[OOTB-infra] Virtual Hackathon - Capability of hosting integration/demo environments?

Heiko Robert heiko.orderofthebee.info at ecm4u.de
Wed Jul 13 18:41:47 BST 2016 

Hi Axel,

this wouldn't be too hard to manage. One question would be how to avoid
abuse / missusage. The owner of the servers and the domain will be
responsable for any damage if they can't proof the real actor!

Today cloning / setting up is a manual job taking ~ 1 hour.
Bottleneck would be DNS (INFRA team has no access to DNS)

Everything could be easily automated to create a running VM in minutes
except DNS (this could be fixed / worked around by a separate wildcard
domain):
* instanciating a new VM can be automated by ovatool command line
running anywhere having access to the vm network
* same for management (start/stop/kill/delete/monitor)
* where do you see any licensing issue? all tools are public available
or open source.
* simple HTTP(S) automation is easy since we already have only one
single reverse proxy (apache-proxy) with an makro to allow new targets
to be configured with one line of config
* simple firewall config (for ssh access) should be discussed (see below)

TODO:
* define master VM for cloning / save OVA as master
* create script for cloning (e.g. createnewVM source target)
* create script for loading different alfresco version (e.g. any subrelease)
* create script for vm network config (easiest would be static config
and default image will start with dhcp and hostname 'imagename')
* create script for adding virtual host to reverse proxy

At the end only one script/command should control all required use cases
(create/remove/stop/start/status/list).

Another aproach would be to configure only one VM to be set up with
containers / OpenVZ / vserver running in a separate subnet but I couln't
assist in this because this would consume much more work/time to get
this done automated.

Open:
* What would be an an adequate console access?
** Real names / registered, verified users should be required to get ssh
access
** all testing / public VMs should run in a separate subnet with no
connection to the OOTB production systems inside the VM network
** either public key auth or VPN should be forced. I would prefer VPN
because then we don't need to configre the firewall for any new vm. We
use pfsense. For now there is only UPnP or NAT-PMP as remote API
available. REST is announced for next major release (3.0) to automate
new firewall rules in case we don't go the vpn route. Anyway to
_automate_ VPN / firewall config we need either to create a curl based
script à la alf-shell-tool or wait for version 3.0. On the other hand if
a participant has only to be created once this may be acceptable to
create them by hand.

Heiko


Am 12.07.2016 um 17:57 schrieb Axel Faust:
> Hello INFRA,
> 
> During the BeeCon hackathon and afterwards various members of the Order
> (incl Richard) discussed continueing with the tradition of doing global,
> virtual hackathons in the Alfresco community. We tentatively have agreed
> to aim for a Friday within September to have the hackathon and that it
> would be an Alfresco event (in terms of announcements / general
> organisation). But that doesn't exclude us from thinking about options
> for the Order to support such an event, and the community members that
> participate.
> 
>  
> 
> One idea I had revolves around providing (short-term / temporary)
> hosting of integration or demo environments for hackathon project teams.
> Apart from potentially simplifying the setup / startup effort for new
> members of the community that participate, having a publicly accessible
> integration / demo environment for a hackathon project can also make it
> easier for other teams as well as Alfresco / Order "hackathon support
> staff" to check a project's progress; or act as a tester and provide
> suggestions for potential improvements.
> 
>  
> 
> Now, before I spend any more time fantasizing about project build /
> server restart automation, the more immediate question on my mind is:
> 
> *Could we as the Order with our current infrastructure support such a
> use case?*
> 
> Forget for a moment the financial issues that obviously will need to be
> addressed at some time as well. Can we (with our current infratstructure
> and processes):
> 
>  
> 
>   * Add VM(s) or host(s) to our domain within a few days (or with some
>     kind of self-service for a small set of authorised members in a few
>     hours) - same for tear-down after the event
>   * Support automation of instance setup / tear down, e.g. via command
>     line tooling either by agents on a host or via SSH
>   * Use open technologies / tools to avoid licensing issues when an
>     arbitrary number of users (from different backgrounds) use an
>     environment we temporarily provide / host
>   * Support simple update to any firewall configuration to forward
>     (dynamic) ports to the environments
>   * Support simple update to any proxy configuration to provide a
>     central HTTP(S) entry point
> 
> ?
> 
>  
> 
> A potential setup in my mind at this time is the following:
> 
>   * a separate host or resource-constrained VM is used to bundle all
>     demo environment
> 
> (a decent amount of memory, CPU and I/O needs to be provisioned, which
> is why I tend towards a separate host)
> 
>   * Within that host / VM, container-based virtualization is used to
>     provide standardized installs for the environments
>   * Each environment is publicly accessible when using HTTP(S)-based
>     protocols using a host name like
>     <projectName>.hackathon.orderofthebee.org
>     <http://hackathon.orderofthebee.org> (ideally we use only HTTPS
>     which a proxy terminates using a common certificate of the Order,
>     and internally use HTTP/AJP)
>   * A port forward for SSH should be done for each environment (if the
>     environment will actually provide SSH, which a container might not)
>   * If host / VM is not publicly accessibe itself, a port forward for
>     SSH needs to be done
>   * Host / VM polls GitHub of defined project for an environment, builds
>     project (Maven-based) and stops/starts container with updated WARs
>   * Automation is in place to quickly (re-)initialize an environment as
>     project teams are formed / when a data reset is required (automation
>     would likely need to update DNS / host or VM firewall settings)
> 
> I would exclude most (if not all) of the trickier protocols / Alfresco
> interfaces for the time being, and only consider HTTP-based access.
> 
>  
> 
> Even if we don't end up doing something in that direction for the
> hackathon (for cost/time/resource reasons), I would like to see us able
> to dynamically provide short-term integration / demo environments some
> day in the (near?) future, e.g. to support similar needs for conferences
> / local meetups. So if we can't currently provide this for technical /
> conceptual reasons or limitations, I hope we can derive a strategy for
> (or at least a list of) items that we woulud need to address.
> 
>  
> 
> So, what do you think? Are we currently in a situation that we could do
> something like this? And without excessive effort in terms of
> coordination / work, or too much reliance on the availability of a
> single or a few people?
> 
>  
> 
> Again, this is just an idea of mine at the moment that I would like some
> input / discussion on. This has not yet been discussed on the board or
> with Richard / Ole, as it may be irrelevant if you tell me that I am
> "out of my mind"...
> 
>  
> 
> Regards
> 
> Axel
> 
>  
> 
> 
> 
> _______________________________________________
> OOTB-infra mailing list
> OOTB-infra at xtreamlab.net
> http://www.xtreamlab.net/mailman/listinfo/ootb-infra
>

More information about the OOTB-infra mailing list