Page MenuHomePhabricator

migrate policy.wikimedia.org from WMF cluster to Wordpress
Closed, ResolvedPublic

Description

This is the tracking task for @Slaporte's migration of policy.wikimedia.org from our cluster.

There are a few outstanding issues that have to be addressed before we should move forward:

  • T97329 is the setup of this site on our cluster.
    • It is months old, with no updates from Legal about questions addressed on that task.
    • Where is the content? Will any content on our cluster need to be migrated or maintained by operations?
    • If there is no content, we'll simply roll back out all the cluster configuarion that Daniel has previously done to support T97329 and resolve the old task.
  • DNS will need to change, please provide the wordpress server to point the DNS entry for policy.wikimedia.org towards. Please note we cannot assume this is the same as blog, this has to be confirmed with whoever is implementing the policy.wikimedia.org WP installation.
  • Bromine will have to have the configuration for this site removed.
  • removal of puppet configuration role::policysite
  • Items we need from @Slaporte/WP implementation
    • Timeline to change
      • Can this go as soon as the certificates are purchased?
      • Do we need to migrate any data?
      • Will the policy.wikimedia.org certificate cost be coming out of your departments budget? The current implementation uses our cluster wildcard, so there was no added certificate cost. We cannot share this wildcard with a third party vendor, so someone has to take the certificate cost onto their budget.

Event Timeline

RobH created this task.Aug 25 2015, 4:55 PM
RobH assigned this task to Slaporte.
RobH raised the priority of this task from to Medium.
RobH updated the task description. (Show Details)
RobH added a project: acl*sre-team.
RobH added subscribers: RobH, Yana, BBlack and 5 others.

I've added the two associated tasks as blocked by this one.

T97329 - initial setup task of policy.wikimedia.org, still not resolved
T110197 - request for certificate purchase (which has questions on this task that need to be addressed.)

Where is the content? Will any content on our cluster need to be migrated or maintained by operations?

No need to migrate any content. It's a new site under development.

DNS will need to change, please provide the wordpress server to point the DNS entry for policy.wikimedia.org towards.

I'll get back to you on this point. Does this block setting up the SSL certificate?

Timeline to change

The timeline for the site is the first week of September.

Do we need to migrate any data?

No.

Will the policy.wikimedia.org certificate cost be coming out of your departments budget? The current implementation uses our cluster wildcard, so there was no added certificate cost. We cannot share this wildcard with a third party vendor, so someone has to take the certificate cost onto their budget.

I'll follow up via email to clarify the budget.

Dzahn added a comment.Aug 25 2015, 5:11 PM

No need to migrate any content. It's a new site under development.

Well, we were told back in April it's gonna be static HTML content and since then we've been waiting to upload that. So at some point that has to be created?

The timeline for the site is the first week of September.

That's ambitious given that there is no content yet, it's not clear where it's hosted and whether we can support giving an SSL cert to a third party. We had asked for updates on this but have not received any until today.

No need to migrate any content. It's a new site under development.

Well, we were told back in April it's gonna be static HTML content and since then we've been waiting to upload that. So at some point that has to be created?

Apologies again for the confusion on this point. The site will be hosted on WordPress, so we have no static HTML content to migrate.

RobH added a comment.Aug 25 2015, 8:38 PM

@Slaporte has emailed me out of band for the discussion of the actual USD cost of the SSL certificate T110197.

So we know the following:

  • no data to migrate
  • legal will cover the cost of the ssl certificate
    • certificate will be a single ssl certificate/key (I'll generate the key) which once issued we can hand off to WordPress.

Things we need from @Slaporte/Wordpress:

  • Wordpress needs to provide a sercure drop box or server to upload the key file & certificate onto. THIS CANNOT BE VIA EMAIL.
    • The certificate doesn't need to be secure, but the key file does.
  • Wordpress needs to provide the IP address to forward all DNS requests for policy.wikimedia.org towards.
  • When can Wikimedia flip the switch to point @ wordpress? Right now we host a landing page, which is better than nothing.
    • I assume we don't want to flip to wordpress until they have things configured on their end, but since we aren't giving much useful info on our end it may not matter.
RobH added a comment.Aug 25 2015, 8:45 PM

Additionally, I've changed the TTL on the DNS entry for policy.wikimedia.org from 1 hour to 5 minutes. This will take up to an hour to propagate across the web, but once that is done any future IP change (to say, Wordpress) will take 5 minutes, not an hour to spread.

Once we've fully migrated to wordpress (and all dns records are updated), we can change the TTL back to an hour.

https://gerrit.wikimedia.org/r/#/c/233837/

RobH added a comment.Aug 26 2015, 8:52 PM

I've gotten the approvals for the certificate from @Slaporte and my out of band email discussion.

Additionally, WordPress support is now contacting me via email for the support of the migration, which has a target date of this Friday, 2015-08-28. The IP address that policy.wikimedia.org would then A record to is 192.0.66.2. However, the blog uses a cname to wikimediablog.wordpress.com, so I have a question back to them about that for clarification.

I've also requested they advise how they would prefer we securely transfer the key to them.

RobH added a comment.Aug 26 2015, 9:24 PM

Simon with WP support is advising he can do a skype session to personally ID his key. Since I don't really know him outside of the WP ticketing system, I requested info if his gpg public key is signed on any keyservers.

If it is (and tied to his corporate email), then we can confirm his identity and encrypt the policy.wikimedia.org.key (not yet generated, I'll do it when I place the order for the certificate shortly) and send it into the WP ticketing system without incident.

Aside comment about blog.w.o: Of course, we provided blog.wikimedia.org.key to the third party contractors doing the redesign. No clue how they securely gave it to WP (likey via insecure FTP but who knows.)

RobH claimed this task.Aug 27 2015, 3:38 PM
RobH added a comment.Aug 27 2015, 3:46 PM

https://gerrit.wikimedia.org/r/#/c/234296/ is the DNS change to move policy.wikimedia.org from a CNAME to our misc-web cluster to an A record on Wordpress side. I double-checked with them that this needs an A record, as our blog uses a cname to go to them (they advised blog is on a different cluster, so different routing for their dns, which sounds odd, so I'll just outline it here.)

RobH added a comment.Aug 27 2015, 4:01 PM

The certificate has been ordered, and the key put into our private repo.

RobH added a comment.Aug 27 2015, 8:48 PM

The certificate has been provided to Simon with WordPress support.

Additionally, the public key he provided today appears to be an SSH key, not a GPG key. I've requested that he correct and provide a GPG key to encrypt the policy.wikimedia.org.key file for email.

RobH added a comment.Aug 28 2015, 3:31 PM

I've had the questions back to Simon/Wordpress support now for over 24 hours, and no reply back advising how to send them the policy.wikimedia.org.key file securely. So far, I've suggested they provide a GPG public key of one of their support personnel (requesting that said key also have some kind of singing by third parties to verify identity) or providing a private server destination that we can SCP the file into. Simon provided me a public key file, but it was an SSH pub key file, not a GPG pub key file.

The email thread with support stressed that this had to be done by this Friday (This deadline was set by @Slaporte & Wordpress support.) While I've done everything needed on the WMF side for this migration, it may not be done today if not handled soon. (Simon@Wordpress advised he works in the UK timezone.)

RobH added a comment.Aug 31 2015, 8:49 PM

I've emailed back into the WordPress support thread and CC'd @Slaporte with the update. The email content is below:

Mark/Simon/Support,

Ok guys, I've attached the policy.wikimedia.org.key.gpg for Simon to decrypt with his GPG key. I'll note that I'm sending this with some degree of reservation.

I requested that Simon or someone @ Wordpress provide a GPG key that has been signed by third parties. (Example: My GPG key has been signed by multiple co-workers, so there is a larger web of trust to prove my identidy.) Simon's key is presumably his, as it was attached in an email from this ticketing system and referred to directly. However, at no point does Simon even list off his key fingerprint in the body of the email, it is simply a link to https://pgp.mit.edu/pks/lookup?search=simon.wheatley%40automattic.com&op=index which is simply a key search for his email address.

Nothing stops some third party from making this key and pretending to be Simon. They don't need his email address to create it. The key has no third party signers. So the ONLY affirmative we have that the key belongs to Simon, and that Simon on this email is who he says he is, is the email itself. (This is not a good practice.)

This is likely enough, but I'd like Simon to confirm back via email that his key fingerprint is indeed 7C0C DF69 1AB2 FE7C 4AD1 A533 AA89 78C8 9AE7 1367.

We are ready to move DNS to point at your cluster whenever you guys (Wordpress) give the word.

Slaporte closed this task as Resolved.Sep 3 2015, 12:30 AM

This is all set up: policy.wikimedia.org

Thanks for the awesome quick work, @RobH!

Change 235673 had a related patch set uploaded (by Dzahn):
policy.wikimedia: remove puppetization

https://gerrit.wikimedia.org/r/235673

Dzahn added a comment.EditedSep 3 2015, 5:40 AM

@RobH ^ the decom part (from T97329#1573134) is still open. i uploaded a patch to remove all the config from our servers again

Change 235673 merged by Dzahn:
policy.wikimedia: remove puppetization

https://gerrit.wikimedia.org/r/235673

RobH mentioned this in Unknown Object (Task).Jul 13 2016, 4:49 PM