Page MenuHomePhabricator
Create Task
Maniphest T285104

Deploy Shellbox instance (shellbox-constraints) for Wikidata constraint regexes
Closed, ResolvedPublic
Actions

Description

Description: T176312: Don’t check format constraint via SPARQL (safely evaluating user-provided regular expressions)
Timeline: <A desired timeline>
Diagram: <Link to an architectural diagram>
Technologies: PHP, bash
Point persons: @Legoktm, Wikidata team (Initial deployment: @Ladsgroup @Addshore @Lucas_Werkmeister_WMDE)

This is being run in a separate instance from Score Shellbox for better isolation and the performance characteristics will be rather different.

  • helm chart: already done
  • shellbox-constraints namespaces in k8s
  • shellbox-constraints accounts in k8s. ??
  • shellbox-constraints puppet private tokens.
  • Generate TLS certificates
  • Review helmfile.d files:
  • LVS setup
  • DNS for LVS records
  • Discovery DNS
  • envoy proxy
  • Monitoring dashboard
  • Integration and Acceptance tests

Details

Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

Legoktm created this task.Jun 17 2021, 5:46 PM
Restricted Application added projects: Services, SRE. · View Herald TranscriptJun 17 2021, 5:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Maintenance_bot added a project: Wikidata.Jun 17 2021, 6:45 PM
Restricted Application added a project: [DEPRECATED] wdwb-tech. · View Herald TranscriptJun 17 2021, 6:45 PM
Ladsgroup updated the task description. (Show Details)Jun 18 2021, 3:03 AM
Ladsgroup added subscribers: Lucas_Werkmeister_WMDE, Addshore.
Ladsgroup updated the task description. (Show Details)Jun 18 2021, 3:07 AM
jbond triaged this task as Medium priority.Jun 21 2021, 2:46 PM
Addshore moved this task from Inbox to External Realm on the [DEPRECATED] wdwb-tech board.Jun 22 2021, 9:01 AM
JMeybohm subscribed.Jun 23 2021, 9:04 AM
Ladsgroup closed subtask T285105: MediaWiki should support routing to different shellbox instances as Resolved.Jun 23 2021, 1:23 PM
Addshore added a comment.Jul 1 2021, 10:55 PM

Any idea on a timeline for being able to get this ticket moving?
It's blocking T176312 which is in turn blocking T204031!

Ladsgroup added a comment.Jul 2 2021, 9:35 AM

The main person working on this is Kunal and he was busy with deploying shellbox for Score last week and dc switchover, next week is WMF holiday so I guess the week after that we can start looking at it (/me secretly wishes we had several clones of Kunal)

Addshore added a comment.Jul 16 2021, 9:25 AM
In T285104#7193129, @Ladsgroup wrote:

The main person working on this is Kunal and he was busy with deploying shellbox for Score last week and dc switchover, next week is WMF holiday so I guess the week after that we can start looking at it (/me secretly wishes we had several clones of Kunal)

If I'm correct that's this week? :D

Ladsgroup added a comment.Jul 16 2021, 9:41 AM

Yeah, we're looking at it :D It will take a bit of time, there some open questions like LVS or ingress we need to adrress

Michael subscribed.Jul 27 2021, 9:07 AM
Michael added a comment.Jul 27 2021, 9:10 AM

Is there an update on this? Anything we (WMDE) can do to help this move forward?

Ladsgroup added a comment.Jul 27 2021, 9:10 AM

I'm on it

Michael mentioned this in T204031: Deploy regular running of wikidata constraint checks using the job queue.Jul 27 2021, 9:11 AM
Joe subscribed.Jul 27 2021, 3:00 PM

I think there are two options, depending on the level of security we want to achieve and the urgency of bringing this to production:

  1. We just point to the current installation and it should just work(TM). But we'd need to perform a small migration afterwards.
  2. We wait for Serviceops to set up an ingress properly, which is next in line for us, and we do a proper separate shellbox deployment for this. It will take more time but will in the end cost less.

Depending on:

  • When will this be needed?
  • How stringent are the isolation needs?

we can pick the best option.

Michael added a comment.Jul 27 2021, 3:43 PM
In T285104#7239822, @Joe wrote:

I think there are two options, depending on the level of security we want to achieve and the urgency of bringing this to production:

  1. We just point to the current installation and it should just work(TM). But we'd need to perform a small migration afterwards.
  2. We wait for Serviceops to set up an ingress properly, which is next in line for us, and we do a proper separate shellbox deployment for this. It will take more time but will in the end cost less.

Can you give us a very rough idea what "more time" here means? Are talking about a small number of weeks, or are we talking about 6 months?

Depending on:

  • When will this be needed?

It would be nice to unblock those tasks, but we lived with the current situation for so long, a bit more time won't make a huge difference, I think.

  • How stringent are the isolation needs?

I'm not entirely sure, tbh. My limited understanding was that all this effort is made in order to guard against malicious regex attacks in a more efficient way. So in that sense, more isolation might be preferable? But I'm really not the expert here, @Ladsgroup or @Lucas_Werkmeister_WMDE can probably give a more authoritative answer and correct the rubbish that I'm talking.

Ladsgroup added a comment.Jul 27 2021, 3:49 PM
In T285104#7239822, @Joe wrote:

I think there are two options, depending on the level of security we want to achieve and the urgency of bringing this to production:

  1. We just point to the current installation and it should just work(TM). But we'd need to perform a small migration afterwards.

To make things even more complicated, I want to say that the config is a ratio so we can start by sending only 1% of these regexes to shellbox to make sure everything works fine and nothing explodes majestically and slowly increase it. If we hit shellbox limits in matter of resources, we can tune the ratio down.

I like to do that to at least make sure the setup works, we can for example send 10% to the main shellbox (and 90% to wdqs) and wait until ingress is setup and then simply move to that path and increase it to 100%. Would that work?

Legoktm added a comment.Jul 27 2021, 8:58 PM
In T285104#7240005, @Michael wrote:
In T285104#7239822, @Joe wrote:
  • How stringent are the isolation needs?

I'm not entirely sure, tbh. My limited understanding was that all this effort is made in order to guard against malicious regex attacks in a more efficient way. So in that sense, more isolation might be preferable? But I'm really not the expert here, @Ladsgroup or @Lucas_Werkmeister_WMDE can probably give a more authoritative answer and correct the rubbish that I'm talking.

I don't think this service has strong isolation requirements, but Shellbox for Score/lilypond does. I would much rather have this be a separate shellbox install mostly so lilypond/ghostscript/lame are isolated.

Legoktm added a comment.Jul 27 2021, 9:01 PM
In T285104#7239822, @Joe wrote:

I think there are two options, depending on the level of security we want to achieve and the urgency of bringing this to production:

  1. We just point to the current installation and it should just work(TM). But we'd need to perform a small migration afterwards.
  2. We wait for Serviceops to set up an ingress properly, which is next in line for us, and we do a proper separate shellbox deployment for this. It will take more time but will in the end cost less.

Also #3, which is to set up another LVS endpoint for this, separate, Shellbox instance. Which is not technically nice, but nothing blocking us from doing it right now.

Legoktm mentioned this in T261277: Create a gateway in kubernetes for the execution of our "lambdas".Jul 29 2021, 6:08 AM
gerritbot added a comment.Jul 30 2021, 6:57 PM

Change 709093 had a related patch set uploaded (by Legoktm; author: Legoktm):

[mediawiki/libs/Shellbox@master] pipeline: Publish plain Shellbox image for RPC usage

https://gerrit.wikimedia.org/r/709093

gerritbot added a project: Patch-For-Review.Jul 30 2021, 6:57 PM
gerritbot added a comment.Jul 30 2021, 7:26 PM

Change 709097 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/puppet@production] Add tokens and users for shellbox-constraints service

https://gerrit.wikimedia.org/r/709097

gerritbot added a comment.Jul 30 2021, 8:23 PM

Change 709093 merged by jenkins-bot:

[mediawiki/libs/Shellbox@master] pipeline: Publish plain Shellbox image for RPC usage

https://gerrit.wikimedia.org/r/709093

gerritbot added a comment.Jul 30 2021, 8:44 PM

Change 709104 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/deployment-charts@master] Add shellbox-constraints namespace

https://gerrit.wikimedia.org/r/709104

gerritbot added a comment.Jul 30 2021, 8:57 PM

Change 709106 had a related patch set uploaded (by Legoktm; author: Legoktm):

[labs/private@master] Add tokens for shellbox-constraints service

https://gerrit.wikimedia.org/r/709106

gerritbot added a comment.Jul 30 2021, 8:58 PM

Change 709106 merged by Legoktm:

[labs/private@master] Add tokens for shellbox-constraints service

https://gerrit.wikimedia.org/r/709106

Legoktm mentioned this in rLPRId0c718b69255: Add tokens for shellbox-constraints service.Jul 30 2021, 9:00 PM
gerritbot added a comment.Jul 30 2021, 9:08 PM

Change 709108 had a related patch set uploaded (by Legoktm; author: Legoktm):

[labs/private@master] Add k8s shellbox and shellbox-constraints users

https://gerrit.wikimedia.org/r/709108

gerritbot added a comment.Jul 30 2021, 9:08 PM

Change 709108 merged by Legoktm:

[labs/private@master] Add k8s shellbox and shellbox-constraints users

https://gerrit.wikimedia.org/r/709108

Legoktm mentioned this in rLPRIc1eefffbb18d: Add k8s shellbox and shellbox-constraints users.Jul 30 2021, 9:08 PM
gerritbot added a comment.Jul 30 2021, 9:12 PM

Change 709097 merged by Legoktm:

[operations/puppet@production] Add tokens and users for shellbox-constraints service

https://gerrit.wikimedia.org/r/709097

gerritbot added a comment.Jul 30 2021, 9:15 PM

Change 709104 merged by jenkins-bot:

[operations/deployment-charts@master] Add shellbox-constraints namespace

https://gerrit.wikimedia.org/r/709104

Legoktm updated the task description. (Show Details)Jul 30 2021, 9:51 PM
gerritbot added a comment.Jul 30 2021, 10:03 PM

Change 709114 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/deployment-charts@master] Add helmfile.d for shellbox-constraints

https://gerrit.wikimedia.org/r/709114

gerritbot added a comment.Jul 30 2021, 10:38 PM

Change 709114 merged by jenkins-bot:

[operations/deployment-charts@master] Add helmfile.d for shellbox-constraints

https://gerrit.wikimedia.org/r/709114

Legoktm added a comment.Jul 30 2021, 10:48 PM
$ curl https://staging.svc.eqiad.wmnet:4010/healthz
{
    "__": "Shellbox running",
    "pid": 9
}

Next steps are to generate TLS certs, deploy to eqiad/codfw clusters, and then set up LVS.

Legoktm updated the task description. (Show Details)Aug 2 2021, 11:38 PM
gerritbot added a comment.Aug 3 2021, 12:15 AM

Change 709566 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/puppet@production] Add shellbox-constraints to LVS

https://gerrit.wikimedia.org/r/709566

gerritbot added a comment.Aug 3 2021, 12:15 AM

Change 709567 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/puppet@production] service: Switch shellbox-constraints to lvs_setup

https://gerrit.wikimedia.org/r/709567

gerritbot added a comment.Aug 3 2021, 12:15 AM

Change 709568 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/puppet@production] service: Switch shellbox-constraints to monitoring_setup

https://gerrit.wikimedia.org/r/709568

gerritbot added a comment.Aug 3 2021, 12:15 AM

Change 709569 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/puppet@production] service: Switch shellbox-constraints to production

https://gerrit.wikimedia.org/r/709569

gerritbot added a comment.Aug 3 2021, 12:16 AM

Change 709571 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/dns@master] Add shellbox-constraints.svc.{codfw,eqiad}.wmnet

https://gerrit.wikimedia.org/r/709571

gerritbot added a comment.Aug 3 2021, 12:16 AM

Change 709572 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/dns@master] Add shellbox-constraints to discovery

https://gerrit.wikimedia.org/r/709572

gerritbot added a comment.Aug 4 2021, 8:09 AM

Change 709566 merged by Legoktm:

[operations/puppet@production] Add shellbox-constraints to LVS

https://gerrit.wikimedia.org/r/709566

gerritbot added a comment.Aug 4 2021, 8:13 AM

Change 709567 merged by Legoktm:

[operations/puppet@production] service: Switch shellbox-constraints to lvs_setup

https://gerrit.wikimedia.org/r/709567

gerritbot added a comment.Aug 4 2021, 8:33 AM

Change 709571 merged by Legoktm:

[operations/dns@master] Add shellbox-constraints.svc.{codfw,eqiad}.wmnet

https://gerrit.wikimedia.org/r/709571

gerritbot added a comment.Aug 4 2021, 8:36 AM

Change 709568 merged by Legoktm:

[operations/puppet@production] service: Switch shellbox-constraints to monitoring_setup

https://gerrit.wikimedia.org/r/709568

gerritbot added a comment.Aug 4 2021, 8:45 AM

Change 709569 merged by Legoktm:

[operations/puppet@production] service: Switch shellbox-constraints to production

https://gerrit.wikimedia.org/r/709569

gerritbot added a comment.Aug 4 2021, 8:53 AM

Change 709572 merged by Legoktm:

[operations/dns@master] Add shellbox-constraints to discovery

https://gerrit.wikimedia.org/r/709572

gerritbot added a comment.Aug 4 2021, 9:02 AM

Change 709960 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/puppet@production] services_proxy: Add envoyproxy for shellbox-constraints

https://gerrit.wikimedia.org/r/709960

Legoktm updated the task description. (Show Details)Aug 4 2021, 9:05 AM
gerritbot added a comment.Aug 4 2021, 8:08 PM

Change 710109 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/deployment-charts@master] mwdebug: Add shellbox-constraints envoyproxy

https://gerrit.wikimedia.org/r/710109

gerritbot added a comment.Aug 4 2021, 8:10 PM

Change 709960 merged by Legoktm:

[operations/puppet@production] services_proxy: Add envoyproxy for shellbox-constraints

https://gerrit.wikimedia.org/r/709960

gerritbot added a comment.Aug 4 2021, 8:19 PM

Change 710109 merged by jenkins-bot:

[operations/deployment-charts@master] mwdebug: Add shellbox-constraints envoyproxy

https://gerrit.wikimedia.org/r/710109

Legoktm updated the task description. (Show Details)Aug 4 2021, 8:29 PM
Legoktm closed this task as Resolved.Aug 5 2021, 10:38 PM
Legoktm claimed this task.
Legoktm updated the task description. (Show Details)

I'm going to close this as resolved as I believe everything is now set up on the k8s/SRE side of things, though there will be additional tuning needed as the rollout progresses, which is happening on T176312: Don’t check format constraint via SPARQL (safely evaluating user-provided regular expressions).

Ladsgroup added a comment.Aug 6 2021, 6:42 AM

Thanks <3

gerritbot added a comment.Aug 11 2021, 1:33 AM

Change 711245 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/puppet@production] configmaster: Add shellbox-constraints to disc_desired_state

https://gerrit.wikimedia.org/r/711245

gerritbot added a comment.Aug 11 2021, 1:40 AM

Change 711245 merged by Legoktm:

[operations/puppet@production] configmaster: Add shellbox-constraints to disc_desired_state

https://gerrit.wikimedia.org/r/711245

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL