Support 'unmanaged' projects in cloud-vps
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Andrew
	Jan 12 2023, 3:15 PM

Description

All VMs in cloud-vps currently include

Puppet
ldap/auth integration
cumin client
light admin supervision/support

Some users (especially internal WMF users) would like a more generic-public-cloud option. For example:

bring-your-own base image
custom userdata injection
ssh key injection
no puppet, no ldap, no cumin

It should be fairly easy to support special unmanaged projects with those features. The flip side is that there will be slightly greater risks involved as these projects can/will run unsupported OS versions, unsupported software, and if they gobble up CPU cycles we won't have any recourse. For supporting these projects I propose that projectadmins in such projects be limited to NDA users.

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
nova policy: add awareness of 'unmanaged' role	operations/puppet	production	+5 -1
Horizon: update build version in eqiad1	operations/puppet	production	+1 -1
Horizon: update build version in codfw1dev	operations/puppet	production	+1 -1
Revert "Horizon: allow image uploading via horizon for users with glance admin"	operations/puppet	production	+2 -2
launch-instance: add caption to keypair panel about puppet	openstack/horizon/horizon	2023.1	+4 -0
launch-instance workflow: allow keypair panel for all launches	openstack/horizon/horizon	2023.1	+2 -8
Horizon: backport 598bfa3aabe9cf2c1d09f58d4a0745462e80b1bc to 'zed'	operations/puppet	production	+2 -2
Horizon: update version in codfw1dev	operations/puppet	production	+1 -1
WMF Hacks create-instance workflow: add a missing comma	openstack/horizon/horizon	2023.1	+1 -1
nova: move the puppet cert cleanup from vendordata to wmcs-image-create	operations/puppet	production	+9 -4
vendordata: don't specify puppet server on first run	operations/puppet	production	+1 -1
nova vendor-data: more puppet-switching attempts	operations/puppet	production	+3 -1
nova vendor-data: 2nd attempt to read 'install_puppet' metadata	operations/puppet	production	+1 -1
nova vendor-data: 3rd attempt to read 'install_puppet' metadata	operations/puppet	production	+1 -1
vendordata: only wipe out puppet certs if we aren't building a base image	operations/puppet	production	+6 -3
cloud-init: make puppet optional	operations/puppet	production	+63 -44
Horizon: allow image uploading via horizon for users with glance admin	operations/puppet	production	+2 -2

Related Objects
Search...

Status	Assigned	Task
Resolved	Andrew	T326818 Support 'unmanaged' projects in cloud-vps
Open	Andrew	T353331 Hide + disable 'key pair' tab when creating puppetized VMs
Open	Andrew	T353332 Hide VM puppet tab for unpuppetized VMs
Resolved	Andrew	T355963 Gather feedback from users of the 'unmanaged' debian-12.0-nopuppet image

Event Timeline

Andrew created this task.Jan 12 2023, 3:15 PM

Restricted Application added a project: cloud-services-team (Kanban). · View Herald TranscriptJan 12 2023, 3:15 PM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:22 PM

fnegri moved this task from Kanban to Inbox on the cloud-services-team board.

fnegri edited projects, added cloud-services-team (FY2022/2023-Q3); removed cloud-services-team.Jan 19 2023, 2:33 PM

fgiunchedi subscribed.Jan 23 2023, 5:32 PM

• nskaggs mentioned this in T329674: Explore exosphere as alternative user friendly UI for openstack.Feb 14 2023, 9:58 PM

• joanna_borun subscribed.Mar 28 2023, 2:19 PM

fnegri triaged this task as Medium priority.Apr 12 2023, 2:55 PM

fnegri moved this task from FY2022/2023-Q3 to FY2022/2023-Q4 on the cloud-services-team board.

fnegri edited projects, added cloud-services-team (FY2022/2023-Q4); removed cloud-services-team (FY2022/2023-Q3).

fnegri moved this task from Backlog to Planned Goals on the cloud-services-team (FY2022/2023-Q4) board.

fnegri added a project: Goal.Apr 19 2023, 2:29 PM

fnegri edited projects, added cloud-services-team (FY2023/2024-Q1-Q2); removed cloud-services-team (FY2022/2023-Q4).Aug 7 2023, 2:38 PM

fnegri moved this task from Backlog to Planned Goals on the cloud-services-team (FY2023/2024-Q1-Q2) board.

Notes:

'no puppet, no ldap, no cumin' is really just 'no puppet' since puppet sets up the other things.

This can be implemented by a new keystone role (or multiple roles). Let's say it's a single role called 'puppetfree'

If a user has that role on a project, they'll encounter two UI changes:

They can manage glance images
The 'create VM' workflow will display two new panels, one for ssh key management and one for metadata management
- The metadata panel will already include a default extra key, 'puppetfree=True'
  - TODO: can we reverse this logic so that puppetfree is the default?
  - We should do as little of this as possible in the UI so as not to break automation workflows

Implementing puppetfree VMs can be done by having the cloud-init script skip all the puppet bits based on a metadata flag.

Change 980021 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Horizon: allow image uploading via horizon for users with glance admin

https://gerrit.wikimedia.org/r/980021

gerritbot added a project: Patch-For-Review.Dec 4 2023, 6:39 PM

Implementing puppetfree VMs can be done by having the cloud-init script skip all the puppet bits based on a metadata flag.

Actually I think this should happen in the base image. We can set a special metadata flag when building new base images that sets up puppetized base images. The default at all other times will be for cloud-init to rely on the base image for cues about puppet or no puppet.

Change 980079 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] cloud-init: make puppet optional

https://gerrit.wikimedia.org/r/980079

Can we come up with a "support level" for these VMs and make sure it's clearly stated somewhere?

Given that they are completely unmanaged there's a lot of limitations on what we can troubleshoot/debug (essentially, besides starting up a new VM to which we have access and checking that it runs and network works, everything else happens inside the black-box VM).

In T326818#9381905, @dcaro wrote:

Can we come up with a "support level" for these VMs and make sure it's clearly stated somewhere?

Given that they are completely unmanaged there's a lot of limitations on what we can troubleshoot/debug (essentially, besides starting up a new VM to which we have access and checking that > it runs and network works, everything else happens inside the black-box VM).

My imagined support policy would be:

We'll help you with OpenStack issues (e.g. troubleshoot image upload issues)
WMCS staff provides zero official support for VMs once they're launched
VMs are subject to surprise reboots and up to X minutes downtime without advance notice
We will shut down any VMs that are producing disruptive traffic or are suspected of security compromise and may only notify project owners after the fact

In the near term, users will need to apply to have the 'glanceadmin' role added and/or to have an unpuppetized base image added to their project.

@dcaro does that sound about right?

In T326818#9383803, @Andrew wrote:

My imagined support policy would be:

We'll help you with OpenStack issues (e.g. troubleshoot image upload issues)

WMCS staff provides zero official support for VMs once they're launched

VMs are subject to surprise reboots and up to X minutes downtime without advance notice

We will shut down any VMs that are producing disruptive traffic or are suspected of security compromise and may only notify project owners after the fact

In the near term, users will need to apply to have the 'glanceadmin' role added and/or to have an unpuppetized base image added to their project.

@dcaro does that sound about right?

That sounds good yes 👍

Some questions arise (for us mostly, can be after starting the service):

How will we monitor that the images uploaded are open source only?
How will we monitor if the VMs are misbehaving? (besides randomly noticing something is weird while doing something else)

Some questions arise (for us mostly, can be after starting the service):

How will we monitor that the images uploaded are open source only?

How will we monitor if the VMs are misbehaving? (besides randomly noticing something is weird while doing something else)

Currently the policy for both of those things is pretty much "If we notice, we do something." I'm not sure that this case necessarily needs to be different, especially if we restrict the unmanaged feature to specific trusted users.

That said, we could monitor the total list of installed images (and assume they have honest naming) or we could maybe use cloud-init to generate reports about what images are being used to run VMs.

Change 980021 merged by Andrew Bogott:

[operations/puppet@production] Horizon: allow image uploading via horizon for users with glance admin

https://gerrit.wikimedia.org/r/980021

Change 980079 merged by Andrew Bogott:

[operations/puppet@production] cloud-init: make puppet optional

https://gerrit.wikimedia.org/r/980079

Maintenance_bot removed a project: Patch-For-Review.Dec 8 2023, 8:31 PM

Change 981620 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] nova vendor-data: 2nd attempt to read 'install_puppet' metadata

https://gerrit.wikimedia.org/r/981620

gerritbot added a project: Patch-For-Review.Dec 8 2023, 9:17 PM

Change 981620 merged by Andrew Bogott:

[operations/puppet@production] nova vendor-data: 2nd attempt to read 'install_puppet' metadata

https://gerrit.wikimedia.org/r/981620

Maintenance_bot removed a project: Patch-For-Review.Dec 8 2023, 9:30 PM

Change 981625 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] nova vendor-data: 3rd attempt to read 'install_puppet' metadata

https://gerrit.wikimedia.org/r/981625

Change 981625 merged by Andrew Bogott:

[operations/puppet@production] nova vendor-data: 3rd attempt to read 'install_puppet' metadata

https://gerrit.wikimedia.org/r/981625

Maintenance_bot removed a project: Patch-For-Review.Dec 8 2023, 10:30 PM

Change 981628 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] vendordata: only wipe out puppet certs if we aren't building a base image

https://gerrit.wikimedia.org/r/981628

Change 981628 merged by Andrew Bogott:

[operations/puppet@production] vendordata: only wipe out puppet certs if we aren't building a base image

https://gerrit.wikimedia.org/r/981628

Maintenance_bot removed a project: Patch-For-Review.Dec 8 2023, 11:30 PM

Change 981669 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] nova vendor-data: more puppet-switching attempts

https://gerrit.wikimedia.org/r/981669

gerritbot added a project: Patch-For-Review.Dec 10 2023, 5:08 PM

Change 981669 merged by Andrew Bogott:

[operations/puppet@production] nova vendor-data: more puppet-switching attempts

https://gerrit.wikimedia.org/r/981669

Maintenance_bot removed a project: Patch-For-Review.Dec 10 2023, 6:10 PM

Change 981676 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] vendordata: don't specify puppet server on first run

https://gerrit.wikimedia.org/r/981676

Change 981676 merged by Andrew Bogott:

[operations/puppet@production] vendordata: don't specify puppet server on first run

https://gerrit.wikimedia.org/r/981676

Maintenance_bot removed a project: Patch-For-Review.Dec 10 2023, 8:10 PM

Change 981677 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] nova: move the puppet cert cleanup from vendordata to wmcs-image-create

https://gerrit.wikimedia.org/r/981677

gerritbot added a project: Patch-For-Review.Dec 10 2023, 8:17 PM

Change 981677 merged by Andrew Bogott:

[operations/puppet@production] nova: move the puppet cert cleanup from vendordata to wmcs-image-create

https://gerrit.wikimedia.org/r/981677

Maintenance_bot removed a project: Patch-For-Review.Dec 10 2023, 8:30 PM

Change 981705 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[openstack/horizon/horizon@2023.1] WMF Hacks create-instance workflow: add a missing comma

https://gerrit.wikimedia.org/r/981705

Change 981705 merged by Andrew Bogott:

[openstack/horizon/horizon@2023.1] WMF Hacks create-instance workflow: add a missing comma

https://gerrit.wikimedia.org/r/981705

Maintenance_bot removed a project: Patch-For-Review.Dec 11 2023, 3:30 AM

Change 981706 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Horizon: update version in codfw1dev

https://gerrit.wikimedia.org/r/981706

gerritbot added a project: Patch-For-Review.Dec 11 2023, 3:33 AM

Change 981706 merged by Andrew Bogott:

[operations/puppet@production] Horizon: update version in codfw1dev

https://gerrit.wikimedia.org/r/981706

Maintenance_bot removed a project: Patch-For-Review.Dec 11 2023, 4:10 AM

Change 982111 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Horizon: backport 598bfa3aabe9cf2c1d09f58d4a0745462e80b1bc to 'zed'

https://gerrit.wikimedia.org/r/982111

Change 982111 merged by Andrew Bogott:

[operations/puppet@production] Horizon: backport 598bfa3aabe9cf2c1d09f58d4a0745462e80b1bc to 'zed'

https://gerrit.wikimedia.org/r/982111

Maintenance_bot removed a project: Patch-For-Review.Dec 11 2023, 3:30 PM

Andrew claimed this task.Dec 11 2023, 3:37 PM

fnegri subscribed.Dec 12 2023, 5:08 PM

Change 982453 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[openstack/horizon/horizon@2023.1] launch-instance workflow: allow keypair panel for all launches

https://gerrit.wikimedia.org/r/982453

gerritbot added a project: Patch-For-Review.Dec 12 2023, 7:03 PM

Change 982454 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[openstack/horizon/horizon@2023.1] launch-instance: add caption to keypair panel about puppet

https://gerrit.wikimedia.org/r/982454

Change 982454 merged by Andrew Bogott:

[openstack/horizon/horizon@2023.1] launch-instance: add caption to keypair panel about puppet

https://gerrit.wikimedia.org/r/982454

Change 982453 merged by Andrew Bogott:

[openstack/horizon/horizon@2023.1] launch-instance workflow: allow keypair panel for all launches

https://gerrit.wikimedia.org/r/982453

Maintenance_bot removed a project: Patch-For-Review.Dec 12 2023, 8:30 PM

Change 982470 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Revert "Horizon: allow image uploading via horizon for users with glance admin"

https://gerrit.wikimedia.org/r/982470

Change 982471 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Horizon: update build version in codfw1dev

https://gerrit.wikimedia.org/r/982471

Change 982472 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Horizon: update build version in eqiad1

https://gerrit.wikimedia.org/r/982472

Change 982470 merged by Andrew Bogott:

[operations/puppet@production] Revert "Horizon: allow image uploading via horizon for users with glance admin"

https://gerrit.wikimedia.org/r/982470

Change 982471 merged by Andrew Bogott:

[operations/puppet@production] Horizon: update build version in codfw1dev

https://gerrit.wikimedia.org/r/982471

Change 982472 merged by Andrew Bogott:

[operations/puppet@production] Horizon: update build version in eqiad1

https://gerrit.wikimedia.org/r/982472

bring-your-own base image

This is semi-implemented.

Users can be granted the 'glanceadmin' role on a project and then upload their own images.
Upload via CLI will work but the Horizon interface doesn't work.
Because this is a user role, it's a property of a particular user in a particular project, /not/ a project-wide setting. And users can't currently transfer the role to other users.

custom userdata injection

This is available for all VMs, puppet or no.

ssh key injection

This is now available and works. The UI isn't perfect as it displays for puppetized VMs as well and then doesn't do anything but there's at least a warning on the dialog.

no puppet, no ldap, no cumin

Raw base images can be shared with any project, at which point members of that project can launch unpuppetized VMs and access them via not-in-ldap keypairs.

I'm opening subtasks for the UI issues but I declare this to be a Minimum Viable Product!

Maintenance_bot removed a project: Patch-For-Review.Dec 13 2023, 3:11 PM

fnegri closed this task as Resolved.Jan 23 2024, 4:36 PM

fnegri moved this task from Planned Goals to Done on the cloud-services-team (FY2023/2024-Q1-Q2) board.

Change 992543 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] nova policy: add awareness of 'unmanaged' role

https://gerrit.wikimedia.org/r/992543

gerritbot added a project: Patch-For-Review.Jan 23 2024, 10:51 PM

Change 992543 merged by Andrew Bogott:

[operations/puppet@production] nova policy: add awareness of 'unmanaged' role

https://gerrit.wikimedia.org/r/992543

Maintenance_bot removed a project: Patch-For-Review.Jan 24 2024, 3:30 AM