account is used by PyBal to monitor server health + # See <https://wikitech.wikimedia.org/wiki/LVS#SSH_checking> + + group { 'pybal-check': + ensure => present, + } + + user { 'pybal-check': + ensure => present, + gid => 'pybal-check', + shell => '/bin/sh', + home => '/var/lib/pybal-check', + system => true, + managehome => true, + } + + file { '/var/lib/pybal-check/.ssh': + ensure => directory, + owner => 'pybal-check', + group => 'pybal-check', + mode => '0550', + } + + file { '/var/lib/pybal-check/.ssh/authorized_keys': + owner => 'pybal-check', + group => 'pybal-check', + mode => '0440', + source => 'puppet:///modules/mediawiki/pybal_key', + } } -- To view, visit https://gerrit.wikimedia.org/r/136129 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I05c3830fd0d8270bc8ef5356c5816be4b32647a8 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ori.livneh <o...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits