- 1 What is Horizon?
- 2 Wait, isn't that what Wikitech is for?
- 3 Access and Login
- 3.1 Who has access to Horizon?
- 3.2 The Horizon login prompts me for a 'Totp token.' What's that? Can I just leave it blank?
- 3.3 What happens if I lose my phone and my backup codes?
- 3.4 I belong to so many projects that they don't all show up in the project menu. How can I view the 'zzzendofalphabet' project?
- 4 Proxies and DNS in Horizon
Frequently asked questions about horizon.wikimedia.org
What is Horizon?
Horizon.wikimedia.org is the web interface for creating and manipulating virtual machines ('Cloud VPS instances') and associated features within Cloud VPS. It runs a customized version of OpenStack Horizon, which is the official tool for managing OpenStack deployments.
Wait, isn't that what Wikitech is for?
Cloud VPS predates the OpenStack Horizon project. Wikitech.wikimedia.org runs the OpenStackManager extension, which is an alternative WMF-written web interface for OpenStack. Now that the Horizon project has matured and begun to cover most of our use cases, we are gradually migrating away from OpenStackManager and adopting Horizon for Cloud VPS project administration. Horizon is the preferred tool for the following uses:
- Creation/deletion of projects
- User management within Cloud VPS projects
- Creation, deletion, starting, stopping of instances
- Management of instance firewalls (aka 'security groups')
- Creation and assignment of web proxies for instances
- Assignment of floating IPs to instances
- Manipulation of DNS records associated with floating IPs
- Management of project Sudo policies
- Management of puppet and hiera configuration for instances
These actions currently remain on Wikitech but may be moved to new custom web tools:
- Individual user management: Account creation, password & 2fa management, management of ssh keys for instance access
Access and Login
Who has access to Horizon?
Any Wikimedia developer account holder with the 'projectadmin' role in a project has login access to horizon.wikimedia.org. The username, password, and totp token are the ones associated with your developer account. Normal Toolforge and Cloud VPS project members can ignore Horizon for now, and possibly forever.
The Horizon login prompts me for a 'Totp token.' What's that? Can I just leave it blank?
Horizon login requires a password and a second factor, the totp token. These credentials are shared with your developer account. If you already have two-factor authentication (sometimes called 2fa) enabled for your developer account, then you're all set; if not, you will need to enable two-factor authentication on Wikitech by visiting 'Preferences->User Profile' and clicking 'Enable two-factor authentication'. Note that if you later disable 2fa on Wikitech, you will not be able to log into Horizon until you re-enable 2fa on Wikitech.
What happens if I lose my phone and my backup codes?
A member of the WMF Operations team can turn off 2fa for your developer account, at which point you can re-enable it and reset your code. To do this you will need to verify your identity, most likely by logging into a Cloud VPS instance with an ssh key and editing a file as requested by the Op who is helping you. Just in case, make sure you have a working ssh login to Cloud VPS before you enable 2fa.
I belong to so many projects that they don't all show up in the project menu. How can I view the 'zzzendofalphabet' project?
This is a bug pending with the upstream developers. In the meantime, you can view a complete project list by selecting the 'Identity->Projects' tab. To view a specific project, click the 'Set as Active Project' button on the right-hand side of the table.
Proxies and DNS in Horizon
Can I create a new DNS domain/zone for my project, or records under the wmflabs.org domain?
Due to the ownership and security models in Horizon and OpenStack, creating a new subdomain of wmflabs.org requires cooperation between multiple projects (yours, and the project that owns wmflabs.org). For this reason, domain creation is limited to Cloud VPS operators. Create a Phabricator request and we'll get to it as soon as we can.