Page MenuHomePhabricator
Create Task
Maniphest T142211

Enable access to relforge clusters from virtual machines running on labs
Closed, ResolvedPublic
Actions

Description

Relforge cluster is up and running, but cannot be accessed from labs VM:

gehel@cirrus-browser-bot:~$ telnet relforge1001.eqiad.wmnet 9243
Trying 10.64.4.13...
[...] => timeout

Looking at ferm rules on relforge1001 I see that port 9243 is opened from $INTERNAL, which maps to (10.0.0.0/8 2620:0:860:100::/56 2620:0:861:100::/56 2620:0:862:100::/56 2620:0:863:100::/56), so from relforge1001 point of view, things should be good.

I guess there is something else filtering network traffic, but I'm unsure what and how to configure it. @chasemp can you point me in the right direction?

Related Objects
Search...

Event Timeline

Gehel created this task.Aug 5 2016, 2:46 PM
Restricted Application added a project: Discovery-Search. · View Herald TranscriptAug 5 2016, 2:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Gehel added a project: netops.Aug 8 2016, 12:03 PM

Could someone in netops open traffic from labs-instance to the 2 relforge servers on port 9243?

  • source: labs-instances
  • destination:
    • port: 9243/TCP
    • IP:
      • relforge1001.eqiad.wmnet (10.64.4.13)
      • relforge1001.eqiad.wmnet (10.64.37.21)
Gehel added a comment.Aug 8 2016, 12:28 PM

I realize that some context is probably missing here. The detailed discussion about the relforge cluster can be found in T131184. In short:

relforge is an elasticsearch cluster used to validate hypothesis to improve search relevancy. As such it is used in a labs context (clients of relforge are VM isntances in labs). This cluster is meant to also be used by anyone who want to test things around search.

BBlack subscribed.Aug 8 2016, 1:36 PM

We don't in general open firewall holes between prod and labs like that. This may need re-thinking.

ksmith removed a project: Discovery-Search.Aug 8 2016, 4:46 PM
BBlack closed this task as Resolved.Aug 9 2016, 8:13 PM

My comment above was under the false assumption that relforge100[12] were in private prod networks (they're not, as clearly stated above). I've added firewalls terms on cr[12]-eqiad for this and it seems to work.

Gehel added a comment.Aug 9 2016, 8:14 PM

Thanks to @BBlack, routers are now configured. I tested from cirrus-browser-bot and connection is working.

debt moved this task from Incoming to not in use - please delete on the Discovery-Search (Current work) board.Aug 9 2016, 11:26 PM
dcausse moved this task from not in use - please delete to Needs Reporting on the Discovery-Search (Current work) board.Aug 10 2016, 8:35 AM

Thanks!

EBernhardson mentioned this in T214921: Setup elasticsearch on cloudelastic100[1-4].Feb 19 2019, 11:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits