
Convert most top level tool and bastion dns records to CNAMEs
Open, High, Public

Description

Since the switch to Horizon, project admins can only easily manipulate records under *.<projectname>.wmflabs.org rather than just *.wmflabs.org. The latter is in a special org that requires commandline access on labcontrol1001 to manipulate. This makes it unusable for tools admins.

Solution:

  1. Deprecate use of tools-login.wmflabs.org, tools-dev.wmflabs.org, switch to login.tools.wmflabs.org and dev.tools.wmflabs.org
  2. Find other things that need deprecation, and deprecate them in all our docs as well
  3. Set them to be CNAMEs - so tools-login.wmflabs.org points to login.tools.wmflabs.org, etc. This way, project admins can control which target IP the target hostname points to.

We should probably do this for the tools proxy as well (at tools.wmflabs.org -> proxy.tools.wmflabs.org), but need to investigate possible performance implications of CNAMEs for web requests.
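
An added example (not part of the original task or of any Wikimedia tooling): a small audit that checks a record dump against the legacy-to-target pairs named above, flagging names that are not yet CNAMEs, CNAMEs whose target has no address record, and the standard DNS rule that a CNAME cannot share its owner name with other records. The record data and IP addresses are constructed for illustration.

```python
# Added example: audit the legacy -> project-owned CNAME migration.
# All records below are constructed (documentation IPs from RFC 5737).

# Legacy name -> intended target, using the pairs named in the task.
EXPECTED = {
    "tools-login.wmflabs.org.": "login.tools.wmflabs.org.",
    "tools-dev.wmflabs.org.": "dev.tools.wmflabs.org.",
    "tools.wmflabs.org.": "proxy.tools.wmflabs.org.",
}

# Constructed sample records: (owner, type, rdata).
SAMPLE = [
    ("tools-login.wmflabs.org.", "CNAME", "login.tools.wmflabs.org."),
    ("login.tools.wmflabs.org.", "A", "192.0.2.10"),
    ("tools-dev.wmflabs.org.", "CNAME", "dev.tools.wmflabs.org."),  # target missing
    ("tools.wmflabs.org.", "A", "192.0.2.20"),                      # not converted
    ("proxy.tools.wmflabs.org.", "A", "192.0.2.20"),
]

def norm(name):
    """Lower-case and fully qualify a name so comparisons are exact."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def audit(records, expected):
    """Return a sorted list of (name, problem) findings."""
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(norm(owner), []).append((rtype.upper(), rdata))
    findings = []
    # DNS rule: a CNAME cannot share its owner name with other record data.
    for owner, rrs in by_owner.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types and (len(types) > 1 or len(rrs) > 1):
            findings.append((owner, "CNAME coexists with other records"))
    for legacy, target in expected.items():
        legacy, target = norm(legacy), norm(target)
        cnames = [norm(d) for t, d in by_owner.get(legacy, []) if t == "CNAME"]
        if not cnames:
            findings.append((legacy, "not a CNAME"))
        elif cnames != [target]:
            findings.append((legacy, "CNAME points to unexpected target"))
        # A CNAME whose target has no address record is dangling.
        if not any(t in ("A", "AAAA") for t, _ in by_owner.get(target, [])):
            findings.append((target, "target has no A/AAAA record"))
    return sorted(findings)

if __name__ == "__main__":
    for name, problem in audit(SAMPLE, EXPECTED):
        print(f"{name}: {problem}")
```
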

Event Timeline

Restricted Application added a subscriber: Aklapper. Apr 4 2016, 7:56 PM
chasemp triaged this task as High priority. Apr 4 2016, 7:56 PM

Tools domains this applies to:

  1. tools.wmflabs.org
  2. tools-login.wmflabs.org
  3. tools-static.wmflabs.org
  4. tools-dev.wmflabs.org
  5. tools-trusty.wmflabs.org
Andrew added a subscriber: Andrew. Apr 4 2016, 8:01 PM

Using CNAMEs sounds like a great solution. I'm making two changes to the bug title:

  • Adding bastions, as that's the same problem
  • Changing 'domain' to 'record' because I'm trying to train people to be pedantic about using the same distinction that designate/horizon uses.
Andrew renamed this task from Convert most top level tools domains to CNAMEs to Convert most top level tool and bastion dns redcords to CNAMEs. Apr 4 2016, 8:01 PM

I just tested it, and it works. Going to convert a bunch of 'em now.

I have cleaned up some bastion-* that were pointing to things redundantly.

There are only three bastion domains left:

  1. bastion.wmflabs.org
  2. bastion2.wmflabs.org
  3. bastion-restricted.wmflabs.org

These should CNAME to primary.bastion.wmflabs.org, secondary.bastion.wmflabs.org and restricted.bastion.wmflabs.org once those three exist.

After talking with @Andrew, this requires the following steps:

  1. Remove current bastion.wmflabs.org record from wmflabsdotorg project
  2. Create a bastion.wmflabs.org domain in the bastion project
  3. Add an A Record to it, pointing it to the same place it's pointing at

I think we can kill bastion2 and bastion-restricted - only ops uses the latter, and I'll send out a deprecation notice soon.

yuvipanda closed this task as Resolved. Apr 8 2016, 10:45 PM
yuvipanda claimed this task.

OK, Andrew has set up the changes. I've sent out email about bastion-restricted being deprecated to the ops list. I've also created primary.bastion.wmflabs.org and secondary.bastion.wmflabs.org.

I'm going to update docs to point directly at these.

yuvipanda reopened this task as Open. Apr 8 2016, 10:47 PM

It turns out you can't CNAME bastion.wmflabs.org while having A records for subdomains, so we'll leave it as is for now. We'll email about the change from bastion.wmflabs.org to primary.bastion.wmflabs.org along with tools bastion changes if/when they happen.

List of domains leftover on wmflabsdotorg:

huggle-rc.wmflabs.org.
tools-checker.wmflabs.org.
tools-bastion-mtemp.wmflabs.org.
tools-dev.wmflabs.org.
tools-trusty.wmflabs.org.
bastion-restricted.wmflabs.org.
tools-static.wmflabs.org.
beta.wmflabs.org.
telnet.wmflabs.org.
tools-login.wmflabs.org.

We can convert tools-checker to checker.tools.wmflabs.org, and delete mtemp bastion at some point. Rest can probably be CNAME'd.

That was after I deleted a bunch of domains - mwds-proxy (mwds is long over), matterirc (RIP) and tools-docker-registry.wmflabs.org (is docker-registry.tools.wmflabs.org).

Change 282442 had a related patch set uploaded (by Yuvipanda):
tools: s/tools-checker.wmflabs.org/checker.tools.wmflabs.org/

https://gerrit.wikimedia.org/r/282442

Change 282442 merged by Yuvipanda:
tools: s/tools-checker.wmflabs.org/checker.tools.wmflabs.org/

https://gerrit.wikimedia.org/r/282442

yuvipanda removed yuvipanda as the assignee of this task. Apr 18 2016, 11:40 PM

Uh, should do another round later.

"The latter is in a special org that requires commandline access on labcontrol1001 to manipulate. This makes it unusable for tools admins."

Actually, *.wmflabs.org domains can be administered through Horizon by administrators of the 'wmflabsdotorg' project.

AlexMonk-WMF added a comment. Edited Aug 4 2016, 12:21 AM

@Andrew, @yuvipanda: I suggest that, instead of doing this, we briefly remove the records, create domains for each, recreate the records, and then transfer the domains out of wmflabsdotorg into the appropriate projects. And in future, create domains for people (and transfer the domains to the appropriate projects) instead of putting records directly under wmflabs.org where only a small number of administrators can do anything. I'd also prefer to move the proxy system towards making domains and transferring them instead of maintaining records under wmflabs.org.

(With your approval I'll go ahead and do that)

Proposed new domains and owning project:

  • huggle-rc.wmflabs.org - huggle
  • tools-checker.wmflabs.org - tools
  • tools-dev.wmflabs.org - tools
  • tools-login.wmflabs.org - tools
  • tools-trusty.wmflabs.org - tools
  • tools-static.wmflabs.org - tools
  • beta.wmflabs.org - deployment-prep
  • bastion-restricted.wmflabs.org - bastion
  • bastion-eqiad.wmflabs.org - bastion (CNAME to bastion.wmflabs.org)
tom29739 renamed this task from Convert most top level tool and bastion dns redcords to CNAMEs to Convert most top level tool and bastion dns records to CNAMEs. Aug 4 2016, 12:51 AM
tom29739 updated the task description.
tom29739 added a subscriber: tom29739.
scfc moved this task from Triage to Backlog on the Toolforge board.