Closed Bug 952881 Opened 11 years ago Closed 9 years ago

Deploy bugzfeed (WebSocket server for the Bugzilla Change Notification System) to Heroku

Categories

(bugzilla.mozilla.org :: Infrastructure, defect)

Product:
bugzilla.mozilla.org
Component:
Infrastructure
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mcote, Unassigned)

References

Details

Bugzfeed is the WebSockets application that serves data from the Bugzilla Change Notification System. It is available from pypi under the package name "bugzfeed". It is a Tornado application, installed as "bugzfeed-server". Source is at https://github.com/mozilla/bugzfeed. The default configuration should work, although you will probably want to specify the port via --port=$PORT or in a config file (see example in the source). I have no idea how many users it will have and hence no idea about system requirements. It is, however, designed to be scalable; since it creates an independent consumer on pulse, it can be run on multiple machines with a load balancer.
Mark - before we can commit to setting this up anywhere, we're going to need bugzfeed to go through a security review. i am marking this bug for a review.
Flags: sec-review?
Depends on: 957082
Clearing secreview flag as I've filed a separate secreview bug.
Flags: sec-review?
We'll have an opsec review. :cturra, do you know where this would live? afaik, we don't have websocket support behind the ZLBs at the moment.
Flags: needinfo?(cturra)
that's a great question - i don't know. this might be a good case to spend some time sorting out how we want to deal with websockets behind zeus tho.
Flags: needinfo?(cturra)
(In reply to Chris Turra [:cturra] from comment #4) > that's a great question - i don't know. this might be a good case to spend > some time sorting out how we want to deal with websockets behind zeus tho. We could do a direct NAT and SSL termination in Apache, like we do with people.mo
FYI the security reviews were completed last week. What kind of an ETA could I expect on this? Note that it's related to an IT goal (Bugzilla performance) indirectly, in that, when it is widely adopted, it should cut down on the number of clients constantly polling BMO for updates.
Flags: needinfo?(cturra)
For now, at least, I have deployed bugzfeed on AWS at ws://bugzfeed.mozilla.org/.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(cturra)
Resolution: --- → FIXED
Going to reopen this, since we do want this deployed on Mozilla infrastructure at some point.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Mark: can you please file a new bug for it when that future point arrives? Thanks!
Status: REOPENED → RESOLVED
Closed: 11 years ago11 years ago
Resolution: --- → FIXED
Anytime you're ready. :) Some groups want apps that rely on it, so it should have some sort of proper admin.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: server-ops-webops → klibby
QA Contact: nmaul → laura
Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/157]
Component: WebOps: Bugzilla → Infrastructure
Product: Infrastructure & Operations → bugzilla.mozilla.org
ping?
I just had a chat with :glob about this. The current, temporary, bugzfeed setup is bad and we need a proper production deployment ASAP. see 1079596 Bugzfeed needs TLS and Websocket support. Which means a TCP load balancer that handles the TLS termination but does not touch the content (no HTTP). I see 3 options, sorted by preference: 1. Use ZLB to terminate TLS and source-ip load balancing to VMs running bugzfeed 2. Use ELB in AWS to terminate TLS and source-ip load balancing to AWS instances running bugzfeed 3. NAT an IP to a single Apache server and terminate TLS there Can someone in WebOps or Infra pick a preferred solution and move this bug forward? If solution 2 is chosen, let's run this in IT AWS, and I'll help with the ELB setup (we have scripts).
Flags: needinfo?(cturra)
BMO infra is handled by Dev Services (e.g. me). :glob appears to have handled the SSLv3 issue in 1079596, so how ASAP is ASAP? I haven't forgotten about this, but I can only juggle so many chainsaws at once. If WebOps has cycles, then feel free to use them.
By the end of the quarter would be nice. We want to integrate bugzfeed into BMO, but we want to wait until it's on our dev-service-maintained infrastructure to do that.
due to ssl issues i have turned off the ssl endpoint for our "temporary" bugzfeed server (see bug 1079596). we're now looking at almost a full year from the time when we were good to go (sec-review was completed on 2014-02-04).
Flags: needinfo?(cturra)
I'm going to look into moving this to Heroku soon.
Assignee: klibby → mcote
Status: REOPENED → ASSIGNED
Summary: Deploy bugzfeed (WebSocket server for the Bugzilla Change Notification System) → Deploy bugzfeed (WebSocket server for the Bugzilla Change Notification System) to Heroku
Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/157]
I have finally set up Bugzfeed on Heroku. I'm just waiting on DNS changeover (bug 1222882), but it is currently accessible via ws://bugzfeed.herokuapp.com/ and (with SSL!) wss://bugzfeed.herokuapp.com/. SSL via wss://bugzfeed.mozilla.org/ will be available after the DNS update. You can see an example app, currently using wss://bugzfeed.herokuapp.com/, at https://people.mozilla.org/~mcote/bugzfeed_example/ (also available in the Bugzfeed source on GitHub).
Will wss://bugzfeed-dev.allizom.org (for https://bugzilla-dev.allizom.org) be also available as before?
Good point. I'll incorporate something into the production bugzfeed app, since it doesn't change enough to warrant a dev instance. So it'll probably be something like wss://bugzfeed.mozilla.org/dev/.
Nice! SSL conf looks good, but if you could just disable RC4-SHA, it's be just perfect. $ ./cipherscan bugzfeed.herokuapp.com ........................ Target: bugzfeed.herokuapp.com:443 prio ciphersuite protocols pfs curves 1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits prime256v1 2 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits prime256v1 3 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1 4 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None 5 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime256v1 6 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits prime256v1 7 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1 8 AES128-GCM-SHA256 TLSv1.2 None None 9 AES128-SHA256 TLSv1.2 None None 10 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 None None 11 AES256-GCM-SHA384 TLSv1.2 None None 12 AES256-SHA256 TLSv1.2 None None 13 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 None None 14 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1 15 RC4-SHA TLSv1,TLSv1.1,TLSv1.2 None None Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature TLS ticket lifetime hint: 300 OCSP stapling: not supported Cipher ordering: server Curves ordering: server - fallback: no Server supports secure renegotiation Server supported compression methods: NONE TLS Tolerance: yes
Hm, I don't think I can change anything in Heroku's SSL config, unfortunately.
I put in support for bugzilla-dev today. You can now access wss://bugzfeed.herokuapp.com/dev/ for updates to bugs on bugzilla-dev. This, and the general Heroku work, are still in (and deployed from) separate branches, but I'll merge it in as soon as we switch away from the old host.
The example at https://people.mozilla.org/~mcote/bugzfeed_example/ has also been updated so you can (optionally) subscribe to bugzilla-dev.
I have already re-enabled the Bugzfeed support in my BzDeck app! Will update the endpoint URL once the DNS is updated.
The DNS record has been updated but I get the Connection Insecure message at https://bugzfeed.mozilla.org/ due to the cert mismatch. Also, Heroku says No such app.
Depends on: 1222882
Yeah, something is not right here. Not only is the cert not set up properly, but I can't even get the non-SSL version to work. ws://bugzfeed.herokuapp.com/ is fine, but ws://bugzfeed.mozilla.org/ isn't. Hm.
Now it works for me :)
\o/
Status: ASSIGNED → RESOLVED
Closed: 11 years ago9 years ago
Resolution: --- → FIXED
ulfr: I'm assuming, from your lack of reply, that leaving RC4-SHA is not ideal but acceptable.
Moving this conversation to the original security-related bug, bug 1079596.
You need to log in before you can comment on or make changes to this bug.