Page MenuHomePhabricator
Create Task
Maniphest T312557

Some WMCS clusters have inconsistent AAAA DNS records for the primary IPv6 of the hosts
Closed, ResolvedPublic
Actions

Description

Some clusters managed by the Cloud Services team have inconsistent AAAA DNS records for the primary IPv6 of the hosts. Some hosts have the AAAA record in the DNS for their primary IPv6 address, some don't.
See https://wikitech.wikimedia.org/wiki/DNS/Netbox#Mixed_clusters for more details about the possible risks of the current setup and the two alternative actions to move forward.

This is the list of the affected clusters and related hosts as of 04/07/2022:

  • cloudbackup*: DONE (added AAAA record)
    • have the AAAA record: cloudbackup100[3-4]
    • lack the AAAA record: cloudbackup200[1-2]
  • cloudcephmon*: DONE (added AAAA record)
    • have the AAAA record: cloudcephmon1003,cloudcephmon[2004-2006]-dev
    • lack the AAAA record: cloudcephmon100[1-2]
  • cloudcephosd*: DONE (added AAAA record)
    • have the AAAA record: cloudcephosd200[1-3]-dev,cloudcephosd10[16-34]
    • lack the AAAA record: cloudcephosd[1001-1015]
  • cloudnet*: DONE (cloudnet[1003-1004] don't exist anymore)
    • have the AAAA record: cloudnet[2005-2006]-dev,cloudnet[1005-1006]
    • lack the AAAA record: cloudnet[1003-1004]
  • cloudvirt*: DONE (added AAAA record)
    • have the AAAA record: cloudvirt[1019-1022,1025-1026,1028-1030,1040-1053]
    • lack the AAAA record: cloudvirt[2001-2003]-dev,cloudvirt[1017,1023-1024,1027,1030-1039]

Related Objects
Search...

Event Timeline

Volans created this task.Jul 7 2022, 2:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 7 2022, 2:56 PM
taavi edited projects, added cloud-services-team (Kanban), Cloud-VPS; removed Cloud-Services.Jul 7 2022, 2:56 PM
dcaro subscribed.Aug 10 2022, 7:21 AM
dcaro added a comment.EditedAug 10 2022, 7:40 AM

Added dns AAAA record to cloudcephosd10[01-15]

dcaro updated the task description. (Show Details)Aug 10 2022, 7:41 AM
dcaro updated the task description. (Show Details)Aug 10 2022, 7:51 AM

Added AAAA record for coludbockup and cloudcephmon, the rest will need more careful checking

dcaro added a subscriber: Andrew.Aug 25 2022, 10:27 AM

@Andrew Can you give it a look too? may be related to the issues you were seeing with auth timeouts?

Andrew claimed this task.Aug 25 2022, 1:54 PM
Andrew added a comment.Aug 31 2022, 8:53 PM

Clouddb: I know little to nothing about these servers. Most sql grants are only configured for ipv4, so it's possible that adding AAAA records will cause access failures. Note, though, that this is not a mixed cluster: the clouddb hosts in codfw server an entirely different purpose from those in eqiad. Bad naming :(

Cloudnet100[34]: It's definitely true that the service running on this is ipv4 only, but since the counterparts in codfw1dev work it should be safe to add.

It should be safe to add the cloudvirt records.

Andrew removed Andrew as the assignee of this task.Aug 31 2022, 8:55 PM

What's involved in adding these records? Is it just filling in a field in netbox or are there separate dns steps needed?

Andrew claimed this task.Aug 31 2022, 8:55 PM
Volans added a comment.Sep 1 2022, 10:49 AM
In T312557#8204286, @Andrew wrote:

What's involved in adding these records? Is it just filling in a field in netbox or are there separate dns steps needed?

As mentioned in the task description, it's all outlined in the wikitech page: https://wikitech.wikimedia.org/wiki/DNS/Netbox#Mixed_clusters that would point you to https://wikitech.wikimedia.org/wiki/DNS/Netbox#Add_missing_DNS_name_to_the_primary_IPv6_address where, based if you need to add to few hosts or many hosts, there are two different approaches.

Andrew updated the task description. (Show Details)Sep 1 2022, 9:41 PM
Volans added a comment.EditedSep 2 2022, 8:11 AM

@Andrew the outlined process required 2 steps. You just performed step 1 (adding the DNS names in Netbox) and not step 2 (running the sre.dns.netbox cookbook).
The lack of running step 2 is causing various issues:

  1. The changes have not been deployed to the DNS so they are not live and we don't know if they are ok or might cause issues to the services on those hosts
  2. It caused Icinga to alert:
Thu 22:25:33   icinga-wm| PROBLEM - Uncommitted DNS changes in Netbox on netbox1002 is CRITICAL: Netbox has uncommitted DNS changes https://wikitech.wikimedia.org/wiki/Monitoring/Netbox_DNS_uncommitted_changes
  1. It's currently de-facto blocking any other Netbox changes to be propagated via the sre.dns.netbox cookbook without incurring in the risk of breaking the services on those hosts
    • In particular when people run the provision or decommissioning workflows expect a DNS diff when running the cookbook to just have the affected hosts and not spurious changes. In those cases usually the operator stops and have to go around and ask to know if it's safe to proceed or not, blocking them.

I'm raising this to the WMCS folks in EU timezones to see if we can merge those changes and unblock other changes.

FYI the current diff is P33742

fnegri subscribed.EditedSep 2 2022, 8:58 AM

@Volans I've now run the sre.dns.netbox cookbook, which completed successfully.

bd808 moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.Sep 27 2022, 9:25 PM
Andrew updated the task description. (Show Details)Nov 17 2022, 9:23 PM
Andrew closed this task as Resolved.Nov 17 2022, 9:43 PM
Andrew updated the task description. (Show Details)
dcaro reopened this task as Stalled.Nov 24 2022, 10:30 AM
dcaro mentioned this in T323550: clouddb* hosts with ipv6 access timeout from cumin.

Note that the clouddb AAAA records can't be added yet, blocked by T270101

dcaro added a subtask: T270101: Grants not working with DB hosts with to ipv6.Nov 24 2022, 10:31 AM
dcaro updated the task description. (Show Details)
Andrew removed Andrew as the assignee of this task.Nov 28 2022, 8:04 PM
bd808 updated the task description. (Show Details)Nov 28 2022, 8:33 PM
Andrew added a comment.Nov 28 2022, 9:12 PM

Just so I'm up to speed -- did you remove the AAAA records that I added before my break?

dcaro closed this task as Resolved.Nov 29 2022, 9:22 AM
dcaro claimed this task.
In T312557#8426337, @Andrew wrote:

Just so I'm up to speed -- did you remove the AAAA records that I added before my break?

Partially yes, it turns out, that as you suspected, the clouddb* hosts have the grants set only for IPv4 addresses, and the clients started using the IPv6 by default, failing to connect to the DB server. So I removed the AAAA entries for the clouddb* hosts (more details in T323550: clouddb* hosts with ipv6 access timeout from cumin).

Also linked the task on the DBA side to setup those grants that will unblock this one (T270101: Grants not working with DB hosts with to ipv6).

dcaro reopened this task as Stalled.Nov 29 2022, 9:23 AM
dcaro removed dcaro as the assignee of this task.
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 7:26 PM
fnegri moved this task from Kanban to Doing? (legacy column) on the cloud-services-team board.
fnegri moved this task from Doing? (legacy column) to Inbox on the cloud-services-team board.Jan 19 2023, 12:55 PM
joanna_borun triaged this task as Low priority.Sep 4 2024, 2:07 PM
taavi edited subtasks, added: T369308: Decommission clouddb2002-dev.codfw.wmnet; removed: T270101: Grants not working with DB hosts with to ipv6.Nov 15 2024, 9:07 AM
Volans closed this task as Resolved.Nov 19 2024, 9:31 AM
Volans claimed this task.

There are no more inconsistent cluster, all the above have been resolved.

The only left hosts are I think expected to not support AAAA records for now:

an-redacteddb1001.eqiad.wmnet,clouddb2002-dev.codfw.wmnet,clouddb[1013-1020].eqiad.wmnet
Papaul closed subtask T369308: Decommission clouddb2002-dev.codfw.wmnet as Resolved.Nov 26 2024, 4:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits