Page MenuHomePhabricator
Create Task
Maniphest T297596

have cloud hardware servers in the cloud realm using a dedicated LB layer
Closed, ResolvedPublic
Actions

Description

In a meeting on 2021-12-01 we decided to:

  • get a couple new hardware servers (cloudlb?) dual homed (cloud-dedicated VLAN <-> cloud-host vlan, exact details TBD).
  • give them a public IPv4 address. Only 1, for a VIP. This IP is allocated from a cloud-dedicated IPv4 pool/CIDR and it will be associated with the wikimediacloud.org domain.
  • introduce keepalived (VRRP) and haproxy (proxying/loadbalancing) into the new servers
  • have all new services be backends of the above. Initially cloudswift, others likely to follow (cloudcontrol, cloudservices, etc).

We agreed on our next steps being:

  • create a draft with the plans, diagrams and some initial implementation details -- @aborrero to do this
  • iterate over the draft until we feel it sounds like an actual plan --- both WMCS & SRE/IF to iterate over it.
  • once we have a clear picture of what the architecture is and how the service will work, talk to the Traffic SRE team and coordinate with them. --- both WMCS & SRE/IF to participate in this meeting

Details

SubjectRepoBranchLines +/-
cloudlb: introduce role skeletonoperations/puppetproduction+871 -2
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedPapaulT342076 Decommission asw-b1-codfw
 ResolvedaborreroT296411 cloud: decide on general idea for having cloud-dedicated hardware provide service in the cloud realm & the internet
 ResolvedaborreroT297596 have cloud hardware servers in the cloud realm using a dedicated LB layer
 ResolvedaborreroT324992 cloudlb: create PoC on codfw
 ResolvedaborreroT327908 rename cloudgw2001-dev into cloudlb2001-dev
 ResolvedayounsiT327930 Is Vlan 2122 cloud-support1-b-codfw required?
 ResolvedcmooneyT327919 Configure cloudsw1-b1-codfw and migrate cloud hosts in codfw B1 to it
 ResolvedPapaulT331470 Run 2x1G links from asw-b1-codfw to cloudsw1-b1-codfw
Restricted Task
 ResolvedcmooneyT333316 Homer unable to commit config to cloudsw1-b1-codfw (QFX5120 21.4R3.16)
 ResolvedcmooneyT336368 cloudgw: review security policy for edge network
 ResolvedaborreroT332153 cloudlb PoC: prepare backends
 ResolvedaborreroT336236 cloudcontrol2001-dev: make it a cloudlb backend
 ResolvedJhancock.wmT336564 cloudcontrol2005-dev: make it a cloudlb backend
 ResolvedaborreroT336723 cloudlb vs. password_safelist
 ResolvedaborreroT336808 Inconsistent connectivity between cloudservices200[45]-dev and codfw1dev cloudcontrols
 ResolvedaborreroT336963 cloudcontrol2001-dev can't reach cloud-vps public IPs
 ResolvedaborreroT338125 cloudvirt: connect them to cloud-private
 ResolvedaborreroT338314 cloudnet: connect them to cloud-private
 ResolvedaborreroT307357 Move cloud vps ns-recursor IPs to host/row-independent addressing
 ResolvedcmooneyT336587 cloudservices[2004/2005]-dev & cloudweb2002-dev: connect them to cloudsw so they can have cloud-private vlan
 ResolvedaborreroT338433 openstack: figure out how to change /etc/resolv.conf in all VMs
 ResolvedaborreroT338778 cloudservices2004-dev: reimage into new network setup
 InvalidNoneT339869 codfw1dev: LDAP database content seems to have lost years of content
 ResolvedaborreroT338779 cloudservices2005-dev: reimage into new network setup
 ResolvedaborreroT340047 LDAP problems following cloudservices2005-dev reimage
 OpenNoneT340127 systemctl restart keystone doesn't actually restart keystone sometimes
 ResolvedaborreroT340488 codfw1dev: OpenStack services can only sort of talk to memacached on cloudcontrols
 InvalidaborreroT338938 codfw1dev: finish auth DNS server transition
 ResolvedaborreroT339905 codfw1dev: LDAP setup needs a refresh so TLS works
 ResolvedfgiunchediT341966 prometheus in codfw can't reach cloudservices' pdns to fetch metrics
 ResolvedcmooneyT347858 Manage WMCS codfw public service VIP DNS from Netbox
 ResolvedJhancock.wmT337828 cloudcontrol2004-dev: make it a cloudlb backend
 ResolvedaborreroT338132 cloudcontrol: review connectivity with backup system
 ResolvedAndrewT340791 galera sync failures on cloudcontrol2005-dev
 ResolvedaborreroT340881 proxy api crashing in codfw1dev
 ResolvedaborreroT335759 cloud-private subnet: introduce new domain
 Resolved taaviT336566 cloud: failures resolving some `wikimedia.cloud` domains
 OpencmooneyT346428 Netbox: Add support for our complex host network setups in provision script
 ResolvedaborreroT346410 need private IPs for cloudvirt200[4-6]-dev.codfw.wmnet
 OpencmooneyT347375 Netbox device location information not available on the first Puppet run of a device
 ResolvedaborreroT335760 Modify Bird module to allow source IP to be passed to template
 ResolvedaborreroT336071 cloudlb: figure out routing
 ResolvedaborreroT337758 puppet: interface::route resource does not persists settings
 ResolvedaborreroT338936 cloudlb: figure out plans for eqiad1
 ResolvedaborreroT338937 cloudlb: review swift/radosgw status
ResolvedAndrewT341380 Open swift port (28080) to the public internet
 ResolvedAndrewT341484 Horizon object store UI doesn't allow uploading of files
 ResolvedAndrewT341640 Move Horizon deploy to a Docker container
 ResolvedAndrewT341509 radosgw+keystone chokes on projects with '-' in their id
 ResolvedAndrewT343158 Support OpenStack projects where project name != project id
 OpenNoneT366679 openstack-browser support for projects where id != name
 ResolvedAndrewT347927 Better swift error messages for projects with invalid chars
 ResolvedAndrewT366301 Document and enforce restrictions on openstack project names
 ResolvedaborreroT340536 cloud-private: figure out, implement and test cross-DC traffic
 ResolvedJhancock.wmT289882 Q1:(Need By: TBD) rack/setup/install cloudswift100[12]
 ResolvedJeltoT338130 cloud-private: CIDR clash with gitlab-runners
 ResolvedaborreroT346060 GitLab Runners in WMCS are offline
 Resolved taaviT341060 openstack eqiad1: introduce cloud-private and cloudlb
 ResolvedaborreroT341061 eqiad1: repurpose 2 cloudswift servers as cloudlb
 ResolvedPapaulT341200 rename cloudswift1001 as cloudlb1001
 ResolvedaborreroT341201 rename cloudswift1002 as cloudlb1002
 OpenAndrewT341062 eqiad1: procure 1 additional cloudlb server
 ResolvedcmooneyT341063 eqiad1: introduce cloud-private support
 ResolvedcmooneyT341223 Configure eqiad cloudsw devices to support cloud-private
 ResolvedcmooneyT341220 eqiad1: allocate public IPv4 CIDR for BGP-based virtual IP addresses
 OpenAndrewT341338 eqiad1: fix PTR delegations for 185.15.56.0/24
 ResolvedJclark-ctrT341494 cloud @ eqiad: hardware re-racking plan
 ResolvedPapaulT342161 Q1:rack/setup/install cloudservices1006.eqiad.wmnet
 ResolvedaborreroT345240 cloudservices1006: put into service
 Resolved taaviT345654 cloudservices1006 can't talk to the cloud-wide puppetmaster
 OpenNoneT345731 cloudservices1006: debian bullseye installer hangs when partitioning /srv
 ResolvedJclark-ctrT346042 cloudservices1005: move to new setup
 ResolvedaborreroT346177 Certain systems failing to resolve DNS entries under toolforge.org, wmcloud.org, wmflabs.org, toolserver.org
 ResolvedRobHT346326 markmonitor update: refresh ns0.openstack.eqiad1.wikimediacloud.org glue A record to point to 185.15.56.162
 ResolvedfnegriT346385 cloudservices1006 using 10. address to send DNS NOTIFYs to cloudservices1005
 ResolvedJclark-ctrT346033 cloudservices1004: decomission
 Resolved taaviT346891 cloudcontrol1006: move to new network setup
 Resolved taaviT347381 Support maintain-dbusers on the new network layout
 Resolved taaviT346892 cloudcontrol1007: move to new network setup
 Resolved taaviT345610 cloudrabbit: connect them via cloudsw and cloud-private
 ResolvedaborreroT341495 eqiad1: cloudlb: reimage cloudcontrol1005 into new network setup
 ResolvedaborreroT342619 eqiad1: cloudlb: enable cloud-private subnet in cloudnet servers
 ResolvedaborreroT342621 eqiad1: cloudlb: transition DNS clients (VMs) to the new BGP-based recursor VIP
 InvalidaborreroT346092 cloudcontrols can't reach ns-recursor.openstack.eqiad1.wikimediacloud.org
 ResolvedaborreroT346426 Some VPS instances still using ns-recursor0
 ResolvedaborreroT346441 openstack eqiad1: verify new control plane works with cloudlb
 ResolvedaborreroT346439 cloudlb: eqiad1: change openstack.eqiad1.wikimediacloud.org endpoint to point to cloudlb
 Resolved taaviT346630 openstack: eqiad1: cleanup leaks from the cloudlb migration
 ResolvedaborreroT346896 eqiad1 cloudcontrols can't access designate API
 ResolvedaborreroT346603 openstack: eqiad1: review DB grants for new network setup
 Resolved taaviT346651 cloudvirt: eqiad1: connect them to cloud-private
 ResolvedJclark-ctrT346948 Move cloudvirt-wdqs hosts
 Resolved taaviT346993 dns + puppet failures on many cloud hosts
 OpenNoneT347148 Determine how to monitor services in cloud-private / cloudlb
 Resolved taaviT347277 metricsinfra: add support dns blackbox scrapes
 OpenNoneT288053 Add external meta-monitoring for metricsinfra
 Resolved taaviT347554 Do not require overriding ::openstack_controllers per context
 Resolved taaviT349801 Linting problems found for OpenstackAPIResponse
 OpenNoneT355416 Move Cloud VPS internal flows from cloud-hosts to cloud-private
 OpenNoneT355145 Use cloud-private and cfssl certs for instance live migrations
 Resolved taaviT355417 Move cloudcontrol memcached flows to cloud-private
 ResolvedAndrewT355418 Move Galera clustering to cloud-private
 OpenNoneT357543 clouddb: evaluate moving them into cloud-private
 DeclinedNoneT346946 move cloudelastic behind cloudlb
 Resolved taaviT346947 Move wiki replicas behind cloudlb
 Resolved taaviT351087 Migrate cloudlb hosts to nftables
 ResolvedjbondT351094 nftables ignores drange filter for IPv6 if drange only has IPv4 addresses

Event Timeline

aborrero created this task.Dec 13 2021, 12:38 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 13 2021, 12:38 PM
aborrero changed the task status from Open to Stalled.Dec 13 2021, 12:39 PM
aborrero triaged this task as Medium priority.

Marking this as blocked by T297587: PoC: have cloud hardware servers to the cloud realm using neutron VLAN, as they are competing solutions to the same problem, and we're evaluating the other first.

aborrero moved this task from Inbox to Blocked on the cloud-services-team (Kanban) board.Dec 13 2021, 12:39 PM
aborrero changed the task status from Stalled to In Progress.Nov 10 2022, 12:24 PM
aborrero raised the priority of this task from Medium to High.
aborrero mentioned this in T297587: PoC: have cloud hardware servers to the cloud realm using neutron VLAN.
aborrero mentioned this in T297588: connect 2nd cloudcontrol200x-dev NIC to vlan 2105.
aborrero moved this task from Blocked to Doing on the cloud-services-team (Kanban) board.
aborrero added a comment.Nov 10 2022, 12:26 PM

This project has been restarted, more information at https://wikitech.wikimedia.org/wiki/Wikimedia_Cloud_Services_team/EnhancementProposals/Iteration_on_network_isolation

aborrero claimed this task.Nov 10 2022, 12:27 PM
gerritbot added a comment.Nov 29 2022, 5:34 PM

Change 861902 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/puppet@production] openstack: haproxy: introduce hiera config hash

https://gerrit.wikimedia.org/r/861902

gerritbot added a project: Patch-For-Review.Nov 29 2022, 5:34 PM
gerritbot added a comment.Dec 16 2022, 10:49 AM

Change 861902 merged by Arturo Borrero Gonzalez:

[operations/puppet@production] cloudlb: introduce role skeleton

https://gerrit.wikimedia.org/r/861902

Maintenance_bot removed a project: Patch-For-Review.Dec 16 2022, 11:30 AM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 7:25 PM
fnegri moved this task from Kanban to Doing? (legacy column) on the cloud-services-team board.
fnegri moved this task from Doing? (legacy column) to FY2022/2023-Q3 on the cloud-services-team board.Jan 19 2023, 12:37 PM
fnegri edited projects, added cloud-services-team (FY2022/2023-Q3); removed cloud-services-team.
fnegri moved this task from Backlog to In progress on the cloud-services-team (FY2022/2023-Q3) board.
aborrero changed the status of subtask T324992: cloudlb: create PoC on codfw from Open to Stalled.Mar 2 2023, 3:18 PM
aborrero changed the status of subtask T324992: cloudlb: create PoC on codfw from Stalled to In Progress.Mar 14 2023, 12:39 PM
nskaggs mentioned this in T289882: Q1:(Need By: TBD) rack/setup/install cloudswift100[12].Apr 5 2023, 2:03 PM
nskaggs added a subtask: T289882: Q1:(Need By: TBD) rack/setup/install cloudswift100[12].
nskaggs closed subtask T324992: cloudlb: create PoC on codfw as Resolved.Apr 11 2023, 9:15 PM
nskaggs reopened subtask T324992: cloudlb: create PoC on codfw as In Progress.
fnegri moved this task from FY2022/2023-Q3 to FY2022/2023-Q4 on the cloud-services-team board.Apr 12 2023, 5:11 PM
fnegri edited projects, added cloud-services-team (FY2022/2023-Q4); removed cloud-services-team (FY2022/2023-Q3).
fnegri moved this task from Backlog to Planned Goals on the cloud-services-team (FY2022/2023-Q4) board.
fnegri added a project: Goal.Apr 19 2023, 2:27 PM
fnegri moved this task from Planned Goals to In progress on the cloud-services-team (FY2022/2023-Q4) board.
aborrero mentioned this in T336587: cloudservices[2004/2005]-dev & cloudweb2002-dev: connect them to cloudsw so they can have cloud-private vlan.May 12 2023, 3:52 PM
aborrero mentioned this in T307357: Move cloud vps ns-recursor IPs to host/row-independent addressing.May 12 2023, 4:06 PM
nskaggs mentioned this in T337571: Requesting access to ops group for nskaggs.May 31 2023, 8:57 PM
aborrero added a subtask: T307357: Move cloud vps ns-recursor IPs to host/row-independent addressing.Jun 2 2023, 4:27 PM
Papaul closed subtask T289882: Q1:(Need By: TBD) rack/setup/install cloudswift100[12] as Resolved.Jun 9 2023, 2:22 AM
aborrero changed the status of subtask T307357: Move cloud vps ns-recursor IPs to host/row-independent addressing from Open to Stalled.Jun 12 2023, 3:18 PM
aborrero changed the status of subtask T307357: Move cloud vps ns-recursor IPs to host/row-independent addressing from Stalled to Open.Jun 13 2023, 4:32 PM
aborrero closed subtask T324992: cloudlb: create PoC on codfw as Resolved.Jul 4 2023, 12:40 PM
aborrero changed the status of subtask T341060: openstack eqiad1: introduce cloud-private and cloudlb from Open to In Progress.Jul 4 2023, 12:42 PM
fnegri moved this task from FY2022/2023-Q4 to FY2023/2024-Q1-Q2 on the cloud-services-team board.Jul 26 2023, 5:49 PM
fnegri edited projects, added cloud-services-team (FY2023/2024-Q1-Q2); removed cloud-services-team (FY2022/2023-Q4).
fnegri moved this task from Backlog to In progress on the cloud-services-team (FY2023/2024-Q1-Q2) board.
aborrero closed subtask T307357: Move cloud vps ns-recursor IPs to host/row-independent addressing as Resolved.Sep 20 2023, 10:25 AM
taavi closed subtask T338130: cloud-private: CIDR clash with gitlab-runners as Resolved.Sep 27 2023, 7:51 AM
aborrero closed this task as Resolved.Oct 10 2023, 3:49 PM
aborrero removed projects: cloud-services-team (FY2023/2024-Q1-Q2), Goal.

This is completed: we have now the cloudlb systems.

Aklapper added projects: cloud-services-team (FY2023/2024-Q1-Q2), Goal.Oct 10 2023, 4:03 PM
fnegri moved this task from In progress to Done on the cloud-services-team (FY2023/2024-Q1-Q2) board.Oct 19 2023, 3:44 PM
taavi closed subtask T346947: Move wiki replicas behind cloudlb as Resolved.Jan 17 2024, 1:46 PM
cmooney closed subtask T346946: move cloudelastic behind cloudlb as Declined.Jan 23 2024, 1:54 PM
taavi closed subtask T341060: openstack eqiad1: introduce cloud-private and cloudlb as Resolved.Apr 10 2024, 8:29 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits