Add tracing to understand Toolforge and CloudVPS usage and dependencies
Open, HighPublic
Actions

Assigned To

None

Authored By

	joanna_borun
	Jul 11 2025, 3:10 PM

Description

We’d like to add tracing to both Toolforge and CloudVPS so we can better understand how tools are being used internally and how they interact with each other.
Right now, many tools rely on others as part of larger workflows, but these relationships aren’t always obvious. This becomes a real problem when we’re thinking about migrations or decommissioning - for example, a tool that looks unused might actually be quietly powering dozens of others. If we remove it without realizing that, we could end up breaking a whole chain of tools.
To prevent this, we want visibility into how tools are connected and what services they’re talking to.

This includes things like:

Which tools are calling other tools
Which tools are making requests to shared infrastructure, like:
- Wikireplicas
- MediaWiki APIs
- Redis, databases, proxy services, etc.
How often these interactions are happening and in what direction

Ideally, we want a way to trace and quantify this usage: number of requests, how frequently they happen, which tools are involved, and which external components are being hit.

This will help us:

Understand hidden dependencies between tools
Group tools that need to be migrated or maintained together
Avoid surprises during future infrastructure changes
Improve reliability across Toolforge and CloudVPS

We could be looking into a few different options to make this work, including:

eBPF: way to observe behavior (like network traffic or syscalls) without needing to change the tools themselves. It’s lightweight and could give us good insights into what’s talking to what.
SSL sniffing + HTTP protocol inspection: this also would let us passively watch encrypted traffic and decode requests to see which tools are communicating and how.
Zero-code OpenTelemetry setups: anothar way of collecting tracing data without needing tool owners to manually instrument their code. That might include things like sidecar proxies or dynamic injection.

Next Steps:

Explore options for implementing tracing
Start collecting dependency data for a representative set of tools
Build some basic dashboards or reports to visualize tool-to-tool and tool-to-service usage
Document any key findings and plan for scaling this out

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
wmcs infra-tracing: simplify Loki indexing	operations/puppet	production	+11 -15
P:toolforge::prometheus: Collect metrics for infra-tracing-loki	operations/puppet	production	+6 -0
wmcs infra-tracing: optimize Loki indexing	operations/puppet	production	+86 -52
toolforge: add ingress for infra-tracing-loki	operations/puppet	production	+50 -15
wmcs k8s nfs: pass the config to the NFS tracer	operations/puppet	production	+4 -2
labs: enable infra-tracing-nfs tracing	labs/private	master	+1 -0
wmcs k8s nfs: add NFS tracing script	operations/puppet	production	+340 -0
labs: add infra-tracing-nfs account	labs/private	master	+4 -0

Customize query in gerrit

Related Changes in GitLab:

Title	Reference	Author	Source Branch	Dest Branch
infra-tracing: extend loki retention to 60 days	repos/cloud/toolforge/toolforge-deploy!1092	volans	loki-tracing	main
shared: k8s security group for infra-metrics-loki	repos/cloud/toolforge/tofu-provisioning!104	volans	loki-tracing	main
tools/toolsbeta: add CNAME for infra-tracing-loki	repos/cloud/toolforge/tofu-provisioning!103	volans	loki-tracing	main
infra-tracing: set the X-Scope-OrgId header	repos/cloud/toolforge/toolforge-deploy!1087	volans	loki-tracing	main
ingress-admission: bump to 0.0.72-20251118104433-d892c480	repos/cloud/toolforge/toolforge-deploy!1082	group_203_bot_f4d95069bb2675e4ce1fff090c1c1620	bump_ingress-admission	main
Use final namespace name for the tracing loki	repos/cloud/toolforge/ingress-admission!32	volans	T399313	main
tracing: add tracing loki instance	repos/cloud/toolforge/toolforge-deploy!1040	volans	loki-tracing	main
kind: add port 30004 for loki-tracing	repos/cloud/toolforge/lima-kilo!294	volans	loki-tracing	main
shared: add loki-tracing S3 buckets	repos/cloud/toolforge/tofu-provisioning!92	volans	loki-tracing	main

Customize query in GitLab

Related Objects

Mentioned Here: P80229 toolforge_file_snoop.py

Event Timeline

joanna_borun created this task.Jul 11 2025, 3:10 PM

The Cloud-Services project tag is not intended to have any tasks. Please check the list on https://phabricator.wikimedia.org/project/profile/832/ and replace it with a more specific project tag to this task. Thanks!

Don-vip awarded a token.Jul 11 2025, 3:11 PM

Don-vip subscribed.Jul 11 2025, 3:16 PM

elukey subscribed.Jul 28 2025, 2:32 PM

taavi edited projects, added cloud-services-team, Toolforge, Cloud-VPS; removed Cloud-Services.Jul 29 2025, 9:54 AM

taavi subscribed.

For reference, there was a POC created several years back that was able to extract the network connections (to redis, wikis, ...):

https://github.com/david-caro/netsnoop

And for file snooping I used

P80229 toolforge_file_snoop.py

1	#!/usr/bin/env python3
2	import datetime
3	from bcc import BPF
4	from typing import Any
5	from pathlib import Path
6	from time import sleep
7	from functools import cache
8	import os
9	import pwd
10	import click
11	import logging
12	from prometheus_client import CollectorRegistry, Counter, write_to_textfile
13
14
15	LOGGER = logging.getLogger(__name__)
16	BASE_PATH=Path("/mnt/nfs")
17
18
19	BPF_PROGRAM = """
20	#include <uapi/linux/ptrace.h>
21
22	int check_if_fname(struct pt_regs *ctx) {
23	char fname[256];
24	bpf_probe_read_user(&fname, sizeof(fname), (void *)PT_REGS_PARM2(ctx));
25	int uid = bpf_get_current_uid_gid();
26
27	// trying to optimize the amount of instructions :/
28	// char by char hardcoded check, as loops are costly in ebpf
29	if (
30	uid == 0 // skip root
31	\|\| fname[0] == '/' && ( // it's a full path
32	fname[1] != 'm' // but not /mnt/nfs/
33	\|\| fname[2] != 'n'
34	\|\| fname[3] != 't'
35	\|\| fname[4] != '/'
36	\|\| fname[5] != 'n'
37	\|\| fname[6] != 'f'
38	\|\| fname[7] != 's'
39	)
40	)
41	return 0;
42
43	bpf_trace_printk("%s@@@%d", fname, uid);
44	return 0;
45	}
46	"""
47
48
49	def get_dependency(path: Path) -> dict[str, Any]:
50	if len(path.parts) < 4:
51	return {}
52
53	if path.parts[3].startswith("dumps"):
54	return {
55	"dependency": "dumps",
56	"dumps_server": path.parts[3],
57	"dumps_subpath": path.parts[4] if len(path.parts) >= 5 else "",
58	"dest_user": "",
59	"dest_tool": "",
60	}
61
62	if path.parts[3].endswith("tools-home"):
63	return {
64	"dependency": "users-home",
65	"dest_user": path.parts[4] if len(path.parts) >= 5 else "",
66	"dumps_server": "",
67	"dumps_subpath": "",
68	"dest_tool": "",
69	}
70
71	if path.parts[3].endswith("tools-project"):
72	return {
73	"dependency": "tools-home",
74	"dest_tool": f"tools.{path.parts[4]}" if len(path.parts) >= 5 else "",
75	"dumps_server": "",
76	"dumps_subpath": "",
77	"dest_user": "",
78	}
79
80	if path.parts[3].endswith("scratch"):
81	return {
82	"dependency": "scratch",
83	}
84
85	return {}
86
87
88
89
90	""
91	# dumps -> subdir
92	# scratch
93	# tool-home -> toolname
94	# user-home -> username
95
96	@cache
97	def resolve_uid(uid: int) -> str:
98	return pwd.getpwuid(uid)
99
100	def resolve_path(pid: int, relative_path: Path) -> Path:
101	try:
102	cwd_path = Path(f"/proc/{pid}/cwd")
103	return cwd_path.resolve() / relative_path
104	except Exception:
105	pass
106
107	return relative_path
108
109
110
111	@click.option("-d", "--debug", is_flag=True, show_default=True, default=False)
112	@click.option("-p", "--prometheus-file", type=click.Path(), show_default=True, default='./filesnoop.prom')
113	@click.command()
114	def main(debug: bool, prometheus_file: Path):
115
116	logging.basicConfig(level=logging.DEBUG if debug else logging.INFO)
117	LOGGER.debug(f"Using prometheus file {prometheus_file}")
118	LOGGER.debug(f"Loading eBPF code:\n{BPF_PROGRAM}\n{'-'*80}")
119	b = BPF(text=BPF_PROGRAM, debug=1 if debug else 0)
120	b.attach_kprobe(event="do_sys_openat2", fn_name="check_if_fname")
121	b.attach_kprobe(event="do_sys_open", fn_name="check_if_fname")
122
123	LOGGER.info(f"Watching directory: {BASE_PATH}")
124	LOGGER.info("Press Ctrl+C to stop.\n")
125
126	registry = CollectorRegistry()
127	stats = Counter(
128	"toolforge_internal_dependencies",
129	"Number of times a tool has known to start a connection to the given known dependency",
130	['tool', 'dependency', 'dumps_server', 'dumps_subpath', 'dest_user', 'dest_tool'],
131	registry=registry,
132	)
133	try:
134	last_time = datetime.datetime.now()
135	while True:
136	cur_time = datetime.datetime.now()
137	if cur_time - last_time > datetime.timedelta(seconds=60):
138	LOGGER.info(f"Writting stats to file {prometheus_file}")
139	write_to_textfile(prometheus_file, registry)
140	last_time = cur_time
141
142	(task, pid, cpu, flags, ts, msg) = b.trace_fields()
143	raw_path, raw_uid = msg.decode().split("@@@", 1)
144	path, uid = Path(raw_path), int(raw_uid)
145
146	if not path.is_absolute():
147	LOGGER.debug(f"Resolving non-absolute path {path}")
148	path = resolve_path(pid, path)
149
150	userinfo = resolve_uid(uid)
151
152	if not userinfo.pw_name.startswith("tools."):
153	LOGGER.debug(f"Ignoring entry for user {userinfo}, not a tools user")
154	continue
155
156	if path.is_relative_to(BASE_PATH):
157	dependency_info = get_dependency(path)
158	LOGGER.info(f"PID {pid}, USER {userinfo.pw_name}({uid}), DEPENDENCY {dependency_info}, PATH {path}")
159	if dependency_info:
160	stats.labels(tool=userinfo.pw_name, **dependency_info).inc()
161	else:
162	LOGGER.debug(f"Path {path} for {userinfo} not relative to {BASE_PATH}, ignored")
163	except KeyboardInterrupt:
164	LOGGER.info("\nStopped.")
165
166
167	if __name__ == "__main__":
168	main()

That ran on tools-k8s-worker-nfs-47 for some time, populating the 'tools dependency' graps from https://grafana-rw.wmcloud.org/d/3jhWxB8Vk/toolforge-general-overview?orgId=1&from=now-6h&to=now&timezone=utc&var-cluster_datasource=P8433460076D33992&var-cluster=tools&forceLogin (just ran it again just now to refresh it).

dcaro triaged this task as High priority.Jul 31 2025, 12:21 PM

akosiaris subscribed.Sep 15 2025, 2:28 PM

AntiCompositeNumber subscribed.Oct 15 2025, 12:42 AM

volans updated https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/1040

logging: add tracing loki instance

volans updated https://gitlab.wikimedia.org/repos/cloud/toolforge/lima-kilo/-/merge_requests/294

kind: add port 30004 for loki-tracing

volans updated https://gitlab.wikimedia.org/repos/cloud/toolforge/tofu-provisioning/-/merge_requests/92

shared: add loki-tracing S3 buckets

Mentioned in SAL (#wikimedia-cloud-feed) [2025-11-11T15:28:24Z] <volans@cloudcumin1001> START - Cookbook wmcs.toolforge.k8s.logging.copy_images_to_registry for Loki 3.5.7 (T399313)

Mentioned in SAL (#wikimedia-cloud-feed) [2025-11-11T15:28:28Z] <volans@cloudcumin1001> Updating container image docker-registry.svc.toolforge.org/grafana/loki:3.5.7 (T399313)

Mentioned in SAL (#wikimedia-cloud-feed) [2025-11-11T15:28:45Z] <volans@cloudcumin1001> END (PASS) - Cookbook wmcs.toolforge.k8s.logging.copy_images_to_registry (exit_code=0) for Loki 3.5.7 (T399313)

volans merged https://gitlab.wikimedia.org/repos/cloud/toolforge/lima-kilo/-/merge_requests/294

kind: add port 30004 for loki-tracing

volans opened https://gitlab.wikimedia.org/repos/cloud/toolforge/ingress-admission/-/merge_requests/32

Use final namespace name for the tracing loki

volans merged https://gitlab.wikimedia.org/repos/cloud/toolforge/ingress-admission/-/merge_requests/32

Use final namespace name for the tracing loki

group_203_bot_f4d95069bb2675e4ce1fff090c1c1620 opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/1082

ingress-admission: bump to 0.0.72-20251118104433-d892c480

volans merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/1082

ingress-admission: bump to 0.0.72-20251118104433-d892c480

volans merged https://gitlab.wikimedia.org/repos/cloud/toolforge/tofu-provisioning/-/merge_requests/92

shared: add loki-tracing S3 buckets

volans merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/1040

tracing: add tracing loki instance

volans opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/1087

infra-tracing: set the X-Scope-OrgId header

Change #1210582 had a related patch set uploaded (by Volans; author: Volans):

[operations/puppet@production] wmcs k8s nfs: add NFS tracing script

https://gerrit.wikimedia.org/r/1210582

Change #1210591 had a related patch set uploaded (by Volans; author: Volans):

[labs/private@master] labs: add infra-tracing-nfs account

https://gerrit.wikimedia.org/r/1210591

volans merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/1087

infra-tracing: set the X-Scope-OrgId header

Change #1210664 had a related patch set uploaded (by Volans; author: Volans):

[labs/private@master] labs: enable infra-tracing-nfs tracing

https://gerrit.wikimedia.org/r/1210664

Change #1210591 merged by Volans:

[labs/private@master] labs: add infra-tracing-nfs account

https://gerrit.wikimedia.org/r/1210591

Change #1210582 merged by Volans:

[operations/puppet@production] wmcs k8s nfs: add NFS tracing script

https://gerrit.wikimedia.org/r/1210582

Change #1211164 had a related patch set uploaded (by Volans; author: Volans):

[operations/puppet@production] wmcs k8s nfs: pass the config to the NFS tracer

https://gerrit.wikimedia.org/r/1211164

Change #1210664 abandoned by Volans:

[labs/private@master] labs: enable infra-tracing-nfs tracing

Reason:

Putting the setting in horizon like the other similar ones.

https://gerrit.wikimedia.org/r/1210664

Change #1211164 merged by Volans:

[operations/puppet@production] wmcs k8s nfs: pass the config to the NFS tracer

https://gerrit.wikimedia.org/r/1211164

volans opened https://gitlab.wikimedia.org/repos/cloud/toolforge/tofu-provisioning/-/merge_requests/103

tools/toolsbeta: add CNAME for infra-tracing-loki

Change #1211610 had a related patch set uploaded (by Volans; author: Volans):

[operations/puppet@production] toolforge: add ingress for infra-tracing-loki

https://gerrit.wikimedia.org/r/1211610

volans merged https://gitlab.wikimedia.org/repos/cloud/toolforge/tofu-provisioning/-/merge_requests/103

tools/toolsbeta: add CNAME for infra-tracing-loki

Change #1211610 merged by Volans:

[operations/puppet@production] toolforge: add ingress for infra-tracing-loki

https://gerrit.wikimedia.org/r/1211610

volans opened https://gitlab.wikimedia.org/repos/cloud/toolforge/tofu-provisioning/-/merge_requests/104

shared: k8s security group for infra-metrics-loki

volans merged https://gitlab.wikimedia.org/repos/cloud/toolforge/tofu-provisioning/-/merge_requests/104

shared: k8s security group for infra-metrics-loki

Change #1212186 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:toolforge::prometheus: Collect metrics for infra-tracing-loki

https://gerrit.wikimedia.org/r/1212186

Change #1212559 had a related patch set uploaded (by Volans; author: Volans):

[operations/puppet@production] wmcs infra-tracing: optimize Loki indexing

https://gerrit.wikimedia.org/r/1212559

Change #1212559 merged by Volans:

[operations/puppet@production] wmcs infra-tracing: optimize Loki indexing

https://gerrit.wikimedia.org/r/1212559

Change #1212186 merged by Majavah:

[operations/puppet@production] P:toolforge::prometheus: Collect metrics for infra-tracing-loki

https://gerrit.wikimedia.org/r/1212186

volans opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/1092

infra-tracing: extend loki retention to 60 days

volans merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/1092

infra-tracing: extend loki retention to 60 days

Mentioned in SAL (#wikimedia-cloud-feed) [2025-12-01T22:30:37Z] <volans@cloudcumin1001> START - Cookbook wmcs.toolforge.k8s.logging.copy_images_to_registry for Alloy 1.4.0 (T399313)

Mentioned in SAL (#wikimedia-cloud-feed) [2025-12-01T22:30:42Z] <volans@cloudcumin1001> Updating container image docker-registry.svc.toolforge.org/grafana/alloy:v1.4.0 (T399313)

Mentioned in SAL (#wikimedia-cloud-feed) [2025-12-01T22:31:20Z] <volans@cloudcumin1001> END (PASS) - Cookbook wmcs.toolforge.k8s.logging.copy_images_to_registry (exit_code=0) for Alloy 1.4.0 (T399313)

Mentioned in SAL (#wikimedia-cloud-feed) [2025-12-02T08:30:52Z] <volans@cloudcumin1001> START - Cookbook wmcs.toolforge.k8s.logging.copy_images_to_registry for Alloy 1.11.3 (T399313)

Mentioned in SAL (#wikimedia-cloud-feed) [2025-12-02T08:30:57Z] <volans@cloudcumin1001> Updating container image docker-registry.svc.toolforge.org/grafana/alloy:v1.11.3 (T399313)

Mentioned in SAL (#wikimedia-cloud-feed) [2025-12-02T08:31:45Z] <volans@cloudcumin1001> END (PASS) - Cookbook wmcs.toolforge.k8s.logging.copy_images_to_registry (exit_code=0) for Alloy 1.11.3 (T399313)

Change #1214012 had a related patch set uploaded (by Volans; author: Volans):

[operations/puppet@production] wmcs infra-tracing: simplify Loki indexing

https://gerrit.wikimedia.org/r/1214012

Change #1214012 merged by Volans: