Portal:Cloud VPS/Admin/Projects lifecycle
This page describes how Cloud VPS projects are supposed to be created and deleted, i.e, the lifecycle. In the OpenStack world, project is known as tenant.
Working with projects
Rather than adding yourself as a project admin for a project to visualize / work on it, add yourself as a domain admin:
$ sudo wmcs-openstack role add --user USERNAME --domain default --inherited admin
To see which projects you have a membership in see, https://openstack-browser.toolforge.org/user/USERNAME
Requests
Requests for new projects or for increased quotas on existing projects are made by users in Phabricator. These requests are reviewed and fulfilled by the current member on clinic duty.
Before fulfilling the request, please ask a different member of the team to leave a "+1" comment in the Phabricator task. In this way we make sure that at least two people in the team review each request.
Creating a new project
Prerequisites:
- Project names should be all lower case, if not some errors will happen when requesting the puppet certificate
- Project names should not contain dashes, as there is a bug that will prevent project names with dashes from using Object Storage.
- Users must have valid Developer accounts
- You have added the project to the list in Portal:Cloud VPS/Admin/Projects with the relevant contacts, tags, and link to the creation task.
Steps:
- Make sure the project name does not clash with an existing DNS record (phab:T360294):
cloudcontrol1005:~$ sudo wmcs-openstack recordset list --all-projects wmcloud.org. |grep {NEW_PROJECT_NAME}.wmcloud.org
- Make sure the users requesting the project exists in LDAP
cloudcontrol1005:~$ sudo wmcs-openstack user list | grep -i {USERNAME}
- Create the project (in this example, we are creating a project called newp). It is helpful to include the phabricator ticket of the project creation request.
cloudcumin1001:~$ sudo cookbook wmcs.vps.create_project --project newp --description "Description of the new project" --task-id TXXXXXX
- Modify initial quotas if required (see section below)
- Add initial users to roles:
$ sudo cookbook wmcs.vps.add_user_to_project --project newp --user requestinguser --as-member --task-id TXXXXXX
- Please make sure to instruct the user to join the cloud-announce mailing list.
Deleting a project
Project deletion tends to leave orphaned resources lying about. Eventually this should all be handled by Designate or Keystone hooks, but until then:
- Make sure there are no instances in the project. This can be done in Horizon or via the commandline:
$ sudo wmcs-openstack server list --project <project> $ sudo wmcs-openstack server delete <instance id>
- Note if a custom flavor is present (these should be standardized after September 2020), and remove if no longer used outside of project:
$ sudo wmcs-openstack flavor list $ sudo wmcs-openstack flavor delete <flavor name>
- Make sure the project is not configured for NFS: modules/cloudnfs/data/projects.yaml.
- Make sure there are no dns zones allocated to the project. This can be done in Horizon Here (Be sure to select the right project using the dropdown) or via the commandline:
$ sudo wmcs-openstack zone list --sudo-project-id <project> $ sudo wmcs-openstack zone delete --sudo-project-id <project> <zone id>
- Delete any proxies the project may have via Horizon. Be sure to select the right project using the dropdown
- Delete any prefix- or project-wide puppet configurations via Horizon Here and Here. Be sure to select the right project using the dropdown
- Utilizing horizon, confirm no project specific config, rules, or resources remain.
- Finally, delete the project using Horizon or the commandline. If using Horizon, set your current project to 'Admin' and then delete the project using the Identity->Projects panel:
$ sudo wmcs-openstack project delete <project>
- Remove the project from the list at Portal:Cloud VPS/Admin/Projects
Manage project access
Note that project access should usually be self-managed by project admins on Horizon. Be careful to avoid phishing attacks if you're adjusting them via the CLI tools! The following commands are recorded here for reference.
Add access
There are essentially two roles that are interesting most of the times: reader (lets the user SSH in to any instances) and member (lets the user manage project resources via Horizon). For more information, see: Help:Cloud services user roles and rights.
Using the preferred cookbook (defaults to reader role, add --as-member for member role):
cloudcumin1001:~$ sudo cookbook wmcs.vps.add_user_to_project \
--task-id sometask \
--project someproject \
--user someuser
Or, as a fallback, manually:
cloudcontrol1005:~$ sudo wmcs-openstack role add --project someproject --user someuser member
Listing users and roles for a project:
cloudcontrol1005:~$ sudo wmcs-openstack role assignment list --names --project someproject
Remove access
If you need to drop some user involvement with a project, using the preferred cookbook:
$ cookbook wmcs.vps.remove_user_from_project \
--cluster-name eqiad1 \
--task-id sometask \
--project someproject \
--user someuser
Or, as a fallback, manually:
$ sudo wmcs-openstack role assignment list --names --user someuser
:# OR
$ sudo wmcs-openstack role assignment list --names --project someproject
:# and then accordingly for all the roles
$ sudo wmcs-openstack role remove --user someuser --project someproject somerole
Modifying project quotas
You can use the following cookbook to increase a project's quotas:
dcaro@vulcanus$ cookbook wmcs.openstack.quota_increase -h
usage: cookbooks.wmcs.openstack.quota_increase [-h] [--project PROJECT] [--task-id TASK_ID] [--no-dologmsg] [--control-node-fqdn CONTROL_NODE_FQDN] [--gigabytes GIGABYTES] [--ram RAM] [--cores CORES] [--floating-ips FLOATING_IPS]
WMCS openstack - increase a project's quota by a given amount
Usage example: wmcs.openstack.quota_increase --project admin-monitoring --gigabytes 30G --instances 5
options:
-h, --help show this help message and exit
--project PROJECT Relevant Cloud VPS openstack project (for operations, dologmsg, etc). If this cookbook is for hardware, this only affects dologmsg calls. Default is 'admin'.
--task-id TASK_ID Id of the task related to this operation (ex. T123456). (default: None)
--no-dologmsg To disable dologmsg calls (no SAL messages on IRC). (default: False)
--control-node-fqdn CONTROL_NODE_FQDN
FQDN of the control node to orchestrate from. (default: cloudcontrol1003.wikimedia.org)
--gigabytes GIGABYTES
Amount to increase the cinder space by (in G, ex. 10G or 10). (default: None)
--ram RAM Amount to increase the ram by (in M or G, ex 10G, 250M, 250). (default: None)
--cores CORES Amount to increase the cores/vcpus by. (default: None)
--floating-ips FLOATING_IPS
Amount to increase the floating ips by. (default: None)
CPU, Memory, Storage
- CPU, Memory, Storage, and Instances can all be set as shown below.
$ sudo wmcs-openstack quota set --cores 26 --ram 36864 --gigabytes 320 --instances 8 videocuttool $ sudo wmcs-openstack quota show videocuttool +----------------------+-------------+ | Field | Value | +----------------------+-------------+ | backup-gigabytes | 1000 | | backups | 0 | | cores | 26 | | fixed-ips | -1 | | floating-ips | 0 | | gigabytes | 320 | | gigabytes_standard | -1 | | groups | 4 | | health_monitors | None | | injected-file-size | 10240 | | injected-files | 5 | | injected-path-size | 255 | | instances | 8 | | key-pairs | 100 | | l7_policies | None | | listeners | None | | load_balancers | None | | name | None | | networks | 100 | | per-volume-gigabytes | -1 | | pools | None | | ports | 500 | | project | videocuttool| | project_name | videocuttool| | properties | 128 | | ram | 36864 | | rbac_policies | 10 | | routers | 10 | | secgroup-rules | 100 | | secgroups | 40 | | server-group-members | 10 | | server-groups | 10 | | snapshots | 4 | | snapshots_standard | -1 | | subnet_pools | -1 | | subnets | 100 | | volumes | 8 | | volumes_standard | -1 | +----------------------+-------------+
Floating ip
- Set the number of floating ips
$ sudo wmcs-openstack quota set --floating-ips 1 devtools $ sudo wmcs-openstack quota show devtools +----------------------+----------+ | Field | Value | +----------------------+----------+ | cores | 16 | | fixed-ips | -1 | | floating-ips | 1 | | health_monitors | None | | injected-file-size | 10240 | | injected-files | 5 | | injected-path-size | 255 | | instances | 8 | | key-pairs | 100 | | l7_policies | None | | listeners | None | | load_balancers | None | | location | None | | name | None | | networks | 100 | | pools | None | | ports | 500 | | project | devtools | | project_name | devtools | | properties | 128 | | ram | 32768 | | rbac_policies | 10 | | routers | 10 | | secgroup-rules | 100 | | secgroups | 40 | | server-group-members | 10 | | server-groups | 10 | | subnet_pools | -1 | | subnets | 100 | +----------------------+----------+
Database / Trove
See Trove_quotas
swift / S3 / radosgw / object storage
For setting object storage quotas, use the radosgw-admin tool.
Check the user list:
user@cloudcontrol1005:~ $ sudo radosgw-admin user list
[
"cloudinfra$cloudinfra",
"integration$integration",
"mwstake$mwstake",
"deployment-prep$deployment-prep",
"automation-framework$automation-framework",
"wikiapiary$wikiapiary",
"language$language",
"wikisp$wikisp",
"foundationmemory$foundationmemory",
"[..]",
"analytics$analytics"
]
Check the quota for a given user:
user@cloudcontrol1005:~ $ sudo radosgw-admin user info --uid qrank\$qrank
{
"user_id": "qrank$qrank",
"display_name": "qrank",
"email": "",
"suspended": 0,
"max_buckets": 1000,
"subusers": [],
"keys": [],
"swift_keys": [],
"caps": [],
"op_mask": "read, write, delete",
"default_placement": "",
"default_storage_class": "",
"placement_tags": [],
"bucket_quota": {
"enabled": false,
"check_on_raw": false,
"max_size": -1,
"max_size_kb": 0,
"max_objects": -1
},
"user_quota": {
"enabled": true,
"check_on_raw": false,
"max_size": 8589934592,
"max_size_kb": 8388608,
"max_objects": 4096
},
"temp_url_keys": [],
"type": "keystone",
"mfa_ids": []
}
Check user stats (used quota):
user@cloudcontrol1005:~ $ sudo radosgw-admin user stats --uid qrank\$qrank
{
"stats": {
"size": 8622484329,
"size_actual": 8622555136,
"size_kb": 8420395,
"size_kb_actual": 8420464,
"num_objects": 39
},
"last_stats_sync": "2024-03-14T15:35:48.996432Z",
"last_stats_update": "2024-03-15T07:25:32.330966Z"
}
Finally, modify quotas:
user@cloudcontrol1005:~ $ sudo radosgw-admin quota set --quota-scope=user --uid=qrank\$qrank --max-size=20G
See also upstream docs: https://docs.ceph.com/en/latest/radosgw/admin/#quota-management
History
In previous versions of Cloud VPS, the project lifecycle was handled via Wikitech itself, with some custom MediaWiki plugins to hook into the Openstack API. This was eventually replaced by Horizon, which can handle all the operations by itself.