ArielGlenn has submitted this change and it was merged.
Change subject: beta: properly connect to parsoid instance
......................................................................
beta: properly connect to parsoid instance
The wmf-beta-autoupdate.py script runs as the mwdeploy user. Thus the
ssh commands to the parsoid instance would fail because that user does
not have any ssh credential to connect there (jenkins-deploy has).
This patch introduce a new tiny shell wrapper to let us execute the
parsoid init script on deployment-parsoid2. It must be run as the
mwdeploy user (like wmf-beta-autoupdate.py) and will sudo as
jenkins-deploy to have the proper credentials.
A new sudo policy is added to let mwdeploy execute the shell wrapper as
jenkins-deploy.
bug: 57233
Change-Id: I0fa1beba0f7e91b0999d6820b20a7569eb735087
---
M files/misc/beta/wmf-beta-autoupdate.py
A files/misc/beta/wmf-beta-parsoid-remote.sh
M manifests/misc/beta.pp
3 files changed, 40 insertions(+), 12 deletions(-)
Approvals:
ArielGlenn: Looks good to me, approved
jenkins-bot: Verified
diff --git a/files/misc/beta/wmf-beta-autoupdate.py
b/files/misc/beta/wmf-beta-autoupdate.py
index 9acaf8c..d31ed09 100755
--- a/files/misc/beta/wmf-beta-autoupdate.py
+++ b/files/misc/beta/wmf-beta-autoupdate.py
@@ -20,9 +20,6 @@
PATH_MWCORE = '/home/wikipedia/common/php-master'
PATH_MWEXT = '/home/wikipedia/common/php-master/extensions'
-# Beta cluster instance used to run Parsoid daemon
-PARSOID_INSTANCE = 'deployment-parsoid2.pmtpa.wmflabs'
-
def main():
"""
@@ -147,14 +144,11 @@
def restart_parsoid():
"""Restart parsoid daemon via ssh"""
logger = logging.getLogger(__name__)
- logger.info("restarting parsoid on %s", PARSOID_INSTANCE)
+ logger.info("restarting parsoid")
- parsoid_restart_cmd = [
- 'ssh', PARSOID_INSTANCE,
- 'sudo -u root /etc/init.d/parsoid restart']
- logger.info("Executing %s", parsoid_restart_cmd)
+ parsoid_init_cmd = '/usr/local/bin/wmf-beta-parsoid-remote.sh'
try:
- cmd = subprocess.Popen(args=parsoid_restart_cmd)
+ cmd = subprocess.Popen(args=[parsoid_init_cmd, 'restart'])
except OSError, exception:
logger.error(exception)
return False
@@ -164,9 +158,7 @@
logger.info('Checking parsoid is running...')
try:
- cmd = subprocess.Popen([
- 'ssh', PARSOID_INSTANCE,
- '/etc/init.d/parsoid', 'status'])
+ cmd = subprocess.Popen(args=[parsoid_init_cmd, 'status'])
status_exit_code = cmd.wait()
except OSError, exception:
logger.error(exception)
diff --git a/files/misc/beta/wmf-beta-parsoid-remote.sh
b/files/misc/beta/wmf-beta-parsoid-remote.sh
new file mode 100755
index 0000000..921510c
--- /dev/null
+++ b/files/misc/beta/wmf-beta-parsoid-remote.sh
@@ -0,0 +1,21 @@
+#!/bin/bash -x
+#######################################################################
+# WARNING: this file is managed by Puppet
+# puppet:///files/misc/beta/wmf-beta-parsoid-restart.sh
+#######################################################################
+
+if [ "$USER" != 'mwdeploy' ]
+then
+ echo "Script MUST be run as mwdeploy user"
+ echo "Additionally the user needs sudo right for ssh as jenkins-deploy"
+ exit 1
+fi
+
+PARSOID_INSTANCE="deployment-parsoid2.pmtpa.wmflabs"
+
+# The beta autoupdater runs as mwdeploy. We need jenkins-deploy ssh credentials
+# to be able to connect to the parsoid instance. On there, we restart Parsoid
+# as root.
+sudo -H -u jenkins-deploy \
+ ssh $PARSOID_INSTANCE \
+ sudo -u root /etc/init.d/parsoid $1
diff --git a/manifests/misc/beta.pp b/manifests/misc/beta.pp
index 041850b..6e2af18 100644
--- a/manifests/misc/beta.pp
+++ b/manifests/misc/beta.pp
@@ -26,6 +26,16 @@
ensure => absent;
}
+ $beta_parsoid_remote_script =
'/usr/local/bin/wmf-beta-parsoid-remote.sh'
+
+ file { $beta_parsoid_remote_script:
+ ensure => present,
+ source =>
'puppet:///files/misc/beta/wmf-beta-parsoid-remote.sh',
+ owner => root,
+ group => root,
+ mode => 0555,
+ }
+
# Make sure wmf-beta-autoupdate can run the l10n updater as l10nupdate
sudo_user { "mwdeploy" : privileges => [
'ALL = (l10nupdate) NOPASSWD:/usr/local/bin/mw-update-l10n',
@@ -36,6 +46,11 @@
# it tries to identify as mwdeploy.
'ALL = (mwdeploy) NOPASSWD: ALL',
+ # The Parsoid restart script needs jenkins-deploy ssh
credentials
+ # to connect to the beta parsoid instance
+ "ALL = (jenkins-deploy) NOPASSD: $beta_parsoid_remote_script
restart",
+ "ALL = (jenkins-deploy) NOPASSD: $beta_parsoid_remote_script
status",
+
# mergeMessageFileList.php is run by mw-update-l10n as the
apache user
# since https://gerrit.wikimedia.org/r/#/c/44548/
# Let it runs mwscript and others as apache user.
--
To view, visit https://gerrit.wikimedia.org/r/99659
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I0fa1beba0f7e91b0999d6820b20a7569eb735087
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <[email protected]>
Gerrit-Reviewer: ArielGlenn <[email protected]>
Gerrit-Reviewer: Hashar <[email protected]>
Gerrit-Reviewer: jenkins-bot
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
