Inserted labs list to copy, and clarify:
I only propose to split current labs into two parts: testing and production (I don't propose to purchase a whole new virtualization cluster), and these parts should be completely separated (by a firewall at least).
On Mon, Mar 26, 2012 at 2:19 PM, Petr Bena benapetr@gmail.com wrote:
Hi,
I would like to propose the following idea.
We already started working, some time ago, on a new virtual cluster known as labs (wmflabs.org), whose purpose is to allow people to develop stuff and later move it to some production. I believe it would be nice to have exactly the same environment (probably we could just extend wmflabs for that), running probably on the same platform (a virtual cluster managed through some site, using a nova extension), which would have exactly the same possibilities but would be supposed to run final products (not a testing environment as labs, but "production" where the stable version would live).
Why do we need this?
Wikimedia labs will offer a cloned db of production in the future, which would allow it to run community-managed tools like http://toolserver.org/~quentinv57/tools/sulinfo.php and similar. I think it would be best if such tools were developed using labs as a testing platform and the stable version pushed to this "production", which should only run the stable code. In fact it doesn't even need to be physically another cluster, just another set of virtual instances isolated from the testing environment on labs. The environment would have restrictions which we don't have on labs. People would need to use puppet and gerrit mostly for everything, and root would not be given to everyone in this environment (some projects might be restricted to wmf ops only), so that we could even move all stable bots we currently host on wmflabs there, without being afraid of leaking the bot credentials and such (that's the reason why the bots project is restricted atm). Also, the applications which ask for wikimedia credentials could be allowed there, since the code living on this "production" would be subject to review, and projects which could mean a security risk could be managed by wmf ops only (the changes could be done by volunteers but would need to be submitted to gerrit).
We could also move some parts of current production to this "community managed" environment. I talked to Roan Kattouw in the past regarding moving the configuration of wikimedia sites to some git repository so that volunteers could submit some patches to gerrit or handle bugzilla reports without needing shell access. Changes to production config would be merged by operation engineers, so that it would be completely secure.
In a nutshell:
This environment could be set up on the same platform as wmf labs (no extra costs, just hard work :)); stable products (bots, user scripts) would be living there, while labs would serve only for development and nothing else.
The production version would live on another domain, like wikimedia-tools.org or wmtools.org.
Thanks for your comments and responses.