Closed Bug 1048383 Opened 10 years ago Closed 10 years ago

Hosting for Terminology Management System

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

x86
macOS
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gueroJeff, Unassigned)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/195] [vm-create:1][vm-delete:1])

We need a VM set up for a web-hosted terminology management system that internal staff can access externally. This is part of the necessary steps to evaluate the system's usefulness in the localization practices of Firefox OS and other projects. I'd prefer it to be a Windows machine with 4GB ram and 50GB free disk space. Please let me know if I can provide any additional info.
Alright - Externally - do you mean that this will need an externally accessible IP address to the world, or is VPN access sufficient? Depending on answers, further questions may be asked. Also, as always, need some details around hostname/vlan (if known) and access needs.
Hostname: ??.??.scl3.mozilla.com
OS: Windows
CPU 4GB
HDD: 50GB
Access: which VPN accounts will need access to RDP into this machine?
(In reply to Chris Knowles [:cknowles] from comment #1)
> Alright - Externally - do you mean that this will need an externally
> accessible IP address to the world, or is VPN access sufficient? Depending
> on answers, further questions may be asked.
VPN is sufficient for now.
>
> Also, as always, need some details around hostname/vlan (if known) and
> access needs.
>
> Hostname: terminator.private.scl3.mozilla.com
> OS: Windows
> CPU 4GB
> HDD: 50GB
> Access: which VPN accounts will need access to RDP into this machine?
Mine, Axel, Stephany. Anyone else Stephany?
Flags: needinfo?(swilkes)
Actually... I'm wondering about the VPN set-up. Does it need to be a VPN vs. a password URL? We have a few contractors who need to use this and who don't have Mozilla LDAP accounts.
(In reply to Stephany Wilkes from comment #3)
> Actually... I'm wondering about the VPN set-up. Does it need to be a VPN vs.
> a password URL? We have a few contractors who need to use this and who don't
> have Mozilla LDAP accounts.
Personally, I don't think it *needs* to be VPN. I would prefer LDAP-based password URL.
But if it's LDAP, contractors can't use it. :(
Sorry, I misread. Doesn't have to be LDAP based in my book. Plus, the purpose of this is primarily to allow the UX & l10n teams to evaluate the tool for implementation into the copy and l10n workflows. So if we need to change things later to begin implementing our own public instance of Terminator, that's fine.
Well, being Windows, as far as I know, it will at best be AD authenticated, and at worst be local windows authenticated. Default is local authentication. If AD authentication is a requirement, I can investigate what that would need. If it's internal, it will need VPN access for anyone to RDP into. Also, noticed you haven't mentioned a required version of Windows. I've currently got templates for 2k8r2, 2k12 and windows 8.
Hey Chris, Let's actually go with ubuntu 12.04 for this one too. Sorry for switching gears.
That grinding noise is me stripping out my clutch. So, just to reiterate:
Hostname: terminator1.private.scl3.mozilla.com
OS: Ubuntu12.04
CPU 1 ?? <- sound OK?
RAM 4GB ?? <- sound OK?
HDD: 50GB
Access: Jeff, Axel, Stephany <- which of these needs superuser rights?
Let me know the answers, and we'll get moving on this.
I need access, don't need superuser. Is there a way to give our contractors access? I do not want to be the gateway/middleware for contractors needing to access this system. :) Thanks!
Flags: needinfo?(swilkes)
OK, in addition to the CPU and RAM questions which are still outstanding, let's talk about access. Working with a linux box, we have two main paths for authentication. Usual method when dealing with employees or people with LDAP accounts is to submit a bug for the VPN access and access to the specific host - which is managed with puppet, allowing those configuration changes to be centrally managed. The other option, if dealing with people who are not LDAP enabled would be to either a) place it in the community vlan - if you wanted to have complete control over it, or b) the dmz vlan where IT would still be involved. Let me know what direction you would like to go in.
CPU and RAM specs are great for what we're trying to do with this. Thanks! I would like to still have IT involved, in case of any serious issues. My vote is for the dmz vlan.
Are you alright with the dmz vlan?
Flags: needinfo?(swilkes)
At this point, I've spun the VM in the DMZ, and was about to file the bug for you all to get the access you need, but seeing this, I'll hold off until I have a final answer with regards to VLAN. Let me know.
I don't feel like I know enough to make a call here. :) I know what a VLAN is, technically, but not how or if that helps our use cases. The use cases that are true of the people using this are:
* There are a lot of non-Mozilla contractors who will need access.
* Everyone is a Mac user, with rare exception.
If those cases are covered, I'm fine with whatever solution gets us there. :)
Flags: needinfo?(swilkes)
Alright - I'm going to need a second opinion here so that I don't accidentally put your machine in the wrong place. :limed - do you have an opinion here, specifically if the dmz vlan is the right spot for them, and how they would go about getting access to their non-moz contractors going forward? Or, if not that, who I might approach next?
Flags: needinfo?(limed)
Can we have it in the community Vlan for now? I understand it's a PoC which will be used for a while and its future is yet to be decided. We can give access for contractors using our Global VPN on a per destination host basis, that's easy. How do we handle authentication? We still use ssh keys, but I'd like to have it managed.
Well, in community, it won't be puppetized - so we'd have to (as I understand it) manually manage the SSH keys rather than the usual puppetization - though limed could likely speak better to that than I could.
Has anyone discussed this with limed through other channels and can provide an update?
Poked Michal in IRC just now to verify he's seen my update - limed and I are on a work week right now, so I will ask for his opinion. We are discussing longer term handling of community VMs - but that's likely not very helpful to *this* request.
Alright, spoke with limed - per opsec, we need to place this in the community vlan - however, at this time, as I stated, there isn't puppet support. I'm happy to place initial SSH keys for root access - you just need to provide them - however, after that the VM would be entirely under your control. We're currently discussing giving some rudimentary puppet config capabilities to community, but that's not a soon kind of thing. So --- do you have concerns with this model, and can you provide some ssh public keys for me to place on this VM?
I'm concerned about administrating it on our own, but I suppose it's something everyone's gotta learn sometime. Is there any internal reference material that I can turn to? I'll attach my ssh key here
Flags: needinfo?(limed)
Actually, I'll just paste it here: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT9YwoZe34+r7gd2TlccS/Q+40Rq7Ko7/Nd9CMApIz63jIDQVw2M+LBV20cSXreJ70PfpmgPDmZVTsKBN/gC/SBT7yL7C3oEBSBoFkevJUuWsHB3NT1evunU15SH865mV495Sg7sjY08Cx5NWQHeGqNVUko7/CVfuUM15xiKR9UdLNiFZW14Fkl24CMVpqLai5hGRANn6+2ga2RKKKdWc/cybJU7azafODQXX+C/hyvTdbZiVMbnL6qKfN48J7UK4F0K/QHK21yNDqOJRYImagiI4MBD0OJbIyhxliKxP51iiYcDTPUHzppPP29x2mFo27XFIrhcagPL7gHsWUWoDJ gueroJeff@MacBook-Pro-de-Jeff.local
I'll bring it to the OpSec weekly on Monday and provide an update.
Needinfo-ing cshields to approve it, but we'd rather have this system separated from production infrastructure.
Flags: needinfo?(cshields)
Jeff, Don't want to derail by asking this - but what app exactly will be running on this system? Maybe there's a better way we can help than just handing over an unmanaged VM.
Flags: needinfo?(jbeatty)
(In reply to Corey Shields [:cshields] from comment #26)
> Jeff,
>
> Don't want to derail by asking this - but what app exactly will be running
> on this system? Maybe there's a better way we can help than just handing
> over an unmanaged VM.
An open terminology management system called Terminator. https://github.com/translate/terminator
Flags: needinfo?(jbeatty)
In an email thread, webops is going to introduce Jeff to the Stackato PaaS for this app.
Assignee: server-ops-virtualization → server-ops-webops
Component: Server Operations: Virtualization → WebOps: Other
Flags: needinfo?(cshields)
Product: mozilla.org → Infrastructure & Operations
QA Contact: cshields → nmaul
Summary: VM for Terminology Management System → Hosting for Terminology Management System
Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/1209]
Was reminded of this, and that the terminator1.dmz vm still exists - no one's logged into it of course. I'm turning it off and will destroy in 1 week unless there's screaming to leave it on.
Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/1209] → [kanban:https://kanbanize.com/ctrl_board/4/1209] [vm-create:1]
I didn't remember a VM actually being created for this, as we'd determined to use paas instead. Feel free to delete.
VM removed, things cleaned up. Thanks for letting me know.
Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/1209] [vm-create:1] → [kanban:https://kanbanize.com/ctrl_board/4/1209] [vm-create:1][vm-delete:1]
Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/1209] [vm-create:1][vm-delete:1] → [kanban:https://webops.kanbanize.com/ctrl_board/2/195] [vm-create:1][vm-delete:1]
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard