sre.discovery.datacenter should handle depooled dnsbox hosts
Open, LowPublic
Actions

Assigned To

None

Authored By

	Scott_French
	Sep 20 2024, 4:43 PM

Description

Background

This is a follow-up from discussion on https://gerrit.wikimedia.org/r/1072612 and is closely related to the T375014.

In short, for each service operated on, the sre.discovery.datacenter cookbook polls all authdns servers to validate the expected state is returned, before then flushing the discovery record from all recursors.

We should make these operations aware of the conftool pooled-state of the dnsbox hosts, otherwise a host that is unavailable (but depooled) for maintenance would cause either operation to fail. Specifically:

When polling, we should ignore-but-warn when resolution fails or stale state is returned by a depooled host.
When flushing, we should ignore-but-warn when the remote command to flush fails for a depooled host.

Where this connects back to T375014 is that there's a lot of overlap between what we need in order to achieve the above and what spicerack might consider supporting (and what we could then adopt).

In addition, there's also a lot of overlap between logic that exists in spicerack.dnsdisc.Discovery and sre.discovery.datacenter that we can potentially deduplicate in this process (e.g., resolve_with_client_ip and Discovery.resolve_with_client_ip) if indeed we want similar behavior.

Current status

As of January 2026, the current plan is wait for some form of functionality for listing only pooled dnsbox hosts in Spicerack (T375014), and then once that lands, integrate it into sre.discovery.datacenter to implement the functionality described above for the polling and flushing cases.

Alternatively, we could revive the work in https://gerrit.wikimedia.org/r/c/operations/cookbooks/+/1074551, which implements that functionality directly.

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	sre.discovery.datacenter: restrict checks to active authdns hosts	operations/cookbooks	master	+55 -13
	sre.discovery.datacenter: handle depooled dnsboxen	operations/cookbooks	master	+68 -20

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Open		None	T375285 sre.discovery.datacenter should handle depooled dnsbox hosts
		Open		None	T375014 Support listing pooled / active authdns hosts (rather than all)

Event Timeline

Scott_French created this task.Sep 20 2024, 4:43 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 20 2024, 4:43 PM

Change #1073524 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/cookbooks@master] sre.discovery.datacenter: restrict checks to active authdns hosts

https://gerrit.wikimedia.org/r/1073524

gerritbot added a project: Patch-For-Review.Sep 20 2024, 4:46 PM

Scott_French mentioned this in T374047: Pre-switchover cookbook testing.Sep 20 2024, 4:49 PM

Change #1074551 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/cookbooks@master] sre.discovery.datacenter: handle depooled dnsboxen

https://gerrit.wikimedia.org/r/1074551

If this is not super urgent, do you think it could wait an "upstream" solution in spicerack as discussed in T375014?

@Volans - Yes, in fact that would be ideal. I went ahead and drafted https://gerrit.wikimedia.org/r/1074551 mainly to sketch out the specific behaviors we're looking for in sre.discovery.datacenter, but that patch should be able to easily adapt to the conftool-aware accessors in spicerack once they're ready. Thanks!

@Blake @Scott_French could you assess what part of this is still valid (please edit the description) and see what we can schedule this quarter?

MLechvien-WMF reassigned this task from Scott_French to Blake.Mon, Jan 19, 4:57 PM

MLechvien-WMF edited projects, added ServiceOps new; removed serviceops.

MLechvien-WMF moved this task from Inbox to Needs Info / Blocked on the ServiceOps new board.

From what I can see in the linked tickets, it looks like there are 2 relevant, outstanding patches. Scott's makes the pooled-state check in the cookbook, and Riccardo's makes the check as part of a new Spicerack accessor.

It sounds like the consensus is that the completion Riccardo's patch is the long-term path forward, so it's not clear to me that there's outstanding Serviceops work here at the moment (unless it's urgent that we finish Scott's patch to have an interim solution deployed).

Makes sense, then I'll close this one as duplicate of https://phabricator.wikimedia.org/T375014 and follow up on the other ticket. @Scott_French or @Blake feel free to reopen if you disagree

MLechvien-WMF closed this task as a duplicate of T375014: Support listing pooled / active authdns hosts (rather than all).Tue, Jan 20, 10:21 AM

Reopening, since we'll likely need to make changes to sre.discovery.datacenter to adopt the functionality discussed in T375014 once it lands in Spicerack. I'm making that dependency explicit now, and will update the description shortly.

Scott_French added a subtask: T375014: Support listing pooled / active authdns hosts (rather than all).Wed, Jan 21, 7:54 PM

Triaging as "Low" since, in practice, the main issue we've run into historically is DNS hosts that do not respond at all, which is (now) addressed by setting proper query timeouts. Also moving to backlog.

Scott_French moved this task from Needs Info / Blocked to Backlog on the ServiceOps new board.Wed, Jan 21, 7:57 PM

Scott_French renamed this task from sre.discovery.datacenter should handle depooled authdns hosts to sre.discovery.datacenter should handle depooled dnsbox hosts.Wed, Jan 21, 8:06 PM

Scott_French updated the task description. (Show Details)

Change #1073524 abandoned by Scott French:

[operations/cookbooks@master] sre.discovery.datacenter: restrict checks to active authdns hosts

Reason:

Only addresses the authdns polling case, not recdns flush case. See I67e2f950631c2ed53fab9fb022ca7d27a6467315 for an alternative.