Page MenuHomePhabricator
Create Task
Maniphest T323913

Move thanos-sso away from CNAME discovery.wmnet
Closed, ResolvedPublic
Actions

Description

Today I was in the process of upgrading Thanos in T303154 and while depooling thanos-query kinda worked as expected (grafana kept the connections, to be investigated later) I noticed that thanos.w.o web interface did not switch. After a bit of digging I finally remembered about T151009: Provide authenticated access to Thanos native web interface which means web requests for thanos.w.o are backed thanos-sso.discovery.wmnet which is a CNAME to a single host (because sso sessions are not shared among hosts, at least as of Jul 2020)

The schema works fine, though it complicates failover and isn't intuitive with how the rest of thanos works. Therefore I think we should:

  • Investigate whether nowadays we can share sso sessions, cc @jbond @Muehlenhoff as they would know. If that's possible/supported then we can flip back to thanos-query.discovery.wmnet to proxy thanos.w.o
  • If the above isn't possible/desired, then move thanos-sso.discovery.wmnet to be another service IP with hashing based on client IP, this way we can confctl pool/depool like we do for thanos-swift and thanos-query

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
hieradata: add note re: thanos-web and scheduler: sh and SSOoperations/puppetproduction+5 -1
wmnet: remove thanos-ssooperations/dnsmaster+0 -4
hiera: replace thanos-sso with thanos-weboperations/puppetproduction+1 -1
Revert thanos-web discovery recordoperations/dnsmaster+0 -2
hiera: set thanos-web service to productionoperations/puppetproduction+4 -1
hiera: move thanos-web to lvs_setupoperations/puppetproduction+1 -1
thanos: add thanos-web to catalog and frontendoperations/puppetproduction+41 -1
conftool: add thanos-web serviceoperations/puppetproduction+9 -6
Add thanos-web.svc and discoveryoperations/dnsmaster+6 -0
Customize query in gerrit

Related Objects

Event Timeline

fgiunchedi created this task.Nov 28 2022, 2:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 28 2022, 2:04 PM
fgiunchedi updated the task description. (Show Details)Nov 28 2022, 2:37 PM
fgiunchedi added a comment.Nov 28 2022, 2:57 PM

(thinking out loud) actually going with shared-nothing seems like a better option here, even though thanos.w.o isn't super critical (i.e. option #2 )

gerritbot added a comment.Nov 28 2022, 3:15 PM

Change 861396 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/dns@master] Add thanos-web.svc and discovery

https://gerrit.wikimedia.org/r/861396

gerritbot added a project: Patch-For-Review.Nov 28 2022, 3:15 PM
gerritbot added a comment.Nov 28 2022, 3:59 PM

Change 861411 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] conftool: add thanos-web service

https://gerrit.wikimedia.org/r/861411

gerritbot added a comment.Nov 28 2022, 3:59 PM

Change 861412 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] thanos: add thanos-web to catalog and frontend

https://gerrit.wikimedia.org/r/861412

fgiunchedi moved this task from Backlog to Up next on the User-fgiunchedi board.Nov 28 2022, 4:10 PM
fgiunchedi moved this task from Up next to Doing on the User-fgiunchedi board.
gerritbot added a comment.Nov 29 2022, 11:23 AM

Change 861396 merged by Filippo Giunchedi:

[operations/dns@master] Add thanos-web.svc and discovery

https://gerrit.wikimedia.org/r/861396

gerritbot added a comment.Nov 29 2022, 11:29 AM

Change 861827 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/dns@master] Revert thanos-web discovery record

https://gerrit.wikimedia.org/r/861827

gerritbot added a comment.Nov 29 2022, 11:30 AM

Change 861827 merged by Filippo Giunchedi:

[operations/dns@master] Revert thanos-web discovery record

https://gerrit.wikimedia.org/r/861827

gerritbot added a comment.Nov 29 2022, 11:39 AM

Change 861411 merged by Filippo Giunchedi:

[operations/puppet@production] conftool: add thanos-web service

https://gerrit.wikimedia.org/r/861411

gerritbot added a comment.Nov 30 2022, 1:17 PM

Change 861412 merged by Filippo Giunchedi:

[operations/puppet@production] thanos: add thanos-web to catalog and frontend

https://gerrit.wikimedia.org/r/861412

gerritbot added a comment.Nov 30 2022, 1:25 PM

Change 862258 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] hiera: move thanos-web to lvs_setup

https://gerrit.wikimedia.org/r/862258

gerritbot added a comment.Nov 30 2022, 3:31 PM

Change 862258 merged by Filippo Giunchedi:

[operations/puppet@production] hiera: move thanos-web to lvs_setup

https://gerrit.wikimedia.org/r/862258

Stashbot added a comment.Nov 30 2022, 3:35 PM

Mentioned in SAL (#wikimedia-operations) [2022-11-30T15:35:12Z] <godog> roll-restart pybal on lvs[21]020 to pick up thanos-web service and then on lvs1019 lvs2009 - T323913

Maintenance_bot removed a project: Patch-For-Review.Nov 30 2022, 4:29 PM
MoritzMuehlenhoff subscribed.Dec 1 2022, 9:45 AM

Investigate whether nowadays we can share sso sessions,

The CAS cookie used by mod_auth_cas is stored locally under /var/cache/apache2/mod_auth_cas/thanos.wikimedia.org. If this were written to some shared storage it might work, but we haven't tested this yet.

fgiunchedi added a comment.Dec 1 2022, 10:02 AM
In T323913#8434818, @MoritzMuehlenhoff wrote:

Investigate whether nowadays we can share sso sessions,

The CAS cookie used by mod_auth_cas is stored locally under /var/cache/apache2/mod_auth_cas/thanos.wikimedia.org. If this were written to some shared storage it might work, but we haven't tested this yet.

Thank you that makes sense! I ended up going with sticky requests via sh scheduler, we'll see how that goes

gerritbot added a comment.Dec 1 2022, 10:35 AM

Change 862843 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] hiera: set thanos-web service to production

https://gerrit.wikimedia.org/r/862843

gerritbot added a project: Patch-For-Review.Dec 1 2022, 10:35 AM
gerritbot added a comment.Dec 1 2022, 10:44 AM

Change 862843 merged by Filippo Giunchedi:

[operations/puppet@production] hiera: set thanos-web service to production

https://gerrit.wikimedia.org/r/862843

Maintenance_bot removed a project: Patch-For-Review.Dec 1 2022, 11:30 AM
gerritbot added a comment.Dec 1 2022, 2:41 PM

Change 862937 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] hiera: replace thanos-sso with thanos-web

https://gerrit.wikimedia.org/r/862937

gerritbot added a project: Patch-For-Review.Dec 1 2022, 2:41 PM
gerritbot added a comment.Dec 1 2022, 2:44 PM

Change 862939 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/dns@master] wmnet: remove thanos-sso

https://gerrit.wikimedia.org/r/862939

gerritbot added a comment.Dec 5 2022, 7:40 AM

Change 862937 merged by Filippo Giunchedi:

[operations/puppet@production] hiera: replace thanos-sso with thanos-web

https://gerrit.wikimedia.org/r/862937

fgiunchedi added a comment.Dec 5 2022, 8:32 AM

I was a little too hasty/optimistic in imagining the outcome; in the sense that even for pass traffic from varnish-frontend to ats-backend the selection is still random and thus even sh scheduler won't work because the client IP is random.

At any rate, we now have thanos-web discovery service which does simplify operations compared to merging DNS patches to move thanos.wikimedia.org to a different host. I've updated https://wikitech.wikimedia.org/wiki/Thanos#Pool_/_depool_a_site accordingly.

gerritbot added a comment.Dec 5 2022, 8:33 AM

Change 862939 merged by Filippo Giunchedi:

[operations/dns@master] wmnet: remove thanos-sso

https://gerrit.wikimedia.org/r/862939

fgiunchedi added a comment.Dec 5 2022, 8:36 AM

I'll call this resolved since we have moved away from thanos-sso CNAME and into thanos-web for conftool instead.

fgiunchedi closed this task as Resolved.Dec 5 2022, 8:36 AM
fgiunchedi claimed this task.
gerritbot added a comment.Dec 5 2022, 8:39 AM

Change 864663 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] hieradata: add note re: thanos-web and scheduler: sh and SSO

https://gerrit.wikimedia.org/r/864663

gerritbot added a comment.Dec 6 2022, 8:28 AM

Change 864663 merged by Filippo Giunchedi:

[operations/puppet@production] hieradata: add note re: thanos-web and scheduler: sh and SSO

https://gerrit.wikimedia.org/r/864663

lmata moved this task from Inbox to Done on the Observability-Metrics board.Jan 16 2023, 5:42 PM
fgiunchedi mentioned this in T328117: Move performance.w.o to be backed by an active/active discovery record.Jan 27 2023, 10:25 AM
Maintenance_bot removed a project: Patch-For-Review.Jan 27 2023, 10:30 AM
fgiunchedi mentioned this in T331512: Support for multiple SSO thanos-web backends.Mar 8 2023, 9:26 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits