Page MenuHomePhabricator
Create Task
Maniphest T137928

Deploy phabricator to phab2001.codfw.wmnet
Closed, ResolvedPublic
Actions

Description

Now that T137838: setup phab2001.codfw.wmnet (WMF6405) is done, it's time to get some redundancy in phabricator.

There are a lot of pieces to this and most of these will eventually split off as subtasks but I'm writing them here for now:

related courtesy link: Phabricator Clustering Introduction

Details

SubjectRepoBranchLines +/-
re-add phabricator-new to point to caching layeroperations/dnsmaster+2 -0
phabricator: use codfw db servers for codfw serveroperations/puppetproduction+2 -3
phabricator: cluster.addresses to whitelist iridium and phab2001operations/puppetproduction+4 -0
remove phabricator-new hostnameoperations/dnsmaster+0 -2
phab: dc failover behind the primary public nameoperations/puppetproduction+2 -8
phabricator: open firewall holes only on active_serveroperations/puppetproduction+10 -4
phabricator: Auto rsync phab1001 to phab2001 (codfw)operations/puppetproduction+1 -1
Phabricator: Migrate to base::service_unit for phdoperations/puppetproduction+12 -28
phabricator: monitor PHD service only on active serveroperations/puppetproduction+8 -6
Phabricator: Migrate to base::service_unit for ssh-phaboperations/puppetproduction+4 -20
phabricator: fix file names of systemd/upstart templatesoperations/puppetproduction+2 -2
varnish misc: add phab2001 as a backend for phab-newoperations/puppetproduction+5 -0
Phabricator: Set phabricator active server for iridium and phab2001operations/puppetproduction+4 -1
Phabricator: allow rsyncing /srv/repos from active to passive serveroperations/puppetproduction+27 -0
phab2001: allow rsync from iridium over IPv6 toooperations/puppetproduction+4 -2
phab2001: fix hosts_allowed in rsync configoperations/puppetproduction+3 -3
phabricator: use FQDN instead of short hostname in ferm rulesoperations/puppetproduction+5 -3
Phabricator: Set domain for phab2001 in codfwoperations/puppetproduction+3 -0
phab: fix systemd unit file name of ssh-phaboperations/puppetproduction+0 -0
phabricator: don't run phd on inactive server yetoperations/puppetproduction+9 -1
phabricator: allow ssh between servers for cluster supportoperations/puppetproduction+12 -0
phabricator: add systemd unit file for phd serviceoperations/puppetproduction+29 -1
let phab2001 use same role classes as iridiumoperations/puppetproduction+1 -1
Show related patches Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedJoeT154658 Prepare and improve the datacenter switchover procedure
 ResolvedLSobanskiT156937 Provide cross-dc redundancy (active-active or active-passive) to all important misc services
 InvalidNoneT164810 Switch phabricator production to codfw
 Resolved mmodellT182832 Apache on phab1001 is gradually leaking worker processes which are stuck in "Gracefully finishing" state
 ResolvedPaladoxT125357 /maniphest/report/project/ : Maximum execution time of 10 seconds exceeded
 ResolvedDzahnT151070 Move Phabricator from PHP 7.0 to PHP 7.2
 ResolvedDzahnT238956 switch prod Phabricator from phab1003 to phab1001
 ResolvedDzahnT190568 Reimage both phab1001 and phab2001 to stretch / buster
 Resolved mmodellT152129 reinstall iridium (phabricator) as phab1001 with jessie
 Resolved mmodellT137928 Deploy phabricator to phab2001.codfw.wmnet
 ResolvedRobHT137838 setup phab2001.codfw.wmnet (WMF6405)
 ResolvedMoritzMuehlenhoffT138689 upload php-mailparse and python-phabricator to jessie
 ResolvedDzahnT143363 networking: allow ssh between iridium and phab2001
 InvalidNoneT143370 build php5-mailparse for jessie?
 DeclinedDzahnT152132 Setup test domain for phab2001
 Resolved mmodellT168699 Verify that the codfw lvs is configured correctly for Phabricator
 DeclinedNoneT112776 Implement phabricator database clustering support
 Resolved mmodellT128009 Next Phabricator Upgrade | 2016-04-28
 Resolved mmodellT190572 Prepare a disaster recovery plan for failing over Phabricator
 Declined mmodellT232883 Make PHD run on the backup phabricator server (phab2001, currently)

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
jcrespo added a comment.Aug 7 2017, 7:49 AM

can I ask which database is phab2001 connecting to right now?

TerraCodes updated the task description. (Show Details)Aug 7 2017, 8:24 AM
Paladox added a comment.Aug 7 2017, 10:13 AM
In T137928#3505170, @jcrespo wrote:

can I ask which database is phab2001 connecting to right now?

I’m presuming that it’s connected to the same one as phab1001
as I see no configs changing the database.

Marostegui subscribed.Aug 7 2017, 12:29 PM
Dzahn added a comment.EditedAug 7 2017, 1:23 PM

The answer should be none, as the phd service isn't running there and nothing changed about phab2001 recently.

jcrespo added a comment.Aug 7 2017, 1:40 PM

@Dzahn, thanks- I saw paladox comment:

Is codfw ment to be slow? It feels slower then phab1001 when it had the phabricator-new domain.

And I was worring for a moment we were doing cross-dc queries and publicly facing. Thanks for the clarification.

Dzahn added a comment.Aug 7 2017, 2:28 PM

Yea, so the service isn't up, but the config is indeed like this:

hieradata/role/eqiad/phabricator_server.yaml:phabricator::mysql::master: "m3-master.eqiad.wmnet"
hieradata/role/codfw/phabricator_server.yaml:phabricator::mysql::master: "m3-master.eqiad.wmnet"

So we need to talk about the right one for codfw.. at some point. But nothing changed here since about February, the recent activity was all about migrating from iridium to phab1001 (within eqiad).

Paladox was looking at repos in the browser, but there should be no db connections as long as phd stays stopped afaict.

Dzahn added a comment.Aug 7 2017, 2:36 PM

Just to make sure, I checked with tcpdump port 3306 and there was nothing, even when Apache is up. (on phab1001 there is constant activity).

jcrespo added a comment.Aug 7 2017, 2:37 PM

I think we added m3-master.codfw.wmnet not a long time ago (maybe it was another misc server). If we failover the app, probably we should failover the db, too; while keeping the db in read only

Dzahn added a comment.Aug 7 2017, 2:42 PM

Thanks! @jcrespo. Unfortunately i was wrong, there would have been cross-dc queries when you accessed the URL https://phabricator-new.wikimedia.org/diffusion/ ,even without phd service. Jjust the / URL wasn't working. I stopped Apache and disabled puppet to prevent this from happening again. I will follow-up with a patch to make sure Apache is always stopped on the passive server.

Dzahn added a comment.Aug 7 2017, 5:01 PM
In T137928#3505993, @jcrespo wrote:

I think we added m3-master.codfw.wmnet not a long time ago (maybe it was another misc server)

It looks like we have m2 and m5 in codfw, but not m3 yet.

gerritbot added a comment.Aug 7 2017, 5:02 PM

Change 370498 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] phabricator: open firewall holes only on active_server

https://gerrit.wikimedia.org/r/370498

gerritbot added a comment.Aug 7 2017, 5:55 PM

Change 370498 merged by Dzahn:
[operations/puppet@production] phabricator: open firewall holes only on active_server

https://gerrit.wikimedia.org/r/370498

mmodell lowered the priority of this task from High to Medium.Aug 28 2017, 7:12 AM
mmodell changed the status of subtask T164810: Switch phabricator production to codfw from Open to Stalled.
gerritbot added a comment.Nov 7 2017, 9:14 PM

Change 389803 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/dns@master] remove phabricator-new hostname

https://gerrit.wikimedia.org/r/389803

gerritbot added a comment.Nov 7 2017, 9:15 PM

Change 389804 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] phab: dc failover behind the primary public name

https://gerrit.wikimedia.org/r/389804

gerritbot added a comment.Nov 7 2017, 9:20 PM

Change 389804 merged by BBlack:
[operations/puppet@production] phab: dc failover behind the primary public name

https://gerrit.wikimedia.org/r/389804

gerritbot added a comment.Nov 7 2017, 9:23 PM

Change 389803 merged by BBlack:
[operations/dns@master] remove phabricator-new hostname

https://gerrit.wikimedia.org/r/389803

mmodell changed the status of subtask T164810: Switch phabricator production to codfw from Stalled to Open.Nov 7 2017, 10:15 PM
mmodell added a subscriber: BBlack.Nov 7 2017, 10:38 PM

So BBlack and I went over this stuff today on IRC. I'll paste an excerpt from the transcript of that IRC conversation, for posterity:

@BBlack

right now git-ssh.wikimedia.org is in DNS and statically configured to the same IP address as git-ssh.eqiad.wikimedia.org
and behind that IP, we have all the LVS configuration/infrastructure in eqiad that forwards that traffic down into phab1001-vcs.eqiad.wmnet
right now in DNS, there's also IPs and hostnames for git-ssh.codfw.wikimedia.org, but apparently we haven't configured the LVS part of this to forward traffic
down into phab2001-vcs.codfw.wmnet yet (which is fairly straightforward)
what's missing is adding something like the entries in:
https://github.com/wikimedia/operations-dns/blob/master/geo-resources
which is what drives the public/global x-dc failover of our primary HTTPS entrypoints, out at the geodns level.
and then pointing git-ssh.wikimedia.org at that geodns stuff instead of mapping it directly and statically to eqiad

@mmodell

since phabricator in codfw is only 90% configured we definitely don't want to direct any traffic there yet

@BBlack

there's some quibbles to sort out on setting that up, because unlike our other services it only lives at the core DCs and not the edges, but nothing fundamental

@mmodell

that all sounds pretty acceptable

@BBlack

and then... for that kind of geodns routing/failover, the assumption is everything is active/active by default
when you want to disable a site due to some level of outage/failure, you make temporary commits to https://github.com/wikimedia/operations-dns/blob/master/admin_state
which mark a given site+service as DOWN and then resolve all lookups to the remaining one(s)
it's all doable, maybe not today, but it's not that far off
a few hours of digging around how to structure some things

@mmodell

ok so all I need is an ssh tunnel between codfw and eqiad for phabricator to use for proxying connections then it can support active/active git+ssh connections

@BBlack

and in the net there will be 3 different switches to flip to change the DC-routing (codfw-vs-eqiad-vs-active/active), which has its up- and down-sides
2 different hieradata switches in cache_misc for the main phab HTTP stuff + aphlict websockets (which you can move in the same commit)
and a different switch over in the DNS repo for git-ssh

BBlack added a subscriber: ayounsi.Nov 8 2017, 6:21 PM

Re: all of the above about git-ssh: I pushed https://gerrit.wikimedia.org/r/#/c/389871/ and @ayounsi fixed up the router ACLs, so the public entrypoint git-ssh.codfw.wikimedia.org into phab2001-vcs works now. Also pushed the TTL reduction for the real service hostname git-ssh.wikimedia.org in https://gerrit.wikimedia.org/r/#/c/389869/ .

So we're in an "ok" place on all failover-related things.

We can failover (or configure active/active) the basic HTTP+Aphlict stuff with hierdata commits around https://phabricator.wikimedia.org/source/operations-puppet/browse/production/hieradata/role/common/cache/misc.yaml;361fd6cb1d452047b1bbbfda0d29b6c43561a0dd$99 .

For git-ssh, presently it would be manual DNS failover (no active/active) by changing which of the git-ssh per-DC IPs are pointed to by git-ssh.wikimedia.org around https://phabricator.wikimedia.org/diffusion/ODNS/browse/master/templates/wikimedia.org;e52acadd3f9e506dbccc232e03462c92acc36949$307 .

There's remaining work to do to get active/active/failover capabilities for git-ssh at the GeoDNS level.

mmodell added a comment.Nov 9 2017, 1:37 AM

Thanks again to @BBlack for helping out here!

mmodell closed subtask T168699: Verify that the codfw lvs is configured correctly for Phabricator as Resolved.Nov 9 2017, 1:38 AM
Dzahn awarded a token.Nov 9 2017, 6:31 AM
Krinkle moved this task from Tag to Doing on the Sustainability board.Mar 17 2018, 12:38 AM
mmodell changed the task status from Stalled to Open.Mar 23 2018, 7:59 PM
mmodell added a parent task: T190568: Reimage both phab1001 and phab2001 to stretch / buster.
ayounsi unsubscribed.Mar 23 2018, 8:02 PM
mmodell updated the task description. (Show Details)Mar 23 2018, 8:16 PM

I sent a test mail from phab2001 to @Paladox, which was received.

mmodell removed a subtask: T112776: Implement phabricator database clustering support.Mar 23 2018, 8:19 PM
mmodell removed a subtask: T143175: Configure phabricator clustering for daemons and repositories.
mmodell removed a subtask: T164810: Switch phabricator production to codfw.
mmodell added a parent task: T164810: Switch phabricator production to codfw.
mmodell updated the task description. (Show Details)Mar 23 2018, 8:23 PM
mmodell mentioned this in T190572: Prepare a disaster recovery plan for failing over Phabricator.
Dzahn mentioned this in T195623: request to assign wmf6937 (mw1298, former imagescaler) (now: wmf4727) as phab1002.May 25 2018, 8:21 PM
Aklapper moved this task from Misc to Infrastructure on the Phabricator board.Aug 29 2018, 6:12 PM
mmodell added a project: User-MModell.Sep 10 2018, 4:51 PM
mmodell moved this task from Backlog to Blocked or Stalled on the User-MModell board.Sep 10 2018, 4:58 PM
mmodell added a subtask: T112776: Implement phabricator database clustering support.Jan 23 2019, 7:45 PM
mmodell added a subtask: T190572: Prepare a disaster recovery plan for failing over Phabricator.Jan 23 2019, 7:56 PM
Alroilim renamed this task from Deploy phabricator to phab2001.codfw.wmnet to https://phabricator.wikimedia.org/tag/user-mmodell/.Feb 2 2019, 7:11 PM
Alroilim renamed this task from https://phabricator.wikimedia.org/tag/user-mmodell/ to https://phabricator.wikimedia.org.
Alroilim closed this task as Declined.
Alroilim removed mmodell as the assignee of this task.
Alroilim lowered the priority of this task from Medium to Lowest.
Alroilim set Due Date to Feb 1 2019, 9:00 PM.
Alroilim removed projects: User-MModell, Release-Engineering-Team (Kanban), Patch-For-Review, OKR-Work, Sustainability, Phabricator.
Alroilim updated the task description. (Show Details)
Alroilim set Due Date to Feb 1 2019, 9:00 PM.
Alroilim removed subscribers: BBlack, Marostegui, Stashbot and 10 others.
Alroilim removed subscribers: BBlack, Marostegui, Stashbot and 10 others.
Restricted Application changed the subtype of this task from "Task" to "Deadline". · View Herald TranscriptFeb 2 2019, 7:11 PM
Alroilim closed subtask T190572: Prepare a disaster recovery plan for failing over Phabricator as Declined.Feb 2 2019, 7:17 PM
Paladox renamed this task from https://phabricator.wikimedia.org to Deploy phabricator to phab2001.codfw.wmnet.Feb 2 2019, 7:27 PM
Paladox reopened this task as Open.
Paladox assigned this task to mmodell.
Paladox raised the priority of this task from Lowest to Medium.
Paladox removed Due Date.
Paladox added projects: User-MModell, Release-Engineering-Team, OKR-Work, Sustainability, Phabricator.
Paladox updated the task description. (Show Details)
Paladox added subscribers: BBlack, Paladox, Marostegui and 8 others.
Restricted Application changed the subtype of this task from "Deadline" to "Task". · View Herald TranscriptFeb 2 2019, 7:27 PM
Paladox changed the task status from Open to Stalled.Feb 2 2019, 7:28 PM
Gopavasanth reopened subtask T190572: Prepare a disaster recovery plan for failing over Phabricator as Open.Feb 2 2019, 7:43 PM
greg moved this task from INBOX to Backlog on the Release-Engineering-Team board.Mar 5 2019, 12:42 AM
greg edited projects, added Release-Engineering-Team (Backlog); removed Release-Engineering-Team.
Dzahn mentioned this in T218570: DB planning: include a writeable (?) misc DB cluster in codfw for WMCS.Mar 18 2019, 1:37 PM

T218570 might unblock this

Phabricator_maintenance edited projects, added Release-Engineering-Team-TODO; removed Release-Engineering-Team (Backlog).Jun 12 2019, 11:52 PM
Phabricator_maintenance moved this task from Should be empty (use Release-Engineering-Team) to Later / Need volunteer on the Release-Engineering-Team-TODO board.Jun 12 2019, 11:56 PM
greg added a project: Release-Engineering-Team.Jun 21 2019, 10:35 PM
greg edited projects, added Release-Engineering-Team (Development services); removed Release-Engineering-Team.Jun 24 2019, 7:50 PM
greg moved this task from Later / Need volunteer to Soon-ish on the Release-Engineering-Team-TODO board.Jul 6 2019, 4:54 AM
gerritbot added a comment.Jul 16 2019, 8:40 PM

Change 324851 abandoned by 20after4:
phabricator: cluster.addresses to whitelist iridium and phab2001

Reason:
obsolete

https://gerrit.wikimedia.org/r/324851

Stashbot mentioned this in T190568: Reimage both phab1001 and phab2001 to stretch / buster.Jul 19 2019, 10:36 PM

Mentioned in SAL (#wikimedia-operations) [2019-07-19T22:36:01Z] <mutante> phab2001 - switching apache to php-fpm and worker instead of mpm-prefork (to match phab1001) (T190568 T137928 T190572)

mmodell closed subtask T112776: Implement phabricator database clustering support as Declined.Sep 13 2019, 7:08 PM
Dzahn changed the task status from Stalled to Open.Sep 13 2019, 7:22 PM
gerritbot added a comment.Nov 15 2019, 10:18 PM

Change 551284 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] re-add phabricator-new to point to caching layer

https://gerrit.wikimedia.org/r/551284

gerritbot added a project: Patch-For-Review.Nov 15 2019, 10:18 PM
gerritbot added a comment.Nov 15 2019, 10:25 PM

Change 551285 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] phabricator: use codfw db servers for codfw server

https://gerrit.wikimedia.org/r/551285

gerritbot added a comment.Nov 19 2019, 4:06 PM

Change 551285 merged by Dzahn:
[operations/puppet@production] phabricator: use codfw db servers for codfw server

https://gerrit.wikimedia.org/r/551285

Dzahn added a subscriber: 20after4.Nov 19 2019, 11:16 PM
  • phab2001 has been upgraded to buster.
  • puppet run shows no errors (unless when i try to start phd, T232883#5676791)
  • /srv/deployment/phabricator are both over 500M but slightly different sizes.

@20after4 Could you deploy to make them the same version? I see:

phab2001: deployment -> deployment-cache/revs/e4e2b2271aad4bb9fb65a421952f7846dab59dc4

vs.

phab1003: deployment -> deployment-cache/revs/61f10999d8837a8c9dbeea12f67b2554daf057ab

gerritbot added a comment.Dec 4 2019, 5:01 AM

Change 551284 abandoned by Dzahn:
re-add phabricator-new to point to caching layer

Reason:
not needed anymore

https://gerrit.wikimedia.org/r/551284

mmodell closed this task as Resolved.Dec 4 2019, 7:46 PM
In T137928#5676819, @Dzahn wrote:
  • phab2001 has been upgraded to buster.
  • puppet run shows no errors (unless when i try to start phd, T232883#5676791)
  • /srv/deployment/phabricator are both over 500M but slightly different sizes.

@20after4 Could you deploy to make them the same version? I see:

phab2001: deployment -> deployment-cache/revs/e4e2b2271aad4bb9fb65a421952f7846dab59dc4

vs.

phab1003: deployment -> deployment-cache/revs/61f10999d8837a8c9dbeea12f67b2554daf057ab

done

Dzahn closed subtask T190572: Prepare a disaster recovery plan for failing over Phabricator as Resolved.Jan 8 2020, 5:57 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL