Closed Bug 1224318 Opened 9 years ago Closed 8 years ago

Can't access app listening on port 3003 on dashboard1.metrics.scl3.mozilla.com

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

Product:
Infrastructure & Operations Graveyard
Component:
WebOps: Other
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: aalmossawi, Assigned: ericz)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2148] ) 

Node is running on port 3003 on dashboard1, yet connections to that port time out. ericz said to file a bug.

https://metrics.mozilla.com:3003/deps/filename=accessible:jsat:EventManager.jsm

Expected result: http://almossawi.com:3003/deps/filename=accessible:jsat:EventManager.jsm
Hello -- you need to let me know where you are trying to access this resource from.
Can you give the IP address from which you are coming from?

Thanks,
Assignee: network-operations → dcurado
Status: NEW → ASSIGNED
I'm accessing it from 10.251.28.147 (SF, behind VPN), though this endpoint is meant to be public.
OK, there is nothing on the network blocking you from reaching that resource.
Can you verify that the service is running on port 3003/tcp on metrics.mozilla.com?
and/or that there aren't some host based controls preventing you from accessing it?

Thanks.
Flags: needinfo?(aalmossawi)
netstat -anp |grep 3003
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:3003                0.0.0.0:*                   LISTEN      27822/node

I'm not sure about the latter question. Eric?
Flags: needinfo?(aalmossawi) → needinfo?(eziegenhorn)
Also note that this appears to be a ZLB node.
Make sure that the ZLB is configured to handle port 3003?

Thanks.
dashboard1.metrics.scl3 is not a zlb, but if this is going to be a public facing website we should probably front it with Zeus.  Can you explain what you're running here Ali?
Flags: needinfo?(eziegenhorn)
This endpoint: http://almossawi.com:3003/deps/filename=accessible:jsat:EventManager.jsm

It's experimental work for Platform Engineering that returns the set of dependencies for an arbitrary file in the Firefox codebase. It would be accessible from here: https://metrics.mozilla.com/code-quality/

And the code for it is here: https://github.com/mozilla/firefox-code-quality/tree/master/deps
I should point out that in the near term, only a few people are likely to access this. The decision to share the link more broadly would be contingent on how useful we find the work to be in the coming months.
Caught up a bit on IRC, this is accessible via VPN at http://dashboard1.metrics.scl3.mozilla.com:3003/deps/filename=accessible:jsat:EventManager.jsm

To get it accessible at metrics.mozilla.com, we'll have to add a Zeus VIP that forward to port 3003.
Not netops, moving.
Assignee: dcurado → eziegenhorn
Component: NetOps: Other → WebOps: Other
QA Contact: jbarnell → smani
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2148]
April, can you please look at this proposed internet-facing service from an opsec perspective?  It's proposed to make the nodejs app on dashboard1.metrics.scl3.mozilla.com:3003 available to the public via Zeus.
Flags: needinfo?(april)
Sure, that shouldn't be a problem.  Has there been an RRA of this service completed?

Can you give me a broad level view of how sensitive this data is, and what it will be used for?

Thanks!
Flags: needinfo?(eziegenhorn)
Please refer to https://bugzilla.mozilla.org/show_bug.cgi?id=1224318#c7

It's all public data.

Thank you.
No RRA that I know of.  Ali is authoritative on the data and app.
Flags: needinfo?(eziegenhorn)
Flags: needinfo?(april)
April, is there anything else that I need to do in order to get the bug moving? Thank you.
Flags: needinfo?(april)
Hmm, sorry that the RRA hasn't been initiated.  I'm still okay with having it be publicly accessible, although I'm not the one who would set up the zlb rules.

Kang, can you setup an RRA with them soon?  Thanks!
Flags: needinfo?(april) → needinfo?(gdestuynder)
our workflow was broken hence the delay - see https://bugzilla.mozilla.org/show_bug.cgi?id=1225627#c1 for the RRA and thanks for the needinfo!
Flags: needinfo?(gdestuynder)
The RRA is completed (Risk Record at https://bugzilla.mozilla.org/show_bug.cgi?id=1239502 - access needed to see this bug)
We have assessed both code quality (the dashboard) and the aforementioned NodeJS service above.
As per RR the risk is LOW currently and it seems reasonable to host NodeJS, however there are a couple of recommendations:

- specially if publicly accessible, it should go behind the load balancer (LBL) and the load balancer should provide TLS termination
- if no service with higher than LOW risk are hosted on the dashboard1 server, it's reasonable to deploy the NodeJS service there as well as they belong to the same project. Otherwise, these services should be separated (i.e. must not host nodejs service on dashboard1). In fact, would consider moving the rest of code quality to it's own server if that's the case.

Hope this help!
Zeus VIP setup at metrics.mozilla.com:3003 for now, app is unresponsive on the server side as far as I can tell.
Time out, please re-open if there's anything we can do.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in before you can comment on or make changes to this bug.