Help:Accessing Cloud VPS instances: Difference between revisions

From Wikitech
Content deleted Content added
Line 151: Line 151:
== Puppet ==
== Puppet ==


Labs instance run from the operations/puppet repository and branch 'test'.
Labs instance run from the operations/puppet repository and branch 'production'.


To trigger a puppet update, run: <tt>sudo puppetd -tv</tt>
To trigger a puppet update, run: <tt>sudo puppetd -tv</tt>
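Review bot: The changed sentence still reads "Labs instance run"; since this revision touches that line anyway, correct it to "Labs instances run" in the same edit. With the branch now given as 'production' instead of 'test', the line would also benefit from saying whether a change has to be merged to that branch before "sudo puppetd -tv" on an instance picks it up.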

Revision as of 19:07, 28 August 2012

This page explains how to gain access to labsconsole (this wiki) and our git repository, which is located at http://gerrit.wikimedia.org/.

Initial log in and password change

If someone has made an account for you, you'll need to do the following for initial log in, or if you want to change your Labs (labsconsole) and gerrit password.

  1. Go to the login page.
  2. Enter your wiki username.
  3. Check your mail, log in with your new temporary password, and set a permanent password.
  4. After logging in, you should set up an SSH key if you do not already have one, then upload your ssh key to Labs.
  5. Now log into gerrit using the same username and password. It'll ask you to upload an ssh key. Upload your public key here as well.

Basic instructions for what to do next: Git workflow, getting started on Labs.

Accessing public and private instances

In order to access instances (see Help:Terminology) you will need to be a member of the 'bastion' project. If you specifically requested a labs account then you may already be a member; otherwise you'll need to make an appearance on the #wikimedia-labs IRC channel and ask someone to add you.

Which bastion do I use?

Unless you are ops, use bastion.wmflabs.org. If you are a member of the ops team, then use bastion-restricted.wmflabs.org.

Using agent forwarding

Labs has a bastion instance, bastion.wmflabs.org, that can be used to access all other instances. To reach nodes from the bastion instance, you'll need to use an SSH agent, and forward that agent when connecting to the bastion instance. For example:

  • On your local system:
eval `ssh-agent`
ssh-add ~/.ssh/your_key_file_for_labs
ssh -A <username>@bastion.wmflabs.org
  • On bastion:
ssh <your-instance>.pmtpa.wmflabs

The above would let you ssh into your instance. Note that the FQDN isn't strictly necessary; you can also just use "ssh <your-instance>".

If you already use an ssh agent to connect to other hosts, you should consider using a separate agent for your labs key to avoid exposing your other keys to the labs hosts.

Using ProxyCommand ssh option

Using this configuration, it's possible to directly connect to your instances.

Add this to the bottom of your ~/.ssh/config on your local system:

Host bastion1.pmtpa.wmflabs
Hostname bastion.wmflabs.org
ProxyCommand none

Host bastion1.eqiad.wmflabs
Hostname bastion2.wmflabs.org
ProxyCommand none

Host *.pmtpa.wmflabs
ProxyCommand ssh -a -W %h:%p bastion1.pmtpa.wmflabs

Host *.eqiad.wmflabs
ProxyCommand ssh -a -W %h:%p bastion1.eqiad.wmflabs 

Host *.wmflabs
User <labs-shell-name>

# If you are using a non-default key, you should uncomment the next two lines, and enter your key's filename
# IdentityFile <key-filename>
# IdentitiesOnly yes

The ssh ProxyCommand uses -a (disable agent forwarding) to make sure you never forward your SSH agent, and with it the use of your keys, to the WMF labs. That is a security safeguard.

Now you should be able to run the following directly from your local system (even without agent forwarding):

ssh <your-instance>.pmtpa.wmflabs
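
A check for the safeguard described above, as an added example that is not part of the original page: the function audit_ssh_config (a hypothetical name) scans an ssh_config file and reports any ForwardAgent yes setting and any ProxyCommand ssh hop that lacks -a. Both sample files are constructed; host names follow the page's configuration.

```sh
#!/bin/sh
# Added example (not from the original page): flag ssh_config settings that
# would expose an SSH agent to Labs hosts. The file contents below are
# constructed samples; bastion and instance names follow the page's config.

audit_ssh_config() {   # usage: audit_ssh_config FILE; exit status 1 on findings
    awk '
    function report(msg) { print "line " NR " [Host " host "]: " msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        key = tolower(line); sub(/[ \t=].*$/, "", key)   # keywords ignore case
        val = line;          sub(/^[^ \t=]+[ \t=]+/, "", val)
        if (key == "host") { host = val; next }
        if (key == "forwardagent" && tolower(val) == "yes")
            report("ForwardAgent yes hands your agent to this host")
        if (key == "proxycommand" && val ~ /^ssh / && val !~ / -a( |$)/)
            report("ProxyCommand ssh lacks the -a safeguard")
    }
    END { exit bad + 0 }' "$1"
}

write_weak_sample() {   # constructed: agent forwarded, proxy hop without -a
    cat > "$1" <<'EOF'
Host bastion1.pmtpa.wmflabs
    Hostname bastion.wmflabs.org
    ProxyCommand none
    ForwardAgent yes
Host *.pmtpa.wmflabs
    ProxyCommand ssh -W %h:%p bastion1.pmtpa.wmflabs
EOF
}

write_page_sample() {   # constructed copy of the page's pmtpa stanzas
    cat > "$1" <<'EOF'
Host bastion1.pmtpa.wmflabs
    Hostname bastion.wmflabs.org
    ProxyCommand none
Host *.pmtpa.wmflabs
    ProxyCommand ssh -a -W %h:%p bastion1.pmtpa.wmflabs
EOF
}

tmp=$(mktemp -d)
write_weak_sample "$tmp/weak"; write_page_sample "$tmp/page"
audit_ssh_config "$tmp/weak" || echo "weak sample: findings above"
audit_ssh_config "$tmp/page" && echo "page sample: clean"
rm -rf "$tmp"
```

The parser is line-based and does not follow Include directives or Match blocks, so run it on each file that ends up in your effective configuration.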

Accessing services using port forwarding

If your instance doesn't have a public IP address, but you need to access a service on it, you can use port forwarding. For instance, here's how you would access a web service:

  • On your local system:
ssh <username>@bastion.wmflabs.org -L 8080:<your-instance>:80

You can then connect to it via http://localhost:8080.

Accessing web services using a SOCKS proxy

Setting up the proxy

If you only need to access web services on an instance that doesn't have a public IP address, it's easiest to use a SOCKS proxy:

  1. On your local system:
    ssh <username>@bastion.wmflabs.org -D 8080
  2. After doing so, configure your browser to use localhost:8080 as a SOCKS proxy, which makes it possible to connect directly to your node from the address bar, e.g. http://<your-instance>.pmtpa.wmflabs.
    You can configure this in a few different ways (whichever fits you best):
    • On a Mac, in System Preferences > Network > Advanced > Proxies, tick "SOCKS Proxy" and enter 'localhost' and '8080'. After saving and applying this you can use http://<your-instance>.pmtpa.wmflabs:8080 in the browser.
    • If you use FoxyProxy (a Firefox, IE or Chrome add-on), you can use the pre-defined URL pattern defined here.

Troubleshooting the proxy

Test to see if the proxy is working:

  • Load http://whatismyipaddress.com/. If you see your own IP address, your browser is not sending traffic through the proxy. If you see 208.80.153.207, the browser is correctly sending traffic through the proxy.
  • If you see a Server Not Found error when you browse to http://<your-instance>.pmtpa.wmflabs, you may need to tell your browser to use remote DNS instead of local.
    • To do this on Firefox, point your browser at about:config and search for network.proxy.socks_remote_dns. If it is set to false, double-click on the row to set it to true.

Rights

Anonymous users

You'll need to have an account created for you. If you currently have SVN access, then you have an account, but need to have it linked to Labs (how-to for admins: !add-labs-user). We are still working out the account activation process, but hope to have it done soon.

Logged-in users

After creating an account, you can:

Once you add a key, you'll be able to log into the instance of any project you are a member of. Have a current project member, or an admin user add you to a project.

To create instances within a project, you'll need to have a sysadmin on the project, or an admin add you to the sysadmin role for that project.

You can make queries for nova resources; currently only Nova instances have semantic properties enabled.

After logging in, you can also access Gerrit; if you wish to do git checkouts of the puppet repositories, you'll need to log into Gerrit, and add your SSH key there as well. Note: it would be nice if Gerrit could use LDAP for its SSH keystore, instead of its database; I've opened a bug for this, if you'd like to help, please add that feature to Gerrit!

Admins

Wiki Admin

If you are a wiki admin, you can:

Net Admins

If you are a NetAdmin, you can:

Sys Admins

If you are a sysadmin, you can:

After creating an instance, you'll get an email notifying you that it is ready to be logged into.

Cloud Admins

In addition to all actions that sysadmins and netadmins can perform, you can:

Puppet

Labs instances run from the operations/puppet repository and branch 'production'.

To trigger a puppet update, run: sudo puppetd -tv

The cron job that updates the master puppet repo in the labs cluster runs every minute, so after your change gets merged in, you will have to wait a bit.

Access FAQ

Q: Who can give out Labsconsole accounts, and how do they do it?
A: User accounts on the wiki (which is also shared credentials for gerrit and nova) can be created by a wiki admin. Requests for access can be made via leaving a request on this page (MediaWiki.org) (this is recommended) or by asking one of these people:
User name (IRC user name) (MediaWiki.org talk page):
  • Ryan Lane (Ryan_Lane) (talk page)
  • Sara Smollett (ssmollett)
  • Andrew Bogott (andrewbogott)
  • Sumana Harihareswara (sumanah) (talk page)*
  • Chad Horohoe (^demon) (talk page)
  • Rob Lanphier (robla)
  • Sam Reed (Reedy) (talk page)*
  • Tim Starling (TimStarling) (talk page)
  • Daniel Zahn (mutante)
  • Faidon Liambotis (paravoid)
(* = recommended contactee)
and anyone in Wikimedia Foundation's Technical Operations group. They will say yes to everyone who asks, except for known malicious persons. There is no other publicly available list that's better, so this is the list of people newbies can ping to ask for accounts. If you want to contact them, you may want to try the IRC channels #mediawiki or #wikimedia-dev.
If you are applying for access, you should give them the following information:
  • Your preferred wiki username - also your git username
  • Your preferred email address
  • Your svn account name
Do not give them your password! They don't need it and you'll set your own password up anyway. If you do, it will not be a pretty sight and you will have to flock to local Oversights and Special:PasswordReset.
Q: I just want git access; I don't care about labsconsole. How do I get Git access?
A: You should care about labsconsole! However, that doesn't matter. Labsconsole access and Git access are currently given using the same mechanism, therefore it is a unified login.
Q: I was added to a group that gives me access to something in git, but it isn't working, what's wrong?
A: Once you have been added to the group, you need to log out of gerrit, then back in. Gerrit pulls its groups from LDAP, but caches them. Logging out, then back in re-synchronizes your groups, and thus clears the cache.

Giving users Labs access, if they already have an SVN account

Collect the following information from the user:

  • Preferred wiki username. This will also be the user's git username, so legal name would be reasonable
  • Preferred email address
  • Their svn account name

On formey, run the following command:

add-labs-user --wikiname="<wikiusername>" --mail="<email address>" <svnusername>

If the user specifically requests Labs access, also go to Special:NovaProject and add the user, by wiki username, to the bastion project. But if they just need an account so they can log into Gerrit etc. then you don't need to do this.

Then the user must do the following:

  1. Go to the password reset form at labs console
  2. Use the temporary password to set a password
  3. Log into gerrit
  4. Add their SSH key

Then, if they are an ops team member, add them to the ops group:

sudo modify-ldap-group --addmembers=<svnusername> ops

If they are WMF staff, add them to the wmf group:

sudo modify-ldap-group --addmembers=<svnusername> wmf

Giving users Labs access, if they don't already have SVN access

Ask for:

  • Preferred wiki username. This will also be the user's git username, so legal name would be reasonable
  • Preferred email address
  • Their preferred shell account name (1 to 17 numbers and lower case ASCII letters, as well as the . (full stop), - (hyphen-minus) and _ (low line) characters)

Then either:

  • Recommended: just get the accountcreators power from Ryan Lane, Sara Smollett or Daniel Zahn (Mutante) and then create the user's account using Special:CreateAccount and choose "By email" to send the user a password
  • Make an LDAP user on formey and then follow the instructions for people who have SVN accounts (above)