Ensure Search Platform-owned Elasticsearch cookbooks can handle Opensearch
Open, In Progress, HighPublic
Actions

Assigned To

None

Authored By

	bking
	Jan 15 2025, 7:02 PM

Description

We need to ensure our cookbooks can still handle common operations (banning nodes, restarting services, etc) during and after our migration from Elastic -> OpenSearch. As noted in T391151, our current Elastic/OpenSearch cookbooks don't always meet our needs. The elasticsearch-python library dependencies in Spicerack can also affect other teams, see T390860 and this CR for examples.

Creating this ticket to:

Examine existing cookbooks
- ban.py
- force-shard-allocation.py
- force-unfreeze.py
- reset-read-only.py
- restart-nginx.py
- rolling-operation.py
Identify potential improvements (use other teams' OpenSearch cookbooks? Use python requests instead of ES/OS python libraries? Move the logic out of Spicerack completely?)
Implement the improvements

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
sre.elasticsearch: remove unused cookbooks	operations/cookbooks	master	+0 -80
sre.elasticsearch.rolling-operation: refactor external cookbook invocations	operations/cookbooks	master	+14 -12
sre.elasticsearch.rolling-operation: use tftp, run puppet with new hostname	operations/cookbooks	master	+2 -4
sre.elasticsearch.rolling-operation: handle negative caches between rename/reimage	operations/cookbooks	master	+13 -0
elasticsearch rolling-operation: add arguments for rename & reimage cookbooks	operations/cookbooks	master	+11 -2
WIP: more fine-grained shard status checks	operations/software/spicerack	master	+22 -0
cirrussearch: add puppet 7 hieradata to DC-specific config	operations/puppet	production	+2 -0
relforge: enable rack awareness	operations/puppet	production	+1 -1
cloudelastic: replace failed master-eligible host	operations/puppet	production	+1 -2
cloudelastic: DO NOT MERGE (just for PCC)	operations/puppet	production	+1 -1
rolling-operation.py: Put back a reference to nodes.start_elasticsearch()	operations/cookbooks	master	+1 -1
sre.elasticsearch.rolling-operation: make plugin upgrade work for opensearch	operations/cookbooks	master	+13 -13

Related Objects
Search...

Status	Assigned	Task
Open	None	T370147 [Epic] Migration of the Elasticsearch 7.10 search cluster to OpenSearch
Resolved	bking	T388610 Migrate production Elastic clusters to Opensearch
In Progress	None	T383811 Ensure Search Platform-owned Elasticsearch cookbooks can handle Opensearch
Resolved	bking	T391151 Ensure our automation can ban not-yet-existing hosts

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

bking updated the task description. (Show Details)Mar 17 2025, 10:47 PM

bking updated Other Assignee, added: RKemper.

bking mentioned this in T389119: Upgrade wmf_opensearch_search_plugins .deb and restart opensearch.Mar 17 2025, 10:49 PM

bking added a subscriber: Volans.Mar 17 2025, 11:22 PM

bking updated the task description. (Show Details)Mar 18 2025, 1:19 PM

bking updated the task description. (Show Details)Mar 18 2025, 6:59 PM

Per today's conversation with my teammates in Data Platform SRE, we have decided that the rolling-operation cookbook provides enough value in terms of orchestrating the batching and healthchecks that it should be used to carry out the migration.

As such, I'm setting this task as a blocker to the production migration ( T388610 ).

bking added a parent task: T388610: Migrate production Elastic clusters to Opensearch.Mar 18 2025, 7:42 PM

Change #1129373 had a related patch set uploaded (by Bking; author: Bking):

[operations/cookbooks@master] rolling-operation.py: Put back a reference to nodes.start_elasticsearch()

https://gerrit.wikimedia.org/r/1129373

gerritbot added a project: Patch-For-Review.Mar 19 2025, 9:01 PM

Change #1129373 merged by Ryan Kemper:

[operations/cookbooks@master] rolling-operation.py: Put back a reference to nodes.start_elasticsearch()

https://gerrit.wikimedia.org/r/1129373

Maintenance_bot removed a project: Patch-For-Review.Mar 19 2025, 10:31 PM

Per the above patch, rolling-operation.py works...however, I did have a timeout when I used the --allow-yellow flag: Error while waiting for yellow with no initializing or relocating shards . The cluster was in green, which makes me wonder if the cookbook is checking for ' yellow and no relocating shards'. We want 'green' (unqualified) OR 'yellow and no relocating shards.', so that 'green and no relocating shards' is also a valid status. Will follow up on this hunch tomorrow.

Icinga downtime and Alertmanager silence (ID=b3f79c36-c233-46b5-bfaf-6d5a09ed70df) set by bking@cumin2002 for 4:00:00 on 5 host(s) and their services with reason: troubleshooting red status

cloudelastic[1007,1009-1012].eqiad.wmnet

I ran the cookbook without the allow-yellow flag: sudo cookbook sre.elasticsearch.rolling-operation cloudelastic "try rolling operation without allow-yellow flag" --restart --task-id T389119 --nodes-per-run 1

and it still caused a red status on Cloudelastic. Until we can figure out what's going wrong, we need to either:

migrate without the rolling-operation cookbook, as originally planned in T388610
hold up the migration until we can fix the issue

Gehel edited projects, added Data-Platform-SRE (2025.03.22 - 2025.04.11); removed Data-Platform-SRE (2025.03.01 - 2025.03.21).Mar 21 2025, 9:57 AM

bking moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2025.03.22 - 2025.04.11) board.Mar 21 2025, 10:16 PM

Adding a few notes from pairing with @RKemper today:

We repeated the rolling operation today with the same arguments as above, and got the exact same results (red status).
The operation seems to work OK for the first 2 hosts, then all clusters go red when it gets to the third host.
I sent the command 'for n in $(cat /etc/opensearch/instances); do systemctl start $n; done' to all hosts when we were in red status, but I don't think it actually helped anything. I'm pretty sure it recovered on its own.
We noticed that there are unit files for both opensearch_1@cloudelastic-eqiad.service and opensearch_1@cloudelastic-chi-eqiad.service. . The unit opensearch_1@cloudelastic-eqiad.service was showing in failed state. I don't think we want both of these. red herring, you can trigger this behavior by passing systemctl start any-invalid-unit-file-name.service, which will fail and set off alerts. So I probably created this problem by trying to systemctl start opensearch_1@cloudelastic-eqiad.service (which doesn't actually have a unit file).

Further investigation is necessary.

Change #1130624 had a related patch set uploaded (by Bking; author: Bking):

[operations/puppet@production] cloudelastic: DO NOT MERGE (just for PCC)

https://gerrit.wikimedia.org/r/1130624

gerritbot added a project: Patch-For-Review.Mar 24 2025, 2:45 PM

Change #1130624 abandoned by Bking:

[operations/puppet@production] cloudelastic: DO NOT MERGE (just for PCC)

Reason:

figured out what I needed from this. closing...

https://gerrit.wikimedia.org/r/1130624

Maintenance_bot removed a project: Patch-For-Review.Mar 24 2025, 6:30 PM

Change #1130701 had a related patch set uploaded (by Bking; author: Bking):

[operations/puppet@production] cloudelastic: replace failed master-eligible host

https://gerrit.wikimedia.org/r/1130701

gerritbot added a project: Patch-For-Review.Mar 24 2025, 7:15 PM

Change #1130701 merged by Ryan Kemper:

[operations/puppet@production] cloudelastic: replace failed master-eligible host

https://gerrit.wikimedia.org/r/1130701

Maintenance_bot removed a project: Patch-For-Review.Mar 24 2025, 7:30 PM

Change #1132024 had a related patch set uploaded (by Bking; author: Bking):

[operations/puppet@production] relforge: enable rack awareness

https://gerrit.wikimedia.org/r/1132024

gerritbot added a project: Patch-For-Review.Mar 28 2025, 8:17 PM

Change #1132024 merged by Bking:

[operations/puppet@production] relforge: enable rack awareness

https://gerrit.wikimedia.org/r/1132024

Maintenance_bot removed a project: Patch-For-Review.Mar 28 2025, 8:31 PM

Following up, the above issue was due to cluster quorum and didn't have anything to do with the cookbook.

There are a few things we need to address in Spicerack before we can move forward with the migration:

--allow-yellow , which enables the check_yellow_w_no_moving_shards function , doesn't quite fit our scenario. We'll need a few function that allows the cluster to restart when we have UNASSIGNED ALLOCATION_FAILED replica shards. This is because OpenSearch hosts can't replicate their primary shards to Elasticsearch.

Fixed thanks to @RKemper

Lower priority/not a migration blocker:

--allow-yellow needs BOTH no relocating shards AND yellow status, it doesn't seem to work with no relocating shards AND green status.

Change #1133967 had a related patch set uploaded (by Bking; author: Bking):

[operations/software/spicerack@master] WIP: more fine-grained shard status checks

https://gerrit.wikimedia.org/r/1133967

gerritbot added a project: Patch-For-Review.Apr 3 2025, 4:29 PM

Change #1134043 had a related patch set uploaded (by Bking; author: Bking):

[operations/puppet@production] cirrussearch: add puppet 7 hieradata to DC-specific config

https://gerrit.wikimedia.org/r/1134043

Change #1134043 merged by Bking:

[operations/puppet@production] cirrussearch: add puppet 7 hieradata to DC-specific config

https://gerrit.wikimedia.org/r/1134043

Change #1133967 abandoned by Bking:

[operations/software/spicerack@master] WIP: more fine-grained shard status checks

Reason:

not needed after all

https://gerrit.wikimedia.org/r/1133967

Maintenance_bot removed a project: Patch-For-Review.Apr 3 2025, 9:30 PM

Change #1131446 had a related patch set uploaded (by Bking; author: Bking):

[operations/cookbooks@master] elasticsearch rolling-operation: add arguments for rename & reimage cookbooks

https://gerrit.wikimedia.org/r/1131446

gerritbot added a project: Patch-For-Review.Apr 4 2025, 7:38 PM

bking changed the status of subtask T391151: Ensure our automation can ban not-yet-existing hosts from Open to In Progress.Apr 7 2025, 2:01 PM

Change #1131446 merged by Bking:

[operations/cookbooks@master] elasticsearch rolling-operation: add arguments for rename & reimage cookbooks

https://gerrit.wikimedia.org/r/1131446

Change #1135133 had a related patch set uploaded (by Ryan Kemper; author: Ryan Kemper):

[operations/cookbooks@master] sre.elasticsearch.rolling-operation: handle negative caches between rename/reimage

https://gerrit.wikimedia.org/r/1135133

Change #1135133 merged by Ryan Kemper:

[operations/cookbooks@master] sre.elasticsearch.rolling-operation: handle negative caches between rename/reimage

https://gerrit.wikimedia.org/r/1135133

Maintenance_bot removed a project: Patch-For-Review.Apr 9 2025, 2:30 AM

Change #1135826 had a related patch set uploaded (by Ryan Kemper; author: Ryan Kemper):

[operations/cookbooks@master] sre.elasticsearch.rolling-operation: don't use http for dhcp for reimage

https://gerrit.wikimedia.org/r/1135826

gerritbot added a project: Patch-For-Review.Apr 10 2025, 9:22 PM

Gehel edited projects, added Data-Platform-SRE (2025.04.12 - 2025.05.02); removed Data-Platform-SRE (2025.03.22 - 2025.04.11).Apr 11 2025, 1:14 PM

Gehel moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2025.04.12 - 2025.05.02) board.

bking mentioned this in T390860: Elasticsearch dependency upgrade in spicerack.Apr 14 2025, 7:18 PM

Change #1135826 merged by Bking:

[operations/cookbooks@master] sre.elasticsearch.rolling-operation: use tftp, run puppet with new hostname

https://gerrit.wikimedia.org/r/1135826

Maintenance_bot removed a project: Patch-For-Review.Apr 15 2025, 5:30 PM

bking closed subtask T391151: Ensure our automation can ban not-yet-existing hosts as Resolved.Apr 15 2025, 7:14 PM

Change #1136796 had a related patch set uploaded (by Ryan Kemper; author: Ryan Kemper):

[operations/cookbooks@master] sre.elasticsearch.rolling-operation: refactor external cookbook invocations

https://gerrit.wikimedia.org/r/1136796

gerritbot added a project: Patch-For-Review.Apr 15 2025, 7:48 PM

bking updated the task description. (Show Details)Apr 15 2025, 8:37 PM

bking mentioned this in T392015: Refactor/replace Search Platform-owned Elastic/OpenSearch cookbooks.

Gehel merged a task: T392015: Refactor/replace Search Platform-owned Elastic/OpenSearch cookbooks.Apr 16 2025, 7:44 AM

Change #1136796 merged by Ryan Kemper:

[operations/cookbooks@master] sre.elasticsearch.rolling-operation: refactor external cookbook invocations

https://gerrit.wikimedia.org/r/1136796

Maintenance_bot removed a project: Patch-For-Review.Apr 16 2025, 9:31 PM

Gehel edited projects, added Data-Platform-SRE (2025.05.02 - 2025.05.23); removed Data-Platform-SRE (2025.04.12 - 2025.05.02).May 5 2025, 12:49 PM

Gehel moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2025.05.02 - 2025.05.23) board.

Let's finish T388610 first

Gehel moved this task from In Progress to Blocked/Waiting on the Data-Platform-SRE (2025.05.02 - 2025.05.23) board.May 7 2025, 1:50 PM

Gehel edited projects, added Data-Platform-SRE (2025.05.24 - 2025.06.13); removed Data-Platform-SRE (2025.05.02 - 2025.05.23).May 23 2025, 1:07 PM

Gehel moved this task from Backlog - project to Blocked/Waiting on the Data-Platform-SRE (2025.05.24 - 2025.06.13) board.

Mentioned in SAL (#wikimedia-operations) [2025-05-28T13:19:38Z] <bking@cumin2002> START - Cookbook sre.elasticsearch.rolling-operation Operation.RESTART (3 nodes at a time) for ElasticSearch cluster search_eqiad: T383811 - bking@cumin2002

Mentioned in SAL (#wikimedia-operations) [2025-05-28T13:20:17Z] <bking@cumin2002> END (ERROR) - Cookbook sre.elasticsearch.rolling-operation (exit_code=97) Operation.RESTART (3 nodes at a time) for ElasticSearch cluster search_eqiad: T383811 - bking@cumin2002

Change #1151797 had a related patch set uploaded (by Ryan Kemper; author: Ryan Kemper):

[operations/cookbooks@master] sre.elasticsearch: remove unused cookbooks

https://gerrit.wikimedia.org/r/1151797

gerritbot added a project: Patch-For-Review.May 28 2025, 9:17 PM

Mentioned in SAL (#wikimedia-operations) [2025-06-06T17:06:55Z] <bking@cumin2002> START - Cookbook sre.elasticsearch.rolling-operation Operation.RESTART (3 nodes at a time) for ElasticSearch cluster search_eqiad: T383811 - bking@cumin2002

Mentioned in SAL (#wikimedia-operations) [2025-06-06T17:08:51Z] <bking@cumin2002> END (FAIL) - Cookbook sre.elasticsearch.rolling-operation (exit_code=99) Operation.RESTART (3 nodes at a time) for ElasticSearch cluster search_eqiad: T383811 - bking@cumin2002

Mentioned in SAL (#wikimedia-operations) [2025-06-06T17:20:21Z] <bking@cumin2002> START - Cookbook sre.elasticsearch.rolling-operation Operation.RESTART (3 nodes at a time) for ElasticSearch cluster search_eqiad: T383811 - bking@cumin2002

Mentioned in SAL (#wikimedia-operations) [2025-06-06T19:11:22Z] <bking@cumin2002> END (PASS) - Cookbook sre.elasticsearch.rolling-operation (exit_code=0) Operation.RESTART (3 nodes at a time) for ElasticSearch cluster search_eqiad: T383811 - bking@cumin2002

Gehel edited projects, added Data-Platform-SRE (2025.06.13 - 2025.07.04); removed Data-Platform-SRE (2025.05.24 - 2025.06.13).Jun 13 2025, 8:48 AM

Gehel moved this task from Backlog - project to Blocked/Waiting on the Data-Platform-SRE (2025.06.13 - 2025.07.04) board.

BTullis edited projects, added Data-Platform-SRE (2025.07.05 - 2025.07.25); removed Data-Platform-SRE (2025.06.13 - 2025.07.04).Jul 4 2025, 3:59 PM

BTullis moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2025.07.05 - 2025.07.25) board.Jul 4 2025, 4:28 PM