Page MenuHomePhabricator
Create Task
Maniphest T271967

Enable TLS on memcached for cross-dc replication
Closed, ResolvedPublic
Actions

Description

Since version v1.5.13, memcached supports TLS!

Problem

Backstory: Our mcrouter instances have 2 server pools: one that includes all mc* hosts on the local primary DC and another pool that consists of 4 mw* servers which act as a "mcrouter proxy" to the other primary DC, for example in eqiad we have:

"codfw": {
  "servers": [
    "10.192.0.61:11214:ascii:ssl",
    "10.192.16.56:11214:ascii:ssl",
    "10.192.32.113:11214:ascii:ssl",
    "10.192.48.94:11214:ascii:ssl"
  ]
},
"eqiad": {
  "servers": [
    "10.64.0.80:11211:ascii:plain",
    "10.64.0.81:11211:ascii:plain",
    "10.64.0.82:11211:ascii:plain",
    "10.64.0.83:11211:ascii:plain",
    "10.64.0.84:11211:ascii:plain",
    "10.64.16.107:11211:ascii:plain",
    "10.64.16.108:11211:ascii:plain",
    "10.64.16.109:11211:ascii:plain",
    "10.64.16.110:11211:ascii:plain",
    "10.64.32.208:11211:ascii:plain",
    "10.64.32.209:11211:ascii:plain",
    "10.64.32.210:11211:ascii:plain",
    "10.64.32.211:11211:ascii:plain",
    "10.64.32.212:11211:ascii:plain",
    "10.64.48.155:11211:ascii:plain",
    "10.64.48.156:11211:ascii:plain",
    "10.64.48.157:11211:ascii:plain",
    "10.64.48.158:11211:ascii:plain"
  ]
}

Goal
If we were to enable TLS, will eliminate the need to use those "mcrouter proxies", and secure connectivity between mediawiki and the memcached cluster. This will eliminate 4 snowflake mediawiki servers from production! We can run memcached on two ports, a TLS one, for cross-dc replication, and a nontls one for local datacentre traffic.

Versions:

  • v1.6.6: we have this version packaged and ready, but it will need to be deployed with caution since there are some changes which can affect a busy cluster like ours

How? (mediawiki is on eqiad)

We will enable_tls so to have memcached listening on 11214 for TLS connections and on 11211 for notls connections. When both clusters are listening to both ports, we can replace the relevant pools in mcrouter

  • Create the relevant puppet changes
  • Test on mwdebug2001: we can enable_tlson mc2019, add it on mwdebug2001's pool and run a simple url list against mwdebug2001.
  • Enable both tls and notls listening ports on codfw
  • Enable both tls and notls listening ports on eqiad (after June 2021 switchover)
  • Replace the eqiad pool in the codfw mcrouter configs (after June 2021 switchover)
  • Replace the codfw pool in the eqiad mcrouter configs

Notes
We could consider switching all memcached traffic to TLS, but this comes with a major drawback: all tools that can provide real time key traffic (such as memkeys etc all), practically dump the network traffic. If this traffic is encrypted, the tools become useless. We are going to solve this problem at a later time.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
hieradata: replace mcrouter proxies in with eqiad hostsoperations/puppetproduction+128 -240
hieradata: enable TLS on memcached eqiad hostsoperations/puppetproduction+10 -18
hieradata: Use TLS codfw pool for memcached replication on eqiadoperations/puppetproduction+224 -0
hieradata: Replace mcrouter proxies with codfw hosts on mwdebug1002operations/puppetproduction+224 -0
hieradata: enable TLS for memcached on all codfw hostsoperations/puppetproduction+1 -1
(WIP) hieradata: enable tls on mc2019 (3)operations/puppetproduction+5 -0
hieradata: enable tls on codfw gutter pooloperations/puppetproduction+8 -0
profile::memcached::instance: Add TLS supportoperations/puppetproduction+59 -10
modules::memcached: add notls support for external addressesoperations/puppetproduction+12 -2
WIP: add notls support for external addresses to memcached (1)operations/puppetproduction+21 -6
Customize query in gerrit

Related Objects
Search...

Event Timeline

jijiki created this task.Jan 13 2021, 6:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 13 2021, 6:19 PM
jijiki added a parent task: T244852: Upgrade and improve our application object caching service (memcached).Jan 13 2021, 6:19 PM
jijiki updated the task description. (Show Details)
Nintendofan885 added a project: HTTPS.Jan 13 2021, 6:34 PM
Restricted Application added a project: Traffic. · View Herald TranscriptJan 13 2021, 6:34 PM
Aklapper removed projects: Traffic, HTTPS.Jan 13 2021, 6:53 PM
Aklapper added a subscriber: Nintendofan885.

@Nintendofan885 This is unrelated to HTTPS

elukey added a comment.Jan 13 2021, 7:20 PM

My 2c: I'd vote for 1.6.x since it is close to what upstream is currently supporting, plus I don't think that it would be less stable than the last 1.5.x version.. In 1.6 a lot of new things were added (like the exstore) but nothing big changed from the rest IIRC. Any issue that might arise from running 1.6 could be easily debugged and fixed with upstream if needed (we cannot really follow up with Debian upstream anymore if we package 1.5.22)

MoritzMuehlenhoff subscribed.Jan 13 2021, 7:24 PM

Also, memcached 1.6.6 is already used on the IDPs and available in a component.

jijiki triaged this task as Medium priority.Jan 15 2021, 10:02 AM
jijiki moved this task from Incoming🐅 to Next up 🥌 on the User-jijiki board.Feb 5 2021, 4:44 PM
jijiki updated the task description. (Show Details)Mar 1 2021, 11:08 AM
jijiki mentioned this in T276029: Renew certs for mcrouter on all mw appservers.Mar 1 2021, 11:49 AM
taavi subscribed.Mar 1 2021, 11:52 AM
Joe subscribed.Mar 3 2021, 9:27 AM

Can I ask how do we intend to perform the transition from non-tls to tls in detail? I see a series of pitfalls with our current setup and the code I see in puppet, but please be explicit about the steps you want to take to switch one server to enable tls.

jijiki moved this task from Next up 🥌 to In Progress 🏋️‍♀️ on the User-jijiki board.Mar 4 2021, 4:53 PM
jijiki renamed this task from Enable TLS on memcached to Enable TLS on memcached for cross-dc replication.EditedMar 4 2021, 5:14 PM
jijiki updated the task description. (Show Details)
In T271967#6877704, @Joe wrote:

Can I ask how do we intend to perform the transition from non-tls to tls in detail? I see a series of pitfalls with our current setup and the code I see in puppet, but please be explicit about the steps you want to take to switch one server to enable tls.

I updated the task description (the task was used as a placeholder for when I would come up with a more well thought plan), comments welcome!

jijiki added a subtask: T270315: Upgrade memcached to version 1.6.x.Mar 11 2021, 4:10 PM
Krinkle added a project: Performance-Team (Radar).Mar 11 2021, 4:11 PM
Krinkle moved this task from Limbo to Watching on the Performance-Team (Radar) board.
Krinkle mentioned this in T235216: Consider socket files for MW-to-mcrouter connection.Mar 11 2021, 4:41 PM
jijiki added a comment.Mar 12 2021, 11:05 PM

I run a test on mwdebug1001 where I switched on mcrouter its onhost memcached from plain to ssl:

"onhost": {
  "servers": [
    "127.0.0.1:11209:ascii:ssl"
  ]
}

and run mwdebug1001's onhost memcached to listen tls on 0.0.0.0:11209 and notls 0.0.0.0:11210 on with the following arguments:

/usr/bin/memcached  -vv -p  11209 -m 986 -u nobody -c 25000 -f 1.25 -n 48 -l 0.0.0.0  -l notls:0.0.0.0:11210  -Z -o ssl_chain_cert=/var/lib/puppet/ssl/certs/mwdebug1001.eqiad.wmnet.pem  -o ssl_key=/var/lib/puppet/ssl/private_keys/mwdebug1001.eqiad.wmnet.pem

By running memcached verbosed (since now I can't snoop the onhost memcached traffic),

<32 get eswiki:pcache:idoptions:5623639
>32 END
<32 add eswiki:pcache:idoptions:5623639 0 10 707
>32 STORED

So far, so good :)

jijiki mentioned this in T277711: Memcached, mcrouter in MediaWiki on Kubernetes.Mar 18 2021, 6:20 PM
jijiki closed subtask T270315: Upgrade memcached to version 1.6.x as Resolved.Mar 24 2021, 5:33 PM
jijiki reopened subtask T270315: Upgrade memcached to version 1.6.x as Open.Apr 23 2021, 3:21 PM
jijiki moved this task from In Progress 🏋️‍♀️ to Next up 🥌 on the User-jijiki board.May 19 2021, 10:54 AM
gerritbot added a comment.May 21 2021, 5:41 PM

Change 693474 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] WIP: add notls support for external addresses to memcached

https://gerrit.wikimedia.org/r/693474

gerritbot added a project: Patch-For-Review.May 21 2021, 5:41 PM
gerritbot added a comment.May 25 2021, 12:58 PM

Change 694465 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] (WIP) profile::memcached::instance: Add TLS support

https://gerrit.wikimedia.org/r/694465

gerritbot added a comment.May 25 2021, 1:48 PM

Change 694484 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] (WIP) hieradata: enable tls on mc2019

https://gerrit.wikimedia.org/r/694484

jijiki updated the task description. (Show Details)May 25 2021, 6:22 PM
jbond subscribed.May 25 2021, 7:42 PM

i wonder if we have considered just having the TLS port every where accept localhost?

jbond added a comment.May 25 2021, 7:45 PM

i wonder if we have considered just having the TLS port every where accept localhost?

regardless i guess we need a transition config but still curious if this if that is the long trm goal or not?

gerritbot added a comment.May 26 2021, 4:14 PM

Change 695377 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] WIP: add notls support for external addresses to memcached (1)

https://gerrit.wikimedia.org/r/695377

jijiki added a comment.EditedMay 26 2021, 4:55 PM
In T271967#7112446, @jbond wrote:

i wonder if we have considered just having the TLS port every where accept localhost?

regardless i guess we need a transition config but still curious if this if that is the long trm goal or not?

We want our memcached servers to listen to notls:11211 for DC local memcached traffic and tls:11214 for cross DC traffic. The reason we want the local traffic to be notls is because the tools we use to view live keep traffic, rely on the fact that this traffic is unencrypted.

The configuration that is generated from the patches I submitted, is the final one. Since before and after memcached will be listening to notls:11211, we are good. After we have all memcached servers listening to both, we will switch mcrouter on the mediawiki servers to directly use tls:11214, which is when the change will actually have effect.

gerritbot added a comment.Jun 7 2021, 1:57 PM

Change 695377 merged by Effie Mouzeli:

[operations/puppet@production] modules::memcached: add notls support for external addresses

https://gerrit.wikimedia.org/r/695377

gerritbot added a comment.Jun 14 2021, 10:43 AM

Change 694465 merged by Effie Mouzeli:

[operations/puppet@production] profile::memcached::instance: Add TLS support

https://gerrit.wikimedia.org/r/694465

gerritbot added a comment.Jun 14 2021, 10:51 AM

Change 699727 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] hieradata: enable tls on codfw gutter pool

https://gerrit.wikimedia.org/r/699727

gerritbot added a comment.Jun 14 2021, 11:05 AM

Change 699727 merged by Effie Mouzeli:

[operations/puppet@production] hieradata: enable tls on codfw gutter pool

https://gerrit.wikimedia.org/r/699727

gerritbot added a comment.Jun 14 2021, 12:39 PM

Change 699738 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] hieradata: enable TLS for memcached on all codfw hosts

https://gerrit.wikimedia.org/r/699738

gerritbot added a comment.Jun 14 2021, 12:40 PM

Change 694484 abandoned by Effie Mouzeli:

[operations/puppet@production] (WIP) hieradata: enable tls on mc2019 (3)

Reason:

used regex.yaml instead

https://gerrit.wikimedia.org/r/694484

gerritbot added a comment.Jun 14 2021, 12:53 PM

Change 699738 merged by Effie Mouzeli:

[operations/puppet@production] hieradata: enable TLS for memcached on all codfw hosts

https://gerrit.wikimedia.org/r/699738

gerritbot added a comment.Jun 14 2021, 2:40 PM

Change 699764 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] hieradata: Replace mcrouter proxies with codfw hosts

https://gerrit.wikimedia.org/r/699764

gerritbot added a comment.Jun 14 2021, 2:55 PM

Change 699764 merged by Effie Mouzeli:

[operations/puppet@production] hieradata: Replace mcrouter proxies with codfw hosts on mwdebug1002

https://gerrit.wikimedia.org/r/699764

jijiki moved this task from Next up 🥌 to In Progress 🏋️‍♀️ on the User-jijiki board.Jun 17 2021, 11:02 AM
gerritbot added a comment.Jun 22 2021, 10:28 AM

Change 700861 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] hieradata: Use TLS codfw pool for memcached replication on eqiad

https://gerrit.wikimedia.org/r/700861

jijiki updated the task description. (Show Details)Jun 22 2021, 10:30 AM

Tested using the codfw TLS pool on eqiad canaries https://gerrit.wikimedia.org/r/c/operations/puppet/+/699908

gerritbot added a comment.Jun 23 2021, 10:32 AM

Change 700861 merged by Effie Mouzeli:

[operations/puppet@production] hieradata: Use TLS codfw pool for memcached replication on eqiad

https://gerrit.wikimedia.org/r/700861

gerritbot added a comment.Jul 1 2021, 8:49 AM

Change 702590 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] hieradata: enable TLS on memcached eqiad hosts

https://gerrit.wikimedia.org/r/702590

gerritbot added a comment.Jul 1 2021, 8:53 AM

Change 702592 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] hieradata: replace mcrouter proxies in with eqiad hosts

https://gerrit.wikimedia.org/r/702592

Stashbot added a comment.Jul 21 2021, 6:35 AM

Mentioned in SAL (#wikimedia-operations) [2021-07-21T06:35:45Z] <effie> disable puppet on mc1* hosts and icinga - T271967

gerritbot added a comment.Jul 21 2021, 6:41 AM

Change 702590 merged by Effie Mouzeli:

[operations/puppet@production] hieradata: enable TLS on memcached eqiad hosts

https://gerrit.wikimedia.org/r/702590

gerritbot added a comment.Jul 21 2021, 9:59 AM

Change 702592 merged by Effie Mouzeli:

[operations/puppet@production] hieradata: replace mcrouter proxies in with eqiad hosts

https://gerrit.wikimedia.org/r/702592

jijiki added a comment.Jul 21 2021, 7:07 PM

image.png (1×3 px, 931 KB)

Mcrouter instances in codfw are connecting directly to memeched hosts in eqiad

jijiki closed this task as Resolved.Jul 21 2021, 7:08 PM
jijiki claimed this task.
jijiki updated the task description. (Show Details)
Lalamarie69 subscribed.Jun 20 2022, 4:37 PM
jijiki closed subtask T270315: Upgrade memcached to version 1.6.x as Resolved.Jan 10 2023, 8:51 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits