[08:25:00] <jayme>	 elukey: slyngs: re: ganeti.reimage: I already did like 8 reimages with the cookbook plus the additions I've noted in the CR (manually changing the DHCP config beforehand). AIUI the DHCP thing (e.g. selecting the OS to use for reimage) is the only blocker (as it simply does not work this way)
[08:27:34] <slyngs>	 jayme: Yeah, I talked about that with moritzm and there's a plan involving removing the OS image information from the Puppet DHCP config... I might be remembering that wrong, I'll followup 
[08:28:23] <slyngs>	 But thank you for doing the testing :-)
[08:29:44] <jayme>	 np. IMHO you could just drop the option from the cookbook for now and instruct the user to edit the dhcp config
[08:30:05] <jayme>	 it makes sense anyways because it should be persisted to the repo (at least after the reimage)
[08:30:32] <jayme>	 if that makes it easier (code wise) and the cookbook immediately useful, I'd say it's a win :)
[08:31:21] <slyngs>	 That's a pretty good idea, we can always add it back if we want to change the flow in the future
[08:31:37] <jayme>	 ideed
[08:34:17] <elukey>	 jayme: o/ yes yes I figured after some tries, I basically copied your version of ganeti cookbook on cumin1001 to my deployment of the repo :)
[09:46:44] <volans>	 no please, the DHCP stuff is already ready in spicerack since forever, let's not do frankensteins
[09:47:06] <volans>	 no more need to store MAC in the repo at all
[09:47:08] <volans>	 it's all automatic
[09:50:12] <volans>	 also please don't run non-reviewed/non-merged cookbooks with SAL disabled in production unless it's in DRY-RUN mode or for the very first run before merging but *after* the code reviews just to spot silly errors
[10:14:26] <jayme>	 volans: Not sure I understand. Are you saying that all MAC's in modules/install_server/files/dhcpd/linux-host-entries.ttyS0-115200 are no longer required?
[10:15:20] <volans>	 will be no longer required once we officially merge the cookbook and move to a dynamic DHCP snipper like the physical host, yes
[10:15:27] <volans>	 *snippet
[10:15:47] <volans>	 the two things needs to happen at the same time
[10:15:56] <jayme>	 ah, okay so that's the plan. That was not clear to me
[10:58:32] <vgutierrez>	 hmmm ceph-quincy third-party apt component seems to be currently broken, btullis could you fix it please?
[10:58:59] <vgutierrez>	 https://www.irccloud.com/pastebin/tuPQr3sU/
[11:05:09] <vgutierrez>	 btullis, moritzm: I think that it could be fixed by https://gerrit.wikimedia.org/r/c/operations/puppet/+/886842 :?
[11:05:19] <moritzm>	 looking
[11:07:58] <btullis>	 Also looking. Sorry for that.
[11:08:36] <vgutierrez>	 I'll wait to merge it till the puppetmaster errors are addressed
[11:09:32] <claime>	 I'm gonna need help for that
[11:10:07] <volans>	 claime: did you force-push the wrong SHA1 earlier?
[11:11:06] <claime>	 I didn't because I saw jynus merged something and I figured it would straighten things out
[11:12:19] <claime>	 Basically my connection dropped during puppet-merge
[11:12:36] <claime>	 https://phabricator.wikimedia.org/P43611
[11:12:40] <claime>	 That's my log
[11:13:07] <claime>	 Then I tried to merge.py --ops on puppetmasters, but that failed because I hadn't specified --yes
[11:13:27] <claime>	 Then I saw j.ynus had merged something new, so I didn´t run it
[11:14:50] <claime>	 Should I connect to the alerting hosts and run puppet-merge there?
[11:14:54] <jbond>	 claime: what time was your tun
[11:16:18] <jbond>	 ahh sorry let me go the/me answering my own question 10:00:04
[11:17:09] <claime>	 I need to put datetime back in my prompt because I had no idea
[11:17:33] <claime>	 I +2'd my change at 10:22:35 GMT
[11:18:11] <jbond>	 ahh yes you are right 
[11:18:11] <jbond>	 10:23:02 puppetmaster1001 /puppet-merge.py: (puppet) Merging: a697efe12b913ef15bb71a8dc0eb59f0cfaeefa6 -> e1047aa3e6898bba6f1de75cb4ba53cd5a57f456
[11:22:51] <godog>	 jbond: FYI let me know how it goes / if help is needed (clinic duty)
[11:23:37] <jbond>	 godog: thanks but i dont think there is a proble, i just merged a change and its all gone fine 
[11:23:57] <jbond>	 claime: i suspect that jyn.us fixed things when he did his merged
[11:24:28] <godog>	 oh ok, yeah I'm expecting a subsequent puppet-merge to make things right again
[11:24:30] <jbond>	 the error about puppetmaster[12]002 is a red hering.  those two nodes have been marged for decomission
[11:24:58] <godog>	 ah, got it, thank you that explains
[11:25:02] <claime>	 Aaaaah
[11:25:28] <claime>	 Can we downtime them if they're to be decommed?
[11:26:04] <jbond>	 claime: yes of course, i think something probably expired on them
[11:26:08] <jbond>	 ill decom them today
[11:26:17] <claime>	 jbond: ok, downtiming for 24h
[11:26:28] <jbond>	 ack
[11:28:23] <claime>	 jbond: done
[11:29:39] <claime>	 I think vgutierrez can proceed right?
[11:30:22] <jbond>	 yes vgutierrez you can proceed
[11:31:07] <jbond>	 also going back on what i said i will not decokm them, ill put them back in servers.  i rembered we are leaving theses around for a bit to make it simpler to migrate to puppet7 i the future https://phabricator.wikimedia.org/T314136#8589138
[11:32:42] <claime>	 Do your thang :p
[11:38:28] <jynus>	 does anyone know from where alertmanager sources the team tag? I think I spoted some mistakes (although I won't change anything without consulting people first) and want to make sure where the issue comes from
[11:39:21] <claime>	 jynus: I think it's from the file structure, but I'm not sure
[11:40:02] <claime>	 Huh, not even
[11:40:03] <jynus>	 I think there was some owner tagging efforts on hiera, but not sure if related
[11:40:08] <claime>	 There a team: sre tag
[11:40:29] <claime>	 ❯ git grep -c 'team: sre'
[11:40:31] <claime>	 team-netops/netops.yaml:5
[11:40:35] <claime>	 in alerts repo
[11:40:46] <claime>	 So looks like it's defined per alert
[11:41:28] <btullis>	 jynus: Here's where the team routes are defined, if that helps: https://github.com/wikimedia/operations-puppet/blob/production/modules/alertmanager/templates/alertmanager.yml.erb#L49
[11:43:37] <btullis>	 vgutierrez: Did your patch fix reprepro as expected? 
[11:46:12] <claime>	 Amir1: marostegui: Are there read-only alerts for mysql defined in alertmanager? I grepped but didn´t find one, would like confirmation before merging https://gerrit.wikimedia.org/r/c/operations/cookbooks/+/718936
[11:46:22] <marostegui>	 claime: Not that I know of
[11:46:51] <claime>	 marostegui: Thanks :)
[11:53:04] <jynus>	 I think I will ask later someone from observability, because the issue would be the subtelties about tags meaning, not the code
[11:53:17] <jynus>	 *could
[11:55:45] <marostegui>	 I haven't migrated any alert myself
[11:56:12] <marostegui>	 And I don't think Am1r did any either
[11:56:34] <claime>	 yeah, only thing I find is a general exporter test
[11:56:55] <claime>	 Anyways we'll find out, won't we :p
[12:00:35] <jynus>	 I am getting this error on running puppet: https://phabricator.wikimedia.org/P43632
[12:04:18] <claime>	 jynus: works for me, I think it just hit the puppetdb while it's api was restarting
[12:04:37] <claime>	 jynus: running 'run-puppet-agent' on dbprov2002 right?
[12:05:10] <jynus>	 ok, thanks, I thought it was something more permanent
[12:26:43] <taavi>	 godog: would it be possible to merge https://gerrit.wikimedia.org/r/c/operations/puppet/+/881602? I've tested it in toolsbeta and it works great
[12:28:36] <jayme>	 jbond | claime | godog: Not sure if that's related to the broken puppet merge earlier, but I caught puppet applying an old version of a file on kubestagemaster1001 on 11:51:04
[12:29:48] <jayme>	 ultimately revoking access to k8s apiserver metrics for the prometheus user. It was fixed with the next (manual) puppet run
[12:30:20] <claime>	 I wonder if it's because of a labs merge that wasn't done correctly or what
[12:31:09] <jayme>	 I've no idea but it looked veeery strange and made me wonder if there where other side effects as well
[12:31:52] <_joe_>	 labs merges shouldn't count
[12:32:05] <_joe_>	 has anyone checked the status of the git repos on every puppetmaster?
