Hi! I am Southparkfan; co-founder and system administrator for Miraheze. I am responsible for the smooth operation of Miraheze's servers, which includes applying configuration changes, conducting maintenance and incident investigations, performance tuning, monitoring the servers and other miscellaneous tasks.
You can usually find me on IRC in the #miraheze channel on chat.freenode.net.
Running dump from db11 to dbbackup1:/srv/backups/db11. @Paladox and I are around to monitor.
New performance test (using sshfs setup, 4 mydumper threads):
For reference: mydumper is superior to mysqldump due to its better performance (using multiple threads) and the flexibility (PCRE based table inclusion/exclusion) in conjunction with transaction consistency and (almost) no locking (no read-only time required during backups). However, mydumper does not support TLS in connections, so dumping must happen at the database master.
/healthcheck = Meta's Main Page. We're already monitoring that.
I would recommend we do one that loads quite a few resources (eg. Images, javascript etc)
The blackbox exporter does not monitor subsequent requests, such as resources (images?) used on an article. We can monitor that though, but you'll need to provide specific URLs. :)
We have the blackbox exporter for this. Can we help you by monitoring specific URLs?
There are more use cases than MediaWiki only. For example, I would like to monitor SSH authentication attempts and access logs of non-MediaWiki services, which is a task for us, not for the MediaWiki team. The proof of concept above was tailored for MediaWiki logs, because said logs have a higher priority.
Proof of concept:
/etc/prometheus-es-exporter/mediawiki.cfg:
[query_log_mediawiki]
QueryIntervalSecs = 900
QueryIndices = <graylog_deflector>
QueryJson = {
"size": 0,
"track_total_hits": true,
"query": {
"bool": {
"must": [
{
"match": {
"application_name": "mediawiki"
}
}
],
"filter": [
{
"range": {
"timestamp": { "gte": "now-15m", "lte": "now" }
}
}
]
}
},
"aggs": {
"mediawiki-channels": {
"terms": {
"field": "mediawiki_channel"
}
}
}
}
The rebuild should finish in 10-30 minutes. If the errors are gone after the rebuild, you can close this task. If not, assistance will be needed.
Already did that for 'en', but without luck. Started the rebuild in a screen now.
More testing is required to determine the final backup sizes.
In order to do proper backend verification in the certificate (CN), we have tested using ENFORCE. However, the Host header from the client (e.g. allthetropes.org) is used for the CN check at the backend. Therefore, the allthetropes.org certificate would still be mandatory at the backend, even though I prefer to remove all certificates (including our wildcard one) but a single domain (such as ats-internal.miraheze.wiki) from the MediaWiki servers.
The future of these servers depends on the outcome of testing regarding T5877#139273.
I recommend rebooting the dbbackup servers. They may or may not be affected by CVE-2021-3450, but as long as these servers are rebooted gracefully, we can survive without them for a few minutes.
I cannot find the minion in /etc/salt/roster.
Servers that haven't been rebooted, except for db1[1-3] / cloud[3-5] / mon2 / ns[12]:
Fixed.
RamNode is short on capacity, so we can't resize bacula yet. I hope we can resize the server next week.
13:08:41 <+SPF|Cloud> first, the nginx config points to /etc/ssl/certs/miraheze.wiki.crt, but we have switched to /etc/ssl/localcerts 13:09:17 <+SPF|Cloud> second, the certificate is valid for 'miraheze.wiki', but not phab.miraheze.wiki
+$5/mo is approved by me, only requires John's approval as the EM of Infrastructure.
A maintenance window is required for dumping from masters directly. Not because impact is guaranteed, but because dumping may cause database locks for multiple seconds, hence increasing save time or knocking wikis offline.
Spoke with @Paladox regarding ATS. Installing and testing ATS on test3 is not ideal, since that server is used for MediaWiki tests. Installing a new server as a testing cache proxy, granted that this cache proxy may not receive the 'allow 80/443 tcp' rules yet due to security reasons (we have agreed on a security review beforehand), has my support.
19:58:18 <+SPF|Cloud> my advice: reboot all VMs with services that can be depooled and repooled easily, in order to preserve uptime, do it the normal way (adhere to the 5 minutes DNS TTL, depool from varnish, wait until requests have finished, etc) 20:00:49 <+SPF|Cloud> on the critical servers, db1[1-3], cloud[3-5], mon2 and ns[12], restarting syslog-ng / IRC bots is fine, anything else shouldn't be touched (yet)
Agreed. There are multiple issues here:
21:46:14 <+SPF|Cloud> renaming the column to Kings_Rock or similar will fix the issue 21:48:18 <+SPF|Cloud> and https://mariadb.com/kb/en/identifier-names/#quoted says that the single quote (should have called them 'quotes' instead of 'apostrophes', I guess) is a valid character in a column name 21:49:18 <+SPF|Cloud> the extension is at fault here ;)
Opened T7003
Exception is generated at https://github.com/wikimedia/mediawiki-extensions-Cargo/blob/a619875ea82539bfbf525b8813036876e5cf39b4/includes/CargoUtils.php#L408
$string is string(11) "King's_Rock"
King's_Rock is a column in the cargo__Moves table:
stdClass Object
(
[Field] => King's_Rock
[Type] => tinyint(1)
[Null] => YES
[Key] => MUL
[Default] =>
[Extra] =>
)Firejail helps to secure external binaries, but apparently firejail itself doesn't have a good track record either: https://github.com/netblue30/firejail/issues/3046
I've finally found the ticket, pasting my IRC comment here:
22:37:46 <+SPF|Cloud> @SRE, I can't recall who was talking about it (and where I read it), but I saw some messages regarding automating the addition of a new certificate (for https). have you considered https://wikitech.wikimedia.org/wiki/Acme-chief?
Considering the recent outages and the mention of MariaDB
I doubt it.
Perhaps, it may be possible to directly dump from the masters, with very little interruption: https://stackoverflow.com/q/56715657.
In that case, we can use the RamNode VMs to store the logical dumps (mydumper to stdout | ssh - local file). The disadvantage is that we won't have a live replica at all times (if a master crashes for good, the data between <most recent backup> and <crash> will be lost), but it's much cheaper: I/O limit is not much of an issue and since data is not replicated, there is more space for storing logical dumps.
Collecting real data: T6981
Blackbox testing: https://github.com/prometheus/blackbox_exporter (currently being tested)
I am a huge fan of data driven decision making!
Available exporters: https://github.com/jcollie/openldap_exporter https://github.com/tomcz/openldap_exporter
WMF (for dashboard examples): https://grafana.wikimedia.org/d/DnxQ26qmk/ldap?orgId=1 / https://phabricator.wikimedia.org/T181511
@Paladox I have disabled c4 replication on dbbackup1, but the lag is not decreasing. It looks like dbbackup1 still doesn't have enough room to replicate a full database cluster. Do you see room for improvements?
I told you on IRC yesterday, but it's good practice to document this on Phabricator: my suggestion is to use https://github.com/braedon/prometheus-es-exporter, a tool that runs on the graylog hosts. The tool takes an elasticsearch query, performs the search and returns the result in prometheus format. Prometheus collects the metrics, after which we can use the metrics in Grafana dashboards.
Following a course regarding the basics of GDPR at the moment.
Analysing the queries from a binlog (c4):
mysqlbinlog mysql-bin.001818 | grep '::' > ~/analyse-queries-T6984.txt
(any query that has '::' in it usually includes the PHP caller as SQL comments)
Investigating load on dbbackup1.
Can't we generate the list dynamically? ie by running my 'script' periodically on a server?
Downtimed dbbackup[12] Current Load.
I am not sure if load alerts are useful for these servers. These servers are not production facing; as long as the replication processes are running and the replication lag is not greater than X seconds, I don't mind what the load average is.
Varnish was stopped at 16:36:45, gdnsd depooled cp12 at 16:37:02 on ns1 and at 16:37:04 on ns2. That's an excellent MTTR. I am not able to find out why the service ran out of memory, but since this quite a rare event, I'm tempted to skip the investigation process.
For tracking purposes: https://github.com/wikimedia/mediawiki/blob/6978577273048ca9a32baaa285d4270d6e860e6a/includes/user/UserNameUtils.php#L181 returns false for 'SHEIKH', but https://github.com/wikimedia/mediawiki/blob/6978577273048ca9a32baaa285d4270d6e860e6a/includes/user/UserNameUtils.php#L183 returns true, so I presume SHEIKH ended up being in the reserved names list.
c2 is done and replicates fine. c3 has not been cloned yet. c4 had its replica process stopped for too long and thus the binary position it's on doesn't exist on the master anymore: a reclone is needed.
Yes, let's see if we can receive proxmox logs without further tweaking.
What's the status on meetings in the MediaWiki team?
(no time currently)
Do you know what the bottleneck is? Is it MediaWiki -> syslog-ng or syslog-ng -> graylog?
Wikimedia has been contacted. Waiting on more information from the researcher.
southparkfan@test3:~$ python3 cve.py --url 'https://grafana.miraheze.org' [-] Testing https://grafana.miraheze.org... [-] Status: 200 [-] Checking for version... [-] Grafana version appears to be: 7.4.1 [!] Version seems to indicate it's probably not vulnerable. [-] Checking if snapshot api requires authentiation... [+] Snapshot endpoint doesn't seem to require authentication! Host may be vulnerable.