Page MenuHomePhabricator
Create Task
Maniphest T296411

cloud: decide on general idea for having cloud-dedicated hardware provide service in the cloud realm & the internet
Closed, ResolvedPublic
Actions

Description

What do we do when we have a cloud-dedicated hardware server and we need it to provide service to both cloud realm & the internet?

Ideas:

  • allocate a public IPv4 subnet behind cloudgw and have a NIC on the cloud-dedicated servers be on this subnet. How to do load-balancing then?
  • Use neutron VIP as load balancer
  • Use cloudgw to NAT to private cloudswift subnet
  • Run your own LVS
  • BGP to advertise IP, have VLAN terminate on cloudsw and not cloudgw

This also means extending or better shaping https://wikitech.wikimedia.org/wiki/Cross-Realm_traffic_guidelines#Case_4:_using_isolation_mechanisms

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedPapaulT342076 Decommission asw-b1-codfw
 ResolvedaborreroT296411 cloud: decide on general idea for having cloud-dedicated hardware provide service in the cloud realm & the internet
 DeclinedNoneT297587 PoC: have cloud hardware servers to the cloud realm using neutron VLAN
 DeclinedNoneT297588 connect 2nd cloudcontrol200x-dev NIC to vlan 2105
 ResolvedaborreroT297596 have cloud hardware servers in the cloud realm using a dedicated LB layer
 ResolvedaborreroT324992 cloudlb: create PoC on codfw
 ResolvedaborreroT327908 rename cloudgw2001-dev into cloudlb2001-dev
 ResolvedayounsiT327930 Is Vlan 2122 cloud-support1-b-codfw required?
 ResolvedcmooneyT327919 Configure cloudsw1-b1-codfw and migrate cloud hosts in codfw B1 to it
 ResolvedPapaulT331470 Run 2x1G links from asw-b1-codfw to cloudsw1-b1-codfw
Restricted Task
 ResolvedcmooneyT333316 Homer unable to commit config to cloudsw1-b1-codfw (QFX5120 21.4R3.16)
 ResolvedcmooneyT336368 cloudgw: review security policy for edge network
 ResolvedaborreroT332153 cloudlb PoC: prepare backends
 ResolvedaborreroT336236 cloudcontrol2001-dev: make it a cloudlb backend
 ResolvedJhancock.wmT336564 cloudcontrol2005-dev: make it a cloudlb backend
 ResolvedaborreroT336723 cloudlb vs. password_safelist
 ResolvedaborreroT336808 Inconsistent connectivity between cloudservices200[45]-dev and codfw1dev cloudcontrols
 ResolvedaborreroT336963 cloudcontrol2001-dev can't reach cloud-vps public IPs
 ResolvedaborreroT338125 cloudvirt: connect them to cloud-private
 ResolvedaborreroT338314 cloudnet: connect them to cloud-private
 ResolvedaborreroT307357 Move cloud vps ns-recursor IPs to host/row-independent addressing
 ResolvedcmooneyT336587 cloudservices[2004/2005]-dev & cloudweb2002-dev: connect them to cloudsw so they can have cloud-private vlan
 ResolvedaborreroT338433 openstack: figure out how to change /etc/resolv.conf in all VMs
 ResolvedaborreroT338778 cloudservices2004-dev: reimage into new network setup
 InvalidNoneT339869 codfw1dev: LDAP database content seems to have lost years of content
 ResolvedaborreroT338779 cloudservices2005-dev: reimage into new network setup
 ResolvedaborreroT340047 LDAP problems following cloudservices2005-dev reimage
 OpenNoneT340127 systemctl restart keystone doesn't actually restart keystone sometimes
 ResolvedaborreroT340488 codfw1dev: OpenStack services can only sort of talk to memacached on cloudcontrols
 InvalidaborreroT338938 codfw1dev: finish auth DNS server transition
 ResolvedaborreroT339905 codfw1dev: LDAP setup needs a refresh so TLS works
 ResolvedfgiunchediT341966 prometheus in codfw can't reach cloudservices' pdns to fetch metrics
 ResolvedcmooneyT347858 Manage WMCS codfw public service VIP DNS from Netbox
 ResolvedJhancock.wmT337828 cloudcontrol2004-dev: make it a cloudlb backend
 ResolvedaborreroT338132 cloudcontrol: review connectivity with backup system
 ResolvedAndrewT340791 galera sync failures on cloudcontrol2005-dev
 ResolvedaborreroT340881 proxy api crashing in codfw1dev
 ResolvedaborreroT335759 cloud-private subnet: introduce new domain
 Resolved taaviT336566 cloud: failures resolving some `wikimedia.cloud` domains
 OpencmooneyT346428 Netbox: Add support for our complex host network setups in provision script
 ResolvedaborreroT346410 need private IPs for cloudvirt200[4-6]-dev.codfw.wmnet
 OpencmooneyT347375 Netbox device location information not available on the first Puppet run of a device
 ResolvedaborreroT335760 Modify Bird module to allow source IP to be passed to template
 ResolvedaborreroT336071 cloudlb: figure out routing
 ResolvedaborreroT337758 puppet: interface::route resource does not persists settings
 ResolvedaborreroT338936 cloudlb: figure out plans for eqiad1
 ResolvedaborreroT338937 cloudlb: review swift/radosgw status
ResolvedAndrewT341380 Open swift port (28080) to the public internet
 ResolvedAndrewT341484 Horizon object store UI doesn't allow uploading of files
 ResolvedAndrewT341640 Move Horizon deploy to a Docker container
 ResolvedAndrewT341509 radosgw+keystone chokes on projects with '-' in their id
 ResolvedAndrewT343158 Support OpenStack projects where project name != project id
 OpenNoneT366679 openstack-browser support for projects where id != name
 ResolvedAndrewT347927 Better swift error messages for projects with invalid chars
 ResolvedAndrewT366301 Document and enforce restrictions on openstack project names
 ResolvedaborreroT340536 cloud-private: figure out, implement and test cross-DC traffic
 ResolvedJhancock.wmT289882 Q1:(Need By: TBD) rack/setup/install cloudswift100[12]
 ResolvedJeltoT338130 cloud-private: CIDR clash with gitlab-runners
 ResolvedaborreroT346060 GitLab Runners in WMCS are offline
 Resolved taaviT341060 openstack eqiad1: introduce cloud-private and cloudlb
 ResolvedaborreroT341061 eqiad1: repurpose 2 cloudswift servers as cloudlb
 ResolvedPapaulT341200 rename cloudswift1001 as cloudlb1001
 ResolvedaborreroT341201 rename cloudswift1002 as cloudlb1002
 OpenAndrewT341062 eqiad1: procure 1 additional cloudlb server
 ResolvedcmooneyT341063 eqiad1: introduce cloud-private support
 ResolvedcmooneyT341223 Configure eqiad cloudsw devices to support cloud-private
 ResolvedcmooneyT341220 eqiad1: allocate public IPv4 CIDR for BGP-based virtual IP addresses
 OpenAndrewT341338 eqiad1: fix PTR delegations for 185.15.56.0/24
 ResolvedJclark-ctrT341494 cloud @ eqiad: hardware re-racking plan
 ResolvedPapaulT342161 Q1:rack/setup/install cloudservices1006.eqiad.wmnet
 ResolvedaborreroT345240 cloudservices1006: put into service
 Resolved taaviT345654 cloudservices1006 can't talk to the cloud-wide puppetmaster
 OpenNoneT345731 cloudservices1006: debian bullseye installer hangs when partitioning /srv
 ResolvedJclark-ctrT346042 cloudservices1005: move to new setup
 ResolvedaborreroT346177 Certain systems failing to resolve DNS entries under toolforge.org, wmcloud.org, wmflabs.org, toolserver.org
 ResolvedRobHT346326 markmonitor update: refresh ns0.openstack.eqiad1.wikimediacloud.org glue A record to point to 185.15.56.162
 ResolvedfnegriT346385 cloudservices1006 using 10. address to send DNS NOTIFYs to cloudservices1005
 ResolvedJclark-ctrT346033 cloudservices1004: decomission
 Resolved taaviT346891 cloudcontrol1006: move to new network setup
 Resolved taaviT347381 Support maintain-dbusers on the new network layout
 Resolved taaviT346892 cloudcontrol1007: move to new network setup
 Resolved taaviT345610 cloudrabbit: connect them via cloudsw and cloud-private
 ResolvedaborreroT341495 eqiad1: cloudlb: reimage cloudcontrol1005 into new network setup
 ResolvedaborreroT342619 eqiad1: cloudlb: enable cloud-private subnet in cloudnet servers
 ResolvedaborreroT342621 eqiad1: cloudlb: transition DNS clients (VMs) to the new BGP-based recursor VIP
 InvalidaborreroT346092 cloudcontrols can't reach ns-recursor.openstack.eqiad1.wikimediacloud.org
 ResolvedaborreroT346426 Some VPS instances still using ns-recursor0
 ResolvedaborreroT346441 openstack eqiad1: verify new control plane works with cloudlb
 ResolvedaborreroT346439 cloudlb: eqiad1: change openstack.eqiad1.wikimediacloud.org endpoint to point to cloudlb
 Resolved taaviT346630 openstack: eqiad1: cleanup leaks from the cloudlb migration
 ResolvedaborreroT346896 eqiad1 cloudcontrols can't access designate API
 ResolvedaborreroT346603 openstack: eqiad1: review DB grants for new network setup
 Resolved taaviT346651 cloudvirt: eqiad1: connect them to cloud-private
 ResolvedJclark-ctrT346948 Move cloudvirt-wdqs hosts
 Resolved taaviT346993 dns + puppet failures on many cloud hosts
 OpenNoneT347148 Determine how to monitor services in cloud-private / cloudlb
 Resolved taaviT347277 metricsinfra: add support dns blackbox scrapes
 OpenNoneT288053 Add external meta-monitoring for metricsinfra
 Resolved taaviT347554 Do not require overriding ::openstack_controllers per context
 Resolved taaviT349801 Linting problems found for OpenstackAPIResponse
 OpenNoneT355416 Move Cloud VPS internal flows from cloud-hosts to cloud-private
 OpenNoneT355145 Use cloud-private and cfssl certs for instance live migrations
 Resolved taaviT355417 Move cloudcontrol memcached flows to cloud-private
 ResolvedAndrewT355418 Move Galera clustering to cloud-private
 OpenNoneT357543 clouddb: evaluate moving them into cloud-private
 DeclinedNoneT346946 move cloudelastic behind cloudlb
 Resolved taaviT346947 Move wiki replicas behind cloudlb
 Resolved taaviT351087 Migrate cloudlb hosts to nftables
 ResolvedjbondT351094 nftables ignores drange filter for IPv6 if drange only has IPv4 addresses

Event Timeline

aborrero created this task.Nov 24 2021, 3:59 PM
Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptNov 24 2021, 3:59 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
aborrero mentioned this in T289882: Q1:(Need By: TBD) rack/setup/install cloudswift100[12].Nov 24 2021, 4:00 PM
cmooney added a comment.Nov 24 2021, 4:41 PM

Thanks @arturo, I think that sums up the options we discussed. A few notes:

Existing Production LVS

One other option that was mentioned, and I'm not sure how viable it is, would be to utilize the existing production LVS. But you made a good point that this doesn't align with the goal of keeping cloud services as a separate realm.

Anycast

The last option you list is basically Anycasting the traffic from the cloudsw across a bunch of servers. This works well, the switch will forward each flow (based on src+dst IP) to one of the servers. If a server dies the BGP session will too, and the switch will lose that route and redirect traffic to the remaining servers. You can also add additional health-checks to force the BGP down on a server if there is a more subtle problem with a service that doesn't bring the box itself down.

Anycasting is usually stateless on the switch. One problem that causes is that all flows get remapped if the number of available back-ends change, but often that's not an issue, or can be tolerated in the rare case of failure. More sophisticated load balancing techniques generally keep track of what flows go to what servers, minimizing the disruption if one fails. They can also have better awareness of the load on each backend, and use more granular criteria to decide what flows go to which box. But if you can get away without that Anycasting works very well, and leaves all the heavy lifting to the switch ASIC.

Existing servers on production public subnets

Finally we should consider things like cloudcontrol, cloudservices, cloudstore and cloudelastic, which are on the current production public Vlan. Ideally whichever option is selected would also support migration of those to the cloud realm at some stage in the future.

Maintenance_bot added a project: SRE.Nov 24 2021, 4:45 PM
ayounsi updated the task description. (Show Details)Nov 24 2021, 5:07 PM
aborrero added a comment.Nov 30 2021, 6:02 PM

I did not forget this task, but have been busy the last few days and was unable to take time and write down my thoughts, yet.

aborrero added a comment.Dec 1 2021, 12:06 PM

create and shared a spreadsheet trying to capture/compare the different options being considered.

aborrero added a comment.Dec 1 2021, 5:40 PM

We had a meeting today, rough summary:

The idea is roughly:

  • get a couple new hardware servers (cloudlb?) dual homed (cloud-dedicated VLAN <-> cloud-host vlan, exact details TBD).
  • give them a public IPv4 address. Only 1, for a VIP. This IP is allocated from a cloud-dedicated IPv4 pool/CIDR and it will be associated with the wikimediacloud.org domain.
  • introduce keepalived (VRRP) and haproxy (proxying/loadbalancing) into the new servers
  • have all new services be backends of the above. Initially cloudswift, others likely to follow (cloudcontrol, cloudservices, etc).

Our next steps will be:

  • create a draft with the plans, diagrams and some initial implementation details -- Arturo to bootstrap this in the next few weeks.
  • iterate over the draft until we feel it sounds like an actual plan --- both WMCS & SRE/IF to iterate over it.
  • once we have a clear picture of what the architecture is and how the service will work, talk to the Traffic SRE team and coordinate with them. --- both WMCS & SRE/IF to participate in this meeting
aborrero triaged this task as Medium priority.Dec 13 2021, 10:18 AM
aborrero changed the status of subtask T297596: have cloud hardware servers in the cloud realm using a dedicated LB layer from Open to Stalled.Dec 13 2021, 12:39 PM
aborrero changed the task status from Open to Stalled.Dec 14 2021, 5:54 PM
aborrero changed the status of subtask T297587: PoC: have cloud hardware servers to the cloud realm using neutron VLAN from Open to Stalled.
aborrero moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.

We just re-shifted team priorities. We wont be working on this for now.

Andrew mentioned this in T305453: Horizon should use a proxy to access cloud vps hosted apis.May 2 2022, 9:45 PM
ayounsi moved this task from Backlog to Watching on the netops board.Jul 5 2022, 6:29 AM
Andrew mentioned this in T314522: Dedicated cloudrabbit nodes in eqiad1.Aug 8 2022, 7:42 PM
dcaro subscribed.Aug 10 2022, 7:19 AM

Related to T314847

aborrero changed the task status from Stalled to In Progress.Oct 17 2022, 3:06 PM
aborrero claimed this task.
aborrero raised the priority of this task from Medium to High.
aborrero moved this task from Soon! to Doing on the cloud-services-team (Kanban) board.
aborrero closed subtask T297587: PoC: have cloud hardware servers to the cloud realm using neutron VLAN as Declined.Nov 10 2022, 12:24 PM
aborrero changed the status of subtask T297596: have cloud hardware servers in the cloud realm using a dedicated LB layer from Stalled to In Progress.
nskaggs closed this task as Resolved.Jan 10 2023, 9:51 PM

As https://wikitech.wikimedia.org/wiki/Cross-Realm_traffic_guidelines#Case_4:_using_isolation_mechanisms is now updated and published, I believe this can be closed.

aborrero closed subtask T297596: have cloud hardware servers in the cloud realm using a dedicated LB layer as Resolved.Oct 10 2023, 3:49 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits