You are browsing a read-only backup copy of Wikitech. The primary site can be found at wikitech.wikimedia.org
UID: Difference between revisions
Jump to navigation
Jump to search
imported>Dzahn (trebuchet is 499 now on deploy1001/deploy2001) |
imported>Dzahn (add zuul, fix jenkins UID) |
||
| Line 2: | Line 2: | ||
This is most likely not the desired state yet, but just starting out with the current situation on <s>[[fenari]]</s>. Should be edited to reflect the desired situation, being equal on all servers. | This is most likely not the desired state yet, but just starting out with the current situation on <s>[[fenari]]</s>. Should be edited to reflect the desired situation, being equal on all servers. | ||
'''You can and should now reserve UIDs in the puppet admin module and use systemd-sysuser, like in [https://gerrit.wikimedia.org/r/c/operations/puppet/+/606286 this example].''' | |||
*(table columns are sortable) | *(table columns are sortable) | ||
| Line 25: | Line 27: | ||
|- | |- | ||
| 499 || 499 || trebuchet | | 499 || 499 || trebuchet | ||
|- | |||
| 903 || 903 || jenkins (defined in admin module!) | |||
|- | |||
| 904 || 904 || zuul (defined in admin module!) | |||
|- | |- | ||
| 10002 || 10002 || l10nupdate | | 10002 || 10002 || l10nupdate | ||
Revision as of 18:07, 25 June 2020
reserved UIDs & GIDs
This is most likely not the desired state yet, but just starting out with the current situation on fenari. Should be edited to reflect the desired situation, being equal on all servers.
You can and should now reserve UIDs in the puppet admin module and use systemd-sysuser, like in this example.
- (table columns are sortable)
| UID | GID | user name |
|---|---|---|
| 33 | 33 | www-data |
| 48 | 48 | apache |
| 107 | 112 | puppet |
| 110 | 115 | nagios |
| 111 | 116 | mwdeploy |
| 444 | 444 | gerrit2 |
| 445 | 445 | rancid |
| 498 | 498 | phd (phabricator) |
| 499 | 499 | trebuchet |
| 903 | 903 | jenkins (defined in admin module!) |
| 904 | 904 | zuul (defined in admin module!) |
| 10002 | 10002 | l10nupdate |
permission/security hierarchy
the security hierarchy looks as follows as decribed by TimStarling:
- root > wikidev > mwdeploy > www-data
- root can own wikidev but wikidev can't own root
- wikidev can own mwdeploy but mwdeploy can't own wikidev
- scripts owned by mwdeploy can only be run by www-data
- everything has to su to www-data before running maintenance scripts
also see: task T79786