Page MenuHomePhabricator
Create Task
Maniphest T326167

Can't connect to database replicas via PAWS
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Open PAWS
  • Attempt to connect to one of the database replicas:
import pymysql
pymysql.connect(
    host="enwikisource.analytics.db.svc.wikimedia.cloud",
    read_default_file=".my.cnf",
    database="enwikisource_p"
)

What happens?:

OperationalError: (2003, "Can't connect to MySQL server on 'enwikisource.analytics.db.svc.wikimedia.cloud' (timed out)")

What should have happened instead?:

The connection should have succeeded

Based on timing alone, this is likely related to T325812

Related Objects

Event Timeline

Vahurzpu created this task.Jan 3 2023, 7:02 PM
Chicocvenancio added a subscriber: Chicocvenancio.Jan 3 2023, 7:17 PM

This seems to be the new networkpolicy blocking private ip addresses.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: singleuser
spec:
  egress:
(...)
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12 # this impact replicas
        - 192.168.0.0/16
        - 169.254.169.254/32
rook added a subscriber: rook.Jan 3 2023, 7:20 PM

If I'm understanding that network policy shouldn't 172.16.1.129 be permitted under 172.16.0.0/12?

Chicocvenancio added a comment.Jan 3 2023, 7:23 PM
In T326167#8495997, @rook wrote:

If I'm understanding that network policy shouldn't 172.16.1.129 be permitted under 172.16.0.0/12?

Glad I'm not the only one to read that as the sane interpretation. But no, egress is the list of allowed destinations, cidr: 0.0.0.0/0 is allowed, except for the private spaces listed. I'm making a PR.

rook added a comment.Jan 3 2023, 7:24 PM

Oh wait, looks like that isn't allowing all the ports...

Chicocvenancio mentioned this in rPAWS5031159f6a45: Allow access to private ips from singleuser servers Fixes:T326167.Jan 3 2023, 7:24 PM
rook added a comment.Jan 3 2023, 7:25 PM

I added

- ports:
  - port: 3306
    protocol: TCP

And it seems to be working, though it wouldn't survive a helm upgrade

GitHub <noreply@github.com> mentioned this in rPAWSd98cf02c4eec: Allow access to private ips from singleuser servers Fixes:T326167 (#238).Jan 3 2023, 7:27 PM
rook added a comment.Jan 3 2023, 7:28 PM

@Vahurzpu would you give it a try now?

Vahurzpu added a comment.Jan 3 2023, 7:29 PM

I can connect now. Thanks!

Chicocvenancio closed this task as Resolved.Jan 3 2023, 8:11 PM
Chicocvenancio claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL