You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org

Application servers: Difference between revisions

From Wikitech-static
Jump to navigation Jump to search
imported>Krinkle
mNo edit summary
imported>Krinkle
No edit summary
 
(8 intermediate revisions by 7 users not shown)
Line 2: Line 2:
{{See|See also '''[[Application servers/Runbook]]''' for how to perform common tasks, or diagnose issues.}}
{{See|See also '''[[Application servers/Runbook]]''' for how to perform common tasks, or diagnose issues.}}


The '''Application servers''' (or '''app servers''') are the several hundred Apache servers that run the [[MediaWiki]] backend software (written in PHP).
The '''Application servers''' (or '''app servers''') are the several hundred Apache servers that run [[MediaWiki]] (PHP application).
 
{{TOC|align=right}}


==Service==
==Service==
Line 16: Line 14:
* <code>[https://gerrit.wikimedia.org/g/operations/puppet/+/HEAD/modules/profile/manifests/mediawiki/webserver.pp profile::mediawiki::webserver]</code>, this provisions Apache, and any other packages or resources needed by MediaWiki on app servers.
* <code>[https://gerrit.wikimedia.org/g/operations/puppet/+/HEAD/modules/profile/manifests/mediawiki/webserver.pp profile::mediawiki::webserver]</code>, this provisions Apache, and any other packages or resources needed by MediaWiki on app servers.
** <code>[https://gerrit.wikimedia.org/g/operations/puppet/+/HEAD/modules/profile/manifests/mediawiki/httpd.pp profile::mediawiki::httpd]</code>, the Apache service.
** <code>[https://gerrit.wikimedia.org/g/operations/puppet/+/HEAD/modules/profile/manifests/mediawiki/httpd.pp profile::mediawiki::httpd]</code>, the Apache service.
** <code>[https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/HEAD/modules/mediawiki/manifests/web/prod_sites.pp meidawiki::web::prod_sites]</code>, the Apache configuration for all production websites (including wikipedia.org).
** <code>[https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/HEAD/modules/mediawiki/manifests/web/prod_sites.pp mediawiki::web::prod_sites]</code>, the Apache configuration for all production websites (including wikipedia.org).
** Additional Apache configurations are at [https://github.com/wikimedia/operations-puppet/tree/production/modules/mediawiki/files/apache/sites modules/mediawiki/files/apache/sites/]. Prior to 2012, Apache configuration were in a Subversion repository.
** Additional Apache configurations are at [https://github.com/wikimedia/operations-puppet/tree/production/modules/mediawiki/files/apache/sites modules/mediawiki/files/apache/sites/]. Prior to 2012, Apache configuration were in a Subversion repository.


==Architecture==
==Architecture==
{{See|See [[MediaWiki at WMF#Infrastructure|MediaWiki at WMF § Infrastructure]] for the CDN and traffic layers outside app servers. <br> See also [[MediaWiki at WMF#MediaWiki_configuration|MediaWiki configuration]].}}
{{See also|MediaWiki at WMF|HTTP timeouts#App servers}}


The application servers are load-balanced via [[LVS]]. Connections between our CDN (HTTP cache proxies) and app servers are encrypted with TLS, which is terminated locally on the app server using a simple '''Nginx-''' install. Nginx then hands the request off to the local Apache.
The application servers are load-balanced via [[LVS]]. Connections between our CDN (HTTP cache proxies) and app servers are encrypted with TLS, which is terminated locally on the app server using [[Envoy]]. Envoy then hands the request off to the local Apache.


'''Apache''' there is in charge of handling redirects, rewrite rules, and determining the [[MediaWiki at WMF#Document root|document root]]. It then uses <code>php-fpm</code> to invoke the MediaWiki software.
'''Apache''' is in charge of handling redirects, rewrite rules, and determining the [[MediaWiki at WMF#Document root|document root]]. It then uses <code>php-fpm</code> to invoke the MediaWiki software.


The Apache [https://httpd.apache.org/docs/2.4/mpm.html MPM] we use is [https://httpd.apache.org/docs/2.4/mod/worker.html mod_worker]</code>, which decides how <code>php-fpm</code> processes are spawned.
The Apache [https://httpd.apache.org/docs/2.4/mpm.html MPM] we use is [https://httpd.apache.org/docs/2.4/mod/worker.html mod_worker]</code>, which decides how <code>php-fpm</code> processes are spawned.
Line 30: Line 28:
==Logging==
==Logging==


Apache errors are logged to /srv/mw-log/apache2.log on mwlog1001.
Apache errors are logged to <code>/srv/mw-log/apache2.log</code> on <code>mwlog1001</code>.


Apache access logs are mostly disabled. Statistics are drawn from [[Varnish]] front ends instead.
Apache access logs are mostly disabled. Statistics are drawn from [[Varnish]] front ends instead.


==Apache setup checklist==
== Hardware repair ==
 
{{Outdated-inline|year=2015}}
* Follow the [[Automated installation]] instructions for the base install
* Run the following on the server:
:* <tt>apt-get update && apt-get dist-upgrade -y && apt-get install wikimedia-task-appserver && reboot && exit </tt>
* Wait for the server to come back online, ensure it starts apache correctly
** <tt>echo 'GET /' | nc localhost 80</tt> or any of the number of tests listed below
* If the server is part of the memcached group, follow instructions on [[Memcached]]
* If the server is new, you will need to do the following:
:* Login to the LVS server for apaches (lvs3 as of 2009-02-13) and add the new servers to /etc/pybal/apaches
* If the server is not new do the following:
:* Ensure the server is now enabled in pybal on the LVS server in the file /etc/pybal/apaches
* You will need to add the server to [[DSH]] groups if new, or check if they are commented, if the server is not new:
:* Add/Uncomment the host to /usr/local/dsh/node_groups/apaches and mediawiki-installation, as well as any other groups needed
:* Reload nagios to accept the changes to the node groups:
::* <tt>cd /home/wikipedia/conf/nagios && ./sync </tt>
* Verify that the server is tacking traffic and doing work
:* <tt>ipvsadm -L | grep SERVERNAME </tt>
:* traffic logs?
 
==Test cases==
 
Here are some test cases you can use to test the apache configuration after changing something.
 
<pre>
GET /wiki/Foo HTTP/1.1
Host: en.wikipedia.org
User-agent: testthing
 
GET /wiki/Foo HTTP/1.1
Host: www.wikipedia.org
User-agent: testthing
 
GET /wiki/Main_Page HTTP/1.1
Host: www.wikipedia.com
User-agent: testthing
 
GET / HTTP/1.1
Host: wikipedia.com
User-agent: testthing
 
GET / HTTP/1.1
Host: wikibooks.org
User-agent: testthing
 
GET / HTTP/1.1
Host: wikiquote.org
User-agent: testthing
 
GET / HTTP/1.1
Host: dk.wikipedia.org
User-agent: testthing
 
GET / HTTP/1.1
Host: foo.wikipedia.org
User-agent: testthing
 
GET /wiki/Main_Page HTTP/1.1
Host: test.wikipedia.org
User-agent: testthing
 
GET /wiki/Foo HTTP/1.1
Host: en.wikipedia.org
User-Agent: Exalead
 
GET /wiki/Foo HTTP/1.1
Host: meta.wikimedia.org
User-agent: testthing


GET / HTTP/1.1
When taking down application servers (running mediawiki) for things like disk replacement or other hardware repair, _do not forget to_:
Host: en.wiktionary.org
* before: remove from dsh group
User-agent: testthing
These are in puppet, operations/puppet repo, in modules/dsh/files/group. The important one for Mediawiki sync is "mediawiki-installation".
</pre>
* before: de-pool in pybal
* TODO: Document what to do if it's a scap proxy (see hieradata/common/dsh/config.yaml)
See [[pybal]]. You can just grep for the server name and set 'enabled': False and save.
* before: check nobody is scapping right now (best: announce with a !log line in IRC)
This is an IRC thing on libera.chat in {{irc|wikimedia-dev}}/{{irc|wikimedia-tech}}/{{irc|wikimedia-operations}}
* during: acknowledge Icinga monitoring checks (best: with related ticket number as comment)
Do this by logging in via browser on icinga.wikimedia.org. search for the hostname, check all services and use the "acknowledge" option. You'll see the IRC bots outputting this as well and they will stop repeating things over and over in the channels.
* after: re-add to dsh groups
Revert the above.
* after: re-pool in pybal
Revert the above.


== See also ==
== See also ==
* [[Application servers/Runbook#DC Ops]]
* [[Apache log format]]
* [[Apache log format]]
* [[UID]]
* [[UID]]
Line 115: Line 56:
[[Category:Servers by usage| Apache]]
[[Category:Servers by usage| Apache]]
[[Category:MediaWiki production| ]]
[[Category:MediaWiki production| ]]
[[Category:SRE Service Operations]]

Latest revision as of 02:30, 1 May 2022

The Application servers (or app servers) are the several hundred Apache servers that run MediaWiki (PHP application).

Service

Puppet roles:

  • mediawiki::appserver, mediawiki::canary_appserver
  • mediawiki::appserver::api, mediawiki::appserver::canary_api
  • mediawiki::maintenance
  • mediawiki::jobrunner

Relevant puppet classes:

Architecture

The application servers are load-balanced via LVS. Connections between our CDN (HTTP cache proxies) and app servers are encrypted with TLS, which is terminated locally on the app server using Envoy. Envoy then hands the request off to the local Apache.

Apache is in charge of handling redirects, rewrite rules, and determining the document root. It then uses php-fpm to invoke the MediaWiki software.

The Apache MPM we use is mod_worker, which decides how php-fpm processes are spawned.

Logging

Apache errors are logged to /srv/mw-log/apache2.log on mwlog1001.

Apache access logs are mostly disabled. Statistics are drawn from Varnish front ends instead.

Hardware repair

When taking down application servers (running mediawiki) for things like disk replacement or other hardware repair, _do not forget to_:

  • before: remove from dsh group

These are in puppet, operations/puppet repo, in modules/dsh/files/group. The important one for Mediawiki sync is "mediawiki-installation".

  • before: de-pool in pybal
  • TODO: Document what to do if it's a scap proxy (see hieradata/common/dsh/config.yaml)

See pybal. You can just grep for the server name and set 'enabled': False and save.

  • before: check nobody is scapping right now (best: announce with a !log line in IRC)

This is an IRC thing on libera.chat in #wikimedia-dev connect/#wikimedia-tech connect/#wikimedia-operations connect

  • during: acknowledge Icinga monitoring checks (best: with related ticket number as comment)

Do this by logging in via browser on icinga.wikimedia.org. search for the hostname, check all services and use the "acknowledge" option. You'll see the IRC bots outputting this as well and they will stop repeating things over and over in the channels.

  • after: re-add to dsh groups

Revert the above.

  • after: re-pool in pybal

Revert the above.

See also