Provide a ferm based alternative to tcp-mss-clamper
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Vgutierrez
	May 23 2024, 9:42 AM

Description

tcp-mss-clamper works great but has some limitations that could be avoided by using ferm on realservers where it's available. Our current puppezation profile::lvs::realserver::ipip is already firewall aware (only adding certain ferm rules if ferm is present) so switching between tcp-mss-clamper or ferm based MSS clamping should be feasible

Details

Subject	Repo	Branch	Lines +/-
lvs: Deploy node_ferm_mss exporter on ferm based realservers	operations/puppet	production	+5 -0
realserver::ipip: Fix ferm MSS clamping rule	operations/puppet	production	+2 -2
lvs::realserver::ipip: Provide ferm MSS clamping support	operations/puppet	production	+42 -5

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
In Progress	Vgutierrez	T332027 Replace current L4LB with with Katran-based alternative
Resolved	Vgutierrez	T365689 Provide a ferm based alternative to tcp-mss-clamper
Open	CDobbins	T367204 LVSRealserverMSS alert is broken for ferm based hosts

Event Timeline

Vgutierrez created this task.May 23 2024, 9:42 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 23 2024, 9:42 AM

MoritzMuehlenhoff subscribed.May 23 2024, 9:43 AM

Change #1035724 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] lvs::realserver::ipip: Provide ferm MSS clamping support

https://gerrit.wikimedia.org/r/1035724

gerritbot added a project: Patch-For-Review.May 24 2024, 8:20 AM

Mentioned in SAL (#wikimedia-operations) [2024-06-11T13:06:30Z] <vgutierrez> disable puppet on A:ncredir before merging https://gerrit.wikimedia.org/r/c/operations/puppet/+/1035724 - T365689

Change #1035724 merged by Vgutierrez:

[operations/puppet@production] lvs::realserver::ipip: Provide ferm MSS clamping support

https://gerrit.wikimedia.org/r/1035724

Mentioned in SAL (#wikimedia-operations) [2024-06-11T13:15:58Z] <vgutierrez> depool ncredir6001 - T365689

Maintenance_bot removed a project: Patch-For-Review.Jun 11 2024, 1:31 PM

Change #1041645 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] realserver::ipip: Fix ferm MSS clamping rule

https://gerrit.wikimedia.org/r/1041645

gerritbot added a project: Patch-For-Review.Jun 11 2024, 1:33 PM

Mentioned in SAL (#wikimedia-operations) [2024-06-11T13:36:54Z] <vgutierrez> repool ncredir6001 - T365689

Change #1041645 merged by Vgutierrez:

[operations/puppet@production] realserver::ipip: Fix ferm MSS clamping rule

https://gerrit.wikimedia.org/r/1041645

Mentioned in SAL (#wikimedia-operations) [2024-06-11T13:45:34Z] <vgutierrez> rolling switch from tcp-mss-clamper to ferm based MSS clamping on A:ncredir - T365689

Maintenance_bot removed a project: Patch-For-Review.Jun 11 2024, 2:31 PM

ferm based MSS clamping is live on ncredir cluster

Vgutierrez mentioned this in T365616: Consider migrating Search Platform-owned clusters to IPIP encapsulation (LVS).Jun 11 2024, 3:59 PM

Change #1099792 had a related patch set uploaded (by CDobbins; author: CDobbins):

[operations/puppet@production] lvs: add prometheus::node_ferm_mss to ipip.pp

https://gerrit.wikimedia.org/r/1099792

gerritbot added a project: Patch-For-Review.Dec 2 2024, 8:31 PM

Change #1099792 merged by CDobbins:

[operations/puppet@production] lvs: Deploy node_ferm_mss exporter on ferm based realservers

https://gerrit.wikimedia.org/r/1099792

Maintenance_bot removed a project: Patch-For-Review.Dec 5 2024, 7:30 PM

Provide a ferm based alternative to tcp-mss-clamperClosed, ResolvedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

Provide a ferm based alternative to tcp-mss-clamper
Closed, ResolvedPublic
Actions

Related Objects
Search...