[06:53:30] <batushka>	 why did they name the initramfs tooling Dracut?
[06:58:33] <batushka>	 a helpful and curious mind in #linux found the answer: https://dracut.wiki.kernel.org/
[06:58:55] <batushka>	 apparently it's a town in massachusetts
[07:39:39] <_joe_>	 Krinkle: that's one of the advantages of mw on k8s - we can decide the size of each pod and optimize it 
[07:40:20] <_joe_>	 but overall I do expect some performance penalty from running on newer kernels / more cpu mitigations / more layers of indirection
[08:37:59] <elukey>	 hi folks, on apt1001 we have some disk space issue
[08:38:15] <elukey>	 jbond, ottomata - can you review your home dirs and drop what is not needed?
[08:39:40] <elukey>	 there is also /srv/home-install1002.wikimedia.org that you be reviewed/dropped as well
[08:39:55] <elukey>	 nothing super urgent but we should free space today if possible
[08:52:27] <moritzm>	 I've removed /srv/home-install1002.wikimedia.org, that was an old copy frm a migration which is long over and also freed 5G in my home
[08:53:54] <_joe_>	 elukey: you won't have my precious files
[08:54:03] <XioNoX>	 if we can empty /srv/wikimedia/incoming/ it would free up 1.8G
[08:54:18] <XioNoX>	 from the doc that directory is supposed to be empty most of the time
[08:54:24] <_joe_>	 we have 25 gb free people
[08:54:25] <elukey>	 thanks moritzm!
[08:55:07] <_joe_>	 but to elukey's point, of the 141G we have occupied there, onluyu 85 are in /srv
[08:55:13] <_joe_>	 where the useful stuff resides
[08:55:34] <_joe_>	 heh 51 GB in /home
[08:55:59] <elukey>	 I know that Andrew was working on the new anaconda-wmf deb that is big, I think the files are not needed anymore so if rushed we can drop them in theory
[08:56:06] <elukey>	 (but I'd prefer to wait for Andrew's confirmation)
[08:56:16] <_joe_>	 yeah let's wait for jbond too
[08:57:22] <_joe_>	 those two are indeed the big offenders :)
[09:11:09] <jbond>	 i have cut mine down to 175M
[09:41:06] <Emperor>	 Delete All The Things! 
[10:06:03] <elukey>	 folks I added some info about how to handle TLS certificate renewals for Kafka brokers (now that we have alarms) - https://wikitech.wikimedia.org/wiki/Kafka/Administration#Renew_TLS_certificate
[10:06:24] <elukey>	 ideally in the long term everything will be handled by puppet and the Kafka PKI intermediate
[10:06:34] <elukey>	 but more tests are needed
[10:06:55] <elukey>	 the new PKI is used by Kafka test, and soon we'll have the first certs to renew (in a couple of weeks I think)
[10:07:30] <elukey>	 if you see something not-clear/weird/etc.. lemme know
[10:10:01] <btullis>	 elukey: Excellent. Thanks for that. I didn't know that you could reload the certificates without a broker restart.
[10:11:47] <elukey>	 btullis: I discovered it recently, it seems to work, the software heritage people did a similar thing :D
[10:12:26] <_joe_>	 elukey: did you test the procedure?
[10:14:43] <elukey>	 _joe_ yes 
[10:14:55] <elukey>	 I also added a big WARNING as well
[10:15:25] <elukey>	 The command seems doing what's needed, the Kafka logs confirm etc.. but I haven't tested it for a real keystore swap
[10:18:41] <elukey>	 (I'll do it in the next days when the first warnings will pop up)
[10:18:57] <elukey>	 if we move all kafka brokers to the new PKI we'll need some automation, the default expiry is 4 weeks
[10:22:19] <btullis>	 4 weeks seems quite a short period. Is it too late to extend the expiry period allowed by the Kafka intermediate CA?
[10:27:55] <elukey>	 I think that it can be changed, shouldn't be a big problem..
[10:28:27] <elukey>	 but if we manage to force puppet to reload the certs consistently it may not be needed
[10:28:54] <elukey>	 it needs to be done very carefully of course
[11:01:50] <btullis>	 Can anyone advise where my cumin-fu is going wrong here please? `sudo cumin R:Class ~ "(?i)role::analytics_test_cluster::(client|coordinator)"`
[11:02:52] <btullis>	 Trying to follow the multiple role selection example here: https://wikitech.wikimedia.org/wiki/Cumin#PuppetDB_host_selection but it responds with: `cumin: error: -m/--mode is required when there are multiple COMMANDS`
[11:03:47] <volans>	 btullis: sudo cumin 'R:Class ~ "(?i)role::analytics_test_cluster::(client|coordinator)"'
[11:03:50] <volans>	 works fine
[11:03:55] <volans>	 (quoting the query)
[11:04:35] <volans>	 as otherwise it would try to parse the args as "R:Class" as query and "~" and "(?i)role::analytics_test_cluster::(client|coordinator)" as commands to execute
[11:05:40] <btullis>	 Ah, thanks volans. Makes perfect sense now.
[11:06:22] <volans>	 anytime
[11:13:28] <XioNoX>	 out of curiosity, what does the "(?i)" do?
[11:14:05] <btullis>	 > (?i) allow to perform the query in a case-insensitive mode (our implementation of PuppetDB uses PostgreSQL as a backend and the regex syntax is backend-dependent) without having to set uppercase the first letter of each class path.
[11:14:06] <jynus>	 I don't know what's the context, but isn't that related to case insesitivity?
[11:14:08] <volans>	 case-insensitive otherwise you have to write it CamelCased as Puppet they are in puppet
[11:15:03] <jynus>	 ah, if it is postgress syntax that makes sense where I have seen it before
[11:21:21] <XioNoX>	 thanks
[11:25:17] <jynus>	 actually it is a rather standar regex syntax, so not only for postgres
[11:30:36] <btullis>	 I added a small note to the Wikitech page about the need to quote multiple host selection queries. Seems obvious to me now, but still tripped me up.
[14:54:07] <hauskatze>	 marostegui: hello, got a minute?
[14:55:56] <marostegui>	 hauskatze: hey what's up
[15:37:05] <hnowlan>	 This is a very vague problem statement but I have a host that is failing to boot into the debian installer properly - on a reboot, it does a pxe boot successfully, all ipmi  commands succeed. It loads initrd.gz and there's a long pause, console goes blank and then the hosts just reboots into the OS already installed 
[15:37:20] <hnowlan>	 any historical examples of similar issues with dells? 
[15:38:53] <elukey>	 hnowlan: sounds familiar :D https://phabricator.wikimedia.org/T297422
[15:39:07] <elukey>	 I got the same issue, I had to ask dcops to upgrade nic+bios
[15:39:09] <elukey>	 and then it worked
[15:39:34] <elukey>	 original task https://phabricator.wikimedia.org/T296856
[15:39:40] <hnowlan>	 elukey: ah, good/bad to hear :D 
[15:40:04] <elukey>	 the good part is that with an upgrade all worked fine :D
[15:41:48] <elukey>	 hnowlan: are those old nodes?
[15:43:09] <hnowlan>	 elukey: old-ish yeah, 2018-11 R440 (only hit one so far but I assume more will follow) 
[15:44:55] <moritzm>	 hnowlan: that's the problem I mentioned two days ago on IRC, I'm running into the same with the Ganeti servers in eqiad, these will also need firmware updates
[15:45:34] <hnowlan>	 moritzm: ahh I see - I saw your ticket linked in elukey's too :) 
[15:48:43] <moritzm>	 on the bright side, for the 16 cases where we had seen that error so far, the firmware update resolved it reliably
[15:53:24] <hauskatze>	 Sorry! This site is experiencing technical difficulties.
[15:53:25] <hauskatze>	 Try waiting a few minutes and reloading.
[15:53:25] <hauskatze>	 (Cannot access the database: Cannot access the database: Unknown database 'metawiki' (db1164) (db1164))
[15:55:45] <hauskatze>	 I am trying to supress an abusive account and keep getting this ^
[15:58:17] <zabe>	 huh
[15:58:35] <_joe_>	 Amir1, marostegui ^^
[15:58:53] <cdanis>	 db1164 is s1?
[15:59:06] <Amir1>	 I'm at a meeting
[15:59:14] <Amir1>	 how large scale is the issue?
[15:59:24] <zabe>	 the stacktrace actually indicates that this looks like my work, I think it's mixing up db connections :/
[15:59:26] <_joe_>	 seems pretty serious, let me check
[15:59:26] <Amir1>	 (should I leave the meeting early?)
[15:59:34] <hauskatze>	 can't suppress any global account
[15:59:48] <_joe_>	 I need to go into a meeting
[15:59:50] <_joe_>	 as well
[15:59:56] <_joe_>	 but this seems like a serious issue
[16:00:06] <_joe_>	 if code is suspected, let's rollback first, ask quesitons later
[16:00:08] <Amir1>	 I can take over soon, let me know if you have a patch ready for review and deployment
[16:01:06] <hauskatze>	 I am not sure if this is happening for this very account I'm trying to nuke, or for others as well
[16:01:14] <hauskatze>	 let me test with another
[16:01:18] <Amir1>	 okay, the meeting is over, let me see
[16:01:40] <cdanis>	 https://logstash.wikimedia.org/goto/592ea2f850bcc277e8661ab5ba2dfbd2
[16:01:45] <zabe>	 I think I found the issue
[16:01:46] <cdanis>	 the error has been happening at low rates for a week
[16:01:54] <cdanis>	 not sure a rollback would be helpful
[16:01:57] <hauskatze>	 Yep, I can't suppress any global account
[16:02:09] <zabe>	 or maybe not
[16:02:41] <_joe_>	 cdanis: same server?
[16:02:50] <cdanis>	 _joe_: no
[16:03:05] <cdanis>	 a good spread of hosts, and looks like it has occurred on both .18 and .17
[16:03:47] <hauskatze>	 db1175 now with "MarcoAurelio (test 2)"
[16:04:00] <hauskatze>	 shall I file a security task in the meanwhile for reference?
[16:04:22] <Amir1>	 yup
[16:05:17] <hauskatze>	 Ack, creating
[16:05:25] <hauskatze>	 2 CA bugs today I'm filing
[16:05:27] <hauskatze>	 nice
[16:06:19] <marostegui>	 an I needed _joe_ , Amir1 ?
[16:06:22] <marostegui>	 am I
[16:06:44] <Amir1>	 marostegui: nah, I'm on it
[16:06:45] <zabe>	 hauskatze: could you add me? I would like to see if my patch is related (https://gerrit.wikimedia.org/r/c/mediawiki/core/+/723790).
[16:07:59] <hauskatze>	 Amir1: https://phabricator.wikimedia.org/T299655
[16:08:15] <hauskatze>	 zabe: if you're in NDA groups you should be able to see it?
[16:08:29] <hauskatze>	 otherwise I guess it's fine, given that you have Logstash access iirc
[16:09:02] <mutante>	 there is a "when added to LDAP wmf you automatically also get Phab WMF-NDA" nowadays
[16:09:03] <zabe>	 I have a nda, but I don't have sec issue access
[16:09:16] <jynus>	 It's weird, because from cdanis logs it affectef both userrights and centralauth suppresion
[16:09:18] <mutante>	 but maybe not the same for "nda", not the automatic part
[16:09:28] <mutante>	 feel free to reopen that ticket to ask for phab nda
[16:09:44] <hauskatze>	 zabe: added
[16:09:53] <zabe>	 thx
[16:15:29] <marostegui>	 Amir1: let me know if I need to come online, I'm 5 mins away from my laptop
[16:16:11] <Amir1>	 marostegui: nah, enjoy your evening for once 
[16:16:30] <marostegui>	 xdddd
[16:17:57] * hauskatze Squawks 7700
[16:18:45] <hauskatze>	 Amir-1 and myself are investigating
[16:42:11] <Amir1>	 zabe: https://integration.wikimedia.org/ci/job/mediawiki-quibble-vendor-mysql-php73-docker/11481/console :(((
[16:42:45] <zabe>	 sorry :(
[16:47:47] <zabe>	 Amir1: would it be possible to only merge the revert into wmf.18 for now. I'm fairly certain the failure is only due to me not being able to write good tests.
[16:48:12] <Amir1>	 zabe: that is da plan
[16:48:32] <zabe>	 ok, thx
[16:48:37] <Amir1>	 zabe: actually you wrote too good tests ("brittle tests")
[16:51:09] <taavi>	 zabe: actually I think the tests breaking prove that my fix works :D
[16:52:01] <taavi>	 I'm not even sure if it's possible to test that something correctly reads from a separate database :/
[16:52:43] <zabe>	 yeah, I remember writing some tests for UserRightsProxy and having these issues
[16:52:46] <andrewbogott>	 apergos: mind if I rename the incoming dumps NFS servers (formerly labstore100x) to 'dumps100x'?
[16:52:57] <apergos>	 um
[16:53:10] <apergos>	 we have servers called "dumpsdata100x'
[16:53:11] <apergos>	 "
[16:53:17] <apergos>	 so that might be a bit close
[16:53:40] <taavi>	 dumpsdistrib(ution)100x?
[16:54:02] <apergos>	 that's a mouthful
[16:54:08] <andrewbogott>	 apergos: we'd talked about 'clouddumps' but I'm not sure that the 'cloud' prefix is really anything there
[16:54:17] <andrewbogott>	 although it would make it easier for me to find them in icinga
[16:54:33] <apergos>	 what do the rest of the labstore boxes get renamed to?
[16:54:48] <apergos>	 is everything going to be cloud_x for some value of x?
[16:56:03] <apergos>	 you kno what
[16:56:26] <apergos>	 datasets (I know, we used to have dataset100x)
[16:56:46] <andrewbogott>	 apergos: we're moving towards not really having other cloudstores.  NFS is moving onto the cloud soon (I hope)
[16:56:51] <apergos>	 because sooner or later we might stop calling all these datasets dumps and start calling them public community datasets or something like that
[16:57:05] <andrewbogott>	 ok, so datasets100x?
[16:57:13] <andrewbogott>	 Not just 'data100x'?  :p
[16:57:13] <apergos>	 let's see what robh says
[16:57:28] <apergos>	 because that's very close to reusing an old name and he might not like it
[16:57:37] <apergos>	 (but I do)
[16:58:05] <apergos>	 are the other wmcs hosts cloudX or do their names vary?
[16:58:46] <andrewbogott>	 100% cloudx
[16:58:49] <apergos>	 oh
[16:58:51] <apergos>	 um
[16:58:53] <Amir1>	 zabe: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FlaggedRevs/+/755727 🥺
[16:58:57] <apergos>	 clouddatasets
[16:59:00] <andrewbogott>	 But there's nothing fundamentally cloudish about these new hosts
[16:59:07] <apergos>	 long but not as long as dumpsdistributionthingie
[16:59:14] <apergos>	 no, just that they belong to y'all
[16:59:29] <apergos>	 well the one provides nfs to wmcs instances, that's cloud-ish :-P
[16:59:36] <andrewbogott>	 true
[16:59:59] <andrewbogott>	 arturo: was suggesting that these boxes not be cloud* but I don't know if he  had an offical rationale beyond less to type
[17:00:00] <apergos>	 so clouddumps or clouddatasets is fine
[17:00:06] <apergos>	 imo
[17:01:18] <mutante>	 dumpscloud so it does not get selected by cloud* but also is not like dumps without cloud and nobody is happy
[17:01:19] <arturo>	 I like the notion of having the `cloud` keyword for servers that are fundamental part of the core WMCS underlying infrastructure
[17:01:44] <arturo>	 +1 to mutante's suggestion
[17:02:22] <apergos>	 wmcsdumps (and that will guarantee that the team gets renamed and so does the service)
[17:02:39] <apergos>	 anyways you have my thoughts, feel free to poke me on the relevant task if you don't come to an agreement
[17:02:51] <apergos>	 or need more of my esho
[17:02:57] <andrewbogott>	 thanks :)
[17:03:09] <mutante>	 but at the end of the day, if you all use cumin aliases and not just glob/wildcard on DNS names then you can customize it all as you like
[17:03:16] <mutante>	 in cumin aliases file
[17:03:51] <apergos>	 at least one person (and maybe more in the future) will have access to the dumps related servers without having cumin access, just fyi
[17:03:58] <apergos>	 now I really am going to wander off
[17:04:03] <robh>	 apergos: uhh, talking hostnames?  i dont have a horse in this race as long as you list it on the wikitech naming standards page
[17:04:11] <robh>	 and they need to be short enough nto fit on label
[17:04:40] <robh>	 I stopped having a horse in the hostname race in 2018.
[17:04:46] <robh>	 ;D
[17:04:49] <apergos>	 there you have it folks, when you settle on a color for the shed lemme know
[17:04:59] <robh>	 the main thing being the wikitech page gets updated
[17:05:20] <robh>	 https://wikitech.wikimedia.org/wiki/SRE/Infrastructure_naming_conventions
[17:06:09] <robh>	 datasetsX will fit better on label from a purely character perspective
[17:06:27] <robh>	 granted a label is NOT the deciding factor, but it is an easy guideline
[17:06:47] <robh>	 the deciding factor is who argues loudest in the sre meeting when its brought up that someone hates the name you picked ; D
[17:07:26] <apergos>	 one could argue that
[17:07:44] <apergos>	 nope I'm not even. I"m really actually goign to do mindless twitter surfing or something
[17:10:40] <mutante>	 the servers need a little e-ink display instead of LCD, then display their "physical label" hostname on that so it stays as it is even when power off. /me hides
[17:16:36] <robh>	 the lcd used to do that but we had to program it manually and now they dont have lcds
[17:30:39] <hauskatze>	 thanks taavi and Amir1 :)
[17:30:58] <Amir1>	 happy to be of service
[17:36:45] <zabe>	 I guess I'll sit down now and fix the tests now
[17:37:02] <taavi>	 lmk if I can help
[18:49:28] <robh_>	  /nick robh
[18:49:44] <hauskatze>	 fail
[19:31:08] <mutante>	 since just now the old Bugzilla tickets are now a kubernetes service. eh, I mean "the archive of all the old tickets is". https://static-bugzilla.wikimedia.org/
[19:31:32] <mutante>	 just switched from ganeti to k8s
[19:38:38] <hauskatze>	 good ol' bugzy
[19:42:45] <mutante>	 yep, living in the future to stick around forever
[20:58:17] <jhathaway>	 !log rebotting mx1001 to test new kernel
[20:58:19] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log