[08:34:30] <XioNoX>	 Hello! at 10UTC I'm going to upgrade eqsin's switches, it's going to be a hard downtime, but I'm going to depool the site shortly and downtime as many things as I can.
[08:55:30] <jynus>	 thank you
[08:58:26] <godog>	 thank you for the heads up XioNoX 
[10:00:46] <XioNoX>	 alright, time for eqsin's upgrade
[10:04:58] <godog>	 godspeed
[10:06:13] <claime>	 o7
[10:30:28] <XioNoX>	 status update, one of the two switches doesn't want to come back up healthy from the upgrade... The other is fine. Opened a critical ticket with JTAC
[10:31:51] <XioNoX>	 so all the devices in that rack are down until it's fixed: https://netbox.wikimedia.org/dcim/devices/?q=&rack_id=78&status=active
[10:31:57] <XioNoX>	 obviously keeping the site depooled
[10:32:24] <volans>	 :(
[10:42:59] <XioNoX>	 vgutierrez: out of curiosity, and despite the lack of redundancy at many levels now, could eqsin run without those CP/LVS servers https://netbox.wikimedia.org/dcim/devices/?q=&rack_id=78&status=active&role_id=1 ?
[10:43:53] <vgutierrez>	 we could lose one lvs, but those are too many cp servers to lose
[10:44:14] <vgutierrez>	 that's 50% of the cp servers
[10:44:58] <XioNoX>	 that's what I thought, thanks
[11:05:36] <XioNoX>	 JTAC's only option is to have someone onsite to format/install the OS...
[11:05:44] <XioNoX>	 I'll follow up with DCops
[11:10:55] <godog>	 random shot in the dark so please take it with a grain of salt, can we rollback the upgrade in the meantime ?
[11:17:34] <XioNoX>	 godog: unfortunately not, I tried with JTAC, but even booting on the recovery images doesn't work
[11:18:49] <volans>	 so currently we have a nice costly brick :D
[11:19:10] <XioNoX>	 pretty much, yeah
[11:20:05] <XioNoX>	 I think I ACKed everything relevant here
[11:22:17] <godog>	 sigh
[11:22:31] <godog>	 XioNoX: thanks for the update anyways!
[11:22:39] <godog>	 a very expensive brick indeed
[16:05:44] <jynus>	 hi, denisse, mutante. This was an evenfuly, but no outages EU morning. A switch from eqsin failed and only recently got online, all while being depooled. Netops are still looking at it.
[16:26:33] <mutante>	 jynus: thanks, alright!
[16:27:07] <mutante>	 eqsin not lucky these days
[16:33:43] <jynus>	 mutante: the yesterday acked p*ges on your shift are still in acked state- I think it is because the lost routers/links/redundancy are still down, but unsure of that
[16:34:18] <jynus>	 mentioning it not because I worry about eqsin, but because not sure how often it will try to page again if not resolved
[16:36:52] <mutante>	 sigh.ok.. acked is not good enough?
[16:37:04] <mutante>	 I did not get the nagging mails that I got previously
[16:37:11] <jynus>	 I honestly don't know
[16:37:27] <jynus>	 maybe I am thinking of icinga, and it doesn't happen on victorops
[16:37:53] <mutante>	 when you say "in acked state" which tool are you looking at?
[16:37:53] <jynus>	 but it is not resolved, so wanted to flag that the issue they are reporting is not resolved
[16:38:06] <jynus>	 (victorops) let me get you the link
[16:38:07] <mutante>	 ok, thanks
[17:39:38] <andrewbogott>	 What does it mean when I have a phantom
[17:39:43] <andrewbogott>	 https://www.irccloud.com/pastebin/FQhYCIAp/
[17:40:05] <andrewbogott>	 on every puppet run? I was thinking it was a typo in a config rule but now I'm not so sure
[17:40:13] <andrewbogott>	 since ferm isn't complaining
[17:42:50] <RhinosF1>	 andrewbogott: that would indicate ferm isn’t running
[17:43:18] <andrewbogott>	 It's not supposed to run, though, ferm isn't a persistent service.
[17:43:30] <andrewbogott>	 As far as I know it just configures iptables and exits.
[17:44:06] <RhinosF1>	 Puppet is saying it’s been told somewhere to ensure it’s running
[17:45:34] <andrewbogott>	 Yeah, I understand what puppet thinks, just not why it thinks that.
[17:50:53] <taavi>	 andrewbogott: which host?
[17:51:55] <andrewbogott>	 taavi: all the cloudcontrols
[17:53:54] * andrewbogott eating lunch and getting fresh eyes
[17:54:51] <mutante>	 https://phabricator.wikimedia.org/T323324
[17:55:30] <mutante>	 something is in the role that makes this happen...because it doesn't happen globally but on all those using that role
[17:55:50] <mutante>	 weird though(tm)
[18:02:14] <andrewbogott>	 hm, same issue
[18:05:32] <_joe_>	 I would suppose some ferm rule fails
[18:08:42] <_joe_>	 one of the multiple ones that are peculiar to these hosts, like I assume the galera ones and the api backends
[18:10:15] <taavi>	 yep but I assume those would be visible on `systemctl status ferm`
[18:11:26] <taavi>	 at least `ferm --lines --noexec /etc/ferm/ferm.conf` doesn't error out, so it shouldn't be a syntax error
[18:13:56] <_joe_>	 I suspect we might have hit a ferm bug
[18:14:08] <_joe_>	 because on cloudcontrol it always tries to reload the rules
[18:14:20] <_joe_>	 like some can't be applied / not detected / something
[18:14:47] <andrewbogott>	 when I refresh ferm on the cli it returns 0 which should satisfy whatever status check is happening
[18:14:51] <herron>	 looks like ferm-status errors out
[18:15:02] <andrewbogott>	 ok, that's something!
[18:16:24] <taavi>	 andrewbogott: https://gerrit.wikimedia.org/r/879115
[18:16:26] <herron>	 and puppet configures the ferm service like service { 'ferm': ensure  => 'running', status  => '/usr/local/sbin/ferm-status', so I think that'd be why puppet thinks a restart is needed
[18:17:22] <andrewbogott>	 taavi: that looks like it.  I'm surprised that ferm doesn't complain on refresh, though -- typically that's what I've seen when there's a mistake in a rule.
[18:17:24] <taavi>	 and I don't seem to have access to clouddumps boxes so can't debug those in the same way
[18:18:00] <taavi>	 indeed. this might be a bug in the ferm-status script?
[18:18:23] <andrewbogott>	 meaning that ferm properly resolves the hostname but ferm-status doesn't?
[18:19:10] <taavi>	 yea, I suspect that iptables takes the hostnames and resolves them internally but ferm-status doesn't support that because our convention is to use @resolve instead
[18:20:53] <andrewbogott>	 I'll see if I can find a similar issue on clouddumps after I finish my sandwich
[18:31:11] <andrewbogott>	 taavi: your patch worked on the cloudcontrols
[18:35:14] <andrewbogott>	 well dang, ferm-status returns one on clouddumps but produces no output
[19:00:33] <brett>	 mutante: You okay with me merging the SPDX license headers?
[19:00:47] <brett>	 ah, jinx
[19:00:56] <mutante>	 brett: yes:) 
[19:01:25] <mutante>	 I was _not_ about to merge "remove vip from profile::dns::recursor, that was scary :)
[19:01:47] <sukhe>	 :) 
[19:01:47] <brett>	 I don't know what you're talking about, nothing can go wrong ;)
[19:02:00] <mutante>	 hrhr
[19:04:58] <jayme>	 ottomata: quick shot https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/879122
[19:05:26] <jayme>	 should have gone to -serviceops
[19:07:12] <ottomata>	 oh hi
[19:07:14] <ottomata>	 just saw
[22:43:49] <robh>	 Emperor: heyas you about question on the ms-=fe racking tasks
[22:43:57] <robh>	 the orders are for 3 hosts, but you put in 4 hosts of details
[22:46:52] <robh>	 Emperor: sorry, you didnt fill that out, my bad was someone else you just commented on the config!