Application servers

From Wikitech
(Redirected from Apache configuration)
Jump to navigation Jump to search

The Application servers (or app servers) are the several hundred Apache servers that run the MediaWiki backend software (written in PHP).

The Apache configurations are maintained in the Puppet repository, at operations/puppet.git:/modules/mediawiki/files/apache/sites/. Prior to 2012, these were in Subversion.

See also Application servers/Runbook which covers php-fpm, opcache and more. (TODO: Should these pages be merged?)

Testing config

  • Submit change to Gerrit in the modules/mediawiki/files/apache/sites directory (project: operations/puppet)
  • Choose one of the mediawiki debug servers. Then, on that server:
    • Disable puppet: sudo puppet agent --disable 'insert reason'
    • Apply change locally under /etc/apache2/sites-enabled/
    • sudo apache2ctl restart
  • Test your change by making relevant HTTP request. See Debugging in production for how.
  • When you're done, mwdebug####$ sudo puppet agent --enable

Deploying config

It is suggested that you may wish to place any configuration updates on the Deployments page. A bad configuration going live can easily result in a site outage.

  • Test your change in deployment-prep and make sure that it works as expected.
  • Submit change to gerrit in the modules/mediawiki/files/apache/sites directory (project: operations/puppet)
  • Disable puppet across the affected mediawiki application servers.
    • Cumin can in finding the precise set of hosts. For example, this is a recent query:
      cumin 'R:File = "/etc/apache2/sites-available/04-remnant.conf"' 'disable-puppet "elukey - precaution for https://gerrit.wikimedia.org/r/#/c/380774/"' -b 10
      
      In this case the change was related to a RewriteRule change in 04-remnant.conf, but of course it must be changed every time with the file(s) modified by the Gerrit change.
  • Merge via gerrit and run on puppetmaster1001 the usual puppet-merge
  • Create a plain text file with some significant URLs that should be modified by the Gerrit change. Some examples of files with testing URLs, are deployed in /usr/local/share/apache-tests/ on the deployment hosts. This text file will be used on deploy1001 with apache-fast-test later on to verify that the change works as expected.
    • For example, if you are adding or modifying a new RewriteRule, please add to your text file some URLs that are expected to change.
  • Go to one of the mwdebug servers and enable/run puppet. Apache will reload its configuration automatically, please check that no error messages are emitted. Running apachectl -t after running puppet surely helps verifying that the new configuration is syntactically correct (it doesn't absolutely imply that it will work as intended of course).
    • Some Apache directive changes need a full restart to get applied, not a simple reload. These changes are very rare and they are clearly indicated in Apache's documentation, so please verify it beforehand. Simple RewriteRule changes require only an Apache reload.
  • On deploy1001 run apache-fast-test against the selected mwdebug host using /usr/local/share/apache-tests/baseurls and your new test file. Both of them need to return a positive confirmation that everything looks good.
elukey@deploy1001:~$ apache-fast-test /usr/local/share/apache-tests/baseurls mwdebug1001.eqiad.wmnet
testing 19 urls on 1 servers, totalling 19 requests
spawning threads..

http://elefante-a-pallini.ro.sa/
 * 200 OK 929
http://wikimedia.org/research
 * 301 Moved Permanently https://wikimedia.qualtrics.com/SE/?SID=SV_6R04ammTX8uoJFP
http://www.wikipedia.org/wiki/it:Francesco_Totti
 * 302 Found http://it.wikipedia.org/wiki/Francesco_Totti
http://zero.wikipedia.org/
 * 302 Found http://en.zero.wikipedia.org/wiki/Special:ZeroRatedMobileAccess
[.. cut ..]
 * 301 Moved Permanently https://meta.wikimedia.org/wiki/Special:UrlShortener


elukey@deploy1001:~$ apache-fast-test wikidata_redirect mwdebug1001.eqiad.wmnet
testing 1 urls on 1 servers, totalling 1 requests
spawning threads..

https://commons.wikimedia.org/data/main/Data:Bundestagswahl2017/wahlkreis46.map
 * 301 Moved Permanently https://commons.wikimedia.org/wiki/Special:PageData/main/Data:Bundestagswahl2017/wahlkreis46.map
  • Enable/Run puppet on another mediawiki application server that is taking traffic, de-pooling it beforehand via confctl. Verify again from deploy1001 that everything is working as expected, running apache-fast-test.
  • Repool the host mentioned above and verify on Apache access logs that everything looks fine. If you want to be extra paranoid, you can check the host level metrics via https://grafana.wikimedia.org/d/000000327/apache-hhvm?orgId=1 and make sure that nothing is out of the ordinary.
  • Re-enable puppet across the appservers previously disabled via cumin.
  • Keep an eye on the operations channel and make sure that puppet runs fine on these hosts.

Logging

Apache errors are logged to /srv/mw-log/apache2.log on mwlog1001.

Apache access logs are mostly disabled. Statistics are drawn from Varnish front ends instead.

Apache setup checklist

  • apt-get update && apt-get dist-upgrade -y && apt-get install wikimedia-task-appserver && reboot && exit
  • Wait for the server to come back online, ensure it starts apache correctly
    • echo 'GET /' | nc localhost 80 or any of the number of tests listed below
  • If the server is part of the memcached group, follow instructions on Memcached
  • If the server is new, you will need to do the following:
  • Login to the LVS server for apaches (lvs3 as of 2009-02-13) and add the new servers to /etc/pybal/apaches
  • If the server is not new do the following:
  • Ensure the server is now enabled in pybal on the LVS server in the file /etc/pybal/apaches
  • You will need to add the server to DSH groups if new, or check if they are commented, if the server is not new:
  • Add/Uncomment the host to /usr/local/dsh/node_groups/apaches and mediawiki-installation, as well as any other groups needed
  • Reload nagios to accept the changes to the node groups:
  • cd /home/wikipedia/conf/nagios && ./sync
  • Verify that the server is tacking traffic and doing work
  • ipvsadm -L | grep SERVERNAME
  • traffic logs?

Test cases

Here are some test cases you can use to test the apache configuration after changing something.

GET /wiki/Foo HTTP/1.1
Host: en.wikipedia.org
User-agent: testthing

GET /wiki/Foo HTTP/1.1
Host: www.wikipedia.org
User-agent: testthing

GET /wiki/Main_Page HTTP/1.1
Host: www.wikipedia.com
User-agent: testthing

GET / HTTP/1.1
Host: wikipedia.com
User-agent: testthing

GET / HTTP/1.1
Host: wikibooks.org
User-agent: testthing

GET / HTTP/1.1
Host: wikiquote.org
User-agent: testthing

GET / HTTP/1.1
Host: dk.wikipedia.org
User-agent: testthing

GET / HTTP/1.1
Host: foo.wikipedia.org
User-agent: testthing

GET /wiki/Main_Page HTTP/1.1
Host: test.wikipedia.org
User-agent: testthing

GET /wiki/Foo HTTP/1.1
Host: en.wikipedia.org
User-Agent: Exalead

GET /wiki/Foo HTTP/1.1
Host: meta.wikimedia.org
User-agent: testthing

GET / HTTP/1.1
Host: en.wiktionary.org
User-agent: testthing


Hardware Repair

Application Servers

When taking down application servers (running mediawiki) for things like disk replacement or other hardware repair, _do not forget to_:

  • before: remove from dsh group

These are in puppet, operations/puppet repo, in modules/dsh/files/group. The important one for Mediawiki sync is "mediawiki-installation".

  • before: de-pool in pybal
  • TODO: Document what to do if it's a scap proxy (see hieradata/common/dsh/config.yaml)

See pybal. You can just grep for the server name and set 'enabled': False and save.

  • before: check nobody is scapping right now (best: announce with a !log line in IRC)

This is an IRC thing on freenode in #wikimedia-dev/-tech/-operations

  • during: acknowledge Icinga monitoring checks (best: with related ticket number as comment)

Do this by logging in via browser on icinga.wikimedia.org. search for the hostname, check all services and use the "acknowledge" option. You'll see the IRC bots outputting this as well and they will stop repeating things over and over in the channels.

  • after: re-add to dsh groups

Revert the above.

  • after: re-pool in pybal

Revert the above.

Adding a new server into production

  • Create DNS patch to assign IP addresses to them. This is usually done by dcops nowadays but they might want your review for it. (example change)
  • Create a puppet patch that adds the servers with the right regexes in site.pp. Apply the spare::system puppet role. (example change)
  • Create mcrouter certs, merge them in the private puppet repo on the puppetmaster (as of today Puppetmaster1001).
  • Create a patch to add fake certs in the labs/private repo. Merge it. In the labs/private repo you have to also add the V+2 yourself, no jenkins. (example change)
  • Decide which role this server should have (appserver, API appserver, jobrunner,..). Use Netbox to search for the host and see which rack it is in. Try to balance servers (and roles) across racks.
  • Create a puppet patch that adds the proper role to servers and adds them in conftool-data in the right section. Don't merge it yet. (example change)
  • Start with the first 2 steps to avoid Icinga alert spam. Then merge the patch to add puppet roles to the new servers.
  • Run puppet on the new hosts. Some errors are normal in the first puppet run.
  • Run puppet on the new hosts a second time. It should complete successfully.
  • Watch all (new) Icinga alerts on the hosts turn green, make sure Apache does not have to be restarted. You can "reschedule next service check" in the Icinga web UI to speed things up. It is expected that the "not in dsh group" alert stays CRIT until the server is pooled below. Once all alerts besides that one are green (not PENDING and not CRIT) it is ok to go ahead.
  • Check for ongoing deployments. Wait if that is the case. You can use "jouncebot: now" on IRC and/or the Deployment page on Wikitech wiki.
  • Run "scap pull" on new servers to ensure latest MediaWiki version deployed is present.
  • Give the server a weight with confctl: ex: [cumin1001:~] $ sudo -i confctl select name=mw1355.eqiad.wmnet set/weight=10
  • Pool the server with confctl: ex: [cumin1001:~] $ sudo -i confctl select name=mw1353.eqiad.wmnet set/pooled=yes
  • Watch Grafana Host Overview, select server and see it is getting traffic.

See also