[12:32:11] <claime>	 jayme: I got this error running puppet on puppetmaster earlier
[12:32:13] <claime>	 Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Operator '[]' is not applicable to an Undef Value. (file: /etc/puppet/modules/profile/manifests
[12:32:14] <jayme>	 because the chage that got kinda rolled back was from 2023-01-24
[12:32:15] <claime>	 /kubernetes/kubeconfig/admin.pp, line: 12, column: 32) on node cumin1001.eqiad.wmnet                                                                                                                      
[12:32:23] <claime>	 Resolved with another run
[12:32:41] <_joe_>	 thsi means there's an host with outdated puppet possibly
[12:34:04] <jayme>	 I haven
[12:34:16] <jayme>	 havent checked anything else yet tbh
[12:34:34] <_joe_>	 it looks like everything is ok now
[12:35:06] <jayme>	 maybe kubestagemaster1001's puppet run was just bad timing then
[12:36:21] <claime>	 puppetmaster[1,2]002 have very old versions of the private repo, but should not be used since jbond declared them offline
[12:37:20] <jayme>	 kubestagemaster2001 applied that (old) change now as well
[12:37:29] <jayme>	 was okay a couple of minutes ago
[12:38:37] <jayme>	 12:15:22 to be fair
[12:38:57] <claime>	 ok wth
[12:39:54] <jayme>	 also fixed with the next puppet run
[12:42:44] <claime>	 Wait a minute
[12:42:52] <claime>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/886867/ puts them back in
[12:43:09] <claime>	 but their private is WAY out of date
[12:43:52] <claime>	 it's not anymore though
[12:43:59] <claime>	 it was a few minutes ago
[12:45:36] <jayme>	 maybe it just required some time/a puppet merge after re-enabling them to update private?
[12:45:52] <claime>	 Possibly yeah
[12:46:45] <jayme>	 https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/ae5624f5ced044796847552386d91f7813564263%5E%21/#F0 they where re-enabled for puppet7 migration
[12:48:56] <claime>	 yeah but I think https://gerrit.wikimedia.org/r/c/operations/puppet/+/886867/ is responsible
[12:49:11] <claime>	 Or maybe not
[12:55:40] <_joe_>	 jbond: ^^
[12:56:05] <_joe_>	 claime, jayme: check which puppetmaster compiled the catalog for kubestagemaster2001 then
[12:56:24] <_joe_>	 grepping syslog on the puppetmasters should give you that
[12:59:19] <jbond>	 _joe_: jayme: claime: sorry this was my mistake i did not sync the private repo after bringing the 2 puppetm,asters back
[12:59:23] <jbond>	 i have synced them now
[12:59:30] <_joe_>	 ack :)
[12:59:40] <jbond>	 is there any fall out i can help with
[12:59:58] <claime>	 (1) puppetmaster2002.codfw.wmnet                  
[13:00:00] <claime>	 ----- OUTPUT of 'grep "Compiled c... /var/log/syslog' -----                                          
[13:00:02] <claime>	 Feb  6 12:15:18 puppetmaster2002 puppet-master[6644]: Compiled catalog for kubestagemaster2001.codfw.wmnet in environment production in 7.56 seconds  
[13:00:04] <claime>	 Yeah that's exactly it
[13:00:17] <claime>	 When you brought them back, they went and got their catalog from 2002
[13:00:20] <claime>	 Which was outdated
[13:00:23] <_joe_>	 i am worried about certs
[13:00:37] <_joe_>	 claime: run puppet on the deployment servers, will you
[13:00:43] <jbond>	 claime: was the catalog outdated or just the private repo, the former should have been in sync
[13:01:07] <jbond>	 s/catalog/main production repo/
[13:01:13] <claime>	 jbond: I think the catalog was compiled with outdated info from the private repo
[13:01:18] <_joe_>	 jbond: tbh i'd force-run puppet on any host which got complied there during that period
[13:01:20] <claime>	 And yes, that too
[13:01:21] <jbond>	 ack that makes senses
[13:01:26] <claime>	 _joe_: doing
[13:01:38] <jbond>	 jobo: ack ill; check the l;ogs opn the m,asters and do that now
[13:01:42] <claime>	 starting with codfw, obvs
[13:03:25] <claime>	 _joe_: Just some ownership changes on deploy2002.codfw
[13:03:58] <claime>	 (the usual trebuchet/helm corrective crap)
[13:05:22] <claime>	 looks good on deploy1002, no change
[13:05:44] <claime>	 13:00:45     +jinxer-wm │ (JobUnavailable) firing: (2) Reduced availability for job k8s-api in k8s-staging@codfw -  < jayme think that's related to what you were saying earlier wrt kubestagemaster2001 ?
[13:06:02] <jayme>	 yes, that's what made me started looking
[13:06:10] <jayme>	 *start
[13:06:22] <jayme>	 well, the kubestagemaster1001 version of that alert
[13:14:33] <jayme>	 I re-ran puppet once again on kubestagemaster1001 as that one got the old version again shortly before j.bond did the sync
[13:14:54] <claime>	 https://alerts.wikimedia.org/?q=%40state%3Dactive&q=alertname%3Dpuppet%20last%20run < Mpf
[13:16:37] <claime>	 jbond: you re-running puppet rn?
[13:17:18] <jbond>	 yes
[13:17:25] <claime>	 ok
[13:20:51] <godog>	 taavi: yes, I can't today but I'll take a look later in the week
[13:23:20] <jbond>	 claime: fyi i am stopping my manual puppet run as all host will complete in there normal cycle in the next 6 minutes which is quicker then the cumin command will finish
[13:23:44] <claime>	 jbond: ack
[13:23:48] <jbond>	 but every thing shuold be back to the correct state by 13:30
[13:32:38] <vgutierrez>	 jbond: is it ok to use puppet-merge right now?
[13:32:50] <jbond>	 vgutierrez: yes shuold be fine
[13:33:00] <vgutierrez>	 ack
[13:33:05] <vgutierrez>	 I'm merging Jbond: Revert "add whitespace to test puppet-merge" (f2d9f2c9b2) along mine
[13:33:15] <vgutierrez>	 should be pretty innocuous 
[13:33:17] <jbond>	 vgutierrez: thanks 
[13:33:17] <vgutierrez>	 (last famous words)
[13:33:25] <jbond>	 yes it is just whitespace in the README
[13:33:45] <vgutierrez>	 done... all good
[13:33:49] <jbond>	 cheers
[13:37:28] <vgutierrez>	 hmm this is "new"
[13:37:30] <vgutierrez>	 vgutierrez@apt1001:~$ sudo -i reprepro --component thirdparty/haproxy24 checkupdate buster-wikimedia
[13:37:30] <vgutierrez>	 Nothing to do found. (Use --noskipold to force processing)
[13:37:43] <vgutierrez>	 moritzm: ^^
[13:38:16] <vgutierrez>	 moritzm: maybe it's related to the layer8 here...
[13:40:01] <moritzm>	 I'll have a look in ~ 5m
[13:55:43] <moritzm>	 the updates are visible if you pass --noskipold, it flags a pending update to 2.4.21-1~bpo10+1, then (no idea why this isn't the default...)
[13:56:24] <vgutierrez>	 yep.. I've noticed that
[14:11:42] <btullis>	 Hello, I'd like to welcome nfraison (https://phabricator.wikimedia.org/p/nfraison/) to the team. He's a new Senior SRE on the Data Engineering team, and he'll be working alongside Steve and me. I've invited him along to the SRE meeting later today and I hope to be there too.
[14:12:14] <volans>	 welcome aboard nfraison!
[14:12:35] <godog>	 welcome nfraison !
[14:13:11] <jynus>	 welcome!
[14:15:13] <jbond>	 welcome nfraison 
[14:16:53] <nfraison>	 Hi folks
[14:22:06] <XioNoX>	 welcome!
[14:24:42] <sukhe>	 welcome nfraison!
[14:25:28] <vgutierrez>	 welcome nfraison 
[14:26:32] <elukey>	 welcome nfraison !
[14:28:55] <moritzm>	 welcome!
[14:34:21] <claime>	 Welcome nfraison !
[14:35:11] <kindrobot>	 Welcome nfraison :)
[14:57:58] <jhathaway>	 welcome nfraison!