[08:20:47] <godog>	 cheers Southparkfan, not exactly out of the woods yet!
[08:23:27] <Southparkfan>	 Ah yeah, shared curve errors
[08:24:00] <godog>	 yes and no, a red herring I believe
[08:25:40] <Southparkfan>	 Is it a bug in rsyslog?
[08:27:17] <godog>	 I don't know yet for sure tbh
[08:27:25] <Southparkfan>	 ECC would be totally broken if you don't have common curves ;-)
[08:28:16] <godog>	 how broken? "can't set up the connection" level of broken?
[08:28:29] <Southparkfan>	 So unless rsyslog is falling back to, let's say, ciphersuites relying on non-ECC key exchange algorithms, I don't really see how you cannot have shared curves
[08:29:08] <Southparkfan>	 In most cases, yes 
[08:29:59] <Southparkfan>	 Admittedly I don't know what ciphersuites are supported atm
[08:30:15] <godog>	 ok thank you, would no shared curves explain the behaviour in https://phabricator.wikimedia.org/T351710#9349879 ?
[08:30:33] <godog>	 i.e. hosts with low traffic have no issues, with high traffic do have issues
[08:30:42] <godog>	 traffic being syslog traffic
[08:34:08] <Southparkfan>	 Do the nodes with low traffix *never* emit these errors?
[08:36:03] <godog>	 not afaics
[08:41:48] * Southparkfan looks at the Cloud VPS nodes
[08:43:06] <godog>	 thank you
[08:44:20] <godog>	 I'm testing a rollback to gnutls for the centrallog servers only
[08:44:43] <Southparkfan>	 at least I see the same errors on Cloud VPS..
[08:45:17] <godog>	 heheh good in some ways
[08:45:23] <Southparkfan>	 is the new puppet leaf cert signed by an intermediate instead of directly by the root CA?
[08:45:37] <godog>	 that's my understanding yes
[08:45:38] <Southparkfan>	 because gnutls would fail miserably :D
[08:45:57] <Southparkfan>	 unless the gnutls issue was a verification issue client-side
[08:46:16] <Southparkfan>	 but I recall having server-side issues with sending the appropriate chain
[08:46:32] <godog>	 is this the issue you had in mind? https://phabricator.wikimedia.org/T351181
[08:46:46] <godog>	 in that case we did openssl -> gnutls and things seemed to work
[08:49:28] <Southparkfan>	 so maybe the client is not as broken as the server is
[08:50:07] <godog>	 I'm also thinking of using this opportunity to move rsyslog receiver to a separate rsyslog process/service
[08:50:40] <Southparkfan>	 can you find out if rsyslog serves a different chain when using gnutls compared to openssl? https://phabricator.wikimedia.org/T324623#8449240
[08:50:55] <Southparkfan>	 you can leave the -CAfile out
[08:51:35] <godog>	 sure I'll test that
[08:52:49] <godog>	 err not now that is
[08:53:45] <Southparkfan>	 yeah I have to go now 
[08:54:03] <Southparkfan>	 but I've started a tcpdump on the syslog server
[08:54:09] <godog>	 thank you for your help so far Southparkfan !
[08:54:14] <Southparkfan>	 no problem
[08:54:45] <Southparkfan>	 I like tinkering with tls and networking ;-p
[08:56:52] <godog>	 respect
[09:32:36] <brouberol>	 Hi team! I'd like to have a script that runs periodically for each kafka cluster, to export the replication factor of each topic to prometheus. Is there a specific host that feels right to runs this on? Thanks!
[09:44:33] <godog>	 brouberol: would kafka_cluster_Partition_ReplicasCount do ?
[09:45:13] <godog>	 I'm aware that doesn't answer your question though :)
[09:47:25] <brouberol>	 ah, I think it would actually! 
[09:47:35] <brouberol>	 which would make my life ever easier
[09:48:06] <godog>	 sweet! thanks for reaching out
[09:53:37] <brouberol>	 https://thanos.wikimedia.org/graph?g0.expr=max+by+%28topic%29+%28kafka_cluster_Partition_ReplicasCount%7Bcluster%3D%22kafka_jumbo%22%2C+topic%3D%22webrequest_text%22%7D%29&g0.tab=0&g0.stacked=0&g0.range_input=1h&g0.max_source_resolution=0s&g0.deduplicate=1&g0.partial_response=0&g0.store_matches=%5B%5D does exactly what I need 
[09:53:42] <brouberol>	 thanks for saving me time!
