Page MenuHomePhabricator
Create Task
Maniphest T326316

Misconfigured proxies on I/F hosts
Closed, ResolvedPublic
Actions

Description

I added a filter term (disabled by default) on the Squid proxy dashboard to surface traffic to any *.wikimedia.org or *.wikipedia.org domain:
https://logstash.wikimedia.org/app/dashboards#/view/58c908a0-a394-11ec-bf8e-43f1807d5bc2

Any queries to those two domains (and more) doesn't need to (and shouldn't) go through the Squid proxies are they're internal hosts. See doc on https://wikitech.wikimedia.org/wiki/HTTP_proxy#How-to?

Longer term plans might be to block such traffic flows to prevent configuration mistake at their creation.

Here are the largest offending hosts relevant to Infrastructure Foundations in the last 24h:

build2001.codfw.wmnet.

Various UA:
Debian APT-HTTP/1.3 (1.8.2.3) 1,397
Debian APT-HTTP/1.3 (2.2.4) 526
Debian APT-HTTP/1.3 (1.4.11) 291
Debian APT-HTTP/1.3 (1.8.2.1) 113
Debian APT-HTTP/1.3 (1.8.2.2) 28

Two destinations:
mirrors.wikimedia.org 2,070
apt.wikimedia.org 285

After a chat with @MoritzMuehlenhoff they are from the pbuilder environments
It's not clear how they learn the proxy config, but we should be able to configure the DIRECT keyword for those two domains. See more information about DIRECT in https://www.claudiokuenzler.com/blog/619/apt-behind-proxy-no-proxy-for-some-repositories

Similarly, deploy1002.eqiad.wmnet have calls to the same two destinations.

Lat pattern, the host not relevant as they're provisioning hosts, but UA set to "debian-installer"
Fetching data from:
mirrors.wikimedia.org 162
apt.wikimedia.org 2

Details

SubjectRepoBranchLines +/-
environment: add no_proxy config directly to environmentoperations/puppetproduction+32 -5
docker::baseimages: inject no_proxy config to rebuild joboperations/puppetproduction+10 -1
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 OpenNoneT300977 Maybe restrict domains accessible by webproxy
 ResolvedayounsiT326316 Misconfigured proxies on I/F hosts

Event Timeline

ayounsi created this task.Jan 5 2023, 2:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 5 2023, 2:15 PM
ayounsi added a parent task: T300977: Maybe restrict domains accessible by webproxy.Jan 5 2023, 2:15 PM
Aklapper renamed this task from Missconfigured proxies on I/F hosts to Misconfigured proxies on I/F hosts.Jan 8 2023, 7:00 PM
gerritbot added a comment.Jan 10 2023, 3:02 PM

Change 878063 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] docker::baseimages: inject no_proxy config to rebuild job

https://gerrit.wikimedia.org/r/878063

gerritbot added a project: Patch-For-Review.Jan 10 2023, 3:02 PM
jbond added a comment.Jan 10 2023, 3:22 PM

After a chat with @MoritzMuehlenhoff they are from the pbuilder environments

I took a look at this and the pbuilder environments already go direct however there is a systemd timer debian-weekly-rebuild.service that seems to be responsible for this traffic, CR sent.

Similarly, deploy1002.eqiad.wmnet have calls to the same two destinations.

I didn't see the apt domains for this one but i did see

  • helm-charts.wikimedia.org
  • gerrit.wikimedia.org

Both of theses look like manual user actions possibly would be fixed with https://gerrit.wikimedia.org/r/c/operations/puppet/+/771568/ been rolled out globally

ayounsi added a comment.Jan 11 2023, 7:14 AM

Both of theses look like manual user actions possibly would be fixed with https://gerrit.wikimedia.org/r/c/operations/puppet/+/771568/ been rolled out globally

Only seeing that set of patches now, I left a comment on:
https://gerrit.wikimedia.org/r/c/operations/puppet/+/771411/8#message-232fee2f2106f145e77d72a41219ced4f1b8d120

I don't see any red-flag on rolling it out globally, if there are no blockers, let's draft an email for sre-at-large@ to plan a global roll out?

gerritbot added a comment.Jan 11 2023, 11:01 AM

Change 878063 merged by Jbond:

[operations/puppet@production] docker::baseimages: inject no_proxy config to rebuild job

https://gerrit.wikimedia.org/r/878063

Maintenance_bot removed a project: Patch-For-Review.Jan 11 2023, 11:30 AM
gerritbot added a comment.Jan 11 2023, 12:45 PM

Change 878884 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] environment: add no_proxy config directly to environment

https://gerrit.wikimedia.org/r/878884

gerritbot added a project: Patch-For-Review.Jan 11 2023, 12:45 PM
jbond added a comment.Jan 11 2023, 12:46 PM
In T326316#8515619, @ayounsi wrote:

Both of theses look like manual user actions possibly would be fixed with https://gerrit.wikimedia.org/r/c/operations/puppet/+/771568/ been rolled out globally

Only seeing that set of patches now, I left a comment on:
https://gerrit.wikimedia.org/r/c/operations/puppet/+/771411/8#message-232fee2f2106f145e77d72a41219ced4f1b8d120

I don't see any red-flag on rolling it out globally, if there are no blockers, let's draft an email for sre-at-large@ to plan a global roll out?

i have created a new CR once that is reviewed by you and Moritz ill send an email and plan to roll out globally

gerritbot added a comment.Jan 12 2023, 2:13 PM

Change 878884 merged by Jbond:

[operations/puppet@production] environment: add no_proxy config directly to environment

https://gerrit.wikimedia.org/r/878884

Maintenance_bot removed a project: Patch-For-Review.Jan 12 2023, 2:30 PM
ayounsi closed this task as Resolved.Nov 9 2023, 2:43 PM
ayounsi claimed this task.

Seems fixed now.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL