#5363 Request for an experimental compose box in staging.
Closed: Fixed None Opened 4 years ago by ralph.

This is kind of an oddball situation.

For modularity, we need to do some development on a tool that needs read-only access to staging /mnt/koji.

Ideally, we would create a cloud node for development tasks like this, but we can't mount the staging version of /mnt/koji in the cloud, right?

If we can't do that, can we create a staging machine for this development? We would need to grant access to it for some non-sysadmin users, notably lkocman and psabata.


Sure. Could we just reuse composer.stg?

If not, I guess we could make a composer02.stg or something?

We should ask @lsedlar and @ausil about re-using composer.stg. It may be that they are trying to test stable releases of pungi there before moving them to prod, and we wouldn't want to disrupt it. (We're doing some crazy off-branch pungi experiments that might collide.)

All the tests I did there were using a git checkout of pungi and the composes went to /mnt/koji/compose.

While I don't know how crazy you want to go, I don't think using the existing composer box would be a problem.

It looks like we have to be apache or root to write back to /mnt/koji on that box.

If we give some developers access so they can hack in their homedirs, they should be able to read /mnt/koji but not write to it, so long as we don't give them sudo.

If they don't have sudo, they can't mess anything up that would prevent lsedlar and ausil from testing pungi changes pre-production, and that's our main concern, right?

I think the following commit should give them access to the box.

https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=2cee24619cc1559195bbc10739186038cc9e50d0

They shouldn't have sudo rights.

It is expected that they'll be able to share the box with fedora-releng and the primary purpose of the box is to be able to test changes to the production compose toolchain before deployment. If the modularity-wg members need more control than that, then we'll double back on this and create them their own box.

For the record, we had to also allow them on bastion here:

https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=6efc52cda6724375717f70e48076e9510ce12d4c

At some point in the future, we'll want to roll this back and remove the access rights granted to the modularity-wg.
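
One way to check the "read /mnt/koji but not write to it" expectation discussed in this ticket, as an added example that is not part of the ticket or of the ansible repository: it walks a tree and evaluates the classic owner/group/other mode bits for a given UID and group set. The function names, the sample tree and the account IDs are constructed for illustration, and POSIX ACLs, capabilities and read-only mount options are assumed absent.

```python
import os
import stat
import tempfile

READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
WRITE = (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def allowed(st, uid, gids, bits):
    """Classic owner/group/other check from mode bits only.
    Assumption: no POSIX ACLs, capabilities or read-only mounts in play."""
    owner_bit, group_bit, other_bit = bits
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def audit_tree(root, uid, gids):
    """Return (writable, unreadable) path sets for the given account."""
    gids, writable, unreadable = set(gids), set(), set()
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not enforced
            if allowed(st, uid, gids, WRITE):
                writable.add(path)
            if not allowed(st, uid, gids, READ):
                unreadable.add(path)
    return writable, unreadable


def build_sample_tree():
    """Constructed sample standing in for a share such as /mnt/koji."""
    root = tempfile.mkdtemp()
    layout = {"compose.log": 0o644, "scratch.txt": 0o666, "signing.key": 0o600}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    st = os.lstat(root)
    # Hypothetical developer account: not the owner, not in the owning group.
    writable, unreadable = audit_tree(root, st.st_uid + 1000, {st.st_gid + 1000})
    print("writable:", sorted(writable))
    print("unreadable:", sorted(unreadable))
```

An empty `writable` set for the developers' UID and groups is the result that matches the expectation stated in the ticket; any path it lists is writable by that account without sudo.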
