Portal:Cloud VPS/Admin/Projects lifecycle

Revision as of 17:19, 20 August 2018 by imported>Arturo Borrero Gonzalez (→‎using CLI: make project create region-aware)

This page describes how Cloud VPS projects are supposed to be created and deleted, i.e., their lifecycle. In the OpenStack world, a project is known as a tenant.

Creating a new project

The operator/engineer in charge of creating a new project should follow these steps.

Prerequisites:

using horizon

Beware that horizon can be very slow.

  • get the admin role in OpenStack
  • jump to horizon https://horizon.wikimedia.org/
  • switch to the admin project (top left drop-down menu)
  • go to the identity zone https://horizon.wikimedia.org/identity/
  • press the 'New project' button and follow the steps.
  • amend quotas, if necessary (using the CLI or horizon?)
  • Communicate with the requester in the Phabricator task

using CLI

  • ssh to the corresponding control box (see deployments).
  • get root and source the novaenv.sh file
aborrero@labcontrol1001:~ $ sudo su
root@labcontrol1001:/home/aborrero# cd
root@labcontrol1001:~# source novaenv.sh
  • make sure the users requesting the project exist in LDAP
root@labcontrol1001:~# PYTHONIOENCODING=utf-8 openstack user list | grep -i user
| user                                   | User name                                                                                |
  • create the project:
root@labcontrol1001:~# openstack --os-region-name eqiad project create --enable --description "a dockerised wikibase infrastructure" newp
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| description | a dockerised wikibase infrastructure |
| domain_id   | default                              |
| enabled     | True                                 |
| id          | newp                                 |
| is_domain   | False                                |
| name        | newp                                 |
| parent_id   | default                              |
+-------------+--------------------------------------+
  • Modify quotas if required
  • Add users to roles:
root@labcontrol1001:~# openstack role add --user aborrero --project newp projectadmin
root@labcontrol1001:~# openstack role add --user aborrero --project newp user
root@labcontrol1001:~# openstack role add --user tarrow --project newp user
root@labcontrol1001:~# openstack role add --user tarrow --project newp projectadmin
root@labcontrol1001:~# openstack role assignment list --project newp --names
+--------------+---------------------------------+-------+--------------+--------+-----------+
| Role         | User                            | Group | Project      | Domain | Inherited |
+--------------+---------------------------------+-------+--------------+--------+-----------+
| projectadmin | Arturo Borrero Gonzalez@Default |       | newp@Default |        | False     |
| user         | Arturo Borrero Gonzalez@Default |       | newp@Default |        | False     |
| projectadmin | novaadmin@Default               |       | newp@Default |        | False     |
| user         | novaadmin@Default               |       | newp@Default |        | False     |
| observer     | Novaobserver@Default            |       | newp@Default |        | False     |
| projectadmin | Tarrow@Default                  |       | newp@Default |        | False     |
| user         | Tarrow@Default                  |       | newp@Default |        | False     |
+--------------+---------------------------------+-------+--------------+--------+-----------+
  • Communicate with the requester in the Phabricator task
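
The role assignment listing above is the last chance to confirm that the new project carries only the grants that were requested. The following check is an added example, not part of the original page or of the Cloud VPS tooling: it compares that table with the requested grants plus a baseline of service accounts. The names `audit_roles`, `sample_table`, `BASELINE` and `REQUESTED` are hypothetical, and treating the novaadmin and Novaobserver grants as an expected baseline is an assumption drawn from the sample output. Note that `--names` prints the display name with its domain (user aborrero appears as "Arturo Borrero Gonzalez@Default"), so the requested grants are written in that form.

```bash
# Assumption: these service-account grants, which appear in the page's sample
# output without being added by hand, are expected on every new project.
BASELINE='projectadmin|novaadmin@Default
user|novaadmin@Default
observer|Novaobserver@Default'
# Grants asked for in the request, written as --names prints them.
REQUESTED='projectadmin|Arturo Borrero Gonzalez@Default
user|Arturo Borrero Gonzalez@Default
projectadmin|Tarrow@Default
user|Tarrow@Default'
# audit_roles "<requested grants, one role|user per line>" < table on stdin
# Prints UNEXPECTED / MISSING lines and returns 1 if the table differs.
audit_roles() {
    EXPECTED=$(printf '%s\n%s\n' "$BASELINE" "$1") awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN {
            n = split(ENVIRON["EXPECTED"], e, "\n")
            for (i = 1; i <= n; i++) if (e[i] != "") want[e[i]] = 1
        }
        /^\|/ {                        # data rows; border rows start with +
            role = trim($2); user = trim($3)
            if (role == "Role") next   # header row
            key = role "|" user
            if (key in want) seen[key] = 1
            else { print "UNEXPECTED " key; bad = 1 }
        }
        END {
            for (k in want) if (!(k in seen)) { print "MISSING " k; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample input: the table from the page's example output.
sample_table() {
    cat <<'EOF'
+--------------+---------------------------------+-------+--------------+--------+-----------+
| Role         | User                            | Group | Project      | Domain | Inherited |
+--------------+---------------------------------+-------+--------------+--------+-----------+
| projectadmin | Arturo Borrero Gonzalez@Default |       | newp@Default |        | False     |
| user         | Arturo Borrero Gonzalez@Default |       | newp@Default |        | False     |
| projectadmin | novaadmin@Default               |       | newp@Default |        | False     |
| user         | novaadmin@Default               |       | newp@Default |        | False     |
| observer     | Novaobserver@Default            |       | newp@Default |        | False     |
| projectadmin | Tarrow@Default                  |       | newp@Default |        | False     |
| user         | Tarrow@Default                  |       | newp@Default |        | False     |
+--------------+---------------------------------+-------+--------------+--------+-----------+
EOF
}
sample_table | audit_roles "$REQUESTED" && echo "grants match the request"
```

On the control box, the live output of the role assignment list command would be piped in place of `sample_table`.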

Deleting a project

Project deletion tends to leave orphaned resources lying about. Eventually this should all be handled by Designate or Keystone hooks, but until then:

  1. Make sure there are no instances in the project. This can be done in Horizon or via the command line:
    $ OS_TENANT_NAME=<project> openstack server list
    $ OS_TENANT_NAME=<project> openstack server delete <instance id>
    
  2. Make sure there are no DNS zones allocated to the project. This can be done in Horizon or via the command line:
    $ OS_TENANT_NAME=puppet openstack zone list
    $ OS_TENANT_NAME=puppet openstack zone delete <zone id>
    
  3. Delete any proxies the project may have via Horizon
  4. Delete any prefix- or project-wide puppet configurations via Horizon
  5. Finally, delete the project using Horizon or the command line. If using Horizon, set your current project to 'Admin' and then delete the project using the Identity->Projects panel.

History

In previous versions of Cloud VPS, the whole project lifecycle was handled via Wikitech itself, with some custom MediaWiki plugins hooking into the OpenStack API. This was eventually replaced by Horizon, which can handle all the operations by itself.

See also