Closed Bug 1336535 Opened 7 years ago Closed 6 years ago

Changing http://hg.mozilla.org to https:// everywhere (relops-puppet edition)

Categories

(Infrastructure & Operations :: RelOps: Puppet, task)

RESOLVED FIXED

People

(Reporter: Atoll, Assigned: dragrom)

Attachments

(2 files, 2 obsolete files)

Hi, I'm working with Infosec to scan the site for all http://hg.mozilla.org/ and get them changed over to https://. These are some instances I found, and was encouraged to file in Relops: Puppet.


releng-puppetX.srv.releng.scl3.mozilla.com /etc/puppet/environments/ contains many instances of the string 'http://hg.mozilla.org' in what appears to be one HG checkout per environment.

aws-managerX.srv.releng.scl3.mozilla.com /home/buildduty/ has a few checkouts.

cruncher-aws.srv.releng.usw2.mozilla.com /tmp/*/buildbot-configs/.hg/hgrc has a couple hundred instances of http://hg.mozilla.org, but I haven't conclusively proven a source for that.

dev-master2.bb.releng.use1.mozilla.com /builds/buildbot/ and /home/*/ both have lots of .hg/hgrc files that reference http://hg.m.o/. Perhaps related to try builds or something?

slaveapi-dev1.srv.releng.scl3.mozilla.com /builds/slaveapi/dev/aws/cloud-tools.bak/ seems deprecated or something, but /home/*/ has a few checkouts for a few users that are relevant. Is this one that webops manages, or y'all, or ..?
Assignee: relops → dcrisan
Status: NEW → ASSIGNED
Attached file replace_http.sh (obsolete) —
This script finds the text 'http:' in hgrc files and replaces it with 'https:'. The search path will be passed as a script parameter.
Usage: ./replace_http.sh <search_path>
Example: ./replace_http.sh /

This script can be run only once on the servers, or can be run using an ansible playbook or fabric module.

If we decide to run it using fabric (the same approach is used to run puppet on jumphosts), we can move this script to relops-infra repository.
If we decide to run the script as cron job, we will need to create a puppet module, and store this script to puppet repository.

Personally, I prefer to use the same approach as for running puppet on jumphosts (use fabric to run the script on the servers), because in my opinion this script will be run only one time.

:dividehex, :fubar What do you think?
Attachment #8958109 - Flags: review?(jwatkins)
(In reply to Dragos Crisan [:dragrom] from comment #1)
> Created attachment 8958109 [details]
> replace_http.sh
> 
> This script finds the text 'http:' in hgrc files and replaces it with
> 'https:'. The search path will be passed as a script parameter.
> Usage: ./replace_http.sh <search_path>
> Example: ./replace_http.sh /
> 
> This script can be run only once on the servers, or can be run using an
> ansible playbook or fabric module.
> 
> If we decide to run it using fabric (the same approach is used to run
> puppet on jumphosts), we can move this script to relops-infra repository.
> If we decide to run the script as cron job, we will need to create a
> puppet module, and store this script to puppet repository.
> 
> Personally, I prefer to use the same approach as for running puppet on
> jumphosts (use fabric to run the script on the servers), because in my
> opinion this script will be run only one time.
> 
> :dividehex, :fubar What do you think?


I think the simplest route would be to drop this into a misc puppet class.  You can then list an array of paths to search and replace.
Comment on attachment 8958109 [details]
replace_http.sh

This is really just a one liner that could fit into a puppet exec.  So I think that would be a natural place for this to live.  I would also like to see a puppet module/manifest that takes explicit paths to execute this on.
Attachment #8958109 - Flags: review?(jwatkins) → review-
Check for any occurrence of the 'default = http:' string in all hgrc files, starting the check from the / directory, and replace this string with the 'default = https:' string
Attachment #8958109 - Attachment is obsolete: true
Attachment #8962719 - Flags: review?(jwatkins)
Check for any occurrence of the 'default = http:' string in all hgrc files, starting the check from the / directory, and replace this string with the 'default = https:' string
Attachment #8962719 - Attachment is obsolete: true
Attachment #8962719 - Flags: review?(jwatkins)
Attachment #8962720 - Flags: review?(jwatkins)
Comment on attachment 8962720 [details] [diff] [review]
Bug_1336535_Change_http_to_https.patch

Review of attachment 8962720 [details] [diff] [review]:
-----------------------------------------------------------------

We really don't want to be executing 'find' on the entire file system.  This will cause a lot of unnecessary load on I/O and will once again increase the puppet run time.  The solution here is to make an explicit array of paths to search and then exec on that limited list.  You should also add an onlyif to check if the search path exists and make sure the sed and find are fully qualified paths (or add a path attribute with a list of paths).  Last, but not least, make sure to test this.

eg.

$search_paths = [ '/etc/puppet/environments/', '/home/buildduty/', ... ]
exec { $search_paths:
  command => "sed -i -e 's/default = http:/default = https:/g' `find ${title} -name hgrc -exec grep -l 'default = http:' {} \\;`"
}
Attachment #8962720 - Flags: review?(jwatkins) → review-
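
The approach asked for in the review above (an explicit list of paths, an existence check, a fixed command path), written as a POSIX shell function. This is an added example, not the attachment from this bug; the function name fix_hgrc and the restriction to the hg.mozilla.org host are assumptions of the example.

```shell
#!/bin/sh
# Added example (not the bug's patch): switch hg.mozilla.org default paths
# from http to https in hgrc files under an explicit list of directories.

# fix_hgrc DIR...  -> prints how many hgrc files were rewritten.
# The body is a subshell, so PATH and variables do not leak to the caller.
fix_hgrc() (
    PATH=/usr/bin:/bin; export PATH   # fixed PATH instead of the caller's
    # Restricting the match to this host is a choice made by the example.
    pat='default = http://hg\.mozilla\.org'
    list=$(mktemp) || exit 1
    tmp=$(mktemp) || exit 1
    changed=0
    for dir in "$@"; do
        # Missing directories and unmatched globs (a literal /home/*/) are skipped.
        [ -d "$dir" ] || continue
        # -xdev stays on one filesystem; -type f ignores symlinked hgrc files;
        # grep -l keeps only files that still need the change, so reruns do nothing.
        find "$dir" -xdev -type f -name hgrc -exec grep -l "$pat" {} + > "$list" || true
        while IFS= read -r f; do
            # Write back through the existing inode to keep owner and mode.
            sed "s|$pat|default = https://hg.mozilla.org|" "$f" > "$tmp" &&
                cat "$tmp" > "$f" && changed=$((changed + 1))
        done < "$list"
    done
    rm -f "$list" "$tmp"
    echo "$changed"
)
```

Globs such as /home/*/ are expanded by the calling shell, for example `fix_hgrc /etc/puppet/environments/ /home/*/`.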
EIS can use mig (comment 0) to find all current .hgrc files on all servers that contain "default = http:", in case hard-coding those paths as part of a one-time replace is simpler than doing a find.
Regarding the mig command: mig-agent is installed on the server relops-patching1.srv.releng.mdc1.mozilla.com. I found this link with documentation in the mig::agent::base class. I pulled the docker image and tried to run some mig queries from the mig docker container, but without success. So, let's use find on the path specified in Comment 0.
Testing the code to change hgrc files on the relops-patching1 server
Attachment #8964874 - Flags: review?(jwatkins)
Comment on attachment 8964874 [details] [diff] [review]
Bug_1336535_Change_http_to_https.patch

- Created a resource called change_file. This resource has as input an array of strings that represents the paths where you need to search for hgrc files. The exec block will execute the command only if the directory(ies) exist(s) and inside the directory(ies) is an hgrc file that contains the default = http: string.
Attachment #8964874 - Flags: review?(dhouse)
Comment on attachment 8964874 [details] [diff] [review]
Bug_1336535_Change_http_to_https.patch

Review of attachment 8964874 [details] [diff] [review]:
-----------------------------------------------------------------

r+ with changes noted inline

::: modules/mercurial/manifests/settings.pp
@@ +1,5 @@
>  # This Source Code Form is subject to the terms of the Mozilla Public
>  # License, v. 2.0. If a copy of the MPL was not distributed with this
>  # file, You can obtain one at http://mozilla.org/MPL/2.0/.
>  class mercurial::settings {
> +    # Bug 1336535 - Changing http://hg.mozilla.org to https:// everywhere (relops-puppet edition) 

Trailing white space

@@ +18,5 @@
>              $hgrc            = '/etc/mercurial/hgrc'
>              $hgrc_parentdirs = ['/etc/mercurial']
> +            $search_paths = ['/etc/puppet/environments/', '/home/buildduty/', '/tmp/*/buildbot-configs/.hg/hgr', '/builds/buildbot/', '/home/*/']
> +            # Bug 1336535 - Changing http://hg.mozilla.org to https:// everywhere (relops-puppet edition)
> +            # Check for any occurance of 'default = http:' string in all hgrc file, starting the check from / directory
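
Review bot: In the added $search_paths line, the entry '/tmp/*/buildbot-configs/.hg/hgr' looks truncated (comment 0 lists /tmp/*/buildbot-configs/.hg/hgrc) and, unlike the other entries, it names a file rather than a directory, so the existence check described for change_file and a find with -name hgrc over it will not match anything. Suggest the directory form '/tmp/*/buildbot-configs/' instead. The entries containing '*' also depend on the directory test and find receiving expanded paths, and because /tmp is normally world-writable, rewriting whatever hgrc turns up under /tmp/*/ from a puppet run deserves a second look.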

You should probably update the comments to reflect the fact that this search is limited to the paths set forth in $search_paths
Attachment #8964874 - Flags: review?(jwatkins) → review+
Attachment #8964874 - Flags: review?(dhouse) → review+
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
On dev-master2.bb.releng.use1.mozilla.com, I receive this error:

Thu Apr 05 09:29:40 -0700 2018 /Stage[main]/Mercurial::Settings/Mercurial::Settings::Change_file[/builds/buildbot/]/Exec[/builds/buildbot/]/onlyif (err): Check "test `find /builds/buildbot/ -name hgrc -exec grep -l 'default = http:' {} \\;|wc -l` -gt 0" exceeded timeout
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED