
Asking access to rOPS in writing
Closed, Resolved (Public)

DorianWinty triaged this task as Normal priority. Apr 12 2022, 17:42
DorianWinty created this task.

Nasqueron Operations tasks are discussed on IRC Libera #nasqueron-ops, could be interesting to join that one.

dereckson added a subscriber: Sandlayth.

The rOPS repository is pretty sensitive, as code pushed there will be executed by Salt under extended root privileges.

ACL

Currently, the protection for this repository is who can push. We can extend push rights to groups interested in joining operations in the future and learning from it, and simply check for Differential approval: for example @DorianWinty has submitted D2664 and I've approved it, so it's fine to merge, as far as ACL is concerned.

If that's the only concern we can technically do this:

| Policy | Current | Proposed |
| --- | --- | --- |
| Can push to rOPS | Nasqueron Operations Squad | Nasqueron Operations Squad, Nasqueron Operations Apprentices |
| Commits need Differential | No, but flagged for audit | Push is blocked |
| Commits need approval | No | Approval by Nasqueron Operations Squad |

Created H27 to define the policy implementing that table.

Code in repository = code deployed to the servers

There is a second concern. Configuration in rOPS and in servers should be idempotent. As such, code should be merged only immediately before deployment (*).

I guess we can enforce that one socially.

(*) For SSH keys, it seems a divergent practice is to wait until after user confirmation, but that led in the past to an account provisioned on Eglide but not documented in the repository, and a uid conflict, the same uid assigned to two users. So probably best to merge it and revert/amend it afterwards if the key has been lost or whatever.

Dorian request

No objection from my side, beings are welcome to help with server tasks, and with the notes above, which apply to anyone including current ops, we can move forward.

Would like feedback from @Sandlayth too on this matter.

Rule H27 works perfectly well.

With correct approval:

image.png (557×759 px, 87 KB)

Without correct technical approval (social approval was given):

image.png (185×644 px, 43 KB)

Ok, we've an agreement so :)

Welcome @DorianWinty 🥳🎉