Page MenuHomePhabricator

Enable access to relforge clusters from virtual machines running on labs
Closed, ResolvedPublic


Relforge cluster is up and running, but cannot be accessed from labs VM:

gehel@cirrus-browser-bot:~$ telnet relforge1001.eqiad.wmnet 9243
[...] => timeout

Looking at ferm rules on relforge1001 I see that port 9243 is opened from $INTERNAL, which maps to ( 2620:0:860:100::/56 2620:0:861:100::/56 2620:0:862:100::/56 2620:0:863:100::/56), so from relforge1001 point of view, things should be good.

I guess there is something else filtering network traffic, but I'm unsure what and how to configure it. @chasemp can you point me in the right direction?

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Could someone in netops open traffic from labs-instance to the 2 relforge servers on port 9243?

  • source: labs-instances
  • destination:
    • port: 9243/TCP
    • IP:
      • relforge1001.eqiad.wmnet (
      • relforge1001.eqiad.wmnet (

I realize that some context is probably missing here. The detailed discussion about the relforge cluster can be found in T131184. In short:

relforge is an elasticsearch cluster used to validate hypothesis to improve search relevancy. As such it is used in a labs context (clients of relforge are VM isntances in labs). This cluster is meant to also be used by anyone who want to test things around search.

We don't in general open firewall holes between prod and labs like that. This may need re-thinking.

My comment above was under the false assumption that relforge100[12] were in private prod networks (they're not, as clearly stated above). I've added firewalls terms on cr[12]-eqiad for this and it seems to work.

Thanks to @BBlack, routers are now configured. I tested from cirrus-browser-bot and connection is working.