To avoid sheriffs having to bother releng (and so things like bug 1015063 don't get caught in limbo), it would be great if sheriffs were able to deploy trychooser - either manually or via a red button 'Chief' approach similar to that used by TBPL. If it helps, there is an existing group for the sheriffs, 'vpn_sheriff'.
Over to relops, who manage the machine that does these deployments.
How do you folks typically push changes to things like tbpl? We'll try to make it look the same.
We use the Chief tool.
OK -- I don't know how that works, but it's a webops cluster so it should be possible. Over to you, fine folks of webops!
:relops, Per convo with coop/laura today we want to give employee-sheriffs this access now, rather than wait for time for Chief to be implemented (though that is the ideal solution). This access will be a bit broader than needed here, but is *ok* per same managers. The easy ability to grant access was designed/created in Bug 1055727 with relops made owners of the LDAP group. ACTION ITEM: Please grant vpn_releng_self_serve to: * email@example.com * firstname.lastname@example.org * email@example.com * firstname.lastname@example.org === For :sheriffs Instructions for deployment are at https://wiki.mozilla.org/ReleaseEngineering/How_To/Update_the_Try_Syntax All updates to that are logged at https://changelog.paas.allizom.org/#criticality=&hours_ago=1&until=-1&category=&description= as well (e.g. https://changelog.paas.allizom.org/#criticality=&hours_ago=1000&until=1409681465&category=&description=trychooser )
Can we add email@example.com to the sheriff list too please
(In reply to David Burns :automatedtester from comment #6) > Can we add firstname.lastname@example.org to the sheriff list too please a+=me, fwiw. (I mentally selected employee sheriffs, and he slipped my mind due to pure neglect on my part)
This was mistakenly moved to relops when it's still a webops service/controlled service.
(In reply to Amy Rich [:arich] [:arr] from comment #8) > This was mistakenly moved to relops when it's still a webops > service/controlled service. No not mistakenly... (In reply to Justin Wood (:Callek) from comment #5) > The easy ability to grant access was designed/created in Bug 1055727 with > relops made owners of the LDAP group. So, based on that discussion relops owns adding/removing users from that LDAP group, which is how we will solve this bug. Please perform that work.
That discussion apparently happened without relops. I've tracked back to the original bug and I've asked IT to give all releng access to modify that group, so you can self serve here.
All employed sheriffs should have access as soon as the ldap/puppet propagation happens. please feel encouraged to chat with releng for the first few deploys you do yourselves.
ssh and sudoers permissions confirmed working, thank you :-)