[07:57:54] <pfischer>	 o/ dcausse: do you have time to continue working on the ES sink? Otherwise I could pick up and build a release.
[08:56:53] <dcausse>	 pfischer: yes please, thanks for the offer! :) 
[08:57:44] <dcausse>	 I mean "no I don't have much time" so please go ahead :)
[08:58:05] <pfischer>	 dcausse: Sure, no worries. 🙂
[08:59:59] <pfischer>	 I pinged Luca, so hopefully we can move https://phabricator.wikimedia.org/T351503. Balthazar already offered his support in setting up the topic once we get green light from OPs
[09:15:17] <dcausse>	 nice! :)
[09:15:29] <dcausse>	 sadly the topic already exists :/
[10:36:46] <dcausse>	 errand + lunch
[14:45:51] <dcausse>	 quick errand
[15:39:22] <hashar>	 hello :)
[15:39:54] <hashar>	 while browsing the production logs for MediaWiki, I found out that rolling 1.42.0-wmf.7 causes an insane amount of log originating from CirrusSearch 
[15:40:01] <hashar>	 ex Pool key 'CirrusSearch-Search:_elasticsearch_enwiki' (CirrusSearch-Search): ⧼poolcounter-connection-error
[15:40:17] <hashar>	 I have filed it as an unbreak now at https://phabricator.wikimedia.org/T352444  cause I don't know the impact
[15:40:39] <hashar>	 I don't know why `⧼poolcounter-connection-error⧽`  uses those special angles brackets
[15:40:50] <hashar>	 and maybe it is a placeholder for the actual underlying error
[15:41:12] <gehel>	 dcausse ^
[15:41:18] <dcausse>	 hashar: looking
[15:41:49] <dcausse>	 that's all over the place...
[15:41:49] <hashar>	 the screen shot shows the messages appeared with group 1 wikis and of course the rate of message doubled this morning as I promoted the rest of the wikis
[15:41:58] <hashar>	 so I guess it is log spam originating from some code in CirrusSearch
[15:46:13] <hashar>	 and  poolcounter  has some sharp drop since I rolled the train tihs morning ( https://grafana.wikimedia.org/d/aIcYxuxZk/poolcounter?orgId=1&from=now-24h&to=now )
[15:46:22] <hashar>	 then I don't know what is using poolcounter
[15:47:20] <HolidayRhino>	 hashar: the angle brackets is probably missing i18n message
[15:47:28] <HolidayRhino>	 The rest I can't help with
[15:48:13] <HolidayRhino>	 Which does make sense
[15:48:15] <HolidayRhino>	 https://github.com/search?q=repo%3Awikimedia%2Fmediawiki%20poolcounter-connection-error&type=code
[15:48:24] <dcausse>	 don't see anything new in cirrus, wondering if it's the poolcounter failing to load its config and falling back to very low values
[15:48:33] <HolidayRhino>	 Has no en.json result
[15:48:39] <hashar>	 yeah I am just surprises it is not using the good old < and >
[15:49:01] <HolidayRhino>	 hashar: no idea on the specific type of brackets
[15:49:11] <HolidayRhino>	 That definitely should be a task filed though
[15:49:20] <HolidayRhino>	 Because an actual error is being hidden
[15:49:29] <hashar>	 dcausse: it looks like we have lost poolcounter yeah
[15:50:05] <gehel>	 so that might not be just Search? And Search is overloading the logs because Search is the largest user of poolcounter?
[15:51:55] <hashar>	 that is my guess yes
[15:52:35] <hashar>	 or something else entirely
[15:54:38] <hashar>	 https://grafana.wikimedia.org/d/aIcYxuxZk/poolcounter?orgId=1&from=now-2d&to=now&var-dc=codfw%20prometheus%2Fops
[15:54:56] <hashar>	 that is the 2 days view of locks held/released  and requests processed 
[15:55:04] <hashar>	 which goes down whne promoting group 1 
[15:55:13] <hashar>	 and fall to almost nothing once promoint all wikis
[15:55:16] <hashar>	 promoting
[16:02:28] <ebernhardson>	 \o
[16:04:25] <HolidayRhino>	 Amir1: I see you doing PoolCounter stuff
[16:04:27] <HolidayRhino>	 See here
[16:06:00] <Amir1>	 You know I'm already pinged on this?
[16:06:19] <hashar>	 so we ended up continuing in the _security channel
[16:06:44] <hashar>	 and most probably the issue is in mediawiki/core and the patch is being rolled back https://gerrit.wikimedia.org/r/q/4344b2fb80727daa44eb461e316421ac803d8df1
[16:06:45] <hashar>	 :)
[16:07:13] <HolidayRhino>	 Amir1: no I can't see the conversation anywhere else
[16:07:37] <Amir1>	 then please assume, I'm aware ^_^
[16:11:22] <dcausse>	 o/
[16:24:02] <dcausse>	 surprised that searches were still working with the poolcounter broken...
[16:24:10] <ebernhardson>	 oh! that seems risky
[16:24:39] <dcausse>	 seems like we fallback to "no poolcounter" in this case?
[16:24:58] <Amir1>	 that's scary 😅
[16:25:14] <dcausse>	 yes :/
[16:34:29] <Amir1>	 okay the patch is deployed dcausse 
[16:34:37] <dcausse>	 Amir1: thanks! :)
[16:35:19] <dcausse>	 this is because: https://gerrit.wikimedia.org/g/mediawiki/core/+/e49f585abaad23fa0b2d78c3d1495fbe647a61c6/includes/poolcounter/PoolCounterWork.php#154 I think
[16:36:07] <dcausse>	 wondering if we should prefer failing the work in that case (for search at least)
[16:37:11] <dcausse>	 this problem remained unnoticed for 24+h
[16:37:15] <ebernhardson>	 hard to say, my main datapoint is when we first deployed codfw cluster i ran a loadtest that didn't use any connection limiting and the whole cluster fell over
[16:37:31] <ebernhardson>	 but that was several versions ago, smaller cluster, who knows
[16:40:47] <hashar>	 the issue got solved by reverting the faulty patch in mediawiki/core
[16:40:49] <dcausse>	 yes not sure what's appropriate, take the risk and let the system respond or fail everything so that gets fixed quickly...
[16:41:20] <dcausse>	 hashar: \o/, thanks for taking care of this!
[16:41:50] <hashar>	 Amir1 pushed all the buttons! :]
[16:42:31] <Amir1>	 I like pushing shiny buttons
[16:45:04] <pfischer>	 ebernhardson: I do have a setup working with a ES bulk processor that has access to the sink’s init context/metrics but I can’t get the artefact into archiva (401).
[16:45:37] <ebernhardson>	 pfischer: hmm, i haven't seen a 401 from archiva  thats odd
[16:45:54] <ebernhardson>	 pfischer: do you have an archiva password?
[16:47:04] <pfischer>	 ebernhardson: I do have credentials (LDAP) I can log in at the UI https://archiva.wikimedia.org/
[16:47:09] <ebernhardson>	 i suppose i have this configured, it's probably what prevents the 401: https://wikitech.wikimedia.org/wiki/Data_Engineering/Systems/Archiva#Deploy_to_Archiva
[16:47:37] <ebernhardson>	 and we might need to check your ldap groups, this says you need archiva-deployers
[16:48:11] <pfischer>	 Same here, I’ve got my encrypted password associated with archive.snapshots… yes is that something I can do myself (check)?
[16:48:33] <ebernhardson>	 i'm not sure, i suspect ryan or brian can do the ldap bits. I'm trying to see if i can even query ldap
[16:50:03] <pfischer>	 According to the lookup (via mwmaint) I’m only in the ou=people
[16:50:36] <ebernhardson>	 yea seeing the same, I suspect we need https://wikitech.wikimedia.org/wiki/SRE/LDAP#Add_a_user_to_a_group
[16:51:03] <ebernhardson>	 not clear if that requires doing a full access request or if it can just be done, i would vote for just do it (by sre with sudo)
[16:51:18] <ebernhardson>	 inflatador: ^
[16:51:50] <inflatador>	 ebernhardson ACK, will take a look once I'm out of mtgs
[16:51:55] <ebernhardson>	 thanks
[16:53:51] <pfischer>	 ebernhardson: in the mean time: which metrics would you be interested in? noops total | per batch | batch size | failures (per batch and update type?)
[16:54:39] <ebernhardson>	 pfischer: i think the main thing would be noops rate broken out by source, a rate of successfull and failed writes as well
[16:54:47] <ebernhardson>	 i don't know if per-batch is too meaningful, i think it can just be overall
[16:55:10] <ebernhardson>	 maybe batch size would be interesting, get more insight into what it's doing
[16:55:38] <pfischer>	 Yeah, that’s what I thought as well. Alright, I’ll set them up.
[16:56:10] <ebernhardson>	 the version of that in Cirrus ends up here, but it isn't broken out it's only top level: https://grafana.wikimedia.org/d/JLK3I_siz/elasticsearch-indexing?orgId=1&viewPanel=43
[16:56:23] <ebernhardson>	 it's just created/noop/updated per second
[16:56:30] <ebernhardson>	 which probably map directly to elasticsearch status's
[16:58:29] <ebernhardson>	 pfischer: oh, it looks like we also record per-index stats but only for specified indexes. The cirrus impl for reference is https://github.com/wikimedia/mediawiki-extensions-CirrusSearch/blob/master/includes/DataSender.php#L408
[16:59:13] <ebernhardson>	 or maybe thats all indices, mhm
[16:59:54] <inflatador>	 Trey314159 might be 1-2m late to our mtg
[17:00:11] <Trey314159>	 inflatador: no worries
[17:00:44] <ebernhardson>	 huh, i guess i didn't remember that, but indeed in grafana we have per-index stats on noop/created/etc. I'm not sure if we ever used that
[17:01:35] <dcausse>	 I look at it once in a while but not sure that's particularly useful
[17:07:00] <dcausse>	 oops I missed the restbase meeting, ebernhardson did you attend?
[17:07:16] <ebernhardson>	 dcausse: yup, went over the restbase / related articles question
[17:07:25] <dcausse>	 cool
[17:07:56] <ebernhardson>	 dcausse: the summary is they need more data from the apps teams about perf and migration concerns, plausible this will move to the action api with a generator to provide summaries, but not 100% certain yet
[17:08:52] <dcausse>	 ok
[17:11:13] <pfischer>	 AFK, back in 60’
[17:24:55] <ebernhardson>	 i don't know if it's strictly required, but it seems it would be annoying if eventbus keeps trying to recreate the topic by sending new events, so i've added a patch to deploy window later today to disable event bus bridge on testwiki
[17:35:40] <inflatador>	 lunch, back in ~1h
[18:04:10] <dcausse>	 dinner
[18:30:04] <inflatador>	 back
[19:10:30] <inflatador>	 CR to get rid of the broken wdqs ldf check if anyone has time to look: https://gerrit.wikimedia.org/r/c/operations/puppet/+/979149/
[19:10:59] <inflatador>	 I'm pretty sure I know how to fix it, but let's get rid of the bad one in the short temr
[19:11:48] <ebernhardson>	 looking
[19:12:09] <inflatador>	 ebernhardson no worries, already got a +1
[19:12:28] <ebernhardson>	 jj
[19:12:30] <ebernhardson>	 kk
[19:15:19] <inflatador>	 If you have ideas on the best place to put that ldf endpoint check LMK, digging thru our manifests now
[19:21:34] <ebernhardson>	 not sure, i suppose in theory what i would like to see is something that hits the full pipeline the same way a user would, from outside our network
[19:21:55] <ebernhardson>	 no clue if thats a general thing though :) 
[19:25:38] <inflatador>	 Yeah, was wondering that myself...current blackbox checks for query.wikidata use the public URL, but actually poll from our own prometheus servers
[19:26:08] <inflatador>	 Not completely "blackbox," but good enough I guess
[19:28:58] <inflatador>	 I guess we can use a flag in modules/profile/manifests/query_service/common.pp like we do for NFS dumps...then flip on the flag for the current ldf endpoint host
[19:33:02] <ebernhardson>	 inflatador: there is already an enable_ldf flag, which purports to make it into the nginx template. Can that flag be reused?
[19:33:59] <ebernhardson>	 hmm, no i don't think thats specific enough
[20:18:21] <ebernhardson>	 huh, i can't seem to add notes to dagrun's in airflow anymore, gets a 500 : psycopg2.errors.InvalidTextRepresentation: invalid input syntax for type integer: "None"
[22:07:20] <inflatador>	 pfischer back
[22:08:29] <inflatador>	 pfischer ebernhardson can you confirm you need the "archiva-deployers" group? Working on it now
[22:10:49] <inflatador>	 nm, confirmed
[22:10:55] <ebernhardson>	 inflatador: that should be the one, it matches the wikitech page on archiva, and `ldapsearch -x cn=archiva-deployers` shows a set of users that looks about right
[22:12:59] <inflatador>	 ebernhardson ACK, added pfischer . Hit me up if y'all are having issues
[22:15:12] <pfischer>	 inflatador: should that change be visible when performing  ldapsearch -x uid=pfischer?
[22:16:23] <pfischer>	 I still get a 401 from archive and the ldapsearch only shows ou=people. Does it take some time?
[22:17:54] <inflatador>	 pfischer `ldapsearch -x uid` won't show your groups . I see you when I run `ldapsearch -x cn=archiva-deployers` but I do think it might take time
[22:31:57] <pfischer>	 ebernhardson: are there any restrictions which maven artefact coordinates I’m allowed to deploy, for example, only org.wikimedia.* but not org.apache.flin.* ?
[23:03:08] <pfischer>	 Hm, I still get a 401, running with -X I see that it picks up the right username (configured in settings.xml)
[23:06:13] <inflatador>	 maybe there are other groups needed as well?
[23:06:13] <ebernhardson>	 pfischer: hmm, not sure
[23:06:30] <ebernhardson>	 i think i've only released org.wikimedia artifacts before, checking archiva config
[23:08:39] <ebernhardson>	 i don't see anything relevant there, it's not actually clear how all those repositories are defined
[23:09:05] * ebernhardson should know since he added a new repo there years ago :P
[23:15:25] <ebernhardson>	 hmm, i suspect there must be another level of auth, back then it was the single archiva-deploy users and iirc there was more access available in the web ui.  wikitech page confirms there should be an administrative web ui, but that we could see the config the web ui mutates in /var/lib/archiva/conf/archiva.xml 
[23:16:37] <ebernhardson>	 i think that would be archiva1002.wikimedia.org, but i can't peek at that server
[23:30:21] <ebernhardson>	 i suppose from the other direction though, can see in the browser that wikimedia release repository has stuff from many different namespaces. Seems most likely something else is the problem