[10:15:09] <godog>	 amazing
[11:23:14] <jbond>	 hi all (cc godog ) im going to deploy a change to blackbox::check::* ssl certs
[11:23:17] <jbond>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/976273
[11:23:28] <jbond>	 ill start by disabling puppet on all prometheus hosts 
[11:23:46] <jbond>	 then deploy to prometheus1005.eqiad.wmnet  prometheus1006.eqiad.wmnet
[11:24:04] <jbond>	 *just 1005 
[11:25:49] <godog>	 ack jbond, thanks for the heads up
[11:25:53] <godog>	 I'm going to lunch shortly fwiw
[11:26:02] <jbond>	 godog: ack 
[11:32:03] <Southparkfan>	 godog: I haven't been able to dump the information I need, but it looks like my syslog server is broken as well, so is my puppetmaster
[11:32:24] <godog>	 Southparkfan: :( bummer
[11:32:49] <Southparkfan>	 do you have a Cloud VPS project with local puppetmaster I can (temporarily?) use?
[11:33:31] <Southparkfan>	 or gather the data in production, with some precautions to not disclose any actual confidential data :)
[11:34:02] <Southparkfan>	 arguably the latter is not preferred, because rsyslog will be restarted, hence impacting the syslog stream
[11:34:19] <Southparkfan>	 or... wait a minute..
[11:34:44] <godog>	 yeah I'd rather do the former i.e. cloudvps, I don't have a local puppetmaster free for use atm
[11:34:53] <godog>	 ok need to run to lunch, bbiab
[11:35:26] <Southparkfan>	 ah I think I've found the issue :P
[11:39:17] <jbond>	 godog: fyi i have reverted that change as it didn;t fix the issue.  i thin it might still be usefull to do but i also needed to add an addtional fix 
[11:47:24] <Southparkfan>	 godog: (after lunch) bookworm rsyslog client reports ten (10) supported curves/finite-field groups in its ClientHello, bullseye server replies back with a shared curve group in its ServerHello
[11:50:31] <Southparkfan>	 but I'd defer to Valentín if/when we are going to dig into rsyslog source code and OpenSSL library functions
[11:51:39] <Southparkfan>	 do we notice a correlation based on OS (e.g. pairs of bullseye clients and bookworm servers?) or function (only ms-fe?)
[11:52:05] <vgutierrez>	 Southparkfan: I guess that's expected behavior... the server picks the preferred curve from the ones available to the client (or refuses to complete the TLS handshake)
[11:52:26] <Southparkfan>	 also need to take into account how much time to spend here vs. actually adding config that adds secure defaults
[11:52:59] <vgutierrez>	 adding config providing a solid TLS configuration for rsyslog isn't optional IMHO
[11:53:10] <Southparkfan>	 vgutierrez: yeah, so it does work as expected in the average case, but my Cloud VPS syslog server also reports errors
[11:53:13] <vgutierrez>	 but I'm the TLS crazy guy
[11:53:28] <Southparkfan>	 but doesn't provide much information on which client it failed for
[11:53:42] <Southparkfan>	 the 'vs.' does indicate mutual exclusion :-)
[11:54:22] <Southparkfan>	 I absolutely agree secure defaults are needed, I was wondering if we should aim straight for adding the defaults or if we should debug further first
[11:58:15] <vgutierrez>	 a quick check, openssl ecparam -list_curves | sort |md5sum yields the same output on bookworm and bullseye
[12:00:08] <Southparkfan>	 That makes sense
[12:03:52] <Southparkfan>	 Have to go now, but unless rsyslog empties the list of supported curves client-side...
[12:04:25] <Southparkfan>	 (why would you)
[12:09:49] <vgutierrez>	 https://github.com/rsyslog/rsyslog/blob/ef1bd6bc03849a22110a6e54abbdb9573bf7b1b6/runtime/nsd_ossl.c#L1487-L1501
[12:10:30] <vgutierrez>	 OPENSSL_VERSION_NUMBER >= 0x10002000L is 1.0.2, so SSL_CTX_set_ecdh_auto is being used
[12:11:47] <vgutierrez>	 the error comes from osslPostHandshakeCheck: https://github.com/rsyslog/rsyslog/blob/ef1bd6bc03849a22110a6e54abbdb9573bf7b1b6/runtime/nsd_ossl.c#L1615
[12:15:05] <vgutierrez>	 on OpenSSL 3 manpage... SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() are deprecated and have no effect.
[12:15:20] <vgutierrez>	 it looks like rsylog could use a patch
[12:15:25] <vgutierrez>	 *rsyslog
[12:20:33] <vgutierrez>	 so no specific curve selection is happening for OpenSSL 3 (rsyslog for bookworm)
[12:20:52] <vgutierrez>	 enforcing it via configuration should get rid of that 
[12:30:23] <Southparkfan>	 vgutierrez: nice find. What about bullseye? Is openssl 1.1.xy still the default there?
[12:31:20] <vgutierrez>	 Yeah.. no openssl 3 
[12:31:53] <vgutierrez>	 1.1.1w at the moment
[12:33:25] <Southparkfan>	 Aha
[12:33:45] <Southparkfan>	 If we cannot reproduce the errors on bullseye->bullseye, this must be the cause
[12:34:28] <Southparkfan>	 It's... interesting
[12:39:59] <jinxer-wm>	 (PuppetFailure) firing: Puppet has failed on prometheus1006:9100 - https://puppetboard.wikimedia.org/nodes?status=failed - https://grafana.wikimedia.org/d/yOxVDGvWk/puppet - https://alerts.wikimedia.org/?q=alertname%3DPuppetFailure
[12:48:48] <godog>	 jbond: ack thank you
[12:49:05] <godog>	 Southparkfan: ack too, thank you and vgutierrez for the investigation so far!
[14:30:45] <Southparkfan>	 https://github.com/rsyslog/rsyslog/blame/ef1bd6bc03849a22110a6e54abbdb9573bf7b1b6/runtime/nsd_ossl.c#L1487-L1501 SSL_CTX_set_ecdh_auto is used if openssl >=  1.0.2 and <= 1.1.1o, SSL_CTX_set_tmp_ecdh is used if openssl < 1.0.2
[14:34:00] <Southparkfan>	 buster ships with 1.1.1n, bullseye with 1.1.1w and bookworm with 3.0.11. so the latter two don't use SSL_CTX_set_ecdh_auto, on 3.0.11 the function is deprecated regardless, but I'm not sure what happens if you remove the call on 1.1.1w
[14:34:26] <jbond>	 godog: (cc herron ) re the change set to move rsyslog to pki 
[14:34:38] <Southparkfan>	 I recall seeing these errors on bullseye clients as well...
[14:35:22] <jbond>	 i think i shuld plan a time when either one or both of yu are around to deploy this change (alternativly yu deploy while im around)
[14:35:52] <jbond>	 it would be good to get tone today tomorrow but let me know if thats to tight a timeline
[14:36:35] <godog>	 jbond: thank you for the heads up, early next week works best for me tbh
[14:36:50] <godog>	 which will mean herro.n is around too, added bonus
[14:37:31] * jbond checks to make sure jobo is not here
[14:38:10] <jbond>	 godog: ack that works, im not strickly ment to be doing changes next week but i dont see that lasting so lets aim for monday/tuesday at a time that is good for herron
[14:38:11] <godog>	 Southparkfan: quite interesting, can't say I understand what's going on heh, or what is supposed to
[14:38:22] <godog>	 jbond: SGTM, thank you
[14:38:41] <jbond>	 ill send out an invite but feel free to suggest alternates
[14:38:49] <Southparkfan>	 no worries godog, I've never used the library either :)
[14:40:34] <godog>	 heheh
[14:41:02] * Southparkfan still has nightmares regarding his exam questions on Galois fields' purpose in TLS
[14:41:09] <godog>	 jbond: I'm doing some work in an adjacent area btw, and I've sent some patches your way, there shouldn't be clashes though with your work and I'm happy to hold off too
[14:44:34] <godog>	 Southparkfan: makes you want to run all across those fields and far away
[14:44:39] <godog>	 that's their purpose
[14:44:43] <Southparkfan>	 xD
[14:46:11] <jbond>	 godog: ack ill tak a proper look in a bit but from a scan i agree they do not conflict
[14:47:45] <godog>	 cheers, I'm about to jump into meetings for a couple of hours
[14:48:58] <Southparkfan>	 using two bullseye systems (one client, one server, absolutely no other remote dests configured on either system) is also enough to emit the error
[14:57:00] <Southparkfan>	 SSL_get_shared_curve itself is also legacy, ha
[15:14:25] <Southparkfan>	 ok, I have no time anymore to dig further, but the pcaps don't match the errors, and it's not an openssl 3 (bookworm)-only issue
[15:37:05] <vgutierrez>	 Southparkfan: SSL_get_negotiated_group() is the new one
[16:40:14] <jinxer-wm>	 (PuppetFailure) firing: Puppet has failed on prometheus1006:9100 - https://puppetboard.wikimedia.org/nodes?status=failed - https://grafana.wikimedia.org/d/yOxVDGvWk/puppet - https://alerts.wikimedia.org/?q=alertname%3DPuppetFailure
[20:40:14] <jinxer-wm>	 (PuppetFailure) firing: Puppet has failed on prometheus1006:9100 - https://puppetboard.wikimedia.org/nodes?status=failed - https://grafana.wikimedia.org/d/yOxVDGvWk/puppet - https://alerts.wikimedia.org/?q=alertname%3DPuppetFailure
[20:43:20] <denisse>	 ^Looking
[20:49:19] <denisse>	 The alert is expected since Puppet is disabled on that host. Acknowledging it to cut down on notifications. More details at https://gerrit.wikimedia.org/r/c/operations/puppet/+/976273.