Page MenuHomePhabricator
Create Task
Maniphest T387569

Update Elastic puppet code to filter LVS config based on cluster membership
Closed, ResolvedPublic
Actions

Description

Each Elastic host runs 2 instances of Elasticsearch:

  1. The main instance (chi, ports 9200/9243)
  2. One of two secondary clusters (omega, 9400/9443 or psi, 9600/9643)

Per Slack conversation with @Vgutierrez , our current Elastic Puppet code is creating LVS config for both secondary clusters on all Elastic hosts, regardless of their actual secondary cluster membership. This will set off false positive alerts during the IPIP migration, so we'll need to clean this up.

Creating this ticket to:

  • Identify/update Puppet code
  • Confirm operation with Traffic team

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
elastic: add test hieradata to help with LVS migrationoperations/puppetproduction+12 -0
cirrussearch: move soon-to-be-decommed hosts to insetup roleoperations/puppetproduction+10 -12
elasticsearch: filter LVS config based on cluster membershipoperations/puppetproduction+188 -0
elasticsearch: filter LVS config based on cluster membershipoperations/puppetproduction+1 K -19
Customize query in gerrit

Related Objects
Search...

Event Timeline

bking created this task.Feb 28 2025, 2:50 PM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptFeb 28 2025, 2:50 PM
bking updated the task description. (Show Details)Feb 28 2025, 2:52 PM
Vgutierrez mentioned this in T387309: Migrate search LB VIPs to IPIP encapsulation.Feb 28 2025, 2:52 PM
Vgutierrez mentioned this in T387310: Migrate search-https LB VIPs to IPIP encapsulation.
Vgutierrez mentioned this in T387311: Migrate search-omega-https LB VIPs to IPIP encapsulation.
Vgutierrez mentioned this in T387312: Migrate search-psi-https LB VIPs to IPIP encapsulation.
Gehel added a project: Discovery-Search.Feb 28 2025, 2:53 PM
Gehel moved this task from needs triage to Ops / SRE on the Discovery-Search board.Mar 3 2025, 2:40 PM
Gehel moved this task from Backlog - project to Backlog - operations on the Data-Platform-SRE (2025.03.01 - 2025.03.21) board.Mar 4 2025, 4:55 PM
BTullis subscribed.Mar 13 2025, 1:03 PM

I've had a quick look at this to see if it is easy, but I don't immediately see a way of doing it without incurring a relatively high maintenance cost of lots of individual YAML files in hieradata/hosts.

We would need to match all of the cluster host names mentioned in the various cirrus.yaml files. e.g. here.

The only other way I could think of doing it would be to split the current role::elasticsearch::cirrus into two discrete roles, one with the omega instance the other with the psi instance installed.

BTullis added a comment.Mar 13 2025, 1:05 PM

Oh, maybe we could use hieradata/regex.yaml but that is still a bit fiddly.

bking added a comment.EditedMar 17 2025, 7:43 PM

Many of us in Data Platform SRE and/or Search Platform have looked this over, and I think we're in agreement that @Vgutierrez 's original suggestion is the least bad way to move the migration forward.

"The only alternative I see right now is setting profile::lvs::realservers::pools values per instance in hiera, cause all of those share the same puppet role and puppet profiles"

regex.yaml (suggested by Ben and others) could work, but seems more error-prone than hostvars, so we will move forward with the host-specific hieradata approach.

Gehel edited projects, added Data-Platform-SRE (2025.03.22 - 2025.04.11); removed Data-Platform-SRE (2025.03.01 - 2025.03.21).Mar 21 2025, 9:57 AM
Gehel moved this task from Backlog - project to Backlog - operations on the Data-Platform-SRE (2025.03.22 - 2025.04.11) board.
bking claimed this task.Mar 21 2025, 5:17 PM
gerritbot added a comment.Mar 21 2025, 5:25 PM

Change #1130162 had a related patch set uploaded (by Bking; author: Bking):

[operations/puppet@production] elastic: add test hieradata to help with LVS migration

https://gerrit.wikimedia.org/r/1130162

gerritbot added a project: Patch-For-Review.Mar 21 2025, 5:25 PM
bking moved this task from Backlog - operations to In Progress on the Data-Platform-SRE (2025.03.22 - 2025.04.11) board.Mar 21 2025, 6:41 PM
Gehel edited projects, added Data-Platform-SRE (2025.04.12 - 2025.05.02); removed Data-Platform-SRE (2025.03.22 - 2025.04.11).Apr 11 2025, 1:14 PM
Gehel moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2025.04.12 - 2025.05.02) board.
gerritbot added a comment.Apr 23 2025, 3:36 PM

Change #1138400 had a related patch set uploaded (by Bking; author: Bking):

[operations/puppet@production] elasticsearch: filter LVS config based on cluster membership

https://gerrit.wikimedia.org/r/1138400

Gehel edited projects, added Data-Platform-SRE (2025.05.02 - 2025.05.23); removed Data-Platform-SRE (2025.04.12 - 2025.05.02).May 5 2025, 12:49 PM
Gehel moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2025.05.02 - 2025.05.23) board.
Gehel moved this task from In Progress to Blocked/Waiting on the Data-Platform-SRE (2025.05.02 - 2025.05.23) board.May 7 2025, 1:48 PM
Gehel subscribed.

Let's finish the OpenSearch migration first (T388610)

Gehel edited projects, added Data-Platform-SRE (2025.05.24 - 2025.06.13); removed Data-Platform-SRE (2025.05.02 - 2025.05.23).May 23 2025, 1:07 PM
Gehel moved this task from Backlog - project to Blocked/Waiting on the Data-Platform-SRE (2025.05.24 - 2025.06.13) board.
bking moved this task from Blocked/Waiting to Needs Review on the Data-Platform-SRE (2025.05.24 - 2025.06.13) board.Jun 3 2025, 5:21 PM
bking moved this task from Needs Review to In Progress on the Data-Platform-SRE (2025.05.24 - 2025.06.13) board.Jun 9 2025, 2:54 PM
Gehel edited projects, added Data-Platform-SRE (2025.06.13 - 2025.07.04); removed Data-Platform-SRE (2025.05.24 - 2025.06.13).Jun 13 2025, 8:49 AM
Gehel moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2025.06.13 - 2025.07.04) board.
gerritbot added a comment.Jun 16 2025, 1:14 PM

Change #1138400 merged by Bking:

[operations/puppet@production] elasticsearch: filter LVS config based on cluster membership

https://gerrit.wikimedia.org/r/1138400

gerritbot added a comment.Jun 16 2025, 1:34 PM

Change #1159459 had a related patch set uploaded (by Bking; author: Bking):

[operations/puppet@production] elasticsearch: filter LVS config based on cluster membership

https://gerrit.wikimedia.org/r/1159459

gerritbot added a comment.Jun 16 2025, 2:15 PM

Change #1159459 merged by Bking:

[operations/puppet@production] elasticsearch: filter LVS config based on cluster membership

https://gerrit.wikimedia.org/r/1159459

Stashbot added a comment.Jun 16 2025, 3:17 PM

Mentioned in SAL (#wikimedia-operations) [2025-06-16T15:17:27Z] <inflatador> bking@cumin2002:~$ sudo cumin A:lvs-low-traffic 'run-puppet-agent' T387569

gerritbot added a comment.Jun 16 2025, 4:05 PM

Change #1159517 had a related patch set uploaded (by Bking; author: Bking):

[operations/puppet@production] cirrussearch: move soon-to-be-decommed hosts to insetup role

https://gerrit.wikimedia.org/r/1159517

gerritbot added a comment.Jun 17 2025, 6:09 AM

Change #1159517 merged by Ryan Kemper:

[operations/puppet@production] cirrussearch: move soon-to-be-decommed hosts to insetup role

https://gerrit.wikimedia.org/r/1159517

bking changed the task status from Open to In Progress.Jun 20 2025, 1:29 PM
bking moved this task from In Progress to Needs Review on the Data-Platform-SRE (2025.06.13 - 2025.07.04) board.

After merging the above changes, we believe our Puppet code is correctly filtering based on cluster membership. Moving to "Needs Review" so @Vgutierrez can verify as time permits.

BTullis edited projects, added Data-Platform-SRE (2025.07.05 - 2025.07.25); removed Data-Platform-SRE (2025.06.13 - 2025.07.04).Jul 4 2025, 3:59 PM
BTullis moved this task from Backlog - project to Blocked/Waiting on the Data-Platform-SRE (2025.07.05 - 2025.07.25) board.Jul 4 2025, 4:22 PM
BTullis edited projects, added Data-Platform-SRE (2025.07.26 - 2025.08.15); removed Data-Platform-SRE (2025.07.05 - 2025.07.25).Jul 28 2025, 4:46 PM
BTullis moved this task from Backlog - project to Blocked/Waiting on the Data-Platform-SRE (2025.07.26 - 2025.08.15) board.
BTullis edited projects, added Data-Platform-SRE (2025.08.16 - 2025.09.05); removed Data-Platform-SRE (2025.07.26 - 2025.08.15).Aug 20 2025, 10:31 AM
BTullis moved this task from Backlog - project to Blocked/Waiting on the Data-Platform-SRE (2025.08.16 - 2025.09.05) board.
bking closed this task as Resolved.Aug 25 2025, 3:16 PM
bking moved this task from Blocked/Waiting to Done on the Data-Platform-SRE (2025.08.16 - 2025.09.05) board.

No response, so I'm going to go ahead and close this one out. Feel free to reopen if we missed anything!

gerritbot added a comment.Sep 4 2025, 2:50 PM

Change #1130162 abandoned by Bking:

[operations/puppet@production] elastic: add test hieradata to help with LVS migration

Reason:

no longer needed

https://gerrit.wikimedia.org/r/1130162

Gehel moved this task from Done to Reported on the Data-Platform-SRE (2025.08.16 - 2025.09.05) board.Sep 5 2025, 12:45 PM
Gehel added a project: Essential-Work.Sep 5 2025, 3:08 PM
Gehel moved this task from Incoming to Done on the Discovery-Search (2025.09.05 - 2025.09.26) board.Sep 8 2025, 1:15 PM
Gehel edited projects, added Discovery-Search (2025.09.05 - 2025.09.26); removed Discovery-Search.
pfischer moved this task from Done to Reported on the Discovery-Search (2025.09.05 - 2025.09.26) board.Sep 12 2025, 9:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits