Page MenuHomePhabricator
Create Task
Maniphest T233933

Replicated ticket registry
Closed, ResolvedPublic
Actions

Description

We currently use the default in-memory ticket registry, but a pre-requisite for HA is a replicated ticket registry (Redis, Memcached, ActiveMQ, MySQL/JPA).

Details

SubjectRepoBranchLines +/-
apereo_cas: add ability to configure basic memcached supportoperations/puppetproduction+76 -42
Add a helper to dump/restore memcached for rebootsoperations/puppetproduction+64 -1
build.gradle: add memcached support to cas bloboperations/software/cas-overlay-templatemaster+8 -2
Add CAP_DAC_OVERRIDE to the CapabilityBoundingSetoperations/puppetproduction+2 -0
profile::idp::memcached: move SSL termination to memcachedoperations/puppetproduction+20 -23
memcached: add TLS supportoperations/puppetproduction+63 -11
Make memcached 1.6 an option for the memcached class and enable for the IDPsoperations/puppetproduction+12 -3
Create repository component for memcached 1.6operations/puppetproduction+1 -0
IPv6: add AAAA records for francium & htmldumper1001operations/dnsmaster+9 -2
role:idp* add arguments for default memcached portoperations/puppetproduction+2 -0
profile::idp::memcached: mcrouter also needs to own the certoperations/puppetproduction+1 -0
profile::idp: use mcrouter portoperations/puppetproduction+1 -0
profile::idp: split memcached function to its on profileoperations/puppetproduction+69 -63
apero_cas: enable memcached on idp_testoperations/puppetproduction+2 -0
apero_cas: alow ability to use memcached for ticketsoperations/puppetproduction+124 -57
profile::idp: add mcrouteroperations/puppetproduction+65 -5
memcache: comment out memcacheoperations/software/cas-overlay-templatemaster+2 -2
build.gradle: add memcached support to cas bloboperations/software/cas-overlay-templatemaster+2 -0
Show related patches Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT233921 Further steps for CAS/web SSO
 ResolvedMoritzMuehlenhoffT233931 Cross data center setup for CAS
 ResolvedjbondT233933 Replicated ticket registry

Event Timeline

MoritzMuehlenhoff created this task.Sep 26 2019, 12:56 PM
herron triaged this task as Medium priority.Sep 26 2019, 5:18 PM
jbond added a project: User-jbond.Oct 30 2019, 5:56 PM
jbond moved this task from Unsorted 💣 to Back Burner 🏛️ on the User-jbond board.Oct 30 2019, 6:06 PM
jbond added a parent task: T233931: Cross data center setup for CAS.Nov 14 2019, 11:39 AM

Looking at the list of supported ticketing registries we have the following options

  • Hazelcast
  • Ehcache
  • Ignite
  • CouchDb
  • Memcached

I believe only Memcached is implemented in the current production network as such that seems to be the more sensible option to explore as we can make use of existing infrastructure and expertises . The following options exist for memcached

cas.ticket.registry.memcached.servers=localhost:11211
cas.ticket.registry.memcached.locatorType=ARRAY_MOD
cas.ticket.registry.memcached.failureMode=Redistribute
cas.ticket.registry.memcached.hashAlgorithm=FNV1_64_HASH
cas.ticket.registry.memcached.shouldOptimize=false
cas.ticket.registry.memcached.daemon=true
cas.ticket.registry.memcached.maxReconnectDelay=-1
cas.ticket.registry.memcached.useNagleAlgorithm=false
cas.ticket.registry.memcached.shutdownTimeoutSeconds=-1
cas.ticket.registry.memcached.opTimeout=-1
cas.ticket.registry.memcached.timeoutExceptionThreshold=2
cas.ticket.registry.memcached.maxTotal=20
cas.ticket.registry.memcached.maxIdle=8
cas.ticket.registry.memcached.minIdle=0
cas.ticket.registry.memcached.transcoder=KRYO|SERIAL|WHALIN|WHALINV1
cas.ticket.registry.memcached.transcoderCompressionThreshold=16384
cas.ticket.registry.memcached.kryoAutoReset=false
cas.ticket.registry.memcached.kryoObjectsByReference=false
cas.ticket.registry.memcached.kryoRegistrationRequired=false

From reading the guide most of theses can remain the same, although it would be usefull to have someone with more memcachd knowledge to validate this. We will need the cas.ticket.registry.memcached.servers setting and the advice is to set cas.ticket.registry.memcached.transcode to KRYO.

Finaly i assume we will need something configuring on the memcached side

gerritbot added a comment.Nov 14 2019, 11:41 AM

Change 550682 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/software/cas-overlay-template@master] build.gradle: add memcached support to cas blob

https://gerrit.wikimedia.org/r/550682

gerritbot added a project: Patch-For-Review.Nov 14 2019, 11:41 AM

Change 550695 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] apereo_cas: add ability to configure basic memcached support

https://gerrit.wikimedia.org/r/550695

gerritbot added a comment.Nov 15 2019, 11:56 AM

Change 550682 merged by Jbond:
[operations/software/cas-overlay-template@master] build.gradle: add memcached support to cas blob

https://gerrit.wikimedia.org/r/550682

gerritbot added a comment.Nov 19 2019, 11:16 AM

Change 551795 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/software/cas-overlay-template@master] memcache: comment out memcache

https://gerrit.wikimedia.org/r/551795

gerritbot added a comment.Nov 19 2019, 11:18 AM

Change 551795 merged by Jbond:
[operations/software/cas-overlay-template@master] memcache: comment out memcache

https://gerrit.wikimedia.org/r/551795

gerritbot added a comment.Apr 27 2020, 11:36 AM

Change 592642 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::idp: add mcrouter (WIP)

https://gerrit.wikimedia.org/r/592642

gerritbot added a comment.Apr 27 2020, 1:46 PM

Change 592659 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/software/cas-overlay-template@master] build.gradle: add memcached support to cas blob

https://gerrit.wikimedia.org/r/592659

gerritbot added a comment.Apr 27 2020, 1:47 PM

Change 592661 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] apero_cas: enable memcached on idp_test

https://gerrit.wikimedia.org/r/592661

gerritbot added a comment.Apr 27 2020, 1:53 PM

Change 592660 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] apero_cas: alow ability to use memcached for tickets

https://gerrit.wikimedia.org/r/592660

MoritzMuehlenhoff added a project: CAS-SSO.May 6 2020, 11:18 AM
jbond added a comment.May 26 2020, 9:36 AM

Currently blocked waiting on mcrouter for buster

jbond moved this task from Backlog to blocked on the CAS-SSO board.May 26 2020, 9:37 AM
gerritbot added a comment.May 29 2020, 1:48 PM

Change 592642 merged by Jbond:
[operations/puppet@production] profile::idp: add mcrouter

https://gerrit.wikimedia.org/r/592642

gerritbot added a comment.May 29 2020, 1:48 PM

Change 592660 merged by Jbond:
[operations/puppet@production] apero_cas: alow ability to use memcached for tickets

https://gerrit.wikimedia.org/r/592660

gerritbot added a comment.May 29 2020, 1:58 PM

Change 592661 merged by Jbond:
[operations/puppet@production] apero_cas: enable memcached on idp_test

https://gerrit.wikimedia.org/r/592661

jbond moved this task from blocked to in progress on the CAS-SSO board.Jun 1 2020, 8:50 AM
gerritbot added a comment.Jun 1 2020, 8:51 AM

Change 601301 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::idp: split memcached function to its on profile

https://gerrit.wikimedia.org/r/601301

gerritbot added a comment.Jun 1 2020, 8:59 AM

Change 601301 merged by Jbond:
[operations/puppet@production] profile::idp: split memcached function to its on profile

https://gerrit.wikimedia.org/r/601301

gerritbot added a comment.Jun 1 2020, 9:40 AM

Change 601315 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::idp: use mcrouter port

https://gerrit.wikimedia.org/r/601315

gerritbot added a comment.Jun 1 2020, 9:44 AM

Change 601315 merged by Jbond:
[operations/puppet@production] profile::idp: use mcrouter port

https://gerrit.wikimedia.org/r/601315

gerritbot added a comment.Jun 1 2020, 9:59 AM

Change 601321 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/dns@master] IPv6: add AAAA records for francium & htmldumper1001

https://gerrit.wikimedia.org/r/601321

gerritbot added a comment.Jun 1 2020, 10:17 AM

Change 601325 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::idp::memcached: mcrouter also needs to own the cert

https://gerrit.wikimedia.org/r/601325

gerritbot added a comment.Jun 1 2020, 10:21 AM

Change 601325 merged by Jbond:
[operations/puppet@production] profile::idp::memcached: mcrouter also needs to own the cert

https://gerrit.wikimedia.org/r/601325

gerritbot added a comment.Jun 1 2020, 10:29 AM

Change 601327 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] role:idp* add arguments for default memcached port

https://gerrit.wikimedia.org/r/601327

gerritbot added a comment.Jun 1 2020, 10:51 AM

Change 601327 merged by Jbond:
[operations/puppet@production] role:idp* add arguments for default memcached port

https://gerrit.wikimedia.org/r/601327

gerritbot added a comment.Jun 1 2020, 11:44 AM

Change 601321 merged by Jbond:
[operations/dns@master] IPv6: add AAAA records for francium & htmldumper1001

https://gerrit.wikimedia.org/r/601321

jbond moved this task from Back Burner 🏛️ to Active 🚁 on the User-jbond board.Jun 2 2020, 2:18 PM
jbond added a subscriber: elukey.Jun 3 2020, 3:20 PM

I have configured memcache and mcrouter for CAS however there is currently an error. If CAS talks directly to memcache then all works fine. however when CAS talks to mcrouter we get and amplification storm before a timeout is sent to CAS. After speaking with @elukey we think the following may be happening

  1. idp-test2001 cas sends a set to mcrouter
  2. idp-test2001 mcrouter sends this command to idp-test1001 mcrouter instance and localhost using SyncRoute meaning the worst result should be returned to CAS
  3. localhost on idp-test2001 responds STORED for the set, idp-test2001 is still waiting for a responds from idp-test2001
  4. idp-test1001 mcrouter sends this connection to idp-test2001 mcrouter instance and localhost using SyncRoute meaning the worst result should be returned to CAS
  5. localhost on idp-test1001 responds STORED for the set, idp-test2001 is still waiting for a responds from idp-test2001
  6. as idp-test1001 has not finished its connection it canont send a confirmation back to idp-test2001
  7. steps 2 to 6 repeat for a second when the timeout experies and sends SERVER_ERROR Reply timeout back to the idp-test2001 cas

We could resolve this by having mcrouter talk directly to memcache in the other DC however this requires 1.5.13 which is not currently in buster. We could of course wrap the current memcache in stunnle but that seems a bit of a hack?

I had a quick look at the mediawiki config and i believe mediawiki resolves this problem in the mediawiki code by modifying the memcache key prefix however we don't [easily] have that control with CAS. Currently exploring further options.

@elukey please add anything i missed and correct anything i got wrong, thanks :)

jbond added a comment.EditedJun 3 2020, 3:48 PM

We could resolve this by having mcrouter talk directly to memcache in the other DC however this requires 1.5.13 which is not currently in buster.

1.6.6 is available in testing and seems to build correctly on buster.

@MoritzMuehlenhoff what is your opinion on using a backported memcache?

@elukey would this be a good path forward or dose mcrouter offer more then just TLS termination and replication?

MoritzMuehlenhoff added a comment.Jun 4 2020, 7:19 AM

I'll let Luca comment what's best option-wise, but building (and maintaining with custom patches in case of security issues) seems like an acceptable option to me:

  • most memcached security issues are harmless given it's nature
  • it's temporary until we move the IDPs to bullseye
  • given how much we rely on memcached for our core services, gaining some advance handson experience with changes in 1.6 seems useful as well
elukey added a comment.Jun 8 2020, 6:23 AM

I am all for testing new versions of memcached to get experience, so on this front you'll always have my +1 :)
Upstream is also very available to help and give feedback, especially if we test recent versions.

One consideration - I tried to check what is the use case for CAS using memcached, and I ended up in here (not sure if the right link). It seems that CAS already have a mcrouter-like way of handling HA, so another solution could be to configure mcrouter with only the pool for the other DC (to leverage TLS) and configure two servers in CAS: localhost:11211 and localhost:11213. The latter will proxy transparently to the other DC's memcached without requiring us to have memcached listening on TLS.

jbond added a comment.Jun 9 2020, 11:33 AM
In T233933#6200461, @elukey wrote:

I am all for testing new versions of memcached to get experience, so on this front you'll always have my +1 :)
Upstream is also very available to help and give feedback, especially if we test recent versions.

One consideration - I tried to check what is the use case for CAS using memcached, and I ended up in here (not sure if the right link). It seems that CAS already have a mcrouter-like way of handling HA,

Thanks for looking at this. This is the correct page however this solution seems sub-optimal. From my reading all this does is automatically switch to a backup server in the event that the primary server fails. however when it dose so any sessions already established will be gone and users will be forced to re-authenticate or am i missing something. This is what we would like to avoid, i.e. we want to be able to transparently fail over services from codfw to eqiad without users noticing or being interrupted.

elukey added a comment.Jun 10 2020, 1:32 PM

Ah ok thanks for the explanation, now it is more clear. We have to keep in mind that mcrouter can have tkos and stop sending keys to a particular shard if not responsive, so even in this case the replication could end up to become inconsistent.

I didn't find a good solution for this use case, all docs in mcrouter seem to assume that the pools are configured to contact memcached hosts directly (so not using mcrouter as proxy).

jbond added a comment.Jun 10 2020, 2:14 PM

We have to keep in mind that mcrouter can have tkos and stop sending keys to a particular shard if not responsive, so even in this case the replication could end up to become inconsistent.

Good to know I think its acceptable to drop the odd session here or there, would just mean that one or two users would need to re-authenticat which is much better then everyone

I didn't find a good solution for this use case, all docs in mcrouter seem to assume that the pools are configured to contact memcached hosts directly (so not using mcrouter as proxy).

Ack thanks for looking, i will try out using memcache 1.6 in that case and let you know how i go

gerritbot added a comment.Jun 11 2020, 8:16 AM

Change 604603 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Create repository component for memcached 1.6

https://gerrit.wikimedia.org/r/604603

gerritbot added a comment.Jun 11 2020, 8:17 AM

Change 604603 merged by Muehlenhoff:
[operations/puppet@production] Create repository component for memcached 1.6

https://gerrit.wikimedia.org/r/604603

gerritbot added a comment.Jun 11 2020, 9:08 AM

Change 604626 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Make memcached 1.6 an option for the memcached class and enable for the IDPs

https://gerrit.wikimedia.org/r/604626

gerritbot added a comment.Jun 11 2020, 11:38 AM

Change 604626 merged by Muehlenhoff:
[operations/puppet@production] Make memcached 1.6 an option for the memcached class and enable for the IDPs

https://gerrit.wikimedia.org/r/604626

gerritbot added a comment.Jun 16 2020, 3:03 PM

Change 605937 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] memcached: add TLS support

https://gerrit.wikimedia.org/r/605937

gerritbot added a comment.Jun 16 2020, 3:29 PM

Change 605947 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::idp::memcached: move SSL termination to memcached

https://gerrit.wikimedia.org/r/605947

gerritbot added a comment.Jun 17 2020, 1:05 PM

Change 605937 merged by Jbond:
[operations/puppet@production] memcached: add TLS support

https://gerrit.wikimedia.org/r/605937

gerritbot added a comment.Jun 17 2020, 1:33 PM

Change 605947 merged by Jbond:
[operations/puppet@production] profile::idp::memcached: move SSL termination to memcached

https://gerrit.wikimedia.org/r/605947

gerritbot added a comment.Jun 18 2020, 1:34 PM

Change 606433 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add CAP_DAC_OVERRIDE to the CapabilityBoundingSet

https://gerrit.wikimedia.org/r/606433

gerritbot added a comment.Jun 19 2020, 6:23 AM

Change 606433 merged by Muehlenhoff:
[operations/puppet@production] Add CAP_DAC_OVERRIDE to the CapabilityBoundingSet

https://gerrit.wikimedia.org/r/606433

Stashbot added a comment.Jun 19 2020, 6:47 AM

Mentioned in SAL (#wikimedia-operations) [2020-06-19T06:47:47Z] <moritzm> force reinstall of memcached 1.6 deb packages to ensure that the override is used in addition to the unmodified systemd unit from the deb T233933

gerritbot added a comment.Jun 23 2020, 9:52 AM

Change 592659 abandoned by Jbond:
build.gradle: add memcached support to cas blob

Reason:
already deployed

https://gerrit.wikimedia.org/r/592659

MoritzMuehlenhoff added a comment.Jun 23 2020, 3:14 PM

Did some tests on idp-test* and it's working nicely; sessions persisted across a Tomcat restart when explicitly addressing the failover IDP, they were also present.

gerritbot added a comment.Jun 24 2020, 11:16 AM

Change 592659 restored by Jbond:
build.gradle: add memcached support to cas blob

https://gerrit.wikimedia.org/r/592659

gerritbot added a comment.Jun 24 2020, 11:17 AM

Change 592659 merged by Jbond:
[operations/software/cas-overlay-template@master] build.gradle: add memcached support to cas blob

https://gerrit.wikimedia.org/r/592659

gerritbot added a comment.Sep 23 2020, 10:42 AM

Change 629344 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add a helper to dump/restore memcached for reboots

https://gerrit.wikimedia.org/r/629344

gerritbot added a comment.Sep 24 2020, 1:52 PM

Change 629344 merged by Muehlenhoff:
[operations/puppet@production] Add a helper to dump/restore memcached for reboots

https://gerrit.wikimedia.org/r/629344

gerritbot added a comment.Nov 3 2020, 8:44 PM

Change 550695 abandoned by Jbond:
[operations/puppet@production] apereo_cas: add ability to configure basic memcached support

Reason:
superseded

https://gerrit.wikimedia.org/r/550695

jbond closed this task as Resolved.May 27 2021, 4:26 PM
jbond claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL