Portal:Cloud VPS/Admin/Projects lifecycle
This page describes how Cloud VPS projects are supposed to be created and deleted, i.e, the lifecycle. In the OpenStack world, project is known as tenant.
Working with projects
Rather than adding yourself as a project admin for a project to visualize / work on it, add yourself as a domain admin:
$ sudo wmcs-openstack role add --user USERNAME --domain default --inherited admin
To see which projects you have a membership in see, https://openstack-browser.toolforge.org/user/USERNAME
Project Requests
New project requests are made by the users in Phabricator. These requests are reviewed and fulfilled by the current member on clinic duty.
Approval requires at least 2 members of the team.
Quota Upgrade Requests
Create a Phabricator ticket with the following information:
- Project name
- Type of quota increase requested: <cpu/ram/disk/instance count/floating ip>
- Amount of quota increase: <Something like: enough create one large instance>
- Reason: <Why is this quota increase required?>
Processing requests
- SSH to the corresponding control box (e.g. cloudcontrol1003.wikimedia.org, see deployments).
- Process the change per below and update the phabricator ticket
- Log the event in the project SAL (#wikimedia-cloud> !log PROJECTNAME Brief description of what you did (phabricator ticket#), e.g. #wikimedia-cloud> !log videocuttool bump quota to 26 core, 36G of RAM, 320GB Storage (T278605))
- Resolve the Phabricator task, letting requestors know
Requests
Creating a new project
Note, you should use the cookbook for this. TODO, update with cookbook commands.
Prerequisites:
- Project names should be all lower case, if not some errors will happen when requesting the puppet certificate
- Users have valid Developer accounts
- You have added the project to the list in Portal:Cloud VPS/Admin/Projects with the relevant contacts, tags, and link to the creation task.
- Make sure the users requesting the project exists in LDAP
$ sudo wmcs-openstack user list | grep -i user | user | User name |
- Create the project (in this example, we are creating a project called newp). It is helpful to include the phabricator ticket of the project creation request
$ sudo wmcs-openstack project create --enable --description "a dockerised wikibase infrastructure (TXXXXXX)" newp +-------------+--------------------------------------+ | Field | Value | +-------------+--------------------------------------+ | description | a dockerised wikibase infrastructure | | domain_id | default | | enabled | True | | id | newp | | is_domain | False | | name | newp | | parent_id | default | +-------------+--------------------------------------+
- Modify initial quotas if required (see section below)
- Add initial users to roles:
$ sudo wmcs-openstack role add --project newp --user requestinguser reader $ sudo wmcs-openstack role add --project newp --user requestinguser member $ sudo wmcs-openstack role assignment list --names --project newp +--------------+---------------------------------+-------+--------------+--------+-----------+ | Role | User | Group | Project | Domain | Inherited | +--------------+---------------------------------+-------+--------------+--------+-----------+ | member | Requestinguser@Default | | newp@Default | | False | | reader | Requestinguser@Default | | newp@Default | | False | +--------------+---------------------------------+-------+--------------+--------+-----------+
- Please make sure to instruct the user to join the cloud-announce mailing list.
Deleting a project
Project deletion tends to leave orphaned resources lying about. Eventually this should all be handled by Designate or Keystone hooks, but until then:
- Make sure there are no instances in the project. This can be done in Horizon or via the commandline:
$ sudo wmcs-openstack server list --project <project> $ sudo wmcs-openstack server delete <instance id>
- Note if a custom flavor is present (these should be standardized after September 2020), and remove if no longer used outside of project:
$ sudo wmcs-openstack flavor list $ sudo wmcs-openstack flavor delete <flavor name>
- Make sure the project is not configured for NFS modules/labstore/templates/nfs-mounts.yaml.erb.
- Make sure there are no dns zones allocated to the project. This can be done in Horizon Here (Be sure to select the right project using the dropdown) or via the commandline:
$ sudo wmcs-openstack zone list --sudo-project-id <project> $ sudo wmcs-openstack zone delete --sudo-project-id <project> <zone id>
- Delete any proxies the project may have via Horizon. Be sure to select the right project using the dropdown
- Delete any prefix- or project-wide puppet configurations via Horizon Here and Here. Be sure to select the right project using the dropdown
- Utilizing horizon, confirm no project specific config, rules, or resources remain.
- Finally, delete the project using Horizon or the commandline. If using Horizon, set your current project to 'Admin' and then delete the project using the Identity->Projects panel:
$ sudo wmcs-openstack project delete <project>
- Remove the project from the list at Portal:Cloud VPS/Admin/Projects
Manage project access
Note that project access should usually be self-managed by project admins on Horizon. Be careful to avoid phishing attacks if you're adjusting them via the CLI tools! The following commands are recorded here for reference.
Add access
There are essentially two roles that are interesting most of the times: user
(lets the user SSH in to any instances) and projectadmin
(lets the user manage project resources via Horizon). For more information, see: Help:Cloud services user roles and rights.
