[08:29:55] <arturo>	 dhinus: good morning. I would like to merge this to re-arrange the imports. https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/25 it should help with the next patch
[08:34:48] <dhinus>	 morning!
[08:34:52] <dhinus>	 let me have a look :)
[08:38:58] <arturo>	 thanks
[08:42:01] <dhinus>	 arturo: makes a lot of sense to me, approved
[08:42:17] <arturo>	 thanks, merging
[08:42:29] <arturo>	 I'll rebase the next one and send your way. That one will be bigger
[08:53:13] <arturo>	 dhinus: https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/23 plan in the latest comment
[09:07:58] <dhinus>	 looking
[09:14:55] <dhinus>	 I'm not understanding why 2 resources (the port_v2 ones) are modified and not imported... I don't see them in the preious imports, so why are they already existing?
[09:15:12] <arturo>	 because I added a description
[09:15:31] <arturo>	 and also because I'm assigning a fixed IP, which was otherwise just computed before
[09:19:47] <arturo>	 I think they will be imported+modified
[09:19:58] <arturo>	 that is how I interpret the plan
[09:20:07] <arturo>	   # module.ports.openstack_networking_port_v2.port["cloudinstances3-flat-gw-test"] will be updated in-place
[09:20:07] <arturo>	   # (imported from "286aa59e-b288-46c0-a5ea-ee3c5de5af26")
[09:25:39] <dhinus>	 "updated in-place" usually means they are already in the state
[09:25:52] <dhinus>	 and I don't understand how they ended up in the state :)
[09:26:14] <arturo>	 they are not at the moment. They are added with the patch
[09:26:19] <arturo>	 they are imported, then updated
[09:27:10] <dhinus>	 ok, imported+modified in the same patch!
[09:28:12] <dhinus>	 yep I think you're right, that's the "imported from" line underneath the "updated in-place"
[09:28:55] <arturo>	 I could avoid any modification at all, not setting the name and description
[09:29:14] <arturo>	 I could do that in a follow up patch
[09:29:17] <dhinus>	 no that's fine
[09:29:34] <dhinus>	 I just was not understanding the plan output, because I never did an import+modify in place
[09:29:43] <dhinus>	 so I was not used to this output, but I think it's good
[09:30:02] <dhinus>	 so "cloudinstances2b-gw-lan-flat" is a name you added, and that port is currently unnamed?
[09:30:08] <dhinus>	 in openstack
[09:30:27] <arturo>	 yeah, all the ports are mostly unnamed in the openstack db
[09:30:36] <dhinus>	 ok all clear!
[09:30:37] <arturo>	 because they are usually created automatically
[09:30:46] <dhinus>	 approved!
[09:30:57] <arturo>	 thanks, merging
[09:31:32] <dhinus>	 yeah it's a classic problem also in AWS, when you create things with CLI or GUI some resources are created automatically, but in tofu you have to specify them all
[09:31:43] <dhinus>	 which is generally good because you understand better what's going on
[09:31:47] <dhinus>	 and how many things are actually created
[09:31:59] <arturo>	 yeah
[11:46:57] <arturo>	 dhinus: I'm seeing this on clouddb1013 logs:
[11:46:59] <arturo>	 https://www.irccloud.com/pastebin/knKe9uJQ/
[11:49:00] <dhinus>	 weird. I haven't touched that body, will have a look
[11:49:27] <arturo>	 thanks
[11:52:24] <arturo>	 dhinus: what I'm researching is an user report of not being able to connect to either toolsdb or the replicas
[11:52:45] <arturo>	 the replica.my.cnf file has been created already
[11:54:07] <arturo>	 and maintain-dbusers reports this in the logs
[11:54:09] <arturo>	 https://www.irccloud.com/pastebin/GOwT5vQQ/
[11:54:15] <arturo>	 I'll open a phab ticket
[11:56:52] <dhinus>	 thanks
[11:59:03] <arturo>	 T371011
[11:59:04] <stashbot>	 T371011: toolforge: some accounts don't have access even though maintain-dbusers claims it has created everything - https://phabricator.wikimedia.org/T371011
[12:01:17] <arturo>	 dcaro: are you available to investigate this?
[12:02:13] <dhinus>	 hmf I pasted a (hashed) password inadvertently to phab
[12:02:28] <dhinus>	 we should rotate it for user s56035
[12:02:42] <dhinus>	 but I see the user and grants do exist in toolsdb
[12:02:55] <dhinus>	 let me see if I can connect
[12:03:26] <arturo>	 I tried this command:
[12:03:27] <arturo>	 sql -v local
[12:03:37] <arturo>	 from within the tool account
[12:03:39] <dcaro>	 arturo: let me check it out
[12:03:48] <arturo>	 (lexica-tool)
[12:03:49] <arturo>	 dcaro: thanks
[12:06:33] <dcaro>	 the credentials file was created at 11:58 on the 24th
[12:07:07] <dcaro>	 Jul 24 11:58:34 cloudcontrol1005 maintain-dbusers[1353413]: ERROR [root.inner:160] Request to create replica.my.cnf file for account_type tool and account_id tools.lexica-tool failed without response.
[12:07:08] <arturo>	 dhinus: do you know how to rotate the password?
[12:07:17] <dhinus>	 I can change it manually
[12:07:26] <dcaro>	 there's a few other tools that failed at that moment too
[12:07:33] <dhinus>	 but that won't update maintain-db-users
[12:07:45] <dhinus>	 I guess maintain-db-users has a database of passwords?
[12:07:50] <dhinus>	 or how does it work?
[12:08:10] <dhinus>	 I'll try changint the pwd manually for that user, and verify that I can connect with the new pwd
[12:08:14] <arturo>	 dcaro: so, maybe it failed the first time, but already had generated the password. Then the next time, created the account in the DBs with a different password?
[12:08:17] <dhinus>	 then we can figure out the maintain-db part
[12:08:28] <dcaro>	 arturo: I think so yes
[12:08:52] <arturo>	 ok, I think that sounds possible
[12:09:23] <dcaro>	 dhinus: yep, maintain-dbusers has it's own database
[12:09:47] <dcaro>	 you can remove the replica.conf file and it will be rotated iirc
[12:10:24] <dcaro>	 there's a lot of logs about one tool not having a home dir, Jul 24 18:58:21 cloudcontrol1005 maintain-dbusers[1371668]:   ToolforgeUserFileBackend:Skipping account daxserver: Home directory (/srv/tools/home/daxserver) does not exist yet
[12:10:28] <dcaro>	 since yesterday
[12:11:17] <arturo>	 I don't know what that really means, about the homedir. That feels like some kind of partial account. I checked maintain-kubeusers already, and it is working just fine
[12:11:45] <dcaro>	 it's a user
[12:11:53] <dhinus>	 pwd changed in toolsdb, and I can connect
[12:12:01] <dhinus>	 so I guess the pwd in replica.my.cnf is not correct
[12:12:20] <arturo>	 dhinus: thanks, I think that confirms the earlier theory
[12:12:25] <dcaro>	 I'm recreating the pw for lexica-tool
[12:13:18] <dcaro>	 arturo: for users iirc the home is created when the user first logs in
[12:13:55] <arturo>	 yaeh, makes sense
[12:14:02] <arturo>	 by PAM mkhomedir
[12:14:04] <arturo>	 in the bastion
[12:15:32] <arturo>	 are the docs here up-to-date? https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin#Regenerate_replica.my.cnf
[12:15:41] <arturo>	 about regenerating the replica.my.cnf file
[12:15:44] <dcaro>	 I'm checking the list of tools that failed during the same time that lexica-tool
[12:16:17] <dcaro>	 arturo: I think so yes
[12:18:11] <arturo>	 ok, shall I try it for lexeme-tool?
[12:18:16] <arturo>	 sorry, lexica-tool
[12:19:06] <arturo>	 the user reports it is working now, so I'm not touching it again
[12:21:11] <dhinus>	 I think it might be working on toolsdb because I fixed it manually
[12:21:32] <dhinus>	 but it will not work in wikireplicas, and the pwd in the db for maintain-db-user is also out of adte
[12:21:35] <dhinus>	 *date
[12:21:51] <arturo>	 ok, then let me run in
[12:22:04] <dhinus>	 yeah let's do the full "regenerate" as described in the wiki
[12:22:54] <arturo>	 mmmm, but dcaro already did earlier?
[12:23:00] <arturo>	  <dcaro> I'm recreating the pw for lexica-tool
[12:23:05] <dhinus>	 oh sorry I missed that line!
[12:23:31] <dhinus>	 I still see my manual pwd in replica.my.cnf though
[12:23:48] <arturo>	 maybe that was a race condition. I'll run this
[12:23:55] <arturo>	 aborrero@cloudcontrol1005:~ $ sudo /usr/local/sbin/maintain-dbusers delete tools.lexica-tool  --account-type=tool
[12:24:08] <dhinus>	 lgtm
[12:24:15] <arturo>	 ok, running it
[12:24:29] <arturo>	 https://www.irccloud.com/pastebin/xFMSKz5r/
[12:24:59] <arturo>	 I'm now watching the maintain-dbuser logs
[12:25:37] <dhinus>	 replica.my.cnf in the tool's dir was deleted
[12:25:43] <dhinus>	 now maintain-db-user should recreate it
[12:26:23] <arturo>	 just now
[12:26:23] <arturo>	 Jul 25 12:25:59 cloudcontrol1005 maintain-dbusers[2204447]: INFO [root._populate_new_account:697] Wrote replica.my.cnf for tool tools.lexica-tool
[12:26:46] <dhinus>	 it's there
[12:26:59] <arturo>	 but I don't see the log entry for the DB account creation
[12:27:25] <dhinus>	 I cannot log in to toolsdb with the new password
[12:27:46] <arturo>	 ok, just now
[12:27:47] <arturo>	 https://www.irccloud.com/pastebin/mgjpVDqc/
[12:27:48] <dcaro>	 it will get there, give it a minute
[12:27:55] <dcaro>	 just rotated all the others too
[12:27:56] * arturo was impatient
[12:28:23] <dhinus>	 now I can connect!
[12:30:26] <dcaro>	 all the others can connect too now
[12:30:29] <arturo>	 thanks you two for the assistance
[12:31:02] <arturo>	 feel free to write your conclusions in T371011
[12:31:03] <stashbot>	 T371011: toolforge: an account don't have db access even though maintain-dbusers claims it has created everything - https://phabricator.wikimedia.org/T371011
[12:34:41] <dhinus>	 I'm not sure about the actual cause of the issue, dcaro do you understand what happened exactly?
[12:35:18] <dhinus>	 arturo: now I see your comment in phab with your theory
[12:35:26] <arturo>	 👍
[12:35:43] <dhinus>	 and dcaro's comment with the root cause
[12:35:55] <dhinus>	 I don't have anything else to add :)
[12:36:03] <dcaro>	 dhinus: it's related to the envvars api path changes, at some point it broke replica_cnf new account creation, yep in the task
[12:36:18] <dhinus>	 all clear!
[12:36:50] <arturo>	 excellent, thanks
[12:37:13] <blancadesal>	 oops, my bad for forgetting to add an s in two places to replica_cnf the other day 🙈
[12:38:09] <dcaro>	 xd, no problem, we should finish up adding monitoring to maintain-dbusers to avoid that in the future
[12:38:37] <dcaro>	 T332955
[12:38:37] <stashbot>	 T332955: [maintain-dbusers] Generate prometheus metrics - https://phabricator.wikimedia.org/T332955
[12:38:46] <dcaro>	 if anyone wants to give it a go
[12:39:28] <dcaro>	 there were a couple patches also that never got merged improving the cli iirc/refactoring that we wanted in before the prometheus metrics (as it makes it easier)
[12:39:44] <dcaro>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/908843
[12:40:27] <dhinus>	 arturo: I'll leave you the honor of resolving T371011
[12:40:27] <stashbot>	 T371011: toolforge: an account don't have db access even though maintain-dbusers claims it has created everything - https://phabricator.wikimedia.org/T371011
[12:40:51] <arturo>	 ✅
[12:40:58] <arturo>	 again, thanks everyone
[12:41:11] <dcaro>	 the 'claims it has created everything' in the title is a bit misleading, it did not claim it, it actually said it failed in the logs
[12:41:51] <dhinus>	 maybe just keep just the first par? "toolforge: an account don't have db access"
[12:41:54] <dhinus>	 or even the account name
[12:42:48] <dhinus>	 anyway it's explained in the comments so I think that's fine
[12:42:52] <dcaro>	 it's ok, yep
[14:57:19] <dhinus>	 arturo: I need to run the same command 
[14:57:39] <arturo>	 dhinus: which command?
[14:57:49] <dhinus>	 arturo: I need to run the same command "maintain-dbusers delete tools" for another tool, did you trigger maintain-dbusers after that, or just waited for it to start automatically?
[14:57:59] <dhinus>	 arturo: sorry the first message was incomplete :P
[14:58:18] <dhinus>	 context: T326613
[14:58:20] <arturo>	 I just run the command in the shell and waited, watching the service logs
[14:58:30] <dhinus>	 sounds good, I will do it after the team meeting
[14:58:51] <arturo>	 ok
[16:02:01] * arturo offline
[16:02:12] <dcaro>	 arturo: just checked, validating admission policies don't allow mutation, we will have to be careful with that
[16:24:29] * dhinus offline
[17:11:16] <bd808>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/1056263 is a small bug fix for Striker that could go out when any SRE has the time to do the puppet merge dance.
[17:26:38] <dcaro>	 bd808: merged :), /me off
[17:27:04] <dcaro>	 feel free to tm me if you need anything (I'm also oncall if you need)
[17:27:10] <dcaro>	 cya \o
[17:31:09] <bd808>	 thanks dcaro. :)