[07:50:22] <Nikerabbit>	 do you know someone with exercise addictionI am working with Safeguard on this request. It seems there are two different Employer of Records in Finland which would explain the differences. 
[07:50:42] <Nikerabbit>	 argh :/
[10:35:57] <dcaro>	 vgutierrez: hi! from the last day, we were having issues connecting to wikis from some tools, I have a reproducer right now, from one of our workers (tools-k8s-worker-43), to commons.wikimedia.org, I'm doing a pcap of a curl request that hangs
[10:36:07] <dcaro>	 is there anything else I can get that will help debug?
[10:36:23] <dcaro>	 (I can give you access or debug live if you have time right now)
[10:36:44] <vgutierrez>	 mtr/traceroute to commons.wikimedia.org from the worker as well
[10:40:08] <dcaro>	 ack
[10:43:04] <dcaro>	 vgutierrez: mtrs look the same T356164
[10:43:05] <stashbot>	 T356164: [toolforge] several tools get periods of connection refused (104) when connecting to wikis - https://phabricator.wikimedia.org/T356164
[10:43:37] <dcaro>	 oh, but now it's working again
[10:43:43] <dcaro>	 so maybe the mtr was a bit late
[10:44:34] <vgutierrez>	 where is the pcap?
[10:45:30] <dcaro>	 vgutierrez: give me a sec, I think it might have some private info (captured all traffic), I'll send it to your email
[10:45:46] <vgutierrez>	 ack
[10:46:54] <dcaro>	 I think it might be too big xd
[10:47:36] <dcaro>	 it's 14G, I'll try to trim it by host, is that ok? (filtering by the commons IP)
[10:48:04] <vgutierrez>	 sure
[10:53:31] <dcaro>	 xd, still 3.9G
[10:57:27] <dcaro>	 uploading it to cloudcontrol1007.eqiad.wmnet:/root/only_commons.pcap.gz, vgutierrez you have access to that right?
[10:57:35] <vgutierrez>	 filter by stream? :)
[10:58:01] <vgutierrez>	 yes, I got access
[10:58:29] <vgutierrez>	 BTW, did you dump the TLS keys during the handshake? :)
[11:00:52] <dcaro>	 I did not do anything specific for it, so I'm guessing I did not? How should I have dumped them?
[11:01:58] <vgutierrez>	 SSLKEYLOGFILE=/root/sslkey.log curl [...]
[11:02:55] <dcaro>	 I'll take it into account for the next, that would allow us to decode the https stream?
[11:03:22] <vgutierrez>	 yes
[11:04:03] <dcaro>	 awesome, got another worker having the issue, I'll try it there (and try to get a smaller pcap)
[11:08:08] <vgutierrez>	 dcaro: just use --local-port to a privileged port that you know for a fact that is not being used
[11:08:14] <vgutierrez>	 and filter by that
[11:08:30] <dcaro>	 I added a dummy header xd, but that sounds easier to filter by
[11:08:51] <vgutierrez>	 a dummy header on a TLS communication?
[11:09:06] <vgutierrez>	 you'll end up with another huge pcap that requires processing 
[11:09:43] <dcaro>	 ack, using the port 
[11:16:32] <dcaro>	 vgutierrez: got it
[11:16:34] <dcaro>	 https://www.irccloud.com/pastebin/5TeBVliD/
[11:16:50] <vgutierrez>	 lovely :D
[11:18:57] <vgutierrez>	 dcaro: oh wow... the pcap shows retransmissions happening even during the TLS handshake
[11:19:09] <vgutierrez>	 dcaro: are you sure that mtr is happy?
[11:19:26] <vgutierrez>	 https://www.irccloud.com/pastebin/L2rdN8Cb/
[11:19:35] <dcaro>	 vgutierrez: that might be because I captured all interfaces
[11:19:48] <dcaro>	 (so it might be seeing it from the docker interface + the host interface)
[11:19:57] <dcaro>	 I can try using only the host one
[11:20:29] <vgutierrez>	 not only duped ones
[11:21:07] <vgutierrez>	 https://www.irccloud.com/pastebin/b5HDD0zZ/
[11:21:57] <dcaro>	 let me rerun, it's still having issues
[11:22:38] <vgutierrez>	 dcaro: also let's run mtr on monitor mode... mtr -t -T -P 443 
[11:22:59] <vgutierrez>	 and see if you're getting some lost packets in there as well
[11:23:12] <vgutierrez>	 (that should open the curses iface running till you stop it manually)
[11:23:28] <dcaro>	 okok, running `mtr -P 443 -t -T -w 208.80.154.224`
[11:24:00] <dcaro>	 looks clean
[11:24:05] <dcaro>	 https://www.irccloud.com/pastebin/HSBbIAFE/
[11:25:58] <vgutierrez>	 ack, let me know when you have the new pcap in place
[11:26:00] <dcaro>	 got another pcap, listening only on eth0
[11:26:04] <dcaro>	 uploading
[11:26:42] <dcaro>	 it's under `cloudcontrol1007.eqiad.wmnet:/tmp/only_eth0.tgz`
[11:26:46] <vgutierrez>	 got it
[11:27:43] <dcaro>	 the ssl decoding is awesome btw.
[11:27:53] <vgutierrez>	 looking better, I'm only seeing the burst of retransmissions at the end prior to haproxy RSTing the connection
[11:28:03] <vgutierrez>	 s/decoding/decryption/
[11:28:08] <dcaro>	 yep xd
[11:29:30] <dcaro>	 nice, python requests also generates the ssl key log file when the envvar is set, that will help a lot debugging stuff xd
[11:36:09] <vgutierrez>	 dcaro: you're welcome
[11:36:27] <vgutierrez>	 btw... the IP from that worker is always the same?
[11:37:28] <dcaro>	 yes, the ips get assigned on VM creation, and only changed when rebuilding the VM
[11:40:58] <vgutierrez>	 dcaro: ack, can you tell me the x-cache response header from a working oneE?
[11:41:06] <vgutierrez>	 (on the same worker)
[11:41:23] <dcaro>	 that worker now works xd
[11:41:32] <dcaro>	 < x-cache: cp1106 miss, cp1106 pass
[11:41:46] <vgutierrez>	 so that host is hitting cp1106
[11:41:48] <dcaro>	 from that same worker, same url
[11:41:54] <vgutierrez>	 URL doesn't matter
[11:42:00] <vgutierrez>	 just source IP
[11:42:16] <dcaro>	 same ip too
[11:42:23] <dcaro>	 < x-client-ip: 172.16.6.13
[11:45:48] <dcaro>	 it stopped working again
[11:47:30] <vgutierrez>	 that URL is being used by the bot as well right?
[11:48:05] <dcaro>	 yes
[11:48:17] <dcaro>	 I can try see if it happens with a different url
[11:48:41] <vgutierrez>	 right now I'm guessing is still failing?
[11:48:45] <dcaro>	 just api.php without params also fails
[11:48:46] <dcaro>	 yep
[11:49:00] <dcaro>	 it did work for a minute though
[11:50:07] <vgutierrez>	 yeah... requests aren't going through the CDN node at all from that client
[11:51:41] <dcaro>	 that sounds like maybe routing issues? (as it works sometimes?)
[11:51:44] <vgutierrez>	 and now is working again
[11:51:50] <vgutierrez>	 right?
[11:52:03] <dcaro>	 yep
[11:52:08] <vgutierrez>	 unles....
[11:52:23] <vgutierrez>	 Feb 07 11:41:23 cp1106 haproxy[1857819]: [debug] silent-drop_for_300s: type=ipv4 <172.16.6.13>
[11:52:57] <vgutierrez>	 the bot is so aggressive that's triggering the silent-drop protection mechanism from HAProxy
[11:53:27] <dcaro>	 ohhh, that is interesting, and as it shares ip with anything on that worker, any container running there would also see the blockage right?
[11:53:34] <vgutierrez>	 indeed
[11:53:50] <dcaro>	 has that limit changed lately? the user said it was working before
[11:53:57] <dcaro>	 (without any change on their side)
[11:53:57] <vgutierrez>	 fabfur & cdanis ^^
[11:54:19] <vgutierrez>	 dcaro: hmm maybe now the tool is on a busier node?
[11:54:38] <fabfur>	 AFAIK the silent-drop limits haven't changed lately 
[11:55:22] <dcaro>	 I'll look into the node traffic, see if there's a congregation of high traffic tools or similar
[11:56:22] <volans>	 vgutierrez: why only on cp1106?
[11:56:43] <vgutierrez>	 volans: :?
[11:56:58] <volans>	 the silent drop
[11:57:08] <vgutierrez>	 cause the abusing IP is the same one
[11:57:16] <vgutierrez>	 and load balancers work like that
[11:57:41] <volans>	 yeah, I know I mean all the traffic comes only from that single cloud IP?
[11:58:04] <vgutierrez>	 all the traffic that's being silent-dropped by cp1106 comes from that IP
[11:59:00] <dcaro>	 is there anything that can be done to prevent that? (headers sent about traffic limit so the users can rate-limit themselves, increase limits for toolforge ips, ...)
[11:59:01] <vgutierrez>	 sigh... the most used UAs on that IP in the last day are python-requests/2.28.2 and 2.31.0... 6k requests the first one and 1.7k the second one
[11:59:30] <vgutierrez>	 so you have two heavy unindentified users on that node
[12:00:08] <dcaro>	 I know one at least xd
[12:01:01] <vgutierrez>	 the python-requests/2.28.2 UA has the same amount of requests in the last 24h that the rest of the top 10 together
[12:01:34] <arturo>	 I kind of remember we had a policy in Toolforge that tools had to set an explicit UA. But can't find the docs at the moment
[12:01:47] <vgutierrez>	 it's definitely against our policies
[12:01:49] <dcaro>	 yes we do
[12:02:45] <dcaro>	 https://wikitech.wikimedia.org/wiki/Help:Toolforge/Banned for tools that were banned until changed the user agent
[12:03:01] <vgutierrez>	 so we need some banning :)
[12:03:45] <dcaro>	 I hope a bit of asking might be enough https://wikitech.wikimedia.org/wiki/User:Legoktm/toolforge_library
[12:03:51] <arturo>	 dcaro: but that page is about accessing toolforge. This problem here is about hitting the wikis form toolforge, no?
[12:03:54] <dcaro>	 there's libraries to help too
[12:04:00] <vgutierrez>	 dcaro: to be clear.. we silent drop if we see more than 500 concurrent requests from a single IP 
[12:04:21] <vgutierrez>	 so we won't be relaxing that limit for toolforge
[12:04:34] <dcaro>	 that's ok
[12:04:41] <vgutierrez>	 tools need to behave :)
[12:04:59] <dcaro>	 so the rate is about concurrent requests, not rate-limiting then?
[12:05:15] <vgutierrez>	 that's right
[12:05:17] <dcaro>	 (as in, you can do many small quick requests, but 500 long-running ones will hit the limit)
[12:06:14] <vgutierrez>	 yeah.. if you spawn 1000 threads you get banned immediately but you can have 100 threads going as fast as they can and you won't trigger the silent-drop
[12:06:34] <dcaro>	 ack, that's useful
[12:06:56] <vgutierrez>	 you would trigger some 429s for sure
[12:06:59] <vgutierrez>	 but not the silent-drop
[12:07:21] <arturo>	 vgutierrez: the silent drop is known to return HTTP 104 always?
[12:07:43] <vgutierrez>	 arturo: you're not seeing an HTTP 104
[12:08:15] <vgutierrez>	 but ECONNRESET 104 Connection reset by peer
[12:08:17] <dcaro>	 os error, not http
[12:08:18] <dcaro>	 (os error 104)
[12:08:26] <arturo>	 right
[12:08:49] <dcaro>	 would that sum up diffirent wikis? or it's per-wiki?
[12:09:03] <vgutierrez>	 it's per CDN node
[12:09:07] <arturo>	 is that ECONRESET the known behavior on the client side when the silent drop triggers?
[12:09:13] <vgutierrez>	 arturo: yes
[12:09:41] <arturo>	 vgutierrez: ok, and last question, is just using a proper UA enough to avoid the limit?
[12:09:47] <vgutierrez>	 nope
[12:09:54] <vgutierrez>	 the limit is enforced by source IP
[12:10:36] <arturo>	 maybe source IP and source port? or only src IP?
[12:10:40] <vgutierrez>	 source IP
[12:11:12] <vgutierrez>	 in HTTP/1.1 you cannot have concurrent requests if you don't have several TCP connections
[12:11:25] <vgutierrez>	 that requires 500 source ports AFAIK
[12:12:10] <arturo>	 so, with the earlier question by dcaro
[12:12:30] <arturo>	 I guess we can only have 500 connections per toolforge worker node for each CDN node
[12:13:02] <arturo>	 and each worker node can run hundred of tools/bots, the available connections per tool/boot is even lower
[12:13:29] <vgutierrez>	 that's accurate
[12:14:31] <dcaro>	 and each ip gets assigned one CDN node
[12:14:31] <vgutierrez>	 BTW, limit got tightened in late November
[12:14:53] <vgutierrez>	 embrace IPv6 and get one IP per tool? :)
[12:15:05] <arturo>	 heh, do you have a magic wand? :-P
[12:15:55] <arturo>	 IPv6 for toolforge is definitely something that has been in my radar for half a decade now
[12:16:03] <dcaro>	 it's weird though that the user had no issues on grid
[12:16:13] <arturo>	 (note how half a decade sounds more time that 5 years)
[12:16:25] <dcaro>	 (were the nodes were also shared)
[12:16:59] <vgutierrez>	 in that node you got one or two abusers
[12:17:31] <vgutierrez>	 I'd suggest that you solve that issue and probably the silent-drop will stop being triggered
[12:18:36] <vgutierrez>	 happy to continue this conversation then
[12:19:47] <dcaro>	 the user is opening >1k tcp connections at once
[12:19:49] <dcaro>	 https://www.irccloud.com/pastebin/A0VSqIUW/
[12:20:14] <dcaro>	 that seems like too much xd
[12:20:19] <vgutierrez>	 lol :)
[12:24:39] <dcaro>	 arturo: found the policy, it's a soft-redirect to https://meta.wikimedia.org/wiki/User-Agent_policy
[12:24:47] <dcaro>	 https://wikitech.wikimedia.org/wiki/User-agent_policy
[12:26:23] <dcaro>	 vgutierrez: thanks a lot!! that was very helpful :)
[12:26:57] <arturo>	 dcaro: thanks
[12:26:59] <arturo>	 vgutierrez: thanks!!
[13:58:21] <dcaro>	 confd service (using nrpe) is failing everywhere, is that part of the migration to systemdunitfailure? godog?
[13:58:33] <dcaro>	 *confd service alert
[13:58:54] <dcaro>	 https://alerts.wikimedia.org/?q=alertname%3Dconfd%20service
[14:00:50] <dcaro>	 oh, they are gone now :)
[14:01:10] <godog>	 "yes" to answer your question dcaro :)
[14:01:27] <dcaro>	 ack, thanks for moving off icinga! ;)
[14:01:49] <godog>	 thank you, baby steps
[14:41:46] <akosiaris>	 cdanis: you got me digging up on BGP metrics for calico and well, it was depressing: https://docs.tigera.io/calico-enterprise/latest/operations/monitor/metrics/bgp-metrics
[14:42:05] <akosiaris>	 apparently only on calico-enterprise 😞
[14:43:38] <cdanis>	 that's ...
[14:43:41] <cdanis>	 sigh
[14:43:50] <claime>	 ugh
[14:44:52] <_joe_>	 yeah sadly I'm not surprised
[14:45:17] <_joe_>	 and calico was by far the least "freemium" of these solutions
[14:45:21] <cdanis>	 yeah
[14:45:26] <cdanis>	 we can just run bird_exporter in the pod i guess?
[14:45:31] <cdanis>	 ("just")
[14:51:46] <cdanis>	 akosiaris: there's also an open bug on their github from 2019 about bgp metrics heh https://github.com/projectcalico/calico/issues/2369
[14:52:01] <cdanis>	 i love open core
[14:52:36] <akosiaris>	 yeah I have an open task as well about exposing BGP graceful shutdown 
[14:52:42] <cdanis>	 heh
[14:52:42] <akosiaris>	 similar situation
[14:52:56] <cdanis>	 gonna need our own calico distribution
[14:53:17] <akosiaris>	 there you go: https://github.com/projectcalico/calico/issues/4607
[14:53:27] <akosiaris>	 May 12, 2021
[14:53:43] <cdanis>	 It would be nice if any support added by this PR is a compatible extension of what we already have in Enterprise.
[14:53:44] <akosiaris>	 it became evident pretty quickly what I wanted was in the enterprise product
[14:53:46] <cdanis>	 😂
[14:54:57] <claime>	 Do we ever reach out to these open-core vendors to see if they'd make a "donation" of a license to the WMF?
[14:55:07] <cdanis>	 claime: we wouldn't
[14:55:22] <claime>	 By policy I assume
[14:55:25] <akosiaris>	 yes
[14:55:34] <claime>	 ack
[14:56:43] * Emperor mutters about open-core needing dumping
[14:56:48] <inflatador>	 On the positive side, I'm excited about the open-source forks of terraform and hashi vault...it seems like they will be OK with adding features that threaten the enterprise stuff
[14:57:14] <akosiaris>	 I suppose we can put bird_exporter in a container and run it in the pod.
[14:57:42] <akosiaris>	 I 'll have to double check the sockets thing, but it shouldn't be difficult
[14:57:52] <claime>	 https://i.pinimg.com/originals/15/f5/89/15f589b8111e210ac297e86737bb3a65.jpg
[14:57:56] <akosiaris>	 we 'll need to run 2 ofc, to make things fun
[14:58:01] <akosiaris>	 one for IPv4 and one for IPv6
[14:58:21] <akosiaris>	 claime: you are fast :P
[14:58:29] <claime>	 :p
[14:58:33] <inflatador>	 faster than that motorcycle ;P
[14:58:33] <kamila_>	 oh ffs
[14:58:45] <cdanis>	 :nod:
[14:58:51] <claime>	 inflatador: tbf my 30 year old horse is faster than that motorcycle
[14:59:18] <cdanis>	 claime: we can probably speed it up by adding a few more sidecars
[14:59:30] <claime>	 With motors in them
[14:59:33] <claime>	 On per wheel
[14:59:37] <claime>	 One*
[14:59:39] <inflatador>	 Yeah, it'll look like a drone on wheels
[14:59:40] <cdanis>	 just one more sidecar bruh it's gonna fix everything i promise
[14:59:42] <cdanis>	 one more sidecar
[14:59:58] * claime slaps pod
[15:00:04] <claime>	 This baby can fit so many sidecars
[15:00:06] * kamila_ was just finishing typing up https://phabricator.wikimedia.org/T356877
[15:08:30] <_joe_>	 tbh the right allegory for this mess is a mcmansion
[15:09:30] <_joe_>	 the sidecars are the quadruple garage
[15:13:56] * kamila_ is desperately trying to figure out how to insert their beloved 4-wheeled pile of rust into the conversation
[15:14:59] <Emperor>	 kamila_: take the previous joke, and rewrite it in rust? ;-)
[15:15:18] <kamila_>	 oh god why XD
[15:16:11] * Emperor bows
[15:17:16] <_joe_>	 kamila_: took me a minute to ensure we didn't have a member of the rust evangelism task force in our team
[15:17:43] <_joe_>	 "ah no they're talking about their car, phew"
[15:17:55] <kamila_>	 I should have thought of that :D 
[15:19:02] <kamila_>	 I spent ~8h sanding rust last week and another horrible person already asked me why I did that given that rust was cool these days
[15:25:07] <claime>	 what's the car?
[15:26:15] <claime>	 nevermind :)
[15:29:54] <kamila_>	 was that an invitation to talk about my bad decisions? :D 
[15:41:23] <Emperor>	 :)
[16:01:21] <herron>	 !incidents
[16:01:21] <sirenbot>	 4427 (UNACKED)  ProbeDown sre (10.2.2.53 ip4 thanos-query:443 probes/service http_thanos-query_ip4 eqiad)
[16:01:22] <sirenbot>	 4424 (RESOLVED)  ProbeDown sre (10.2.2.53 ip4 thanos-query:443 probes/service http_thanos-query_ip4 eqiad)
[16:01:25] <Emperor>	 sad times
[16:01:32] <herron>	 !ack 4427
[16:01:33] <sirenbot>	 4427 (ACKED)  ProbeDown sre (10.2.2.53 ip4 thanos-query:443 probes/service http_thanos-query_ip4 eqiad)
[16:01:38] <herron>	 !ack 4424
[16:01:39] <sirenbot>	 Attempt to ack incident 4424 failed.
[16:01:42] <Emperor>	 is that going to be another OOM?
[16:01:46] <herron>	 !incidents
[16:01:46] <sirenbot>	 4427 (ACKED)  ProbeDown sre (10.2.2.53 ip4 thanos-query:443 probes/service http_thanos-query_ip4 eqiad)
[16:01:46] <sirenbot>	 4424 (RESOLVED)  ProbeDown sre (10.2.2.53 ip4 thanos-query:443 probes/service http_thanos-query_ip4 eqiad)
[16:01:47] * Emperor goes to look at titan nodes
[16:02:28] <Emperor>	 both eqiad titan nodes slow/nonresponsive to ssh, so I'm guessing this is a repeat of yesterday.
[16:03:04] <cdanis>	 same time as yesterday
[16:03:14] <cdanis>	 i think we have a query of death in a cronjob that runs at 16:00
[16:03:36] <_joe_>	 possible
[16:04:03] <_joe_>	 cdanis: or someone is very regular in their thanos queries :D
[16:05:26] <Emperor>	 titan1* still nonresponsive
[16:05:49] <herron>	 yeah, ping response but ssh hangs for me too probably time to reboot
[16:07:05] <Emperor>	 they did self-recover last time...
[16:07:44] <_joe_>	 just to clarify, there's an ongoing production issue and a couple teams are flying blind atm
[16:08:15] <herron>	 I'm getting a console on titan1002 atm, getting ready to hard reboot
[16:08:55] <cdanis>	 thanks
[16:09:46] <Emperor>	 herron: shall I do titan1001 via the reboot cookbook?
[16:10:50] <herron>	 Emperor: sure I'll focus on titan1002 for the moment
[16:10:51] * Emperor doing so
[16:13:45] <herron>	 finally bios timeouts are done booting linux
[16:14:25] <herron>	 titan1002 reachable again
[16:14:31] <Emperor>	 titan1001 powercycling now
[16:16:33] <inflatador>	 does anyone have any automation that pokes Netbox to check for hosts that are past the 5-year cycle? I might put something together if not
[16:18:18] <Emperor>	 herron: I'll update T356788 to note the worse failure today
[16:18:19] <stashbot>	 T356788: thanos-query probedown due to OOM of both eqiad titan frontends - https://phabricator.wikimedia.org/T356788
[16:18:36] <herron>	 Emperor: thank you
[16:19:01] <herron>	 and I think we have some sleuthing to do re the 16:00 cron idea
[16:46:56] <btullis>	 jynus: we have a puppet-merge clash. DO you want to merge mine?
[16:47:24] <jynus>	 it is just 2 lines for statistics_servers, ok?
[16:47:40] <btullis>	 Yep. Please go ahead.
[16:48:38] <jynus>	 btullis: done
[16:48:46] <btullis>	 Cheers.
[17:04:13] <herron>	 !incidents
[17:04:14] <sirenbot>	 4428 (UNACKED)  [2x] ProbeDown sre (ip4 thumbor:8800 probes/service http_thumbor_ip4)
[17:04:14] <sirenbot>	 4427 (RESOLVED)  ProbeDown sre (10.2.2.53 ip4 thanos-query:443 probes/service http_thanos-query_ip4 eqiad)
[17:04:27] <herron>	 !ack 4428
[17:04:28] <sirenbot>	 4428 (ACKED)  [2x] ProbeDown sre (ip4 thumbor:8800 probes/service http_thumbor_ip4)
[17:05:00] <hnowlan>	 herron: I just merged a change to remove the thumbor pools, must have broken something
[17:05:03] <hnowlan>	 reverting
[17:05:10] <herron>	 hnowlan: ah!  thank you
[17:05:49] <cdanis>	 ty, was just about to see if you were still around :)
[17:06:32] <hnowlan>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/998447
[17:06:46] <hnowlan>	 thumbor is not configured in lvs to use these pools
[17:07:25] <hnowlan>	 unless I messed up the restarts
[17:08:57] <hnowlan>	 pools are restored but I'm not seeing recovery 
[17:10:23] <hnowlan>	 might I need to restart pybal to get it to pick up the restored pools? 
[17:10:27] <volans>	 hnowlan: they get re-added with weight=0
[17:10:28] <volans>	 by default
[17:10:36] <volans>	 sudo confctl select 'service=thumbor' get
[17:10:41] <hnowlan>	 aha
[17:10:44] <volans>	 and inactive
[17:10:50] <volans>	 you have to pool them and set a weight
[17:11:15] <volans>	 my select gets both eqiad and codfw
[17:11:22] <volans>	 I see all with weight=0
[17:11:33] <volans>	 and pooled=inactive
[17:11:35] <hnowlan>	 done, recovering now 
[17:14:17] <volans>	 hnowlan: I'm not sure what was the status *before* merging the patch, but my suggestion would be to always depool hosts in a pool before removing it, allows for easier testing and rollbck ;)
[17:15:07] <hnowlan>	 volans: fair point
[17:15:53] <hnowlan>	 just verified in lvs logs that the restart I did earlier didn't pick up the group change, which means that the service is using the thumbor group rather than kubesvc
[17:16:48] <volans>	 that explains
[17:34:07] <volans>	 jayme: gentle reminder to not use cumin1001 but cumin1002,cumin2002 ;) [see Mori.tz's email from December for context]
[17:35:28] <jayme>	 volans: oops, thanks. That probably got lost during my absence and muscle memory took over again
[17:35:38] <volans>	 :D