BryanDavis has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/255916

Change subject: l10nupdate: replace ssh key with new scap script
......................................................................

l10nupdate: replace ssh key with new scap script

Change l10nupdate-1 to call the new scap sync-l10n script. This change
requires granting l10nupdate sudoer rights to call sync-l10n as the
mwdeploy user. That user has access to scap's shared ssh-agent and makes
the need for a specially provisioned ssh key for the l10nupdate user
obsolete. The sync-l10n script from scap is the equivalent of the prior
sync-dir + scap-rebuild-cdbs actions.

Once this is merged the ssh/tin/l10nupdate/id_rsa and
ssh/tin/l10nupdate/id_rsa.pub files can be removed from the private
Puppet repo. It also removes one of the few remaining dsh uses on the
production cluster.

Requires sync-l10n support in scap. See
https://phabricator.wikimedia.org/D65

Bug: T119746
Change-Id: Iaae908bd58b3452a2ab7614b842d1eef24e6618f
---
M modules/scap/files/l10nupdate-1
M modules/scap/manifests/l10nupdate.pp
2 files changed, 16 insertions(+), 27 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/16/255916/1

diff --git a/modules/scap/files/l10nupdate-1 b/modules/scap/files/l10nupdate-1
index 8e2ccfd..6c750b8 100755
--- a/modules/scap/files/l10nupdate-1
+++ b/modules/scap/files/l10nupdate-1
@@ -102,23 +102,12 @@
                refreshCdbJsonFiles 
--directory="$MEDIAWIKI_STAGING_DIR/php-$mwVerNum/cache/l10n"
 
                echo "Syncing to Apaches at `date --rfc-3339=seconds`"
-               SYNC_START=$(date +%s)
-               # FIXME: This should use the keyholder proxy so we can kill the
-               # l10nupdate private key.
-               NOLOGMSG=1 $BINDIR/sudo-withagent l10nupdate $SCAPDIR/sync-dir 
--no-shared-authsock -D ssh_user:l10nupdate "php-$mwVerNum/cache/l10n" 
"l10nupdate for $mwVerNum"
+               sudo -u mwdeploy -n -- $SCAPDIR/sync-l10n --verbose $mwVerNum
                if [[ $? -ne 0 ]]; then
-                       $BINDIR/dologmsg "!log $LOGNAME@$HOSTNAME 
LocalisationUpdate failed: Failed to sync-dir 'php-$mwVerNum/cache/l10n'"
-                       echo "Failed to sync-dir 'php-$mwVerNum/cache/l10n'"
+                       echo "Failed to sync-l10n '$mwVerNum'"
                        exit 1
                fi
-
-               # TODO: Add parameter to scap-rebuild-cdbs to only build 1 
version of MW
-               dsh -g mediawiki-installation -M -F 40 -- "sudo -u mwdeploy 
$SCAPDIR/scap-rebuild-cdbs"
-               SYNC_END=$(date +%s)
-
-               $BINDIR/dologmsg "!log $LOGNAME@$HOSTNAME LocalisationUpdate 
completed ($mwVerNum) at `date --rfc-3339=seconds`"
                echo "All done at `date --rfc-3339=seconds`"
-               $BINDIR/deploy2graphite l10nupdate-sync $((SYNC_END-SYNC_START))
        else
                $BINDIR/dologmsg "!log $LOGNAME@$HOSTNAME LocalisationUpdate 
failed ($mwVerNum) at `date --rfc-3339=seconds`"
                echo "FAILED"
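Review bot: the new call `sudo -u mwdeploy -n -- $SCAPDIR/sync-l10n --verbose $mwVerNum` only works if `$SCAPDIR/sync-l10n` expands to exactly the path granted in the sudoers rule, because sudo matches the command on its full path; with `-n` any mismatch fails non-interactively and the script exits with "Failed to sync-l10n", so a comment next to the call tying it to the sudoers entry (or deriving both from one source) would help. Also, the failure branch now only echoes: the removed `$BINDIR/dologmsg "!log ... LocalisationUpdate failed: Failed to sync-dir ..."` has no replacement, while the outer `else` branch below still logs via dologmsg, so a failed sync is no longer recorded in the admin log but a failed rebuild is. The "completed" !log and the `deploy2graphite l10nupdate-sync` timing are dropped as well; if sync-l10n is expected to emit those itself, the commit message should say so, otherwise they should stay in this script.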
diff --git a/modules/scap/manifests/l10nupdate.pp 
b/modules/scap/manifests/l10nupdate.pp
index 7a3881c..17df811 100644
--- a/modules/scap/manifests/l10nupdate.pp
+++ b/modules/scap/manifests/l10nupdate.pp
@@ -39,24 +39,24 @@
         source => 'puppet:///modules/scap/l10nupdate-1',
     }
 
-    # add ssh keypair for l10nupdate user from fenari for T82575
-    file { '/home/l10nupdate/.ssh':
-        ensure => 'directory',
-        owner  => 'root',
-        group  => 'root',
-        mode   => '0755',
+    # Allow l10nupdate user to call sync-l10n as the mwdeploy user.
+    # This command is equivalent to a restricted sync-dir call that only syncs
+    # l10n cache files followed by a scap-rebuild-cdbs call.
+    sudo::user { 'l10nupdate-sync':
+        user => 'l10nupdate',
+        privileges => [
+            'ALL = (mwdeploy) NOPASSWD: 
/srv/deployment/scap/scap/bin/sync-l10n',
+        ]
     }
+
+    # l10nupdate's ssh key is no longer needed due to the introduction of the
+    # sync-l10n scap script.
+    # TODO: remove after ssh key is removed from all hosts
     file { '/home/l10nupdate/.ssh/id_rsa':
-        owner   => 'l10nupdate',
-        group   => 'l10nupdate',
-        mode    => '0400',
-        content => secret('ssh/tin/l10nupdate/id_rsa'),
+        ensure => 'absent',
     }
     file { '/home/l10nupdate/.ssh/id_rsa.pub':
-        owner   => 'l10nupdate',
-        group   => 'l10nupdate',
-        mode    => '0444',
-        content => secret('ssh/tin/l10nupdate/id_rsa.pub'),
+        ensure => 'absent',
     }
 
     # Make sure the log directory exists and has adequate permissions.
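Review bot: the sudoers rule `'ALL = (mwdeploy) NOPASSWD: /srv/deployment/scap/scap/bin/sync-l10n'` hardcodes an absolute path, while the script invokes `$SCAPDIR/sync-l10n`; the two must agree or sudo denies the command, so the coupling should be noted in the comment above the rule. The rule also lists no arguments, which in sudoers means any arguments are accepted: l10nupdate can run sync-l10n as mwdeploy with any flags, not only `--verbose <version>`, so the grant is wider than the comment's "restricted sync-dir call" suggests; if sync-l10n takes options that change what gets synced, consider constraining the argument pattern. Style: the arrows in the `sudo::user` resource are not aligned (`user =>` vs `privileges =>`), which puppet-lint flags, and the `privileges` attribute lacks the trailing comma that the neighbouring `file` resources use.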

-- 
To view, visit https://gerrit.wikimedia.org/r/255916
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iaae908bd58b3452a2ab7614b842d1eef24e6618f
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
