From Fedora Project Wiki

(→‎Description: add some basic information about groups)
(update sysadmin-releng info)
Line 6: Line 6:
* ''sysadmin-cvs'': Allows shell access to pkgs01 (pkgs.fedoraproject.org)
* ''sysadmin-cvs'': Allows shell access to pkgs01 (pkgs.fedoraproject.org)
* ''gitreleng'': Allows write access to release engineering git repo
* ''gitreleng'': Allows write access to release engineering git repo
* ''sysadmin-releng'': Allows SSH access to FIXME systems, requires FIXME group membership (if there is some group required to access bastion?)
* ''sysadmin-releng'': Allows SSH access to releng04 relepel01 koji03 koji04 sysadmin-releng requires sysadmin group membership, which grants access to bastion, the gateway to phx2.


== Action ==
== Action ==
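Review bot: in the replacement ''sysadmin-releng'' bullet, the host list and the group requirement run together with no punctuation ("koji03 koji04 sysadmin-releng requires sysadmin group membership"), so sysadmin-releng can be read as a fifth host. Separate the hosts with commas and end the sentence before "sysadmin-releng requires". Since this line defines who gets SSH access through bastion, it is also worth confirming that each host name, "relepel01" in particular, is spelled as intended.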

Revision as of 13:35, 30 May 2014

Description

People volunteer (or get assigned) to do Fedora release engineering from time to time. This SOP describes the process for adding a new release engineer so that they have the rights to accomplish their tasks, know where to find the tasks, and are introduced to the existing members. There are several groups that manage access to the respective systems:


  • cvsadmin: Admin group for pkgdb2 (allows retiring/orphaning all packages, etc.); allows git write access via SSH to all packages in dist-git
  • sysadmin-cvs: Allows shell access to pkgs01 (pkgs.fedoraproject.org)
  • gitreleng: Allows write access to release engineering git repo
  • sysadmin-releng: Allows SSH access to releng04, relepel01, koji03 and koji04. sysadmin-releng requires sysadmin group membership, which grants access to bastion, the gateway to phx2.

Action

A new release engineer will need access rights in a variety of systems, and will need to be introduced to the releng group.

Git

Fedora Release Engineering maintains a git repo of scripts. This can be found at ssh://git.fedorahosted.org/git/releng . Write access to this repo is controlled by membership in the 'gitreleng' FAS group. The new member's FAS username will need to be added to this group.

https://git.fedorahosted.org/cgit/releng


FIXME: walkthrough group addition

FAS

There is a releng group in FAS that release engineers are added to in order to grant them various rights within the Fedora infrastructure. The new member's FAS username will need to be added to this group.

FIXME: walkthrough group addition

Koji

In order to perform certain (un)tagging actions a release engineer must be an admin in koji. To grant a user admin rights one uses the grant-permission command in koji.

$ koji grant-permission --help
Usage: koji grant-permission <permission> <user> [<user> ...]
(Specify the --help global option for a list of other help options)

Options:
  -h, --help  show this help message and exit

For example if we wanted to grant npetrov admin rights we would issue:

$ koji grant-permission admin npetrov

Sigul

Sigul is our signing server system. New release engineers need to be set up as signers if they are going to be signing packages for a release.

FIXME: link to sigul SOP

Wiki Page

The new release engineer should be added to the Release Engineering membership list.

rel-eng email list

Release engineering ticket spam and discussion happens on our Mailing List. New releng people need to subscribe.

IRC

We ask that release engineers idle in #fedora-releng on Freenode to be available for queries by other infrastructure admins. Idling in #fedora-admin on Freenode is optional. It is a little noisy, but people sometimes ask releng questions there.

New member announcement

When a new releng member starts, we announce it to the email list. This lets the other admins know to expect a new name to show up in tickets and on IRC.

Verification

Git

You can verify group membership by sshing to a system that is set up with FAS and using getent to verify membership in the gitreleng group:

$ ssh fedorapeople.org getent group gitreleng
gitreleng:x:101647:ausil,dwa,jwboyer,kevin,notting,pbabinca,sharkcz,skvidal,spot

You can verify that the new user is in the above list.

FAS

You can verify group membership by sshing to a system that is set up with FAS and using getent to verify membership in the releng group:

$ ssh fedorapeople.org getent group releng
releng:x:101737:atowns,ausil,dwa,jwboyer,kevin,lmacken,notting,pbabinca,spot

You can verify that the new user is in the above list.
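As an added example (not part of the original SOP), the getent checks in the Git and FAS verification steps can be scripted so the username is matched as a whole entry rather than by eye or by substring. The function names are hypothetical, and the sample lines are the getent outputs shown above.

```shell
#!/bin/sh
# Added example: exact-match membership check on getent group output.
# Assumption: each line is in group(5) format: name:passwd:gid:member,member,...

# is_member GETENT_LINE USER -> returns 0 only if USER is a whole entry
# in the comma-separated member field (so "spo" does not match "spot").
is_member() {
    [ -n "$2" ] || return 1
    members=${1##*:}            # fourth field: text after the last colon
    case ",$members," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_groups USER LINE... -> prints the names of the groups USER is NOT in.
missing_groups() {
    user=$1; shift
    missing=""
    for line in "$@"; do
        is_member "$line" "$user" || missing="$missing ${line%%:*}"
    done
    echo "${missing# }"
}

# Sample input: the two getent lines shown on this page.
GITRELENG='gitreleng:x:101647:ausil,dwa,jwboyer,kevin,notting,pbabinca,sharkcz,skvidal,spot'
RELENG='releng:x:101737:atowns,ausil,dwa,jwboyer,kevin,lmacken,notting,pbabinca,spot'

for u in ausil sharkcz npetrov; do
    m=$(missing_groups "$u" "$GITRELENG" "$RELENG")
    echo "$u: ${m:-member of all checked groups}"
done

# Live use (needs SSH access to a FAS-enabled host, as in the commands above):
#   missing_groups npetrov "$(ssh fedorapeople.org getent group gitreleng)" \
#                          "$(ssh fedorapeople.org getent group releng)"
```

An empty result means the user is in every group checked; any group name printed is one where the addition has not taken effect yet.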

Koji

To verify that the releng member is an admin in koji, use the list-permissions koji command:

$ koji list-permissions --user npetrov
admin

This shows that npetrov is an admin.

Sigul

  • FIXME

Wiki Page

Verification is easy. Just look at the page.

releng mailing list

Verify by asking the user if they got the announcement email.

Announcement email

See above

Consider Before Running

  • Make sure the releng person has a solid grasp of the tasks we do and where to get help if stuck