[10:12:11] <elukey>	 hey folks
[10:12:27] <elukey>	 on deploy1002 puppet has been failing since an hour ago, and the error is weird
[10:12:30] <elukey>	 Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Systemd::Timer::Job[httpbb_kubernetes_hourly]:
[10:12:55] <elukey>	 the only relevant thing that I see is https://gerrit.wikimedia.org/r/c/operations/puppet/+/868212 but it was merged two days ag
[10:12:58] <elukey>	 *ago
[10:16:43] <claime>	 ok that's my fault elukey 
[10:16:44] <claime>	 checking
[10:17:02] <XioNoX>	 yeah, was going to say https://github.com/wikimedia/operations-puppet/commit/dfb1ae3003f29c09b12470a924cc96e7813d30ca
[10:17:12] <claime>	 'xactly
[10:17:31] <elukey>	 ahhh I lost that commit!
[10:17:36] <elukey>	 okok makes sense
[10:17:52] <XioNoX>	 Make PCC happy but elukey unhappy
[10:17:53] <XioNoX>	 :)
[10:18:08] <elukey>	 XioNoX: with claime? No way
[10:18:14] <claime>	 elukey: <3
[10:18:27] <claime>	 I'll fix it pronto
[10:18:59] <elukey>	 the only rivalry between French and Italias is for soccer and wine
[10:19:07] <elukey>	 *Italians
[10:19:19] <elukey>	 the rest doesn't matter :D
[10:19:26] <claime>	 That's because Italy sucks at rugby btw :p
[10:19:52] <elukey>	 claime: I was being polite and you ruined it, I am going to send you half wikilove this time :D
[10:19:59] <claime>	 elukey: lmao
[10:20:04] <XioNoX>	 hahahaha
[10:28:49] <claime>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/889764 < fix
[10:33:13] <claime>	 elukey: merged, applied, good to go.
[10:35:38] <elukey>	 super thanks!
[10:44:25] <claime>	 jelto: while checking another puppet issue, I stumbled upon a puppet issue with planet1002.eqiad.wmnet, fix up here https://gerrit.wikimedia.org/r/c/operations/puppet/+/889767/
[10:45:39] <jelto>	 claime: thanks a lot, I'll take a look in a sec
[10:45:46] <claime>	 no problem
[10:47:22] <regina_hallad[m]>	 Hi 👋... (full message at <https://libera.ems.host/_matrix/media/v3/download/libera.chat/094cda18a584a36cb9ba5298a4499d86279b22f3>)
[11:44:28] <claime>	 ~/45
[16:40:01] <urandom>	 XioNoX: can you  think of anything that would make networking sketchy for a sessionstore host after a reboot?  To be specific, something that would make it sketchy for a period of 15 minutes after a reboot (https://phabricator.wikimedia.org/T327954#8620319)? 
[16:40:50] <volans>	 have you checked if that aligns with puppet runs?
[16:41:18] <urandom>	 volans: I have not.
[16:41:27] <urandom>	 but I can.
[16:41:52] <urandom>	 volans: but isn't puppet run immediately after a reboot?
[16:42:00] <volans>	 I just wonder if after a reboot you need 2 puppet runs for some reason and so the @reboot + the next one
[16:42:29] <volans>	 (and yes it is run at reboot)
[16:47:23] <urandom>	 volans: yeah, the timing is suspicious 
[16:47:29] <urandom>	 (looking at the logs)
[16:47:35] <volans>	 if it's less than 24h ago
[16:47:40] <volans>	 or you can repro
[16:47:49] <volans>	 the changes are in puppetboard
[16:47:52] <urandom>	 with seconds
[16:47:54] <volans>	 or local syslog
[16:48:08] <urandom>	 yeah, i looked at the local logs
[16:48:32] <urandom>	 (*within seconds)
[17:04:00] <volans>	 btullis: what's the status of kafka-stretch2002? it's sending one email to root@ every day since Jan 10
[17:14:48] <urandom>	 volans: not quite sure Puppet runs line up well here after all.  The first one seemed very close, the second one is off by 4 minutes (Puppet only ran 4 minutes after the node righted itself). 
[17:15:05] <volans>	 ack
[17:15:21] <volans>	 but the 2nd run has any changes that might be related to network?
[17:15:46] <urandom>	 "unchanged"
[17:16:06] <volans>	 then hardly at fault :)
[17:16:18] <urandom>	 I'm grasping for anything here
[17:17:17] <urandom>	 the node has connectivity, clients can connect, you can open an ssh session, other nodes see the rebooted nodes heatbeats, but it misses heartbeats from other nodes
[17:17:46] <urandom>	 and 15 minutes later (+/- seconds) it just automagically starts working
[17:18:00] <urandom>	 and only after a reboot... restarting the service seems OK
[17:18:32] <urandom>	 misses heartbeats from other nodes... but never *all* of the other nodes
[17:19:07] <urandom>	 oh, and restarting the service while it's in this state does nothing... 15 minutes have to pass
[17:22:26] <claime>	 Did you try a tcpdump to see if the heartbeats at least arrive to the host?
[17:27:39] <urandom>	 No, I was focusing on ensuring I had the circumstances down pat to reproduce, and only started to put some of these things together afterward
[17:28:41] <volans>	 could it be a negative cache that when rebooting the host is down and the other clients cache that fact for 15m?
[17:28:43] <urandom>	 at which point "damn, I wish I'd grabbed a tcpdump" was pretty high on my lists of regrets
[17:28:57] <volans>	 eheheh
[17:29:16] <urandom>	 volans: I don't think so, as far as they are concerned it *is* up and healthy
[17:30:13] <urandom>	 whatever the situation, it's asymmetric, the rebootee's view of the topology doesn't match the rest of the cluster, including an accurate state of that node 
[17:30:57] <urandom>	 the logs suggest it's not receiving the gossip heartbeat from those other nodes
[17:31:18] <volans>	 did ferm start ok at boot?
[17:31:56] <urandom>	 yeah, that was one of the other items on my list of regrets, after putting the environment back together
[17:32:07] <urandom>	 but there are no errors logged
[17:32:30] <volans>	  /var/log/syslog.1:Feb 15 20:27:08 sessionstore2001 ferm[835]: Starting Firewall: fermError in /etc/ferm/conf.d/10_cassandra-cql line 10:
[17:32:31] <urandom>	 and you can ssh in, and clients can connect to Cassandra (if they couldn't, there'd be no errors)
[17:32:39] <urandom>	 !!??
[17:32:57] <volans>	 that's on sessionstore2001, not sure if at the time of the reboot
[17:34:23] <volans>	 in that case it looks like a temporary failure to resolve sessionstore1001.eqiad.wmnet
[17:35:36] <urandom>	 it is at the time of reboot (one of them)
[17:36:14] <urandom>	 oh, that's why I missed it... I went looking on a subsequent reboot
[17:36:34] <urandom>	 yeah, and that rule is for tcp/9042, which would prevent client connections
[17:37:01] <volans>	 *but* usually when ferm fails it fails to apply all rules
[17:37:22] <volans>	 and IIRC that's all open unless we changed something recently~is
[17:37:24] <volans>	 *~ish
[17:37:46] <urandom>	 all open?
[17:38:02] <claime>	 -J ALLOW and not -J DROP
[17:39:05] <urandom>	 input defaults to DROP
[17:39:24] <claime>	 Then...
[17:41:12] <volans>	 I think that that's only after ferm runs
[17:41:19] <volans>	 but I might be wrong
[17:42:25] <urandom>	 either way, that one error seems exceptional, ferm succeeded on the other examples of this
[17:42:37] <urandom>	 (so probably not the culprit)
[17:43:10] <volans>	 ack
[17:46:17] <claime>	 ack