Page MenuHomePhabricator
Create Task
Maniphest T344998

Wikifunctions functions that require a lookup on wikifunctions.org timing out in the orchestrator, UX instead showing 'http'
Closed, ResolvedPublicPRODUCTION ERROR
Actions

Description

Steps to replicate the issue (include links if applicable):

  • visit any function on Wikifunctions that doesn't have a connected built in implentation (e.g. Z10000)
  • enter any input(s)
  • click "Run function"
  • wait while the function runs (which seems to be taking an abnormaly long time)

What happens?:
Where the output of the function should be (underneath "Result"), only the text "http" is displayed. The normal "Details" link is not present, nor is the drop down ">" button that is normally next to the output.

What should have happened instead?:
The actual output of the function should have been displayed, along with the afformentioned "Details" link and drop down ">" button.

Software version (skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.): I'm using Firefox version 116.0.3. The issue is also occuring on Edge version 116.0.1938.54. I think (although I may be misremembering) that the last function (without a built in implementation) I was able to succesfully run did return "http" as its (correct) output. That would have been yesterday. Functions with a connected built in implementation work as expected.

Z10237:

image.png (365×242 px, 9 KB)

Z10018:

image.png (322×363 px, 7 KB)

Details

SubjectRepoBranchLines +/-
wikifunctions: Switch all clusters to use the service meshoperations/deployment-chartsmaster+5 -8
wikifunctions: Enable/Use service-mesh to reach mw-apioperations/deployment-chartsmaster+13 -0
Re-apply "Fix wikifunctions orchestrator not using the service mesh"operations/deployment-chartsmaster+7 -0
Fix wikifunctions orchestrator not using the service meshoperations/deployment-chartsmaster+7 -0
Re-apply "admin_ng: Disable GlobalNetworkPolicy allow rules for wikifunctions"operations/deployment-chartsmaster+4 -4
Re-apply "wikifunctions: Fix networkpolicies"operations/deployment-chartsmaster+28 -63
Revert "admin_ng: Disable GlobalNetworkPolicy allow rules for wikifunctions"operations/deployment-chartsmaster+5 -5
Revert "wikifunctions: Fix networkpolicies"operations/deployment-chartsmaster+12 -82
wikifunctions: Bump evaluator to 2023-08-08-220047operations/deployment-chartsmaster+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bongo50 created this task.Aug 25 2023, 3:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 25 2023, 3:58 PM
Bongo50 updated the task description. (Show Details)Aug 25 2023, 4:00 PM
Bongo50 added a subscriber: Abstract Wikipedia team.Aug 25 2023, 4:26 PM
Maintenance_bot added a project: Abstract Wikipedia team.Aug 25 2023, 4:30 PM
Jdforrester-WMF renamed this task from Wikifunctions functions that use non-built in implementations return 'http' regardless of the input. to Wikifunctions functions that call the evaluator are all getting no response, UX instead showing 'http'.Aug 25 2023, 5:38 PM
Jdforrester-WMF triaged this task as Unbreak Now! priority.
Jdforrester-WMF subscribed.

No recent changes to the service (no deploys in a couple of weeks), and it's working fine in staging, but can confirm.

Jdforrester-WMF changed the subtype of this task from "Bug Report" to "Production Error".Aug 25 2023, 5:43 PM
Restricted Application added a project: Wikimedia-production-error. · View Herald TranscriptAug 25 2023, 5:43 PM
gerritbot added a comment.Aug 25 2023, 6:07 PM

Change 952434 had a related patch set uploaded (by Jforrester; author: Jforrester):

[operations/deployment-charts@master] Revert "wikifunctions: Fix networkpolicies"

https://gerrit.wikimedia.org/r/952434

gerritbot added a project: Patch-For-Review.Aug 25 2023, 6:07 PM

Change 952484 had a related patch set uploaded (by Jforrester; author: Jforrester):

[operations/deployment-charts@master] wikifunctions: Bump evaluator to 2023-08-08-220047

https://gerrit.wikimedia.org/r/952484

gerritbot added a comment.Aug 25 2023, 6:10 PM

Change 952484 merged by jenkins-bot:

[operations/deployment-charts@master] wikifunctions: Bump evaluator to 2023-08-08-220047

https://gerrit.wikimedia.org/r/952484

gerritbot added a comment.Aug 25 2023, 6:21 PM

Change 952434 merged by jenkins-bot:

