
Request creation of wikisp VPS project
Closed, Resolved (Public)

Description

Project Name: wikisp
Wikitech Usernames of requestors: Galahad -I'd love if new volunteers join!-

Purpose: Actually, the WikiSP servers are kindly paid for by DigitalOcean through their program. However, with new advances in technological capabilities, it can be concluded that current capabilities may be insufficient. In addition to this, we want a space in which, in a possible future in which the group ceases to exist, the tools that we host will serve future groups or be of use to third parties interested in our mission.

Brief description: The project will be used for testing MediaWiki and WordPress. Beyond that, our plans are to install LimeSurvey -yes, WMIT can provide it, but it is better if we host our instance-, Moodle -for the project grant, like a learning tool for new volunteers to support small projects-, a mail server -we actually use a non-free provider, Zoho, and Mail-in-a-box would be used- and ZNC -wikisp hosts its own bouncer service, adding another would be great and the volunteers would not depend on services such as IRCCloud and others-. Helping chapters (likely Wikimedia Venezuela) set up their own instances is planned too.

How soon you are hoping this can be fulfilled: As soon as possible. At the moment it would be great if the moodle, limesurvey and mailserver can be under our domain *.wikisp.org, e.g. limesurvey.wikisp.org, education.wikisp.org, box.wikisp.org. The bouncer service requires a float IP too, but can be on the cloud vps domain. The number of float IPs is up to you.

Thanks in advance

Event Timeline

Galahad updated the task description.

I have questions and comments here.
The first one that's most directly pertinent is that we don't offer DNS hosting for external domain names. Our DNS system is managed to provide wmcloud.org addresses for services. That seems like it would be an issue for you right away, and we don't directly support external domains in any way. Our proxy service only supports things under <projectname>.wmcloud.org or wmflabs.org. I think this will be quite tricky for setting up email services.

This would require you to install and maintain all of those services with little offered by us except access to spin up your virtual machines.

I also have some concerns about authentication. We generally recommend using something like oauth if you can and do not want you using LDAP for it directly (https://wikitech.wikimedia.org/wiki/Wikitech:Cloud_Services_Terms_of_use#What_uses_of_Cloud_Services_do_we_not_like?)

How many VMs, specifically are you imagining you will need?

Is it possible to scope this request to a single specific project? The amount of ideas makes it hard to evaluate this request. Projects which have specific purposes and use cases applicable to all end are a better fit for WMCS, as well as being easier to invite other volunteers to join.

Have a look at https://wikitech.wikimedia.org/wiki/Help:Cloud_VPS_project#Guidelines_for_project_requests.

Hi @Bstorm thanks for your questions:

1.- Actually I'm using CloudFlare as DNS service, so it isn't a problem if you just provide the public IP; I'll deactivate the orange cloud. About the mail, I can move that to the server provided by DigitalOcean without problem and, in exchange, put Zammad here.

2.- No problem with using oauth for the limesurvey and moodle instances. For the Zammad and ZNC instances it isn't possible. Zammad is for our ticket system and ZNC requires a unique account.

3.- If my math is right, I just need 5. The rules permit 8, I think.

4.- About the question of @nskaggs: I think it is just a project "to host the necessary tools for WikiSP and some that could support the mission of small projects". If you consider that any tool is unnecessary or that it should be focused on only one tool, I am open to suggestion, after all, it is you who decide :)

I think it makes maintaining the project easier to be more focused. But if you're comfortable with this setup, a project can be created.

Can you restate how many floating IPs you are requesting? You expect to need 5 VMs now running which services?

I recalculated and I'll need just 3 VMs: One for Zammad + Elasticsearch (1), Moodle + Limesurvey (2), ZNC (IRC bouncer) + Test environment (3).

Two floating IPs would be needed for the first two VMs.

In T286695#7231440, @White-Master wrote:

I recalculated and I'll need just 3 VMs: One for Zammad + Elasticsearch (1), Moodle + Limesurvey (2), ZNC + Test environment (3).

Hosting IRC bouncers (ZNC) in Cloud VPS for use by humans has not historically been an allowed activity. Can you explain why your project requires this?

wikisp provides an IRC bouncer for Wikimedia volunteers and members of the group if they want to use it to stay on IRC 24/7. Actually, we have strict rules about giving new access and a limit on the number of accounts, so I think it isn't a problem to put the bouncer service here.

However, as I stated before: My request isn't carved in stone, so if you think that is not permissible, I can accommodate.

In T286695#7231469, @White-Master wrote:

wikisp provides an IRC bouncer for Wikimedia volunteers and members of the group if they want to use it to stay on IRC 24/7. Actually, we have strict rules about giving new access and a limit on the number of accounts, so I think it isn't a problem to put the bouncer service here.

However, as I stated before: My request isn't carved in stone, so if you think that is not permissible, I can accommodate.

Historically, the prohibition against using WMCS as a network proxy listed at https://wikitech.wikimedia.org/wiki/Wikitech:Cloud_Services_Terms_of_use#What_uses_of_Cloud_Services_do_we_not_like? has excluded BNC services for use by humans. There are irc bots operating inside the Cloud VPS space which use some form of BNC as part of their operation, but allowing arbitrary humans to proxy their IRC usage through the Cloud VPS network is a proxy activity that potentially puts all irc clients running in our network space at risk of a k-line action by the upstream irc network operators. This risk is present even for approved irc bots which is why a few folks (myself included) are promoting T278584: Promote use of SASL for Cloud VPS/Toolforge hosted Libera.chat / Freenode IRC bots.

In our particular case, we stated the use of SASL because it is required to access Libera from DigitalOcean, and I can set mandatory access via SASL.

However, if there are no exceptions, the bnc service will stay on wikisp servers.

So: Zammad + Elasticsearch (1), Moodle (2) + Limesurvey, Test environment (3), and two floating IPs for the first two VMs.

I have two main concerns with setting up a project with the scope roughly of "a bunch of different services for this specific group of people" (please correct me if I've misunderstood something):

  1. duplication: given both human/volunteer time and computing resources are limited, I'd much rather like to see the resources being spent maintaining services that can be used by other than just some chapter or other group, if the software design permits it. For example, from a very quick look Zammad looks fairly similar to Znuny, so I'm curious why you want to maintain that separately from the already-existing infrastructure.
  2. ownership, which is explained in more detail in https://phabricator.wikimedia.org/project/view/2875/ (see section "Project scope") but roughly my concern is that having separate resources services possibly maintained by separate group of people make our (WMCS admins) life much harder when trying to get maintenance done (such as operating system deprecations, VMs causing issues, so on).

So my main question is essentially why should the general guideline of "Cloud VPS projects should be scoped based around concrete products or software projects, rather than the team working on them" not apply here? I'm happy to make reasonable exceptions to the guideline, but I would like it to be explicitly addressed. Thanks!

In T286695#7231514, @White-Master wrote:

In our particular case, we stated the use of SASL because it is required to access Libera from DigitalOcean, and I can set mandatory access via SASL.

However, if there are no exceptions, the bnc service will stay on wikisp servers.

So: Zammad + Elasticsearch (1), Moodle (2) + Limesurvey, Test environment (3), and two floating IPs for the first two VMs.

Thanks for providing updated guidance on the request!

I have two main concerns with setting up a project with the scope roughly of "a bunch of different services for this specific group of people" (please correct me if I've misunderstood something):

While zammad and the testing area are for group-specific use, moodle and limesurvey are for community use.

  1. duplication: given both human/volunteer time and computing resources are limited, I'd much rather like to see the resources being spent maintaining services that can be used by other than just some chapter or other group, if the software design permits it. For example, from a very quick look Zammad looks fairly similar to Znuny, so I'm curious why you want to maintain that separately from the already-existing infrastructure.

While it is true that both platforms have similarities, Zammad has many integrations (twitter, facebook, even telegram). Of course, this is for the initial use of the group, but in the future when it ceased to exist for some reason and another group wanted to "take it over", at least it would be up and running.

  2. ownership, which is explained in more detail in https://phabricator.wikimedia.org/project/view/2875/ (see section "Project scope") but roughly my concern is that having separate resources services possibly maintained by separate group of people make our (WMCS admins) life much harder when trying to get maintenance done (such as operating system deprecations, VMs causing issues, so on).

If you are referring to delays in response times when cloud admins request changes, I don't see that as a problem. I regularly watch the mailing list and if I need to do something, I do it as soon as possible.

So my main question is essentially why should the general guideline of "Cloud VPS projects should be scoped based around concrete products or software projects, rather than the team working on them" not apply here? I'm happy to make reasonable exceptions to the guideline, but I would like it to be explicitly addressed. Thanks!

Generally I can take care of the routine maintenance of this project as I would be doing with the wikisp servers, but I left the question open in case someone else wanted to join the team. It's not exactly closed to a particular team.

@Majavah Did that address your concerns? I think that not hosting the bouncer would make sense just for the proxy restriction.

@Majavah Did that address your concerns? I think that not hosting the bouncer would make sense just for the proxy restriction.

Mostly yes. Thanks!

This is now approved and will be created shortly.

Done, the new project name is "wikisp".

dcaro@cloudcontrol1003:~$ sudo wmcs-openstack project create --enable --description "This project is be used for testing MediaWiki and WordPress." wikisp
+-------------+--------------------------------------------------------------+
| Field       | Value                                                        |
+-------------+--------------------------------------------------------------+
| description | This project is be used for testing MediaWiki and WordPress. |
| domain_id   | default                                                      |
| enabled     | True                                                         |
| id          | wikisp                                                       |
| is_domain   | False                                                        |
| name        | wikisp                                                       |
| options     | {}                                                           |
| parent_id   | default                                                      |
| tags        | []                                                           |
+-------------+--------------------------------------------------------------+
dcaro@cloudcontrol1003:~$ sudo wmcs-openstack role add --project wikisp --user galahad projectadmin
dcaro@cloudcontrol1003:~$ sudo wmcs-openstack role add --project wikisp --user galahad user

dcaro@cloudcontrol1003:~$ sudo wmcs-openstack quota set --floating-ips 2 wikisp
dcaro@cloudcontrol1003:~$ sudo wmcs-openstack quota show wikisp | grep floating-ips
| floating-ips          | 2

@Galahad make sure to join the list https://lists.wikimedia.org/mailman/listinfo/cloud-announce if you are not already there :), enjoy!
Once you have your instances up, you can follow https://wikitech.wikimedia.org/wiki/Help:Manage_floating_IP_addresses_assigned_to_Cloud_VPS_instances to get the floating IPs set up on them.

Hello @Galahad and others! I'm noticing that the ceres.wikisp.eqiad1.wikimedia.cloud VM is in a sad state; I think you're a victim of a brief, weird issue we had with the VM creation process. If you don't have work invested in that VM I encourage you to just delete it and start over; if that's going to cause you trouble let me know and I can investigate ways to rescue it.

Mentioned in SAL (#wikimedia-cloud) [2021-08-27T02:03:51Z] <DeusExMachina> Mars instance, destroyed. Per T286695