
[cookbooks] Add ssh socks5 proxy support
Closed, Resolved | Public

Description

The goal is to be able to automatically start a SOCKS proxy and tunnel all HTTP requests through it.

This task includes deciding how to do so and implementing it.

A manual example:

dcaro@vulcanus$ ssh -nf -D 8888 cumin1001.eqiad.wmnet
…
-----
dcaro@vulcanus$ pip install 'requests[socks]'
dcaro@vulcanus$ python
>>> import requests
>>> res = requests.get("http://alertmanager-eqiad.wikimedia.org/api/v2/silences", proxies={"http": "socks5://127.0.0.1:8888"}).json()
>>> len(res)
4894

This should also work for puppetdb queries, but that also requires adding the proper CA to the host.
If possible, that should be automated (ask the user for permission before acting, though), in the setup script or the code itself (that last one might be more complicated); if not, documented.

After this, the user should be able to:

  • do a request from Python (a test cookbook) to the alertmanager, see the example above
  • get a list of hosts using a cumin puppetdb query (in a test cookbook)
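
An added sketch of how the "automatically start a SOCKS proxy" step could look (not part of the task or of the cookbooks code; all function names are hypothetical). It assumes key-based ssh access to the jump host, and it differs from the manual example in two labelled ways: ssh runs in the foreground with `-N` so the script can stop it, and the proxy URL uses `socks5h://` so hostnames are resolved on the far side of the tunnel.

```python
import contextlib
import socket
import subprocess
import time

def free_local_port():
    """Ask the kernel for an unused loopback TCP port."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def build_ssh_command(jump_host, port):
    """argv for a foreground dynamic (SOCKS) forward bound to loopback only."""
    return [
        "ssh", "-N",                        # tunnel only, no remote command
        "-D", f"127.0.0.1:{port}",          # never listen on other interfaces
        "-o", "ExitOnForwardFailure=yes",   # exit if the port cannot be bound
        "-o", "BatchMode=yes",              # fail instead of prompting
        jump_host,
    ]

def proxies_for(port):
    """requests-style mapping; socks5h resolves hostnames via the proxy."""
    url = f"socks5h://127.0.0.1:{port}"
    return {"http": url, "https": url}

def wait_for_listener(port, timeout=10.0):
    """Return True once something accepts connections on the loopback port."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with contextlib.suppress(OSError):
            socket.create_connection(("127.0.0.1", port), timeout=0.5).close()
            return True
        time.sleep(0.1)
    return False

@contextlib.contextmanager
def socks_proxy(jump_host):
    """Start the tunnel, yield the proxies mapping, always stop ssh on exit."""
    port = free_local_port()
    proc = subprocess.Popen(build_ssh_command(jump_host, port))
    try:
        # poll() guards against another local process owning the port
        # while our ssh has already exited.
        if not wait_for_listener(port) or proc.poll() is not None:
            raise RuntimeError(f"no ssh SOCKS listener on port {port}")
        yield proxies_for(port)
    finally:
        proc.terminate()
        proc.wait(timeout=5)
```

With `requests[socks]` installed as in the manual example, the yielded mapping is passed as `proxies=` to `requests.get` inside a `with socks_proxy(host) as proxies:` block.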

Event Timeline

dcaro triaged this task as High priority. (Oct 5 2022, 3:00 PM)
dcaro created this task.
dcaro changed the task status from Open to In Progress. (Nov 3 2022, 3:48 PM)
dcaro claimed this task.
dcaro moved this task from To refine to Doing on the User-dcaro board.

We can't use the alerts as they are now, though, as we are expecting to be able to downtime things using only the 'services' and 'team' labels (and the current spicerack implementation injects the instance label unconditionally).

That was done as some alerts come from second-hand instances (e.g. cloudcephmon1001/1002/1003, the three might be running the exporter service that then triggers the ceph-related alerts, so the instance label will be different), and as some of the alerts are service-specific, not instance-specific (too many cloudvirts down).

@Volans can we extend the alertmanager implementation in spicerack to allow not using the instance label when downtiming things?

Change 852960 had a related patch set uploaded (by David Caro; author: David Caro):

[operations/cookbooks@wmcs] wmcs: add socks proxy libraries

https://gerrit.wikimedia.org/r/852960

Change 852960 merged by jenkins-bot:

[operations/cookbooks@wmcs] wmcs: add socks proxy support to wmcs cookbooks

https://gerrit.wikimedia.org/r/852960