Page MenuHomePhabricator
Create Task
Maniphest T322579

give releng access to logs to debug buildkit-to-wmf-registry publishing
Closed, ResolvedPublic
Actions

Description

This ticket is to discuss and possibly implement access for releng group shell users to any access logs that are considered helpful to debug buildkit-to-wmf-registry publishing problems.

re this IRC comment:

< dduvall> ..debug a buildkit-to-wmf-registry publishing problem...

< dduvall> long term, it would be great if we could figure out a level of access for releng folks to see the access logs because i imagine we might be debugging publishing issues once in a while once we start migrating projects

< dduvall> ah i just saw the comment here https://phabricator.wikimedia.org/T322453#8375676 maybe it's just about simply upgrading. however, it's probably still a good idea to see what's happening server side which i cannot

Let's go from here and define which hosts, which logs etc and then see if we want to do that via admin groups or logstash?

We have another open ticket about getting gitlab logs into logstash.

Details

SubjectRepoBranchLines +/-
registry: Add nginx logs to rsyslogoperations/puppetproduction+8 -0
Send nginx and docker-registry logs to kafkaoperations/puppetproduction+3 -0
Add nginx logs for docker-registry host to rsyslogoperations/puppetproduction+8 -0
Customize query in gerrit

Related Objects

Event Timeline

Dzahn created this task.Nov 7 2022, 8:27 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 7 2022, 8:27 PM
Dzahn added a project: collaboration-services.Nov 7 2022, 8:28 PM
Dzahn updated the task description. (Show Details)
Dzahn added a subscriber: dduvall.
dduvall awarded a token.Nov 7 2022, 9:28 PM
dduvall added subscribers: jnuche, dancy.Nov 7 2022, 9:39 PM

Thanks for filing this!

This is what would be helpful for us in debugging registry access issues.

  • nginx access logs and error logs on the registry hosts (registry{1003,1004}.eqiad.wmnet, registry{2003,2004}.codfw.wmnet)
  • docker-registry service logs and access logs on the registry hosts
  • jwt-authorizer systemd logs on the registry hosts

@dancy, @jnuche ^ does this seem exhaustive enough for us?

I can imagine a scenario where there might be issues with the swift backend, but I don't think anything at that level wouldn't be surfaced by the other logs somehow and probably noticed and fixed by SRE very quickly.

dduvall added a project: Release-Engineering-Team (Radar).Nov 7 2022, 9:40 PM
Dzahn added a project: serviceops.Nov 7 2022, 10:25 PM
Joe subscribed.Nov 8 2022, 7:42 AM
In T322579#8377279, @dduvall wrote:

Thanks for filing this!

This is what would be helpful for us in debugging registry access issues.

  • nginx access logs and error logs on the registry hosts (registry{1003,1004}.eqiad.wmnet, registry{2003,2004}.codfw.wmnet)
  • docker-registry service logs and access logs on the registry hosts
  • jwt-authorizer systemd logs on the registry hosts

@dancy, @jnuche ^ does this seem exhaustive enough for us?

I can imagine a scenario where there might be issues with the swift backend, but I don't think anything at that level wouldn't be surfaced by the other logs somehow and probably noticed and fixed by SRE very quickly.

I would be ok with granting access to logs via logstash, I'm quite opposed to widen access to the registry hosts, it seems not really useful.

Also: both the registry and nginx keep access logs, so I guess it's enough to export one of the two.

Joe edited projects, added serviceops-radar; removed serviceops.Nov 8 2022, 7:42 AM
JMeybohm subscribed.Nov 8 2022, 8:41 AM
In T322579#8378397, @Joe wrote:

[...]
Also: both the registry and nginx keep access logs, so I guess it's enough to export one of the two.

I'd say export those from docker-registry. It writes access log plus additional stuff that might be useful

Dzahn added a comment.Nov 8 2022, 5:58 PM

I just added this small section to the Wikitech Logstash page how I got logs from "misc" systems into logstash with 2 changes.

One to get them to local syslog via rsyslog and then another to tell rsyslog to ship to kafka. And then I could see them in logstash filtering by "program". Example patches linked below are what I would copy to get nginx logs there.

https://wikitech.wikimedia.org/wiki/Logstash#Getting_logs_from_misc_systems_into_logstash

dduvall added a comment.EditedNov 8 2022, 7:40 PM
In T322579#8378513, @JMeybohm wrote:
In T322579#8378397, @Joe wrote:

[...]
Also: both the registry and nginx keep access logs, so I guess it's enough to export one of the two.

I'd say export those from docker-registry. It writes access log plus additional stuff that might be useful

There will be nginx access log entries that are not reflected in the docker-registry access logs that would be useful to us as well, most notably anything related to auth using the GitLab JWT tokens, subrequests between nginx and jwt-authorizer and the related nginx responses to the client. These do not hit docker-registry at all.

In T322579#8378397, @Joe wrote:

I would be ok with granting access to logs via logstash, I'm quite opposed to widen access to the registry hosts, it seems not really useful.

Also: both the registry and nginx keep access logs, so I guess it's enough to export one of the two.

FWIW we're not looking for anything close to root. We just need visibility into jwt-authorizer (via journalctl -u jwt-authorizer would be plenty), the communication between nginx and jwt-authorizer (so subrequest entries in the access logs), and the nginx responses from auth (that never hit docker-registry).

dancy added a comment.Nov 9 2022, 3:55 PM
In T322579#8377279, @dduvall wrote:

Thanks for filing this!

This is what would be helpful for us in debugging registry access issues.

  • nginx access logs and error logs on the registry hosts (registry{1003,1004}.eqiad.wmnet, registry{2003,2004}.codfw.wmnet)
  • docker-registry service logs and access logs on the registry hosts
  • jwt-authorizer systemd logs on the registry hosts

@dancy, @jnuche ^ does this seem exhaustive enough for us?

That list looks good to me.

LSobanski triaged this task as High priority.Nov 15 2022, 3:57 PM
LSobanski moved this task from Incoming to Backlog on the collaboration-services board.
LSobanski lowered the priority of this task from High to Medium.Jan 17 2023, 4:17 PM
dduvall mentioned this in T322453: Buildkit erroring with "cannot reuse body, request must be retried" upon multi-platform push.Mar 22 2023, 4:07 PM

Friendly ping. :)

eoghan changed the task status from Open to In Progress.May 12 2023, 9:02 AM
eoghan claimed this task.
eoghan moved this task from Backlog to Work in Progress on the collaboration-services board.
gerritbot added a comment.May 12 2023, 3:22 PM

Change 919350 had a related patch set uploaded (by EoghanGaffney; author: EoghanGaffney):

[operations/puppet@production] Add nginx logs for docker-registry host to rsyslog

https://gerrit.wikimedia.org/r/919350

gerritbot added a project: Patch-For-Review.May 12 2023, 3:22 PM
gerritbot added a comment.May 12 2023, 3:25 PM

Change 919351 had a related patch set uploaded (by EoghanGaffney; author: EoghanGaffney):

[operations/puppet@production] Send nginx and docker-registry logs to kafka

https://gerrit.wikimedia.org/r/919351

eoghan added a comment.May 12 2023, 3:46 PM

@dduvall I put up some changes to move the nginx (/var/log/nginx/{error,access}.log) and docker-registry (journalctl -u docker-registry) logs to logstash. The logs for jwt-authorizer seem to be empty though (from looking at journalctl -u jwt-authorizer), is there another place they might be?

gerritbot added a comment.May 23 2023, 3:53 PM

Change 919350 merged by EoghanGaffney:

[operations/puppet@production] Add nginx logs for docker-registry host to rsyslog

https://gerrit.wikimedia.org/r/919350

gerritbot added a comment.May 25 2023, 10:49 AM

Change 919351 merged by EoghanGaffney:

[operations/puppet@production] Send nginx and docker-registry logs to kafka

https://gerrit.wikimedia.org/r/919351

Maintenance_bot removed a project: Patch-For-Review.May 25 2023, 11:11 AM
gerritbot added a comment.Jun 15 2023, 10:40 PM

Change 930719 had a related patch set uploaded (by EoghanGaffney; author: EoghanGaffney):

[operations/puppet@production] registry: Add nginx logs to rsyslog

https://gerrit.wikimedia.org/r/930719

gerritbot added a project: Patch-For-Review.Jun 15 2023, 10:40 PM
gerritbot added a comment.Jun 20 2023, 10:50 AM

Change 930719 merged by EoghanGaffney:

[operations/puppet@production] registry: Add nginx logs to rsyslog

https://gerrit.wikimedia.org/r/930719

Maintenance_bot removed a project: Patch-For-Review.Jun 20 2023, 11:12 AM
eoghan closed this task as Resolved.Jun 20 2023, 11:17 AM

@dduvall I've fixed the problem that caused the nginx logs not to be included, you can now see all the logs from these hosts by filtering for program being one of docker-registry, input-finput-file-registry-nginx-access, and input-file-registry-nginx-error.

Here's a sample query: https://logstash.wikimedia.org/goto/ce91b70ec9e282c5ed7fbba0cc3fddd3

Feel free to re-open if there's any problems!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL