[06:08:03] <jynus>	 XioNoX mmandere when around, I belive you should update this week's schedule (A still shows as assigned this week), but wanting you to be around before breaking things
[06:12:39] <mmandere>	 jynus: ack
[06:13:15] <jynus>	 I belive it was because multiple switches happened, not reflected on victorops
[06:13:17] <marostegui>	 mmm is it me or the sync to our puppet repo in github isn't working? the last commit is from 6h ago there: https://github.com/wikimedia/puppet
[06:14:40] <jynus>	 mmandere: you should I think coordinate with alex to remove yourself from the next week too
[06:14:49] <jynus>	 marostegui: let me see
[06:15:08] <marostegui>	 jynus: I can create a task and ping releng if you like
[06:15:43] <RhinosF1>	 marostegui: I see your 2 commits on github
[06:15:58] <marostegui>	 RhinosF1: Oh wow, it just got there indeed
[06:16:07] <marostegui>	 jynus: ^ seems to be fixed
[06:16:07] <jynus>	 there must be some lag
[06:16:11] <marostegui>	 yeah
[06:16:24] <jynus>	 I saw it there too
[06:16:38] <marostegui>	 great!
[06:22:37] <jynus>	 do you often use github (out of curiosity)?
[06:24:52] <marostegui>	 jynus: yeah, I use it to browse the repo
[06:50:47] <XioNoX>	 same
[07:50:40] <slyngs>	 Unless it conflicts with the plans of someone else: I'm going to disable Puppet fleet wide in a little bit. The goal is to move Puppet from crontab to systemd timers. 
[07:52:52] <jynus>	 how will failures will be handled, will they generate systemctl alert spam?
[07:54:05] <slyngs>	 Yes, we can disable alerting if it turns out to be an issue
[07:54:35] <jynus>	 sorry, I didn't understand, do you mean "Yes, it will generate systemctl alert spam?"
[07:54:57] <slyngs>	 Sorry, yes, failure will generate a systemctl alert
[07:55:06] <slyngs>	 It's this patch: https://gerrit.wikimedia.org/r/c/operations/puppet/+/807118
[07:55:12] <jynus>	 but we disabled puppet failure alerting, that will be a regression
[07:55:24] <jynus>	 we only alert on widspread failres, give a warning otherwise
[07:55:55] <slyngs>	 Fair point, I'll amend the patch to not alert on failures
[07:56:12] <jynus>	 what's worse, may hide legitimate systemctl alerts
[07:56:17] <jynus>	 I will comment on ticket
[07:56:32] <slyngs>	 Thank you, I'll abort the mission for now :-)
[07:57:49] <slyngs>	 I'll just check, it's the same script, so maybe it won't generate spammy alerts
[07:58:31] <XioNoX>	 jynus: good catch!
[08:00:20] <jynus>	 So I mentioned because I have pending doing changes to a script in the same way
[08:01:35] <jynus>	 I don't want systemd to alert if 1 backup fails, for example, out of 10, so I have to tune the exit status to only alert on fatal failures (e.g. config file not found)
[08:02:36] <jynus>	 (I have backup monitoring separatelly, of course)
[08:02:40] <jynus>	 so it is a similar case
[08:03:24] <slyngs>	 jynus: https://gerrit.wikimedia.org/r/c/operations/puppet/+/792113 <- We have this one, I think you commented on that one as well, but yes, same issue
[08:03:41] <jynus>	 yes, that is the one I referred to
[08:03:45] <jynus>	 I will apply it
[08:03:54] <jynus>	 just need time to update the script
[08:04:21] <slyngs>	 I'll see what we can do with the run-puppet script. 
[08:04:45] <jynus>	 maybe update the systemctl monitoring to ignore puppet?
[08:05:11] <jynus>	 as puppet has its own "monitoring stack"
[08:05:27] <jynus>	 or force a 0 exit after running from systemctl timer
[08:05:30] <jynus>	 ?
[08:05:32] <jynus>	 unsure
[08:05:52] <jynus>	 maybe there is a timer config?
[08:07:39] <slyngs>	 We could just disable monitoring for the Puppet service, or where you concerned that it might hide to much?
[08:10:25] <jynus>	 but the monitoring is a bit complex- it uses aggregarion to decide if to alert
[08:11:02] <jynus>	 e.g. alertmanager only alerts if it fails on more than 1 host
[08:11:23] <jynus>	 per-host puppet failure alerting (not monitoring) was disabled due to spam
[08:11:43] <jynus>	 oh, or you mean the systemctl one, specifically?
[08:11:54] <slyngs>	 Oh, yes, just the systemctl one
[08:12:08] <jynus>	 sorry, I missunderstood
[08:12:12] <slyngs>	 The alertmanager alerts are fine, they aren't being influenced
[08:12:15] <jynus>	 yeah, that was one of my suggestions indeed
[08:12:44] <slyngs>	 In that case I misunderstood :-)
[08:12:56] <slyngs>	 I'll amend the patch and let people review it again 
[08:12:58] <jynus>	 "maybe update the systemctl monitoring to ignore puppet?" <- here
[08:13:44] <slyngs>	 Perfect, I just put way more meaning into that 
[08:14:26] <jynus>	 let's make sure people are aware of it, though on ticket and maybe an email or SRE meeting comment
[08:14:36] <jynus>	 *trough the patch
[08:14:40] <jynus>	 *through
[08:14:43] <jynus>	 arg I cannot write
[08:16:45] <joe>	 slyngs: I think you'd be better off by just running bash -c "run-puppet-agent || /bin/true" from the timer if you don't want it to fail on puppet failures
[08:17:27] <jynus>	 that is the other option I mentioned :-), whatever most people prefer (not sure which one would cause the least surprise?)
[08:17:38] <joe>	 I would not modify run-puppet-agent tbh, the way it returns status codes is somewhat related to how we run stuff in cumin
[08:18:02] <jynus>	 ah, makes sense
[08:18:03] <slyngs>	 I don't think systemd will be to happy about the ||
[08:19:07] <slyngs>	 We could to "Yet another wrapper" that will run the  bash -c "run-puppet-agent || /bin/true
[08:20:45] <jynus>	 the last option is to downgrade systemctl to a warning for puppet timer only
[08:20:55] <jynus>	 *systemctl monitoring
[08:21:27] <joe>	 slyngs: why would systemd not be happy about that? if you quote the command correctly it will
[08:22:16] <slyngs>	 Is it just the redirects it doesn't like?
[08:23:48] <jynus>	 just single quotes should do the work according to this? https://unix.stackexchange.com/a/496370
[08:25:00] <slyngs>	 I'll just do a few test. The whole thing is wrapped in another script, to handle sending email
[08:25:08] <jynus>	 he he
[08:25:19] <jynus>	 maybe that could be changed instead
[08:26:04] <slyngs>	 Yeah, but that's equally dangerous as that wrapper a ton of customer systemd timers and jobs
[08:27:14] <joe>	 something like
[08:27:19] <joe>	 ExecStart=/bin/bash -c "/bin/false || echo TEST" 
[08:27:20] <joe>	 works
[08:27:26] <joe>	 so I'm not sure what's the worry here
[08:28:58] <slyngs>	 It will end up as ExecStart=/usr/local/bin/systemd-timer-mail-wrapper /bin/bash -c "/bin/false || echo TEST" 
[08:29:29] <joe>	 why do we need to send email?
[08:29:42] <slyngs>	 Maybe... I might just be overly paraniod
[08:29:44] <joe>	 I don't think we do from the current cron
[08:30:02] <joe>	 and I don't see a good reason to mail everyone if puppet is failing to run
[08:30:07] <joe>	 given we're already alerting on it
[08:31:09] <slyngs>	 No, you're right, just don't send email and ignore errors and let AlertManager handle the alerting should work
[08:31:29] <moritzm>	 cron simply silently failed errors, so with the migration to systemd timers we need to figure out the cases where this actually would make sense
[08:31:44] <joe>	 +1
[08:31:49] <moritzm>	 but I agree that for puppet runs this would be too noisy and the other measures we have in place are effective enough already
[08:32:36] <slyngs>	 I'll just do a little tweaking to the patch and run it through review again :-)
[08:33:49] <jynus>	 sorry if this caused you more work- I was surprised nobody else brought it up
[08:35:56] <jynus>	 as an example, I see now up to 7 systemd unit run errors on icinga
[08:36:12] <jynus>	 (some acked/disabled)
[08:36:13] <slyngs>	 jynus: No this is great, much better to deal with it upfront
[08:36:55] <slyngs>	 So it turns out that some one thought about this. Systemd will ignore errors is the command is prefixed with -
[08:37:16] <slyngs>	 And our puppet module actually knows about that
[08:37:41] <jynus>	 much cleaner solution :-D
[08:38:32] <slyngs>	 Who ever wrote the puppet module had an amazing amount of foresight
[08:39:49] <slyngs>	 From the systemd manual: If the executable path is prefixed with "-", an exit code of the command normally considered a failure (i.e. non-zero exit status or abnormal exit due to signal) is recorded, but has no further effect and is considered equivalent to success.
[08:41:43] <jynus>	 you get my +1 if you fix the extra space and basically copy and paste that to the patch (explaining why ignore_errors) :-)
[08:53:30] <slyngs>	 jynus: For you, I'll delete all the spaces you want.... assuming the linter is also happy :-)
[08:58:19] <jynus>	 you should be happy to get prompt reviews, even if nitpicky! I am still waiting for some that is blocking my main goals for over a month!
[08:59:36] <slyngs>	 I really do appreciate the reviews, and especially the prompt ones. 
[09:48:46] <jbond>	 slyngs: sounds like you found the required knob, but for clarity.  if yuo set `ignore_errors => true` then systemd will ignore any errors (https://github.com/wikimedia/puppet/blob/production/modules/systemd/manifests/timer/job.pp#L139)
[10:48:07] <slyngs>	 Now that everyone is happy: Puppet will be disabled in 15 minutes
[10:53:51] <slyngs>	 Oooh, that's a scary amount of servers :-)
[10:58:07] <slyngs>	 Argh, I forgot about cloud, I want to disable Puppet there as well.
[10:59:57] <moritzm>	 people might be running local puppet masters, you won
[11:00:06] <moritzm>	 won't be able to disable it fully
[11:00:35] <moritzm>	 but the majority of cloud hosts are running against a central puppet master running in cloud vps itself
[11:00:55] <moritzm>	 but I currently don't know the procedure to disable it, best to check in #wikimedia-cloud-admin
[11:01:48] <volans>	 there is cloud cumin master, if you have global root in cloud or part of that project you should be able to do it for all hosts
[11:01:52] <volans>	 including self-hosted puppetmasters
[11:04:45] <slyngs>	 volans is that just another host I can access?  
[11:05:06] <volans>	 https://wikitech.wikimedia.org/wiki/Cumin#WMCS_Cloud_VPS_infrastructure
[11:05:08] <volans>	 yes
[11:05:19] <slyngs>	 Perfect, thank you
[11:05:30] <volans>	 if you are in that project or have global cloud root
[11:05:36] <volans>	 (not all sre have it)
[11:06:33] <slyngs>	 I don't even think I have ssh setup for wikimedia.cloud
[11:12:49] <slyngs>	 I don't appear to be allowed to login. I'll ask in cloud-admin for help
[12:13:48] <marostegui>	 moritzm: I recall you said the decom script needed some patches on Friday? Was done already?
[12:14:50] <moritzm>	 marostegui: only for VMs, baremetal servers are fine
[12:15:54] <moritzm>	 for VMs I think it will be fixed today
[12:16:26] <marostegui>	 ah cool
[12:16:27] <marostegui>	 thanks
[12:29:47] <volans>	 yes I'm working on it, today/tomorrow at ma
[12:29:48] <volans>	 *max
[12:30:42] <marostegui>	 Yeah no rush volans, I was just asking to see if we can use the decom script 
[13:47:14] <andrewbogott>	 Do we have anything resembling a runbook/cookbook/automation for rotating a puppet cert?
[13:47:45] <volans>	 sre.puppet.renew-cert
[13:48:25] <andrewbogott>	 awesome! thx, will read
[13:48:29] <volans>	 has been a while since I last used it andrewbogott, so not 100% sure it's all still up-to-date, but check it's --help message for details on what it does
[13:54:25] <moritzm>	 I've been using it like a month ago and worked totally fine
[13:55:52] <XioNoX>	 feature request: store and display when was the last successful run of a script
[14:52:50] <rzl>	 XioNoX: as in a cookbook? they all log to /var/log/spicerack at least
[14:53:39] <XioNoX>	 rzl: yeah I know, half-joking with the above :)
[14:53:58] <rzl>	 haha sorry 👍
[14:55:25] <volans>	 something like https://sal.toolforge.org/production?p=0&q=%22sre.puppet.renew-cert%22&d= ? :-P
[15:07:46] <jbond>	 volans: you should create a cook book to run that command :P
[15:07:53] <volans>	 lol
[17:01:03] <jynus>	 mutante, rzl taking over, right?
[17:05:10] <mutante>	 jynus: yea
[17:05:22] <jynus>	 (nothing to report, we had a user reporting errors, but it was quite localized and not widespread
[17:05:30] <mutante>	 alright
[17:06:00] <jynus>	 had a look at my latests updates about T303534 (no more comments here)
[17:06:21] <jynus>	 *have if you can
[17:11:25] <mutante>	 ACK, TIL thatis another way to get a page by ID instead of name
[17:20:18] <rzl>	 👍
[18:10:37] <mutante>	 klausman: hi, do you know about ml-cache2 hosts? ongoing work?
[18:11:00] <mutante>	 elukey: or if you are still around maybe
[18:11:13] <klausman>	 I think elukey has more state on that than I do
[18:11:27] <mutante>	 arnoldokoth is running cookbooks for unrelated work but he gets a bunch of ml- hosts in the DNS diff
[18:11:36] <mutante>	 he needs some help to check what to do
[18:11:48] <klausman>	 can he pastebin the diff?
[18:13:08] <mutante>	 arnoldokoth: ml-cache2001-a, ml-cache2002-a, ml-cache2003-a .. right?
[18:13:20] <arnoldokoth>	 https://usercontent.irccloud-cdn.com/file/pW6bH88G/Screenshot%202022-06-27%20at%2021.05.32.png
[18:13:30] <arnoldokoth>	 Here's the diff.
[18:13:49] <mutante>	 so we need to figure out if it was just forgotten to run the DNS cookbook or if there is an issue with DNS sync 
[18:13:55] <mutante>	 or something else
[18:14:17] <mutante>	 if he cancels the DNS change then it will mean the entire decom cookbook also fails
[18:14:39] <klausman>	 I can't really answer what may have been Luca's intent, but IME, adding DNS records (that don't duplicate others) is least likely to break stuff.
[18:15:15] <klausman>	 do I understand correctly that these changes are in git, but never made it to the servers?
[18:16:35] <mutante>	 not git, but "they are in netbox but never made it to DNS"
[18:16:42] <mutante>	 but netbox and DNS are supposed to be in sync
[18:17:05] <mutante>	 and these are special types because of that "-a" suffix
[18:17:13] <mutante>	 not regular server names
[18:17:29] <mutante>	 https://netbox.wikimedia.org/search/?q=ml-cache2001-a&obj_type=
[18:17:36] <mutante>	 [mwdebug1001:~] $ host ml-cache2001-a.codfw.wmnet
[18:17:36] <mutante>	 Host ml-cache2001-a.codfw.wmnet not found: 3(NXDOMAIN)
[18:18:02] <mutante>	 note how https://netbox.wikimedia.org/search/?q=ml-cache2001&obj_type=  is not https://netbox.wikimedia.org/search/?q=ml-cache2001-a&obj_type=
[18:18:22] <klausman>	 Then I'm drawing a complete blank, sorry
[18:18:56] <klausman>	 I know Luca was working on the ml-cache hosts, but I don't know how far he'd gotten/what stae things were/are in
[18:18:56] <mutante>	 arnoldokoth: well, we tried. Afraid you have to abort cookbooks a second time 
[18:19:21] <mutante>	 and then report the issue to both Luca and Riccardo ideally
[18:19:43] <mutante>	 klausman: ACK,thank you
[18:20:56] <arnoldokoth>	 klausman: Thank you. 
[18:21:01] <arnoldokoth>	 mutante: Got it.
[18:21:03] <klausman>	 np at all
[18:39:51] <volans>	 hey I'm just reading it now mutante, arnoldokoth 
[18:40:11] <volans>	 AFAIK luca added the cassandra hostnames to those hosts, I think you can safely go ahead and merge those
[18:40:40] <volans>	 BUT
[18:40:54] <volans>	 the decom cookbook is currently broken for VMs as I mentioned it in the SRE meeting earlier
[18:41:04] <volans>	 it will be fixed tomorrow at this point, sorry for the trouble
[18:58:44] <elukey>	 mutante: hey sorry yes I added the Cassandra DNS entries today for ml-cache2*
[18:59:08] <elukey>	 I indeed forgot to run the DNS cookbook, my bad, all is good to be added etc..
[18:59:18] <elukey>	 arnoldokoth: ==^
[18:59:26] <volans>	 I'm running the cookbook now
[19:00:13] <volans>	 was about to anyway (just run the test run to check if there were multiple diffs)
[19:00:25] <elukey>	 thanks!
[19:00:31] <volans>	 np
[19:02:17] <arnoldokoth>	 volans: Thanks.
[19:03:57] <volans>	 {done}
[19:26:49] <rzl>	 informal poll: do "runbook" and "playbook" mean different things to you personally? if yes, what's the difference?
[19:27:46] <btullis>	 rzl: personally, no
[19:28:46] <taavi>	 runbook is a set of instructions that you follow manually, playbooks are automated
[19:30:02] <rzl>	 taavi: interesting, that one's new to me!
[19:53:45] <robh>	 !log cp5012 shutting down and removing power via T311264
[19:53:50] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
[19:53:51] <stashbot>	 T311264: SSH on cp5012.mgmt is flapping (CRITICAL) - https://phabricator.wikimedia.org/T311264
[19:57:07] <robh>	 ok rmeoved power via pdu commands on the power strips.. gonna let that sit that way for a couple minutes to ensure as much discharge and reset as i can, remotely...
[19:57:16] <robh>	 even better is someone click the power button on front but not possible ; D
[20:01:18] <robh>	 ok cp5012, time to rise from the dead
[20:04:08] <robh>	 wooo, idrac now responsive to ssh and https, power removal fixed it
[20:04:24] <sukhe>	 woho!
[20:04:37] * sukhe joins the dance
[20:04:43] <robh>	 always have that moment of 'well if it decides to be dead there is shit all i can do about it'
[20:04:59] <robh>	 glad its coming back to life, os will be back online shortly but may as well leave out of pool until i complete the updates
[20:05:08] <robh>	 idrac update shouldnt affect os but why not leave it out heh
[20:05:14] <sukhe>	 take your time please!
[20:05:21] <sukhe>	 and thanks of course
[20:05:34] <robh>	 i have an OKR to close out all my fiscal year tasks
[20:05:37] <robh>	 so im happy to close this today hehe
[20:07:27] <sukhe>	 :P
[20:08:38] <robh>	 plus even shorter SLAs for hw repair like this than 'fiscal year' 
[20:08:53] <robh>	 i think sla for hw repari is veyr short, we're past it on this one cuz it wasn't critical
[20:10:22] <robh>	 cp502 idrac firmware updating now.
[20:10:32] <robh>	 cp5012
[20:12:29] <robh>	 bah, upload failed signature check, mehhhh retryiung
[20:16:27] <mutante>	 I was out earlier but I read all the backlog and thanks for that, Luca and Riccardo. (never sure whether ping is good or bad when just wanting to say thanks or ack later in the day in PST, heh)
[20:21:18] <robh>	 who knew it was slow to send a large firmware file via ssh tunnel from SF to TX then over to Singapore then down through our mgmt network...
[20:21:23] <robh>	 oh wait, i knew.
[20:21:45] <robh>	 same file, no signature error this time so far.... just one little bit is all it takes
[20:23:49] <robh>	 and update complete, idrac is resettting.
[21:09:20] <mutante>	 rzl: for the survey. "playbook is an ansible term" maybe that's why it's associated with automation. but asking wiktioary, interestingly "run book" is really IT-specific, "procedures prepared by an IT admin..." and all that  (https://en.wiktionary.org/wiki/run_book#English  while playbook can be anything from children's book to American football apparently (https://en.wiktionary.org/wiki/playbook)