Page MenuHomePhabricator
Create Task
Maniphest T92604

IPSec: roll-out plan
Closed, ResolvedPublic
Actions

Description

This task is to plan the incremental deployment of IPsec transports in production.

The smallest fraction of production traffic may be moved to IPsec transport by selecting one pair of nodes from the largest pools: one text node in ESAMS + one in EQIAD. Alternately, we could do one pair of nodes from the upload pool so that in the worst case a failure will only result in images not loading rather than a page not loading.

Because firewalls enforcing IPsec transport have not been configured (T85823), any failure to establish encrypted transport is expected to result in uninterrupted communication between affected hosts via standard unencrypted transport. In the case that traffic is interrupted for any reason, a fall back can be affected by executing 'ipsec-global down' on at least one of the affected nodes, as described in T88536.

Once this milestone is passed and we are satisfied with the function and performance of this single pair of nodes, deployment will continue with application of the ipsec role to greater numbers of text caches, and following a similar strategy for other cache classes.

Details

SubjectRepoBranchLines +/-
enable ipsec for all upload cachesoperations/puppetproduction+2 -6
enable upload ipsec for eqiad + cp3034 for upload-reload testingoperations/puppetproduction+6 -2
enable ipsec for mobile and bits clustersoperations/puppetproduction+6 -6
enable ipsec on ulsfo text clusteroperations/puppetproduction+1 -1
enable ipsec on all remaining esams textoperations/puppetproduction+1 -1
enable ipsec on cp3031,40,41operations/puppetproduction+1 -5
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 DuplicateNoneT101339 Expand misc cluster into cache PoPs
 Resolved GageT81543 Enable IPSec between datacenters
 ResolvedBBlackT92604 IPSec: roll-out plan
 ResolvedBBlackT94417 Fix ipv6 autoconf issues

Event Timeline

Gage created this task.Mar 13 2015, 5:36 AM
Gage raised the priority of this task from to Needs Triage.
Gage updated the task description. (Show Details)
Gage added projects: Interdatacenter-IPsec, acl*sre-team.
Gage subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 13 2015, 5:36 AM
Gage mentioned this in T85823: IPsec: add firewall rules.Mar 13 2015, 5:37 AM
BBlack added a subtask: T94417: Fix ipv6 autoconf issues.Mar 30 2015, 3:33 PM
Gage claimed this task.Mar 30 2015, 4:41 PM
Gage triaged this task as Medium priority.
Gage set Security to None.
BBlack mentioned this in T81543: Enable IPSec between datacenters.May 3 2015, 11:19 PM
Gage updated the task description. (Show Details)May 4 2015, 5:52 PM
BBlack closed subtask T94417: Fix ipv6 autoconf issues as Resolved.May 28 2015, 6:53 PM
jayvdb subscribed.Jun 13 2015, 1:58 AM
BBlack subscribed.Jul 29 2015, 1:26 AM

Status update:

  • ipsec puppet role is running on
    • codfw: all multi-tier cache clusters (text, mobile, bits, upload)
    • eqiad: only the text cluster
    • esams: only cp3030 (text cluster)
    • ulsfo: none

The net of this is that only cp3030 is actually using ipsec in practice, and with the changes today all of its backhaul to eqiad (and in theory, codfw too) is ipsec. This finally gives us a full picture of the perf impact of full ipsec deployment on a tier2 cache node. Will watch stats there as we ramp into the next EU daytime and then move forward as appropriate.

The probable next steps are:

  1. Ramp in the rest of the cp30xx text-cluster nodes, which will show us a somewhat-full load on the tier1 side on the eqiad text clusters. Should be pretty unsurprising once we've seen the tier2 impact.
  2. Turn on ulsfo text-cluster as well, which gives us full ipsec for the text cluster globally at that point.
  3. Turn on the other multi-tier clusters: mobile, upload, bits (unless bits goes away before we get to this step).
Restricted Application added a subscriber: Matanya. · View Herald TranscriptJul 29 2015, 1:26 AM
BBlack added a parent task: T81543: Enable IPSec between datacenters.Jul 29 2015, 1:27 AM
gerritbot subscribed.Jul 29 2015, 1:14 PM

Change 227692 had a related patch set uploaded (by BBlack):
enable ipsec on cp3031,40,41

https://gerrit.wikimedia.org/r/227692

gerritbot added a project: Patch-For-Review.Jul 29 2015, 1:14 PM

Change 227693 had a related patch set uploaded (by BBlack):
enable ipsec on all remaining esams text

https://gerrit.wikimedia.org/r/227693

BBlack added a comment.Jul 29 2015, 1:14 PM

CPU impact on cp3030 seems to be minimal. You can see it if you squint at the graph, but it's not significant in any decision-making sort of way. Moving forward today with remainder of text cluster in pieces.

BBlack added a comment.Jul 29 2015, 1:16 PM

However, I forget to test another scenario: should do a cache wipe (backend + frontend) on a depooled cp3030 and then repool it, to see the ipsec spike from cache reload. Will do that before turning on any more nodes in esams.

BBlack added a comment.Jul 29 2015, 1:41 PM

Cache-wipe test didn't induce any notable spike, probably because the order-of-magnitude (or more) traffic reduction we see from fe->be in the text-cache case makes text-cache backend dataset reloads pretty slow and relatively insignificant. Proceeding with remainder of text rollout.

Should do a similar isolated test for the upload caches as well before fully enabling that cluster, as their backend dataset is much more active and thus could have more impact on reload.

BBlack renamed this task from IPsec: roll-out plan to IPSec: roll-out plan.Jul 29 2015, 1:44 PM
BBlack claimed this task.
gerritbot added a comment.Jul 29 2015, 1:49 PM

Change 227692 merged by BBlack:
enable ipsec on cp3031,40,41

https://gerrit.wikimedia.org/r/227692

gerritbot added a comment.Jul 29 2015, 2:57 PM

Change 227693 merged by BBlack:
enable ipsec on all remaining esams text

https://gerrit.wikimedia.org/r/227693

BBlack added a comment.Jul 29 2015, 3:07 PM

Update: all of esams text cluster is now using ipsec for backhaul to tier1.

gerritbot added a comment.Jul 29 2015, 8:02 PM

Change 227867 had a related patch set uploaded (by BBlack):
enable ipsec on ulsfo text cluster

https://gerrit.wikimedia.org/r/227867

gerritbot added a comment.Jul 29 2015, 8:05 PM

Change 227867 merged by BBlack:
enable ipsec on ulsfo text cluster

https://gerrit.wikimedia.org/r/227867

Nemo_bis subscribed.Jul 29 2015, 8:06 PM
BBlack added a comment.Jul 29 2015, 8:14 PM

Update: all of the text cluster has ipsec turned on globally now. Holding here until tomorrow in case there's some subtle fallout not yet being observed.

gerritbot added a comment.Jul 30 2015, 11:45 AM

Change 227980 had a related patch set uploaded (by BBlack):
enable ipsec for mobile and bits clusters

https://gerrit.wikimedia.org/r/227980

gerritbot added a comment.Jul 30 2015, 11:46 AM

Change 227980 merged by BBlack:
enable ipsec for mobile and bits clusters

https://gerrit.wikimedia.org/r/227980

BBlack mentioned this in rOPUP8672aff3b407: enable ipsec on cp3031,40,41.Jul 30 2015, 10:16 PM
BBlack mentioned this in rOPUPb1d0a55005a5: enable ipsec on all remaining esams text.
BBlack mentioned this in rOPUP333abb149dcd: enable ipsec on ulsfo text cluster.
BBlack mentioned this in rOPUPe0d0c4655c8c: enable ipsec for mobile and bits clusters.
gerritbot added a comment.Aug 3 2015, 2:03 PM

Change 228811 had a related patch set uploaded (by BBlack):
enable upload ipsec for eqiad cp3034 for upload-reload testing

https://gerrit.wikimedia.org/r/228811

gerritbot added a comment.Aug 3 2015, 2:06 PM

Change 228811 merged by BBlack:
enable upload ipsec for eqiad cp3034 for upload-reload testing

https://gerrit.wikimedia.org/r/228811

BBlack mentioned this in rOPUP4966e697fd4b: enable upload ipsec for eqiad + cp3034 for upload-reload testing.Aug 3 2015, 2:07 PM
BBlack added a comment.Aug 3 2015, 3:29 PM

cp3034 (upload esams) has had all its backhaul to eqiad over ipsec now for ~1h. CPU impact is, again, virtually non-existent. Attempting wipe-test now.

BBlack added a comment.Aug 3 2015, 3:40 PM

Wipe-test success. The cpu bump in iowait% from rewriting the cache (which is also minor) is easier to see than any from the related extra crypto.

gerritbot added a comment.Aug 3 2015, 3:42 PM

Change 228838 had a related patch set uploaded (by BBlack):
enable ipsec for all upload caches

https://gerrit.wikimedia.org/r/228838

gerritbot added a comment.Aug 3 2015, 3:44 PM

Change 228838 merged by BBlack:
enable ipsec for all upload caches

https://gerrit.wikimedia.org/r/228838

BBlack mentioned this in rOPUP090a4df593e1: enable ipsec for all upload caches.Aug 3 2015, 3:44 PM
BBlack closed this task as Resolved.Aug 3 2015, 3:56 PM

ipsec is active for all of the primary clusters for cache<->cache from tier2 to tier1: text, upload, mobile, bits. bits doesn't technically protect anything since its inter-DC traffic is via-LVS, but that cluster is going away ASAP regardless and isn't handling much of the traditional bits traffic anymore anyways.

Nemo_bis awarded a token.Aug 3 2015, 8:06 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits