Page MenuHomePhabricator
Create Task
Maniphest T355686

Configure mesh listeners to allow IPv6 localhost (::) as well as IPv4 (127.0.0.1)
Closed, DuplicatePublic
Actions

Description

A few times services have been caught out by the Node 16 -> 18 upgrade changing the default IP version from 4 to 6, which then errors out with ECONNREFUSED:

Could we add :: to the default allow list?
Could we configure envoy listeners for dual-stack binding?

Details

SubjectRepoBranchLines +/-
wikifunctions: Add mesh.configuration in package.jsonoperations/deployment-chartsmaster+66 -31
cxserver: Bump mesh.configuration to 1.7operations/deployment-chartsmaster+134 -84
rec-api: Bump mesh.configuration to 1.7operations/deployment-chartsmaster+122 -76
eventstreams: Bump mesh.configuration to 1.7operations/deployment-chartsmaster+123 -85
Customize query in gerrit

Related Objects

Event Timeline

Jdforrester-WMF created this task.Jan 23 2024, 3:49 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 23 2024, 3:49 PM
Lucas_Werkmeister_WMDE subscribed.Jan 23 2024, 3:50 PM
Clement_Goubert subscribed.EditedJan 23 2024, 4:28 PM

At the moment, we are binding only to 127.0.0.1 for listeners, which forces IPv4 only.

According to envoy's SocketAddress doc, we would need to bind to :: and set ipv4_compat: true in order to support dual stack.

As far as I understand, communication inside a pod on localhost addresses, no matter the stack, are not affected by networkpolicies.

I've updated the task description to match the work needed :)

Clement_Goubert renamed this task from Adjust general (mesh?) security rules to allow IPv6 localhost (::) as well as IPv4 (127.0.0.1) to Configure mesh listeners to allow IPv6 localhost (::) as well as IPv4 (127.0.0.1).Jan 23 2024, 4:34 PM
Clement_Goubert triaged this task as Medium priority.
Clement_Goubert updated the task description. (Show Details)
Lucas_Werkmeister_WMDE mentioned this in T355685: Migrate Termbox SSR from Node 16 to 18.Jan 26 2024, 3:01 PM
akosiaris subscribed.Jan 26 2024, 3:19 PM
In T355686#9481762, @Clement_Goubert wrote:

At the moment, we are binding only to 127.0.0.1 for listeners, which forces IPv4 only.

According to envoy's SocketAddress doc, we would need to bind to :: and set ipv4_compat: true in order to support dual stack.

Let's avoid ipv4_compat: true please. It can be a mess. Look at T255568 about a long discussion regarding this. The proper way is to listen on both address families (dual-stack binding), effectively (and unfortunately, but that's how envoy works) duplicating the configuration. I 've followed that approach already in that task, admittedly for a subset of our envoy installations.

As far as I understand, communication inside a pod on localhost addresses, no matter the stack, are not affected by networkpolicies.

Absolutely correct.

Clement_Goubert closed this task as a duplicate of T255568: Envoy should listen on ipv6 and ipv4.Jan 29 2024, 11:37 AM
gerritbot added a comment.Feb 14 2024, 8:31 AM

Change 1003368 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/deployment-charts@master] eventstreams: Bump mesh.configuration to 1.7

https://gerrit.wikimedia.org/r/1003368

gerritbot added a project: Patch-For-Review.Feb 14 2024, 8:31 AM

Change 1003369 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/deployment-charts@master] cxserver: Bump mesh.configuration to 1.7

https://gerrit.wikimedia.org/r/1003369

gerritbot added a comment.Feb 14 2024, 9:43 AM

Change 1003376 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/deployment-charts@master] rec-api: Bump mesh.configuration to 1.7

https://gerrit.wikimedia.org/r/1003376

gerritbot added a comment.Feb 14 2024, 9:43 AM

Change 1003377 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/deployment-charts@master] wikifunctions: Add mesh.configuration in package.json

https://gerrit.wikimedia.org/r/1003377

gerritbot added a comment.Feb 14 2024, 9:48 AM

Change 1003368 merged by jenkins-bot:

[operations/deployment-charts@master] eventstreams: Bump mesh.configuration to 1.7

https://gerrit.wikimedia.org/r/1003368

gerritbot added a comment.Feb 14 2024, 11:06 AM

Change 1003376 merged by jenkins-bot:

[operations/deployment-charts@master] rec-api: Bump mesh.configuration to 1.7

https://gerrit.wikimedia.org/r/1003376

akosiaris added a comment.Feb 14 2024, 11:06 AM

I 've posted changes to revert the hardcoded of localhost to 127.0.0.1. I 've already deployed eventstreams and recommendation-api changes since Luca isn't currently around. cxserver and function-orchestrator devs have been added to the other 2 changes.

gerritbot added a comment.Feb 15 2024, 9:35 AM

Change 1003377 merged by jenkins-bot:

[operations/deployment-charts@master] wikifunctions: Add mesh.configuration in package.json

https://gerrit.wikimedia.org/r/1003377

gerritbot added a comment.Feb 15 2024, 2:50 PM

Change 1003369 merged by jenkins-bot:

[operations/deployment-charts@master] cxserver: Bump mesh.configuration to 1.7

https://gerrit.wikimedia.org/r/1003369

Maintenance_bot removed a project: Patch-For-Review.Feb 15 2024, 3:30 PM
Stashbot mentioned this in T255568: Envoy should listen on ipv6 and ipv4.Feb 20 2024, 12:04 PM

Mentioned in SAL (#wikimedia-operations) [2024-02-20T12:04:12Z] <kart_> cxserver: Update to 2024-02-15-085232-production + Bump mesh.configuration to 1.7 (T333969, T352747, T355686, T255568)

Stashbot mentioned this in T333969: Enable Opus models for languages lacking other Machine Translation options.Feb 20 2024, 12:04 PM
Stashbot mentioned this in T352747: Google is not listed as an option for Norwegian.
Lucas_Werkmeister_WMDE unsubscribed.Feb 20 2024, 2:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL