Page MenuHomePhabricator

Move californium to an internal host?
Closed, DeclinedPublic

Description

During an audit of HTTPS-related things (cf T132521#2202245), it was noted that californium.wikimedia.org appears to only host one HTTP site (horizon.wikimedia.org), which is currently revproxied through the cache_misc cluster. If californium has no other reason that it needs to be on a public subnet, we should move it to an internal-subnet host to reduce its exposure to the wild Internet.

Event Timeline

BBlack created this task.Apr 20 2016, 1:59 PM
Restricted Application added a project: Operations. · View Herald TranscriptApr 20 2016, 1:59 PM
Restricted Application added subscribers: TerraCodes, Aklapper. · View Herald Transcript
Dzahn added a subscriber: Andrew.
Restricted Application added a project: Cloud-Services. · View Herald TranscriptApr 20 2016, 3:07 PM
Dzahn added a comment.Apr 20 2016, 3:07 PM

@Andrew Does the horizon host need the public IP ?

@Dzahn as far as I know it does not, moving it to an internal IP would be fine.

chasemp triaged this task as Normal priority.May 31 2016, 3:29 PM
BBlack moved this task from Triage to Watching on the Traffic board.Oct 4 2016, 1:14 PM
Andrew closed this task as Declined.Mar 14 2018, 9:16 PM

This is moot, californium is moving into the spare pool.

It's slightly off topic with californium being decommed, but things that are allocated for Cloud Services infrastructure are generally being moved into the public vlan. The reason for this is that we want to kill off the confusing security posture of the labs-support vlan. Treating all things that directly talk to the Cloud VPS OpenStack tenant VMs and the infrastructure that powers them as "public" from the point of view of the core Wikimedia network is much easier to reason about. The new labweb1001 and labweb1002 servers that are replacing californium and silver as the hosts of wikitech, horizon, and striker are an example of this. These services are all behind the misc varnish cluster, but the hosts themselves are in the public vlan. This is largely an artifact of the cognitive load that having small number of hosts that are not like anything else cause.