Page MenuHomePhabricator
Create Task
Maniphest T407123

Mirror OpenSearch repos from upstream
Closed, ResolvedPublic
Actions

Description

Per parent ticket (and the discussion in T403301) , we'll need to create the

thirdparty/opensearch2
thirdparty/opensearch3

repos for Bullseye, Bookworm, and Trixie (Trixie might be blocked; we'll need to check upstream's signing key. More details in this comment ).

The combination of OpenSearch 3/Bookworm is the highest priority.

AC: The following repos are mirrored to from upstream OpenSearch to WMF's internal repo infra.

  • opensearch3/bookworm
  • opensearch2/bullseye
  • opensearch2/bookworm

Details

Other Assignee
BTullis
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
opensearch: Fix typo in repo GPG key filename.operations/puppetproduction+0 -0
apt: update opensearch3 keyoperations/puppetproduction+65 -1
Configure reprepro to mirror upstream opensearch2 and opensearch3 reposoperations/puppetproduction+89 -0
Configure reprepro to mirror upstream opensearch2 and opensearch3 reposoperations/puppetproduction+89 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

bking created this task.Oct 13 2025, 2:06 PM
bking mentioned this in T405985: OpenSearch on K8s: migrate from 2.7.0 to 2.8.0 or later version of the chart.Oct 13 2025, 2:18 PM
bking added a subtask: T407126: OpenSearch on K8s: build OpenSearch images for latest versions 2x and 3x.Oct 13 2025, 2:23 PM
BTullis removed a project: Essential-Work.Oct 13 2025, 10:45 PM
BTullis claimed this task.Oct 14 2025, 12:08 AM
BTullis triaged this task as High priority.
BTullis moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2025.09.26 - 2025.10.17) board.
BTullis mentioned this in T407199: Pin opensearch and logstash related package versions in puppet to avoid updates when we mirror the upstream repositories.Oct 14 2025, 10:16 AM
Gehel edited projects, added Data-Platform-SRE (2025.10.17 - 2025.11.07); removed Data-Platform-SRE (2025.09.26 - 2025.10.17).Oct 17 2025, 8:49 AM
Gehel moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2025.10.17 - 2025.11.07) board.
gerritbot added a comment.Oct 17 2025, 5:11 PM

Change #1196949 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Configure reprepro to mirror upstream opensearch2 and opensearch3 repos

https://gerrit.wikimedia.org/r/1196949

gerritbot added a project: Patch-For-Review.Oct 17 2025, 5:11 PM
BTullis moved this task from In Progress to Needs Review on the Data-Platform-SRE (2025.10.17 - 2025.11.07) board.Oct 17 2025, 5:13 PM
Gehel added a project: OKR-Work.Oct 24 2025, 2:53 PM
Gehel edited projects, added Data-Platform-SRE (2025.11.07 - 2025.11.28); removed Data-Platform-SRE (2025.10.17 - 2025.11.07).Nov 7 2025, 1:30 PM
Gehel moved this task from Backlog - project to Needs Review on the Data-Platform-SRE (2025.11.07 - 2025.11.28) board.
BTullis closed subtask T407199: Pin opensearch and logstash related package versions in puppet to avoid updates when we mirror the upstream repositories as Resolved.Nov 10 2025, 11:03 PM
bking claimed this task.Nov 12 2025, 4:33 PM
bking updated Other Assignee, added: BTullis.
bking added a subscriber: BTullis.
bking mentioned this in T409898: Set up OpenSearch instance supporting vector search.Nov 12 2025, 4:39 PM
bking mentioned this in T409941: Figure out/implement an OpenSearch docker image strategy.
gerritbot added a comment.Nov 12 2025, 4:57 PM

Change #1196949 merged by Bking:

[operations/puppet@production] Configure reprepro to mirror upstream opensearch2 and opensearch3 repos

https://gerrit.wikimedia.org/r/1196949

Maintenance_bot removed a project: Patch-For-Review.Nov 12 2025, 5:31 PM
gerritbot added a comment.Nov 12 2025, 6:13 PM

Change #1204639 had a related patch set uploaded (by Bking; author: Btullis):

[operations/puppet@production] Configure reprepro to mirror upstream opensearch2 and opensearch3 repos

https://gerrit.wikimedia.org/r/1204639

gerritbot added a project: Patch-For-Review.Nov 12 2025, 6:13 PM
gerritbot added a comment.Nov 13 2025, 2:25 PM

Change #1204639 merged by Bking:

[operations/puppet@production] Configure reprepro to mirror upstream opensearch2 and opensearch3 repos

https://gerrit.wikimedia.org/r/1204639

Maintenance_bot removed a project: Patch-For-Review.Nov 13 2025, 2:30 PM
gerritbot added a comment.Nov 19 2025, 4:19 PM

Change #1207195 had a related patch set uploaded (by Bking; author: DCausse):

[operations/puppet@production] apt: update opensearch3 key

https://gerrit.wikimedia.org/r/1207195

gerritbot added a project: Patch-For-Review.Nov 19 2025, 4:19 PM
gerritbot added a comment.Nov 20 2025, 7:46 PM

Change #1207195 merged by Bking:

[operations/puppet@production] apt: update opensearch3 key

https://gerrit.wikimedia.org/r/1207195

Maintenance_bot removed a project: Patch-For-Review.Nov 20 2025, 8:30 PM
gerritbot added a comment.Nov 20 2025, 10:24 PM

Change #1208020 had a related patch set uploaded (by Bking; author: Bking):

[operations/puppet@production] opensearch: Fix typo in repo GPG key filename.

https://gerrit.wikimedia.org/r/1208020

gerritbot added a project: Patch-For-Review.Nov 20 2025, 10:24 PM
gerritbot added a comment.Nov 20 2025, 10:36 PM

Change #1208020 merged by Bking:

[operations/puppet@production] opensearch: Fix typo in repo GPG key filename.

https://gerrit.wikimedia.org/r/1208020

bking updated the task description. (Show Details)Nov 20 2025, 11:14 PM
Maintenance_bot removed a project: Patch-For-Review.Nov 20 2025, 11:30 PM
colewhite added a subtask: T410795: Logstash: No longer able to install OpenSearch 2.7.0 from internal apt repo.Nov 21 2025, 10:21 PM
colewhite closed subtask T410795: Logstash: No longer able to install OpenSearch 2.7.0 from internal apt repo as Resolved.Nov 25 2025, 12:04 AM
bking added a comment.EditedDec 15 2025, 3:35 PM

I took another look at this today, as we (DPE SRE) are starting to build our first Docker images from the upstream package. Suddenly, I realize that I don't know enough about how our repo mirroring works. Let me explain:

If I configure the upstream OpenSearch 2.x repo , I can see many different versions of the 2.x release:

 apt policy opensearch
opensearch:
  Installed: (none)
  Candidate: 2.19.4
  Version table:
     2.19.4 500
        500 https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable/main amd64 Packages
     2.19.3 500
        500 https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable/main amd64 Packages
     2.19.2 500
        500 https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable/main amd64 Packages
     2.19.1 500
        500 https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable/main amd64 Packages
     2.19.0 500
        500 https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable/main amd64 Packages
     2.18.0 500
        500 https://artifacts.opensearch.org/releases/bundle/
[...]
     2.5.0 500
        500 https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable/main amd64 Packages

But if I use our mirror, I only see the latest available version:

apt policy opensearch
opensearch:
  Installed: (none)
  Candidate: 2.19.4
  Version table:
     2.19.4 1001
       1001 http://apt.wikimedia.org/wikimedia bookworm-wikimedia/thirdparty/opensearch2 amd64 Packages

We would prefer to have older versions of the package in the repo as well, if possible. Maybe I missed a setting or something when I set up a mirror? I'll go back and consult the docs, and I've also pinged in #wikimedia-sre-foundations IRC.

bking added a subscriber: Muehlenhoff.EditedDec 15 2025, 3:45 PM

Checking the docs, it seems that reprepro doesn't support hosting multiple versions of the same package in the repo:

If you need to keep multiple versions of the same package in the repo, you will need to create versioned components, as reprepro doesn't support keeping foo_10-1.deb and foo_20-1.deb at the same time in the same component.

@Muehlenhoff can you confirm that there is no supported way to host multiple versions of the same package in the same repo at the moment?

MoritzMuehlenhoff subscribed.Dec 16 2025, 12:47 PM
In T407123#11460859, @bking wrote:

Checking the docs, it seems that reprepro doesn't support hosting multiple versions of the same package in the repo:

If you need to keep multiple versions of the same package in the repo, you will need to create versioned components, as reprepro doesn't support keeping foo_10-1.deb and foo_20-1.deb at the same time in the same component.

@Muehlenhoff can you confirm that there is no supported way to host multiple versions of the same package in the same repo at the moment?

Depends on what you plan to do:
You can't have opensearch_1.0.deb, opensearch_2.0 and opensearch_3.0 in the same component, but it's possible to have to opensearch_1.0.deb in component/opensearch1, opensearch_2.0 in component/opensearch2 and opensearch_3.0 in component/opensearch3. We're already following this scheme for a lot of components like Elastic already, so maybe I misunderstand your question?

bking moved this task from Needs Review to In Progress on the Data-Platform-SRE (2025.11.07 - 2025.11.28) board.Dec 16 2025, 3:36 PM
bking added a comment.EditedDec 17 2025, 3:27 PM

Closing the loop for IRC conversation with @Muehlenhoff :

  1. Reprepro does not support hosting multiple minor versions of the upstream repo in the same component. This is not a dealbreaker as we have never had a problem with minor version updates of Elasticsearch/OpenSearch. We can be careful in other ways (gradual rollouts).
  1. Infrastructure Foundations will be responsible for checking the upstream repo and notifying us/updating the repo if there are any security issues.
bking closed this task as Resolved.Tue, Dec 23, 3:18 PM
bking updated the task description. (Show Details)
bking moved this task from In Progress to Done on the Data-Platform-SRE (2025.11.07 - 2025.11.28) board.

I tried copying to Bullseye today, and it looks like someone already beat me to it:

 sudo -i reprepro copy bullseye-wikimedia bookworm-wikimedia opensearch
Warning: replacing 'opensearch' version '2.19.4' with equal version '2.19.4' in 'bullseye-wikimedia|thirdparty/opensearch2|amd64'!
Exporting indices...

This means the AC is completed. Closing...

Gehel edited projects, added Data-Platform-SRE (2026.01.05 - 2026.01.23); removed Data-Platform-SRE (2025.11.07 - 2025.11.28).Thu, Jan 8, 1:13 PM
Gehel moved this task from Backlog - project to Done on the Data-Platform-SRE (2026.01.05 - 2026.01.23) board.
Gehel moved this task from Done to Reported on the Data-Platform-SRE (2026.01.05 - 2026.01.23) board.Fri, Jan 9, 2:08 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits