Page MenuHomePhabricator
Create Task
Maniphest T133150

Move gallium to an internal host?
Closed, DeclinedPublic
Actions

Description

During an audit of HTTPS-related things (cf T132521#2202245), it was noted that gallium.wikimedia.org appears to only host two HTTP sites (doc.wikimedia.org and integration.wikimedia.org), both of which are currently revproxied through the cache_misc cluster. If gallium has no other reason that it needs to be on a public subnet, we should move it to an internal-subnet host to reduce its exposure to the wild Internet.

Details

SubjectRepoBranchLines +/-
cache_misc: change doc/integration.wm.o backendoperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

BBlack created this task.Apr 20 2016, 1:59 PM
Restricted Application added a project: SRE. · View Herald TranscriptApr 20 2016, 1:59 PM
Restricted Application added subscribers: TerraCodes, Aklapper. · View Herald Transcript
MoritzMuehlenhoff subscribed.Apr 20 2016, 2:00 PM
Dzahn added a subscriber: hashar.Apr 20 2016, 3:05 PM

it's also running Jenkins. added Hashar to answer if it need the public IP. also see T95757

hashar added a comment.Apr 20 2016, 4:03 PM

gallium has been setup in 2011 and is still on Precise. It received a public IP to serves the Jenkins web interface. With time, all the http entry points have been migrated to be behind the misc varnish.

Beside doc/integration.wikimedia.org, the server host Jenkins, Zuul scheduler and Zuul merger. There are network flow from/to labnodepool1001 and scandium in the labs support network as well as flow to/from labs instances.

We have a tracking task to get rid of gallium T95757. There is not much cycles to work on it though, but a first step is to update the CI architecture documentation, specially to keep track of all the network flows: T102137. The outdated doc being at https://www.mediawiki.org/wiki/Continuous_integration/Architecture/Isolation

Maybe we can assign a private IP to gallium, then migrate network flows / update firewalls rules. Once everything is migrated phase out the public IP and rename the host to gallium.eqiad.wmnet.

hashar moved this task from Untriaged to Backlog on the Continuous-Integration-Infrastructure board.Apr 20 2016, 4:03 PM
hashar added a parent task: T95757: Phase out gallium.wikimedia.org.
Krenair subscribed.Apr 20 2016, 4:10 PM
hashar edited projects, added Continuous-Integration-Infrastructure (phase-out-gallium); removed Continuous-Integration-Infrastructure.Apr 21 2016, 3:51 PM
hashar added a comment.Apr 21 2016, 4:06 PM

We have created a sub project in Phabricator https://phabricator.wikimedia.org/project/view/1966/

First step is for Release-Engineering-Team to agree on an architecture via T133300 and propose it to SRE for validation.

Paladox subscribed.Apr 26 2016, 11:56 AM
fgiunchedi changed the task status from Open to Stalled.Apr 28 2016, 9:55 AM
fgiunchedi triaged this task as Medium priority.
fgiunchedi added a subtask: T133300: Target architecture without gallium.wikimedia.org.
hashar added a comment.Jun 2 2016, 7:47 AM

I have drawn a summary of web services that ends up on gallium. One is on doc.wikimedia.org the three others are on integration.wikimedia.org. They all pass through misc varnish and the path based routing is done on the Apache on gallium via mod_proxy.

CI Apache routes - v20160421.1.png (368×684 px, 33 KB)

None of that needs a public IP for sure.

As I have mentioned earlier on this task, the Gearman daemon is reached by hosts in labs support network: labnodepool1001.eqiad.wmnet and scandium.eqiad.wmnet . I dont think we can make them to reach a private IP in prod, so we need to dispatch gallium services to different hosts/network. Going to be discussed on T133300.

hashar removed a subtask: T133300: Target architecture without gallium.wikimedia.org.Jun 8 2016, 9:17 PM
hashar added a subtask: T137358: Migrate CI services from gallium to contint1001.

With gallium that lost a disk today, we had contint1001.eqiad.wmnet allocated (Jessie and private IP). Switching services to it is T137358.

gerritbot subscribed.Jun 8 2016, 9:20 PM

Change 293284 had a related patch set uploaded (by Hashar):
cache_misc: change doc/integration.wm.o backend

https://gerrit.wikimedia.org/r/293284

gerritbot added a project: Patch-For-Review.Jun 8 2016, 9:20 PM
demon closed subtask T137358: Migrate CI services from gallium to contint1001 as Declined.Jun 9 2016, 8:57 PM
gerritbot added a comment.Jun 9 2016, 9:45 PM

Change 293284 abandoned by Hashar:
cache_misc: change doc/integration.wm.o backend

Reason:
I have prepared this patch in case we had to switch the CI infra to contint if gallium proven to be lost.

That is nore more an urgency and we are considering a better long term plan via T133300

https://gerrit.wikimedia.org/r/293284

hashar removed a project: Patch-For-Review.Jun 10 2016, 8:24 AM
hashar added a subtask: T133300: Target architecture without gallium.wikimedia.org.
hashar removed a parent task: T95757: Phase out gallium.wikimedia.org.
JanZerebecki subscribed.Jun 11 2016, 6:03 PM
hashar mentioned this in rOPUP1f4342d1b53f: cache_misc: change doc/integration.wm.o backend.Jun 17 2016, 6:06 PM
hashar added a comment.EditedJul 11 2016, 1:19 PM

integration.wikimedia.org (with Zuul and Jenkins) is going to migrate to scandium.eqiad.wmnet

doc.wikimedia.org is looking for a new home. Potentially via T137890 or yet another task.

Dzahn added a comment.Jul 11 2016, 9:51 PM
In T133150#2447151, @hashar wrote:

doc.wikimedia.org is looking for a new home.

Ganeti VM ?

hashar added a comment.Jul 12 2016, 2:07 PM

doc.wikimedia.org home is tracked via T137890

faidon mentioned this in T140257: Allocate contint1001 to releng and allocate to a vlan.Jul 25 2016, 12:19 PM
hashar closed this task as Declined.Sep 8 2016, 9:11 AM

From T140257#2595926 and follow up response from ops, we are keeping the status quo of using a public IP.

hashar closed subtask T133300: Target architecture without gallium.wikimedia.org as Resolved.Sep 12 2016, 3:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits