[09:41:45] !log tools T221225 disable puppet agent in the bastions
[09:41:49] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[09:41:49] T221225: sssd integration needs to be updated to include sudo config from LDAP support - https://phabricator.wikimedia.org/T221225
[09:43:20] !log tools T221225 use `profile::ldap::client::labs::client_stack: sssd` in the puppet bastion prefix
[09:43:23] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[09:49:22] !log tools T221225 run puppet agent in the bastions and reboot them with sssd
[09:49:26] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[09:49:27] T221225: sssd integration needs to be updated to include sudo config from LDAP support - https://phabricator.wikimedia.org/T221225
[10:10:09] arturo: Are there any such changes like last time ? :)
[10:10:30] Eugene233: yes, is there anything not working for you?
[10:10:36] I still get "sudo: a password is required" when i type 'become
[10:10:45] sigh...
[10:10:57] the problem is that I can't properly reproduce the issue
[10:11:17] see https://phabricator.wikimedia.org/T221225#5129870
[10:12:09] what is your tool name Eugene233 ?
[10:12:31] arturo: eugene233
[10:12:52] the tool name I mean, not your username
[10:14:30] Eugene233: ?
[10:14:33] arturo: isa
[10:15:14] ok I can see the issue now
[10:15:16] https://www.irccloud.com/pastebin/hTqmj4LX/
[10:16:32] !log tools T221225 disable puppet in tools-sgebastion-08 for sssd testing
[10:16:34] ^^ could this be 'eugene233 is not in the sudoers file'
[10:16:36] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[10:16:36] T221225: sssd integration needs to be updated to include sudo config from LDAP support - https://phabricator.wikimedia.org/T221225
[10:17:24] Eugene233: ?
[10:18:15] arturo: Could it be because user 'eugene233' is not in the sudoers file?
[10:18:55] Eugene233: is likely because sssd is not properly configured to work with sudo in our environment
[10:19:30] let's do something: I will switch tools-sgebastion-07 back to nscd/nslcd and leave tools-sgebastion-08 with sssd so we can do testing
[10:19:47] arturo: ok nice
[10:20:04] Is it set up to handle the servicegroups OU?
[10:22:00] also, um:
[10:22:01] $ ssh login.tools.wmflabs.org
[10:22:01] krenair@login.tools.wmflabs.org: Permission denied (publickey,hostbased).
[10:22:41] that's tools-sgebastion-07
[10:23:08] yes, I'm switching back to nscd/nslcd and is in an inconsistent state right now
[10:26:24] actually forget the servicegroups OU, it should be this object which sssd should be picking up with that config... https://phabricator.wikimedia.org/P8428
[10:27:41] interesting that it appeared to pick up your tools.admin sudo abilities but not that
[10:27:50] !log tools T221225 rebooting tools-sgebastion-07 to clean sssd configuration
[10:27:54] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[10:27:55] T221225: sssd integration needs to be updated to include sudo config from LDAP support - https://phabricator.wikimedia.org/T221225
[10:28:02] !log tools T221225 use `profile::ldap::client::labs::client_stack: classic` in the puppet bastion prefix
[10:28:05] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[10:34:08] maybe it doesn't like the lack of sudoRunAsUser, maybe it doesn't like sudoUser being a group denoted by a percent sign
[10:34:16] sorry
[10:34:21] I mean maybe it doesn't like sudoRunAsUser*
[10:42:07] I'm currently trying to investigate what this means
[10:42:09] https://www.irccloud.com/pastebin/wP7zISdT/
[10:48:12] arturo, interesting, perhaps it fails to find the tools.isa group?
[10:49:40] That would explain it allowing you to sudo as root but failing to become the tools user from Eugene233
[10:49:50] I tried to log into tools-sgebastion-08 to take a look but that fails now instead :/
[10:50:11] oh it's back
[10:50:42] it finds the group for 'getent group tools.isa'...
[10:50:44] I'm live hacing tools-sgebastion-08
[10:50:50] live hacking*
[10:51:10] expect many changes in the sssd config and daemon restarts
[10:51:28] ok
[10:55:28] Krenair: do you know what `ou=servicegroups,dc=wikimedia,dc=org` is supposed to hold?
[10:56:42] a servicegroup is basically a tool
[10:57:11] it contains groups directly under the OU
[10:57:12] e.g.
[10:57:17] dn: cn=tools.isa,ou=servicegroups,dc=wikimedia,dc=org
[10:57:26] gidNumber: 54010
[10:57:26] cn: tools.isa
[10:57:26] member: uid=eugene233,ou=people,dc=wikimedia,dc=org
[10:57:27] etc.
[10:57:40] that is probably the missing bit in our sssd config
[10:57:50] well I thought that
[10:57:59] but then I went on sgebastion-08 and it found the group just fine
[10:58:50] there's also ou=people,ou=servicegroups,dc=wikimedia,dc=org which holds the tools users themselves, e.g.:
[10:58:52] dn: uid=tools.isa,ou=people,ou=servicegroups,dc=wikimedia,dc=org
[10:59:10] homeDirectory: /data/project/isa
[10:59:10] loginShell: /bin/bash
[10:59:18] uidNumber: 54010
[10:59:23] cn: tools.isa
[10:59:25] and so on
[11:00:42] 'Service Groups' is a historical, broader idea than a tool - they could exist in any project but I don't think they get used outside tools anymore
[11:03:34] anyway this is clearly a misconfiguration
[11:03:51] for some reason the sssd config is not world-readable
[11:04:20] Krenair: for some good reasons actually. sssd consider it to contain sensitive information
[11:04:30] and will refuse to start if the file is world-readable
[11:05:06] sssd has many many configuration options and our toolforge environment is not simple. Bad combination perhaps :-P
[11:05:07] * Krenair eyeroll
[11:05:35] I guess they assume our anonymous LDAP viewer password will be private?
[11:06:00] you can configure sssd in many ways, not only with LDAP, but with kerberos, etc
[11:06:09] you can check the template in puppet
[11:07:39] the template looks ok, not that I know anything about sssd
[11:08:24] maybe it needs ldap_group_search_base or something set
[11:09:32] thing is though I'd expect `getent group tools.isa` to fail if it can't find that group?
[11:17:23] * arturo nods
[11:20:10] hi there
[11:20:28] can somebody help me installing pywikibot in toolforge?
[11:27:50] Paucabot: try this https://wikitech.wikimedia.org/wiki/Help:Toolforge/Pywikibot
[11:28:52] Thanks Arturo
[11:28:58] I've tried to follow
[11:29:00] https://wikitech.wikimedia.org/wiki/Help:Toolforge/Pywikibot#Using_the_shared_Pywikibot_files_(recommended_setup)
[11:29:07] but I'm stuck
[11:29:25] (I'm a newbie)
[11:30:18] I don't get the same output at step six
[11:33:06] i must be going
[11:33:17] I'll be back later
[11:33:19] thanks
[11:33:28] Krenair: it turns out libsss-sudo wasn't installed
[11:33:43] installing it doesn't solve the issue though
[12:57:37] !log tools T221225 use `profile::ldap::client::labs::client_stack: sssd` in the puppet bastion prefix, try again with sssd in the bastions, reboot them
[12:57:41] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[12:57:41] T221225: sssd integration needs to be updated to include sudo config from LDAP support - https://phabricator.wikimedia.org/T221225
[13:06:00] !log tools T221225 use `profile::ldap::client::labs::client_stack: classic` in the puppet bastion prefix, again. Rollback again.
[13:06:05] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[13:06:05] T221225: sssd integration needs to be updated to include sudo config from LDAP support - https://phabricator.wikimedia.org/T221225
[14:30:12] !log mobile destroyed android-builder instance
[14:30:14] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Mobile/SAL
[14:32:03] !log wikifactmine rebooting elasticsearch-01, unreachable
[14:32:04] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Wikifactmine/SAL
[14:34:05] !log traffic rebooting all elasticsearch nodes as they are unreachable
[14:34:06] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Traffic/SAL
[14:34:43] !log wikifactmine rebooting all elasticsearch nodes as they are unreachable
[14:34:43] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Wikifactmine/SAL
[14:34:58] !log traffic ignore last log message — wrong project
[14:34:58] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Traffic/SAL
[14:44:04] !log mobile destroyed edit-counts instance
[14:44:07] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Mobile/SAL
[14:55:27] !log wikifactmine fixing ferm rules by hand on elasticsearch nodes. Ferm is installed but seems to not be puppetized :(
[14:55:38] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Wikifactmine/SAL
[14:58:46] hi, I get "sudo: a password is required" when I try to `become` one of my tools. Is this related to the scheduled K8s outage, or otherwise a known issue?
[14:59:10] arturo, ^
[14:59:43] musikanimal, that is most likely related to the nslcd -> sssd migration that arturo has been working on today
[15:00:05] okay, just making note of it. Thanks!
[15:00:08] which is the thing that sits on our instances and makes them look up stuff like users, groups, and sudo rules against LDAP instead of just locally.
[15:00:10] musikanimal: I think that things are messed up on stretch-dev.tools.wmflabs.org (tools-sgebastion-08). login.tools.wmflabs.org should work as expected
[15:00:24] (sudo rules used by `become` to get into your tools are stored in LDAP)
[15:00:39] ah. I was using tools-dev.wmflabs.org
[15:01:30] login.tools.wmflabs.org works indeed, thank you :)
[15:02:11] T221225 is the issue we are working through on tools-sgebastion-08
[15:02:36] T221225: sssd integration needs to be updated to include sudo config from LDAP support - https://phabricator.wikimedia.org/T221225
[15:19:17] !log tools T221225 creating tools-sgebastion-09 for testing sssd stuff
[15:19:21] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[15:19:24] T221225: sssd integration needs to be updated to include sudo config from LDAP support - https://phabricator.wikimedia.org/T221225
[15:21:35] !log tools.awmd-stats Restarting to use latest merged and deployed changes
[15:21:36] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.awmd-stats/SAL
[15:26:47] !log tools T221225 rebooting tools-sgebastion-08 to cleanup sssd
[15:26:57] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[15:26:57] T221225: sssd integration needs to be updated to include sudo config from LDAP support - https://phabricator.wikimedia.org/T221225