Closed Bug 800409 Opened 13 years ago Closed 13 years ago

Fix always changing puppet resources on AWS machines

Categories

(Infrastructure & Operations Graveyard :: CIDuty, task)

Product:
Infrastructure & Operations Graveyard
Component:
CIDuty
Platform:
x86_64
Linux
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: rail, Assigned: rail)

Details

(Whiteboard: [puppet][aws])

Attachments

(3 files, 1 obsolete file)

fix v2
1.42 KB, patch
dustin
: review+
rail
: checked-in+
Details | Diff | Splinter Review
fix #2
1.45 KB, patch
dustin
: review+
rail
: checked-in+
Details | Diff | Splinter Review
fix #3
4.70 KB, patch
dustin
: review+
rail
: checked-in+
Details | Diff | Splinter Review
These are: * cpuspped shouldn't be touched /etc/init.d/cpuspeed status Frequency scaling not supported under xen kernels * /root/.ssh/authorized_keys: rc.local updates that file, should be disabled
Attached patch fix v1 (obsolete) — Splinter Review
I don't like hostname matching here... v2 incoming
Attachment #670432 - Flags: feedback?(dustin)
Attached patch fix v2Splinter Review
2 concerns: 1) cpuspeed may be running when we puppetize a new (or reimaged) slave for the first time. 2) not sure how service resource works with not existing services (rc.local is AWS specific).
Attachment #670433 - Flags: feedback?(dustin)
And facter thinks that the AWS machines are "physical".
Comment on attachment 670433 [details] [diff] [review] fix v2 rc.local seems fine in my testing. Arguably cpuspeed is broken if it exits with status '0' in that case. If it's not supported, it's status is stopped, or something nonzero anyway. And cpuspeed doesn't "run" at all - it's just a startup script to set governors, and it doesn't do anything on AWS. So nothing to worry about there. So, I don't think there's any cleaner solution, and this really is perfectly fine.
Attachment #670433 - Flags: feedback?(dustin) → review+
Attachment #670432 - Attachment is obsolete: true
Attachment #670432 - Flags: feedback?(dustin)
Seen a couple of unchanged slaves. \o/
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
It turned out that disabling rc.local is not enough because the script has no idea about the "stop" action (the script is still called by /etc/rc.d/rc).
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached patch fix #2Splinter Review
Attachment #671250 - Flags: review?(dustin)
Comment on attachment 671250 [details] [diff] [review] fix #2 Review of attachment 671250 [details] [diff] [review]: ----------------------------------------------------------------- r+ with that adjustment ::: modules/disableservices/manifests/common.pp @@ +17,5 @@ > + } > + exec { > + "disable-rc.local": > + command => "/sbin/chkconfig --del rc.local", > + onlyif => "/bin/ls /etc/rc.d/rc*.d/*rc.local > /dev/null 2>&1"; Probably better to use "test -f $pathname" here - it has no output and gets you the exit status you want.
Attachment #671250 - Flags: review?(dustin) → review+
> Probably better to use "test -f $pathname" here - it has no output and gets > you the exit status you want. That was my first thought. In this case I would need very ugly command line to test all entries: $ ls -1 /etc/rc.d/rc*.d/*rc.local /etc/rc.d/rc0.d/K50rc.local /etc/rc.d/rc1.d/K50rc.local /etc/rc.d/rc2.d/K50rc.local /etc/rc.d/rc3.d/K50rc.local /etc/rc.d/rc4.d/K50rc.local /etc/rc.d/rc5.d/K50rc.local /etc/rc.d/rc6.d/K50rc.local K50 here may change in the future for other platforms, this is why I didn't want to harcode it.
Ah, I didn't realize the glob was matching multiple files. Ship it as-is, then!
This should be fixed now.
Status: REOPENED → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → FIXED
For some reason root's authorized keys file is still changing...
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Looks like chkconfig --del doesn't remove everything... On some machines I can find {K,S}*rc.local file in /etc/rc{0..6}.d/ directories. Sounds like we need some brute force here. :/
Not sure that killing rc.local is the best idea here...How about we modify rc.local to not update authorized_keys if the key being fetched by the EC2 API is already present?
Could we just add whatever key it's adding, but using puppet? So the two agree on the correct file content?
Attached patch fix #3Splinter Review
Let's manage it! It does nothing for now.
Attachment #677475 - Flags: review?(dustin)
Comment on attachment 677475 [details] [diff] [review] fix #3 Review of attachment 677475 [details] [diff] [review]: ----------------------------------------------------------------- Looks good with that small tweak. ::: modules/tweaks/manifests/rc_local.pp @@ +1,4 @@ > +class tweaks::rc_local { > + > + case $kernel { > + Linux: { This should probably be our usual $operatingsystem / CentOS combination (in case we use ubuntu or something).
Attachment #677475 - Flags: review?(dustin) → review+
(In reply to Dustin J. Mitchell [:dustin] from comment #19) > This should probably be our usual $operatingsystem / CentOS combination (in > case we use ubuntu or something). Makes sense. I thought about CentOS+Fedora, but probably it's safe to start with CentOS only.
Comment on attachment 677475 [details] [diff] [review] fix #3 pushed with a wrong commit message :/ http://hg.mozilla.org/build/puppet/rev/b1fa9c243677
Attachment #677475 - Flags: checked-in+
A lot of ec2 slaves are in unchanged state now. This is fixed for reals now! Phew...
Status: REOPENED → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering
Product: Release Engineering → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: