BryanDavis has uploaded a new change for review. https://gerrit.wikimedia.org/r/255916
Change subject: l10nupdate: replace ssh key with new scap script
......................................................................

l10nupdate: replace ssh key with new scap script

Change l10nupdate-1 to call the new scap sync-l10n script. This change requires granting l10nupdate sudoer rights to call sync-l10n as the mwdeploy user. That user has access to scap's shared ssh-agent and makes the need for a specially provisioned ssh key for the l10nupdate user obsolete. The sync-l10n script from scap is the equivalent of the prior sync-dir + scap-rebuild-cdbs actions. Once this is merged the ssh/tin/l10nupdate/id_rsa and ssh/tin/l10nupdate/id_rsa.pub files can be removed from the private Puppet repo. It also removes one of the few remaining dsh uses on the production cluster. Requires sync-l10n support in scap. See https://phabricator.wikimedia.org/D65

Bug: T119746
Change-Id: Iaae908bd58b3452a2ab7614b842d1eef24e6618f
---
M modules/scap/files/l10nupdate-1
M modules/scap/manifests/l10nupdate.pp
2 files changed, 16 insertions(+), 27 deletions(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/16/255916/1

diff --git a/modules/scap/files/l10nupdate-1 b/modules/scap/files/l10nupdate-1
index 8e2ccfd..6c750b8 100755
--- a/modules/scap/files/l10nupdate-1
+++ b/modules/scap/files/l10nupdate-1
@@ -102,23 +102,12 @@
 refreshCdbJsonFiles --directory="$MEDIAWIKI_STAGING_DIR/php-$mwVerNum/cache/l10n"
 echo "Syncing to Apaches at `date --rfc-3339=seconds`"
- SYNC_START=$(date +%s)
- # FIXME: This should use the keyholder proxy so we can kill the
- # l10nupdate private key.
- NOLOGMSG=1 $BINDIR/sudo-withagent l10nupdate $SCAPDIR/sync-dir --no-shared-authsock -D ssh_user:l10nupdate "php-$mwVerNum/cache/l10n" "l10nupdate for $mwVerNum"
+ sudo -u mwdeploy -n -- $SCAPDIR/sync-l10n --verbose $mwVerNum
 if [[ $? -ne 0 ]]; then
- $BINDIR/dologmsg "!log $LOGNAME@$HOSTNAME LocalisationUpdate failed: Failed to sync-dir 'php-$mwVerNum/cache/l10n'"
- echo "Failed to sync-dir 'php-$mwVerNum/cache/l10n'"
+ echo "Failed to sync-l10n '$mwVerNum'"
 exit 1
 fi
-
- # TODO: Add parameter to scap-rebuild-cdbs to only build 1 version of MW
- dsh -g mediawiki-installation -M -F 40 -- "sudo -u mwdeploy $SCAPDIR/scap-rebuild-cdbs"
- SYNC_END=$(date +%s)
-
- $BINDIR/dologmsg "!log $LOGNAME@$HOSTNAME LocalisationUpdate completed ($mwVerNum) at `date --rfc-3339=seconds`"
 echo "All done at `date --rfc-3339=seconds`"
- $BINDIR/deploy2graphite l10nupdate-sync $((SYNC_END-SYNC_START))
 else
 $BINDIR/dologmsg "!log $LOGNAME@$HOSTNAME LocalisationUpdate failed ($mwVerNum) at `date --rfc-3339=seconds`"
 echo "FAILED"
diff --git a/modules/scap/manifests/l10nupdate.pp b/modules/scap/manifests/l10nupdate.pp
index 7a3881c..17df811 100644
--- a/modules/scap/manifests/l10nupdate.pp
+++ b/modules/scap/manifests/l10nupdate.pp
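Review bot: The sync failure branch no longer announces itself — the removed `$BINDIR/dologmsg "!log ... Failed to sync-dir ..."` has no replacement next to the new `echo "Failed to sync-l10n '$mwVerNum'"`, so a failed sync is visible only on stdout and in the exit status unless sync-l10n logs on its own, which this diff cannot show; the same goes for the dropped "completed" log and the deploy2graphite timing. If scap's logging is meant to cover these, a comment at the call site would settle it: `# sync-l10n announces start/finish and failures itself; no dologmsg/graphite here`. The new `sudo -u mwdeploy -n -- $SCAPDIR/sync-l10n` only passes the sudoers rule if `$SCAPDIR/sync-l10n` expands to exactly `/srv/deployment/scap/scap/bin/sync-l10n`; with `-n`, any mismatch fails immediately as a denied command, so that dependency deserves a comment, and quoting `"$SCAPDIR/sync-l10n"` and `"$mwVerNum"` keeps unexpected whitespace from splitting into extra arguments. The enclosing if/else continues outside the hunk.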
@@ -39,24 +39,24 @@
 source => 'puppet:///modules/scap/l10nupdate-1',
 }
- # add ssh keypair for l10nupdate user from fenari for T82575
- file { '/home/l10nupdate/.ssh':
- ensure => 'directory',
- owner => 'root',
- group => 'root',
- mode => '0755',
+ # Allow l10nupdate user to call sync-l10n as the mwdeploy user.
+ # This command is equivalent to a restricted sync-dir call that only syncs
+ # l10n cache files followed by a scap-rebuild-cdbs call.
+ sudo::user { 'l10nupdate-sync':
+ user => 'l10nupdate',
+ privileges => [
+ 'ALL = (mwdeploy) NOPASSWD: /srv/deployment/scap/scap/bin/sync-l10n',
+ ]
 }
+
+ # l10nupdate's ssh key is no longer needed due to the introduction of the
+ # sync-l10n scap script.
+ # TODO: remove after ssh key is removed from all hosts
 file { '/home/l10nupdate/.ssh/id_rsa':
- owner => 'l10nupdate',
- group => 'l10nupdate',
- mode => '0400',
- content => secret('ssh/tin/l10nupdate/id_rsa'),
+ ensure => 'absent',
 }
 file { '/home/l10nupdate/.ssh/id_rsa.pub':
- owner => 'l10nupdate',
- group => 'l10nupdate',
- mode => '0444',
- content => secret('ssh/tin/l10nupdate/id_rsa.pub'),
+ ensure => 'absent',
 }
 # Make sure the log directory exists and has adequate permissions.
--
To view, visit https://gerrit.wikimedia.org/r/255916
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iaae908bd58b3452a2ab7614b842d1eef24e6618f
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
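Review bot: The new sudoers entry `'ALL = (mwdeploy) NOPASSWD: /srv/deployment/scap/scap/bin/sync-l10n'` carries no argument restriction, so l10nupdate may run sync-l10n with any option it accepts, not only the `--verbose <version>` form the script uses; sudoers argument patterns are fragile, so rather than adding one, the assumption should be written down next to the rule, e.g. `# No argument restriction: sync-l10n must not grow options that reach beyond the l10n cache sync.` The comment above `sudo::user` describes what sync-l10n does but not that the rule depends on the script living at that exact path, which is worth one more sentence. The `file { '/home/l10nupdate/.ssh' }` resource is removed outright while its two children are set to `ensure => 'absent'`, which leaves the directory itself unmanaged; if that is intentional, the TODO should say so, and since the matching authorized_keys entries on the target hosts are presumably managed elsewhere, naming where would make the TODO actionable. The enclosing class starts and ends outside the hunk.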