Page MenuHomePhabricator
Create Task
Maniphest T131796

Convert most top level tool and bastion dns records to CNAMEs
Closed, ResolvedPublic
Actions

Description

Since the switch to Horizon, project admins can only easily manipulate records under *.<projectname>.wmflabs.org rather than just *.wmflabs.org. The latter is in a special org that requires commandline access on labcontrol1001 to manipulate. This makes it unusable for tools admins.

Solution:

  1. Deprecate use of tools-login.wmflabs.org, tools-dev.wmflabs.org, switch to login.tools.wmflabs.org and dev.tools.wmflabs.org
  2. Find other things that need deprecation, and deprecate them in all our docs as well
  3. Set them to be CNAMEs - so tools-login.wmflabs.org points to login.tools.wmflabs.org, etc. This way, projectadmins can control which target IP the target hostname points to.

We should probably do this for the tools proxy as well (at tools.wmflabs.org -> proxy.tools.wmflabs.org), but need to investigate possible performance implications of CNAMEs for web requests.

Details

SubjectRepoBranchLines +/-
tools: s/tools-checker.wmflabs.org/checker.tools.wmflabs.org/operations/puppetproduction+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

yuvipanda created this task.Apr 4 2016, 7:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 4 2016, 7:56 PM
chasemp triaged this task as High priority.Apr 4 2016, 7:56 PM
yuvipanda added a comment.Apr 4 2016, 8:00 PM

Tools domains this applies to:

  1. tools.wmflabs.org
  2. tools-login.wmflabs.org
  3. tools-static.wmflabs.org
  4. tools-dev.wmflabs.org
  5. tools-trusty.wmflabs.org
Andrew subscribed.Apr 4 2016, 8:01 PM

Using cnames sounds like a great solution. I'm making two changes to the bug title

  • Adding bastions, as that's the same problem
  • changing 'domain' to 'record' because I'm trying to train people to be pedantic about using the same distinction that designate/horizon uses.
Andrew renamed this task from Convert most top level tools domains to CNAMEs to Convert most top level tool and bastion dns redcords to CNAMEs.Apr 4 2016, 8:01 PM
yuvipanda claimed this task.Apr 8 2016, 9:27 PM

I just tested it, and it works. Going to convert a bunch of 'em now.

yuvipanda added a comment.Apr 8 2016, 9:53 PM

I have cleaned up some bastion-* that were pointing to things redundantly.

yuvipanda added a comment.Apr 8 2016, 10:00 PM

There's only three bastion domains left:

  1. bastion.wmflabs.org
  2. bastion2.wmflabs.org
  3. bastion-restricted.wmflabs.org

These should CNAME to primary.bastion.wmflabs.org, secondary.bastion.wmflabs.org and restricted.bastion.wmflabs.org once those three exist.

yuvipanda reassigned this task from yuvipanda to Andrew.Apr 8 2016, 10:27 PM

After talking with @Andrew, this requires the following steps:

  1. Remove current bastion.wmflabs.org record from wmflabsdotorg project
  2. Create a bastion.wmflabs.org domain in the bastion project
  3. Add an A Record to it, pointing it to the same place it's pointing at

I think we can kill bastion2 and bastion-restricted - only ops uses the latter, and I'll send out a deprecation notice soon.

yuvipanda closed this task as Resolved.Apr 8 2016, 10:45 PM
yuvipanda claimed this task.

Ok, andrew has setup the changes. I've sent out email about bastion-restricted being deprecated to the ops list. I've also created primary.bastion.wmflabs.org and secondary.bastion.wmflabs.org.

I'm going to update docs to point directly at these.

yuvipanda reopened this task as Open.Apr 8 2016, 10:47 PM
yuvipanda added a comment.Apr 8 2016, 11:11 PM

It turns out you can't CNAME bastion.wmflabs.org while having A records for subdomains, so we'll leave it as is for now. We'll email about the change from bastion.wmflabs.org to primary.bastion.wmflabs.org along with tools bastion changes if/when they happen.

yuvipanda added a comment.Apr 8 2016, 11:40 PM

List of domains leftover on wmflabsdotorg:

huggle-rc.wmflabs.org.
tools-checker.wmflabs.org.
tools-bastion-mtemp.wmflabs.org.
tools-dev.wmflabs.org.
tools-trusty.wmflabs.org.
bastion-restricted.wmflabs.org.
tools-static.wmflabs.org.
beta.wmflabs.org.
telnet.wmflabs.org.
tools-login.wmflabs.org.

We can convert tools-checker to checker.tools.wmflabs.org, and delete mtemp bastion at some point. Rest can probably be CNAME'd.

yuvipanda added a comment.Apr 8 2016, 11:41 PM

That was after I deleted a bunch of domains - mwds-proxy (mwds is long over), matterirc (RIP) and tools-docker-registry.wmflabs.org (is docker-registry.tools.wmflabs.org)

gerritbot subscribed.Apr 8 2016, 11:52 PM

Change 282442 had a related patch set uploaded (by Yuvipanda):
tools: s/tools-checker.wmflabs.org/checker.tools.wmflabs.org/

https://gerrit.wikimedia.org/r/282442

gerritbot added a project: Patch-For-Review.Apr 8 2016, 11:52 PM
gerritbot added a comment.Apr 8 2016, 11:54 PM

Change 282442 merged by Yuvipanda:
tools: s/tools-checker.wmflabs.org/checker.tools.wmflabs.org/

https://gerrit.wikimedia.org/r/282442

yuvipanda created subtask T132233: Make catchpoint hit checker.tools.wmflabs.org not tools-checker.wmflabs.org.Apr 8 2016, 11:55 PM
yuvipanda removed yuvipanda as the assignee of this task.Apr 18 2016, 11:40 PM

Uh, should do another round later.

AlexMonk-WMF subscribed.EditedJul 23 2016, 2:22 PM

The latter is in a special org that requires commandline access on labcontrol1001 to manipulate. This makes it unusable for tools admins.

Actually *.wmflabs.org domains can be administered through horizon by administrators of the 'wmflabsdotorg' project.

AlexMonk-WMF added a comment.EditedAug 4 2016, 12:21 AM

@Andrew, @yuvipanda: I suggest that, instead of doing this, we briefly remove the records, create domains for each, recreate the records, and then transfer the domains out of wmflabsdotorg into the appropriate projects. And in future, create domains for people (and transfer the domains to the appropriate projects) instead of putting records directly under wmflabs.org where only small number of administrators can do anything. I'd also prefer to move the proxy system towards making domains and transferring them instead of maintaining records under wmflabs.org.

(With your approval I'll go ahead and do that)

AlexMonk-WMF added a comment.Aug 4 2016, 12:25 AM

Proposed new domains and owning project:

  • huggle-rc.wmflabs.org - huggle
  • tools-checker.wmflabs.org - tools
  • tools-dev.wmflabs.org - tools
  • tools-login.wmflabs.org - tools
  • tools-trusty.wmflabs.org - tools
  • tools-static.wmflabs.org - tools
  • beta.wmflabs.org - deployment-prep
  • bastion-restricted.wmflabs.org - bastion
  • bastion-eqiad.wmflabs.org - bastion (CNAME to bastion.wmflabs.org)
tom29739 renamed this task from Convert most top level tool and bastion dns redcords to CNAMEs to Convert most top level tool and bastion dns records to CNAMEs.Aug 4 2016, 12:51 AM
tom29739 updated the task description. (Show Details)
tom29739 subscribed.
scfc removed a project: Patch-For-Review.Nov 27 2016, 12:36 AM
scfc moved this task from Backlog to Ready to be worked on on the Toolforge board.
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:43 PM
GTirloni closed subtask T132233: Make catchpoint hit checker.tools.wmflabs.org not tools-checker.wmflabs.org as Declined.Mar 22 2019, 1:56 PM
Krenair subscribed.Sep 26 2019, 12:05 AM
dcaro closed this task as Resolved.Jan 24 2024, 1:33 PM
dcaro claimed this task.
Restricted Application added a comment. · View Herald TranscriptJan 24 2024, 1:33 PM

The Cloud-Services project tag is not intended to have any tasks. Please check the list on https://phabricator.wikimedia.org/project/profile/832/ and replace it with a more specific project tag to this task. Thanks!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits