Page MenuHomePhabricator
Create Task
Maniphest T164810

Switch phabricator production to codfw
Closed, InvalidPublic
Actions

Description

To finish up with T152129: reinstall iridium (phabricator) as phab1001 with jessie, @Dzahn and I came up with this plan:

  • Switch Phabricator production to phab2001 (in codfw)
    • verify that git-ssh is working on phab2001
    • shut down phd on phab1001
    • manually rsync the git data from phab1001 to phab2001 (this is already rsync'd periodically, just need a one-time refresh)
    • verify that phd works on phab2001
    • switch phabricator_active_server to phab2001 in hiera, role/common/phabricator/main.yaml
    • test phabricator's web interface by locally overriding dns records to point to phab2001
    • update dns / redirect traffic to phab2001
  • Make phab1001 a warm standby for phab2001
    • verifying that everything is installed correctly
    • manually rsync the git repositories.
    • make sure the rsync cron job is set up correctly to sync from phab2001

Details

SubjectRepoBranchLines +/-
phab@codfw - add git-ssh public IPs to vcs configoperations/puppetproduction+2 -0
LVS/phabricator: add git-ssh in codfwoperations/puppetproduction+11 -0
git-ssh.wm.o: reduce to 10m TTL for failoveroperations/dnsmaster+2 -2
LVS/phabricator: add git-ssh in codfwoperations/puppetproduction+3 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

mmodell created this task.May 8 2017, 11:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 8 2017, 11:42 PM
mmodell added a parent task: T137928: Deploy phabricator to phab2001.codfw.wmnet.May 8 2017, 11:43 PM
Dzahn mentioned this in T152129: reinstall iridium (phabricator) as phab1001 with jessie.May 9 2017, 1:39 AM
Paladox subscribed.May 9 2017, 6:37 AM
mmodell triaged this task as Medium priority.May 12 2017, 12:56 AM
greg added a project: Release-Engineering-Team (Kanban).May 16 2017, 3:54 PM
mmodell added a comment.May 24 2017, 5:40 PM

So we need a proxy set up for phab2001-vcs, I'm not sure how to test it currently.

mmodell updated the task description. (Show Details)May 24 2017, 5:46 PM
mmodell moved this task from To Triage to Administration (UI) on the Phabricator board.May 24 2017, 7:36 PM
Framawiki subscribed.May 24 2017, 9:00 PM
mmodell added a comment.May 26 2017, 10:30 PM

@Dzahn tells me that we can set up temporary DNS records like phabricator-new.wikimedia.org in order to test the varnish config in codfw.

Dzahn added a comment.May 26 2017, 10:35 PM

I saw we already have git-ssh in both eqiad and codfw, like so:

git-ssh.codfw.wikimedia.org has address 208.80.153.250
git-ssh.codfw.wikimedia.org has IPv6 address 2620:0:860:ed1a::3:fa

git-ssh.eqiad.wikimedia.org has address 208.80.154.250
git-ssh.eqiad.wikimedia.org has IPv6 address 2620:0:861:ed1a::3:16

git-ssh.wikimedia.org has address 208.80.154.250
git-ssh.wikimedia.org has IPv6 address 2620:0:861:ed1a::3:16

So since git-ssh without a suffix is equal to git-ssh.eqiad and git-ssh.codfw isn't used yet but also in wikimedia.org we can simply use that and don't need a temp -new name (which is what we did for Gerrit once)

gerritbot subscribed.May 26 2017, 11:06 PM

Change 355869 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] LVS/phabricator: add git-ssh in codfw

https://gerrit.wikimedia.org/r/355869

gerritbot added a project: Patch-For-Review.May 26 2017, 11:06 PM
mmodell moved this task from Backlog to In-progress on the Release-Engineering-Team (Kanban) board.May 31 2017, 4:58 PM
mmodell moved this task from In-progress to Blocked (externally) on the Release-Engineering-Team (Kanban) board.Jun 6 2017, 8:58 AM
mmodell added a parent task: T163938: setup/install phab1001.eqiad.wmnet.Jun 6 2017, 9:02 AM
mmodell mentioned this in T163938: setup/install phab1001.eqiad.wmnet.Jun 6 2017, 9:07 AM
Krinkle subscribed.Jul 7 2017, 1:15 AM
Krinkle mentioned this in T156937: Provide cross-dc redundancy (active-active or active-passive) to all important misc services.Jul 25 2017, 6:09 PM
mmodell updated the task description. (Show Details)Aug 4 2017, 7:30 AM
TerraCodes subscribed.Aug 4 2017, 7:31 AM
mmodell added a subtask: T168699: Verify that the codfw lvs is configured correctly for Phabricator.Aug 8 2017, 12:56 AM
Krinkle unsubscribed.Aug 8 2017, 2:56 AM
mmodell changed the task status from Open to Stalled.Aug 28 2017, 7:12 AM
gerritbot added a comment.Oct 27 2017, 3:37 AM

Change 355869 abandoned by Dzahn:
LVS/phabricator: add git-ssh in codfw

https://gerrit.wikimedia.org/r/355869

gerritbot added a comment.Nov 7 2017, 10:03 PM

Change 389869 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/dns@master] git-ssh.wm.o: reduce to 10m TTL for failover

https://gerrit.wikimedia.org/r/389869

gerritbot added a comment.Nov 7 2017, 10:12 PM

Change 389871 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] LVS/phabricator: add git-ssh in codfw

https://gerrit.wikimedia.org/r/389871

mmodell changed the task status from Stalled to Open.Nov 7 2017, 10:15 PM
mmodell moved this task from Blocked (externally) to In-progress on the Release-Engineering-Team (Kanban) board.
gerritbot added a comment.Nov 8 2017, 12:35 PM

Change 389869 merged by BBlack:
[operations/dns@master] git-ssh.wm.o: reduce to 10m TTL for failover

https://gerrit.wikimedia.org/r/389869

gerritbot added a comment.Nov 8 2017, 12:47 PM

Change 389871 merged by BBlack:
[operations/puppet@production] LVS/phabricator: add git-ssh in codfw

https://gerrit.wikimedia.org/r/389871

gerritbot added a comment.Nov 8 2017, 1:04 PM

Change 389968 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] phab@codfw - add git-ssh public IPs to vcs config

https://gerrit.wikimedia.org/r/389968

gerritbot added a comment.Nov 8 2017, 1:05 PM

Change 389968 merged by BBlack:
[operations/puppet@production] phab@codfw - add git-ssh public IPs to vcs config

https://gerrit.wikimedia.org/r/389968

mmodell closed subtask T168699: Verify that the codfw lvs is configured correctly for Phabricator as Resolved.Nov 9 2017, 1:38 AM
mmodell lowered the priority of this task from Medium to Low.Nov 27 2017, 5:57 PM

This is probably going on the back burner while I work on Scap (Tech Debt Sprint FY201718-Q2) for the remainder of the quarter.

mmodell removed mmodell as the assignee of this task.Jan 22 2018, 5:45 PM
mmodell edited projects, added Release-Engineering-Team (Next); removed Release-Engineering-Team (Kanban).

Moved to represent that this is still happening but not currently a priority.

mmodell edited parent tasks, added: T156937: Provide cross-dc redundancy (active-active or active-passive) to all important misc services; removed: T163938: setup/install phab1001.eqiad.wmnet, T137928: Deploy phabricator to phab2001.codfw.wmnet.Mar 23 2018, 8:21 PM
mmodell added a subtask: T137928: Deploy phabricator to phab2001.codfw.wmnet.
Paladox raised the priority of this task from Low to Medium.Mar 23 2018, 8:26 PM

Changing priority to match the other tasks

mmodell mentioned this in T190572: Prepare a disaster recovery plan for failing over Phabricator.Mar 23 2018, 8:31 PM
mmodell added a subscriber: Marostegui.Mar 23 2018, 10:45 PM

@Marostegui: Can you comment on how we should handle cross-dc queries for phabricator? More specifically, will there be problems when we switch phabricator to run on phab2001.codfw.wmnet with the masters running in eqiad? Is this simply transparent to the application or do we need to do some configuration changes to tell phab to use different proxies?

Paladox added a subscriber: jcrespo.Mar 23 2018, 10:48 PM

or @jcrespo ^^ please?

mmodell edited projects, added DBA; removed Patch-For-Review.Mar 23 2018, 10:49 PM
jcrespo added a comment.EditedMar 24 2018, 5:40 PM

how we should handle cross-dc queries for phabricator

You don't want to do cross-dc queries in a normal state-only in an emergency- phabricator does connection pooling, so it would be possible, but you need to configure the client driver to use TLS (something that is available for a few weeks now on misc hosts).

Other than that, if you want active-passive, the idea is to switch the traffic to go to the right (active for phabricator) datacenter, and connect only to the local mysql instance- make sure only one database is in read-write mode "active master", and make sure the replication is flowing in the right direction. How to do that depends on how much you can trust the application (e.g. you can have a master-master setup with everthing in write mode, in which everything is automatic- but if the application writes to the wrong master, you have a split brain.

If you want an active-active scenario, in which you connect to a single database server on both datacenters, the application should be ok with that (multiple app servers, distributed locking, etc.) you need TLS. There is some discussion to be had, for example, if we want to add m3-master to the certificates so that domain is validated to avoid a man in the middle attack, but that is a conversation we can have when we agree on the details. Talk to me on IRC (if possible, on April) and you can decide what is best- once you have the whole picture of possibilties.

One last thing- like gerrit, we are lacking several proxy on codfw right now (we have the eqiad ones only)- those should be bought between now and the end of the natural year. We also have data redundancy but not a 100% redundant database system yet- in this last case, we have only 1 server per misc host, and we would like to have at least 2 per datacenter. We should have the hardware for that already, but it is not yet in a production state.

jcrespo moved this task from Triage to Blocked external/Not db team on the DBA board.Jun 15 2018, 12:22 PM

@mmodell To clarify, this is blocked on a decision of what you want to do architecture-wise, and I think the best way to move forward is for us to meet at some point a discuss options (it is actually very simple but text is too verbose :-))

Aklapper moved this task from Administration (UI) to Infrastructure on the Phabricator board.Aug 29 2018, 6:02 PM
Alroilim closed subtask T137928: Deploy phabricator to phab2001.codfw.wmnet as Declined.Feb 2 2019, 7:11 PM
Paladox reopened subtask T137928: Deploy phabricator to phab2001.codfw.wmnet as Open.Feb 2 2019, 7:27 PM
Paladox changed the status of subtask T137928: Deploy phabricator to phab2001.codfw.wmnet from Open to Stalled.
Liuxinyu970226 subscribed.Mar 19 2019, 10:41 AM
Phabricator_maintenance edited projects, added Release-Engineering-Team-TODO; removed Release-Engineering-Team (Next).Jun 14 2019, 9:45 PM
Phabricator_maintenance moved this task from Should be empty (use Release-Engineering-Team) to Soon-ish on the Release-Engineering-Team-TODO board.Jun 14 2019, 9:46 PM
greg added a project: Release-Engineering-Team.Jun 21 2019, 10:35 PM
greg edited projects, added Release-Engineering-Team (Development services); removed Release-Engineering-Team.Jun 24 2019, 7:50 PM
Dzahn changed the task status from Open to Stalled.Sep 13 2019, 7:11 PM
Dzahn changed the status of subtask T137928: Deploy phabricator to phab2001.codfw.wmnet from Stalled to Open.Sep 13 2019, 7:22 PM
mmodell closed subtask T137928: Deploy phabricator to phab2001.codfw.wmnet as Resolved.Dec 4 2019, 7:46 PM
LSobanski removed a project: DBA.Apr 6 2021, 5:18 PM
LSobanski subscribed.

Removing the DBA tag and subscribing myself instead. Once there are specific actions for DBA please re-add us and/or @mention me.

thcipriani removed a project: Release-Engineering-Team (Development services).Apr 20 2021, 1:22 AM
thcipriani edited projects, added Release-Engineering-Team (thcipriani-workboard-fiddling); removed Release-Engineering-Team-TODO.Apr 20 2021, 3:42 AM
thcipriani moved this task from thcipriani-workboard-fiddling to Seen (ARCHIVE) on the Release-Engineering-Team board.Apr 20 2021, 3:58 AM
thcipriani edited projects, added Release-Engineering-Team; removed Release-Engineering-Team (thcipriani-workboard-fiddling).
thcipriani edited projects, added Release-Engineering-Team (Seen); removed Release-Engineering-Team.Apr 20 2021, 3:23 PM
Legoktm mentioned this in T285339: Document and automate Phabricator failover process.Jun 22 2021, 5:53 PM
hashar mentioned this in T322250: decom phab2001 (service owner).Nov 3 2022, 11:15 AM
brennen closed this task as Invalid.Sep 26 2023, 4:32 PM
brennen subscribed.

Closing as 6 years out of date with reality.

Dzahn added a comment.EditedNov 3 2023, 9:56 PM

Regardless the plan still seems roughly accurate and we still want to be able to switch DCs if we have to.

Are we saying we never want to do a switch?

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits