[Labs-l] IMPORTANT: ldap renaming -- possible interruptions to logins, sudo, dns
Andrew Bogott
abogott at wikimedia.org
Fri Sep 26 01:56:37 UTC 2014
Quick summary:
If you are only a tool labs user, you can ignore this email.
If you work in a non-tools project and all of your instances are happily
puppetized and talking to the central puppet server, you can probably
ignore this email.
If you work in a non-tools project and you have a local puppetmaster or
use role::puppet::self, you MUST apply the following patches to your
instance, or you may LOSE ALL ACCESS to your labs instances:
https://gerrit.wikimedia.org/r/#/c/159740
https://gerrit.wikimedia.org/r/#/c/162689
Full story:
As one of the final nails in the coffin of our old datacenter in Tampa,
I'm about to shut down the old virt0.wikimedia.org server. Up until
today, virt0 has remained our steadfast-but-seldom-used ldap backup server.
As a part of replacing virt0 (with a backup in Dallas), we're renaming
both ldap services. It's very important that labs instances be notified
of this change, as ldap is used to manage (among other things) all user
accounts. Tomorrow morning I'll merge a puppet patch (162689) that
updates all actively puppetized servers to use the new service names.
If all goes well this will be a smooth, unnoticed transition. If all
doesn't go well there may be brief interruptions in access and/or dns.
Tampa is getting shut down next week, so we have just a few days to
catch up all the unpuppetized servers with this change. You'll need to
either update your puppet repo (following the instructions in the first
question here:
https://wikitech.wikimedia.org/wiki/Help:Self-hosted_puppetmaster#FAQ )
or cherry-pick the above two patches and ensure that they apply
properly. You may need to restart your puppetmaster as part of the
update -- puppet also relies on ldap.
For those servers still in danger on Monday I'll be logging in myself
and updating puppet by hand, which shouldn't result in outages but might
involve me mucking with your custom puppet config if there are conflicts.
A full step-by-step description of this process can be found here:
https://wikitech.wikimedia.org/wiki/Ldap_rename
Thanks for reading and updating!
-Andrew