[operations/deployment-charts@master] Revert "wikifunctions: Fix networkpolicies"

https://gerrit.wikimedia.org/r/952434

Maintenance_bot removed a project: Patch-For-Review.Aug 25 2023, 6:30 PM
Jdforrester-WMF added a comment.Aug 25 2023, 6:31 PM

Possibly also caused by https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/950189/ ?

gerritbot added a comment.Aug 25 2023, 6:35 PM

Change 952435 had a related patch set uploaded (by Jforrester; author: Jforrester):

[operations/deployment-charts@master] Revert "admin_ng: Disable GlobalNetworkPolicy allow rules for wikifunctions"

https://gerrit.wikimedia.org/r/952435

gerritbot added a project: Patch-For-Review.Aug 25 2023, 6:35 PM
gerritbot added a comment.Aug 25 2023, 6:42 PM

Change 952435 merged by jenkins-bot:

[operations/deployment-charts@master] Revert "admin_ng: Disable GlobalNetworkPolicy allow rules for wikifunctions"

https://gerrit.wikimedia.org/r/952435

gerritbot added a comment.Aug 25 2023, 6:52 PM

Change 952436 had a related patch set uploaded (by Jforrester; author: Jforrester):

[operations/deployment-charts@master] Re-apply "wikifunctions: Fix networkpolicies"

https://gerrit.wikimedia.org/r/952436

gerritbot added a comment.Aug 25 2023, 6:53 PM

Change 952437 had a related patch set uploaded (by Jforrester; author: Jforrester):

[operations/deployment-charts@master] Re-apply "admin_ng: Disable GlobalNetworkPolicy allow rules for wikifunctions"

https://gerrit.wikimedia.org/r/952437

Jdforrester-WMF added projects: SRE, serviceops.Aug 25 2023, 6:57 PM

Unfortunately at this point I'm out of ideas as to what's causing the issue.

Ameisenigel removed a subscriber: Abstract Wikipedia team.Aug 25 2023, 8:30 PM
elukey subscribed.Aug 26 2023, 7:27 AM

@Jdforrester-WMF Hi! I am ignorant about Wikifunctions so please be patient, but I have a question about the reverts: I see that https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/952435 was reverted (again) since it didn't fix things, but how did you apply it? The admin_ng stuff requires SRE priviledges, not a regular deployment to the target application's namespace. Have you done it before? (curious because I saw only SREs handling that up to now).

On the logs front - in the logstash dashboard for k8s I noticed some occurrences of this error:

https://logstash.wikimedia.org/app/discover#/doc/logstash-*/logstash-k8s-1-7.0.0-1-2023.08.26?id=aGNkMIoBt3kDdlqnHU9y

Call tuples failed in returnOnFirstError. Error: FetchError: request to https://api-rw.discovery.wmnet/w/api.php?action=wikilambda_fetch&format=json&zids=Z10000 failed, reason: connect ETIMEDOUT 10.2.2.22:443.

I checked with nsenter and the pod cannot reach api-rw, and afaics it is not configured to use the envoy tls proxy. Maybe we are simply missing an egress rule?

Moreover - is there anything in the logs that could explain what is happening? I feel that reverting and re-applying changes may lead to false positive results (see the admin_ng one).

RhinosF1 subscribed.Aug 26 2023, 7:53 AM
Envlh subscribed.Aug 26 2023, 10:18 AM
elukey added a comment.Aug 28 2023, 5:56 AM

Answering to myself - I see in admin_ng that https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/952435/ is still to be applied:

kube-system, allow-uncached-api, GlobalNetworkPolicy (crd.projectcalico.org) has changed:
  # Source: calico/templates/globalnetworkpolicy.yaml
  apiVersion: crd.projectcalico.org/v1
  kind: GlobalNetworkPolicy
  metadata:
    name: allow-uncached-api            <<<<===================
    labels:
      helm.sh/chart: calico-0.2.10
      app.kubernetes.io/name: calico
      app.kubernetes.io/instance: calico
      app.kubernetes.io/version: "3.23.3"
      app.kubernetes.io/managed-by: Helm
  spec:
    egress:
    - action: Allow
      destination:
        nets:
        - 10.2.2.22/32
        - 10.2.1.22/32
        ports:
        - 80
        - 443
      protocol: TCP
-   namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system",
-     "wikifunctions"}
+   namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name != "kube-system"

Summary:

Reverts merged:

gerritbot added a comment.Aug 28 2023, 7:26 AM

Change 952436 merged by jenkins-bot:

[operations/deployment-charts@master] Re-apply "wikifunctions: Fix networkpolicies"

https://gerrit.wikimedia.org/r/952436

gerritbot added a comment.Aug 28 2023, 7:41 AM

Change 952782 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Fix wikifunctions orchestrator not using the service mesh

https://gerrit.wikimedia.org/r/952782

gerritbot added a comment.Aug 28 2023, 8:15 AM

Change 952437 merged by jenkins-bot:

[operations/deployment-charts@master] Re-apply "admin_ng: Disable GlobalNetworkPolicy allow rules for wikifunctions"

https://gerrit.wikimedia.org/r/952437

JMeybohm lowered the priority of this task from Unbreak Now! to High.Aug 28 2023, 8:20 AM
JMeybohm subscribed.

Thanks @elukey for stepping in!

I did deploy those changes last week and the tests described in https://wikitech.wikimedia.org/wiki/Wikifunctions/Runbook where okay, so I was confident that I did not break anything. The orchestrator is obviously connecting to mw-api directly, which it is not supposed to do. Those connections need to go through the service mesh.
I drafted a change here https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/952782 although I think this won't work as is as you will probably have to provide the correct host header (api-rw.discovery.wmnet) for the calls.

I have temporarily allowed direct access to mw-api again to unblock this.

JMeybohm removed a project: SRE.Aug 28 2023, 8:20 AM
elukey added a comment.Aug 28 2023, 8:33 AM

Tested the use case outlined in the task's description, all works now!

jijiki subscribed.Aug 28 2023, 10:10 AM

@Jdforrester-WMF it will be extremely useful for the future to improve wikifunction's observability, for instance, there were logs emitted to logstash which logged that specific problem, and would be visible with a better curated dashboard.

wikifunctions logstash

request to https://api-rw.discovery.wmnet/w/api.php?action=wikilambda_fetch&format=json&zids=Z10618 failed, reason: connect ETIMEDOUT 10.2.2.22:443
Jdforrester-WMF added a comment.Aug 28 2023, 1:48 PM
In T344998#9122506, @JMeybohm wrote:

Thanks @elukey for stepping in!

I did deploy those changes last week and the tests described in https://wikitech.wikimedia.org/wiki/Wikifunctions/Runbook where okay, so I was confident that I did not break anything.

Yeah, sorry about this. In this case the problem was not apparent when making curl requests from the deployment server, but were when coming from the MW cluster; presumably there are extra rights bundled along with those somehow?

The primary service alerting would have spotted this issue, but I'd not written it yet because of other tasks.

The orchestrator is obviously connecting to mw-api directly, which it is not supposed to do. Those connections need to go through the service mesh.
I drafted a change here https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/952782 although I think this won't work as is as you will probably have to provide the correct host header (api-rw.discovery.wmnet) for the calls.

I have temporarily allowed direct access to mw-api again to unblock this.

Thanks! Given that we can't test from the command line against staging, do you know if we could make sure that the call is working without a full deploy? We're setting the Host: wikifunctions.org header in the service (and have been since last month); is that sufficient?

In T344998#9122893, @jijiki wrote:

@Jdforrester-WMF it will be extremely useful for the future to improve wikifunction's observability, for instance, there were logs emitted to logstash which logged that specific problem, and would be visible with a better curated dashboard.

wikifunctions logstash

request to https://api-rw.discovery.wmnet/w/api.php?action=wikilambda_fetch&format=json&zids=Z10618 failed, reason: connect ETIMEDOUT 10.2.2.22:443

Which specific problem? The link you've provided is showing the ETIMEDOUT in logstash; do you mean a different message? Log it to a different channel?

JMeybohm added a comment.Aug 28 2023, 2:25 PM
In T344998#9123566, @Jdforrester-WMF wrote:
In T344998#9122506, @JMeybohm wrote:

Thanks @elukey for stepping in!

I did deploy those changes last week and the tests described in https://wikitech.wikimedia.org/wiki/Wikifunctions/Runbook where okay, so I was confident that I did not break anything.

Yeah, sorry about this. In this case the problem was not apparent when making curl requests from the deployment server, but were when coming from the MW cluster; presumably there are extra rights bundled along with those somehow?

No. I think the code is doing something different when called from mediawiki instead of curl. The issue clearly is that with the curl command the orchestrator does not call back to mw-api.

In T344998#9123566, @Jdforrester-WMF wrote:

Thanks! Given that we can't test from the command line against staging, do you know if we could make sure that the call is working without a full deploy? We're setting the Host: wikifunctions.org header in the service (and have been since last month); is that sufficient?

As said above I think you should be able to test from the command line against staging (with the correct request).
I would assume setting the header that way works as you already send it to the mw-api discovery endpoint (although I wonder what you have WIKI_VIRTUAL_HOST defined for in the charts environment variables). Please see https://wikitech.wikimedia.org/wiki/Envoy#Use_a_listener on general instructions how to use the service mesh listener. Setting a proper user-agent would also be a good idea I suppose.

Jdforrester-WMF renamed this task from Wikifunctions functions that call the evaluator are all getting no response, UX instead showing 'http' to Wikifunctions functions that require a lookup on wikifunctions.org timing out in the orchestrator, UX instead showing 'http'.Aug 28 2023, 3:22 PM
Jdforrester-WMF moved this task from To triage to Verify in production on the Abstract Wikipedia team board.
Jdforrester-WMF claimed this task.Aug 28 2023, 8:02 PM
akosiaris subscribed.Aug 29 2023, 2:24 PM
gerritbot added a comment.Aug 29 2023, 4:14 PM

Change 952782 merged by jenkins-bot:

[operations/deployment-charts@master] Fix wikifunctions orchestrator not using the service mesh

https://gerrit.wikimedia.org/r/952782

Maintenance_bot removed a project: Patch-For-Review.Aug 29 2023, 4:30 PM
gerritbot added a comment.Aug 29 2023, 4:35 PM

Change 953212 had a related patch set uploaded (by Jforrester; author: Jforrester):

[operations/deployment-charts@master] Re-apply "Fix wikifunctions orchestrator not using the service mesh"

https://gerrit.wikimedia.org/r/953212

gerritbot added a project: Patch-For-Review.Aug 29 2023, 4:35 PM
thcipriani moved this task from Untriaged to Aug 2023 on the Wikimedia-production-error board.Aug 31 2023, 3:46 PM
JMeybohm mentioned this in T346264: Improve wikifunctions logging.Sep 13 2023, 4:59 PM
Clement_Goubert moved this task from Incoming 🐫 to 🌻Mediawiki on the serviceops board.Sep 18 2023, 11:33 AM
gerritbot added a comment.Sep 25 2023, 2:28 PM

Change 953212 merged by jenkins-bot:

[operations/deployment-charts@master] Re-apply "Fix wikifunctions orchestrator not using the service mesh"

https://gerrit.wikimedia.org/r/953212

Maintenance_bot removed a project: Patch-For-Review.Sep 25 2023, 2:31 PM
Jdforrester-WMF added a comment.Sep 25 2023, 2:43 PM

I re-deployed after we moved to the version of the image with the wmf-certificates package, but it still errored in production but worked in staging.

curl https://wikifunctions.discovery.wmnet:30443/1/v1/evaluate/ -X POST --data '{"zobject":{"Z1K1":"Z7","Z7K1":"Z10000","Z10000K1":"foo","Z10000K2":"bar"},"doValidate":false}' --header "Content-type: application/json"

{"Z1K1":"Z22","Z22K1":"Z24","Z22K2":{"Z1K1":{"Z1K1":"Z7","Z7K1":"Z883","Z883K1":"Z6","Z883K2":"Z1"},"K1":[{"Z1K1":"Z7","Z7K1":"Z882","Z882K1":"Z6","Z882K2":"Z1"},{"Z1K1":{"Z1K1":"Z7","Z7K1":"Z882","Z882K1":"Z6","Z882K2":"Z1"},"K1":"errors","K2":{"Z1K1":"Z5","Z5K1":"Z507","Z5K2":{"Z1K1":{"Z1K1":"Z7","Z7K1":"Z885","Z885K1":"Z507"},"Z507K1":{"Z1K1":"Z99","Z99K1":{"Z1K1":"Z7","Z7K1":"Z10000","Z10000K1":"foo","Z10000K2":"bar"}},"Z507K2":{"Z1K1":"Z99","Z99K1":{"Z1K1":{"Z1K1":"Z9","Z9K1":"Z5"},"Z5K1":{"Z1K1":"Z9","Z9K1":"Z500"},"Z5K2":{"Z1K1":{"Z1K1":{"Z1K1":"Z9","Z9K1":"Z7"},"Z7K1":{"Z1K1":"Z9","Z9K1":"Z885"},"Z885K1":{"Z1K1":"Z9","Z9K1":"Z500"}},"Z500K1":"Call tuples failed in returnOnFirstError. Error: FetchError: invalid json response body at http://localhost:6501/w/api.php?action=wikilambda_fetch&format=json&zids=Z10000 reason: Unexpected token u in JSON at position 0."}}}}}},{"Z1K1":{"Z1K1":"Z7","Z7K1":"Z882","Z882K1":"Z6","Z882K2":"Z1"},"K1":"orchestrationMemoryUsage","K2":"131.94 MiB"},{"Z1K1":{"Z1K1":"Z7","Z7K1":"Z882","Z882K1":"Z6","Z882K2":"Z1"},"K1":"orchestrationCpuUsage","K2":"5.903 ms"},{"Z1K1":{"Z1K1":"Z7","Z7K1":"Z882","Z882K1":"Z6","Z882K2":"Z1"},"K1":"orchestrationStartTime","K2":"2023-09-25T14:35:20.453Z"},{"Z1K1":{"Z1K1":"Z7","Z7K1":"Z882","Z882K1":"Z6","Z882K2":"Z1"},"K1":"orchestrationEndTime","K2":"2023-09-25T14:35:20.708Z"},{"Z1K1":{"Z1K1":"Z7","Z7K1":"Z882","Z882K1":"Z6","Z882K2":"Z1"},"K1":"orchestrationDuration","K2":"255 ms"},{"Z1K1":{"Z1K1":"Z7","Z7K1":"Z882","Z882K1":"Z6","Z882K2":"Z1"},"K1":"orchestrationHostname","K2":"function-orchestrator-main-orchestrator-84bf7bd68f-fgspt"}]}}

Again, it worked in staging. Clearly there's a config difference in the mesh that means we can't use it to verify before rolling out to user-facing prod.

Jdforrester-WMF mentioned this in T347397: Migrate functions-orchestrator service to mw-api-int.Sep 26 2023, 12:45 PM
gerritbot added a comment.Sep 26 2023, 12:46 PM

Change 961099 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] wikifunctions: Enable/Use service-mesh to reach mw-api

https://gerrit.wikimedia.org/r/961099

gerritbot added a project: Patch-For-Review.Sep 26 2023, 12:46 PM
gerritbot added a comment.Sep 26 2023, 12:57 PM

Change 961099 merged by jenkins-bot:

[operations/deployment-charts@master] wikifunctions: Enable/Use service-mesh to reach mw-api

https://gerrit.wikimedia.org/r/961099

Maintenance_bot removed a project: Patch-For-Review.Sep 26 2023, 1:10 PM
gerritbot added a comment.Sep 26 2023, 1:28 PM

Change 961108 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] wikifunctions: Switch all clusters to use the service mesh

https://gerrit.wikimedia.org/r/961108

gerritbot added a project: Patch-For-Review.Sep 26 2023, 1:28 PM
gerritbot added a comment.Sep 26 2023, 1:32 PM

Change 961108 merged by jenkins-bot:

[operations/deployment-charts@master] wikifunctions: Switch all clusters to use the service mesh

https://gerrit.wikimedia.org/r/961108

Maintenance_bot removed a project: Patch-For-Review.Sep 26 2023, 2:11 PM
Etonkovidova closed this task as Resolved.Oct 11 2023, 9:38 PM
Etonkovidova subscribed.

Checked all examples in the task ( Z10000, Z10018, and Z10237) in wikifunctions wmf.30 - all results displayed correctly.

Jdforrester-WMF added a parent task: T343458: Allow logged-out users to run (community-approved) implementations on wikifunctions.org via the `wikilambda-execute` right.Oct 12 2023, 4:34 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL