
wikimedia.cloud: setup new domain
Closed, Resolved, Public

Description

Quoting @bd808 :

The whois for wikimedia.cloud shows the current top level NS being pointed
to ns{1,2,3}.wikimedia.org, so getting the basics for it going in
Designate should be something like:

* Create 'eqiad1.wikimedia.cloud.' zone in eqiad1's Designate
* Create 'wikimedia.cloud.' zone in operations/dns.git
* Delegate NS for 'eqiad1.wikimedia.cloud.' to cloud-ns{0,1}.wikimedia.org in operations/dns.git
* Repeat the Designate and delegation steps for 'codfw1dev.wikimedia.cloud.'

And the whois:

$ whois wikimedia.cloud | grep "Name Server"
Name Server: ns1.wikimedia.org
Name Server: ns2.wikimedia.org
Name Server: ns0.wikimedia.org

Our domain name plans: https://wikitech.wikimedia.org/wiki/Wikimedia_Cloud_Services_team/EnhancementProposals/DNS_domain_usage#Resolution
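
An added example, not part of the task or of operations/dns.git: a Python check that a parent zone delegates each child zone to exactly the expected name servers, so a missing or unexpected NS record is caught before the zone ships. The zone fragment, its TTLs and the use of cloud-ns{0,1} for codfw1dev are constructed assumptions.

```python
# Constructed sample, not the real operations/dns.git zone file.
# Assumption: codfw1dev is delegated to the same cloud-ns servers as eqiad1.
SAMPLE_ZONE = """\
$ORIGIN wikimedia.cloud.
@          1H IN NS ns0.wikimedia.org.
@          1H IN NS ns1.wikimedia.org.
@          1H IN NS ns2.wikimedia.org.
eqiad1     1H IN NS cloud-ns0.wikimedia.org.
           1H IN NS cloud-ns1.wikimedia.org.
codfw1dev  1H IN NS cloud-ns0.wikimedia.org.
codfw1dev  1H IN NS cloud-ns1.wikimedia.org.
"""
CLOUD_NS = {"cloud-ns0.wikimedia.org.", "cloud-ns1.wikimedia.org."}
EXPECTED = {f"{z}.wikimedia.cloud.": CLOUD_NS for z in ("eqiad1", "codfw1dev")}

def fqdn(name, origin):
    """Expand '@' and relative names against the current $ORIGIN."""
    name = origin if name == "@" else name
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse_ns(zone_text):
    """Return {owner: set of NS targets} from a simple master-format zone."""
    origin, owner, found = ".", None, {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if not raw[0].isspace():  # leading blank = same owner as previous record
            owner, fields = fqdn(fields[0], origin), fields[1:]
        upper = [f.upper() for f in fields]
        if owner and "NS" in upper[:-1]:
            target = fields[upper.index("NS") + 1]
            found.setdefault(owner, set()).add(fqdn(target, origin))
    return found

def check_delegations(zone_text, expected):
    """Return problems found; an empty list means every delegation matches."""
    found = parse_ns(zone_text)
    problems = []
    for child, want in sorted(expected.items()):
        have = found.get(child, set())
        problems += [f"{child}: missing NS {ns}" for ns in sorted(want - have)]
        problems += [f"{child}: unexpected NS {ns}" for ns in sorted(have - want)]
    return problems

if __name__ == "__main__":
    print(check_delegations(SAMPLE_ZONE, EXPECTED) or "all delegations match")
```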

Event Timeline

aborrero triaged this task as Medium priority. Oct 18 2019, 11:03 AM
aborrero moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.

Change 544175 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/dns@master] wikimedia.cloud: add initial zone file

https://gerrit.wikimedia.org/r/544175

It is not clear to me which project should own the eqiad1.wikimedia.cloud subdomain. The admin project? The wmflabsdotorg project? A new one?
I remember there was a special case for domains with no project association, I guess that's the case of the current eqiad.wmflabs:

root@cloudcontrol1004:~# designate domain-get 114f1333-c2c1-44d3-beb4-ebed1a91742b --all-tenants
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| description | None                                 |
| created_at  | 2015-03-26T21:04:20.000000           |
| updated_at  | 2019-10-18T11:21:14.000000           |
| email       | root@wmflabs.org                     |
| ttl         | 60                                   |
| serial      | 1571397670                           |
| id          | 114f1333-c2c1-44d3-beb4-ebed1a91742b |
| name        | eqiad.wmflabs.                       |
+-------------+--------------------------------------+

So we could probably do the same. I don't remember how to do that though. @Andrew could you please help us here?

The eqiad.wmflabs domain was created before Designate supported project ownership of domains. So it's ownerless, but that's probably a bug and not a feature. It works fine though, and having eqiad1.wikimedia.cloud ownerless would involve the fewest coding changes.

So... I'm not sure. Designate already has and uses the novaadmin account, so having it owned by 'admin' is probably the next-easiest thing. That probably has my vote but I'm open to alternative suggestions.

+1 for the admin project! Will try creating it now.

Mentioned in SAL (#wikimedia-cloud) [2019-10-18T16:01:47Z] <arturo> created the eqiad1.wikimedia.cloud DNS zone (T235846)

Change 544223 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] openstack: wmcs-makedomain: allow transfers on domains owned by admin project

https://gerrit.wikimedia.org/r/544223

Copying from the patch for visibility: Let's please not put anything in the admin project that doesn't strictly need to be there - IIRC it has some special meaning/purpose, novaobserver's rights don't apply there, and it may cause difficulty splitting up permissions later on if we wanted to.
We can just make an empty project (in terms of instances) to hold a DNS zone or two.

Change 544223 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] openstack: wmcs-makedomain: allow transfers on domains owned by admin project

https://gerrit.wikimedia.org/r/544223

> Copying from the patch for visibility: Let's please not put anything in the admin project that doesn't strictly need to be there - IIRC it has some special meaning/purpose, novaobserver's rights don't apply there, and it may cause difficulty splitting up permissions later on if we wanted to.
> We can just make an empty project (in terms of instances) to hold a DNS zone or two.

I don't have any strong opinion on this. I leave this to @Andrew.

Change 544175 merged by Arturo Borrero Gonzalez:
[operations/dns@master] wikimedia.cloud: add initial zone file

https://gerrit.wikimedia.org/r/544175

This is now done, everything is working. Leaving task open for a few days in case there is follow-up discussion on the admin project topic.

aborrero claimed this task.

Closing task. Feel free to reopen if any follow-up is required.