Difference between revisions of "Proxy access to cluster"

From Wikitech-static
Older revision: imported>RobH
Newer revision: imported>Quiddity, m (fixes)
(8 intermediate revisions by 7 users not shown)
Older revision:

Presently we do not have any kind of VPN access to our cluster (or labs). The preferred method by many Ops folks for accessing the web interfaces on these is via the SSH -D option and [https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ FoxyProxy].

Some parts of these instructions are already documented on [https://labsconsole.wikimedia.org/wiki/Main_Page Labsconsole].

This document will outline how to set up this method of access. This method uses Firefox and the FoxyProxy addon linked above.

* Install Firefox and FoxyProxy.
:* Download the FoxyProxy ruleset [http://wikitech.wikimedia.org/files/wmf_foxyproxy_settings here].
:* In FoxyProxy settings, right-click (alternate click) in the main window and select Import, then choose the wmf_foxyproxy_settings file you just downloaded.
* Set up your SSH -D sessions.

Newer revision:

This page documents how to '''access web services on private hosts'''.

Presently, there is no VPN access to Wikimedia Foundation's production cluster. [[Portal:Cloud VPS|Cloud VPS]] does not provide this either.

== Tunnel ==
The example below exposes the web service on <code>analytics1001.eqiad.wmnet:8088</code> on your localhost as https://localhost:9088 (use http:// instead if the service speaks plain HTTP). <code>-N</code> opens no remote shell; the session exists only to carry the forward.<syntaxhighlight lang="bash">
ssh -N bast1002.wikimedia.org -L 9088:analytics1001.eqiad.wmnet:8088
</syntaxhighlight>The management network is reachable only from <code>cumin1001</code> and <code>sarin</code>, so forward through one of those, for example:

<code>ssh -L 8000:scs-eqsin.mgmt.eqsin.wmnet:443 cumin1001.eqiad.wmnet</code>

Pointing your web browser at https://localhost:8000 will then show you (in this example) https://scs-eqsin.mgmt.eqsin.wmnet. Expect a certificate warning: the management host's certificate is issued for its own name, not for localhost.

If you need to reach an HTTP port (e.g. 80), use http://localhost:8000 instead and, correspondingly, <code>:80</code> in the ssh command.
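The forwarding recipe above, as an added shell example (not code from this wiki page): it composes the <code>ssh -L</code> command with two safety options the page's one-liners omit, derives the local URL to open, and checks that the local port is actually listening before you point the browser at it. The host names are the page's; the scheme-by-port rule and the loopback-only bind are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the wiki page: compose and sanity-check an
# "ssh -L" forward to a private web service through a bastion.
set -eu

# Guess the scheme the browser must use from the remote port.
# Assumption of this example: 443 and 8443 are TLS, everything else is plain HTTP.
scheme_for_port() {
  case "$1" in
    443|8443) echo https ;;
    *)        echo http ;;
  esac
}

# Build the ssh command. Two options the page's one-liners leave out:
#  -o ExitOnForwardFailure=yes  ssh exits instead of leaving a session with no forward
#  127.0.0.1:<lport>            bind the listener to loopback only, so nobody else
#                               on your network can ride the forward into the cluster
tunnel_cmd() {
  local bastion=$1 target=$2 rport=$3 lport=$4
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
    "$lport" "$target" "$rport" "$bastion"
}

# The URL to open on the workstation for a given forward.
local_url() {
  local rport=$1 lport=$2
  printf '%s://localhost:%s\n' "$(scheme_for_port "$rport")" "$lport"
}

# True if something accepts connections on the local port (bash /dev/tcp,
# so it needs no nc/ss). Run it after starting the tunnel, before the browser.
port_open() {
  (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null
}

# Usage with the page's targets.
tunnel_cmd bast1002.wikimedia.org analytics1001.eqiad.wmnet 8088 9088
tunnel_cmd cumin1001.eqiad.wmnet scs-eqsin.mgmt.eqsin.wmnet 443 8000
local_url 443 8000
local_url 80 8000
if port_open 8000; then echo "forward on 8000 is up"; else echo "nothing listening on 8000 yet"; fi
```

Run the printed <code>ssh</code> line in one terminal, then <code>port_open</code> in another; only when it reports the port up is the browser URL worth opening.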
Older revision (continued):

:* You will need a session for each instance you wish to access: eqiad/pmtpa/sdtpa all use a single connection, labs needs a connection, and esams needs a connection.
::* It is suggested you load up a screen session, create two new windows, and load each SSH session into its own window. To do this, run the following in a terminal:
  screen
  ssh-add <path to your key for main cluster / esams>
  ssh fenari.wikimedia.org -D 8080 (or bast1001)
  Ctrl+a c (creates new screen window)
  ssh-add <path to your key for labs>
  ssh bastion-restricted1 -D 8081
  Ctrl+a c (creates new screen window)
  ssh-add <path to your key for main cluster / esams>
  ssh lily.esams.wikimedia.org -D 8082
  Ctrl+a d (detaches you from the screen session, allowing you to close or otherwise use the terminal)
* Now when you load up the URL patterns in the FoxyProxy settings, it will direct those URLs via your SSH tunnel to the correct cluster over the specified ports.
* Please note that if you use OS X, you may want to run 'exec ssh-agent bash' in your terminal screen sessions before adding your SSH key, to ensure they are independently keyed and not shared across sessions.

The FoxyProxy URL patterns are listed below for ease of use. Some are inclusive of others, but FoxyProxy in the past had some odd issues with them, so I find it best to just leave them all in as individual rulesets to eliminate potential issues.

Some of the patterns I use are inclusive of the others, mostly because I happened to set up mgmt first and didn't bother with non-mgmt for a while. So you could always clean it up and remove the duplication due to pattern matching:
  eqiad mgmt = *.mgmt.eqiad.wmnet*
  pmtpa mgmt = *.mgmt.pmtpa.wmnet*
  pmtpa local = *.pmtpa.wmnet*
  eqiad local = *.eqiad.wmnet*
  esams mgmt = *.mgmt.esams.wmnet*
  esams local = *.esams.wmnet*
  labs = *.pmtpa.wmflabs*

Newer revision (continued):

== FoxyProxy ==
The preferred method by Ops for accessing the web interfaces on private nodes is via the <code>-D</code> option of SSH in combination with [https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ FoxyProxy].

This document will outline how to set up this method of access. This method uses Firefox and the FoxyProxy addon linked above.

# Install Firefox and FoxyProxy.
# Set up an ssh -D session for the cluster(s) you need access to. (Repeat this as needed.)<syntaxhighlight lang="bash">
screen
ssh cumin1001.eqiad.wmnet -D 8080 #cumin hosts have full mgmt vlan access
# Ctrl+a c (creates new screen window)
# Ctrl+a d (disconnects you from the screen session, allowing you to close or otherwise use terminal)</syntaxhighlight>
# Now when you load up the URL patterns in the FoxyProxy settings, it will direct those URLs via your SSH tunnel to the correct cluster over the specified ports. <code>-D</code> opens a SOCKS proxy on localhost, so the browser must resolve host names through the proxy (Firefox's "Proxy DNS when using SOCKS v5" option, or the equivalent setting on the FoxyProxy proxy entry): <code>.wmnet</code> names are not resolvable from your workstation.
# Please note that if you use OS X, you may want to run 'exec ssh-agent bash' in your terminal screen sessions before adding your SSH key, to ensure they are independently keyed and not shared across sessions.

Patterns to route to localhost:8080:
  *.wmnet
  10.*
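The routing rule sets above (the per-datacentre patterns of the older revision and the two-pattern set of the newer one), as an added shell example that is not part of this wiki page: it reproduces the FoxyProxy decision for the newer revision's rules so the set can be checked before you rely on it, shows why a bare <code>10.*</code> wildcard is looser than intended, and builds a <code>curl</code> command that exercises the <code>ssh -D</code> listener with proxy-side DNS. The proxy address and the <code>10.64.0.1</code> sample are constructed for the example.

```bash
#!/bin/sh
# Added example, not from the wiki page: reproduce the FoxyProxy routing
# decision so a rule set can be checked before you rely on it, and build a
# curl command that exercises the ssh -D tunnel with proxy-side DNS.
set -eu

SOCKS=socks5://127.0.0.1:8080   # the "ssh -D 8080" listener from the page

# Which proxy a host should go to, mirroring the page's two patterns
# (*.wmnet and 10.*). Prints DIRECT when no rule matches.
route_for_host() {
  host=$1
  case "$host" in
    *.wmnet) echo "$SOCKS" ;;
    *)
      # A literal "10.*" wildcard also matches public names such as
      # 10.example.com, which would then be sent down the tunnel, so
      # accept only a dotted quad in 10/8.
      if printf '%s\n' "$host" | grep -Eq '^10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'; then
        echo "$SOCKS"
      else
        echo DIRECT
      fi ;;
  esac
}

# Host part of scheme://host[:port]/path
url_host() {
  rest=${1#*://}
  rest=${rest%%/*}
  echo "${rest%%:*}"
}

route_for_url() { route_for_host "$(url_host "$1")"; }

# Connectivity check through the tunnel. --socks5-hostname hands the
# unresolved name to the proxy, which is exactly what the browser must do
# (Firefox: "Proxy DNS when using SOCKS v5"); .wmnet does not resolve locally.
# Only the HTTP status code is printed.
socks_check_cmd() {
  printf 'curl -sS -o /dev/null -w "%%{http_code}\\n" --socks5-hostname %s %s\n' \
    "${2#socks5://}" "$1"
}

# Usage: a mgmt host, a constructed 10/8 address, a public host that a bare
# "10.*" wildcard would wrongly capture, and an unrelated public site.
route_for_url "https://scs-eqsin.mgmt.eqsin.wmnet/"
route_for_url "http://10.64.0.1:8088/cluster"
route_for_url "https://10.example.com/"
route_for_url "https://en.wikipedia.org/"
socks_check_cmd "https://scs-eqsin.mgmt.eqsin.wmnet/" "$SOCKS"
```

If the printed <code>curl</code> line returns a status code, both the tunnel and proxy-side name resolution work; a "Could not resolve host" error with the browser, but not with curl, means the FoxyProxy entry is not sending DNS through the SOCKS proxy.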


== See also ==
* [[Production shell access#SSH configuration]]


[[Category:How-To]]

Latest revision as of 19:02, 4 September 2021