Puppet Class: profile::mediawiki::mcrouter_wancache

Defined in:
modules/profile/manifests/mediawiki/mcrouter_wancache.pp

Overview

Class profile::mediawiki::mcrouter_wancache

Configures an mcrouter instance for multi-datacenter caching

Parameters:

  • servers_by_datacenter_category (Hash) (defaults to: hiera('mcrouter::shards'))
  • port (Integer) (defaults to: hiera('mcrouter::port'))
  • has_ssl (Boolean) (defaults to: hiera('mcrouter::has_ssl'))
  • ssl_port (Integer) (defaults to: hiera('mcrouter::ssl_port', $port + 1))
  • num_proxies (Integer) (defaults to: hiera('profile::mediawiki::mcrouter_wancache::num_proxies', 1))
  • timeouts_until_tko (Optional[Integer]) (defaults to: lookup('profile::mediawiki::mcrouter_wancache::timeouts_until_tko', {'default_value' => 10}))
  • gutter_ttl (Integer) (defaults to: lookup('profile::mediawiki::mcrouter_wancache::gutter_ttl', {'default_value' => 60}))


# File 'modules/profile/manifests/mediawiki/mcrouter_wancache.pp', line 4

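# Configures an mcrouter instance for multi-datacenter (WAN) caching: builds the
# pool and route definitions, optionally installs TLS material and opens the TLS
# port in the firewall, then declares ::mcrouter and its monitoring.
#
# @param servers_by_datacenter_category
#   Hash read under the keys 'wancache' (servers per datacenter), 'proxies'
#   (proxies per datacenter, treated as {} when absent) and 'gutter' (indexed by
#   $::site for the local gutter pool).
# @param port
#   Port passed to ::mcrouter; also listed in the NOTRACK rules below.
# @param has_ssl
#   When true, installs the CA, certificate and private key under
#   /etc/mcrouter/ssl, passes ssl_options to ::mcrouter and opens $ssl_port.
# @param ssl_port
#   Port used in ssl_options and in the firewall rules; defaults to $port + 1.
# @param num_proxies
#   Passed through to ::mcrouter.
# @param timeouts_until_tko
#   Passed through to ::mcrouter.
# @param gutter_ttl
#   Passed to profile::mcrouter_route for every route built here.
class profile::mediawiki::mcrouter_wancache(
    Hash $servers_by_datacenter_category = hiera('mcrouter::shards'),
    Integer $port = hiera('mcrouter::port'),
    Boolean $has_ssl = hiera('mcrouter::has_ssl'),
    Integer $ssl_port = hiera('mcrouter::ssl_port', $port + 1),
    Integer $num_proxies = hiera('profile::mediawiki::mcrouter_wancache::num_proxies', 1),
    Optional[Integer] $timeouts_until_tko = lookup('profile::mediawiki::mcrouter_wancache::timeouts_until_tko', {'default_value' => 10}),
    Integer $gutter_ttl = lookup('profile::mediawiki::mcrouter_wancache::gutter_ttl', {'default_value' => 60}),
) {

    $servers_by_datacenter = $servers_by_datacenter_category['wancache']
    $proxies_by_datacenter = pick($servers_by_datacenter_category['proxies'], {})
    # We only need to configure the gutter pool for DC-local routes. Remote-DC
    # routes are reached via an mcrouter proxy in that dc, that will be
    # configured to use its gutter pool itself.
    $local_gutter_pool = profile::mcrouter_pools('gutter', $servers_by_datacenter_category['gutter'][$::site])

    # One pool set per region, all folded onto the local gutter pool with `+`.
    $pools = $servers_by_datacenter.map |$region, $servers| {
        # We need to get the servers from the current datacenter, and the proxies from the others
        if $region == $::site {
            profile::mcrouter_pools($region, $servers)
        } else {
            profile::mcrouter_pools($region, $proxies_by_datacenter[$region])
        }
    }
    .reduce($local_gutter_pool) |$memo, $value| { $memo + $value }

    $routes = union(
        # local cache for each region
        $servers_by_datacenter.map |$region, $servers| {
            {
                'aliases' => [ "/${region}/mw/" ],
                'route' => profile::mcrouter_route($region, $gutter_ttl)  # @TODO: force $::site like mw-wan default?
            }
        },
        # WAN cache: issues reads and add/cas/touch locally and issues set/delete everywhere.
        # MediaWiki will set a prefix of /*/mw-wan when broadcasting, explicitly matching
        # all the mw-wan routes. Broadcasting is thus completely controlled by MediaWiki,
        # but is only allowed for set/delete operations.
        $servers_by_datacenter.map |$region, $servers| {
            {
                'aliases' => [ "/${region}/mw-wan/" ],
                'route'   => {
                    'type'               => 'OperationSelectorRoute',
                    'default_policy'     => profile::mcrouter_route($::site, $gutter_ttl), # We want reads to always be local!
                    # AllAsyncRoute is used by mcrouter when replicating data to the non-active DC:
                    # https://github.com/facebook/mcrouter/wiki/List-of-Route-Handles#allasyncroute
                    # More info in T225642
                    'operation_policies' => {
                        'set'    => {
                            'type'     => $region ? {
                                $::site => 'AllSyncRoute',
                                default => 'AllAsyncRoute'
                            },
                            'children' => [ profile::mcrouter_route($region, $gutter_ttl) ]
                        },
                        'delete' => {
                            'type'     => $region ? {
                                $::site => 'AllSyncRoute',
                                default => 'AllAsyncRoute'
                            },
                            'children' => [ profile::mcrouter_route($region, $gutter_ttl) ]
                        },
                    }
                }
            }
        }
    )
    if $has_ssl {
        # The directory is not world-accessible (0750, mcrouter:root), so the
        # 0444 CA and certificate inside it are only reachable by the mcrouter
        # user and the root group.
        file { '/etc/mcrouter/ssl':
            ensure  => directory,
            owner   => 'mcrouter',
            group   => 'root',
            mode    => '0750',
            require => Package['mcrouter'],
        }
        file { '/etc/mcrouter/ssl/ca.pem':
            ensure  => present,
            content => secret('mcrouter/mcrouter_ca/ca.crt.pem'),
            owner   => 'mcrouter',
            group   => 'root',
            mode    => '0444',
        }

        file { '/etc/mcrouter/ssl/cert.pem':
            ensure  => present,
            content => secret("mcrouter/${::fqdn}/${::fqdn}.crt.pem"),
            owner   => 'mcrouter',
            group   => 'root',
            mode    => '0444',
        }

        # Per-host private key, readable by the mcrouter user only.
        # show_diff => false keeps the key material out of the content diff
        # that Puppet can write to agent logs and reports when the file changes.
        file { '/etc/mcrouter/ssl/key.pem':
            ensure    => present,
            content   => secret("mcrouter/${::fqdn}/${::fqdn}.key.private.pem"),
            owner     => 'mcrouter',
            group     => 'root',
            mode      => '0400',
            show_diff => false,
        }

        $ssl_options = {
            'port'    => $ssl_port,
            'ca_cert' => '/etc/mcrouter/ssl/ca.pem',
            'cert'    => '/etc/mcrouter/ssl/cert.pem',
            'key'     => '/etc/mcrouter/ssl/key.pem',
        }

        # We can allow any other mcrouter to connect via SSL here
        # NOTE(review): the firewall admits the whole $DOMAIN_NETWORKS range, so
        # limiting callers to other mcrouters depends on the TLS layer verifying
        # client certificates against ca.pem. That setting is not visible in
        # this class; confirm it in ::mcrouter.
        ferm::service { 'mcrouter_ssl':
            desc    => 'Allow connections to mcrouter via SSL',
            proto   => 'tcp',
            notrack => true,
            port    => $ssl_port,
            srange  => '$DOMAIN_NETWORKS',
        }
    }
    else {
        $ssl_options = undef
    }

    class { '::mcrouter':
        pools              => $pools,
        routes             => $routes,
        region             => $::site,
        cluster            => 'mw',
        num_proxies        => $num_proxies,
        timeouts_until_tko => $timeouts_until_tko,
        port               => $port,
        ssl_options        => $ssl_options,
    }

    class { '::mcrouter::monitoring': }

    # Both rules exempt mcrouter traffic from connection tracking in the raw
    # table. This class declares no ferm::service for the plaintext $port.
    # NOTE(review): ${ssl_port} is listed in both rules even when $has_ssl is
    # false and nothing in this class uses that port; confirm this is intended.
    ferm::rule { 'skip_mcrouter_wancache_conntrack_out':
        desc  => 'Skip outgoing connection tracking for mcrouter',
        table => 'raw',
        chain => 'OUTPUT',
        rule  => "proto tcp sport (${port} ${ssl_port}) NOTRACK;",
    }

    ferm::rule { 'skip_mcrouter_wancache_conntrack_in':
        desc  => 'Skip incoming connection tracking for mcrouter',
        table => 'raw',
        chain => 'PREROUTING',
        rule  => "proto tcp dport (${port} ${ssl_port}) NOTRACK;",
    }
}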