[00:14:59] <AaronSchulz>	 TimStarling: I think the stuff from https://gerrit.wikimedia.org/r/c/operations/puppet/+/398007/ is still there
[23:17:57] <TimStarling>	 regarding #mediawiki_security multi-DC discussion 10 hours ago
[23:19:37] <TimStarling>	 I said that the number of cross-DC DB connections will be on the order of 10 per second
[23:20:54] <TimStarling>	 based on logstash count of ~800,000 messages of the form "Expectation (masterConns <=) 0 by MediaWiki::main not met" in the last 24 hours
[23:21:04] <TimStarling>	 is that correct?
[23:21:25] <TimStarling>	 <cdanis> that sounds to me like the latency hit of just using the built-in-to-PHP support for TLS would be completely acceptable
[23:22:25] <Krinkle>	 Feels higher than I'd guess based on code knowledge and traffic, but not too high I suppose. We have around 5000/sec app server reqs right?
[23:22:41] <Krinkle>	 Perhaps some of the routes aren't acknowledged in TrxProf yet
[23:22:54] <Krinkle>	 Eg loginwiki and rollback
[23:24:28] <TimStarling>	 <cdanis> 10/second when our usual appserver load is ~6k/second
[23:25:05] <TimStarling>	 consider 10/s to be an upper bound
[23:26:53] <TimStarling>	 if it's 1/s that makes the case for plain TLS even stronger, right?
[23:29:52] <Krinkle>	 ack, checks out with `channel:DBPerformance AND message:masterConns AND -server:login.wikimedia.org` on 'mediawiki' Logstash dashboard. around 5-6K per 15min, which is ~8/s
[23:31:25] <Krinkle>	 of which 4K are from BlockManager and 400 are MWEchoNotifUser
[23:31:43] <Krinkle>	 https://phabricator.wikimedia.org/T231961
[23:31:51] <Krinkle>	 stashbot: T231961
[23:31:51] <stashbot>	 See https://wikitech.wikimedia.org/wiki/Tool:Stashbot for help.
[23:31:52] <stashbot>	 T231961: DBPerformance warning: "Expectation masterConns <= 0 not met" from CentralAuth special pages - https://phabricator.wikimedia.org/T231961
[23:32:25] <Krinkle>	 err. I mean T267945
[23:32:26] <stashbot>	 T267945: Increase in DBPerformance warnings since 1.36.0-wmf.13 - https://phabricator.wikimedia.org/T267945
[23:32:36] <Krinkle>	 anyway, yeah, that's a pretty small tail after that already
[23:33:10] <Krinkle>	 apart from BlockManager, they're also mostly post-send
[23:35:31] <TimStarling>	 ok, if you're agreeing then let's close T196378 and update T134809 to say that we will go ahead with plain TLS
[23:35:32] <stashbot>	 T134809: App servers <=> mariadb SSL/TLS for cross-datacenter writes - https://phabricator.wikimedia.org/T134809
[23:35:32] <stashbot>	 T196378: Investigate solutions for MySQL connection pooling - https://phabricator.wikimedia.org/T196378
[23:43:11] <Krinkle>	 Sounds good to me, TimStarling