Using the preferred cookbook:
$ cookbook wmcs.vps.add_user_to_project \
--cluster-name eqiad1 \
--task-id sometask \
--project someproject \
--user someuser
Or, as a fallback, manually:
$ sudo wmcs-openstack role add --project someproject --user someuser projectadmin
$ sudo wmcs-openstack role assignment list --names --project someproject
Remove access
If you need to drop some user involvement with a project, using the preferred cookbook:
$ cookbook wmcs.vps.remove_user_from_project \
--cluster-name eqiad1 \
--task-id sometask \
--project someproject \
--user someuser
Or, as a fallback, manually:
$ sudo wmcs-openstack role assignment list --names --user someuser
:# OR
$ sudo wmcs-openstack role assignment list --names --project someproject
:# and then accordingly for all the roles
$ sudo wmcs-openstack role remove --user someuser --project someproject somerole
Modifying project quotas
You can use the following cookbook to increase a project's quotas:
dcaro@vulcanus$ cookbook wmcs.openstack.quota_increase -h
usage: cookbooks.wmcs.openstack.quota_increase [-h] [--project PROJECT] [--task-id TASK_ID] [--no-dologmsg] [--control-node-fqdn CONTROL_NODE_FQDN] [--gigabytes GIGABYTES] [--ram RAM] [--cores CORES] [--floating-ips FLOATING_IPS]
WMCS openstack - increase a project's quota by a given amount
Usage example: wmcs.openstack.quota_increase --project admin-monitoring --gigabytes 30G --instances 5
options:
-h, --help show this help message and exit
--project PROJECT Relevant Cloud VPS openstack project (for operations, dologmsg, etc). If this cookbook is for hardware, this only affects dologmsg calls. Default is 'admin'.
--task-id TASK_ID Id of the task related to this operation (ex. T123456). (default: None)
--no-dologmsg To disable dologmsg calls (no SAL messages on IRC). (default: False)
--control-node-fqdn CONTROL_NODE_FQDN
FQDN of the control node to orchestrate from. (default: cloudcontrol1003.wikimedia.org)
--gigabytes GIGABYTES
Amount to increase the cinder space by (in G, ex. 10G or 10). (default: None)
--ram RAM Amount to increase the ram by (in M or G, ex 10G, 250M, 250). (default: None)
--cores CORES Amount to increase the cores/vcpus by. (default: None)
--floating-ips FLOATING_IPS
Amount to increase the floating ips by. (default: None)
CPU, Memory, Storage
- CPU, Memory, Storage, and Instances can all be set as shown below.
$ sudo wmcs-openstack quota set --cores 26 --ram 36864 --gigabytes 320 --instances 8 videocuttool $ sudo wmcs-openstack quota show videocuttool +----------------------+-------------+ | Field | Value | +----------------------+-------------+ | backup-gigabytes | 1000 | | backups | 0 | | cores | 26 | | fixed-ips | -1 | | floating-ips | 0 | | gigabytes | 320 | | gigabytes_standard | -1 | | groups | 4 | | health_monitors | None | | injected-file-size | 10240 | | injected-files | 5 | | injected-path-size | 255 | | instances | 8 | | key-pairs | 100 | | l7_policies | None | | listeners | None | | load_balancers | None | | name | None | | networks | 100 | | per-volume-gigabytes | -1 | | pools | None | | ports | 500 | | project | videocuttool| | project_name | videocuttool| | properties | 128 | | ram | 36864 | | rbac_policies | 10 | | routers | 10 | | secgroup-rules | 100 | | secgroups | 40 | | server-group-members | 10 | | server-groups | 10 | | snapshots | 4 | | snapshots_standard | -1 | | subnet_pools | -1 | | subnets | 100 | | volumes | 8 | | volumes_standard | -1 | +----------------------+-------------+
Floating ip
- Set the number of floating ips
$ sudo wmcs-openstack quota set --floating-ips 1 devtools $ sudo wmcs-openstack quota show devtools +----------------------+----------+ | Field | Value | +----------------------+----------+ | cores | 16 | | fixed-ips | -1 | | floating-ips | 1 | | health_monitors | None | | injected-file-size | 10240 | | injected-files | 5 | | injected-path-size | 255 | | instances | 8 | | key-pairs | 100 | | l7_policies | None | | listeners | None | | load_balancers | None | | location | None | | name | None | | networks | 100 | | pools | None | | ports | 500 | | project | devtools | | project_name | devtools | | properties | 128 | | ram | 32768 | | rbac_policies | 10 | | routers | 10 | | secgroup-rules | 100 | | secgroups | 40 | | server-group-members | 10 | | server-groups | 10 | | subnet_pools | -1 | | subnets | 100 | +----------------------+----------+
Database / Trove
See Trove_quotas
History
In previous versions of Cloud VPS, the project lifecycle was handled via Wikitech itself, with some custom MediaWiki plugins to hook into the Openstack API. This was eventually replaced by Horizon, which can handle all the operations by itself.