Page MenuHomePhabricator
Create Task
Maniphest T211096

PAWS: Rebuild and upgrade Kubernetes
Closed, ResolvedPublic
Actions

Assigned To
Bstorm
Authored By
GTirloni
Dec 4 2018, 11:35 AM
Tags
Referenced Files
F28465108: paws_puppet_WIP_20190325.diff
Mar 25 2019, 6:54 PM
Subscribers
aborrero
Aklapper
Andrew
AntiCompositeNumber
Bstorm
Chicocvenancio
mdaniels5757
Nintendofan885
Tokens
"Love" token, awarded by MichaelSchoenitzer."Love" token, awarded by Bstorm."Love" token, awarded by Chicocvenancio."100" token, awarded by aborrero.

Description

PAWS Kubernetes needs to be upgraded as it is well outside of supported releases at this point.

Co-opting this task to introduce a full redesign of the PAWS Kubernetes layer to work similar to the build of Toolforge Kubernetes.
Following that model the resulting cluster will be

  • Highly available
  • Debian Buster
  • Much more secure
  • Hopefully use a normal k8s ingress like Toolforge does
  • Be understood and supportable for WMCS
  • Largely puppetized T188912
  • kubeadm controlled

Scope notes

Details

Show related patches Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 DuplicateChicocvenancioT218150 Update PAWS with Zero to JupyterHub k8s 0.8.0 chart
Restricted Task
 ResolvedBstormT246122 Upgrade the Toolforge Kubernetes cluster to v1.16
 ResolvedBstormT211096 PAWS: Rebuild and upgrade Kubernetes
 DuplicateNoneT219077 Add NFS to project paws
 ResolvedaborreroT195217 Simplify ingress methods for PAWS
 DuplicateChicocvenancioT218157 Determine TLS termination
 ResolvedBstormT253702 Figure out storing images for PAWS
 ResolvedaborreroT255252 PAWS: enable acme-chief in the project
 ResolvedaborreroT255997 PAWS: figure out paws-public in the new service model
 ResolvedBstormT167086 Consider moving PAWS to its own Cloud VPS project, rather than using instances inside Toolforge
 ResolvedBstormT160113 Move PAWS nfs onto its own share
 ResolvedBstormT255628 VPS Project dumps is using 2.4 TB at /data/project on NFS
 ResolvedBstormT188912 Puppetize PAWS k8s cluster
ResolvedaborreroT251295 Plan the integration of new WMCS naming schemes into PAWS
 ResolvedaborreroT251297 Refactor the toolforge::k8s::kubeadm* modules
 ResolvedBstormT251298 Design the resource limits, RBAC and PSP needed for the PAWS Kubernetes cluster
 ResolvedBstormT253071 Grant permissions to TravisCI for the Toolforge GitHub organization
 ResolvedBstormT253241 Add helm3 to the component repo
 ResolvedBstormT253267 Configure the soft anti-affinity (and presumably the soft affinity) server policy
 ResolvedBstormT255635 Proposal to protect the master branch for https://github.com/toolforge/paws
 ResolvedBstormT256140 Create whatever is needed for OAUTH grants for the new paws cluster and domain
 OpenNoneT243200 Move PAWS to OAuth 2.0
 OpenFeatureNoneT323849 pywikibot: Support OAuth2 token
 ResolvedBstormT256361 PAWS: get new service and cluster metrics into prometheus
 ResolvedaborreroT257534 CloudVPS: a VM is unable to contact floating IPs of other VMs
 ResolvedaborreroT287107 CloudVPS: we may need DNS records for neutron port VIP addresses
 ResolvedBstormT256689 Add test and lint to the CI setup for PAWS
 ResolvedBstormT258812 Fix the paws-public links in the new cluster!
 ResolvedNoneT258831 Odd error when creating a new session on the new PAWS cluster occasionally
 DeclinedNoneT218152 Test new configuration in PAWS-Beta

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
gerritbot added a comment.May 26 2020, 10:18 PM

Change 598863 merged by jenkins-bot:
[labs/tools/maintain-kubeusers@master] contexts: context should be correct for project

https://gerrit.wikimedia.org/r/598863

Stashbot added a comment.May 26 2020, 10:34 PM

Mentioned in SAL (#wikimedia-cloud) [2020-05-26T22:34:39Z] <bstorm_> restored the deployment for maintain-kubeusers so anyone added to the paws.admin group will have admin on the cluster now that the bug is fixed T211096 T246059

Bstorm mentioned this in T195217: Simplify ingress methods for PAWS.May 26 2020, 10:50 PM
srodlund mentioned this in T253761: Update and improve PAWS documentation on Wikitech.May 27 2020, 3:31 PM
Bstorm closed subtask T253702: Figure out storing images for PAWS as Resolved.May 27 2020, 9:55 PM
mdaniels5757 added a subscriber: mdaniels5757.May 28 2020, 7:41 PM
Bstorm added a comment.Jun 12 2020, 4:59 PM

I'm putting up a series of test images in quay.io/brookestorm to validate settings and changes in the new cluster. I'm hoping not to push into the main quay.io repo until we are ready for a PR. Then I'll do a manual tag push in order to allow the deploy-hook to use cached versions of the images (so it isn't compiling openresty).

Stashbot added a comment.Jun 12 2020, 6:49 PM

Mentioned in SAL (#wikimedia-cloud) [2020-06-12T18:49:03Z] <bstorm_> deployed a test of paws chart in the new cluster T211096

Bstorm added a comment.Jun 12 2020, 6:50 PM

I did the deploy with root on paws-k8s-control-1 with the command

helm install paws --namespace prod ./paws -f paws/secrets.yaml --set=dbProxy.image.name=quay.io/brookestorm/db-proxy --set=deployHook.image.name=quay.io/brookestorm/deploy-hook --set=dbProxy.image.tag=test --set=deployHook.image.tag=test --set=jupyterhub.hub.db.url="sqlite://" --set=jupyterhub.hub.image.name=quay.io/brookestorm/paws-hub --set=jupyterhub.hub.image.tag=test --set=jupyterhub.hub.db.type=sqlite --set=jupyterhub.singleuser.image.name=quay.io/brookestorm/singleuser --set=jupyterhub.singleuser.image.tag=test

To ensure only the test images are used and this doesn't touch the database of the running paws instance. This is effectively what the build.py script does with a lot more control.

Bstorm added a comment.Jun 12 2020, 6:52 PM
bstorm@paws-k8s-control-1:~/src/paws$ kubectl -n prod get pods
NAME                              READY   STATUS    RESTARTS   AGE
continuous-image-puller-6kmb7     1/1     Running   0          2m54s
continuous-image-puller-d4tn5     1/1     Running   0          2m54s
continuous-image-puller-llh74     1/1     Running   0          2m54s
continuous-image-puller-skw95     1/1     Running   0          2m54s
db-proxy-8559ddc847-wzl5d         1/1     Running   0          2m54s
deploy-hook-7867c755bc-97cc9      1/1     Running   0          2m54s
proxy-5cbf487898-rlzrv            1/1     Running   0          2m54s
user-scheduler-59b557759f-65lq5   1/1     Running   0          2m54s
user-scheduler-59b557759f-jpg7j   1/1     Running   0          2m54s

The deploy is happy so far. This will give the ingress something to target in T195217: Simplify ingress methods for PAWS

Bstorm added a comment.Jun 12 2020, 7:18 PM

I redeployed it quickly to make sure it had the new volume changes right. The volumes in the current PAWS deployment won't work for dumps anymore at all.

Bstorm added a comment.Jun 12 2020, 7:19 PM

If the whole project drags on too long I'll do a separate PR from a feature branch in the toolforge/paws repo to fix the volumes on the live setup.

Bstorm added a subtask: T255635: Proposal to protect the master branch for https://github.com/toolforge/paws.Jun 16 2020, 11:22 PM
MichaelSchoenitzer awarded a token.Jun 23 2020, 3:17 PM
Bstorm added a subtask: T243200: Move PAWS to OAuth 2.0.Jun 23 2020, 10:00 PM
Bstorm closed subtask T256140: Create whatever is needed for OAUTH grants for the new paws cluster and domain as Resolved.Jun 23 2020, 10:51 PM
Bstorm closed subtask T251298: Design the resource limits, RBAC and PSP needed for the PAWS Kubernetes cluster as Resolved.Jun 24 2020, 5:24 PM
Bstorm added a comment.Jun 24 2020, 5:31 PM

We also have now fixed a quirk of permissions for the homes that was corrected by an initcontainer previously. Fixing it in the hub values means the containers don't need root.

Bstorm updated the task description. (Show Details)Jun 24 2020, 5:32 PM

Helm3 seems to "just work" ™
That said, I think we should leave that box unchecked until we are deploying via a deployhook and build.py instead of by hand :)

Bstorm updated the task description. (Show Details)Jun 24 2020, 5:33 PM
Bstorm updated the task description. (Show Details)
Bstorm updated the task description. (Show Details)Jun 24 2020, 5:36 PM
Bstorm merged a task: T218150: Update PAWS with Zero to JupyterHub k8s 0.8.0 chart.Jun 24 2020, 5:43 PM
Bstorm added a subscriber: AntiCompositeNumber.
Bstorm closed subtask T255635: Proposal to protect the master branch for https://github.com/toolforge/paws as Resolved.Jun 24 2020, 5:48 PM
Bstorm reopened subtask T251298: Design the resource limits, RBAC and PSP needed for the PAWS Kubernetes cluster as Open.Jun 24 2020, 6:02 PM
Bstorm closed subtask T251298: Design the resource limits, RBAC and PSP needed for the PAWS Kubernetes cluster as Resolved.
Stashbot mentioned this in T255997: PAWS: figure out paws-public in the new service model.Jun 24 2020, 11:18 PM

Mentioned in SAL (#wikimedia-cloud) [2020-06-24T23:18:03Z] <bstorm> added A record for *.paws.wmcloud.org to public and hub to use T211096 T255997 T195217

Bstorm added a comment.Jun 24 2020, 11:38 PM

We should put this into tools-prometheus: https://hub.paws.wmcloud.org/hub/metrics

aborrero added a comment.EditedJun 25 2020, 9:54 AM
In T211096#6255108, @Bstorm wrote:

We should put this into tools-prometheus: https://hub.paws.wmcloud.org/hub/metrics

I suggest we use the metricsinfra prometheus instead to reduce coupling with the tools project.

I just created T256361: PAWS: get new service and cluster metrics into prometheus

Maintenance_bot removed a project: Patch-For-Review.Jun 25 2020, 10:10 AM
Bstorm updated the task description. (Show Details)Jun 25 2020, 4:33 PM
Stashbot added a comment.Jun 25 2020, 4:39 PM

Mentioned in SAL (#wikimedia-cloud) [2020-06-25T16:39:53Z] <bstorm> deleted the deployhook from the in-progress new cluster for now just in case T211096

Stashbot added a comment.Jun 25 2020, 10:43 PM

Mentioned in SAL (#wikimedia-cloud) [2020-06-25T22:43:44Z] <bstorm> bumped quota up to 24 instances, 128 GB RAM and 56 cores T211096

Stashbot mentioned this in T253267: Configure the soft anti-affinity (and presumably the soft affinity) server policy.Jun 25 2020, 10:52 PM

Mentioned in SAL (#wikimedia-cloud) [2020-06-25T22:52:04Z] <bstorm> created paws-k8s-worker-5/6/7 as x-large nodes to bring the cluster up to roughly the same capacity as the existing one using soft anti-affinity T211096 T253267

Bstorm closed subtask T253267: Configure the soft anti-affinity (and presumably the soft affinity) server policy as Resolved.Jun 25 2020, 10:54 PM
Bstorm added a comment.Jun 25 2020, 11:29 PM

I've added 3 x-large nodes to the cluster to see how that works out. They should work better than 6 large nodes (which would be a replacement for what's in tools-paws) because the larger nodes will handle the overhead better.

bstorm@paws-k8s-control-1:~$ kubectl --as admin --as-group system:masters get nodes
NAME                 STATUS   ROLES     AGE     VERSION
paws-k8s-control-1   Ready    master    30d     v1.16.10
paws-k8s-control-2   Ready    master    30d     v1.16.10
paws-k8s-control-3   Ready    master    30d     v1.16.10
paws-k8s-ingress-1   Ready    ingress   21d     v1.16.10
paws-k8s-ingress-2   Ready    ingress   21d     v1.16.10
paws-k8s-worker-1    Ready    <none>    30d     v1.16.10
paws-k8s-worker-2    Ready    <none>    30d     v1.16.10
paws-k8s-worker-3    Ready    <none>    30d     v1.16.10
paws-k8s-worker-4    Ready    <none>    30d     v1.16.10
paws-k8s-worker-5    Ready    <none>    15m     v1.16.10
paws-k8s-worker-6    Ready    <none>    6m23s   v1.16.10
paws-k8s-worker-7    Ready    <none>    29s     v1.16.10
Bstorm updated the task description. (Show Details)Jul 6 2020, 10:19 PM
Stashbot added a comment.Jul 23 2020, 9:06 PM

Mentioned in SAL (#wikimedia-cloud) [2020-07-23T21:06:44Z] <bstorm> pushing dbproxy docker image for new cluster into main quay.io repo T211096

Stashbot added a comment.Jul 23 2020, 9:08 PM

Mentioned in SAL (#wikimedia-cloud) [2020-07-23T21:08:28Z] <bstorm> pushing quay.io/wikimedia-paws-prod/paws-hub:newbuild to the main repo T211096

Stashbot added a comment.Jul 23 2020, 9:09 PM

Mentioned in SAL (#wikimedia-cloud) [2020-07-23T21:09:53Z] <bstorm> pushing quay.io/wikimedia-paws-prod/singleuser:newbuild to the main repo T211096

Stashbot added a comment.Jul 23 2020, 9:11 PM

Mentioned in SAL (#wikimedia-cloud) [2020-07-23T21:11:44Z] <bstorm> pushing quay.io/wikimedia-paws-prod/deploy-hook:newbuild to main repo T211096

Stashbot added a comment.Jul 23 2020, 9:14 PM

Mentioned in SAL (#wikimedia-cloud) [2020-07-23T21:14:36Z] <bstorm> pushing quay.io/wikimedia-paws-prod/nbserve:newbuild to main repo T211096

Bstorm added a comment.Jul 23 2020, 9:24 PM

Updated the command used to deploy and upgrade here https://wikitech.wikimedia.org/wiki/PAWS/Admin

Bstorm updated the task description. (Show Details)Jul 23 2020, 9:44 PM
Bstorm added a comment.Jul 23 2020, 9:51 PM

Trimmed the deploy command to helm upgrade paws --namespace prod ./paws -f paws/secrets.yaml --set=jupyterhub.hub.db.url="sqlite://" --set=jupyterhub.hub.db.type=sqlite

That can remain permanent after we start adding the latest tag to images (though the deploy-hook should be more specific). I'm just moving toward sane defaults for development and simplification purposes. On switch-over, I will be dropping the sqlite params and it will *just* be: helm upgrade paws --namespace prod ./paws -f paws/secrets.yaml. That that point, we are helming! The deploy-hook should specify tags and image dev would override the images as well, but we shouldn't require all that just to basically run helm and have it not explode. This is especially true because I'm pushing off deploy-hook updates until after the cutover.

Bstorm updated the task description. (Show Details)Jul 23 2020, 9:54 PM
Bstorm updated the task description. (Show Details)
Bstorm updated the task description. (Show Details)Jul 23 2020, 9:57 PM
Bstorm added a comment.Jul 23 2020, 10:23 PM

Timeline! https://wikitech.wikimedia.org/wiki/User:Bstorm/sandbox/paws_timeline
I think that should get this done.

Stashbot added a comment.Jul 23 2020, 10:48 PM

Mentioned in SAL (#wikimedia-cloud) [2020-07-23T22:48:50Z] <bstorm> tagged the newbuild tags with "latest" to set sane defaults for all images in the helm chart T211096

Stashbot added a comment.Jul 23 2020, 10:51 PM

Mentioned in SAL (#wikimedia-cloud) [2020-07-23T22:51:38Z] <bstorm> deploying via the default 'latest' tag in the new cluster T211096

aborrero added a comment.Jul 24 2020, 9:36 AM
In T211096#6331251, @Bstorm wrote:

Updated the command used to deploy and upgrade here https://wikitech.wikimedia.org/wiki/PAWS/Admin

That's for taking over this! I promised many times that I would do it, and then never did it for real....

I saw the diagram and left some comments in the talk page, here: https://wikitech.wikimedia.org/wiki/File_talk:PAWS_Design.png

One thing: I believe we don't need the DNS wildcard for *.paws.wmcloud.org and instead we could just hardcode the few actual domains we use:

  • paws.wmclod.org A 185.15.56.57
  • public.paws.wmcloud.org CNAME paws.wmcloud.org
  • hub.paws.wmcloud.org CNAME paws.wmcloud.org
  • deploy-hook.paws.wmcloud.org CNAME paws.wmcloud.org

Not having the wildcard may reduce confusion for example with the `k8s.svc.paws.wmcloud,org' address, which is not an actual service address for anything.

I will introduce this DNS change now, feel free to revert if you think this is wrong!

Stashbot added a comment.Jul 24 2020, 9:39 AM

Mentioned in SAL (#wikimedia-cloud) [2020-07-24T09:39:46Z] <arturo> dropped the DNS wildcard record *.paws.wmcloud.org IN A 185.15.56.57 and created concrete CNAME records for the FQDNs we actually use (T211096)

aborrero added a comment.Jul 24 2020, 9:43 AM
In T211096#6331379, @Bstorm wrote:

Timeline! https://wikitech.wikimedia.org/wiki/User:Bstorm/sandbox/paws_timeline
I think that should get this done.

I've reviewed the plan, and I like it! +1, thanks!

aborrero closed subtask T195217: Simplify ingress methods for PAWS as Resolved.Jul 24 2020, 10:17 AM
Bstorm added a comment.Jul 24 2020, 3:01 PM
In T211096#6332497, @aborrero wrote:

Not having the wildcard may reduce confusion for example with the `k8s.svc.paws.wmcloud,org' address, which is not an actual service address for anything.

Oops! I messed up the service address in my diagram. It is supposed to be k8s.svc.paws.eqiad1.wikimedia.cloud :)

Nintendofan885 added a subscriber: Nintendofan885.Jul 24 2020, 3:02 PM
Bstorm added a comment.Jul 24 2020, 3:02 PM

My diagram also could confuse a person into thinking that CoreDNS labels these services with these addresses (which it doesn't, they have very different addresses in CoreDNS). It's just to show the general flows, really.

Bstorm added a comment.Jul 24 2020, 3:04 PM

@aborrero I think the specific records are more correct, in general, so that's cool. The wildcard was just the super-easy thing to do while banging on it :)

Bstorm added a comment.Jul 24 2020, 4:05 PM

One thing I will say is that the k8s API is built to be public-facing when RBAC and auth are correctly implemented with a load balancer out front. There isn't a very strong reason we keep it restricted to local shell access. Because of the general security model here, I don't intend to make it public right now--just a comment. I'd prefer if Kubernetes x509-based auth had a clear way of generating revocation lists before doing that, as well.

Bstorm closed subtask T258812: Fix the paws-public links in the new cluster! as Resolved.Jul 24 2020, 7:58 PM
Bstorm mentioned this in T157378: User/file-names containing _ breaks notebook imports.Jul 24 2020, 9:47 PM
Bstorm added a comment.Jul 28 2020, 7:31 PM

The PR is up. Please, nobody merge it until after we move DNS (which implies we've done a final NFS sync and actually announced the change first).
https://github.com/toolforge/paws/pull/51

Stashbot added a comment.Aug 7 2020, 3:53 PM

Mentioned in SAL (#wikimedia-cloud) [2020-08-07T15:53:18Z] <bstorm> downtiming alerts in case they need changes (seems likely) T211096

Stashbot added a comment.Aug 7 2020, 3:58 PM

Mentioned in SAL (#wikimedia-cloud) [2020-08-07T15:58:10Z] <bstorm> switching old cluster to sqlite T211096

Stashbot added a comment.Aug 7 2020, 4:02 PM

Mentioned in SAL (#wikimedia-cloud) [2020-08-07T16:02:15Z] <bstorm> switching old cluster to toolsdb T211096

Stashbot added a comment.Aug 7 2020, 4:02 PM

Mentioned in SAL (#wikimedia-cloud) [2020-08-07T16:02:34Z] <bstorm> LAST MESSAGE WRONG: switching NEW cluster to toolsdb T211096

Stashbot added a comment.Aug 7 2020, 4:08 PM

Mentioned in SAL (#wikimedia-cloud) [2020-08-07T16:08:06Z] <bstorm> changing paws.wmflabs.org to point at the new cluster ip 185.15.56.57 T211096

Stashbot added a comment.Aug 7 2020, 5:05 PM

Mentioned in SAL (#wikimedia-cloud) [2020-08-07T17:05:45Z] <bstorm> running the final rsync to the new cluster's nfs T211096

gerritbot added a comment.Aug 7 2020, 5:44 PM

Change 619019 had a related patch set uploaded (by Bstorm; owner: Bstorm):
[operations/puppet@production] paws: monitor the new URLs instead of the deprecated ones

https://gerrit.wikimedia.org/r/619019

gerritbot added a project: Patch-For-Review.Aug 7 2020, 5:44 PM
Stashbot added a comment.Aug 7 2020, 5:49 PM

Mentioned in SAL (#wikimedia-cloud) [2020-08-07T17:49:52Z] <bstorm> shutting down the entire old cluster T211096

Stashbot added a comment.Aug 7 2020, 6:01 PM

Mentioned in SAL (#wikimedia-cloud) [2020-08-07T18:01:02Z] <bstorm> shutting down paws-proxy-02 T211096

Bstorm updated the task description. (Show Details)Aug 7 2020, 6:22 PM
Bstorm closed subtask T188912: Puppetize PAWS k8s cluster as Resolved.
Bstorm closed subtask T160113: Move PAWS nfs onto its own share as Resolved.
Bstorm closed subtask T167086: Consider moving PAWS to its own Cloud VPS project, rather than using instances inside Toolforge as Resolved.Aug 7 2020, 6:25 PM
Bstorm closed subtask T256361: PAWS: get new service and cluster metrics into prometheus as Resolved.
gerritbot added a comment.Aug 7 2020, 10:00 PM

Change 619019 merged by Bstorm:
[operations/puppet@production] paws: monitor the new URLs instead of the deprecated ones

https://gerrit.wikimedia.org/r/619019

Stashbot added a comment.Aug 7 2020, 10:30 PM

Mentioned in SAL (#wikimedia-cloud) [2020-08-07T22:30:53Z] <bstorm> removing downtime for paws and front page monitor T211096

Stashbot added a comment.Aug 14 2020, 5:04 PM

Mentioned in SAL (#wikimedia-cloud) [2020-08-14T17:04:42Z] <bstorm> deleting instances "tools-paws-master-01", "tools-paws-worker-1005", "tools-paws-worker-1006", "tools-paws-worker-1003", "tools-paws-worker-1002", "tools-paws-worker-1001", "tools-paws-worker-1007", "tools-paws-worker-1013", "tools-paws-worker-1016", "tools-paws-worker-1017", "tools-paws-worker-1010", "tools-paws-worker-1019" T211096

Stashbot added a comment.Aug 14 2020, 5:09 PM

Mentioned in SAL (#wikimedia-cloud) [2020-08-14T17:09:38Z] <bstorm> backing up the old proxy config to NFS and deleting paws-proxy-02 T211096

Bstorm closed this task as Resolved.Aug 14 2020, 5:11 PM
Bstorm claimed this task.
Bstorm updated the task description. (Show Details)

First phase of productionalizing and enabling paws is done.

Bstorm closed subtask T256689: Add test and lint to the CI setup for PAWS as Resolved.Aug 19 2020, 3:52 PM
Nintendofan885 added a subtask: T218152: Test new configuration in PAWS-Beta.Aug 28 2020, 8:37 PM
Bstorm removed a subtask: T253134: Find an alternative solution for the mysql-proxy in PAWS.Nov 17 2020, 12:23 AM
rook closed subtask T218152: Test new configuration in PAWS-Beta as Declined.Nov 21 2022, 9:51 PM
rook closed subtask T258831: Odd error when creating a new session on the new PAWS cluster occasionally as Resolved.Feb 1 2023, 10:33 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL