Page MenuHomePhabricator
Create Task
Maniphest T221690

Allow analytics VLAN to reach schema.svc.$site.wmnet
Closed, ResolvedPublic
Actions

Description

The Analytics VLAN needs to be able to talk to the schema registry http service. Can we add a rule in the network ACLs to allow this?

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+2 -4refine mediawiki-events - remove use of http proxy after T221690
Customize query in gerrit

Related Objects
Search...

Event Timeline

Ottomata created this task.Apr 23 2019, 6:50 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 23 2019, 6:50 PM
Ottomata added a project: netops.Apr 23 2019, 6:50 PM
Restricted Application added a project: SRE. · View Herald TranscriptApr 23 2019, 6:50 PM
Ottomata removed Ottomata as the assignee of this task.Apr 24 2019, 2:58 PM
ayounsi claimed this task.Apr 24 2019, 3:19 PM
Stashbot added a comment.Apr 25 2019, 4:58 PM

Mentioned in SAL (#wikimedia-operations) [2019-04-25T16:58:58Z] <XioNoX> add analytics firewall filter term schema to cr1/2-eqiad - T221690

ayounsi closed this task as Resolved.Apr 25 2019, 5:02 PM

I assumed you needed HTTPS and not HTTP based on T219552, but please reopen if it's wrong.

Ottomata added a comment.Apr 25 2019, 5:07 PM

HTTP is enough for now, thanks. If/when this gets exposed publicly we'll put it through the usual frontend nginx tls stuff there. Thank you!

Ottomata added a comment.Apr 25 2019, 6:34 PM

Hm, @ayounsi:

[@stat1004:/home/otto] $ curl -Iv http://schema.svc.eqiad.wmnet:8190/repositories/
*   Trying 10.2.2.43...

[@stat1004:/home/otto] $ curl -Iv http://schema1001.eqiad.wmnet:8190/repositories/
*   Trying 10.64.0.18...

But

[@stat1004:/home/otto] $ export http_proxy=http://webproxy.eqiad.wmnet:8080;

[@stat1004:/home/otto]↥ $ curl -I http://schema.svc.eqiad.wmnet:8190/repositories/
HTTP/1.1 200 OK

[@stat1004:/home/otto]↥ $ curl -I http://schema1001.eqiad.wmnet:8190/repositories/
HTTP/1.1 200 OK
Ottomata added a comment.Apr 25 2019, 6:35 PM

Ah I think that might have been my fault. T219552 doesn't specify a port; that task description was made before service was implemented. Port 8190 plz! :)

Ottomata reopened this task as Open.Apr 25 2019, 6:36 PM
Ottomata moved this task from Backlog to In Progress Before Value Streams Kickoff (August 15th) on the Event-Platform Value Stream board.Apr 25 2019, 7:24 PM
gerritbot added a comment.Apr 25 2019, 7:43 PM

Change 506543 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] refine mediawiki-events - remove use of http proxy after T221690

https://gerrit.wikimedia.org/r/506543

gerritbot added a project: Patch-For-Review.Apr 25 2019, 7:43 PM
gerritbot added a comment.Apr 25 2019, 7:49 PM

Change 506543 merged by Ottomata:
[operations/puppet@production] refine mediawiki-events - remove use of http proxy after T221690

https://gerrit.wikimedia.org/r/506543

elukey closed this task as Resolved.Apr 26 2019, 7:09 AM

To keep archives happy:

term schema {
    from {
        destination-address {
            /* schema.svc.codfw */
            10.2.1.43/32;
            /* schema.svc.eqiad */
            10.2.2.43/32;
        }
        protocol tcp;
        destination-port 8190;
    }
    then accept;
}

elukey@stat1004:~$ curl -I http://schema.svc.eqiad.wmnet:8190/repositories/
HTTP/1.1 200 OK
Ottomata mentioned this in T176875: Allow access to wdqs.svc.eqiad.wmnet on port 8888.Jul 9 2019, 3:09 PM
Maintenance_bot removed a project: Patch-For-Review.Jul 9 2019, 3:10 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL