
Difference between revisions of "Proxy access to cluster"

imported>RobH
 
imported>Alex Monk
Line 1: Line 1:
Presently we do not have any kind of VPN access to our cluster (or labs).  The preferred method by many Ops folks for accessing the web interfaces on these is via SSH -D option and [https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ FoxyProxy].
Presently we do not have any kind of VPN access to our cluster (or labs).  The preferred method by many Ops folks for accessing the web interfaces on these is via SSH -D option and [https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ FoxyProxy].
Some parts of these instructions are already documented on [https://labsconsole.wikimedia.org/wiki/Main_Page Labsconsole].


This document will outline how to setup this method of access.  This method uses Firefox and the FoxyProxy addon linked above.
This document will outline how to setup this method of access.  This method uses Firefox and the FoxyProxy addon linked above.
Line 10: Line 8:


* Setup your SSH -D sessions.
* Setup your SSH -D sessions.
:* You will need a session for each instance you wish to access: eqiad/pmtpa/sdtpa all use a single connection, labs needs a connection, and esams needs a connection.
:* You will need a session for each cluster you wish to access: production needs a connection, labs needs a connection
::* It is suggested you load up a screen session, create two new windows, and load each SSH session into its own window.  To do this run the following in terminal:
::* It is suggested you load up a screen session, create two new windows, and load each SSH session into its own window.  To do this run the following in terminal:
   screen
   screen
   ssh-add <path to your key for main cluster / esams>
   ssh-add <path to your key for main cluster>
   ssh fenari.wikimedia.org -D 8080 (or bast1001)
   ssh bast1001.wikimedia.org -D 8080 # or hooft, or for ops: iron, bast2001 or bast4001
   Ctrl+a c (creates new screen window)
   # Ctrl+a c (creates new screen window)
   ssh-add <path to your key for labs>
   ssh-add <path to your key for labs>
   ssh bastion-restricted1 -D 8081
   ssh bastion.wmflabs.org -D 8081 # or bastion-restricted for ops
  Ctrl+a c (creates new screen window)
   # Ctrl+a d (disconnects you from the screen sessions, allowing you to close or otherwise use terminal)
  ssh-add <path to your key for main cluster / esams>
  ssh lily.esams.wikimedia.org -D 8082
   Ctrl+a d (disconnects you from the screen sessions, allowing you to close or otherwise use terminal)


* Now when you load up the url patterns in the FoxyProxy settings, it will direct those URLs via your SSH tunnel to the correct cluster over the specified ports.
* Now when you load up the url patterns in the FoxyProxy settings, it will direct those URLs via your SSH tunnel to the correct cluster over the specified ports.
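Review bot: The two ssh-add steps load the production key and the labs key into whatever agent the screen windows share, so each bastion can be offered both keys. Consider starting a separate agent per window, or selecting the key per connection with ssh -i <path to key> -o IdentitiesOnly=yes, and saying so in this block rather than only in the OS X note. It would also help to write the forward as -D 127.0.0.1:8080 (and 8081) so the loopback-only binding is explicit and does not depend on the local GatewayPorts setting.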
Line 28: Line 23:
The FoxyProxy URL patterns are listed below for ease of use, some are inclusive of others, but FoxyProxy in the past had some odd issues with them, so I find it best to just leave them all in the individual rulesets to eliminate potential issues.
The FoxyProxy URL patterns are listed below for ease of use, some are inclusive of others, but FoxyProxy in the past had some odd issues with them, so I find it best to just leave them all in the individual rulesets to eliminate potential issues.


Some of the patterns I use are inclusive of the others, mostly because I happened to setup mgmt and didnt bother with non-mgmt for awhile.  So you could always clean it up and remove the stuff that is duplication due to pattern matching:
Some of the patterns I use are inclusive of the others, mostly because I happened to setup mgmt and didn't bother with non-mgmt for awhile.  So you could always clean it up and remove the stuff that is duplication due to pattern matching:


  eqiad mgmt = *.mgmt.eqiad.wmnet*
  eqiad mgmt = *.mgmt.eqiad.wmnet*
pmtpa mgmt = *.mgmt.pmtpa.wmnet*
pmtpa local = *.pmtpa.wmnet*
  eqiad local = *.eqiad.wmnet*
  eqiad local = *.eqiad.wmnet*
  esams mgmt = *.mgmt.esams.wmnet*
  esams mgmt = *.mgmt.esams.wmnet*
  esams local = *.esams.wmnet*
  esams local = *.esams.wmnet*
  labs = *.pmtpa.wmflabs*
codfw mgmt = *.mgmt.codfw.wmnet*
 
codfw local = *.codfw.wmnet*
 
ulsfo mgmt = *.mgmt.ulsfo.wmnet*
[[Category:How-To]]
ulsfo local = *.ulsfo.wmnet*
  labs = *.eqiad.wmflabs*
[[Category:How-To]]
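Review bot: The esams mgmt and esams local patterns stay in this list, and codfw and ulsfo patterns are added, but the previous hunk removes the esams tunnel on port 8082 and leaves only the 8080 and 8081 sessions. The list should say which port each pattern group routes through now, so a reader who imports it does not end up with esams rules pointing at a proxy that no longer exists. Also note that every pattern ends in a bare * directly after the hostname suffix, which matches longer hostnames as well as paths; ending them in /* would be tighter if the rule format allows it.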

Revision as of 01:59, 4 July 2015

Presently we do not have any kind of VPN access to our cluster (or labs). The method preferred by many Ops folks for accessing the web interfaces on these is the SSH -D option (dynamic SOCKS forwarding) together with FoxyProxy.

This document outlines how to set up this method of access. It uses Firefox and the FoxyProxy addon linked above.

  • Install Firefox and FoxyProxy.
  • Download the FoxyProxy ruleset here.
  • In FoxyProxy settings, alternate click in the main window and select Import, then choose the wmf_foxyproxy_settings file you just downloaded.
  • Set up your SSH -D sessions.
    • You will need a session for each cluster you wish to access: production needs a connection, and labs needs a connection.
      • It is suggested that you start a screen session, create two new windows, and run each SSH session in its own window. To do this, run the following in a terminal:
 screen
 ssh-add <path to your key for main cluster>
 ssh bast1001.wikimedia.org -D 8080 # or hooft, or for ops: iron, bast2001 or bast4001
 # Ctrl+a c (creates new screen window)
 ssh-add <path to your key for labs>
 ssh bastion.wmflabs.org -D 8081 # or bastion-restricted for ops
 # Ctrl+a d (disconnects you from the screen sessions, allowing you to close or otherwise use terminal)
  • Once the URL patterns are loaded in the FoxyProxy settings, FoxyProxy sends matching URLs through your SSH tunnel to the correct cluster on the specified port.
  • Please note that if you use OS X, you may want to run 'exec ssh-agent bash' in each of your terminal screen sessions before adding your SSH key, so that each session has its own agent and keys are not shared across sessions.

The FoxyProxy URL patterns are listed below for ease of use. Some are inclusive of others, but FoxyProxy has had some odd issues with them in the past, so I find it best to leave them all in the individual rulesets to eliminate potential issues.

Some of the patterns I use are inclusive of the others, mostly because I happened to set up mgmt and didn't bother with non-mgmt for a while. You could always clean the list up and remove the entries that are duplicated by pattern matching:

eqiad mgmt = *.mgmt.eqiad.wmnet*
eqiad local = *.eqiad.wmnet*
esams mgmt = *.mgmt.esams.wmnet*
esams local = *.esams.wmnet*
codfw mgmt = *.mgmt.codfw.wmnet*
codfw local = *.codfw.wmnet*
ulsfo mgmt = *.mgmt.ulsfo.wmnet*
ulsfo local = *.ulsfo.wmnet*
labs = *.eqiad.wmflabs*
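
The overlap between these patterns can be checked mechanically before cleaning the list up. The following is an added example, not part of the original page or of FoxyProxy's code; it assumes patterns are matched against the full URL with `*` matching any run of characters, and that the wmnet rules use port 8080 and the labs rule port 8081, as in the tunnel setup above.

```python
import re

# Patterns copied from the list above. The port column is an assumption taken
# from the two tunnels in the procedure: 8080 = production, 8081 = labs.
RULES = [
    ("eqiad mgmt", "*.mgmt.eqiad.wmnet*", 8080),
    ("eqiad local", "*.eqiad.wmnet*", 8080),
    ("esams mgmt", "*.mgmt.esams.wmnet*", 8080),
    ("esams local", "*.esams.wmnet*", 8080),
    ("codfw mgmt", "*.mgmt.codfw.wmnet*", 8080),
    ("codfw local", "*.codfw.wmnet*", 8080),
    ("ulsfo mgmt", "*.mgmt.ulsfo.wmnet*", 8080),
    ("ulsfo local", "*.ulsfo.wmnet*", 8080),
    ("labs", "*.eqiad.wmflabs*", 8081),
]

def to_regex(pattern):
    """Compile a wildcard pattern; '*' matches any run of characters."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.DOTALL)

def route(url):
    """Return (rule name, SOCKS port) for the first matching rule, else None."""
    for name, pattern, port in RULES:
        if to_regex(pattern).match(url):
            return name, port
    return None  # no rule matched: the browser connects directly

def subsumes(general, specific):
    """True if every URL matched by `specific` is also matched by `general`."""
    # Stand in for each '*' of `specific` with a byte no literal contains; only
    # a '*' of `general` can absorb it, so a match proves containment.
    return bool(to_regex(general).match(specific.replace("*", "\x00")))

def redundant_rules():
    """Names of rules already covered by another rule on the same port."""
    return [name for name, pat, port in RULES
            if any(other != pat and port == oport and subsumes(other, pat)
                   for _, other, oport in RULES)]

if __name__ == "__main__":
    print("redundant:", redundant_rules())
    # Constructed URLs for illustration, not real hosts.
    for url in ("https://host1.mgmt.codfw.wmnet/", "http://tool.eqiad.wmflabs/x",
                "https://host.eqiad.wmnet.example.org/", "https://example.org/"):
        print(url, "->", route(url))
```

The third constructed URL is routed through the production tunnel because the trailing `*` follows the hostname suffix directly; under the same matching assumption, a pattern ending in `.wmnet/*` would not match it.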