[07:59:25] <effie>	 volans: gimme a sec 
[07:59:56] <volans>	 yep, same thing, now the question is if serviceops is interested in debugging the "bad" pod before deleting it
[08:01:06] <effie>	 it is two in a row 
[08:01:29] <effie>	 ok I will dig into it a bit, see if something comes up, and then I will kill it 
[08:02:08] <volans>	 effie: is there a way to "isolate" it so that it doesn't serve anymore traffic but is still around for debugging?
[08:02:48] <volans>	 so at least we don't serve the 5xx 
[08:04:02] <effie>	 one thing that comes to mind is complicated, as in changing a bit the selector from the service 
[08:05:08] <volans>	 changing the labels of the pod maybe?
[08:06:10] <effie>	 could be, let me have a go
[08:07:59] <volans>	 right now it has labels: app=mediawiki,deployment=mw-api-ext,pod-template-hash=7686884f77,release=main,routed_via=main
[08:15:12] <volans>	 ok the pod disappeared before we could debug anything
[08:15:22] <volans>	 and errors are back to zero and recovery is comung
[08:32:42] <volans>	 for posterity the "disappearance" was due by the train passing by...
[08:39:11] <_joe_>	 ah damn
[08:39:33] <_joe_>	 volans: I think the problem is that the pod was still responding ok to its readiness probe
[08:39:57] <_joe_>	 while it shouldn't have
[08:40:26] <_joe_>	 volans, effie you can look in prometheus for the metrics of that specific pod
[08:40:36] <_joe_>	 maybe they'll tell you something about why it failed
[08:40:42] <volans>	 indeed that's why we wanted to isolate it for debugging
[08:40:56] <volans>	 also check if it was on the same host of the one from yesterday
[08:41:31] <_joe_>	 that can still be verified looking at events I think
[08:41:39] <_joe_>	 volans: but I doubt the host is the issue
[08:43:27] <_joe_>	 uhm so we just call a php script that returns 'OK'
[08:44:05] <_joe_>	 maybe we need a script that loads mediawiki at the very least, and tries to do some work locally 
[08:44:24] <_joe_>	 like accessing data in apcu 
[08:44:29] <_joe_>	 something like that
[08:44:36] <volans>	 something happened to that pod around 6:26 UTC, graphs are all almost zeroed since then (thanks effie for finding the dashboard :D )
[08:44:55] <_joe_>	 volans: if you talk about php graphs
[08:45:05] <effie>	 no itis cpu graphs 
[08:45:05] <_joe_>	 that's because there was no worker free to report metrics probably
[08:45:08] <volans>	 no pod graphs, cpu/network/etc..
[08:45:21] <_joe_>	 uhm that's strange indeed
[08:45:23] <volans>	 and are not 0, but very low
[08:45:31] <_joe_>	 ah no that is normal
[08:45:37] <_joe_>	 if every request is in a deadlock
[08:45:53] <_joe_>	 have you checked the slow logs from that pod already?
[08:45:55] <volans>	 but we alerted at 7:57
[08:46:33] <_joe_>	 volans: what was the name of the pod?
[08:47:05] <volans>	 mw-api-ext.eqiad.main-7686884f77-ql69d
[08:47:44] <volans>	 https://grafana.wikimedia.org/goto/8s5YHnXIg?orgId=1
[08:47:54] <_joe_>	 https://logstash.wikimedia.org/goto/8c535747c43965b0339b316c85f3510a
[08:48:00] <_joe_>	 not that usefulk I fear
[08:50:09] <effie>	 ok we will dig deeper, _joe_ we may ping you if nothing useful comes up 
[09:43:31] <elukey>	 hello folks, as FYI I am deploying spicerack 8.8.0 on cumin2002 to test it
[09:45:22] <_joe_>	 elukey: how do you plan to test spicerack? running cookbooks?
[09:47:04] <elukey>	 _joe_ that is one way, or we can use the code directly (Riccardo has a script to use single modules in repl)
[09:51:14] <claime>	 elukey: that was supposed to be a secret
[09:51:21] <claime>	 :p
[09:53:05] <elukey>	 yes sure :D
[10:15:07] <volans>	 as soon as I find a way to make it safe I'll puppetize it :D
[11:50:49] <volans>	 any mainteance in progres in codfw?
[11:51:16] <claime>	 I racresetted a host, doubtful that's the reason
[11:51:21] <volans>	 !incidents
[11:51:22] <sirenbot>	 4880 (ACKED)  [3x] ProbeDown sre (ip4 probes/service codfw)
[11:51:22] <sirenbot>	 4879 (RESOLVED)  ATSBackendErrorsHigh cache_text sre (mw-api-ext-ro.discovery.wmnet esams)
[11:51:22] <sirenbot>	 4859 (RESOLVED)  db1219 (paged)/MariaDB Replica Lag: s1 (paged)
[11:51:23] <effie>	 there was a heads up usually  so 
[11:51:23] <claime>	 No scheduled vendor maintenance on calendar
[11:51:39] <volans>	 might be netowrk
[11:51:56] <volans>	 I see a lot of conn timeouts
[11:51:58] <effie>	 which graph shall we start from then 
[11:52:01] <jelto>	 yeah probably network, gitlab2002 (also in codfw) also alerted
[11:52:15] <jayme>	 lots of different things indeed
[11:52:18] <volans>	 XioNoX, topranks: anything ongoing with network in codfw?
[11:52:24] <vgutierrez>	 yup.. DC wide
[11:52:28] <volans>	 should we depool it?
[11:52:29] <effie>	 great 
[11:52:30] <brett>	 depool?
[11:52:31] <topranks>	 volans: yeah something odd 
[11:52:32] <effie>	 yes
[11:52:44] <effie>	 volans: I can get the patch ready
[11:52:50] <claime>	 volans: +1 depool
[11:52:56] <effie>	 alright hangon 
[11:53:07] <vgutierrez>	 from some of the alerts.. "Unknown server host 'db2161.codfw.wmnet" --> DNS impacted as well there
[11:54:17] <volans>	 https://gerrit.wikimedia.org/r/c/operations/dns/+/1055189
[11:54:38] <brett>	 +1
[11:54:54] <XioNoX>	 looking
[11:54:56] * kamila_ updating statuspage
[11:54:59] <volans>	 effie: we shoudl start an incident on the status page IMGO
[11:54:59] <arnaudb>	 +1ed
[11:55:04] <volans>	 kamila_: <3 thanks
[11:55:17] <effie>	 volans: yes we should 
[11:55:42] <vgutierrez>	 so low-traffic LVS is impacted and lvs-secondary, lvs-high-traffic1 and 2 are happy though
[11:55:51] <effie>	 so also 
[11:55:52] <effie>	 14:55:11 Unable to find image 'docker-registry.wikimedia.org/releng/operations-dnslint:0.0.12-s3' locally
[11:55:52] <effie>	 14:55:11 docker: Error response from daemon: received unexpected HTTP status: 503 Service Unavailable.
[11:56:02] <volans>	 vgutierrez: should I stop? I'm deploying right now
[11:56:03] <topranks>	 fwiw I'm 99% sure what it is (me) and fixing 
[11:56:12] <vgutierrez>	 topranks: <3
[11:56:20] <effie>	 topranks: shall we hold our horses?
[11:56:22] <volans>	 topranks: great
[11:56:25] <volans>	 clush:  3/15
[11:56:33] <volans>	 it's a bit late for that, but we can rever
[11:56:35] <volans>	 OK - authdns-update successful on all nodes!
[11:56:40] <volans>	 apaprently on codfw's ones too
[11:57:01] <brett>	 volans: the patch wasn't merged?
[11:57:03] <volans>	 ah no sorry, I'm stupid
[11:57:13] <volans>	 clicked submit but not continue on the popup
[11:57:19] <volans>	 so now is merged
[11:57:23] <effie>	 lol
[11:57:26] <volans>	 wiating a second to deploy
[11:57:28] <brett>	 might have done that a few times myself before ^^
[11:57:29] <volans>	 if we have a solution
[11:57:48] <volans>	 topranks: it's a thing of a minute or 10?
[11:57:50] <brett>	 topranks, what's the ETA for fixing?
[11:58:10] <topranks>	 2-3 mins
[11:58:25] <effie>	 I think that by everyone of us pinging him on IRC, is not helpin 
[11:58:40] <claime>	 So surprisingly, codfw mw-web was still serving ~1krps
[11:58:46] <brett>	 We need to know which actions to take
[11:58:54] <vgutierrez>	 godog/o11y: rsyslog is munching 5 CPU cores in lvs2012...
[11:59:05] <vgutierrez>	 claime: cp@text seems to be ok there
[11:59:09] <brett>	 IMO depooling is still the best way. By the laws of the universie it will take 6-10 minutes
[11:59:12] <brett>	 or longer
[11:59:21] <claime>	 yeah I agree we should depool
[11:59:22] <jelto>	 rsyslog is also working hard on the gitlab host :)
[11:59:32] <vgutierrez>	 unable to hit kafka?
[11:59:33] <claime>	 I'm serving between 5 to 20% 5xx
[11:59:50] <volans>	 the impact is not enormous:
[11:59:50] <volans>	 https://grafana.wikimedia.org/d/O_OXJyTVk/home-w-wiki-status?orgId=1&refresh=5m
[11:59:54] <godog>	 vgutierrez: ok
[12:00:07] <effie>	 I was about to say that it is not as bad as it looks
[12:00:17] <godog>	 checking
[12:00:45] <topranks>	 ok hopefully I've undone the damage I did 
[12:00:54] <jelto>	 🤞
[12:00:57] <arnaudb>	 recoveries are coming
[12:00:57] <volans>	 recoveries coming up
[12:01:02] <volans>	 <3 topranks 
[12:01:06] <claime>	 200 5xx/s to mw-web is not great though
[12:01:07] <volans>	 saving the day!
[12:01:09] <claime>	 let's see it recover
[12:01:11] <effie>	 topranks: does that include mental damages? no ?
[12:01:14] <fabfur>	 👍
[12:01:14] <effie>	 <#
[12:01:14] <volans>	 give it a second
[12:01:26] <effie>	 topranks: many thanks, lets see how things go 
[12:01:27] <topranks>	 effie: not at all, I'm only preparing for the big network migration today ffs ....
[12:01:34] <vgutierrez>	 rsyslog CPU recoverying in lvs2012
[12:01:36] <claime>	 topranks: <3
[12:01:40] <arnaudb>	 thanks for the fix topranks 
[12:01:55] <volans>	 Ihttps://gerrit.wikimedia.org/r/c/operations/dns/+/1055193
[12:01:57] <volans>	 for the revert
[12:02:12] <topranks>	 so - in brief - I miscalculated and added the codfw row C and D vlan interfaces to the new spines in codfw 
[12:02:20] <claime>	 5xx recovered
[12:02:20] <arnaudb>	 +1ed volans 
[12:02:43] <topranks>	 that creates a BGP route for those networks on the new spines.
[12:03:04] <topranks>	 my miscalculation was that I hadn't appreciated that those spines are connected to the row A spines directly 
[12:03:14] <effie>	 volans: topranks shall we put it on an incident report or not, is the question 
[12:03:31] <topranks>	 so while the change didn't stop the CRs talking directly to row C/D, it caused row A/B to see that route and prefer it 
[12:03:34] <volans>	 I've merged the revert
[12:03:40] <volans>	 so authdns should be a noop now
[12:03:41] <claime>	 I'm curious if that triggered udp sat from k8s logging
[12:03:42] <topranks>	 the C/D spines are not yet connected to the hosts in those rows so.... blackhole traffic :( 
[12:03:44] <topranks>	 sorry 
[12:04:02] <claime>	 it logged up to 300k messages per minute just for mediawiki
[12:04:41] <volans>	 we got new pages
[12:04:46] <volans>	 4880 (ACKED)  [3x] ProbeDown sre (ip4 probes/service codfw)
[12:06:24] <vgutierrez>	 tons of hosts being repooled n lvs2013 :)
[12:06:25] <volans>	 topranks: lsw in codfw c and d still reported as down by icinga
[12:06:30] <Emperor>	 apus in codfw is a bit sad about slow heartbeats, but I'm guessing that'll recover now the network is happier again
[12:06:49] <Emperor>	 interesting all from the host in C2
[12:07:04] <volans>	 but might be icinga slow
[12:07:04] <topranks>	 volans: they aren't in service yet - I disabled the port connecting to those spines, I can re-enable it shortly but will wait a moment 
[12:07:10] <volans>	 ah ok
[12:07:14] <volans>	 no worries that's fine
[12:07:21] <topranks>	 no it's cos I shut the CR ports connecting to all the new switches - as they aren't in use 
[12:07:27] <volans>	 it's just harder to distinguish real issues with fake ones :D
[12:07:34] <volans>	 ack
[12:07:54] <topranks>	 yeah.  probably they shouldn't be in icinga yet tbh that is also n me 
[12:08:02] <volans>	 icinga looks better, alerts is still recovering
[12:08:27] <volans>	 vgutierrez: should I run an authdns-update just inc ase?
[12:08:41] <bblack>	 it never really hurts
[12:08:55] <volans>	 k
[12:09:21] <volans>	 bblack: weird prompt, never happened to me
[12:09:22] <topranks>	 there will be some bgp alerts for CRs and SSW1-A* in codfw, that's expected also and shouldn't be an issue 
[12:09:24] <volans>	 Pulling the current revision from https://gerrit.wikimedia.org/r/operations/dns.git
[12:09:27] <volans>	 Reviewing 39d38739a4ec0d9d9117c9d7ae0266e04b86af0f...
[12:09:31] <volans>	 Merge these changes? (yes/no)?
[12:09:39] <volans>	 and there are 2 empty lines between my last 2 lines
[12:09:46] <volans>	 it's the noop right?
[12:10:02] <volans>	 just checking to be sure :)
[12:10:04] <bblack>	 yeah I assume that's because 2x commits netted out to zero lines diff
[12:10:15] <volans>	 ok, proceeding
[12:11:12] <volans>	 all done
[12:12:12] <volans>	 kamila_: <3 thanks a lot for the continous update of the status page, for now I'd leave it for a moment like that until we're confident everything is recovered
[12:12:50] <kamila_>	 volans: sure, happy to free you people's hands
[12:13:30] <volans>	 [feeback for o11y] it would be really useful to filter alerts on AM by duration, or sort them, like in icinga, to distinguish from the pre-existing ones and the outage ones
[12:13:41] <volans>	 all pages resolved now
[12:14:39] <bblack>	 [feedback for everyone] it would be really useful if we kept our active alerts cleaner when we're not in an outage, so it's not such a mess when we're in one :)
[12:15:06] <kamila_>	 +1000
[12:15:16] <volans>	 eheheh
[12:16:28] <volans>	 I'm about to force a puppet run on failed hosts on codfw, might help with the recovery
[12:16:30] <claime>	 I'll handle the sessionstore pods that got moved because the nodes were down
[12:17:07] <volans>	 claime: thanks I was about to ask
[12:17:10] <volans>	 about that alert
[12:17:21] <claime>	 just need to check the nodes are back up
[12:17:26] * volans running sudo cumin -b 30 -p 95 'A:codfw' 'run-puppet-agent -q --failed-only'
[12:20:05] <volans>	 has anyone created a doc yet? otherwise I'll start one and start backfilling it
[12:20:31] <sobanski>	 I can do that if you're busy
[12:20:45] <volans>	 sobanski: that would help, thanks a lot
[12:21:06] <claime>	 all done with sessionstore
[12:21:18] <volans>	 <3
[12:21:45] <volans>	 my $beverage_of_choice debts are growing fast today
[12:22:52] <claime>	 Can we consider that state is stable enough for deployments to restart?
[12:23:24] <volans>	 re-checking icinga/AM
[12:24:52] <claime>	 as far as mw-on-k8s is concerned, all good
[12:25:08] <volans>	 nice
[12:25:27] <topranks>	 <3
[12:25:42] <volans>	 yeah I think all remaining things are minor, at least they look so
[12:26:10] <volans>	 commented in the other channel
[12:27:49] <claime>	 I'm gonna grab some lunch
[12:28:02] <volans>	 thanks everyone that interveened, it helped a lot
[12:29:34] <volans>	 puppet run completed
[12:29:39] <volans>	 all hosts successful
[12:36:33] * volans grabbing some food, will backfill the incident doc more later
[12:39:12] <Emperor>	 [apus ceph cluster HEALTH_OK again now]
[12:44:55] <volans>	 I think we can resolve the status page then, any objection?
[12:47:30] <volans>	 going once... :)
[12:48:05] <kamila_>	 +1
[12:48:58] <volans>	 sold :D
[12:49:24] <topranks>	 apologies again for the drama folks 
[12:49:44] <topranks>	 thanks everyone for stepping in, esp. volans for taking charge <3 
[12:50:35] <topranks>	 I've reverted the root-cause of the problem (row C/D vlan IP interfaces added on new spines in row D)
[12:50:49] <volans>	 no worries topranks, happened to be oncall :-P
[12:51:00] <topranks>	 So I'll now roll-back the emergency changes made to restore things (ports shut down on CRs / row A spines)
[12:51:22] <topranks>	 I was worried you might have been having a boring day yeah :P
[12:57:17] <topranks>	 Ok everything rolled-back to previous state looks ok so far 
[13:06:25] * volans watching closely :D
[14:52:31] <topranks>	 Folks I am about to commence work on T366941 
[14:52:31] <stashbot>	 T366941: Move asw-c-codfw and asw-d-codfw CR uplinks to Spine switches - https://phabricator.wikimedia.org/T366941
[14:53:08] <topranks>	 I'm confident that the plan is ok and we won't have any problems, I will be extra cautious of course given my earlier mistake 
[15:08:34] <elukey>	 hey folks, I disabled puppet on install2004 to test https://phabricator.wikimedia.org/T363576#9994708 with Papaul. Please ping me if you need puppet running in there.
[15:11:03] <elukey>	 nevermind, TIL about the dhcp cookbook
[17:59:23] <swfrench-wmf>	 FYI, merging DNS changes in https://gerrit.wikimedia.org/r/c/operations/dns/+/1055256 to direct appservers-ro.discovery.wmnet to failoid
[18:14:51] <swfrench-wmf>	 same deal, now merging https://gerrit.wikimedia.org/r/c/operations/dns/+/1055268 to direct api-ro to failoid
[18:28:54] <swfrench-wmf>	 FYI, appservers-ro and api-ro.discovery.wmnet now resolve to failoid. details and rollback instructions: https://phabricator.wikimedia.org/T367949#9996177
[19:56:29] <mutante>	 I added a new option to geoip/mediawiki::common. You can now toggle if an attempt is made to pull geoip data from "volatile" on a puppetmaster/puppetserver or not. Default is true. So nothing changed anywhere in production. But you can disable it which means you can have deployment_server and local project puppetserver in cloud VPS without having to setup fake volatile
[19:57:06] <mutante>	 (popped up as a puppet issue in multiple places )
[20:07:32] <mutante>	 yea, it works. it finally made it possible to run puppet on a deployment_server instance in cloud VPS. like scap deploys in cloud
[20:48:48] <mutante>	 plugging Tyler's "sshecret" wrapper to ensure ssh-agent isn't forwarding prod keys to cloud:  https://wikitech.wikimedia.org/w/index.php?title=SRE%2FProduction_access&diff=2207793&oldid=2174820
[20:49:23] <mutante>	 https://github.com/thcipriani/sshecret/