Create Task
Maniphest T273950

Modernise memcached systemd unit / sync, and make it presentable
Open, In Progress, MediumPublic
Actions

Description

memcached currently runs as "nobody". Running services as nobody is an antipattern, since it allows one service running as nobody to run code with the same privileges as a different service running as nobody. The default unit in buster runs memcached as "memcached"

Also, memcached in buster ships a systemd-memcached-wrapper which simply points to /etc/memcached.conf, so it would also be an option to switch to that and possibly no longer customise the systemd unit at all.

  • update systemd related hacks/puppet code/whatever
  • ensure the service is run under the memcache user

The following roles/profiles need to be migrated to use memcached_user: 'memcache'

cloud

  • hieradata/cloud.yaml
  • hieradata/cloud/eqiad1/deployment-prep/common.yaml
  • hieradata/role/codfw/wmcs/openstack/codfw1dev/control.yaml
  • hieradata/role/eqiad/wmcs/openstack/eqiad1/control.yaml

idp

  • hieradata/role/common/idp_test.yaml
  • hieradata/common/profile/idp/memcached.yaml

rest

  • hieradata/common/profile/memcached.yaml (& role)

CCing cloud-services-team for the cloud related

Details

SubjectRepoBranchLines +/-
Configure memcached on idp hosts to run as 'memcache'operations/puppetproduction+1 -0
Fix Hiera option nameoperations/puppetproduction+1 -3
Configure memcached on idp-test hosts to run as 'memcache'operations/puppetproduction+2 -0
mediawiki::memcached: switch to running as user memcacheoperations/puppetproduction+2 -2
mediawiki::memcached: increase number of threads mcX050-mcX054operations/puppetproduction+3 -1
mediawiki::memcached: switch to running as user memcache mcX050-mcX054operations/puppetproduction+8 -0
memcached: run as user memcache on mc-gp2003operations/puppetproduction+1 -0
memcached: add memcached_user optionoperations/puppetproduction+56 -28
Customize query in gerrit

Related Objects
Search...

Event Timeline

MoritzMuehlenhoff created this task.Feb 5 2021, 8:21 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 5 2021, 8:21 AM
jijiki triaged this task as Medium priority.Feb 5 2021, 8:22 AM
jijiki added projects: User-jijiki, serviceops.
jijiki moved this task from Inbox 🐅 to In Progress 🏋️‍♀️ on the User-jijiki board.Feb 5 2021, 4:44 PM
jijiki moved this task from In Progress 🏋️‍♀️ to Next up 🥌 on the User-jijiki board.Feb 15 2021, 3:57 PM
elukey subscribed.Mar 3 2021, 3:15 PM
Joe subscribed.Mar 5 2021, 10:22 AM

systemd-memcached-wrapper is a perl script, an evolution of the old wrapper script debian always used and that caused me more headaches than it solved. I'd very much prefer we keep the approach we took with our systemd unit back in the day (while it might make sense to switch to use user memcached for the reasons above)

jijiki moved this task from Next up 🥌 to St on the User-jijiki board.May 19 2021, 10:56 AM
jijiki moved this task from Incoming 🐫 to 🙈🙉🙊Backlog on the serviceops board.Sep 28 2022, 2:23 PM
jijiki added a parent task: T352885: Enable extstore to a subset of memcached servers (experiment).Dec 6 2023, 4:56 PM
jijiki renamed this task from Modernise memcached systemd unit / sync to current buster setup to Modernise memcached systemd unit / sync, and make it presentable.Apr 11 2024, 6:50 PM
jijiki updated the task description. (Show Details)
gerritbot added a comment.May 2 2024, 4:09 PM

Change #1026609 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] (WIP) memcached: make the service run under the memcache user

https://gerrit.wikimedia.org/r/1026609

gerritbot added a project: Patch-For-Review.May 2 2024, 4:09 PM
gerritbot added a comment.May 16 2024, 1:54 PM

Change #1032495 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] memcached: run as user memcache on mc-gp2003

https://gerrit.wikimedia.org/r/1032495

gerritbot added a comment.May 21 2024, 9:31 AM

Change #1026609 merged by Effie Mouzeli:

[operations/puppet@production] memcached: add memcached_user option

https://gerrit.wikimedia.org/r/1026609

gerritbot added a comment.May 21 2024, 9:52 AM

Change #1032495 merged by Effie Mouzeli:

[operations/puppet@production] memcached: run as user memcache on mc-gp2003

https://gerrit.wikimedia.org/r/1032495

Maintenance_bot removed a project: Patch-For-Review.May 21 2024, 10:31 AM
gerritbot added a comment.May 22 2024, 7:41 AM

Change #1034839 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] mediawiki::memcached: switch to running as user memcache

https://gerrit.wikimedia.org/r/1034839

gerritbot added a project: Patch-For-Review.May 22 2024, 7:41 AM
gerritbot added a comment.May 23 2024, 8:51 AM

Change #1035328 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] mediawiki::memcached: switch to running as user memcache mcX050-mcX054

https://gerrit.wikimedia.org/r/1035328

gerritbot added a comment.May 23 2024, 8:56 AM

Change #1035328 merged by Effie Mouzeli:

[operations/puppet@production] mediawiki::memcached: switch to running as user memcache mcX050-mcX054

https://gerrit.wikimedia.org/r/1035328

gerritbot added a comment.May 23 2024, 10:13 AM

Change #1035349 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] mediawiki::memcached: set number of memcached threads mcX050-mcX054

https://gerrit.wikimedia.org/r/1035349

gerritbot added a comment.May 23 2024, 10:38 AM

Change #1035349 merged by Effie Mouzeli:

[operations/puppet@production] mediawiki::memcached: increase number of threads mcX050-mcX054

https://gerrit.wikimedia.org/r/1035349

jijiki changed the task status from Open to In Progress.May 24 2024, 11:49 AM
jijiki claimed this task.
gerritbot added a comment.Jun 3 2024, 8:29 AM

Change #1034839 abandoned by Effie Mouzeli:

[operations/puppet@production] mediawiki::memcached: switch to running as user memcache

Reason:

already merged as I42325f5a906b5df37810b196b3e3cef67151cea3

https://gerrit.wikimedia.org/r/1034839

Maintenance_bot removed a project: Patch-For-Review.Jun 3 2024, 8:31 AM
jijiki changed the task status from In Progress to Open.Jun 4 2024, 8:42 AM
jijiki added a project: Cloud-Services.
jijiki updated the task description. (Show Details)
Restricted Application added a comment. · View Herald TranscriptJun 4 2024, 8:42 AM

The Cloud-Services project tag is not intended to have any tasks. Please check the list on https://phabricator.wikimedia.org/project/profile/832/ and replace it with a more specific project tag to this task. Thanks!

jijiki updated the task description. (Show Details)Jun 4 2024, 8:45 AM
jijiki updated the task description. (Show Details)Jun 4 2024, 9:03 AM
jijiki updated the task description. (Show Details)Jun 4 2024, 9:05 AM
jijiki updated the task description. (Show Details)Jun 4 2024, 9:18 AM
jijiki changed the task status from Open to In Progress.Jun 4 2024, 3:12 PM
jijiki updated the task description. (Show Details)
gerritbot added a comment.Jun 5 2024, 12:34 PM

Change #1039206 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Configure memcached on idp-test hosts to run as 'memcache'

https://gerrit.wikimedia.org/r/1039206

gerritbot added a project: Patch-For-Review.Jun 5 2024, 12:34 PM
gerritbot added a comment.Jun 5 2024, 1:56 PM

Change #1039206 merged by Muehlenhoff:

[operations/puppet@production] Configure memcached on idp-test hosts to run as 'memcache'

https://gerrit.wikimedia.org/r/1039206

gerritbot added a comment.Jun 5 2024, 2:15 PM

Change #1039226 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Fix Hiera option name

https://gerrit.wikimedia.org/r/1039226

gerritbot added a comment.Jun 5 2024, 2:21 PM

Change #1039226 merged by Muehlenhoff:

[operations/puppet@production] Fix Hiera option name

https://gerrit.wikimedia.org/r/1039226

gerritbot added a comment.Jun 5 2024, 2:31 PM

Change #1039229 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Configure memcached on idp hosts to run as 'memcache'

https://gerrit.wikimedia.org/r/1039229

MoritzMuehlenhoff updated the task description. (Show Details)Jun 5 2024, 2:33 PM
MoritzMuehlenhoff added a comment.Mon, Jun 24, 11:25 AM

CAS 7.0 (what we are currently migrating to) removed the memcached backend. As such, this change won't be needed anymore for the idp servers, I'll tick them off.

MoritzMuehlenhoff updated the task description. (Show Details)Mon, Jun 24, 11:25 AM
gerritbot added a comment.Mon, Jun 24, 11:25 AM

Change #1039229 abandoned by Muehlenhoff:

[operations/puppet@production] Configure memcached on idp hosts to run as 'memcache'

Reason:

CAS 7.0 removed the memcached backend, no longer needed

https://gerrit.wikimedia.org/r/1039229

Maintenance_bot removed a project: Patch-For-Review.Mon, Jun 24, 11:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits