Operations grimoire/DevCentral
Revision as of 12:18, 22 January 2017
DevCentral is the name of our Phabricator instance.
Security
CI access
Jenkins can deploy code. Only trusted users should get access to Jenkins.
A Jenkinsfile script can request any node label it wants, so simply separating secure and non-secure nodes isn't enough since the Jenkins 2.0 migration.
To open our CI further, we would probably need two Jenkins masters: one with access only to its own group of non-trusted nodes, isolated from the Jenkins that deploys.
To secure the access to CI:
- we maintain a group, Trusted users, containing users trusted not to send malicious code to CI
- Herald rules triggering job should check Author's projects include all of Trusted users
- When creating a new build plan, it should only be visible to trusted users (it exposes a Jenkins token to trigger a new job)
Upgrade
First, upgrade the source code, pulling master for libphutil and rebasing production against origin/master for phabricator:
$ cd /opt/libphutil
$ git pull
$ cd /opt/phabricator
$ git fetch
$ git rebase origin/master
If there is any issue, solve the merge conflict for the production branch. Don't panic: everything is compiled through opcache, so you can calmly solve it without impacting the website.
Now stop the services, apply database migrations and restart services:
$ bin/phd status
$ bin/phd stop <the process of Xessife (PhabricatorBot)>
$ bin/phd stop
$ bin/storage upgrade -f
…
Done.
Completed applying all schema adjustments.
$ sv restart php-fpm
ok: run: php-fpm: (pid 8297) 0s
$ sv restart phd
ok: run: phd: (pid 8415) 0s
$ chpst -u app:app bin/phd launch PhabricatorBot /opt/phabricator/conf/xessife.json
Check https://devcentral.nasqueron.org/ for installation issues.
If you aren't an administrator, ask an admin to check (a yellow balloon popup appears with instructions when there is something to do).
Troubleshoot
devcentral.nasqueron.org port 5022: Connection refused
$ git push
ssh: connect to host devcentral.nasqueron.org port 5022: Connection refused
fatal: Could not read from remote repository.
That requires two things:
- an SSH server launched on port 22 of the devcentral Docker container, to serve repositories (not a staging area): http://pad.wolfplex.be/p/DevCentral
- an iptables rule to forward ports:
iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 5022 -j DNAT --to-destination 172.17.0.5:22
- if the container IP changed, check with
iptables -t nat -L PREROUTING
for an old entry (port 5022 is shown as "mice"):
- To remove the old:
iptables -t nat -D PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 5022 -j DNAT --to-destination 172.17.0.139:22
- To add the new:
iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 5022 -j DNAT --to-destination 172.17.0.5:22
- To check the rules:
iptables -t nat -L PREROUTING | grep mice
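As an added example (not part of the original runbook): a POSIX sh helper that parses the rule listing produced by iptables -t nat -S PREROUTING (the -S form prints rules as commands, which is easier to parse than -L), finds the DNAT rule for the public SSH port and prints the delete/insert pair needed to repoint it at a new container IP. The interface, public IP and port are the ones from this page; the sample rule listing is constructed.

```shell
#!/bin/sh
# Added example, not part of the original runbook. Given the output of
# `iptables -t nat -S PREROUTING`, find the DNAT rule for the public SSH
# port and print the commands that repoint it at a new container IP.

PUBLIC_IP="212.129.32.223/32"   # public address from the page
SSH_PORT="5022"                 # public SSH port from the page
IFACE="ens192"                  # external interface from the page

# Constructed sample of `iptables -t nat -S PREROUTING` output holding a stale rule.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -d 212.129.32.223/32 -i ens192 -p tcp -m tcp --dport 5022 -j DNAT --to-destination 172.17.0.139:22
-A PREROUTING -d 212.129.32.223/32 -i ens192 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.7:80'

# current_target RULES PORT: print the --to-destination of the DNAT rule
# matching --dport PORT, or nothing when no such rule exists.
current_target() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $0 ~ "--dport " port " " {
            for (i = 1; i <= NF; i++) if ($i == "--to-destination") print $(i + 1)
        }'
}

# repoint_commands RULES NEW_CONTAINER_IP: print the iptables commands to run
# (delete the stale rule if any, then insert the new one); prints nothing
# when the forward already points at NEW_CONTAINER_IP:22.
repoint_commands() {
    old=$(current_target "$1" "$SSH_PORT")
    new="$2:22"
    [ "$old" = "$new" ] && return 0
    if [ -n "$old" ]; then
        printf 'iptables -t nat -D PREROUTING -i %s -p TCP -d %s --dport %s -j DNAT --to-destination %s\n' \
            "$IFACE" "$PUBLIC_IP" "$SSH_PORT" "$old"
    fi
    printf 'iptables -t nat -I PREROUTING -i %s -p TCP -d %s --dport %s -j DNAT --to-destination %s\n' \
        "$IFACE" "$PUBLIC_IP" "$SSH_PORT" "$new"
}

# Stand-alone run: show what would be done to move the forward to 172.17.0.5.
repoint_commands "$SAMPLE_RULES" "172.17.0.5"
```

On the host itself, feed the live listing with repoint_commands "$(iptables -t nat -S PREROUTING)" NEW_IP and review the printed commands before running them.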
Database flood
Some tables can be heavily flooded:
- phabricator_daemon.daemon_logevent — 7M lines
- phabricator_conduit.conduit_methodcalllog — 23M lines
Just truncate them.