Page MenuHomePhabricator
Create Task
Maniphest T348851

Add custom HAProxy backend only for healthchecks
Closed, ResolvedPublic
Actions

Description

Currently the L4 LBs sends healtchecks for Varnish through HAProxy "transparently", meaning that HAProxy routes these requests along with the other (non-hc) ones to Varnish.

This could be problematic during high traffic (legitimate or not) as an eventual limit on maximum number of connections towards Varnish will impact the healthcheck requests too, with obvious consequences.

A solution is to use another, dedicated backend on HAProxy just for healthchecks, with a custom ACL to differentiate the traffic.

Implementation notes:

Currently healthchecks sent by PyBal have the following characteristics that should be matched by the HAProxy ACL:

  • Host: healthcheck.wikimedia.org
  • Url: /varnish-fe
  • Source IPv4/IPv6 addr: [depends on the DC]

The ACL and dedicated backend in the HAProxy configuration should be surrounded by a hiera switch to allow a smoother and safer deployment across all cp hosts.

The list of the source IP addresses (L4 LBs) should go into a separate list file for ACL readability and to easily differentiate them per DC.

The change has been currently deployed to:

  • ulsfo
  • eqsin
  • codfw
  • drms
  • eqiad
  • esams

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
haproxy: enable healthcheck-dedicated backend in esamsoperations/puppetproduction+1 -5
haproxy: enable healthcheck-dedicated backend in eqiadoperations/puppetproduction+1 -0
haproxy: enable healthcheck-dedicated backend in drmrsoperations/puppetproduction+1 -0
haproxy: enable healthcheck-dedicated backend in codfwoperations/puppetproduction+1 -0
haproxy: enable healthcheck-dedicated backend in eqsinoperations/puppetproduction+1 -0
haproxy: enable healthcheck-dedicated backend in ulsfooperations/puppetproduction+0 -0
haproxy: enable healthcheck-dedicated backendoperations/puppetproduction+133 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedFabfurT348851 Add custom HAProxy backend only for healthchecks

Event Timeline

Fabfur created this task.Oct 13 2023, 11:57 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 13 2023, 11:57 AM
Vgutierrez added a parent task: Restricted Task.Oct 13 2023, 12:35 PM
Vgutierrez moved this task from Backlog to Scheduled incidental work on the Traffic board.
Fabfur updated the task description. (Show Details)Oct 13 2023, 12:54 PM
gerritbot added a comment.Oct 17 2023, 12:15 PM

Change 966221 had a related patch set uploaded (by Fabfur; author: Fabfur):

[operations/puppet@production] haproxy: start working on healthcheck-dedicated backend

https://gerrit.wikimedia.org/r/966221

gerritbot added a project: Patch-For-Review.Oct 17 2023, 12:15 PM
KOfori moved this task from Scheduled incidental work to Actively Servicing on the Traffic board.Oct 27 2023, 7:06 PM
KOfori removed a project: SRE.
gerritbot added a comment.Nov 2 2023, 3:24 PM

Change 966221 merged by Fabfur:

[operations/puppet@production] haproxy: enable healthcheck-dedicated backend

https://gerrit.wikimedia.org/r/966221

Fabfur added a comment.Nov 2 2023, 3:27 PM

The change is been deployed on cp4037.ulsfo.wmnet as test host, PyBal healthchecks failures will be monitored.

Maintenance_bot removed a project: Patch-For-Review.Nov 2 2023, 3:30 PM
Stashbot added a comment.Nov 2 2023, 3:40 PM

Mentioned in SAL (#wikimedia-operations) [2023-11-02T15:40:10Z] <fabfur> cp4037 repooling with changes for dedicated healthcheck backend (haproxy): https://gerrit.wikimedia.org/r/c/operations/puppet/+/966221/ (T348851)

gerritbot added a comment.Nov 2 2023, 4:20 PM

Change 971228 had a related patch set uploaded (by Fabfur; author: Fabfur):

[operations/puppet@production] haproxy: enable healthcheck-dedicated backend in ulsfo

https://gerrit.wikimedia.org/r/971228

gerritbot added a project: Patch-For-Review.Nov 2 2023, 4:20 PM
gerritbot added a comment.Nov 2 2023, 4:25 PM

Change 971228 merged by Fabfur:

[operations/puppet@production] haproxy: enable healthcheck-dedicated backend in ulsfo

https://gerrit.wikimedia.org/r/971228

Stashbot added a comment.Nov 2 2023, 4:26 PM

Mentioned in SAL (#wikimedia-operations) [2023-11-02T16:26:14Z] <fabfur> haproxy: this change https://gerrit.wikimedia.org/r/c/operations/puppet/+/971228 will be propagated soon to all cp-ulsfo hosts (T348851)

Maintenance_bot removed a project: Patch-For-Review.Nov 2 2023, 4:31 PM
Fabfur added a comment.Nov 2 2023, 5:03 PM

the change has been deployed to all ulsfo cp hosts

Fabfur updated the task description. (Show Details)Nov 6 2023, 9:40 AM
gerritbot added a comment.Nov 6 2023, 9:43 AM

Change 971907 had a related patch set uploaded (by Fabfur; author: Fabfur):

[operations/puppet@production] haproxy: enable healthcheck-dedicated backend in eqsin

https://gerrit.wikimedia.org/r/971907

gerritbot added a project: Patch-For-Review.Nov 6 2023, 9:43 AM
gerritbot added a comment.Nov 6 2023, 10:03 AM

Change 971907 merged by Fabfur:

[operations/puppet@production] haproxy: enable healthcheck-dedicated backend in eqsin

https://gerrit.wikimedia.org/r/971907

Maintenance_bot removed a project: Patch-For-Review.Nov 6 2023, 10:10 AM
gerritbot added a comment.Nov 6 2023, 11:17 AM

Change 971922 had a related patch set uploaded (by Fabfur; author: Fabfur):

[operations/puppet@production] haproxy: enable healthcheck-dedicated backend in codfw

https://gerrit.wikimedia.org/r/971922

gerritbot added a project: Patch-For-Review.Nov 6 2023, 11:17 AM
Fabfur updated the task description. (Show Details)Nov 6 2023, 12:21 PM
gerritbot added a comment.Nov 6 2023, 2:42 PM

Change 971922 merged by Fabfur:

[operations/puppet@production] haproxy: enable healthcheck-dedicated backend in codfw

https://gerrit.wikimedia.org/r/971922

Fabfur updated the task description. (Show Details)Nov 6 2023, 2:46 PM
gerritbot added a comment.Nov 6 2023, 2:54 PM

Change 971966 had a related patch set uploaded (by Fabfur; author: Fabfur):

[operations/puppet@production] haproxy: enable healthcheck-dedicated backend in drmrs

https://gerrit.wikimedia.org/r/971966

gerritbot added a comment.Nov 7 2023, 8:38 AM

Change 971966 merged by Fabfur:

[operations/puppet@production] haproxy: enable healthcheck-dedicated backend in drmrs

https://gerrit.wikimedia.org/r/971966

Fabfur updated the task description. (Show Details)Nov 7 2023, 8:40 AM
gerritbot added a comment.Nov 7 2023, 8:42 AM

Change 972320 had a related patch set uploaded (by Fabfur; author: Fabfur):

[operations/puppet@production] haproxy: enable healthcheck-dedicated backend in eqiad

https://gerrit.wikimedia.org/r/972320

gerritbot added a comment.Nov 7 2023, 9:34 AM

Change 972320 merged by Fabfur:

[operations/puppet@production] haproxy: enable healthcheck-dedicated backend in eqiad

https://gerrit.wikimedia.org/r/972320

Fabfur updated the task description. (Show Details)Nov 7 2023, 9:39 AM
gerritbot added a comment.Nov 7 2023, 9:44 AM

Change 972336 had a related patch set uploaded (by Fabfur; author: Fabfur):

[operations/puppet@production] haproxy: enable healthcheck-dedicated backend in esams

https://gerrit.wikimedia.org/r/972336

gerritbot added a comment.Nov 7 2023, 10:32 AM

Change 972336 merged by Fabfur:

[operations/puppet@production] haproxy: enable healthcheck-dedicated backend in esams

https://gerrit.wikimedia.org/r/972336

Fabfur closed this task as Resolved.Nov 7 2023, 10:32 AM
Fabfur updated the task description. (Show Details)
Maintenance_bot removed a project: Patch-For-Review.Nov 7 2023, 11:10 AM
Fabfur mentioned this in T349287: HAProxy should use a single backend for Vanish.Nov 7 2023, 11:15 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits