Page MenuHomePhabricator
Create Task
Maniphest T134809

App servers <=> mariadb SSL/TLS for cross-datacenter writes
Closed, ResolvedPublic
Actions

Description

Unless we can somehow entirely avoid writes on GET/HEAD (which might be hard for CentralAuth and a few other things), these will still happen on occasion, mostly as post-send writes in DeferredUpdates.

Such updates should use encryption, instead of just sending passwords and data over the wire.

Scope: All app servers, including job runners and maintenance servers.

Plan:

  • Use the ultimate primary DB server as the top entry in $wgLBFactoryConf['sectionLoads'] on the secondary DC. Similarly for writable clusters in externalLoads.
  • Add those servers to $wgLBFactoryConf['hostsByName']
  • Add the DBO_SSL flag to those servers, probably using $wgLBFactoryConf['templateOverridesByServer']

Details

SubjectRepoBranchLines +/-
Add the master from the primary DC to the secondary DC load arraysoperations/mediawiki-configmaster+62 -13
Enable SSL for master DB connections in the secondary datacenteroperations/mediawiki-configmaster+3 -1
rdbms: Deprecate DBO_SSLmediawiki/coremaster+21 -10
Customize query in gerrit

Related Objects
Search...

Event Timeline

aaron created this task.May 9 2016, 8:21 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptMay 9 2016, 8:21 PM
aaron removed aaron as the assignee of this task.May 16 2016, 6:54 PM
aaron moved this task from Inbox, needs triage to Backlog: Maintenance, non-prioritized on the Performance-Team board.
aaron created subtask T136218: Audit mysql database class and hhvm binding support of SSL.May 25 2016, 4:37 PM
jcrespo added a subtask: T111654: Set up TLS for MariaDB replication.May 25 2016, 4:45 PM
jcrespo subscribed.May 25 2016, 4:48 PM

I've put T111654 as a blocker, but in reality, cross datacenter writes using SSL should be already possible in all cases, as I can guarantee already that *all masters are already using TLS 1.2*. Only some slaves within the datacenter are still using plain text and only need to be rebooted.

We need to coordinate the certificate handling, the current system may not be the most adequate method.

jcrespo added a comment.May 28 2016, 9:37 AM

I've been playing around with some open source SQL proxies lately.
These support persistent connections. I wonder how much of the
overhead of MySQL for a remote server is establishing connection and
TLS negotiation, and how much is real extra latency (e.g
cross-datacenter replication seems to not be that great, but it is a
single connection with low bandwidth requirements).

A test could be done to evaluate the overhead in both cases to help
plan the architecture.

aaron added a project: Wikimedia-Multiple-active-datacenters.Aug 12 2016, 4:50 AM
aaron moved this task from Backlog to Next-up on the Wikimedia-Multiple-active-datacenters board.Aug 12 2016, 5:15 AM
jcrespo added projects: DBA, Traffic.Aug 12 2016, 7:14 AM
aaron closed subtask T136218: Audit mysql database class and hhvm binding support of SSL as Resolved.Sep 1 2016, 7:25 PM
aaron moved this task from Next-up to Backlog on the Wikimedia-Multiple-active-datacenters board.Sep 15 2016, 4:20 PM
BBlack moved this task from Backlog to Radar/Not for service by Traffic on the Traffic board.Oct 4 2016, 12:44 PM
BBlack removed a project: Traffic.Oct 4 2016, 1:28 PM
fgiunchedi subscribed.Nov 23 2016, 5:09 PM

re: certificate handling that @jcrespo mentioned, see also T150822: Internal PKI for secure communication - Barcelona Ops offsite 2016 for the related discussion we had at the Ops offsite 2016

Gilles moved this task from Backlog: Maintenance, non-prioritized to Blocked (old) on the Performance-Team board.Dec 7 2016, 6:46 PM
jcrespo closed subtask T111654: Set up TLS for MariaDB replication as Resolved.Feb 9 2017, 5:08 PM
jcrespo added a comment.Feb 9 2017, 5:23 PM

TLS is deployed on all core MySQLs (s*, x2, es*, pc* shards)- although for obvious reasons, it is not enforced, I think this was the largest blocker for this task and is no more.

Krinkle edited projects, added Multiple-active-datacenters archived; removed Wikimedia-Multiple-active-datacenters, Sustainability.May 3 2017, 7:37 PM
Krinkle edited projects, added Sustainability (MediaWiki-MultiDC); removed Multiple-active-datacenters archived.May 3 2017, 7:58 PM
aaron added a comment.Jul 14 2017, 11:22 PM

Reading things like https://www.percona.com/blog/2013/10/10/mysql-ssl-performance-overhead/ I think this may only make sense for DB_MASTER (also index 0) connections.

I suppose I can do some testing in script/eval.php to gauge serial connection and query rate differences.

aaron created subtask T171071: Perform testing for TLS effect on connection rate.Jul 19 2017, 4:51 PM
aaron added a comment.Jul 19 2017, 5:04 PM

Roll-out should probably be something like:
a) DB_MASTER connections for testwiki/mediawikiwiki (group 0)
b) DB_MASTER connections for S3 (25%, 50%, then 100% of connections)
c) DB_MASTER connections for external stores (25%, 50%, then 100% of connections)
d) All DB_MASTER connections remaining shards (25%, 50%, then 100% of connections)

That would take care of any cross-DC write scenario (without having to check which DC is active) and fulfill this task.

If it's acceptable, this can be expanded to all connections (e.g. DB_REPLICA), preferably if proxying is setup IMO. That would be a separate task though.

jcrespo mentioned this in T154658: Prepare and improve the datacenter switchover procedure.Jul 25 2017, 4:44 PM
Krinkle moved this task from Later to Blocked on the Sustainability (MediaWiki-MultiDC) board.Sep 28 2017, 6:02 PM
1978Gage2001 moved this task from Triage to In progress on the DBA board.Dec 11 2017, 9:45 AM
Marostegui moved this task from In progress to Triage on the DBA board.Dec 11 2017, 10:59 AM
Imarlier moved this task from Blocked (old) to Backlog: Maintenance, non-prioritized on the Performance-Team board.Jan 18 2018, 5:29 PM
chasemp subscribed.May 29 2018, 10:11 PM
jcrespo closed subtask T171071: Perform testing for TLS effect on connection rate as Resolved.Jun 4 2018, 3:21 PM
jcrespo added a subtask: T196378: Investigate solutions for MySQL connection pooling.Jun 4 2018, 3:25 PM
Krinkle moved this task from Backlog: Maintenance, non-prioritized to To-do: Goals, prioritized next 4 Quarters on the Performance-Team board.Jun 21 2018, 9:39 AM
Krinkle moved this task from To-do: Goals, prioritized next 4 Quarters to Blocked (old) on the Performance-Team board.
jcrespo moved this task from Triage to Meta/Epic on the DBA board.Sep 14 2018, 1:02 PM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:40 PM
Krinkle changed the task status from Open to Stalled.EditedJul 1 2019, 8:28 PM
Krinkle subscribed.

Blocked on: The required work for this seems mostly tracked now between T175672: Evaluate proxysql and native php-mysql client for TLS connection between Apache and mariadb or T196378: Investigate solutions for MySQL connection pooling.

jcrespo mentioned this in T240991: Does an eqiad Mediawiki need to have codfw DB servers in its hostsByName? and vice versa.Dec 18 2019, 4:42 PM
Krinkle moved this task from Blocked to Later on the Sustainability (MediaWiki-MultiDC) board.Jun 23 2020, 8:52 PM
Krinkle moved this task from Later to Discuss next on the Sustainability (MediaWiki-MultiDC) board.Jul 2 2020, 3:47 PM
RhinosF1 subscribed.Jan 12 2021, 11:26 AM
Krinkle moved this task from Blocked (old) to Radar on the Performance-Team board.Mar 1 2021, 8:23 PM
Krinkle edited projects, added Performance-Team (Radar); removed Performance-Team.
Krinkle moved this task from Limbo to Perf recommendation on the Performance-Team (Radar) board.
Krinkle moved this task from Radar to To-do: Goals prioritized current Quarter on the Performance-Team board.Mar 2 2021, 9:11 PM
Krinkle edited projects, added Performance-Team; removed Performance-Team (Radar).
Krinkle edited projects, added Performance-Team (Radar); removed Performance-Team.
Krinkle mentioned this in T277539: maintenance/mysql.php does not support ssl.Apr 5 2021, 8:37 PM
Krinkle moved this task from Perf recommendation to Watching on the Performance-Team (Radar) board.Jul 12 2021, 6:14 PM
Krinkle renamed this task from Apache <=> mariadb SSL/TLS for cross-datacenter writes to App servers <=> mariadb SSL/TLS for cross-datacenter writes.May 25 2022, 12:16 AM
Krinkle updated the task description. (Show Details)
tstarling subscribed.May 25 2022, 1:29 AM

TLS connections from MediaWiki app servers to MariaDB appear to work just fine. You just pass flags=DBO_SSL and it connects with TLS 1.3, no certificate path configuration is needed. I timed it at 180-200ms cross-DC.

Ladsgroup subscribed.May 25 2022, 1:49 PM
tstarling closed subtask T196378: Investigate solutions for MySQL connection pooling as Resolved.May 25 2022, 11:54 PM
tstarling updated the task description. (Show Details)May 26 2022, 12:08 AM

Task description edit: added plan for direct TLS, no connection pooling or tunnel.

tstarling changed the task status from Stalled to Open.May 26 2022, 4:32 AM
gerritbot added a comment.May 26 2022, 4:41 AM

Change 799436 had a related patch set uploaded (by Tim Starling; author: Tim Starling):

[mediawiki/core@master] Deprecate DBO_SSL

https://gerrit.wikimedia.org/r/799436

gerritbot added a project: Patch-For-Review.May 26 2022, 4:41 AM
tstarling claimed this task.May 26 2022, 4:41 AM
gerritbot added a comment.May 26 2022, 4:56 AM

Change 799437 had a related patch set uploaded (by Tim Starling; author: Tim Starling):

[operations/mediawiki-config@master] Enable SSL for master DB connections in the secondary datacenter

https://gerrit.wikimedia.org/r/799437

gerritbot added a comment.May 26 2022, 6:32 AM

Change 799685 had a related patch set uploaded (by Tim Starling; author: Tim Starling):

[operations/mediawiki-config@master] Add the master from the primary DC to the secondary DC load arrays

https://gerrit.wikimedia.org/r/799685

gerritbot added a comment.May 27 2022, 3:16 PM

Change 799436 merged by jenkins-bot:

[mediawiki/core@master] rdbms: Deprecate DBO_SSL

https://gerrit.wikimedia.org/r/799436

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.14; 2022-05-30).May 27 2022, 4:00 PM
Krinkle added a parent task: T270223: FY2021-2022: Enable basic Multi-DC operations for read traffic (tracking).May 31 2022, 11:40 PM
Krinkle mentioned this in T157702: Followup for TLS MariaDB server roll-out.
gerritbot added a comment.Jun 6 2022, 4:27 AM

Change 799437 merged by jenkins-bot:

[operations/mediawiki-config@master] Enable SSL for master DB connections in the secondary datacenter

https://gerrit.wikimedia.org/r/799437

gerritbot added a comment.Jun 13 2022, 11:25 PM

Change 799685 merged by jenkins-bot:

[operations/mediawiki-config@master] Add the master from the primary DC to the secondary DC load arrays

https://gerrit.wikimedia.org/r/799685

Maintenance_bot removed a project: Patch-For-Review.Jun 13 2022, 11:30 PM
Stashbot added a comment.Jun 13 2022, 11:30 PM

Mentioned in SAL (#wikimedia-operations) [2022-06-13T23:30:54Z] <tstarling@deploy1002> Synchronized wmf-config/CommonSettings.php: T134809 g 799685 codfw master DBs (duration: 03m 30s)

Stashbot added a comment.Jun 13 2022, 11:35 PM

Mentioned in SAL (#wikimedia-operations) [2022-06-13T23:35:11Z] <tstarling@deploy1002> Synchronized wmf-config/etcd.php: T134809 g 799685 codfw master DBs (duration: 03m 36s)

Stashbot added a comment.Jun 13 2022, 11:45 PM

Mentioned in SAL (#wikimedia-operations) [2022-06-13T23:45:26Z] <tstarling@deploy1002> Synchronized wmf-config/CommonSettings.php: T134809 g 801836 remove variable wmgDbconfigFromEtcd (duration: 03m 26s)

tstarling closed this task as Resolved.Jun 14 2022, 12:00 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL