Page MenuHomePhabricator
Create Task
Maniphest T317182

Move archiva to private IPs + CDN
Closed, DeclinedPublic
Actions

Description

Bold title to start the conversation and help with T317177.

The archiva1001 server might be a good candidate to move from public to private vlan and be fronted by the CDN. Using the squid proxies if external resources (eg. git) needs to be fetched from the Internet. The CDN brings also a layer of security with abuse control and rate limiting.
If deemed a good option (eg. no blockers) this could for example be bundled with the bullseye upgrade.

Related Objects
Search...

Event Timeline

ayounsi created this task.Sep 7 2022, 10:34 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 7 2022, 10:34 AM
ayounsi added a parent task: T317177: [tracking] Don't keep on the public vlans hosts that don't require it.Sep 7 2022, 10:35 AM
MoritzMuehlenhoff subscribed.Sep 7 2022, 10:38 AM
Ottomata added a comment.Sep 7 2022, 1:33 PM

+1

if external resources (eg. git) needs to be fetched from the Internet

JVM Dependencies are automatically fetched from the internet (maven central usually) and cached in our archiva.

Ottomata added a subscriber: BTullis.Sep 7 2022, 1:34 PM
ayounsi mentioned this in T288804: Upgrade the Data Engineering infrastructure to Debian Bullseye.Sep 7 2022, 1:45 PM
BTullis added a comment.Sep 7 2022, 4:14 PM

I'm also fine with this move and the use of the squid proxies.

elukey added a comment.Sep 8 2022, 6:54 AM
In T317182#8217435, @Ottomata wrote:

+1

if external resources (eg. git) needs to be fetched from the Internet

JVM Dependencies are automatically fetched from the internet (maven central usually) and cached in our archiva.

Andrew don't we have also to allow git-fat binaries to be deployed on external clients? Or do I misremember? I don't see anything against moving forward but I am wondering if the git-fat workflow needs some extra care before moving to the CDN.

Ottomata added a comment.Sep 8 2022, 2:26 PM

Oh hm. Yes. Well maybe. Scap uses git fat to pull artifacts via rsync from archiva. This should still work internally.

Errrr, I'm not certain about how the refinery artifact update Jenkins job works. I don't think it needs to run any git-fat push or pull commands. The artifacts are added to the git-fat repo by a cron job on archiva, and git-fat pulls are only needed during scap deployments. Adding the artifacts to git-fat should just be a regular git push of a text file to gerrit that points at the git-fat repo.

But sometimes, if CI/CD goes wrong, then we do manage the git-fat files locally. I think that all the real interactions are with gerrit though, so it will be okay. We don't allow git-fat pushes directly.

elukey added a comment.Sep 8 2022, 2:33 PM

Ack! I was thinking also to when one tests stuff like refinery-source locally (on their laptop/workstation outside the WMF), IIRC it pulls directly from archiva.wikimedia.org? it should work via squid proxy anyway, but I wanted to explore all ideas since in the past we had an issue with it (IIRC). Anyway, it is probably very easy to spin up archiva-next.wikimedia.org (backed up by a non-public-ip config) and see how it goes :)

Ottomata added a comment.Sep 8 2022, 2:48 PM

When testing analytics/refinery/source, it is all Archiva / maven API.

analytics/refinery is used for deployment in prod of .jar files pulled from archiva via git-fat rsync. Sometimes, users might want to be able to do git-fat pull locally, but I think that is rare enough that we might not need to.

elukey added a comment.Sep 8 2022, 2:51 PM

ack thanks for the clarification!

EChetty edited projects, added Data-Engineering-Planning; removed Data-Engineering.Sep 27 2022, 2:23 PM
EChetty moved this task from Backlog to Event Platform on the Data-Engineering-Planning board.Nov 7 2022, 10:58 AM
EChetty added a project: Event-Platform.
Ottomata edited projects, added Data-Engineering; removed Event-Platform, Data-Engineering-Planning.Nov 28 2022, 2:07 PM
Ottomata added a subscriber: EChetty.

@EChetty I don't think this task belongs in Event Platform. Removing tag.

BTullis edited projects, added Shared-Data-Infrastructure, Data-Engineering-Planning; removed Data-Engineering.Nov 28 2022, 2:11 PM

Dropping it into Shared-Data-Infrastructure

BTullis moved this task from Event Platform to Shared Data Infra on the Data-Engineering-Planning board.Nov 28 2022, 2:11 PM
EChetty moved this task from Backlog to To be discussed on the Shared-Data-Infrastructure board.Feb 6 2023, 10:09 AM
BTullis added a project: Data-Platform-SRE.Jun 9 2023, 11:56 AM
JArguello-WMF removed a project: Shared-Data-Infrastructure.Jun 29 2023, 1:41 PM
JArguello-WMF removed a project: Data-Engineering-Planning.Jun 29 2023, 4:14 PM
BTullis triaged this task as High priority.Jul 3 2023, 12:12 PM

Setting to high priority, as it will help not only with the bullseye upgrade, but also T323210

Gehel moved this task from Incoming to Misc on the Data-Platform-SRE board.Aug 29 2023, 1:53 PM
BTullis mentioned this in T349292: Migrate archiva to Debian bullseye (or bookworm).Oct 19 2023, 12:11 PM
bking subscribed.Dec 19 2023, 5:55 PM
Gehel closed this task as Declined.Mar 20 2024, 9:06 AM
Gehel subscribed.

Given that Archiva isn't supported anymore, we will migrate away from it. Thus this ticket isn't needed anymore.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL