Page MenuHomePhabricator
Create Task
Maniphest T288093

Place m5 proxies in codfw and eqiad
Closed, ResolvedPublic
Actions

Description

Wikitech will be moved out from m5 (T167973), and we should restore the proxies to avoid connecting directly to the database.

The eqiad proxies are in place:
dbproxy1017
dbproxy1021

We just need to switch DNS to point to them (and possible review all the grants).

codfw proxy isn't set in place, but it is ready to do so:
dbproxy2004 is set as spare
DNS record needs to be created for m5-master.codfw.wmnet pointing to it.

We need to review those grants too.

  • proxy in eqiad
  • fully reviewed proxy grants in eqiad
  • proxy in codfw
  • fully reviewed proxy grants in codfw

Details

Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

Marostegui created this task.Aug 4 2021, 12:35 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 4 2021, 12:35 PM
Marostegui triaged this task as Medium priority.Aug 4 2021, 12:36 PM
Marostegui moved this task from Triage to Ready on the DBA board.

We could work on setting up the codfw proxy anytime, as there's nothing using it at the moment, as the service is active-passive.

Marostegui added subscribers: Bstorm, Andrew, bd808.Aug 4 2021, 12:38 PM

@bd808 @Andrew @Bstorm I don't think there's anything that will affect your services on m5 codfw at the moment, but just a heads up.
eqiad one might be a different story if there's something not using m5-master.eqiad.wmnet and just using db1128.eqiad.wmnet...anyways, that change won't happen before the wikitech move (which is scheduled to be done after the DC switch in September)

gerritbot added a comment.Aug 5 2021, 2:09 PM

Change 710266 had a related patch set uploaded (by Marostegui; author: Marostegui):

[operations/puppet@production] mariadb: Productionize dbproxy2004

https://gerrit.wikimedia.org/r/710266

gerritbot added a project: Patch-For-Review.Aug 5 2021, 2:09 PM
gerritbot added a comment.Aug 5 2021, 2:13 PM

Change 710266 merged by Marostegui:

[operations/puppet@production] mariadb: Productionize dbproxy2004

https://gerrit.wikimedia.org/r/710266

gerritbot added a comment.Aug 5 2021, 2:15 PM

Change 710267 had a related patch set uploaded (by Marostegui; author: Marostegui):

[operations/puppet@production] production-m5.sql: Add codfw proxy user

https://gerrit.wikimedia.org/r/710267

gerritbot added a comment.Aug 5 2021, 2:17 PM

Change 710267 merged by Marostegui:

[operations/puppet@production] production-m5.sql: Add codfw proxy user

https://gerrit.wikimedia.org/r/710267

gerritbot added a comment.Aug 5 2021, 2:22 PM

Change 710268 had a related patch set uploaded (by Marostegui; author: Marostegui):

[operations/puppet@production] dbproxy2004: Fix port

https://gerrit.wikimedia.org/r/710268

gerritbot added a comment.Aug 5 2021, 2:23 PM

Change 710268 merged by Marostegui:

[operations/puppet@production] dbproxy2004: Fix port

https://gerrit.wikimedia.org/r/710268

Marostegui added a comment.Aug 5 2021, 2:27 PM

dbproxy2004 is now in place but not active yet (as in, there is no CNAME pointing to it), first I need to review all m5 grants as for now I only created the haproxy user to get haproxy up and running:

root@dbproxy2004:~# echo "show stat" | socat /run/haproxy/haproxy.sock stdio
# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,qlimit,pid,iid,sid,throttle,lbtot,tracked,type,rate,rate_lim,rate_max,check_status,check_code,check_duration,hrsp_1xx,hrsp_2xx,hrsp_3xx,hrsp_4xx,hrsp_5xx,hrsp_other,hanafail,req_rate,req_rate_max,req_tot,cli_abrt,srv_abrt,comp_in,comp_out,comp_byp,comp_rsp,lastsess,last_chk,last_agt,qtime,ctime,rtime,ttime,agent_status,agent_code,agent_duration,check_desc,agent_desc,check_rise,check_fall,check_health,agent_rise,agent_fall,agent_health,addr,cookie,mode,algo,conn_rate,conn_rate_max,conn_tot,intercepted,dcon,dses,
mariadb,FRONTEND,,,0,0,5000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,2,0,,,,0,0,0,0,,,,,,,,,,,0,0,0,,,0,0,0,0,,,,,,,,,,,,,,,,,,,,,tcp,,0,0,0,,0,0,
mariadb,db2135,0,0,0,0,,0,0,0,,0,,0,0,0,0,UP,1,1,0,0,0,5,0,,1,2,1,,0,,2,0,,0,L7OK,0,0,,,,,,,,,,,0,0,,,,,-1,5.5.5-10.4.18-MariaDB-log,,0,0,0,0,,,,Layer7 check passed,,99999999,20,100000018,,,,,,tcp,,,,,,,,
mariadb,db2078:3325,0,0,0,0,,0,0,0,,0,,0,0,0,0,UP,1,0,1,0,0,5,0,,1,2,2,,0,,2,0,,0,L7OK,0,0,,,,,,,,,,,0,0,,,,,-1,5.5.5-10.4.18-MariaDB-log,,0,0,0,0,,,,Layer7 check passed,,2,3,4,,,,,,tcp,,,,,,,,
mariadb,BACKEND,0,0,0,0,500,0,0,0,0,0,,0,0,0,0,UP,1,1,1,,0,5,0,,1,2,0,,0,,1,0,,0,,,,,,,,,,,,,,0,0,0,0,0,0,-1,,,0,0,0,0,,,,,,,,,,,,,,tcp,,,,,,,,
Maintenance_bot removed a project: Patch-For-Review.Aug 5 2021, 3:10 PM
gerritbot added a comment.Aug 6 2021, 7:52 AM

Change 710489 had a related patch set uploaded (by Marostegui; author: Marostegui):

[operations/puppet@production] production-m5.sql.erb: Add dbproxy2004 grants

https://gerrit.wikimedia.org/r/710489

gerritbot added a project: Patch-For-Review.Aug 6 2021, 7:52 AM

Change 710489 merged by Marostegui:

[operations/puppet@production] production-m5.sql.erb: Add dbproxy2004 grants

https://gerrit.wikimedia.org/r/710489

Maintenance_bot removed a project: Patch-For-Review.Aug 6 2021, 8:10 AM
gerritbot added a comment.Aug 6 2021, 11:42 AM

Change 710526 had a related patch set uploaded (by Marostegui; author: Marostegui):

[operations/puppet@production] production-m5.sql: Add more grants to dbproxy2004

https://gerrit.wikimedia.org/r/710526

gerritbot added a project: Patch-For-Review.Aug 6 2021, 11:42 AM

Change 710526 merged by Marostegui:

[operations/puppet@production] production-m5.sql: Add more grants to dbproxy2004

https://gerrit.wikimedia.org/r/710526

Marostegui moved this task from Ready to In progress on the DBA board.Aug 9 2021, 11:22 AM
gerritbot added a comment.Aug 11 2021, 11:06 AM

Change 711437 had a related patch set uploaded (by Marostegui; author: Marostegui):

[operations/dns@master] wmnet: Add dbproxy2004 as m5-master in codfw

https://gerrit.wikimedia.org/r/711437

gerritbot added a comment.Aug 11 2021, 1:16 PM

Change 711437 merged by Marostegui:

[operations/dns@master] wmnet: Add dbproxy2004 as m5-master in codfw

https://gerrit.wikimedia.org/r/711437

Marostegui added a comment.Aug 11 2021, 1:19 PM

I have merged and deployed m5-master.codfw.wmnet.

# host m5-master.codfw.wmnet
m5-master.codfw.wmnet is an alias for dbproxy2004.codfw.wmnet.
dbproxy2004.codfw.wmnet has address 10.192.48.47

Next: keep reviewing all grants.

Marostegui updated the task description. (Show Details)Aug 11 2021, 1:46 PM
Marostegui mentioned this in T288720: Failover m5 master (db1128) to db1132 to upgrade its kernel.Aug 12 2021, 6:18 AM
gerritbot added a comment.Aug 12 2021, 8:02 AM

Change 712085 had a related patch set uploaded (by Marostegui; author: Marostegui):

[operations/puppet@production] production-m5.sql: Add mailman grants from dbproxies

https://gerrit.wikimedia.org/r/712085

gerritbot added a comment.Aug 12 2021, 8:03 AM

Change 712085 merged by Marostegui:

[operations/puppet@production] production-m5.sql: Add mailman grants from dbproxies

https://gerrit.wikimedia.org/r/712085

Marostegui added a comment.Aug 12 2021, 8:12 AM

Grants for dbproxy2004 added (also added for eqiad proxies for mailman)

Marostegui updated the task description. (Show Details)Aug 12 2021, 8:12 AM
Marostegui added a comment.Aug 13 2021, 9:30 AM

I have reviewed all the eqiad grants for m5 (it is a bit of a pain) and I think they are all in place, so going to mark it as done. I have not reviewed labswiki ones as the proxy will be turned on once labswiki has been moved out.

Marostegui updated the task description. (Show Details)Aug 13 2021, 9:30 AM
Marostegui moved this task from In progress to Blocked on the DBA board.Aug 16 2021, 5:58 AM
gerritbot added a comment.Aug 17 2021, 4:46 AM

Change 713384 had a related patch set uploaded (by Marostegui; author: Marostegui):

[operations/puppet@production] dbproxy2004: Enable notifications

https://gerrit.wikimedia.org/r/713384

gerritbot added a comment.Aug 17 2021, 4:51 AM

Change 713384 merged by Marostegui:

[operations/puppet@production] dbproxy2004: Enable notifications

https://gerrit.wikimedia.org/r/713384

Marostegui added a comment.Sep 17 2021, 5:13 AM

wikitech was moved to s6. Still a few clean ups needed, but this can happen in a couple of weeks

Marostegui moved this task from Blocked to Ready on the DBA board.Sep 17 2021, 5:13 AM
Marostegui claimed this task.Sep 29 2021, 1:48 PM
Marostegui moved this task from Ready to In progress on the DBA board.Oct 19 2021, 1:02 PM
Kormat subscribed.Oct 19 2021, 1:10 PM
LSobanski subscribed.Oct 19 2021, 1:19 PM
Legoktm subscribed.Oct 19 2021, 5:32 PM
Marostegui added a comment.Oct 22 2021, 5:03 AM

Scheduled for Wednesday 27th Nov at 14:00 UTC

Marostegui added a comment.Oct 25 2021, 7:08 AM

I am going to decrease the TTL to 1M on Tuesday.

gerritbot added a comment.Oct 26 2021, 4:31 AM

Change 734449 had a related patch set uploaded (by Marostegui; author: Marostegui):

[operations/dns@master] wmnet: Decrease TTL for m5-master

https://gerrit.wikimedia.org/r/734449

gerritbot added a comment.Oct 26 2021, 12:19 PM

Change 734449 merged by Marostegui:

[operations/dns@master] wmnet: Decrease TTL for m5-master

https://gerrit.wikimedia.org/r/734449

Marostegui added a comment.Oct 26 2021, 12:20 PM

TTL decreased to 1M

gerritbot added a comment.Oct 27 2021, 6:17 AM

Change 734806 had a related patch set uploaded (by Marostegui; author: Marostegui):

[operations/dns@master] wmnet: Replace m5-master with dbproxy1017

https://gerrit.wikimedia.org/r/734806

Marostegui added a parent task: T288720: Failover m5 master (db1128) to db1132 to upgrade its kernel.Oct 27 2021, 7:43 AM
Marostegui added a comment.Oct 27 2021, 11:02 AM

This is happening in 3 hours.

Marostegui added a comment.Oct 27 2021, 1:58 PM

Active databases in m5:

+---------------------+
| Database            |
+---------------------+
| labsdbaccounts      |
| mailman3            |
| mailman3web         |
| striker             |
| test_labsdbaccounts |
| toolhub             |
+---------------------+
Stashbot added a comment.Oct 27 2021, 2:00 PM

Mentioned in SAL (#wikimedia-operations) [2021-10-27T14:00:04Z] <marostegui> Replace m5-master so it points to dbproxy1017 - T288093

gerritbot added a comment.Oct 27 2021, 2:00 PM

Change 734806 merged by Marostegui:

[operations/dns@master] wmnet: Replace m5-master with dbproxy1017

https://gerrit.wikimedia.org/r/734806

gerritbot added a comment.Oct 27 2021, 2:33 PM

Change 734976 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/puppet@production] mariadb: Allow lists1001 to talk to m5's dbproxy

https://gerrit.wikimedia.org/r/734976

gerritbot added a comment.Oct 27 2021, 2:35 PM

Change 734976 merged by Legoktm:

[operations/puppet@production] mariadb: Allow lists1001 to talk to m5's dbproxy

https://gerrit.wikimedia.org/r/734976

Marostegui added a comment.Oct 27 2021, 2:40 PM

So we had to revert, we found 3 issues.

root@lists1001:~# telnet dbproxy1017.eqiad.wmnet 3306
Trying 10.64.48.43...
Connected to dbproxy1017.eqiad.wmnet.
Escape character is '^]'
  • Striker was missing a grant (it was fixed on the fly and confirmed it was working)
  • Toolhub was missing egress rules as well, created T294437 to follow up.

I will review all the grants again, especially those not under 10.% rules (striker was using 208.%).

Thanks @Andrew @bd808 and @Legoktm for all the help before, during and after the deployment (and revert!)

bd808 changed the status of subtask T294437: Add egress rules for dbproxy1017 & dbproxy1021 from Open to In Progress.Oct 27 2021, 4:36 PM
bd808 closed subtask T294437: Add egress rules for dbproxy1017 & dbproxy1021 as Resolved.Oct 27 2021, 6:42 PM
Marostegui added a comment.Oct 28 2021, 4:56 AM

I have reviewed the grants and they are all supposed to be in place. There are some of users which I think aren't in use (ie: ceilometer) that will need to be reviewed, cause we might want to do a massive clean up once we've moved to the proxy.
So I am ready to try this migration again. How about Tuesday 2nd at 14:00 UTC again? @Andrew @bd808 @Legoktm would that work?

gerritbot added a comment.Oct 28 2021, 5:09 AM

Change 735092 had a related patch set uploaded (by Marostegui; author: Marostegui):

[operations/puppet@production] production-m5.sql: Add striker GRANTS

https://gerrit.wikimedia.org/r/735092

gerritbot added a comment.Oct 28 2021, 5:09 AM

Change 735092 merged by Marostegui:

[operations/puppet@production] production-m5.sql: Add striker GRANTS

https://gerrit.wikimedia.org/r/735092

Andrew added a comment.Oct 28 2021, 4:22 PM
In T288093#7464049, @Marostegui wrote:

I have reviewed the grants and they are all supposed to be in place. There are some of users which I think aren't in use (ie: ceilometer) that will need to be reviewed, cause we might want to do a massive clean up once we've moved to the proxy.

Feel free to wipe out any references to ceilometer that you find, it's a long-abandoned service.

So I am ready to try this migration again. How about Tuesday 2nd at 14:00 UTC again? @Andrew @bd808 @Legoktm would that work?

That time works for me!

Legoktm added a comment.Oct 28 2021, 4:50 PM
In T288093#7464049, @Marostegui wrote:

How about Tuesday 2nd at 14:00 UTC again? @Andrew @bd808 @Legoktm would that work?

On the staff calendar that's listed as a US holiday because of election day.

Marostegui added a comment.Oct 28 2021, 5:05 PM

Ah ups! Let's go for Thursday 11th Nov then?

bd808 added a comment.Oct 28 2021, 9:57 PM
In T288093#7466056, @Marostegui wrote:

Ah ups! Let's go for Thursday 11th Nov then?

This is going to make you giggle. That date is Armistice Day and also US Veterans Day (WMF US holiday).

Marostegui added a comment.Oct 31 2021, 6:17 AM
In T288093#7466858, @bd808 wrote:
In T288093#7466056, @Marostegui wrote:

Ah ups! Let's go for Thursday 11th Nov then?

This is going to make you giggle. That date is Armistice Day and also US Veterans Day (WMF US holiday).

!!!!!
How about Wednesday 10th 14:00 UTC? I wanted to avoid it as I have the s8 master switch pretty early in the EU morning, but I don't want to delay this a lot more.

Legoktm added a comment.Nov 1 2021, 3:33 PM
In T288093#7470015, @Marostegui wrote:

How about Wednesday 10th 14:00 UTC?

Works for me :)

Marostegui added a comment.Nov 2 2021, 6:03 AM

Thanks @Legoktm - let's wait to see if this also works for @bd808 and if it does I will send a calendar invite again :)

bd808 added a comment.Nov 3 2021, 5:48 PM
In T288093#7473813, @Marostegui wrote:

Thanks @Legoktm - let's wait to see if this also works for @bd808 and if it does I will send a calendar invite again :)

Yes, 2021-11-10T14:00Z works for me.

Marostegui added a comment.Nov 4 2021, 5:47 AM

Thank you! Invite sent.

gerritbot added a comment.Nov 10 2021, 7:17 AM

Change 737837 had a related patch set uploaded (by Marostegui; author: Marostegui):

[operations/dns@master] wmnet: Replace m5-master with dbproxy1017

https://gerrit.wikimedia.org/r/737837

gerritbot added a comment.Nov 10 2021, 2:02 PM

Change 737837 merged by Marostegui:

[operations/dns@master] wmnet: Replace m5-master with dbproxy1017

https://gerrit.wikimedia.org/r/737837

Marostegui closed this task as Resolved.Nov 10 2021, 2:14 PM

This has been done and so far everything has worked fine.
Going to call this resolved! If for any reason this needs to be reverted during the EU night, it is as simple as:

Thank you @bd808, @Andrew and @Legoktm for your patience and testing!

Marostegui updated the task description. (Show Details)Nov 10 2021, 2:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits