Closed
Bug 1048383
Opened 10 years ago
Closed 10 years ago
Hosting for Terminology Management System
Categories
(Infrastructure & Operations Graveyard :: WebOps: Other, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gueroJeff, Unassigned)
Details
(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/195] [vm-create:1][vm-delete:1])
We need a VM set up for a web-hosted terminology management system that internal staff can access externally. This is part of the necessary steps to evaluate the system's usefulness in the localization practices of Firefox OS and other projects.
I'd prefer it to be a Windows machine with 4GB RAM and 50GB free disk space.
Please let me know if I can provide any additional info.
Comment 1•10 years ago
Alright - Externally - do you mean that this will need an externally accessible IP address to the world, or is VPN access sufficient? Depending on answers, further questions may be asked.
Also, as always, need some details around hostname/vlan (if known) and access needs.
Hostname: ??.??.scl3.mozilla.com
OS: Windows
CPU 4GB
HDD: 50GB
Access: which VPN accounts will need access to RDP into this machine?
Comment 2 (Reporter)•10 years ago
(In reply to Chris Knowles [:cknowles] from comment #1)
> Alright - Externally - do you mean that this will need an externally
> accessible IP address to the world, or is VPN access sufficient? Depending
> on answers, further questions may be asked.
VPN is sufficient for now.
>
> Also, as always, need some details around hostname/vlan (if known) and
> access needs.
>
> Hostname: terminator.private.scl3.mozilla.com
> OS: Windows
> CPU 4GB
> HDD: 50GB
> Access: which VPN accounts will need access to RDP into this machine?
Mine, Axel, Stephany. Anyone else Stephany?
Flags: needinfo?(swilkes)
Comment 3•10 years ago
Actually... I'm wondering about the VPN set-up. Does it need to be a VPN vs. a password URL? We have a few contractors who need to use this and who don't have Mozilla LDAP accounts.
Comment 4 (Reporter)•10 years ago
(In reply to Stephany Wilkes from comment #3)
> Actually... I'm wondering about the VPN set-up. Does it need to be a VPN vs.
> a password URL? We have a few contractors who need to use this and who don't
> have Mozilla LDAP accounts.
Personally, I don't think it *needs* to be VPN. I would prefer LDAP-based password URL.
Comment 5•10 years ago
But if it's LDAP, contractors can't use it. :(
Comment 6 (Reporter)•10 years ago
Sorry, I misread. Doesn't have to be LDAP based in my book.
Plus, the purpose of this is primarily to allow the UX & l10n teams to evaluate the tool for implementation into the copy and l10n workflows. So if we need to change things later to begin implementing our own public instance of Terminator, that's fine.
Comment 7•10 years ago
Well, being Windows, as far as I know, it will at best be AD authenticated, and at worst be local windows authenticated. Default is local authentication. If AD authentication is a requirement, I can investigate what that would need.
If it's internal, it will need VPN access for anyone to RDP into.
Also, noticed you haven't mentioned a required version of Windows. I've currently got templates for 2k8r2, 2k12 and windows 8.
Comment 8 (Reporter)•10 years ago
Hey Chris,
Let's actually go with ubuntu 12.04 for this one too. Sorry for switching gears.
Comment 9•10 years ago
That grinding noise is me stripping out my clutch.
So, just to reiterate:
Hostname: terminator1.private.scl3.mozilla.com
OS: Ubuntu12.04
CPU 1 ?? <- sound OK?
RAM 4GB ?? <- sound OK?
HDD: 50GB
Access: Jeff, Axel, Stephany <- which of these needs superuser rights?
Let me know the answers, and we'll get moving on this.
Comment 10•10 years ago
I need access, don't need superuser. Is there a way to give our contractors access? I do not want to be the gateway/middleware for contractors needing to access this system. :) Thanks!
Flags: needinfo?(swilkes)
Comment 11•10 years ago
OK, in addition to the CPU and RAM questions which are still outstanding, let's talk about access.
Working with a linux box, we have two main paths for authentication. Usual method when dealing with employees or people with LDAP accounts is to submit a bug for the VPN access and access to the specific host - which is managed with puppet, allowing those configuration changes to be centrally managed.
The other option, if dealing with people who are not LDAP enabled would be to either a) place it in the community vlan - if you wanted to have complete control over it, or b) the dmz vlan where IT would still be involved.
Let me know what direction you would like to go in.
Comment 12 (Reporter)•10 years ago
CPU and RAM specs are great for what we're trying to do with this. Thanks!
I would like to still have IT involved, in case of any serious issues. My vote is for the dmz vlan.
Comment 14•10 years ago
At this point, I've spun the VM in the DMZ, and was about to file the bug for you all to get the access you need, but seeing this, I'll hold off until I have a final answer with regards to VLAN. Let me know.
Comment 15•10 years ago
I don't feel like I know enough to make a call here. :) I know what a VLAN is, technically, but not how or if that helps our use cases.
The use cases that are true of the people using this are:
* There are a lot of non-Mozilla contractors who will need access.
* Everyone is a Mac user, with rare exception.
If those cases are covered, I'm fine with whatever solution gets us there. :)
Flags: needinfo?(swilkes)
Comment 16•10 years ago
Alright - I'm going to need a second opinion here so that I don't accidentally put your machine in the wrong place.
:limed - do you have an opinion here, specifically if the dmz vlan is the right spot for them, and how they would go about getting access to their non-moz contractors going forward? Or, if not that, who I might approach next?
Flags: needinfo?(limed)
Comment 17•10 years ago
Can we have it in the community Vlan for now? I understand it's a PoC which will be used for a while and its future is yet to be decided.
We can give access for contractors using our Global VPN on a per destination host basis, that's easy.
How do we handle authentication? We still use ssh keys, but I'd like to have it managed.
Comment 18•10 years ago
Well, in community, it won't be puppetized - so we'd have to (as I understand it) manually manage the SSH keys rather than the usual puppetization - though limed could likely speak better to that than I could.
Comment 19 (Reporter)•10 years ago
Has anyone discussed this with limed through other channels and can provide an update?
Comment 20•10 years ago
Poked Michal in IRC just now to verify he's seen my update - limed and I are on a work week right now, so I will ask for his opinion. We are discussing longer term handling of community VMs - but that's likely not very helpful to *this* request.
Comment 21•10 years ago
Alright, spoke with limed - per opsec, we need to place this in the community vlan - however, at this time, as I stated, there isn't puppet support.
I'm happy to place initial SSH keys for root access - you just need to provide them - however, after that the VM would be entirely under your control. We're currently discussing giving some rudimentary puppet config capabilities to community, but that's not a soon kind of thing.
So --- do you have concerns with this model, and can you provide some ssh public keys for me to place on this VM?
Comment 22 (Reporter)•10 years ago
I'm concerned about administrating it on our own, but I suppose it's something everyone's gotta learn sometime. Is there any internal reference material that I can turn to? I'll attach my ssh key here.
Flags: needinfo?(limed)
Comment 23 (Reporter)•10 years ago
Actually, I'll just paste it here:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT9YwoZe34+r7gd2TlccS/Q+40Rq7Ko7/Nd9CMApIz63jIDQVw2M+LBV20cSXreJ70PfpmgPDmZVTsKBN/gC/SBT7yL7C3oEBSBoFkevJUuWsHB3NT1evunU15SH865mV495Sg7sjY08Cx5NWQHeGqNVUko7/CVfuUM15xiKR9UdLNiFZW14Fkl24CMVpqLai5hGRANn6+2ga2RKKKdWc/cybJU7azafODQXX+C/hyvTdbZiVMbnL6qKfN48J7UK4F0K/QHK21yNDqOJRYImagiI4MBD0OJbIyhxliKxP51iiYcDTPUHzppPP29x2mFo27XFIrhcagPL7gHsWUWoDJ gueroJeff@MacBook-Pro-de-Jeff.local
Comment 24•10 years ago
I'll bring it up at the OpSec weekly on Monday and provide an update.
Comment 25•10 years ago
Needinfo-ing cshields to approve it, but we'd rather have this system separated from production infrastructure.
Flags: needinfo?(cshields)
Comment 26•10 years ago
Jeff,
Don't want to derail by asking this - but what app exactly will be running on this system? Maybe there's a better way we can help than just handing over an unmanaged VM.
Updated•10 years ago
Flags: needinfo?(jbeatty)
Comment 27 (Reporter)•10 years ago
(In reply to Corey Shields [:cshields] from comment #26)
> Jeff,
>
> Don't want to derail by asking this - but what app exactly will be running
> on this system? Maybe there's a better way we can help than just handing
> over an unmanaged VM.
An open terminology management system called Terminator.
https://github.com/translate/terminator
Flags: needinfo?(jbeatty)
Comment 28•10 years ago
In an email thread, webops is going to introduce Jeff to the Stackato PaaS for this app.
Assignee: server-ops-virtualization → server-ops-webops
Component: Server Operations: Virtualization → WebOps: Other
Flags: needinfo?(cshields)
Product: mozilla.org → Infrastructure & Operations
QA Contact: cshields → nmaul
Summary: VM for Terminology Management System → Hosting for Terminology Management System
Comment 29•10 years ago
Was reminded of this, and that the terminator1.dmz vm still exists - no one's logged into it of course. I'm turning it off and will destroy in 1 week unless there's screaming to leave it on.
Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/1209] → [kanban:https://kanbanize.com/ctrl_board/4/1209] [vm-create:1]
Comment 30 (Reporter)•10 years ago
I didn't remember a VM actually being created for this, as we'd determined to use paas instead. Feel free to delete.
Comment 31•10 years ago
VM removed, things cleaned up. Thanks for letting me know.
Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/1209] [vm-create:1] → [kanban:https://kanbanize.com/ctrl_board/4/1209] [vm-create:1][vm-delete:1]
Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/1209] [vm-create:1][vm-delete:1] → [kanban:https://webops.kanbanize.com/ctrl_board/2/195] [vm-create:1][vm-delete:1]
Updated•6 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard