Page MenuHomePhabricator
Create Task
Maniphest T266509

Make testreduce web UI publicly accessible on the internet
Closed, ResolvedPublic
Actions

Description

At one point, scandium used to have http://parsoid-rt-tests.wikimedia.org/ pointed at the parsoid-rt webservice web UI. But, once scandium became a mediawiki appserver, and since parsoid's rt test services aren't as heavily security hardened or tested or updated compared to production code, we decided to disable that public web access as part of this patch.

Now, as we move the parsoid-rt and parsoid-rt-client node services away from scandium onto testreduce1001, we can revisit this decision. testreduce1001 is not (need not be) a mediawiki app server and doesn't need to run PHP code at all. Right now parsoid-rt on testreduce1001 continues to connect to a database hosted on a production database server. However, as noted in T257906#6390890 parsoid-rt on testreduce1001 can simply connect to a local database on testreduce1001 and be completely isolated from any production services (but it still needs enough access to be able to issue Parsoid REST API requests to scandium).

So, here are some tasks:

  • Enable mysql/maraiadb on testreduce1001
  • Create a new database
  • Initialize this with a fresh set of test titles
  • Revert some version of https://gerrit.wikimedia.org/r/c/operations/puppet/+/534271 to enable the webserver on testreduce1001 and to point parsoid-rt-tests.wikimedia.org to parsoid-rt webserver UI
  • create certificate for testreduce.discovery.wmnet in private repo, copy to public repo, create fake cert in labs/private
  • add testreduce.discovery.wmnet in DNS and point to testreduce1001
  • add envoy on backend for TLS termination and let it speak to 8001 on nginx as upstream
  • add parsoid-rt-tests to the envoy TLS cert for testreduce.discovery.wmnet

This is not high priority and if any of this work is cumbersome or involves a lot of work, feel free to decline. And, this can also be done after the parent task is resolved as well. So free to edit / update the task as appropriate.

Details

SubjectRepoBranchLines +/-
cache::text_haproxy: Add missing parsoid-rt-tests.wm.o to alternate domainsoperations/puppetproduction+2 -0
add parsoid-rt-tests.wikimedia.org to alternate_domainsoperations/puppetproduction+2 -0
ssl: add regenerated TLS cert for testreduce with new SANoperations/puppetproduction+20 -19
Revert "parsoid::testreduce: let envoy listen on IPv6 as well"operations/puppetproduction+0 -1
parsoid::testreduce: let envoy listen on IPv6 as welloperations/puppetproduction+1 -0
parsoid/testing: let nginx also listen on IPv6operations/puppetproduction+1 -0
trafficserver/parsoid: switch TLS termination to 443, upstream port 8001operations/puppetproduction+4 -1
parsoid/testreduce: add envoy on testreduce1001 for TLS terminationoperations/puppetproduction+4 -0
add testreduce.discovery.wmnet, point to testreduce1001operations/dnsmaster+1 -0
ATS: re-add config for parsoid-rt-tests.wikimedia.orgoperations/puppetproduction+3 -0
add fake cert for testreduce.discovery.wmnetlabs/privatemaster+3 -0
add certificate for testreduce.discovery.wmnetoperations/puppetproduction+23 -0
Parsoid Testing: Switch rt/vd server db hosts to localhostoperations/puppetproduction+2 -2
Revert "remove parsoid-rt-tests.wikimedia.org"operations/dnsmaster+1 -0
parsoid::testing: switch db_host from m5-master to localhostoperations/puppetproduction+1 -1
parsoid::testing: fix duplicate declaration of mariadb-client for busteroperations/puppetproduction+6 -8
parsoid: include a generic mariadb server in testreduce roleoperations/puppetproduction+2 -0
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

ssastry created this task.Oct 26 2020, 9:07 PM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptOct 26 2020, 9:07 PM
ssastry moved this task from Needs Triage to Non-Parsing-Team Tasks on the Parsoid board.Oct 27 2020, 3:54 PM
Dzahn added a comment.Nov 3 2020, 2:14 AM

I will be afk for about 2 weeks. If this needs earlier attention (I assume not, based on low prio etc) please contact the subteam.

Dzahn triaged this task as Medium priority.Nov 3 2020, 2:14 AM
Dzahn moved this task from Incoming 🐫 to API Gateway 🥌 on the serviceops board.
MBinder_WMF edited projects, added Parsoid (Tracking); removed Parsoid.Dec 10 2020, 8:12 PM
gerritbot added a comment.Jan 4 2021, 10:20 PM

Change 654318 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] parsoid: include a generic mariadb server in testreduce role

https://gerrit.wikimedia.org/r/654318

gerritbot added a project: Patch-For-Review.Jan 4 2021, 10:20 PM
gerritbot added a comment.Jan 4 2021, 10:48 PM

Change 654318 merged by Dzahn:
[operations/puppet@production] parsoid: include a generic mariadb server in testreduce role

https://gerrit.wikimedia.org/r/654318

gerritbot added a comment.Jan 4 2021, 11:05 PM

Change 654322 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] parsoid::testing: fix duplicate declaration of mariadb-client for buster

https://gerrit.wikimedia.org/r/654322

gerritbot added a comment.Jan 4 2021, 11:14 PM

Change 654322 merged by Dzahn:
[operations/puppet@production] parsoid::testing: fix duplicate declaration of mariadb-client for buster

https://gerrit.wikimedia.org/r/654322

Dzahn updated the task description. (Show Details)Jan 4 2021, 11:15 PM
Dzahn added a comment.Jan 4 2021, 11:18 PM

A generic mariadb server has now been installed by puppet on testreduce1001. (no change on scandium which at first conflicted with this).

The config is in /etc/my.cnf

The data_dir is /srv/sqldata.

No database has been created yet though.

ssastry updated the task description. (Show Details)Jan 4 2021, 11:21 PM
gerritbot added a comment.Jan 4 2021, 11:24 PM

Change 653998 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] Revert "remove parsoid-vd/parsoid-rt.wikimedia.org"

https://gerrit.wikimedia.org/r/653998

Dzahn added a comment.Jan 4 2021, 11:26 PM

Next we need to re-create the DNS entries (parsoid-rt-tests, parsoid-vd-tests) before we can point them to the new backend in the caching layer.

nginx config exists on testreduce1001 as it is puppetized.

ssastry added a comment.EditedJan 4 2021, 11:52 PM

Couple observations:

  1. We don't need parsoid-vd-tests on testreduce1001 anymore since there are no immediate plans to run visual diff tests there. If we need do that on production vms in the future, that will probably be its own vm.
  2. If we are going to have the test db be local on testreduce1001, then all parsoid-test-roots should have all privileges to those db. You can pick the same db-name and user-name from /etc/testreduce/parsoid-rt.settings.js for that new local db.
gerritbot added a comment.Jan 5 2021, 2:11 AM

Change 654351 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: re-add config for parsoid-rt-tests.wikimedia.org

https://gerrit.wikimedia.org/r/654351

Dzahn updated the task description. (Show Details)Jan 6 2021, 1:07 AM
Dzahn added a comment.Jan 6 2021, 1:09 AM

@ssastry ACK, only "rt" no "vd" needed. Adjusted the patches accordingly.

Regarding the database:

  • I created a new database "testreduce" on the local MariaDB server
  • I then granted "all privileges" to a user also called "testreduce" and with the password from parsoid-rt.settings.js.

So database name, user name and password are all exactly like before, just that it is now running on localhost instead of on m5-master.

[testreduce1001:~] $ mysql -h localhost -u testreduce testreduce -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 56

Now you can use that user to import the data you need.

gerritbot added a comment.Jan 6 2021, 1:32 AM

Change 654565 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] parsoid::testing: switch db_host from m5-master to localhost

https://gerrit.wikimedia.org/r/654565

gerritbot added a comment.Jan 26 2021, 12:02 AM

Change 654565 merged by Dzahn:
[operations/puppet@production] parsoid::testing: switch db_host from m5-master to localhost

https://gerrit.wikimedia.org/r/654565

ssastry updated the task description. (Show Details)Jan 26 2021, 12:03 AM
gerritbot added a comment.Jan 26 2021, 5:17 PM

Change 653998 merged by Dzahn:
[operations/dns@master] Revert "remove parsoid-rt-tests.wikimedia.org"

https://gerrit.wikimedia.org/r/653998

gerritbot added a comment.Jan 26 2021, 9:09 PM

Change 658679 had a related patch set uploaded (by Subramanya Sastry; owner: Subramanya Sastry):
[operations/puppet@production] Parsoid Testing: Switch rt/vd server db hosts to localhost

https://gerrit.wikimedia.org/r/658679

gerritbot added a comment.Jan 26 2021, 9:15 PM

Change 658679 merged by Dzahn:
[operations/puppet@production] Parsoid Testing: Switch rt/vd server db hosts to localhost

https://gerrit.wikimedia.org/r/658679

gerritbot added a comment.Jan 26 2021, 11:11 PM

Change 658695 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] add certificate for testreduce.discovery.wmnet

https://gerrit.wikimedia.org/r/658695

gerritbot added a comment.Jan 26 2021, 11:12 PM

Change 658696 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[labs/private@master] add fake cert for testreduce.discovery.wmnet

https://gerrit.wikimedia.org/r/658696

gerritbot added a comment.Jan 26 2021, 11:15 PM

Change 658695 merged by Dzahn:
[operations/puppet@production] add certificate for testreduce.discovery.wmnet

https://gerrit.wikimedia.org/r/658695

gerritbot added a comment.Jan 26 2021, 11:15 PM

Change 658696 merged by Dzahn:
[labs/private@master] add fake cert for testreduce.discovery.wmnet

https://gerrit.wikimedia.org/r/658696

Dzahn mentioned this in rLPRI5a7d0e090aae: add fake cert for testreduce.discovery.wmnet.Jan 26 2021, 11:19 PM
gerritbot added a comment.Jan 26 2021, 11:26 PM

Change 654351 merged by Dzahn:
[operations/puppet@production] ATS: re-add config for parsoid-rt-tests.wikimedia.org

https://gerrit.wikimedia.org/r/654351

gerritbot added a comment.Jan 26 2021, 11:54 PM

Change 658701 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] add testreduce.discovery.wmnet, point to testreduce1001

https://gerrit.wikimedia.org/r/658701

Dzahn updated the task description. (Show Details)Jan 26 2021, 11:55 PM
gerritbot added a comment.Jan 26 2021, 11:56 PM

Change 658701 merged by Dzahn:
[operations/dns@master] add testreduce.discovery.wmnet, point to testreduce1001

https://gerrit.wikimedia.org/r/658701

Dzahn updated the task description. (Show Details)Jan 27 2021, 12:09 AM
gerritbot added a comment.Jan 27 2021, 12:15 AM

Change 658706 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] parsoid/testreduce: add envoy on testreduce1001 for TLS termination

https://gerrit.wikimedia.org/r/658706

gerritbot added a comment.Jan 27 2021, 12:18 AM

Change 658706 merged by Dzahn:
[operations/puppet@production] parsoid/testreduce: add envoy on testreduce1001 for TLS termination

https://gerrit.wikimedia.org/r/658706

gerritbot added a comment.Jan 27 2021, 12:27 AM

Change 658708 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] trafficserver/parsoid: switch TLS termination to 443, upstream port 8001

https://gerrit.wikimedia.org/r/658708

gerritbot added a comment.Jan 27 2021, 12:38 AM

Change 658708 merged by Dzahn:
[operations/puppet@production] trafficserver/parsoid: switch TLS termination to 443, upstream port 8001

https://gerrit.wikimedia.org/r/658708

Dzahn mentioned this in T255568: Envoy should listen on ipv6 and ipv4.Jan 27 2021, 1:13 AM
gerritbot added a comment.Jan 27 2021, 6:22 PM

Change 659051 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] parsoid::testreduce: let envoy listen on IPv6 as well

https://gerrit.wikimedia.org/r/659051

gerritbot added a comment.Jan 27 2021, 6:26 PM

Change 659051 merged by Dzahn:
[operations/puppet@production] parsoid::testreduce: let envoy listen on IPv6 as well

https://gerrit.wikimedia.org/r/659051

Stashbot added a comment.Jan 27 2021, 6:50 PM

Mentioned in SAL (#wikimedia-operations) [2021-01-27T18:50:14Z] <mutante> testreduce1001 - making nginx listen on IPv6 and restarting it T266509

gerritbot added a comment.Jan 27 2021, 6:53 PM

Change 659058 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] parsoid/testing: let nginx also listen on IPv6

https://gerrit.wikimedia.org/r/659058

gerritbot added a comment.Jan 27 2021, 7:17 PM

Change 659058 merged by Dzahn:
[operations/puppet@production] parsoid/testing: let nginx also listen on IPv6

https://gerrit.wikimedia.org/r/659058

gerritbot added a comment.Feb 24 2021, 9:02 PM

Change 666694 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] Revert "parsoid::testreduce: let envoy listen on IPv6 as well"

https://gerrit.wikimedia.org/r/666694

gerritbot added a comment.Feb 24 2021, 9:05 PM

Change 666694 merged by Dzahn:
[operations/puppet@production] Revert "parsoid::testreduce: let envoy listen on IPv6 as well"

https://gerrit.wikimedia.org/r/666694

Stashbot added a comment.Mar 12 2021, 9:52 PM

Mentioned in SAL (#wikimedia-operations) [2021-03-12T21:52:08Z] <mutante> puppetmaster1001 sudo puppet cert clean testreduce.discovery.wmnet (T266509)

gerritbot added a comment.Mar 12 2021, 9:59 PM

Change 671275 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ssl: add regenerated TLS cert for testreduce with new SAN

https://gerrit.wikimedia.org/r/671275

gerritbot added a comment.Mar 12 2021, 10:00 PM

Change 671275 merged by Dzahn:
[operations/puppet@production] ssl: add regenerated TLS cert for testreduce with new SAN

https://gerrit.wikimedia.org/r/671275

Dzahn updated the task description. (Show Details)Mar 12 2021, 10:03 PM

@ssastry Done! https://parsoid-rt-tests.wikimedia.org/ has been reactivated.

It needed the parsoid-rt-tests.wikimedia.org name on the envoy certificate to allow for TLS termination on the backend. Fixed that and now it's back.

Dzahn closed this task as Resolved.Mar 12 2021, 10:05 PM

Screenshot at 2021-03-12 14-05-10.png (612×628 px, 62 KB)

Arlolra subscribed.EditedApr 21 2021, 9:33 PM

@Dzahn The static files aren't rendering, ex. https://parsoid-rt-tests.wikimedia.org/static/style.css

curl http://localhost:8003/static/style.css on testreduce1001 returns the expected result though.

A quick glance at nginx-parsoid-testing seems alright, so maybe the requests aren't making it there?

ssastry reopened this task as Open.Jul 2 2021, 11:47 PM

Reopening to follow up on the failure to fully serve all the static files.

To followup on Arlo's comments above, it looks like something is intercepting requests to parsoid-rt-tests.wikimedia.org/static/ ... That url returns 503 forbidden even when I stop nginx. Additionally, if I add /static1/ or some other path component that is not /static/ to the testreduce server, they all work fine. It is only this exact /static/ path component that is a problem.

@Dzahn or someone in serviceops, can you take a look please?

ssastry added a comment.Nov 17 2021, 3:36 PM

Ping! This would also make accessing test results less cumbersome without needing to set up ssh tunnels.

Dzahn added a comment.Dec 22 2021, 8:26 PM

So, I have been debugging this again and summary is:

the chain here is (traffic layer) -> envoy (443) -> nginx (8001) -> nodejs (8003)

And i can fetch the missing /static/style.css from all 3 places:

I can get it directly from nodejs:

curl http://localhost:8003/static/style.css (works)

I can get it from nginx:

curl http://localhost:8001/static/style.css (works)

I can get it from envoy:

curl --connect-to parsoid-rt-tests.wikimedia.org:443:localhost:443 https://parsoid-rt-tests.wikimedia.org/static/style.css (works)

All of this works so that should rule out a bunch of things we have been guessing it could be.

Dzahn added a comment.Dec 22 2021, 8:40 PM
In T266509#7195286, @ssastry wrote:

looks like something is intercepting requests to parsoid-rt-tests.wikimedia.org/static/ ... That url returns 503 forbidden even when I stop nginx. Additionally, if I add /static1/ or some other path component that is not /static/ to the testreduce server, they all work fine. It is only this exact /static/ path component that is a problem.

@ssastry Sorry for the delay here, but see above. I can confirm it's working through the entire stack on testreduce1001 itself and was already suspicious it must then be traffic layer. Then I re-read your comment and eventually found this:

# normalize all /static to the same hostname for caching
if (req.url ~ "^/static/") { set req.http.host = "<%= @vcl_config.fetch("static_host") %>"; }

This is in puppet/modules/varnish/templates/text-frontend.inc.vcl.erb so... I am relatively sure now this is varnish and outside testreduce1001.

The options seem to escalate this as a bug to traffic or to avoid the specific string "static" in your URLs. I will add traffic to this now.

Dzahn added a project: Traffic.Dec 22 2021, 8:43 PM
Dzahn added a comment.EditedDec 22 2021, 8:47 PM

Hey traffic, I added you to this ticket because I think a line in varnish config above, the one that handles URLs with "static" in it in a different way, caused this issue here for a non-mediawiki/appserver backend behind Varnish.

effect: https://parsoid-rt-tests.wikimedia.org/ works but https://parsoid-rt-tests.wikimedia.org/static/style.css is 404 but not on the backend

Should other clients just avoid that kind of URL or can we exclude certiain backends from that rule above?

edit: uploaded suggested fix after Majavah pointed me to the list of "alternate_domains" in Hiera.

gerritbot added a comment.Dec 22 2021, 8:53 PM

Change 749574 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] add parsoid-rt-tests.wikimedia.org to alternate_domains

https://gerrit.wikimedia.org/r/749574

gerritbot added a comment.Jan 5 2022, 5:28 PM

Change 749574 merged by Dzahn:

[operations/puppet@production] add parsoid-rt-tests.wikimedia.org to alternate_domains

https://gerrit.wikimedia.org/r/749574

Dzahn added a comment.Jan 5 2022, 5:57 PM

@ssastry @Arlolra I self-merged that traffic change and https://parsoid-rt-tests.wikimedia.org/static/style.css is NOT 404 anymore :)

ssastry closed this task as Resolved.Jan 5 2022, 6:05 PM

Perfect! It works now. Thanks!

Dzahn added a comment.Jan 5 2022, 6:06 PM

Great! thanks for confirming. and sorry for the delay in between

ssastry reopened this task as Open.Jan 6 2022, 2:38 PM

Broken again .. not sure if someone reverted the patch or something else overwriote your changes but https://parsoid-rt-tests.wikimedia.org/static/style.css is 404ing.

Dzahn added a comment.Jan 6 2022, 6:32 PM

its not 404ing for me right now. I suspect it was still cached on some of the caching servers. change is not reverted

ssastry closed this task as Resolved.Jan 6 2022, 6:38 PM

Okay, thanks! :) Yes, working for me as well now.

gerritbot added a comment.May 5 2022, 8:31 AM

Change 789561 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] cache::text_haproxy: Add missing parsoid-rt-tests.wm.o to alternate domains

https://gerrit.wikimedia.org/r/789561

gerritbot added a comment.May 5 2022, 8:35 AM

Change 789561 merged by Vgutierrez:

[operations/puppet@production] cache::text_haproxy: Add missing parsoid-rt-tests.wm.o to alternate domains

https://gerrit.wikimedia.org/r/789561

ssastry mentioned this in T345220: Upgrade nodejs on testreduce1001.Oct 3 2023, 10:22 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits