[07:48:55] * arturo online
[07:51:51] <dcaro>	 morning!
[07:53:21] <taavi>	 i'm renewing the puppet CA in toolsbeta, so in case you see puppet errors that's probably why
[07:54:46] <dcaro>	 ack
[08:03:04] <dhinus>	 o/
[08:17:09] <taavi>	 certs have been renewed
[08:17:18] <taavi>	 (+ docs updated etc)
[08:17:33] <dcaro>	 thanks!
[08:30:04] <taavi>	 arturo: I think we need a generic fix to prevent the *-tofu service accounts from receiving puppet failure emails
[08:31:15] <arturo>	 we can maybe just update their email address to a blackhole
[08:31:34] <arturo>	 we only needed a valid address for the initial account setup
[08:44:22] <dhinus>	 wikitech-static is failing with (Cannot access the database)
[08:46:27] <dhinus>	 the disk is full
[08:47:58] <dhinus>	 maybe similar to T338520
[08:47:58] <stashbot>	 T338520: Shellbox is broken on wikitech-static due to disk fullness - https://phabricator.wikimedia.org/T338520
[08:51:43] <dhinus>	 yep, the same fix worked
[08:55:28] <taavi>	 arturo: is there a specific reason to make octavia-lb-mgmt ipv4-only?
[08:56:21] <arturo>	 taavi: is just a healthcheck network, I don't see the value of it being dualstack. We could make it IPv6 only however
[09:01:08] <taavi>	 arturo: i would honestly just do dualstack, cloud-private doesn't use ipv6 everywhere just yet so can't make it v6-only but I also think it should support v6 from the start so dualstack seems the best option to me
[09:03:07] <arturo>	 if cloud-private doesn't work on IPv6 then not having any IPv6 sounds the right option to me. Also, adding IPv6 dualstack at the openstack level is a very easy change via tofu-infra, it can be done at any later time without disruption
[09:04:57] <taavi>	 cloud-private will support v6 very soon
[09:05:26] <taavi>	 (it's a matter of figuring out how to add the addresses and dns records without disruption, everything else is already there)
[09:05:43] <taavi>	 if you add it later then you'd still have all the existing instances with no v6 addresses
[09:05:48] <taavi>	 it's easier to just have that from the start
[09:08:30] <arturo>	 ok
[09:10:44] <arturo>	 taavi: https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/232
[09:12:39] <taavi>	 +1
[09:13:49] <arturo>	 I'll let andrew merge that one
[10:13:19] <taavi>	 please review: https://gerrit.wikimedia.org/r/c/operations/puppet/+/1145093 https://gerrit.wikimedia.org/r/c/operations/puppet/+/1145094
[10:21:55] <arturo>	 done
[11:31:56] * arturo brb
[12:55:21] <andrewbogott>	 taavi or topranks, want to double check https://gerrit.wikimedia.org/r/c/operations/puppet/+/1146598 and https://netbox.wikimedia.org/search/?q=octavia-lb-mgmt ?
[12:56:43] <topranks>	 andrewbogott: that looks good to me in theory 
[12:56:48] <topranks>	 what is this network for though?
[12:57:32] <topranks>	 the only consideration I would have is whether it possibly should be a private network
[12:57:38] <topranks>	 rather than on public address space 
[12:57:55] <andrewbogott>	 It's for lbaas, the load balancer instances will live there. There needs to be communication between the load balancers and cloudcontrol nodes.
[12:58:07] <andrewbogott>	 I don't think I have an opinion about public vs private, that's maybe an arturo question
[12:58:15] <topranks>	 so it doesn't sound like you need them to get hacked into 
[12:58:44] <topranks>	 For IPv4 the discussion is different, cos all the openstack networks are on private space 
[12:58:53] <topranks>	 and we can decide what we want to do NAT for or not 
[12:59:13] <topranks>	 For IPv6 we should choose a block from space open to the internet or not, depending on the use case 
[12:59:36] <andrewbogott>	 hm
[12:59:58] <topranks>	 so possibly should choose a block from https://netbox.wikimedia.org/ipam/prefixes/1080/
[13:00:06] <andrewbogott>	 I mean, as load balancers, they should be reachable on the internet. But since this is meant to be the management network that should probably be handled separately.
[13:00:41] <topranks>	 you don't want people managing them from the internet 
[13:00:46] <topranks>	 you'd assume 
[13:00:50] <andrewbogott>	 agreed
[13:01:33] <andrewbogott>	 I'm confused, though, 2a02:ec80:a100:2::/64 is under that cidr you just linked me to isn't it?
[13:02:23] <andrewbogott>	 oh wait, I confused my tabs
[13:02:42] <topranks>	 It's not no.  It's from 2a02:ec80:a100::/55 which ends at 2a02:ec80:a100:01ff::/64
[13:03:08] <topranks>	 2a02:ec80:a100:100::/56 is a separate block 
[13:04:22] <andrewbogott>	 so I am a bit overwhelmed by all the bits, how does this look?  https://netbox.wikimedia.org/ipam/prefixes/1208/
[13:05:25] <topranks>	 andrewbogott: yeah that's perfect 
[13:05:33] <andrewbogott>	 ok, will update the gerrit patch
[13:05:49] <topranks>	 you could maybe also use 2a02:ec80:a100::/64 direct 
[13:05:53] <topranks>	 https://netbox.wikimedia.org/ipam/prefixes/1080/prefixes/
[13:06:18] <topranks>	 101 is the second network in the /55 
[13:06:22] <topranks>	 but both work as well 
[13:06:41] <topranks>	 the question I can't answer is if it needs direct internet access or not
[13:08:44] <andrewbogott>	 I'm pretty sure not but I'll cross that bridge when I get to it
[13:08:57] <andrewbogott>	 Do you feel strongly about me moving it to  2a02:ec80:a100::/64 ?
[13:09:02] <topranks>	 cool, yeah the reason I asked is the name "lb-mgmt" didn't _sound_ like it needed it 
[13:09:16] <topranks>	 andrewbogott: it'll do my ocd in so yeah
[13:09:19] <topranks>	 I'll change it in netbox 
[13:09:22] <andrewbogott>	 thx
[13:09:25] <topranks>	 if you want to prep the patch with that 
[13:12:27] <taavi>	 hm, if we're provisioning the v6 subnet in a way where it has no internet access we probably should do the same for the v4 subnet just to be consistent
[13:14:02] <topranks>	 taavi: indeed yes
[13:14:17] <topranks>	 that's the regular firewall/nat question for the private IPv4 range 
[13:16:07] <andrewbogott>	 Isn't the v4 range we're using already private by default?
[13:16:13] <andrewbogott>	 Unless we nat it?
[13:16:33] <topranks>	 it is yeah, that's the key difference with the IPv6, and why there are two blocks to choose from 
[13:17:16] <taavi>	 andrewbogott: yes but I believe the only options on cloudgw at the moment are "do not let any traffic in our out of this network" and "permit all egress and NAT it"
[13:18:27] <andrewbogott>	 right but that means this is a firewall question and not an ip range question?
[13:18:41] <topranks>	 exactly, yes
[13:19:30] <taavi>	 yes
[13:20:30] <andrewbogott>	 ok... so now I have https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/233 and https://gerrit.wikimedia.org/r/c/operations/puppet/+/1146598
[13:21:20] <andrewbogott>	 and eventually https://gerrit.wikimedia.org/r/c/operations/puppet/+/1146515 
[13:43:19] <taavi>	 very quick implementation of that firewall change: https://gerrit.wikimedia.org/r/c/operations/puppet/+/1146629
[13:46:10] <dcaro>	 hmpf... striker uses compose to build a blubber image... things become tricky for podman
[13:50:03] <andrewbogott>	 thx taavi -- I'm not sure I follow the routing rule 
[13:50:11] <andrewbogott>	 well, I guess we're just using the existing one so that seems safe
[14:15:12] <andrewbogott>	 dhinus: looks like the tofu tests passed yesterday, is that possible?
[14:15:29] <dhinus>	 andrewbogott: didn't check, looking
[14:16:38] <taavi>	 andrewbogott: https://gerrit.wikimedia.org/r/c/operations/puppet/+/1146635 should have an equivalent for the v6 subnet I think?
[14:17:03] <dhinus>	 andrewbogott: yesterday, no. but today (two hours ago) yes!
[14:17:09] <andrewbogott>	 dhinus: amazing!
[14:17:16] <andrewbogott>	 we're on a winning streak
[14:17:22] <dhinus>	 :)
[14:17:26] <andrewbogott>	 taavi: you're right, although I think it's moot for my immediate testing.  I'll add anyway.
[14:17:32] <taavi>	 :-)
[14:24:01] <andrewbogott>	 ok, next networking blocker: I would expect this to work (or at least not time out)
[14:24:03] <andrewbogott>	 cloudcontrol2004-dev:~# telnet 172.16.131.236 9443 
[14:28:02] <andrewbogott>	 oh hang on, that VM didn't even get assigned an IP
[14:28:07] <andrewbogott>	 So that .236 is going nowhere
[14:45:24] <andrewbogott>	 taavi: here's that v6 firewall change https://gerrit.wikimedia.org/r/c/operations/puppet/+/1146641
[14:46:09] <taavi>	 andrewbogott: you can pass an array to srange, no need for two rules
[14:46:23] <andrewbogott>	 mixed v4 and v6? I looked for examples of that but didn't find them
[14:46:33] <taavi>	 yes
[14:46:38] <andrewbogott>	 ok...
[14:48:26] <andrewbogott>	 updated
[14:50:35] <andrewbogott>	 hm, a comma would be nice
[15:30:05] <andrewbogott>	 arturo: last time I started an amphora it didn't get an IP. I'm guessing that's because the project it's in (service) didn't have access to the mgmt network, so I wrote https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/234  -- does that seem reasonable?
[15:30:17] <andrewbogott>	 And if so I need to figure out how to delete the old network so that tofu can create that one.
[15:30:43] <arturo>	 mmm
[15:31:04] <arturo>	 the docs specifically said the network should belong to admin
[15:31:30] <andrewbogott>	 oh, ok, maybe we just need to make it public or shared or something
[15:31:43] <arturo>	 yeah shared was set to false originally by me
[15:32:03] <andrewbogott>	 ok, let's try flipping it to true and see what we get...
[15:32:04] <taavi>	 cam ew share that to the specific project instead of making it globally available?
[15:33:12] <arturo>	 I'm not familiar about how all that permission model works. If you make the network tenant-owned, is the admin neutron router able to get a port on that network to act as a gateway?
[15:33:39] <arturo>	 if not, then we will need a tenant router to act as a gateway, with a leg in the flat network
[15:33:52] <arturo>	 otherwise it wont get egress/ingress routing
[15:34:23] <arturo>	 my feeling is that if we make it shared=true then _any_ tenant may be able to create ports on that network
[15:34:47] <andrewbogott>	 oh, this time around it got an IP! that's better than last...
[15:35:11] <taavi>	 what did you do?
[15:35:29] <andrewbogott>	 switched the mgmt network to 'shared' so that the service project can use it
[15:35:44] <andrewbogott>	 ok, arturo, now I see 'Connection to 172.16.131.114 timed out' on the cloudcontrol.
[15:36:09] <arturo>	 if you don't do this change via tofu-infra it will get reverted on the next run
[15:36:18] * andrewbogott nods
[15:36:25] <andrewbogott>	 I also can't ping 172.16.131.114 from a cloudcontrol
[15:36:36] <andrewbogott>	 can you take a look at that while I make the tofu change?
[15:36:41] <arturo>	 yes
[15:38:19] <arturo>	 I can ping from the neutron main router
[15:38:22] <arturo>	 https://www.irccloud.com/pastebin/wpcDAaAE/
[15:38:50] <arturo>	 I can't ping from cloudgw, so that gives an indication of where the failure could be
[15:38:54] <arturo>	 aborrero@cloudgw2002-dev:~ $ ping 172.16.131.114
[15:38:54] <arturo>	 PING 172.16.131.114 (172.16.131.114) 56(84) bytes of data.
[15:38:54] <arturo>	 ^C
[15:38:54] <arturo>	 --- 172.16.131.114 ping statistics ---
[15:38:54] <arturo>	 2 packets transmitted, 0 received, 100% packet loss, time 1011ms
[15:39:54] <arturo>	 mmm sorry wrong VRF
[15:40:33] <andrewbogott>	 https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/235/diffs
[15:41:50] <taavi>	 maybe update the comment?
[15:42:04] <andrewbogott>	 good idea
[15:42:32] <arturo>	 found the problem
[15:42:47] <arturo>	 andrewbogott: try now
[15:44:03] <arturo>	 on cloudgw servers we added a required network route to /etc/network/interfaces, but puppet updating that file wont trigger a service reload. The clean thing to do is a reboot
[15:44:06] <arturo>	 I'll reboot now
[15:44:42] <andrewbogott>	 ok, so I should wait to retry?
[15:44:56] <arturo>	 no, I applied the routing change by hand
[15:44:58] <arturo>	 it should work now
[15:45:00] <andrewbogott>	 'k
[15:45:04] <arturo>	 is just we are pending a reboot
[15:45:09] * andrewbogott watches the logs
[15:45:19] <arturo>	 actually, I can't reboot them today, I need to leave the laptop now
[15:45:52] <andrewbogott>	 Mark ACTIVE in DB for load balancer id: 9c9df77e-39e2-4410-980f-4b02f9a5c393
[15:46:01] <arturo>	 good news?
[15:46:12] <andrewbogott>	 yeah, I think that means health checks are working!
[15:46:21] <andrewbogott>	 So now I just have to see if can actually do anything :)
[15:46:36] <andrewbogott>	 I can do the reboots -- just cloudgw2xxx-dev ?
[15:46:47] <arturo>	 yeah, the 2 of them
[15:46:57] * arturo offline
[16:16:55] <dcaro>	 clouddb alert triggerd, dhinus are you doing something?
[16:17:05] <dhinus>	 ops yes sorry
[16:17:11] <dhinus>	 my fault
[16:17:14] <dcaro>	 ack np
[16:17:27] * dcaro fire mode off
[16:18:12] <dhinus>	 I briefly stopped one mysql instance, then I restarted it but forgot to run START SLAVE :)
[16:19:57] <dhinus>	 alert cleared
[16:25:10] <dcaro>	 xd
[16:25:23] <dcaro>	 got bitten by that too at some point
[16:26:56] * dhinus offline
[16:43:29] <andrewbogott>	 fyi taavi I need to apply https://gerrit.wikimedia.org/r/c/operations/puppet/+/1146680 on dynamic proxy hosts and downgrade python3-flask; at the moment if that service goes down it won't come back up
[16:48:51] <taavi>	 andrewbogott: where is the new package coming from? osbpo?
[16:49:32] * andrewbogott looks
[16:49:36] <andrewbogott>	 https://www.irccloud.com/pastebin/3wA2Emrf/
[16:49:48] <andrewbogott>	 ok, so it's not currently broken in eqiad1, it's just waiting to be broken when I upgrade
[16:49:57] <andrewbogott>	 So just applying that pin will be enough
[16:51:12] <andrewbogott>	 although now I'm worried that unattended upgrades could causes similar breakage for our users...
[16:51:39] <taavi>	 honestly I don't think we need to ship osbpo to all the VMs. surely the APIs don't change enough between versions to make the libraries included in debian proper be too old within a given VM's lifetime
[16:51:55] <taavi>	 and this is certainly not the first time something similar has happened
[16:52:25] <andrewbogott>	 That seems right, at least for 90% of the time...
[16:54:36] * andrewbogott makes T394438
[17:58:24] * dcaro off
[19:47:21] <bd808>	 T394453
[19:47:21] <stashbot>	 T394453: Emails to cloudservices@wikimedia.org from root@beta.toolforge.org bouncing - https://phabricator.wikimedia.org/T394453
[20:30:17] <andrewbogott>	 I have a silly tcpdump question...
[20:30:19] <andrewbogott>	 I see things like
[20:30:20] <andrewbogott>	 20:28:01.062140 IP 172.16.131.144.51294 > cloudcontrol2004-dev.private.codfw.wikimedia.cloud.rplay: UDP, length 314
[20:30:56] <andrewbogott>	 My question is: how do I know that those messages are actually getting to a server on that host, and not just bouncing off it?  The service certainly doesn't log anything if it's getting them.
[20:32:31] <andrewbogott>	 (bd808, I'm not ignoring that bug but will probably let someone more involved in those service accounts fix it)
[20:41:39] <andrewbogott>	 I have achieved the strange landmark of 'everything works except the status fields'
[21:07:27] <bd808>	 andrewbogott: no worries about that bouncing email thing. Somebody will figure things out. The easiest thing to do is open the list for arbitrary senders, but that might turn out to be more annoying if there are piles of spam bots already bouncing too.