Page MenuHomePhabricator
Create Task
Maniphest T343158

Support OpenStack projects where project name != project id
Closed, ResolvedPublic
Actions

Description

Since the early days of OpenStack we've used a model where project ids and project names are identical. This was the norm in early OpenStack releases.

Modern openstack assigns arbitrary UUIDs to new projects, allowing project names to be changed on the fly without breaking db relationships. Our current deployments skip the UUID issue via a 'wmfkeystonehooks' hack that resets the project id to the project name.

UUIDs are annoying, but diverging from the upstream is also getting ever more annoying. If we adopt the usptream UUID practice, we'll have to locate and fix all of our scripts and workflows that rely on project id and name being the same.

The good news is we can change these workflows incrementally without actually breaking anything in the meantime. The breakage will only come later when we remove the keystone hack.

  • Designate domain assignment (e.g. myinstance.myproject.eqiad1.wikimedia.cloud) uses project id rather than project name
  • Cumin, spicerack, and cookbooks take project ids rather than project names. Either users will have to start using UUIDs or something in the cumin code will need to do a lookup and take distinct --project-id or project-name arguments
  • mwopenstackclients.py needs an audit to confirm that arguments are properly named 'project_name' or 'project_id' and used accordingly.

Details

Related Changes in Gerrit:
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

Andrew created this task.Jul 31 2023, 8:08 PM
Andrew updated the task description. (Show Details)
gerritbot added a comment.Sep 8 2023, 4:37 PM

Change 955973 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] wmf_sink: don't assume project_name == project_id

https://gerrit.wikimedia.org/r/955973

gerritbot added a project: Patch-For-Review.Sep 8 2023, 4:37 PM
gerritbot added a comment.Sep 11 2023, 1:21 AM

Change 956088 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] nova_fullstack_test: don't assume project_name == project_id

https://gerrit.wikimedia.org/r/956088

gerritbot added a comment.Sep 11 2023, 8:01 PM

Change 955973 merged by Andrew Bogott:

[operations/puppet@production] wmf_sink: don't assume project_name == project_id

https://gerrit.wikimedia.org/r/955973

gerritbot added a comment.Sep 11 2023, 8:01 PM

Change 956088 merged by Andrew Bogott:

[operations/puppet@production] nova_fullstack_test: don't assume project_name == project_id

https://gerrit.wikimedia.org/r/956088

Maintenance_bot removed a project: Patch-For-Review.Sep 11 2023, 8:11 PM
Andrew added a comment.Sep 11 2023, 10:38 PM

right now puppet cert names are the same as dns fqdns. It would be slightly less ambiguous for the puppet certname to include the project id instead... are there reasons why we depend on fqdn == cert name?

Andrew added a comment.Sep 11 2023, 10:57 PM
In T343158#9158752, @Andrew wrote:

right now puppet cert names are the same as dns fqdns. It would be slightly less ambiguous for the puppet certname to include the project id instead... are there reasons why we depend on fqdn == cert name?

On further thought, I believe the puppet literally uses the fqdn as the cert name. So one way or another they need to stay the same.

Andrew added a subscriber: fnegri.Sep 12 2023, 4:33 PM
In T343158#9158752, @Andrew wrote:

right now puppet cert names are the same as dns fqdns. It would be slightly less ambiguous for the puppet certname to include the project id instead... are there reasons why we depend on fqdn == cert name?

@fnegri suggests that we use project IDs on the VM and puppet, and have designate-sink create cnames with the project name.

gerritbot added a comment.Sep 12 2023, 5:21 PM

Change 956925 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] dynamicproxy: clarify that 'project name' was actually project_id all along

https://gerrit.wikimedia.org/r/956925

gerritbot added a project: Patch-For-Review.Sep 12 2023, 5:21 PM

Change 956927 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] mwopenstackclients: add methods to correlate project id with name

https://gerrit.wikimedia.org/r/956927

gerritbot added a comment.Sep 12 2023, 5:22 PM

Change 956928 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] wmcs-cold-migrate: remove instance_fqdn output hint

https://gerrit.wikimedia.org/r/956928

gerritbot added a comment.Sep 12 2023, 5:22 PM

Change 956929 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] wmcs-instance-fqdns: support cases where project_name != project_id

https://gerrit.wikimedia.org/r/956929

gerritbot added a comment.Sep 12 2023, 5:22 PM

Change 956930 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] wmcs-novastats-dnsleaks.py: Support project_id != project_name

https://gerrit.wikimedia.org/r/956930

gerritbot added a comment.Sep 13 2023, 8:24 PM

Change 956927 merged by Andrew Bogott:

[operations/puppet@production] mwopenstackclients: add methods to correlate project id with name

https://gerrit.wikimedia.org/r/956927

gerritbot added a comment.Sep 13 2023, 8:29 PM

Change 956928 merged by Andrew Bogott:

[operations/puppet@production] wmcs-cold-migrate: remove instance_fqdn output hint

https://gerrit.wikimedia.org/r/956928

gerritbot added a comment.Sep 13 2023, 8:37 PM

Change 956929 abandoned by Andrew Bogott:

[operations/puppet@production] wmcs-instance-fqdns: support cases where project_name != project_id

Reason:

Going to stick with project_id in the fqdn

https://gerrit.wikimedia.org/r/956929

gerritbot added a comment.Sep 13 2023, 11:10 PM

Change 957371 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] designate nova_fixed_multi: create A record using project_id and project_name

https://gerrit.wikimedia.org/r/957371

gerritbot added a comment.Sep 13 2023, 11:17 PM

Change 956930 merged by Andrew Bogott:

[operations/puppet@production] wmcs-novastats-dnsleaks.py: Support project_id != project_name

https://gerrit.wikimedia.org/r/956930

gerritbot added a comment.Oct 12 2023, 11:18 AM

Change 956925 merged by Majavah:

[operations/puppet@production] dynamicproxy: clarify that 'project name' was actually project_id all along

https://gerrit.wikimedia.org/r/956925

gerritbot added a comment.Jan 2 2024, 9:58 PM

Change 957371 merged by Andrew Bogott:

[operations/puppet@production] designate nova_fixed_multi: create A recs using project_id and project_name

https://gerrit.wikimedia.org/r/957371

Maintenance_bot removed a project: Patch-For-Review.Jan 2 2024, 10:30 PM
Andrew updated the task description. (Show Details)Jan 5 2024, 4:51 PM
Andrew updated the task description. (Show Details)Jan 5 2024, 6:00 PM
gerritbot added a comment.Jan 5 2024, 6:40 PM

Change 988047 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[cloud/wmcs-cookbooks@main] enc.py: rename project_name arg to project_id

https://gerrit.wikimedia.org/r/988047

gerritbot added a project: Patch-For-Review.Jan 5 2024, 6:40 PM
gerritbot added a comment.Jan 5 2024, 6:47 PM

Change 988050 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] mwopenstackclients.py: remove a use of project_name

https://gerrit.wikimedia.org/r/988050

gerritbot added a comment.Jan 5 2024, 6:47 PM

Change 988051 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] cloud-vps puppet encapi: use project_id instead of project_name for keystone

https://gerrit.wikimedia.org/r/988051

gerritbot added a comment.Jan 5 2024, 6:47 PM

Change 988052 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Keystone: remove hack ensuring that project_id == project_name

https://gerrit.wikimedia.org/r/988052

gerritbot added a comment.Jan 9 2024, 5:06 PM

Change 988050 merged by Andrew Bogott:

[operations/puppet@production] mwopenstackclients.py: remove a use of project_name

https://gerrit.wikimedia.org/r/988050

gerritbot added a comment.Jan 23 2024, 1:05 AM

Change 988051 merged by Andrew Bogott:

[operations/puppet@production] cloud-vps puppet encapi: use project_id instead of project_name for keystone

https://gerrit.wikimedia.org/r/988051

gerritbot added a comment.Jan 25 2024, 4:36 PM

Change 988047 merged by jenkins-bot:

[cloud/wmcs-cookbooks@main] enc.py: rename project_name arg to project_id

https://gerrit.wikimedia.org/r/988047

taavi mentioned this in rCCKBb171c1eac8b9: enc.py: rename project_name arg to project_id.Jan 25 2024, 4:36 PM
gerritbot added a comment.May 31 2024, 9:04 PM

Change #988052 merged by Andrew Bogott:

[operations/puppet@production] Keystone: remove hack ensuring that project_id == project_name

https://gerrit.wikimedia.org/r/988052

Maintenance_bot removed a project: Patch-For-Review.May 31 2024, 9:30 PM
Andrew closed this task as Resolved.May 31 2024, 9:32 PM
Andrew mentioned this in T366301: Document and enforce restrictions on openstack project names.

This is resolved for future projects. Existing hyphenated-project-names will remain forever broken.

gerritbot added a comment.Jun 4 2024, 9:42 PM

Change #1038907 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] wmfkeystonehooks: use project_id rather than project_name for auth

https://gerrit.wikimedia.org/r/1038907

gerritbot added a project: Patch-For-Review.Jun 4 2024, 9:42 PM

Change #1038907 merged by Andrew Bogott:

[operations/puppet@production] wmfkeystonehooks: use project_id rather than project_name for auth

https://gerrit.wikimedia.org/r/1038907

Andrew mentioned this in T366569: Request creation of web performance test VPS project.Jun 4 2024, 9:57 PM
Maintenance_bot removed a project: Patch-For-Review.Jun 4 2024, 10:30 PM
taavi added a parent task: T274268: Wind down use of project ID and project name equivalency in OpenStack.Jun 5 2024, 12:23 PM
taavi added a subtask: T366679: openstack-browser support for projects where id != name.
gerritbot added a comment.Jun 5 2024, 12:24 PM

Change #1039204 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] openstack: wmfkeystonehooks: Use project name for Wikitech page

https://gerrit.wikimedia.org/r/1039204

gerritbot added a project: Patch-For-Review.Jun 5 2024, 12:24 PM
gerritbot added a comment.Jun 5 2024, 1:30 PM

Change #1039204 merged by Majavah:

[operations/puppet@production] openstack: wmfkeystonehooks: Use project name for Wikitech page

https://gerrit.wikimedia.org/r/1039204

Maintenance_bot removed a project: Patch-For-Review.Jun 5 2024, 2:31 PM
gerritbot added a comment.Jun 5 2024, 2:50 PM

Change #1039231 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] openstack: wmfkeystonehooks: Use project name in created DNS zone names

https://gerrit.wikimedia.org/r/1039231

gerritbot added a project: Patch-For-Review.Jun 5 2024, 2:50 PM
gerritbot added a comment.Jun 5 2024, 3:57 PM

Change #1039231 merged by Majavah:

[operations/puppet@production] openstack: wmfkeystonehooks: Use project name in created DNS zone names

https://gerrit.wikimedia.org/r/1039231

Maintenance_bot removed a project: Patch-For-Review.Jun 5 2024, 4:30 PM
Andrew closed subtask T366679: openstack-browser support for projects where id != name as Resolved.Feb 26 2025, 12:54 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits