Closed Bug 569743 Opened 15 years ago Closed 15 years ago

Need a publicly accessible VM created for prototype message broker / event system (pulse.mozilla.[com|org])

Categories

(mozilla.org Graveyard :: Server Operations, task)

x86
macOS
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: christian, Assigned: fox2mike)

References

Details

Some background about the system: Mozilla currently has a ton of different systems that are inter-connected via polling, screen scraping, email, and other brittle methods. Many systems don't even export important data for others to scrape and use. To make their lives easier, community members often build tools on top of this house of cards, adding yet another level of scraping and polling. I have been prototyping a message broker / event system tentatively titled "Mozilla Pulse". The goal is to eliminate polling and add visibility into all aspects of Mozilla and its systems. This allows more robust, dynamic, and informative tools. I'll be doing a talk on the prototype at the summit and would like the system to be publicly accessible so MoCo and community members can play around and give feedback. I'm not sure what the resource requirements will be. The actual system itself is just one daemon that uses little CPU. I do know memory is usually the bottleneck as it holds the message queues in memory, but I have been running it on my laptop fine. Also I am unsure what the network load will be, as it will vary with the amount of producers, consumers, and the messages that are pumped through. I don't anticipate the network load to be of any concern during this trial period though.

VM Requirements:
* Linux (w/ root access). I have the prototype running on OS X though, so no real hard requirement on Linux
* Standard ports (80, etc) and ports 61613 (STOMP) and 5672 (AMQP) available to the world
* (optional) hostname set up to pulse.mozilla.(com/org). I can just use the IP if this is an issue for now.

Thanks!
Christian, Would you need this to be publicly accessible or within the VPN is okay? For the initial setup, I can put it on the VPN, but if it has to go public, it needs to be reviewed by infrasec.
Assignee: server-ops → shyam
I would need it to be publicly accessible to be useful to others. I can set it all up via VPN and test using local consumers initially though. Once it is up I'll get infrasec to review so others can use it. It should be a fairly trivial review as it'll pretty much be standard ports + 2 extra ports and really only two publicly-facing daemons (both of which are off-the-shelf/open source, apache and RabbitMQ).
On the off chance that it eases sec review - this needs to be publicly accessible, but doesn't need privileged access to other mozilla systems right now, does it? I mean, eventually it would be nice to live close to buildbot et al, but right now this could live in the outside world, as unprivileged as any third party site, no? Dunno if that helps with infrasec review, but it's worth noting regardless, I think!
If it doesn't depend on anything that's internal to MoCo, I can just put this on a Rackspace VM and open it up to the world.
I hoped as much! If Christian needs internal access, infrasec totally makes sense, but I think that can be round 2 - the stuff he's doing right now is all available from public systems.
Alright, cool. I'll set up something during my day tomorrow and update the bug.
(In reply to comment #3)
> Dunno if that helps with infrasec review, but it's worth noting regardless, I
> think!

Yes, this helps; we don't really need to review it if it doesn't touch the internal network.
I'd only advocate Rackspace if we need it fast and don't have time for a review. Otherwise, it's not worth the expense of off-site hosting when it's essentially free in-house. It'll likely go on Vlan74, the "dmz" on which are other machines.
Yes, I am not using any VPN connections to get the information the system requires. Eventually we might want to move it closer for bandwidth/latency reasons but for now everything the system relies on is public. Data I am currently using:
* Bugzilla REST API (public)
* hg RSS feed (public)
* http://build.mozilla.org/builds/builds-4hr.js (public)
* tinderbox (public)

Eventually I'll want buildbot and such to be able to send information to this system directly. I'm not sure if the best way is to move the event system in or poke holes for existing systems out, but that can be decided later I'm sure.
*ping* Do you need any additional information from me?
Christian, apologies for the delay! I'm getting the VM installed as I write this...will update the bug with hostname and other details once that's done. I'm setting this up in MPT, as per comment #8. So your access for the time being is via the VPN.
Christian, dm-pulse01.mozilla.org is now up and running and you can log in as root with your ssh keys. Set up what you need on the box and toss a bug over to infrasec for a review, after which we can make it public.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Ok, thanks!
I think I am ready for the infrasec review...
Assignee: shyam → clyon
(In reply to comment #14)
> I think I am ready for the infrasec review...

Adding in mcoates. Couple of questions: Shouldn't this host be listening on port 80? I am looking for the "publicly accessible" portion; can you point us in that direction? Also, we might want to create a separate bug for the review.
Yes, please create a separate bug to request the security review. Within that new bug please answer the following questions:
1. A quick intro to what this app does.
2. Where is the source code located?
3. Is there a stage server running that I can also test against? If so, please let me know what machine the web server is running on.
4. Where would you like the bugs filed in bugzilla? I need to know the product, component and if anyone specific should be copied on the bugs.
5. Please describe if this app will be connecting to any internal or external services or if it is able to integrate with the OS.
6. Does this app support logins or multiple roles? If so, I'll need test accounts created for each available role.
7. There are two other security reviews ahead of this one in my queue. I won't be able to start until next week. Will this work with your schedule? When does this need to be completed?
(In reply to comment #14)
> I think I am ready for the infrasec review...

Just checking in, is this site still moving forward? Are you ready for the infrasec review? If so, please follow comment #16.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Yep, just getting my information together. I'll write another bug, we can close this out as the VM is set up.
Status: REOPENED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
As a side note Christian, before this goes live (which will need a bug) I'll revoke your root access and set up LDAP-based access on the box and give you sudo on it, so you can maintain it as needed.
Assignee: clyon → shyam
Blocks: 575727
Wrote bug 575727.
Thanks Shyam, that should be fine. Do I need to clear out root's home? I don't have anything I need in there I think.
Nah, that's alright. I'll take a look before it goes live.
Err, I guess I'll reopen this one now that the infrasec review passed. I'd like people not behind the VPN to be able to access the server. If that should be another bug, just let me know and I'll write it. Thanks!
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to comment #24)
> ping?

Infrasec review is completed per bug 575727. Adding in dmoore for the IT ops side; fox2mike is in Canada, unsure of his availability.
Assignee: shyam → dmoore
Any hope of getting this public today or tomorrow? Thanks!
Assignee: dmoore → shyam
What exactly is it that you want public here? As far as I can see, there is no webapp running on Apache? http://dm-pulse01.mozilla.org/ returns the apache test page... If you just wanted the specified ports open and accessible, I'm not sure if that'll be done before tomorrow. Most of IT will be in transit b/w SFO and Whistler. We can try, but please do tell me what you need public. Neither this bug nor the infrasec bug is clear about that and I can't do much without that info.
Sorry: port 80 for the web page docs I am going to throw up there, 5672 & 5671 (AMQP standard ports), 61613 (STOMP standard port).
Probably no hope for this by tomorrow, though if I could get this done by then it would be amazing.
Unfortunately, my knowledge of the Cisco ACE is fairly limited, so I'm punting this to Derek. He's around at the summit and (hopefully) will get to it before tomorrow.
Assignee: shyam → dmoore
mrz has helped, I'm doing this now.
Assignee: dmoore → shyam
Thanks so much! Once it's up I'll verify everything works as expected.
All done. You still have the apache test page up on 80 though, but the requested ports are open.
Status: REOPENED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
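Once the requested ports are opened on a DMZ host like this, the check a practitioner wants is that nothing *beyond* the agreed set (80, 5671, 5672, 61613) is listening on a wildcard address. The script below is an added example, not part of this bug or of Mozilla's tooling: it parses a constructed sample of `ss -ltn` output (the format is assumed) and reports ports exposed to the world that were never requested, requested ports that are not actually listening, and services bound only to loopback.

```python
"""Compare a host's listening TCP sockets against the ports requested
for public exposure in this bug. Added example, not the project's own
code; the `ss -ltn` sample below is constructed, not captured from
dm-pulse01."""
import re

# Ports the bug asked to open on the public side:
# 80 (docs page), 5671/5672 (AMQP), 61613 (STOMP).
REQUESTED_PORTS = {80, 5671, 5672, 61613}

# Addresses that mean "listen on every interface".
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample of `ss -ltn` output (assumed column layout).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*
LISTEN  0       128     127.0.0.1:25        0.0.0.0:*
LISTEN  0       128     0.0.0.0:5672        0.0.0.0:*
LISTEN  0       128     [::]:61613          [::]:*
"""

# One LISTEN row: state, queues, then "addr:port" of the local socket.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+", re.M)


def parse_listeners(ss_output):
    """Return {port: set(local addresses)} for every LISTEN row."""
    listeners = {}
    for match in LISTEN_RE.finditer(ss_output):
        addr, port = match.group(1), int(match.group(2))
        listeners.setdefault(port, set()).add(addr)
    return listeners


def classify(listeners, requested):
    """Split listening ports into the three buckets an operator cares about."""
    exposed = {p for p, addrs in listeners.items() if addrs & WILDCARD_ADDRS}
    return {
        # Listening on all interfaces but never requested: needs a firewall
        # rule or a bind address fix before the host is reachable publicly.
        "unexpected_public": sorted(exposed - requested),
        # Requested but nothing is bound there: the service isn't up yet.
        "missing": sorted(requested - exposed),
        # Bound to loopback only: fine, just informational.
        "local_only": sorted(p for p in listeners if p not in exposed),
    }


if __name__ == "__main__":
    report = classify(parse_listeners(SAMPLE_SS_OUTPUT), REQUESTED_PORTS)
    for bucket, ports in report.items():
        print(f"{bucket}: {ports}")
```

On the constructed sample, sshd on 22 shows up as an unexpected public listener (in this bug it was reachable via the VPN, which the wildcard bind alone does not tell you), 5671 is reported missing because nothing was bound to it, and the loopback-only mail port is listed as local only. On a real host replace `SAMPLE_SS_OUTPUT` with the output of `ss -ltn`.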
Do I need to wait for DNS to update? It's been an hour and I don't see the apache test page on pulse.mozilla.(com|org), dm-pulse01.mozilla.(com|org), pulse01.mozilla.(com|org)... (unless I am VPNed in to mozilla MPT)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Bah, I fail. I didn't add it to the right zones, so it wasn't visible from the outside. Fixed now, give it 10 mins to propagate before you check.
Status: REOPENED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
it's pulse.mozilla.org btw.
Product: mozilla.org → mozilla.org Graveyard