Page MenuHomePhabricator
Create Task
Maniphest T268329

Request new database for pki.discovery.wmnet
Closed, ResolvedPublic
Actions

Description

> Brief summary (or pointer to a task) indicating how it is intended to be used (application or service)
Can i request a new database to store signed certificates managed by pki.discovery.wmnet

Previewed queries per second (worse case secenario)

In the initial deployment queries will only be issued when a new signed certificate is generated. In a later phase when adding OCSP support we will need to generate the OCSP response periodicity. however i suspect the period will be unlikely to be more then 1/min.

Total space needed and growth provision

Each entry will comprise of the signed certificate which is likely to be between 500B -> 4KB. If we assume every servers had 10 signed certs using RSA4096 we would need ~ 100MB

Availability constraints (can it suffer downtimes for maintenance?)

We could suffer short periods of downtime, the impact would be that no new certs could be signed and the OSCP database could not be generated. The later not been much of an issue due to the former

Owner person or (preferred) team to contact

@jbond @MoritzMuehlenhoff

DB Name

pki or cfssl (can use something elses if needed)

User or users' names and their grants needed (recommended to separate admin accounts from service accounts, with limited rights)

The user will need the ability to create, insert, delete update and alter.

Backup policy

required daily should be sufficient

From which ips the services will be accessed from (mysql client locations)

pki2001.codfw.wmnet
pki1001.eqiad.wmnet

Please let me know if i have missed anything

Details

Due Date
Dec 30 2020, 11:00 PM
SubjectRepoBranchLines +/-
production-m1.sql: Add dbproxy grantsoperations/puppetproduction+6 -4
production_m1.sql: Add pki user grantsoperations/puppetproduction+7 -0
Customize query in gerrit

Event Timeline

jbond triaged this task as Medium priority.Nov 20 2020, 12:12 PM
jbond created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 20 2020, 12:12 PM
LSobanski added a subscriber: LSobanski.Nov 20 2020, 12:31 PM

@jbond What is your preferred delivery date for this?

LSobanski moved this task from Triage to Refine on the DBA board.Nov 20 2020, 12:31 PM
jbond added a comment.Nov 20 2020, 12:34 PM
In T268329#6636560, @LSobanski wrote:

@jbond What is your preferred delivery date for this?

for this one ~1 week would be nice however it wont really become a blocker for me untill we approch the end of the Q ~4weeks

LSobanski set Due Date to Dec 30 2020, 11:00 PM.Nov 20 2020, 12:43 PM
Marostegui claimed this task.Nov 24 2020, 8:04 AM
gerritbot added a comment.Nov 24 2020, 8:11 AM

Change 643208 had a related patch set uploaded (by Marostegui; owner: Marostegui):
[operations/puppet@production] production_m1.sql: Add pki user grants

https://gerrit.wikimedia.org/r/643208

gerritbot added a project: Patch-For-Review.Nov 24 2020, 8:11 AM
Marostegui moved this task from Refine to In progress on the DBA board.Nov 24 2020, 8:19 AM
gerritbot added a comment.Nov 24 2020, 8:21 AM

Change 643208 merged by Marostegui:
[operations/puppet@production] production_m1.sql: Add pki user grants

https://gerrit.wikimedia.org/r/643208

gerritbot added a comment.Nov 24 2020, 8:28 AM

Change 643209 had a related patch set uploaded (by Marostegui; owner: Marostegui):
[operations/puppet@production] production-m1.sql: Add dbproxy grants

https://gerrit.wikimedia.org/r/643209

gerritbot added a comment.Nov 24 2020, 8:30 AM

Change 643209 merged by Marostegui:
[operations/puppet@production] production-m1.sql: Add dbproxy grants

https://gerrit.wikimedia.org/r/643209

Stashbot added a comment.Nov 24 2020, 8:31 AM

Mentioned in SAL (#wikimedia-operations) [2020-11-24T08:31:22Z] <marostegui> Deploy user for pki database for dbproxy1012, dbproxy1014, dbproxy2001 - T268329

Marostegui moved this task from In progress to Done on the DBA board.Nov 24 2020, 8:40 AM
Marostegui added a subscriber: jcrespo.

@jbond this is done, the database name is pki. Please remember you have to use m1-master.eqiad.wmnet as a connection entry point.
I have tested it and it works:

root@cumin1001:/home/marostegui# mysql --ssl-verify-server-cert=false -h m1-master.eqiad.wmnet -upki -p pki
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 62553978
Server version: 10.4.13-MariaDB-log MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

pki@m1-master.eqiad.wmnet[pki]> show tables;
Empty set (0.001 sec)

pki@m1-master.eqiad.wmnet[pki]>

The password is at: puppetmaster1001:/home/jbond/pki_pass
@jcrespo the pki database has been added to the dump grants on eqiad and codfw.

Database added to: https://wikitech.wikimedia.org/wiki/MariaDB/misc#m1

@jbond can you test this works fine? And if so, close the task?

jcrespo added a comment.Nov 24 2020, 8:49 AM

Thanks, I will keep an eye to make sure the db is backed up.

Maintenance_bot removed a project: Patch-For-Review.Nov 24 2020, 9:10 AM
jbond closed this task as Resolved.Nov 24 2020, 5:03 PM

This is working as expected thanks

jcrespo added a comment.Dec 9 2020, 9:48 AM

2 tables and its schema were backed up yesterday, with around 4K in size after gzip compression. If that seems right I would call out the backups "working". Please confirm.

jbond added a comment.Dec 9 2020, 9:49 AM
In T268329#6678525, @jcrespo wrote:

2 tables and its schema were backed up yesterday, with around 4K in size after gzip compression. If that seems right I would call out the backups "working". Please confirm.

yes that sounds about right to me

jcrespo added a comment.Dec 9 2020, 9:53 AM
In T268329#6678526, @jbond wrote:
In T268329#6678525, @jcrespo wrote:

2 tables and its schema were backed up yesterday, with around 4K in size after gzip compression. If that seems right I would call out the backups "working". Please confirm.

yes that sounds about right to me

Thanks!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL