Last modified: 2013-12-13 15:18:29 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and except for displaying bug reports and their history, links might be broken. See T47868, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 45868 - [OPS] let instances access *.beta.wmflabs public IP (NAT issue in labs)
[OPS] let instances access *.beta.wmflabs public IP (NAT issue in labs)
Status: RESOLVED FIXED
Product: Wikimedia Labs
Classification: Unclassified
Component: deployment-prep (beta)
Version: unspecified
Hardware: All
OS: All
Importance: Normal minor
Target Milestone: ---
Assigned To: Antoine "hashar" Musso (WMF)
Keywords: ops
Duplicates: 49300
Depends on: 49300
Blocks:
Reported: 2013-03-08 00:18 UTC by Antoine "hashar" Musso (WMF)
Modified: 2013-12-13 15:18 UTC (History)


Description Antoine "hashar" Musso (WMF) 2013-03-08 00:18:14 UTC
The search indexer instance attempts to reach *.beta.wmflabs.org, which points to a public IP that is part of labs. That does not work.

A hacky quick solution would be to rewrite any request sent from the search indexer for the squid public IP (208.80.153.219) to use the internal squid instance private IP.
Comment 1 Antoine "hashar" Musso (WMF) 2013-03-08 01:17:41 UTC
The iptables rule would be:

iptables -t nat -I OUTPUT --dest 208.80.153.219 -j DNAT --to-dest 10.4.0.17
Comment 2 Antoine "hashar" Musso (WMF) 2013-03-08 01:35:43 UTC
Needs to be puppetized.
Comment 3 Antoine "hashar" Musso (WMF) 2013-03-11 05:22:56 UTC
Mailed ops to figure out how to get the iptables rule puppetized.
Comment 4 Antoine "hashar" Musso (WMF) 2013-03-26 12:18:52 UTC
I have no idea how to puppetize the iptables rule mentioned in comment #1. So I have filed RT #4824, which lists the mail exchanges on the ops mailing list.
Comment 5 Antoine "hashar" Musso (WMF) 2013-07-02 12:54:07 UTC
The same issue happens on deployment-upload.pmtpa.wmflabs, which is an internal proxy for thumbnail generation.
Comment 6 Antoine "hashar" Musso (WMF) 2013-07-02 12:56:03 UTC
The text cache has been migrated out of deployment-squid [10.4.0.17] to a varnish instance, deployment-cache-text1 [10.4.1.133].

The iptables command is thus:

  iptables -t nat -I OUTPUT --dest 208.80.153.219 -j DNAT --to-dest 10.4.1.133
Comment 7 Antoine "hashar" Musso (WMF) 2013-07-02 13:10:42 UTC
(In reply to comment #5)
> same issue happens on deployment-upload.pmtpa.wmflabs which is an internal
> proxy for thumbnails generation.

That was unrelated. The thumb handler points directly to the varnish cache via its private IP.
Comment 8 Antoine "hashar" Musso (WMF) 2013-09-19 22:05:37 UTC
Rephrasing summary.

Wikidata is hit by the same issue (was bug 49300) when some script attempts to access:
http://en.wikipedia.beta.wmflabs.org/w/api.php?action=query&prop=info&redirects=1&converttitles=1&format=json&titles=Keyboard+Cat

The RT is https://rt.wikimedia.org/Ticket/Display.html?id=4824

The workaround is to use an iptables rule to rewrite network packets:

  iptables -t nat -I OUTPUT --dest 208.80.153.219 -j DNAT --to-dest 10.4.1.133
Comment 9 Antoine "hashar" Musso (WMF) 2013-09-19 22:06:12 UTC
*** Bug 49300 has been marked as a duplicate of this bug. ***
Comment 10 Antoine "hashar" Musso (WMF) 2013-09-24 13:44:48 UTC
The iptables commands for all the beta public IPs:

 iptables -t nat -I OUTPUT --dest 208.80.153.219 -j DNAT --to-dest 10.4.1.133
 iptables -t nat -I OUTPUT --dest 208.80.153.242 -j DNAT --to-dest 10.4.0.211
 iptables -t nat -I OUTPUT --dest 208.80.153.243 -j DNAT --to-dest 10.4.0.51
 iptables -t nat -I OUTPUT --dest 208.80.153.244 -j DNAT --to-dest 10.4.0.48
 iptables -t nat -I OUTPUT --dest 208.80.153.243 -j DNAT --to-dest 10.4.1.82
Comment 11 Antoine "hashar" Musso (WMF) 2013-12-13 14:37:16 UTC
https://gerrit.wikimedia.org/r/#/c/101192/ converts the above iptables rules to ferm.  They can be applied on instances using the puppet class role::beta::natfixup.

I have applied the class on the following instances:

 deployment-apache32
 deployment-apache33
 deployment-bastion
 deployment-jobrunner08
 deployment-parsoid2
 deployment-video06
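The rules in comments 10 and 11 are a public-IP to private-IP table applied as DNAT rules on the OUTPUT chain of each instance, and once puppet (via ferm) re-applies them on every run they have to be idempotent. The script below is an added example, not Wikimedia's puppet/ferm code or the role::beta::natfixup class: it renders the same rule shape from a mapping table, refuses a table where one public IP is mapped twice (with `-I` every rule is inserted at the top of the chain, so the last pair inserted would silently win), and only inserts a rule when `iptables -C` reports it is not already present. The `DRY_RUN` switch and the function names are assumptions of this example; the mapping is constructed from the first four rules posted in comment 10.

```shell
#!/bin/sh
# Hypothetical helper (not Wikimedia's puppet/ferm code): render and apply the
# OUTPUT-chain DNAT rules from a "public private" mapping, idempotently.

# Constructed mapping, one "public private" pair per line, taken from the
# rules posted in the bug report (one entry per public IP).
NAT_MAP='208.80.153.219 10.4.1.133
208.80.153.242 10.4.0.211
208.80.153.243 10.4.0.51
208.80.153.244 10.4.0.48'

# Print the rule specification (everything after the -I/-C verb) for one pair.
dnat_spec() {
    printf 'OUTPUT --dest %s -j DNAT --to-dest %s' "$1" "$2"
}

# Print the full insert command for one pair, exactly as it appears in the report.
dnat_rule() {
    printf 'iptables -t nat -I %s\n' "$(dnat_spec "$1" "$2")"
}

# Succeed only if every public IP appears at most once in the mapping.
# Because each rule is inserted at the top of the chain with -I, a duplicate
# public IP would make whichever pair is applied last take effect.
check_unique() {
    dups=$(printf '%s\n' "$1" | awk '{print $1}' | sort | uniq -d)
    [ -z "$dups" ]
}

# Apply the mapping. With DRY_RUN=1 only print the commands; otherwise use
# "iptables -C" to skip rules that already exist, so a rerun (for example from
# a configuration-management agent) does not stack duplicate rules.
apply_nat_map() {
    check_unique "$1" || { echo "duplicate public IP in mapping" >&2; return 1; }
    printf '%s\n' "$1" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            dnat_rule "$pub" "$priv"
        elif ! iptables -t nat -C $(dnat_spec "$pub" "$priv") 2>/dev/null; then
            iptables -t nat -I $(dnat_spec "$pub" "$priv")
        fi
    done
}
```

Run as `DRY_RUN=1 sh natfixup.sh` style (source the file and call `apply_nat_map "$NAT_MAP"`) to see the four commands without root; without `DRY_RUN` it needs root and a kernel with the nat table, and can be run repeatedly without adding duplicate rules.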
Comment 12 Gerrit Notification Bot 2013-12-13 14:53:37 UTC
Change 101209 had a related patch set uploaded by Hashar:
beta: ferm on appservers must allow port 80

https://gerrit.wikimedia.org/r/101209
Comment 13 Gerrit Notification Bot 2013-12-13 14:53:45 UTC
Change 101210 had a related patch set uploaded by Hashar:
role::parsoid::beta must allow port 8080

https://gerrit.wikimedia.org/r/101210
Comment 14 Gerrit Notification Bot 2013-12-13 15:11:12 UTC
Change 101209 merged by ArielGlenn:
beta: ferm on appservers must allow port 80

https://gerrit.wikimedia.org/r/101209
Comment 15 Gerrit Notification Bot 2013-12-13 15:15:10 UTC
Change 101210 merged by ArielGlenn:
role::parsoid::beta must allow port 8000

https://gerrit.wikimedia.org/r/101210
Comment 16 Antoine "hashar" Musso (WMF) 2013-12-13 15:18:29 UTC
Everything working again now. I will close the related RT #4824.
