[06:54:49] <moritzm>	 FYI, netmon is being rebooted
[06:56:36] <moritzm>	 and also rebooting bast6003 now
[07:38:41] <vgutierrez>	 do we have puppet-lint settings that are able to enforce our indent style? aka 4 spaces rather than 2?
[07:52:46] <volans>	 vgutierrez: git grep chars_per_indent4 should guide you, I didn't check it it's included only in some cases
[07:53:05] <volans>	 s/chars_per_indent4/chars_per_indent/
[07:56:03] <vgutierrez>	 yeah.. so using .puppet-lint.rc from our puppet repo should be enough, thx
[09:21:57] <arturo>	 moritzm: FYI openjdk-17-jre-headless unattended update (17.0.12+7-2~deb12u1, 17.0.13+11-2~deb12u1) broke puppetservers in WMCS
[09:22:12] <arturo>	 see T377803
[09:22:17] <stashbot>	 T377803: Cloud VPS:  cloud-wide puppet problem related to puppet-enc 2024-10-22 - https://phabricator.wikimedia.org/T377803
[09:25:56] <elukey>	 arturo: o/ yes we are aware of this issue, when openjdk is installed we need to immediately restart puppetserver :(
[09:26:02] <elukey>	 IIUC a restart fixed it right?
[09:26:18] <arturo>	 elukey: apparently yes
[09:26:22] <moritzm>	 yeah, you should exempt openjdk-17 from unattended-upgrades for the puppetserver role
[09:26:40] <moritzm>	 puppetserver needs an immediate restart after the upgrade
[09:27:35] <moritzm>	 I think it's related to jruby, jruby-compiled artefacts generated by two different JREs don't mix
[09:30:17] <arturo>	 in modules/profile/manifests/puppetserver/wmcs.pp
[09:30:23] <arturo>	 I see
[09:30:25] <arturo>	     # To ensure the server is restarted on unattended java upgrades
[09:30:25] <arturo>	     profile::auto_restarts::service { 'puppetserver': }
[09:30:31] <arturo>	 I guess that's not working as expected?
[09:32:22] <moritzm>	 it's working as expected, but doesn't help here
[09:32:37] <moritzm>	 the auto_restarts are splayed across the day
[09:33:04] <moritzm>	 but once openjdk-17 is upgraded, puppetserver fails with the next catalogue compile
[09:33:43] <moritzm>	 so it would remain broken for up to 23:59 hours in the worst case scenario
[09:34:12] <arturo>	 ah, I see
[09:34:21] <moritzm>	 we already have some exceptions in the unattended-upgraded config, best to simply add openjdk-17 to it for the puppetserver role
[09:34:58] <moritzm>	 or deploy some script which checks if java updates are available
[09:35:14] <moritzm>	 and which if that's the case installs them along with a subsequent puppetserver.service restart
[09:35:46] <moritzm>	 it's really surprising the puppetserver even stumbles over minor updates like 17.0.x
[09:36:24] <arturo>	 I'm having difficulties finding that setting to prevent openjdk-17 from auto-updating
[09:36:28] <arturo>	 do you have a pointer?
[09:36:46] <moritzm>	 and Puppet Enterprise possibly bundles Java like any good Enterprise application :-)
[09:38:41] <moritzm>	 hmmh, all I can find is apt::unattendedupgrades which doesn't appear to have exceptions
[09:39:07] <moritzm>	 but we definitely had these in the past, as some updates caused issues on toolforge in the gridengine days
[09:39:29] <moritzm>	 maybe that config vanished when the old tools setup was retired, not sure
[09:44:56] <arturo>	 if the exceptions were via normal apt pinnings, then most likely yes, we deleted all these
[09:55:05] <moritzm>	 arturo: alternatively just ping openjdk-17-jre-headless to a specific version for now within the role? and when we can periodically bump that along with puppetserver.service restarts via cloudcumin?
[09:55:13] <moritzm>	  /ping/pin
[09:55:54] <arturo>	 yeah, I'll cook a patch soon and let you know
[09:56:09] <moritzm>	 sgtm
[09:57:18] <moritzm>	 I found what I mentioned earlier:
[09:57:45] <moritzm>	 profile::toolforge::apt_pinning has the setting for the packages which were pinned to avoid toolforge errors
[10:02:43] <arturo>	 oh, I thought we had dropped that file
[11:32:59] <klausman>	 TIL about git blame -C (and -CC and -CCC): it makes git try and find the original author of a line. Very useful if e.g. a section was moved between files. It will even annotate what file the line was originally committed to.
[11:40:10] <moritzm>	 thanks for the pointer, I never heard about that before!
[11:44:30] <klausman>	 https://blog.gitbutler.com/git-tips-1-theres-a-git-config-for-that/ <- where I got it, also more
[12:50:06] <arturo>	 moritzm: https://gerrit.wikimedia.org/r/c/operations/puppet/+/1082201
[14:47:10] <urandom>	 hnowlan, swfrench-wmf: re: T363996, I have a ~1 hr meeting in 15 mins, then one free hour, followed by another meeting of 30 mins in length
[14:47:10] <stashbot>	 T363996: Sessionstore's discovery TLS cert will expire before end of May 2024 - https://phabricator.wikimedia.org/T363996
[14:49:39] <urandom>	 we should probably (have) set this up as a calendar event
[14:50:07] <hnowlan>	 heh, true. Want to aim for the 1600 UTC window then? 
[14:55:54] <swfrench-wmf>	 16:00 sounds good to me. looks like there are patches scheduled for the puppet window, plus if things run over, we can always take some of the 17:00 infra window too.
[14:56:03] <swfrench-wmf>	 *there are no patches
[14:56:07] <swfrench-wmf>	 lol, typing
[15:17:27] <urandom>	 hnowlan, swfrench-wmf: wfm (if an hour block is enough)
[15:23:04] <taavi>	 anyone who knows pybal enough to review https://gerrit.wikimedia.org/r/c/operations/puppet/+/1076420 please? that is ultimately blocking me from fixing a broken link in a totally unrelated script
[15:26:07] <sukhe>	 taavi: what's the unrelated script/error?
[15:27:11] <taavi>	 sukhe: https://gerrit.wikimedia.org/r/c/operations/puppet/+/1082226 :D
[15:28:11] <sukhe>	 taavi: in a meeting so forgive me but that is passing?
[15:29:28] <taavi>	 sukhe: yes, since that depends on the pybal patch? if you rebased that patch to not depend on it then https://gerrit.wikimedia.org/r/c/operations/puppet/+/1082227 (which is needed for the original patch to pass) would start failing
[15:34:20] <sukhe>	 should be OK for this case, +1
[16:02:57] <urandom>	 swfrench-wmf, hnowlan: ok, I have an hour! :)
[16:03:41] <hnowlan>	 cool, I'm good to go :) 
[16:03:54] <swfrench-wmf>	 am here as well
[16:05:12] <hnowlan>	 heads up arnoldokoth, cdanis: we're doing some migration work on sessionstore. We're following a successful pattern that was done for the other kask deployment but sessionstore is obviously pretty sensitive 
[16:05:18] <cdanis>	 ack!
[16:05:20] <hnowlan>	 I'll start by depooling codfw
[16:05:25] <cdanis>	 thanks hnowlan 
[16:05:37] <urandom>	 hnowlan: are we starting with codfw then?
[16:05:44] <urandom>	 we said eqiad in the ticket
[16:05:50] <hnowlan>	 oh, my bad 
[16:06:35] <urandom>	 eluke.y did anyway
[16:07:03] <hnowlan>	 they're roughly equivalent in terms of traffic level so it's much of a muchness but let's follow the ticket 
[16:07:35] <hnowlan>	 depooling eqiad
[16:07:52] <arnoldokoth>	 hnowlan: Thank you.
[16:10:05] <swfrench-wmf>	 FYI, https://grafana.wikimedia.org/goto/bn-RNjmHR?orgId=1 is what I have up for looking at mediawiki -> sessionstore latency measured at the downstream envoy
[16:10:48] <swfrench-wmf>	 (units are ms)
[16:11:10] <hnowlan>	 nice
[16:11:17] * swfrench-wmf wishes this could display as a semi-log plot
[16:11:33] <hnowlan>	 For badness I'm also watching https://grafana.wikimedia.org/goto/YAPVNCiHg?orgId=1 https://grafana.wikimedia.org/goto/-KZSHCmNR?orgId=1
[16:12:23] <swfrench-wmf>	 ah, good idea
[16:13:08] <hnowlan>	 if things start showing up in those it's definitive time to panic
[16:15:57] <hnowlan>	 alright, we're close to 0 on eqiad. I'll merge and apply there
[16:16:01] <urandom>	 wait!
[16:16:04] <urandom>	 did you wait?
[16:16:09] <urandom>	 hnowlan: wait?
[16:16:23] <hnowlan>	 yep 
[16:16:29] <hnowlan>	 urandom: sup? 
[16:16:30] <urandom>	 ok, we should baseline with siege first, no?
[16:16:36] <hnowlan>	 ah, go for it
[16:17:10] <urandom>	 ok, running
[16:19:44] <swfrench-wmf>	 hnowlan: when we get to that part, after you merge but before you run destroy, try a helmfile diff - I almost forgot to do this when migrating echostore, and it was only at that point that I uncovered the values layering surprises
[16:20:21] <urandom>	 I set `-t 5m` (5 minutes), at least for the first run.  The urls.txt is using generated keys/values, so it needs some warmup (probably not 5 minutes, but...)
[16:20:50] <hnowlan>	 swfrench-wmf: ack 
[16:21:44] <urandom>	 actually, I'm starting to wonder if 5m is enough, I expected the 404 rate to have fallen by now
[16:25:30] <hnowlan>	 take your time, things look reasonably stable 
[16:26:20] <urandom>	 I upped concurrency, and dropped the delay.  I want to see the 404s go away, so that we're apples-to-apples when comparing
[16:36:40] <urandom>	 hnowlan: Ok, I think we're good to go
[16:37:48] <hnowlan>	 alright, great
[16:41:12] <hnowlan>	 swfrench-wmf: the diff looks reasonable enough to me - do you want to check it out before I apply? 
[16:42:44] <swfrench-wmf>	 as long as it renders, it's probably fine :)
[16:42:48] <swfrench-wmf>	 happy to take a look, though
[16:42:51] <swfrench-wmf>	 (doing)
[16:44:19] <swfrench-wmf>	 that looks good!
[16:44:31] <hnowlan>	 cool :) 
[16:45:24] <hnowlan>	 alright, as expected the apply fails. doing the destroy
[16:46:44] <nemo-yiannis>	 hnowlan: Hey! Any objections to deploy this one: https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/1064013 
[16:47:11] <hnowlan>	 nemo-yiannis: might need to come back to me on this one, in the middle of something a bit scary
[16:47:25] <hnowlan>	 urandom: you should be good to go 
[16:48:09] <hnowlan>	 nemo-yiannis: it might need to wait until we're done here, sorry 
[16:48:28] <nemo-yiannis>	 ok, i will revisit it tomorrow early my day no worries
[16:50:35] <urandom>	 siege is running btw
[16:50:46] <urandom>	 I never did get the 404s to hit zero... which bugs me
[16:51:20] <urandom>	 because we definitely should have run through the entire urls file (multiple times)
[16:51:56] <urandom>	 to be clear, this wouldn't be related the work at hand
[16:52:36] <hnowlan>	 would hitting an invalid key consistently return 404s? 
[16:52:52] <urandom>	 seeing like 1/s now out of a total transaction rate of ~630/s
[16:53:26] <urandom>	 hrmm... maybe it's a result of the averaging
[16:55:05] <swfrench-wmf>	 from operations: `FIRING: SessionStoreOnNonDedicatedHost: Sessionstore k8s pods are running on non-dedicated hosts`
[16:55:10] <swfrench-wmf>	 looking
[16:55:59] <hnowlan>	 hum, I understand that error but not how to fix it 
[16:56:07] <hnowlan>	 have the taints gone away? 
[16:56:10] <urandom>	 same
[16:56:10] <claime>	 kill the pods, let them respawn on the right nodes
[16:56:23] <hnowlan>	 oh, that simple :D 
[16:56:33] <claime>	 if they don't, might be worth checking why
[16:56:52] <hnowlan>	 two of them are in the wrong place. I'll wait until the siege run is finished 
[16:56:56] <swfrench-wmf>	 ah, yes ... the best-effortness of scheduling
[16:57:19] <swfrench-wmf>	 (did confirm the node affinities are still there)
[16:57:23] <claime>	 swfrench-wmf: yeah, save from an actual separate cluster, there's no real way to *force* pods to be scheduled on a specific set of nodes
[16:57:44] <claime>	 It will try to comply with your request, but if it can't it'll just put the pods where it wants to
[16:57:54] <urandom>	 hnowlan, swfrench-wmf: so the latency histograms show a bit of regression
[16:58:03] <swfrench-wmf>	 claime: indeed, yeah
[16:58:21] <hnowlan>	 urandom: oh dear. How bad a regression? 
[16:58:36] <urandom>	 https://grafana-rw.wikimedia.org/d/000001590/sessionstore?orgId=1&viewPanel=50
[16:59:12] <swfrench-wmf>	 wait, that's measured _in_ kask ... how could that regress?
[16:59:20] <urandom>	 oh, right
[16:59:30] <urandom>	 oh... because of the deploy
[16:59:39] <urandom>	 yeah, kask is cold
[16:59:43] <urandom>	 nm
[16:59:48] <claime>	 A cold kask sounds good rn
[16:59:54] <hnowlan>	 :D
[16:59:59] <hnowlan>	 urandom: so we just do it again? 
[17:00:00] <urandom>	 https://phabricator.wikimedia.org/T363996
[17:00:28] <urandom>	 the before and after shows a difference too, but probably a cold kask there as well
[17:01:02] <urandom>	 https://phabricator.wikimedia.org/T363996#10251270 v. https://phabricator.wikimedia.org/T363996#10251366
[17:01:12] <hnowlan>	 that's less concerning, but is it worth trying now that it's warm? 
[17:01:28] <urandom>	 I mean, I could keep siege running for a bit
[17:01:40] <urandom>	 if you have the time, and want to watch it for a bit
[17:02:37] <hnowlan>	 I've got another hour or so
[17:02:45] <urandom>	 it's been running this whole time, and is improving fwiw
[17:02:46] <hnowlan>	 if the difference is that small I am willing to see what repooling does though
[17:02:58] <urandom>	 yeah, I think it's find
[17:03:02] <urandom>	 s/find/fine/
[17:03:43] <hnowlan>	 alright, I'm happy to repool unless there's other objections (swfrench-wmf?)
[17:03:50] <swfrench-wmf>	 looking at the histogram, it does seem like it's converging to pre-depool behavior (e.g., the >5ms bucket is now basically the same as before)
[17:03:56] <swfrench-wmf>	 no objections on my end!
[17:04:16] <hnowlan>	 lessgo 
[17:05:07] <hnowlan>	 ahh damnit, didn't fix those pods first
[17:06:01] <urandom>	 hnowlan, swfrench-wmf: are we doing codfw after, or letting eqiad marinate for a day?
[17:06:11] <urandom>	 (i vote for marinating)
[17:06:50] <hnowlan>	 I'm okay with marinating, but I will need to a change to undo the codfw-level mesh config
[17:06:53] <hnowlan>	 which is no biggie
[17:07:22] <hnowlan>	 is siege still running and if so should it be stopped as we're repooled
[17:07:31] <urandom>	 I'll kill it
[17:07:44] <hnowlan>	 thanks
[17:08:24] <swfrench-wmf>	 no objections to marinating, as it does give us a "quick" out of depooling (though if the concern is a latency regression, depooling is only a very temporary solution, as it adds 30ms+ to every call)
[17:12:56] <swfrench-wmf>	 to whatever degree I can trust this envoy metric, eqiad p50 latency is back to pre-depool values, and p95 is continuing to settle (not quite there yet)
[17:17:51] <hnowlan>	 login timings look reasonable also 
[17:32:42] <urandom>	 I'm ok if you both want to continue, I have pretty high confidence.  I just assumed that putting 12ish hours between the steps wouldn't change much, and would be even greater confidence
[17:33:08] <urandom>	 s/be/provide/
[17:35:08] <hnowlan>	 I'm in no rush at this hour my time
[17:53:35] <hnowlan>	 all done for now - a change is in place to keep codfw config the same and eqiad is using the mesh.