
move gerrit.wm.org SSH service to private/behind LVS like phab-vcs
Closed, Declined (Public)

Description

As of recently, both gerrit servers have a server IP and a service IP.

They are:

server cobalt.wikimedia.org with service gerrit.wikimedia.org and
server gerrit2001.wikimedia.org with service gerrit-replica.wikimedia.org

DNS change
Puppet change

@faidon said, "<paravoid> or let's add a service IP to gerrit2001, but also move them in private/behind LVS like phab[12]001-vcs, and also support port 22 for Gerrit"

This ticket is for that: move it to private using the same tricks we use for phab-*-vcs.

Event Timeline

unrelatedly: yea, would also be nice to reinstall cobalt as gerrit1001, wouldn't it? subtask?

We can't move them behind LVS. Unlike Phabricator, which uses a separate hostname for the SSH service, Gerrit exposes them over the same domain. Last time we talked about this, LVS wasn't able to support multiple ports per the same host. I also once brought up the idea of SRV records, but AIUI they're not super well supported by all clients.

I'm not opposed to this, I'm just genuinely curious how it can be done.


I believe it can, we're doing multiple ports for the same service ip for e.g. logstash, unless I misunderstood the problem

Also in a master/slave configuration are the ssh host keys exposed by gerrit the same on both machines? Only slightly related to lvs but it just occurred to me

I was under the impression we couldn't do port-based LVS to the same domain. But I'm gladly willing to be wrong ☺️

And yes, same host key for the ssh daemon.

Decent transition might be to:

  1. Create public LVS VIP
  2. Test it on the Gerrit instance (in public)
  3. If all good, decom the current (non-LVS) VIP

Later on:

  1. Move gerrit2001 to the private vlan (re-image)
  2. If all good, do the same with gerrit1001

@Dzahn other than the outdated host names, is this task still relevant?

@LSobanski good find! Hmm.. probably not but maybe let's talk about it for a minute before declining it.

@Dzahn, why is this not relevant anymore?

@ayounsi It would mean a considerable effort to recreate an entire LVS service, which we just recently shut down for Phabricator in a lengthy decom process (git-ssh.wm.org), just to have a relatively small improvement, that users can use the "nice" port 22 instead of 29418.

So for the group of existing users it would actually introduce a change to their existing (and working) setup while the group of new users are encouraged to use gitlab instead of Gerrit anyways.

Further WMF as a whole has decided to move towards gitlab and isn't planning to keep 2 code review systems around in the long term (not my personal decision).

So basically it'd be quite some work for relatively little improvement and resources are used for the new system rather than putting effort into the old system at this point.

Noted, thanks for the explanation!

@ayounsi It would mean a considerable effort to recreate an entire LVS service, which we just recently shut down for Phabricator in a lengthy decom process (git-ssh.wm.org), just to have a relatively small improvement, that users can use the "nice" port 22 instead of 29418.

FWIW, we've been able to run Gerrit off 22 since the beginning, we just never did. All we would have to do is run the system sshd on something like 2222 to free up 22 for the Gerrit daemon.

But it's not really worth it at this point.
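The port split described in the last comment (system sshd moved to 2222 so the Gerrit SSH daemon can own 22), sketched as an added example. This is not code from the task or from WMF's puppet repository; the two config fragments, the temp paths and the advertisedAddress value are constructed for illustration, and the check only confirms that the two daemons would not end up bound to the same port. The Gerrit fragment keeps 29418 listening alongside 22 so that existing clones with 29418 in their remote URL keep working during a transition.

```shell
#!/bin/sh
# Added example: sshd moves off port 22 so Gerrit's own SSH daemon can use it.
# All values below are constructed; they are not the production configuration.
set -eu

WORK="${TMPDIR:-/tmp}/gerrit-port-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed fragment of the host's /etc/ssh/sshd_config: admin shell access
# only, moved to 2222 to free port 22.
cat > "$WORK/sshd_config" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF

# Constructed fragment of Gerrit's etc/gerrit.config. listenAddress may be
# repeated, so the old 29418 stays open next to 22 for existing clones.
cat > "$WORK/gerrit.config" <<'EOF'
[sshd]
	listenAddress = *:22
	listenAddress = *:29418
	advertisedAddress = gerrit.wikimedia.org:22
EOF

# Port the system sshd listens on (first Port directive wins here).
sshd_port() {
  awk '$1 == "Port" { print $2; exit }' "$1"
}

# Every port Gerrit's [sshd] listenAddress entries bind, one per line.
gerrit_ports() {
  sed -n 's/^[[:space:]]*listenAddress[[:space:]]*=.*:\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1"
}

# Return 0 if no Gerrit listen port collides with the system sshd port.
ports_distinct() {
  sp=$(sshd_port "$1")
  for gp in $(gerrit_ports "$2"); do
    if [ "$gp" = "$sp" ]; then
      return 1
    fi
  done
  return 0
}

if ports_distinct "$WORK/sshd_config" "$WORK/gerrit.config"; then
  echo "ok: sshd on $(sshd_port "$WORK/sshd_config"), Gerrit on $(gerrit_ports "$WORK/gerrit.config" | tr '\n' ' ')"
else
  echo "conflict: sshd and Gerrit would bind the same port" >&2
fi
```

Running it prints the two port sets; the same two extractors can be pointed at the real files on a host before restarting either daemon, since a collision here means one of the two services silently fails to bind.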