Help:Accessing Cloud VPS instances

From Wikitech

Initial log in

If someone has made an account for you, you'll need to do the following for initial log in:

  1. Go to the login page and enter your username. This will probably be your "wallet name" (first and last name).
  2. Click "Forgotten your login details?"
    • If the "Forgotten your login details?" link does not appear, click "Log in"
  3. Go through the process of resetting your password (the link is https://labsconsole.wikimedia.org/wiki/Special:PasswordReset)
  4. After logging in, you should upload an SSH key to Labs
  5. Now log into Gerrit using the same username and password. It'll ask you to upload an SSH key. Upload your public key here as well.

Accessing public and private instances

Using agent forwarding

Labs has a bastion instance, bastion.wmflabs.org, that can be used to access all other instances. To reach nodes from the bastion instance, you'll need to use an SSH agent and forward that agent when connecting to the bastion instance. For example:

  • On your local system:
eval `ssh-agent`
ssh-add
ssh -A <username>@bastion.wmflabs.org
  • On bastion:
ssh <your-instance>.pmtpa.wmflabs

The above would let you ssh into your instance. Note that the FQDN isn't strictly necessary; you can also just use "ssh <your-instance>".

Using ProxyCommand ssh option

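Using this configuration, it's possible to connect directly to your instances from your local system. The bastion only relays the connection, so no agent needs to be forwarded to it.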

Add this to the bottom of your ~/.ssh/config on your local system:

Host bastion1.pmtpa.wmflabs
Hostname bastion.wmflabs.org
ProxyCommand none

Host bastion1.eqiad.wmflabs
Hostname bastion2.wmflabs.org
ProxyCommand none

Host *.pmtpa.wmflabs
ProxyCommand ssh -e none bastion1.pmtpa.wmflabs exec nc -w 3600 %h %p

Host *.eqiad.wmflabs
ProxyCommand ssh -e none bastion1.eqiad.wmflabs exec nc -w 3600 %h %p

Host *.wmflabs
User <labs-shell-name>
## If you are using a non-default key, you should uncomment the next two lines, and enter
## your key's filename
#IdentityFile <key-filename>
#IdentitiesOnly yes

Now you should be able to run the following directly from your local system (even without agent forwarding):

ssh <your-instance>.pmtpa.wmflabs
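
Why the bastion stanzas carry "ProxyCommand none" and sit above the wildcard stanzas: ssh uses the first value it obtains for each option, so with the order reversed the bastion would be proxied through itself. The script below is an added example, not part of the original page; it is a simplified model of the lookup, and the hostname "myinstance" and the misordered config are constructed for illustration.

```shell
# Added example: simplified model of ssh_config lookup (Host blocks only;
# no Match, Include, negated patterns or key=value syntax).
# effective_proxy CONFIG HOST: print the ProxyCommand ssh would pick for HOST.
# ssh keeps the first value it obtains for each option, so stanza order matters.
effective_proxy() (
    set -f    # keep patterns such as *.pmtpa.wmflabs from globbing against files
    cfg=$1 host=$2 active=0
    while read -r key rest; do
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            host)
                active=0
                for pat in $rest; do
                    case $host in $pat) active=1 ;; esac
                done ;;
            proxycommand)
                if [ "$active" -eq 1 ]; then
                    printf '%s\n' "$rest"
                    return 0
                fi ;;
        esac
    done < "$cfg"
    echo "(direct)"
)

# The pmtpa stanzas from the page, in the page's order.
good=$(mktemp)
cat > "$good" <<'EOF'
Host bastion1.pmtpa.wmflabs
Hostname bastion.wmflabs.org
ProxyCommand none

Host *.pmtpa.wmflabs
ProxyCommand ssh -e none bastion1.pmtpa.wmflabs exec nc -w 3600 %h %p
EOF

# Constructed misordering: the wildcard stanza comes first.
bad=$(mktemp)
cat > "$bad" <<'EOF'
Host *.pmtpa.wmflabs
ProxyCommand ssh -e none bastion1.pmtpa.wmflabs exec nc -w 3600 %h %p

Host bastion1.pmtpa.wmflabs
ProxyCommand none
EOF
trap 'rm -f "$good" "$bad"' EXIT

for cfg in "$good" "$bad"; do
    for h in bastion1.pmtpa.wmflabs myinstance.pmtpa.wmflabs; do
        printf '%s -> %s\n' "$h" "$(effective_proxy "$cfg" "$h")"
    done
done
```

On a system with a recent OpenSSH client, "ssh -G <host>" prints the options ssh itself resolves and can be used to confirm the same result against your real ~/.ssh/config.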

Accessing services using port forwarding

If your instance doesn't have a public IP address, but you need to access a service on it, you can use port forwarding. For instance, here's how you would access a web service:

  • On your local system:
ssh <username>@bastion.wmflabs.org -L 8080:<your-instance>:80

You can then connect to it via http://localhost:8080.

Accessing web services using a SOCKS proxy

If you only need to access web services on an instance that doesn't have a public IP address, it's easiest to use a SOCKS proxy:

  1. On your local system:
    ssh <username>@bastion.wmflabs.org -D 8080
  2. After doing so, you have to configure your browser to use localhost:8080 as a SOCKS proxy, which makes it possible to connect directly to your node from the address bar, e.g. http://<your-instance>.pmtpa.wmflabs.
    You can configure this in a few different ways (whichever fits you best):
    • On a Mac, in the System Preferences > Network > Advanced > Proxies. Tick "Socks Proxy" and enter 'localhost' and '8080'. After saving and applying this you can use http://<your-instance>.pmtpa.wmflabs:8080 in the browser.
    • If you use FoxyProxy (a Firefox, IE or Chrome add-on), you can use the pre-defined URL pattern defined here.

Rights

Anonymous users

You'll need to have an account created for you. If you currently have SVN access, then you have an account, but need to have it linked to Labs (how-to for admins: !add-labs-user). We are still working out the account activation process, but hope to have it done soon.

Logged-in users

After creating an account, you can:

Once you add a key, you'll be able to log into the instances of any project you are a member of. Have a current project member or an admin user add you to a project.

To create instances within a project, you'll need to have a sysadmin on the project or an admin add you to the sysadmin role for that project.

You can make queries for nova resources; currently only Nova instances have semantic properties enabled.

After logging in, you can also access Gerrit; if you wish to do git checkouts of the puppet repositories, you'll need to log into Gerrit, and add your SSH key there as well. Note: it would be nice if Gerrit could use LDAP for its SSH keystore, instead of its database; I've opened a bug for this, if you'd like to help, please add that feature to Gerrit!

Admins

Wiki Admin

If you are a wiki admin, you can:

Net Admins

If you are a NetAdmin, you can:

Sys Admins

If you are a sysadmin, you can:

After creating an instance, you'll get an email notifying you that it is ready to be logged into.

Cloud Admins

In addition to all actions available to sysadmins and netadmins, you can:

Puppet

Labs instances run from the operations/puppet repository, branch 'test'.

To trigger a puppet update, run: sudo puppetd -tv

The cron job that updates the master puppet repo in the labs cluster runs every minute, so after your change is merged you will have to wait a bit.

Access FAQ

Q: Who can give out Labsconsole accounts, and how do they do it?
A: User accounts on the wiki (which are also the shared credentials for Gerrit and Nova) can be created by a wiki admin. Requests for access can be made via:
  • Ryan Lane (on IRC: Ryan_Lane) (talk page)
  • Sara Smollett
  • Sumana Harihareswara (sumanah) (talk page)
  • Chad Horohoe (^demon) (talk page)
  • Rob Lanphier (robla)
  • Sam Reed (Reedy) (talk page)
  • Tim Starling (TimStarling) (talk page)
  • Daniel Zahn (mutante)
and anyone in Wikimedia Foundation's Technical Operations group. They will say yes to everyone who asks, except for known malicious persons. There is no other publicly available list that's better, so this is the list of people newbies can ping to ask for accounts. If you want to contact them, you may want to try the IRC channels #mediawiki or #wikimedia-dev.
If you are applying for access, you should give them the following information:
  • Your preferred wiki username - also your git username
  • Your preferred email address
  • Your svn account name
Do not give them your password! They don't need it and you'll set your own password up anyway. If you do, it will not be a pretty sight and you will have to flock to local Oversights and Special:PasswordReset.
Q: I just want git access; I don't care about labsconsole. How do I get Git access?
A: You should care about labsconsole! However, that doesn't matter. Labsconsole access and Git access are currently given using the same mechanism.
Q: I was added to a group that gives me access to something in git, but it isn't working, what's wrong?
A: Once you have been added to the group, you need to log out of gerrit, then back in. Gerrit pulls its groups from LDAP, but caches them. Logging out, then back in re-synchronizes your groups, and thus clears the cache.

Giving users Labs access, if they already have an SVN account

Collect the following information from the user:

  • Preferred wiki username. This will also be the user's git username, so legal name would be reasonable
  • Preferred email address
  • Their svn account name

On formey, run the following command:

add-labs-user --wikiname="<wikiusername>" --mail="<email address>" <svnusername>

If the user specifically requests Labs access, also go to Special:NovaProject and add the user, by wiki username, to the bastion project. But if they just need an account so they can log into Gerrit etc. then you don't need to do this.

Then the user must do the following:

  1. Go to the password reset form at labs console
  2. Use the temporary password to set a password
  3. Log into gerrit
  4. Add their SSH key

Then, if they are an ops team member, add them to the ops group:

modify-ldap-group --addmembers=<svnusername> ops

If they are WMF staff, add them to the wmf group:

modify-ldap-group --addmembers=<svnusername> wmf

Giving users Labs access, if they don't already have SVN access

Ask for:

  • Preferred wiki username. This will also be the user's git username, so legal name would be reasonable
  • Preferred email address
  • Their preferred shell account name (1 to 17 numbers and lower case ASCII letters, as well as the . (full stop), - (hyphen-minus) and _ (low line) characters)

Then either:

  • just get the accountcreators power from Ryan Lane or Sara Smollett or Daniel Zahn (Mutante) and then create the user's account using Special:CreateAccount and choose "By email" to send the user a password
  • Make an LDAP user on formey and then follow the instructions for people who have SVN accounts (above)