[Labs-l] Community managed production environment
Petr Bena
benapetr at gmail.com
Mon Mar 26 12:28:37 UTC 2012
Inserted labs list to copy, and clarify:
I only propose to split current labs into two parts: testing and
production (I don't propose to purchase whole new virtualization
cluster) and these parts should be completely separated (by firewall
at least).
On Mon, Mar 26, 2012 at 2:19 PM, Petr Bena <benapetr at gmail.com> wrote:
> Hi,
>
> I would like to propose the following idea
>
> We already started working on a new virtual cluster known as labs
> (wmflabs.org) whose purpose is to allow people to develop stuff and later
> move it to some production, some time ago. I believe it would be nice
> to have exactly same environment (probably we could just extend
> wmflabs for that) running probably on same platform (virtual cluster
> managed through some site, using nova extension) which would have
> exactly same possibilities but it would be supposed to run final
> products (not a testing environment as labs, but "production" where
> the stable version would live)
>
> Why do we need this?
>
> Wikimedia labs will offer cloned db of production in future which
> would allow it to run community managed tools like
> http://toolserver.org/~quentinv57/tools/sulinfo.php and similar. I
> think it would be best if such tools were developed using labs as a
> testing platform and stable version pushed to this "production" which
> should only run the stable code. In fact it doesn't even need to be
> physically another cluster, just another set of virtual instances
> isolated from testing environment on labs. The environment would have
> restrictions which we don't have on labs. People would need to use
> puppet and gerrit mostly for everything, and root would not be given
> to everyone in this environment (some projects might be restricted to
> wmf ops only), so that we could even move all stable bots we
> currently host on wmflabs there, without being afraid of leaking the
> bot credentials and such (that's a reason why bots project is
> restricted atm). Also the applications which ask for wikimedia
> credentials could be allowed there, since the code living on this
> "production" would be subject to review, and such projects which could
> mean security risk could be managed by wmf ops only (the changes could
> be done by volunteers but would need to be submitted to gerrit).
>
> We could also move some parts of current production to this "community
> managed" environment. I talked to Roan Kattouw in past regarding
> moving the configuration of wikimedia sites to some git repository so
> that volunteers could submit some patches to gerrit or handle bugzilla
> reports without needing shell access. Changes to production config
> would be merged by operation engineers, so that it would be completely
> secure.
>
> In a nutshell:
>
> This environment could be set up on same platform as wmf labs (no
> extra costs, just hard work :)), stable products (bots, user scripts)
> would be living there, while labs would serve only for development and
> nothing else.
>
> The production version would live on another domain, like
> wikimedia-tools.org or wmtools.org
>
> Thanks for your comments and responses