[06:24:58] <marostegui>	 I have restarted sirenbot as it was disconnected
[06:25:55] <marostegui>	 !oncall-now
[06:25:56] <sirenbot>	 Oncall now for team SRE, rotation batphone:
[06:25:56] <sirenbot>	 A.mir1, c.white, s.lyngs, l.mata, x.ionox, r.zl, c.danis, m.arostegui, s.ukhe, q.uestion_mark, v.gutierrez, m.oritzm, a.pergos, v.olans, a.okoth, r.obh, e.ffie, _.joe_, a.kosiaris
[07:34:58] <marostegui>	 I just realised phabricator master is on row A
[07:35:09] <marostegui>	 I am going to try to see if I can switch it before the maintenance
[08:18:46] <marostegui>	 I am going to switch over m3 (phabricator) database master, phabricator will be on read only for around 1 minute
[08:21:25] <marostegui>	 All done
[09:20:20] <akosiaris>	 wikikube eqiad upgrade has started btw, already reimaging etcd nodes
[09:35:43] <marostegui>	 we got paged
[09:51:07] <btullis>	 Was it eventgate-analytics on wikikube that p.aged?
[09:51:07] <marostegui>	 btullis: yes
[09:51:07] <marostegui>	 it just paged again
[09:51:07] <akosiaris>	 marostegui: ack it please?
[09:51:07] <marostegui>	 it is acked
[09:51:07] <akosiaris>	 I am pretty sure I scheduled 24h downtime for the thing...
[09:51:07] <akosiaris>	 yup, I did 
[09:54:30] <_joe_>	 !incidents
[09:54:30] <sirenbot>	 3450 (RESOLVED)  ProbeDown (ip4 probes/service eqiad)
[09:54:30] <sirenbot>	 3449 (RESOLVED)  [7x] ProbeDown (ip4 probes/service eqiad)
[09:54:31] <sirenbot>	 3446 (RESOLVED)  PHPFPMTooBusy parsoid (php7.4-fpm.service codfw)
[09:54:43] <_joe_>	 akosiaris: btw you can just use sirenbot to ack stuff
[10:12:21] <klausman>	 https://wikitech.wikimedia.org/wiki/Vopsbot Docs for that are here.
[10:15:51] <akosiaris>	 !incidents
[10:15:51] <sirenbot>	 3451 (RESOLVED)  [2x] ProbeDown (ip4 probes/service eqiad)
[10:15:51] <sirenbot>	 3450 (RESOLVED)  ProbeDown (ip4 probes/service eqiad)
[10:15:52] <sirenbot>	 3449 (RESOLVED)  [7x] ProbeDown (ip4 probes/service eqiad)
[10:15:52] <sirenbot>	 3446 (RESOLVED)  PHPFPMTooBusy parsoid (php7.4-fpm.service codfw)
[10:35:06] <akosiaris>	 !sing
[10:35:06] <sirenbot>	 Never gonna give you up
[10:35:07] <sirenbot>	 Never gonna let you down
[10:35:08] <sirenbot>	 Never gonna run around and desert you
[10:35:09] <sirenbot>	 Never gonna make you cry
[10:35:09] <sirenbot>	 Never gonna say goodbye
[10:35:10] <sirenbot>	 Never gonna tell a lie and hurt you
[10:35:14] <akosiaris>	 :P
[10:54:32] * _joe_ whistles
[11:02:06] <godog>	 TIL !sing
[11:06:58] <Emperor>	 it was hinted in the docs, IIRC
[11:07:56] <Emperor>	 ...though now I'm remembering the Phantom of the Opera ;p
[11:09:28] <akosiaris>	 tbh, I am disappointed it answers to !sing and not !rickroll 
[11:09:33] <akosiaris>	 hmm
[11:09:35] <akosiaris>	 !rickroll 
[11:09:48] <akosiaris>	 let's fire up git and do an MR 
[11:17:51] <Emperor>	 we could teach it a library of suitable songs :)
[11:18:00] <Emperor>	 "suitable"
[11:33:06] <klausman>	 fuzzy-match the alerts and sing suitable songs. E.g. "DC overheats" -> "We didn't start the fire."
[11:33:40] <akosiaris>	 or "the roof is on fire"
[11:58:24] <Emperor>	 how bad a failure results in "Daisy, daisy"?
[12:00:54] <klausman>	 Several rows lost in all DCs
[12:01:31] <Emperor>	 :)
[12:09:16] <Emperor>	 who owns the API maxlog calculation? I'm trying to work out which team should get T331405
[12:09:20] <stashbot>	 T331405: Depooled servers may still be taken into account for query service maxlag - https://phabricator.wikimedia.org/T331405
[12:33:26] <akosiaris>	 WMDE I guess
[12:40:15] <klausman>	 Every time I see WMDE, my mind first parses it as "WindowMaker Desktop Environment"
[13:00:39] <_joe_>	 Emperor: uh that was solved AFAIK
[13:01:00] <_joe_>	 ah no I see
[13:05:13] <_joe_>	 Emperor: you can tag it #User-joe
[13:18:05] * Emperor still a bit confused, maybe it just has to stay sat in the clinic queue
[13:34:52] <topranks>	 Heads up - Eqiad row A network maintenance starting in ~25 mins (T329073)
[13:34:53] <stashbot>	 T329073: eqiad row A switches upgrade - https://phabricator.wikimedia.org/T329073
[13:59:09] <topranks>	 Emperor: let me know when you are happy for network maintenance to proceed 
[14:00:00] <Emperor>	 topranks: sorry, just finished doing my depools and updated the phab task. You're good from my pov
[14:00:12] <topranks>	 Emperor: ok great thanks :)
[14:00:43] <Emperor>	 (what do you mean that was cutting it fine before 14:00 UTC? :) )
[14:00:59] <btullis>	 topranks: All clear from Data Engineering perspective.
[14:01:19] <topranks>	 btullis: great thanks :)
[14:06:04] <topranks>	 hnowlan: let me know when the restbase depool is done thanks :)
[14:06:18] <hnowlan>	 topranks: done! 
[14:08:40] <topranks>	 hnowlan: thank you!
[14:13:42] <topranks>	 Just waiting on some iDRAC firmware upgrades that got started inconveniently to complete before rebooting switches
[14:15:51] <marostegui>	 pages arriving 
[14:16:03] <bblack>	 do we have a known cause?
[14:16:17] <marostegui>	 I guess network maintenance?
[14:18:50] <bblack>	 the mathoid page was just an expired downtime
[14:18:51] <topranks>	 marostegui: I've not started the disruptive part of the maintenance
[14:18:52] <moritzm>	 expired downtime
[14:19:08] <moritzm>	 from k8s rebuild
[14:19:08] <marostegui>	 yep akosiaris mentioned it in -operations
[14:19:22] <topranks>	 ok yep if it was those then I think we're ok 
[14:20:28] <akosiaris>	 repeating what I said in -operations, you can safely ignore the helmfile deploys, I 've cordoned off the row A nodes
[14:21:03] <topranks>	 thanks
[14:21:22] <topranks>	 Everything is ready for the reboot now I am rebooting the row A switches, hard downtime starting now
[14:21:33] <akosiaris>	 ack
[14:21:48] <volans>	 let's !log it ;)
[14:21:58] <topranks>	 volans: yep done 
[14:22:28] <volans>	 sorry missed htat
[14:22:42] <topranks>	 better than I missed the 'log' :P
[14:32:33] <topranks>	 switches are starting to come back online 
[14:33:01] <topranks>	 still waiting on EX4300 / 1G units
[14:34:00] <topranks>	 master/backup roles assumed by asw2-a7-eiqad and asw2-a2-eqiad 
[14:34:54] <topranks>	 MAC forwarding tables being populated on 10G devices 
[14:35:26] <topranks>	 EX4300 / 1G units showing online and present in VC now 
[14:35:56] <topranks>	 Netbox is working for me, at first glance things look ok :)
[14:37:38] <inflatador>	 {◕ ◡ ◕}
[14:39:52] <moritzm>	 tested two puppet runs in eqiad, re-enabling in general now
[14:40:03] <topranks>	 moritzm: ack, thanks 
[14:41:19] <moritzm>	 done
[14:41:57] <jbond>	 ftr pki can stay in codfw
[14:42:10] <akosiaris>	 I am deploying things fine in kubernetes row A fwiw
[14:42:33] <topranks>	 akosiaris: great :)
[14:44:49] <inflatador>	 topranks just confirming, switch reboots are done?
[14:46:00] <topranks>	 inflatador: yes all complete and I've not found any sign of problems 
[14:46:19] <topranks>	 think we're good, I'll give official all clear in another 5 mins just double-checking a few things 
[14:46:34] <inflatador>	 topranks np, thanks for the update
[14:46:34] <akosiaris>	 cool. can we proceed with host reimages ? 
[14:46:51] <topranks>	 akosiaris: yeah no reason not to 
[14:46:59] <akosiaris>	 thanks!
[14:47:57] <Emperor>	 I want to increase the systemd timeout for smartmontools timeout from default of 90s to 300s (since on the latest swift backends it takes about 2 minutes). Is it OK to do this in the smart class, or should I make the change swift-backend-specific? ISTM that increasing the timeout should be generally benign
[14:48:35] <Emperor>	 startup/stop timeout that is
[14:48:44] <volans>	 Emperor: is that run also via NRPE?
[14:49:57] <Emperor>	 volans: not sure; the issue I'm having is that nagios is unhappy because systemd is marking the unit as failed because it gets bored waiting for it to start up
[14:50:15] <Emperor>	 I wouldn't think nagios would start up the entire daemon, rather query it for status
[14:50:35] <topranks>	 I'm happy to declare the switch maintenance successful / over
[14:50:47] <topranks>	 Anything that's not already re-pooled we can go ahead and do now 
[14:51:02] <volans>	 what I'm saying is that if we call smartmontools from nrpe and it takes longer than the nrpe timeout it will fail anyway
[14:51:07] <volans>	 \o/ topranks 
[14:51:58] <topranks>	 thanks all for the assistance / help!  I know these row-wide outages are a big headache :)
[14:52:13] <moritzm>	 ganeti/eqiad is all fine as well
[14:52:25] <Emperor>	 volans: I think this is just the time taking for smartd to initially start up
[14:52:37] <volans>	 ack
[14:52:58] <Emperor>	 (some light testing on ms-be2070 certainly suggests as much)
[14:53:00] <sukhe>	 topranks: nicely done!
[14:54:17] <godog>	 +1, nicely done topranks et al indeed
[14:55:54] <inflatador>	 <3
[15:35:10] <Emperor>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/895309 <-- change to increase the timeout for smartd startup. +1 anyone? :)
[15:38:44] <moritzm>	 looking
[16:48:02] <bd808>	 akosiaris: thank you for an uneventful redeploy of Toohub in the upgraded cluster.
[16:51:23] <bd808>	 The main sign I have been able to find of the whole process in the Toolhub site itself is just a gap in the crawler run log. There were no runs between 09:07 and 15:07 (as expected).
[20:30:53] <inflatador>	 Hey all, having some problems deploying with scap, ebernhardson (SWE) can't seem to deploy https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags-scap-search but I can, is there a keyholder or other perms issue we need to look at?
[20:31:53] <taavi>	 what error are you getting?
[20:33:02] <inflatador>	 taavi top message here https://phabricator.wikimedia.org/P45275
[20:35:08] <taavi>	 scap.cfg in that repo specifies `keyholder_key: deploy_airflow`, so you need to look here https://gerrit.wikimedia.org/g/operations/puppet/+/2c8c679e083ad7067850d595b0aa6b578ef1a60e/hieradata/role/common/deployment_server/kubernetes.yaml#112
[20:35:24] <taavi>	 you need to be a member of any of those four groups to deploy
[20:37:02] <inflatador>	 thanks taavi ! Per https://gerrit.wikimedia.org/g/operations/puppet/+/production/modules/admin/data/data.yaml#900 it does look like he's in the correct group, is there something we need to sync maybe?
[20:38:38] <taavi>	 it's missing from `profile::admin::groups` on the deployment server
[20:40:43] <inflatador>	 taavi awesome, so I just need to add that group to https://gerrit.wikimedia.org/g/operations/puppet/+/2c8c679e083ad7067850d595b0aa6b578ef1a60e/hieradata/role/common/deployment_server/kubernetes.yaml#8 ?
[20:42:30] <taavi>	 as long as that group does not add any unwanted sudo rules or other side effects to deploy* hosts, then yes
[20:43:22] <inflatador>	 cool. I don't think it does, but you can see the perms it grants in the data.yaml link above
[20:46:11] <bblack>	 topranks: if you're around: do you remember if the lvs interface vlan trunking stuff on the asw's is configured by netbox, or needs initial config manually
[20:46:54] <bblack>	 we're looking at a case (eqsin) where the switch side of the trunking doesn't seem to be configured at all, but netbox does know about the trunked interface and its IPs.  So I'm starting to guess maybe it was meant to be manual?
[20:47:15] <topranks>	 bblack: hey
[20:47:44] <bblack>	 basically I know what's wrong, but I'm not sure which way to fix it :)
[20:47:53] <topranks>	 The switch-side config is driven from netbox, but the Netbox helper scripts that dc-ops use when deploying servers don't automatically add the right config
[20:48:04] <topranks>	 So we need to manually do it in Netbox, then push to the device with Homer
[20:48:19] <topranks>	 I can look now, what server is it ?
[20:48:42] <bblack>	 all of lvs500[567], but I think we need to take some care and do failovers, they're live.
[20:48:50] <bblack>	 err sorry wrong numbers
[20:48:56] <bblack>	 lvs500[456]
[20:49:20] <bblack>	 I suspect when we installed all the new hardware in eqsin a while back, we just never fixed up the vlan trunking on these.
[20:49:27] <topranks>	 let me have a look, depending on the existing config we can add the vlans without interrupting currently working connections 
[20:49:34] <bblack>	 the hosts are configured for it, but not the switch side
[20:50:31] <bblack>	 the reason it has gone unnoticed, is we really only configure those public trunk connections for consistency and in case of future needs, but not actual production service relies on it working at the edge sites (only at the core)
[20:50:33] <topranks>	 Yeah - looks like Vlan 510 (public1-eqsin) is missing on the switch side 
[20:50:57] <bblack>	 we only figured this out because it also screws up ssh-ing into these hosts from the local bastion, because the host wants to route the traffic through the broken trunked interface :)
[20:51:19] <topranks>	 ah makes sense 
[20:51:58] <topranks>	 So in terms of the switch config we can make the change without affecting the link
[20:52:19] <bblack>	 ok, maybe try 5006 first, it's the secondary/backup one
[20:52:24] <topranks>	 it's only a logical change to the mode adding the tagged vlan, shouldn't affect any untagged traffic
[20:52:25] <topranks>	 ok
[20:52:35] <topranks>	 best to be safe anyway 
[20:52:36] <bblack>	 well you have to change the port's mode to trunked too, and set native-vlan-id
[20:52:41] <bblack>	 but yeah I guess you know all that :)
[20:53:08] <bblack>	 I would have assumed it would blip the interface, but I'm terribly pessimistic in trusting juniper
[20:56:16] <bblack>	 where in netbox needs fixing anyways.  I was compariing a working example from ulsfo and couldn't find where it would be anyways.
[20:57:01] <topranks>	 brain fart my side too - I was changing our "netbox next" test server 
[20:57:10] <topranks>	 You need to edit the switch interface directly
[20:57:14] <bblack>	 (they both show an IP address in the correct vlan assigned to the tagged sub-interface, but I don't see anything related-but-missing)
[20:57:34] <bblack>	 oh, got it.  I was assuming it was derived from metadata on the host side of this link
[20:57:39] <topranks>	 Yeah on the host side it's the switch side you need to change
[20:58:16] <topranks>	 So if you are looking at the ints for lvs5006, click the "xe-0/0/15" that should be under 'connection'
[20:58:28] <topranks>	 It'll bring the switch-side interface: https://netbox.wikimedia.org/dcim/interfaces/27732/
[20:58:41] <topranks>	 Click EDIT on that page, then right at the bottom is the vlan setup 
[20:59:01] <bblack>	 got it
[20:59:02] <topranks>	 We change mode to 'tagged, leave 'untagged vlan' alone, and add 510 to the 'tagged vlans'
[20:59:28] <topranks>	 I have an objective to improve our scripts for DC-ops to allow this to be done at host provision time fwiw 
[20:59:38] <bblack>	 is LVS the only case like this?
[21:00:02] <bblack>	 we will eventually get rid of it, which maybe would be the end of this insanity :)
[21:00:02] <topranks>	 Our Ganeti hosts are the same, and now WMCS have moved to using tagged handoff 
[21:00:08] <bblack>	 ah ok
[21:00:10] <topranks>	 So it's becoming more of a pain 
[21:00:38] <topranks>	 Ok I'll run Homer to change lvs5006 that ok?
[21:01:26] <bblack>	 topranks: yeah
[21:02:37] <topranks>	 Ok done
[21:02:42] <topranks>	 I was running a ping from the serial console
[21:02:48] <topranks>	 It did lose 1 ping
[21:03:11] <bblack>	 I can confirm it does fix the actual problem though, and there was no link-loss at the host level
[21:03:24] <bblack>	 I can just temporarily depool the other two just in case
[21:04:13] <topranks>	 Yeah I had "ip monitor" running too, definitely no physical link drop 
[21:04:29] <bblack>	 we're at the low point in eqsin traffic for the day anyways, so I can just fail both lvs500[45] over to the now-fixed 6 for a bit
[21:04:29] <inflatador>	 taavi one more question if you're able, do we need to reload keyholder after we add the perms?
[21:04:34] <topranks>	 But was an interruption to traffic, presumably while switch changed its internal state 
[21:04:53] <topranks>	 bblack: ok cool, let me know when that's done, I'll prep the change for those now 
[21:04:58] <inflatador>	 It's still bombing out with the same error ;(
[21:06:53] <bblack>	 topranks: you're good to go!
[21:07:42] <bblack>	 incidentally, I had never used "ip monitor" before today. I found out about it while trying to debug the same issue that lead me here heh :)
[21:07:49] <topranks>	 bblack: running
[21:08:05] <topranks>	 heh yeah it's very useful, I only found out about it last year or so.
[21:08:06] <bblack>	 pretty handy thing!
[21:08:21] <topranks>	 very useful for seeing what the kernel is doing under the hood
[21:08:39] <bblack>	 yeah, it was showing me basically that ARP was failing, which was my critical clue
[21:09:13] <topranks>	 gotcha, I was running here to see if there was a momentary UP/DOWN transition for the interface 
[21:09:25] <topranks>	 Ok that's changed switch-side now so hopefully we are ok 
[21:10:07] <bblack>	 ok, repooling
[21:11:28] <topranks>	 I don't see why the connection from bastion was failing, the DNS records point to the private IP
[21:11:35] <topranks>	 and the default on the hosts is via that interface 
[21:11:56] <bblack>	 topranks: the problem is the bastion's on the same public1 /28 network as that trunked vlan interface.
[21:12:06] <topranks>	 ah yeah of course 
[21:12:08] <bblack>	 so the ssh packets from bastion->lvs get there ok, but lvs wants to reply over the trunk
[21:12:11] <bblack>	 and it fails :)
[21:12:38] <bblack>	 since nobody regularly uses the eqsin bastion, nobody really noticed
[21:12:57] <topranks>	 gotcha
[21:12:59] <bblack>	 but apparently vg reconfigured his ssh config to use the site-local bastion for various .foo.wmnet and found it today
[21:13:45] <bblack>	 topranks: in any case, all fixed and back to normal state now, thank you!
[21:13:48] <topranks>	 well like I say 2 things on my agenda over next few weeks are to add an option to our 'server provision' script to trunk additional vlans
[21:13:53] <topranks>	 so it can be part of normal workflow 
[21:14:29] <topranks>	 The other is to slightly adjust how we represent the host interfaces on the Netbox side, which will enable us to add a report to catch any discrepancies like this that might occur 
[21:14:39] <topranks>	 so the situation should improve 
[21:14:42] <topranks>	 anyway glad it's ok now!
[21:14:43] <bblack>	 sounds like progress!