Proxy access to cluster

From Wikitech
Jump to: navigation, search

Presently we do not have any kind of VPN access to our cluster (or labs). The preferred method by many Ops folks for accessing the web interfaces on these is via SSH -D option and FoxyProxy.

This document will outline how to setup this method of access. This method uses Firefox and the FoxyProxy addon linked above.

  • Install FireFox and FoxyProxy.
  • Download the FoxyProxy ruleset here.
  • In FoxyProxy settings, alternate click in the main window and select Import, then choose the wmf_foxyproxy_settings file you just downloaded.
  • Setup your SSH -D sessions.
  • You will need a session for each cluster you wish to access: production needs a connection, labs needs a connection
  • It is suggested you load up a screen session, create two new windows, and load each SSH session into its own window. To do this run the following in terminal:
 screen
 ssh-add <path to your key for main cluster>
 ssh bast1001.wikimedia.org -D 8080 # or another bastion
 # Ctrl+a c (creates new screen window)
 ssh-add <path to your key for labs>
 ssh primary.bastion.wmflabs.org -D 8081 # or restricted.bastion for ops
 # Ctrl+a d (disconnects you from the screen sessions, allowing you to close or otherwise use terminal)
  • Now when you load up the url patterns in the FoxyProxy settings, it will direct those URLs via your SSH tunnel to the correct cluster over the specified ports.
  • Please note that if you use OS X, you may want to 'exec ssh-agent bash' in your terminal screen sessions before adding your ssh key to ensure they are independently keyed and not shared across sessions.

The FoxyProxy URL patterns are listed below for ease of use, some are inclusive of others, but FoxyProxy in the past had some odd issues with them, so I find it best to just leave them all in the individual rulesets to eliminate potential issues.

Some of the patterns I use are inclusive of the others, mostly because I happened to setup mgmt and didn't bother with non-mgmt for awhile. So you could always clean it up and remove the stuff that is duplication due to pattern matching:

eqiad mgmt = *.mgmt.eqiad.wmnet*
eqiad local = *.eqiad.wmnet*
esams mgmt = *.mgmt.esams.wmnet*
esams local = *.esams.wmnet*
codfw mgmt = *.mgmt.codfw.wmnet*
codfw local = *.codfw.wmnet*
ulsfo mgmt = *.mgmt.ulsfo.wmnet*
ulsfo local = *.ulsfo.wmnet*
labs = *.eqiad.wmflabs*