Page MenuHomePhabricator
Create Task
Maniphest T379599

Reevaluate the requirement for dedicated sessionstore/kask nodes in wikikube clusters
Closed, ResolvedPublic
Actions

Description

We're currently dedicating 4 nodes (ganeti VMs with 15 vCPUs and 5GB memory each) per DC to run only sessionstore/kask.

AIUI the initial reasoning was that the services does process PII and, during the early days of kubernetes adoption, we felt the need for increased isolation by not running it side-by-side with other containers.
With most of our services now running on kubernetes, the higher level of confidence and the improved tooling around it it might be time to revisit this decision. Removing this snowflake would reduce complexity and a point of failure (which already caused an outage at least once).

I could not find documentaion about the decision process to run on dedicated nodes. If somebody happens to recall details, please share.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Decom kubernetes[12]0[01][56] dedicates sessionstore nodesoperations/puppetproduction+2 -95
Remove affinity and tolerations from sessionstore deploymentsoperations/deployment-chartsmaster+0 -50
Remove alert for sessionstore not running on dedicated nodesoperations/alertsmaster+0 -37
Customize query in gerrit

Related Objects

Event Timeline

JMeybohm created this task.Nov 12 2024, 9:26 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 12 2024, 9:26 AM
MoritzMuehlenhoff subscribed.Nov 12 2024, 9:27 AM
akosiaris added a comment.Nov 13 2024, 5:51 PM

The best I could find is T220821 and T221986.

As far as I am concerned, the approach we took back then, might have been too aggressive and driven by the fact that OCI container escapes were much more common and easy back then. This isn't any more the case and the setup has indeed cause at least a couple of incidents.

  1. https://wikitech.wikimedia.org/wiki/Incidents/2020-06-11_sessionstore%2Bkubernetes
  2. https://wikitech.wikimedia.org/wiki/Incidents/2022-12-13_sessionstore

    and a number of alerts and worry every now and then.

I think the approach isn't useful anymore, we can indeed ditch it.

Clement_Goubert subscribed.Nov 22 2024, 11:05 AM

I'm good with removing them as well.

gerritbot added a comment.Nov 25 2024, 9:02 AM

Change #1097311 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/alerts@master] Remove alert for sessionstore not running on dedicated nodes

https://gerrit.wikimedia.org/r/1097311

gerritbot added a project: Patch-For-Review.Nov 25 2024, 9:02 AM

Change #1097312 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Remove affinity and tolerations from sessionstore deployments

https://gerrit.wikimedia.org/r/1097312

gerritbot added a comment.Nov 25 2024, 11:59 AM

Change #1097311 merged by jenkins-bot:

[operations/alerts@master] Remove alert for sessionstore not running on dedicated nodes

https://gerrit.wikimedia.org/r/1097311

gerritbot added a comment.Nov 25 2024, 12:02 PM

Change #1097312 merged by jenkins-bot:

[operations/deployment-charts@master] Remove affinity and tolerations from sessionstore deployments

https://gerrit.wikimedia.org/r/1097312

Maintenance_bot removed a project: Patch-For-Review.Nov 25 2024, 12:30 PM
Stashbot added a comment.Nov 25 2024, 1:43 PM

Mentioned in SAL (#wikimedia-operations) [2024-11-25T13:43:20Z] <jayme> cordoned kubernetes[2005-2006,2015-2016].codfw.wmnet,kubernetes[1005-1006,1015-1016].eqiad.wmnet - T379599

Stashbot added a comment.Nov 25 2024, 1:46 PM

Mentioned in SAL (#wikimedia-operations) [2024-11-25T13:46:04Z] <jayme> deployed sessionstore to non-dedicated nodes - T379599

Clement_Goubert mentioned this in T380350: wikikube-worker13[13-27] implementation tracking.Nov 25 2024, 4:34 PM
gerritbot added a comment.Nov 25 2024, 5:05 PM

Change #1097442 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] Decom kubernetes[12]0[01][56] dedicates sessionstore nodes

https://gerrit.wikimedia.org/r/1097442

gerritbot added a project: Patch-For-Review.Nov 25 2024, 5:05 PM
ops-monitoring-bot added a comment.Nov 26 2024, 8:46 AM

depool host kubernetes[2005-2006,2015-2016].codfw.wmnet by jayme@cumin2002 with reason: None

ops-monitoring-bot added a comment.Nov 26 2024, 8:46 AM

Cookbook cookbooks.sre.k8s.pool-depool-node started by jayme@cumin2002 depool for host kubernetes[2005-2006,2015-2016].codfw.wmnet completed:

  • kubernetes[2005-2006,2015-2016].codfw.wmnet (PASS)
    • Host kubernetes[2005-2006,2015-2016].codfw.wmnet depooled from wikikube-codfw
ops-monitoring-bot added a comment.Nov 26 2024, 8:48 AM

depool host kubernetes[1005-1006,1015-1016].eqiad.wmnet by jayme@cumin2002 with reason: None

ops-monitoring-bot added a comment.Nov 26 2024, 8:48 AM

Cookbook cookbooks.sre.k8s.pool-depool-node started by jayme@cumin2002 depool for host kubernetes[1005-1006,1015-1016].eqiad.wmnet completed:

  • kubernetes[1005-1006,1015-1016].eqiad.wmnet (PASS)
    • Host kubernetes[1005-1006,1015-1016].eqiad.wmnet depooled from wikikube-eqiad
gerritbot added a comment.Nov 26 2024, 8:53 AM

Change #1097442 merged by JMeybohm:

[operations/puppet@production] Decom kubernetes[12]0[01][56] dedicates sessionstore nodes

https://gerrit.wikimedia.org/r/1097442

ops-monitoring-bot added a comment.Nov 26 2024, 9:21 AM

cookbooks.sre.hosts.decommission executed by jayme@cumin2002 for hosts: kubernetes[2005-2006,2015-2016].codfw.wmnet,kubernetes[1005-1006,1015-1016].eqiad.wmnet

  • kubernetes2005.codfw.wmnet (PASS)
    • Downtimed host on Icinga/Alertmanager
    • Found Ganeti VM
    • VM shutdown
    • Started forced sync of VMs in Ganeti cluster codfw to Netbox
    • Removed from DebMonitor
    • Removed from Puppet master and PuppetDB
    • VM removed
    • Started forced sync of VMs in Ganeti cluster codfw to Netbox
  • kubernetes2006.codfw.wmnet (PASS)
    • Downtimed host on Icinga/Alertmanager
    • Found Ganeti VM
    • VM shutdown
    • Started forced sync of VMs in Ganeti cluster codfw to Netbox
    • Removed from DebMonitor
    • Removed from Puppet master and PuppetDB
    • VM removed
    • Started forced sync of VMs in Ganeti cluster codfw to Netbox
  • kubernetes2015.codfw.wmnet (PASS)
    • Downtimed host on Icinga/Alertmanager
    • Found Ganeti VM
    • VM shutdown
    • Started forced sync of VMs in Ganeti cluster codfw to Netbox
    • Removed from DebMonitor
    • Removed from Puppet master and PuppetDB
    • VM removed
    • Started forced sync of VMs in Ganeti cluster codfw to Netbox
  • kubernetes2016.codfw.wmnet (PASS)
    • Downtimed host on Icinga/Alertmanager
    • Found Ganeti VM
    • VM shutdown
    • Started forced sync of VMs in Ganeti cluster codfw to Netbox
    • Removed from DebMonitor
    • Removed from Puppet master and PuppetDB
    • VM removed
    • Started forced sync of VMs in Ganeti cluster codfw to Netbox
  • kubernetes1005.eqiad.wmnet (PASS)
    • Downtimed host on Icinga/Alertmanager
    • Found Ganeti VM
    • VM shutdown
    • Started forced sync of VMs in Ganeti cluster eqiad to Netbox
    • Removed from DebMonitor
    • Removed from Puppet master and PuppetDB
    • VM removed
    • Started forced sync of VMs in Ganeti cluster eqiad to Netbox
  • kubernetes1006.eqiad.wmnet (PASS)
    • Downtimed host on Icinga/Alertmanager
    • Found Ganeti VM
    • VM shutdown
    • Started forced sync of VMs in Ganeti cluster eqiad to Netbox
    • Removed from DebMonitor
    • Removed from Puppet master and PuppetDB
    • VM removed
    • Started forced sync of VMs in Ganeti cluster eqiad to Netbox
  • kubernetes1015.eqiad.wmnet (PASS)
    • Downtimed host on Icinga/Alertmanager
    • Found Ganeti VM
    • VM shutdown
    • Started forced sync of VMs in Ganeti cluster eqiad to Netbox
    • Removed from DebMonitor
    • Removed from Puppet master and PuppetDB
    • VM removed
    • Started forced sync of VMs in Ganeti cluster eqiad to Netbox
  • kubernetes1016.eqiad.wmnet (PASS)
    • Downtimed host on Icinga/Alertmanager
    • Found Ganeti VM
    • VM shutdown
    • Started forced sync of VMs in Ganeti cluster eqiad to Netbox
    • Removed from DebMonitor
    • Removed from Puppet master and PuppetDB
    • VM removed
    • Started forced sync of VMs in Ganeti cluster eqiad to Netbox
Maintenance_bot removed a project: Patch-For-Review.Nov 26 2024, 9:31 AM
JMeybohm closed this task as Resolved.Nov 26 2024, 9:40 AM
JMeybohm claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits