Portal:Cloud VPS/Admin/Testing deployment

From Wikitech

This page describes the testing deployment for Cloud VPS, which consists of an OpenStack deployment currently called codfw1dev.

Infrastructure

See Portal:Cloud_VPS/Admin/Deployments for server allocations

Specific links:

How to join this deployment for the first time

Account creation is disabled in labtestwikitech by default, to prevent random people from playing in the wiki. To briefly enable account creation, change the boolean permission in the settings. The change takes effect as soon as the file is written; there is no need to restart any service. Make sure the permission is true for as short a time as possible.

root@cloudweb2002-dev:~# nano /srv/mediawiki/wmf-config/CommonSettings.php
[..]
        if ( $wgDBname === 'labtestwiki' ) {
                # We don't want random strangers playing on this wiki
                $wgGroupPermissions['*']['createaccount'] = false;
        }
[..]
  • Enable 2FA
  • Get your account added to some random project. Otherwise Horizon won't let you past the login page.
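
Because the flag is meant to be true only briefly, it is worth confirming afterwards that it was set back. The following is an added example, not part of the original page or of Wikimedia's tooling: the function names check_createaccount and write_sample are hypothetical, and the sample file is constructed from the excerpt above.

```shell
#!/bin/sh
# Added example: report whether anonymous account creation is currently open
# for labtestwiki in a CommonSettings.php-style file.

# check_createaccount FILE -> prints closed|OPEN|unknown, exit status 0|1|2
check_createaccount() {
    awk '
        { sub(/^[ \t]*(#|\/\/).*/, "") }        # ignore commented-out lines
        /\$wgDBname[ \t]*===[ \t]*.labtestwiki./ { in_block = 1; next }
        in_block && /^[ \t]*[}]/ { in_block = 0 }
        in_block && /\$wgGroupPermissions\[.\*.\]\[.createaccount.\]/ {
            v = tolower($0)
            if (v ~ /=[ \t]*true[ \t]*;/)       state = "OPEN"
            else if (v ~ /=[ \t]*false[ \t]*;/) state = "closed"
        }
        END {
            if (state == "") { print "unknown"; exit 2 }
            print state
            exit (state == "OPEN" ? 1 : 0)
        }
    ' "$1"
}

# write_sample VALUE FILE: constructed sample modelled on the excerpt above.
write_sample() {
    cat > "$2" <<EOF
<?php
if ( \$wgDBname === 'labtestwiki' ) {
        # We don't want random strangers playing on this wiki
        # \$wgGroupPermissions['*']['createaccount'] = true;
        \$wgGroupPermissions['*']['createaccount'] = $1;
}
\$wgGroupPermissions['*']['createaccount'] = true; // constructed line outside the block
EOF
}

# Demo on the constructed sample; on the host, pass the real settings path.
sample=$(mktemp)
write_sample false "$sample"
echo "sample with false: $(check_createaccount "$sample")"
write_sample true "$sample"
echo "sample with true:  $(check_createaccount "$sample")"
rm -f "$sample"
```

The non-zero exit status for OPEN makes the function usable from a cron job or monitoring check that alerts when the window was left open.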

2FA Reset

If you need to reset your 2FA, try this:

user@cloudweb2002-dev:~$ mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=labtestwiki SomeUser
OATHAuth disabled for SomeUser.

SSH access

Something like this is needed in your personal ssh config:

Host *.wmcloud.org
    User mycodfw1devuser
    IdentityFile ~/.ssh/wmf_cloud_user_codfw1dev
    IdentitiesOnly yes
    ForwardAgent no
    IdentityAgent /run/user/1000/ssh-wmf-cloud-codfw1dev.socket
    AddKeysToAgent yes

Match user root host *.wikimedia.cloud
    User root
    IdentityFile ~/.ssh/wmf_cloud_root_codfw1dev
    IdentitiesOnly yes
    ForwardAgent no
    IdentityAgent /run/user/1000/ssh-wmf-cloud-codfw1dev-root.socket
    AddKeysToAgent yes

Host *.wikimedia.cloud
    User mycodfw1devuser
    IdentityFile ~/.ssh/wmf_cloud_user_codfw1dev
    IdentitiesOnly yes
    ForwardAgent no
    IdentityAgent /run/user/1000/ssh-wmf-cloud-codfw1dev.socket
    AddKeysToAgent yes
    
Host *.codfw1dev.wikimedia.cloud
    ProxyCommand ssh -a -W %h:%p mycodfw1devuser@bastion.bastioninfra-codfw1dev.codfw1dev.wmcloud.org

The config uses IdentityAgent to avoid typing the key password over and over again.

If you have your SSH keys correctly set in your account (in LDAP/labtestwikitech), then you can use ssh as in eqiad1:

user@laptop:~$ ssh root@cloudinfra-internal-puppetmaster-01.cloudinfra-codfw1dev.codfw1dev.wikimedia.cloud
[.. works ..]
user@laptop:~$ ssh cloudinfra-internal-puppetmaster-01.cloudinfra-codfw1dev.codfw1dev.wikimedia.cloud
[.. works ..]

LDAP

The LDAP server for codfw1dev is on cloudservices2002-dev.wikimedia.org (as of 2021-09-27).

Raw interactions with the LDAP tree are a bit different than described at SRE/LDAP because most of the wrappers and pre-made configs aren't there.

For reference, here is an example of a raw search:

root@cloudservices2002-dev:~# ldapsearch -x uid=manila-srv
dn: uid=manila-srv,ou=people,dc=wikimedia,dc=org
uid: manila-srv
sn: Manila
cn: Manila
objectClass: inetOrgPerson
objectClass: person
objectClass: ldapPublicKey
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 14023
gidNumber: 500
homeDirectory: /home/manila
loginShell: /bin/bash
mail: root@wmcloud.org

Example of renaming an entry. First get the admin password on a control server (or from a puppetmaster private repo):

root@cloudcontrol2001-dev:~# grep OS_PASSWORD /etc/novaadmin.yaml 
OS_PASSWORD: "password"

Then use it when prompted like this:

root@cloudservices2002-dev:~# cat file.ldif 
dn: uid=manila,ou=people,dc=wikimedia,dc=org
changetype: modrdn
newrdn: uid=manila-srv
deleteoldrdn: 1

root@cloudservices2002-dev:~# ldapmodify -x -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' -W -f file.ldif 
Enter LDAP Password: 
modifying rdn of entry "uid=manila,ou=people,dc=wikimedia,dc=org"

More information about raw operations can be found online.