[09:20:57] <jynus>	 I belive cp hosts are overloading centrallog with:
[09:21:05] <jynus>	 Nov 22 09:19:55 cp3066 haproxykafka[1334378]: {"level":"error","TopicPartition":{"Topic":"webrequest_frontend_text","Partition":0,"Offset":588,"Metadata":null,"Error":{}},"error":"Broker: Topic authorization failed","time":"2024-11-22T09:19:55Z","message":"Failed to publish message"}
[09:21:32] <jynus>	 ^ does that ring a bell to someone?
[09:22:06] <jynus>	 we are going to run out of log space soon
[09:22:39] <jynus>	 effie: you were working on kafka?
[09:22:51] <jynus>	 or maybe this is traffic, sukhe ?
[09:23:26] <jynus>	 this started 17:40 yesterday
[09:26:53] <moritzm>	 looking at SAL timing-wise this matches very well with "adding acls to kafka-jumbo cluster (T380373)"
[09:26:54] <stashbot>	 T380373: Allow TLS authenticated client to write on new topics - https://phabricator.wikimedia.org/T380373
[09:26:58] <moritzm>	 ^ fabfur
[09:28:10] <effie>	 jynus: yes, but that was 2 days ago
[09:28:50] <jynus>	 sorry, I was just trying to get help from someone, according to moritzm may be I.F.
[09:59:45] <jynus>	 I am going to create an UBN task
[09:59:51] <fabfur>	 sorry ooo today, I'll look asap
[10:00:12] <jynus>	 moritzm: who can take care instead of fabfur?
[10:01:36] <jynus>	 I will start escalating to the managers
[10:04:01] <vgutierrez>	 I'll take care
[10:06:29] <jynus>	 vgutierrez: https://phabricator.wikimedia.org/T380570
[10:08:23] <jynus>	 the only urgent part is the logs, the rest can wait
[10:13:44] <fabfur>	 thank you jynus 
[10:14:21] <jynus>	 thanks to vgutierrez who is doing the work !
[10:15:20] <fabfur>	 sorry for all this 
[10:24:39] <vgutierrez>	 jynus: log flooding should've been stopped already
[10:24:49] <jynus>	 it did
[10:25:36] <jynus>	 to overcome the existing logs, how do you want to go about them: can I transfer them elsewere so you don't lose the valid events?
[10:25:52] <vgutierrez>	 the haproxykafka ones? please discard them
[10:26:27] <jynus>	 sadly all  the syslogs go to the same file
[10:26:44] <jynus>	 that is why I wanted to keep them rather than filtering them, which will take too much time
[10:27:07] <jynus>	 I guess technically they are on the local hosts
[10:27:30] <jynus>	 so can I remove the remote syslogs for the last 24 hours?
[10:27:41] <jynus>	 only the syslog, no the webrequets?
[10:27:58] <jynus>	 from centralauth, or do you want me to make a copy first?
[10:28:12] <vgutierrez>	 we got them too [sadly]
[10:28:16] <vgutierrez>	 -rw-r-----   1 root          adm              29G Nov 22 10:27 daemon.log
[10:28:16] <vgutierrez>	 -rw-r-----   1 root          adm              33G Nov 22 00:00 daemon.log.1
[10:28:21] <jynus>	 yeah
[10:28:42] <jynus>	 so is deletion acceptable?
[10:29:12] <jynus>	 and one can go to local ones if needed (?)
[10:31:49] <jynus>	 I am compressing and rotating while you give me some options, vgutierrez
[10:32:21] <vgutierrez>	 jynus: you can easily delete per host on centrallogs?
[10:32:36] <jynus>	 per host yes, it is separate by that, but not per service
[10:32:46] <vgutierrez>	 jynus: kill them with fire then
[10:33:10] <vgutierrez>	 we can keep them on the cp hosts if they are needed for some other reaons
[10:33:12] <vgutierrez>	 *reasons
[10:33:12] <jynus>	 for context: https://phabricator.wikimedia.org/P71117
[10:33:34] <jynus>	 thanks, will do, and only touch the centrallog ones
[10:33:45] <jynus>	 which was what causing the immediate issues
[10:34:15] <jynus>	 will update on ticket when done and leave it open in case you want to reporpurse for other work
[10:36:37] <jynus>	 (e.g. checking why it was erroring out, as it was probably not intended)
[13:44:24] <fabfur>	 jynus: back, sorry for all the mess today, let me know if I can help
[13:46:17] <jynus>	 nothing else from oncall perspective. I assigned https://phabricator.wikimedia.org/T380570 to you but coordinate with vgutierrez on next steps
[13:46:31] <fabfur>	 thanks
[13:46:48] <jynus>	 if it is being handled by your team at T380583
[13:46:49] <stashbot>	 T380583: Avoid logging errors per produced message - https://phabricator.wikimedia.org/T380583
[13:46:53] <jynus>	 you can resolve it
[13:47:03] <jynus>	 resolve my report, I mean
[14:34:24] <ihurbain>	 hi folks - I could do with a hand on a k8s deploy. we deployed push-notifications yesterday, and we want to revert that because logspam. i deployed the revert to staging without issue, but the deploy to codfw is timing out. i don't know the service and it's my third time trying to deploy... help? :/ 
[14:34:38] <ihurbain>	 https://www.irccloud.com/pastebin/3l6Gzx7J/
[14:35:33] <claime>	 ihurbain: I'll take a look
[14:35:50] <ihurbain>	 claime: thank you :))
[14:36:13] <ihurbain>	 (i still have a second deploy command running, in case that's relevant)
[14:36:38] <ihurbain>	 (i'm waiting for it to timeout, i don't know if i can kill it)
[14:37:06] <claime>	 let it run through
[14:37:41] <claime>	 3m53s       Warning   FailedCreatePodSandBox   pod/push-notifications-main-5954f99fcb-f22pj    (combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "93422201921138c255500204dccd63bbbdd8922b127e55fc0199ce3691b9fa3d": plugin type="calico" failed (add): failed to request IPv4 addresses: Assigned 0 out of 1 requested IPv4
[14:37:43] <claime>	 addresses; No more free affine blocks and strict affinity enabled
[14:37:51] <claime>	 we seem to have run out of ip wth
[14:38:00] <ihurbain>	 mmmmmmmmh
[14:38:08] <ihurbain>	 that's sad
[14:38:14] <dbrant>	 :(
[14:38:57] <ihurbain>	 (command has returned btw) (in the same way, unsurprisingly)
[14:42:16] <claime>	 i think jayme has dealt with something similar in the past
[14:42:51] <jayme>	 👀
[14:43:04] <jayme>	 ah...ETOOMANYNODES
[14:43:09] <claime>	 aaah
[14:43:21] <jayme>	 damn...I totally forgot that one. Ne need to stop adding nodes claime :)
[14:43:23] <claime>	 I can cordon all the parse nodes since they were refreshed
[14:43:41] <claime>	 that will take a minute but they're supposed to be decom'd anyways
[14:43:53] <jayme>	 that won't help
[14:44:02] <claime>	 they need to be removed completely?
[14:44:08] <jayme>	 we need to cordon every node that does not have a ippool assigned
[14:44:12] <jayme>	 or that, yes
[14:45:22] <jayme>	 or sync with Cathal on https://phabricator.wikimedia.org/T375845
[14:46:22] <claime>	 Maybe that's not a friday thing (actually fixing the blocks)
[14:46:28] <jayme>	 but that's a bit more complicated as it requires some helm chart patching as well I soppose
[14:46:34] <claime>	 yeah
[14:46:38] <jayme>	 yeah, it's not - you're right
[14:46:55] <claime>	 I'm gonna go ahead and start decommissioning the parse nodes
[14:47:42] <claime>	 Is there something to get the ipblocks reassigned or does calico do that automatically afterwards?
[14:48:10] <jayme>	 they get freed automatically when you delete the node objekt in k8s api
[14:48:19] <jayme>	 should we split them up or something?
[14:49:03] <claime>	 I'm starting the depool but yeah, take bottom 10, I'll take top, task is T380473
[14:49:05] <stashbot>	 T380473: Decommission parse20[01-20] - https://phabricator.wikimedia.org/T380473
[14:49:24] <jayme>	 claime: ack
[14:50:17] <claime>	 crap we should have cordoned the nodes with missing blocks first
[14:50:26] <claime>	 it'll try to schedule pods there
[14:53:04] <jayme>	 claime: I can try to figure that out first, if you're not already doing so
[14:54:49] <claime>	 I'm not
[14:55:08] <jayme>	 ok
[15:01:10] <jayme>	 claime: done
[15:01:16] <claime>	 <3
[15:01:26] <claime>	 I'm preparing the patch to remove the hosts from puppet
[15:01:47] <cdanis>	 do you need extra hands?
[15:02:10] <jayme>	 cdanis: this is the list of hosts I've cordoned/drained https://paste.debian.net/1336432/
[15:02:52] <jayme>	 cdanis: I think we're good - thanks 🤗
[15:03:11] <jayme>	 the list of hosts should have not pinged you, sorrt
[15:03:28] <cdanis>	 np!
[15:06:50] <claime>	 jayme: https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094466
[15:06:54] <jayme>	 looking
[15:07:10] <claime>	 (the depool cookbook is still running)
[15:09:18] <_joe_>	 One friday thing we could do is to add an alert on this, I guess
[15:09:19] <claime>	 jayme: iirc merging this and running puppet on masters should remove them from the k8s api right?
[15:09:44] <claime>	 or I can just kubectl delete node I guess
[15:09:57] <cdanis>	 _joe_: I was just looking around what we already have in grafana for calico trying to find something relevant
[15:10:06] <jayme>	 claime: the latter - but stop puppet and kubelet on all of them first
[15:12:19] <jayme>	 cdanis: I think I checked last time and could not find a proper signal - apart from https://alerts.wikimedia.org/?q=%40state%3Dactive&q=team%3Dsre&q=alertname%3DKubernetesAPILatency
[15:12:50] <jayme>	 because the metrics do not track block allocation...or not the available blocks. One of the values was missing IIRC
[15:14:21] <claime>	 jayme: nodes deleted
[15:14:38] <jayme>	 claime: ack, I'll double check and uncordon the new ones
[15:14:59] <claime>	 I'll restart the push-notifications deploy cc ihurbain 
[15:15:17] <ihurbain>	 thanks claime <3
[15:15:44] <ihurbain>	 (and thanks all for dealing with that!)
[15:16:27] <claime>	 that's what you get when you defer all you decom's to after you've put all the refreshes in production :(
[15:16:51] <claime>	 ok, it deployed fine in codfw ihurbain you can go ahead with eqiad if it wasn't done yet
[15:16:58] <ihurbain>	 thanks :)
[15:17:42] <cdanis>	 jayme: could we write our own exporter that watches the CRDs?
[15:17:58] <cdanis>	 it would be really nice to have a mechanism to never put a k8s cluster into this state
[15:18:22] <jayme>	 cdanis: I wanted to double check the next calico version if it has extended metrics...something is in the back of my head
[15:18:37] <cdanis>	 ah fair enough
[15:18:44] <cdanis>	 also gotta make sure it's in core ;)
[15:18:53] <jayme>	 🙈
[15:19:24] <claime>	 jayme: I'll start running decom cookbooks
[15:19:25] <cdanis>	 but fwiw, in the meanwhile ... I think it would be reasonable to hack up something quickly with kubectl and jq writing a node_exporter textfile
[15:19:41] <cdanis>	 (on the masters)
[15:20:07] <jayme>	 maybe kube-state-metrics has a custom query thing as well...
[15:21:19] <cdanis>	 hm, not obviously
[15:22:41] <jayme>	 actually the correct way to deal with this (IMHO) is something like the node-problem-detector - marking the node as notready in case it has no ipblock assigned
[15:25:22] <claime>	 oh the decom cookbook takes a list of hosts
[15:25:31] <cdanis>	 btw: if it is for handy for impact estimation: I snagged the output of `kubectl get events -A -o json | jq -c '.items[]' | grep calico` in deploy2002:/home/cdanis/codfw-calico-events.2024-11-24.jsonl
[15:26:09] <cdanis>	 that is one signal that exists, at least
[15:26:11] <claime>	 jayme: I'll run the cookbook for all remaining parse nodes in one go, don't worry about taking the bottom 10
[15:26:16] <claime>	 might as well do it all at once
[15:26:39] <jayme>	 claime: ok. I'm trying to find out why the blocks are not re-assigned then :-|
[15:26:46] <claime>	 :/
[15:36:34] <cdanis>	 jayme: when you have a minute can you post your recipe for finding nodes without ipblocks?
[15:38:13] <jayme>	 cdanis: I just compared kubectl get ipamblocks.crd.projectcalico.org with the list of nodes
[15:40:25] <jayme>	 cdanis: blockaffinities.crd.projectcalico.org sorry
[15:40:30] <cdanis>	 aha thank you
[15:40:35] <cdanis>	 I hadn't found that one yet
[15:41:08] <jayme>	 https://wikitech.wikimedia.org/wiki/Calico#IPAM :p
[15:48:37] <jayme>	 cdanis: but there is a better way
[15:49:15] <cdanis>	 👀
[15:50:05] <jayme>	 the ipamblocks.crd.projectcalico.org objects have a spec.affinity field which references the node
[15:50:21] <jayme>	 maybe that's more fancy
[15:50:40] <jayme>	 but I could not find a reference from node to block || affinity
[15:52:32] <jayme>	 ip blocks have been re-assigned now and I did uncordon the nodes
[15:52:38] <jayme>	 claime: ^
[15:53:07] <claime>	 jayme: did you have to force something, or it was just a matter of waiting for a bit?
[15:53:11] <jayme>	 It was just me being impatient I suppose...it takes a while for the auto cleanup to happen
[15:53:15] <claime>	 hehe
[15:53:29] <jayme>	 yeah...I tried to force it for a block and that broke assignment
[15:54:05] <jayme>	 because deleting the blockaffinity object is not enough - one has to delete that and the block object as well
[15:54:45] <jayme>	 or calico-kube-controller will go into a retry spiral because there's a reference to the nonexisting node still in the ipamblock
[15:57:57] <claime>	 >:[
[16:00:36] <cdanis>	 lol
[16:47:37] <cdanis>	 https://logstash.wikimedia.org/goto/c6b669ae3bc3a1c015ec6df6a2d62be4 lol what's going on with calico on mw2359
[16:56:24] <cdanis>	 jayme: I found a better way
[17:08:57] <jayme>	 cdanis: 👀
[17:10:10] <jayme>	 I think mw2359 is because there's the active typha instance running
[17:13:29] <jayme>	 ah https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094489 , hehe
[17:13:31] <jayme>	 clever
[17:15:22] <cdanis>	 I ran PCC on https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094490 on top of that, and it does indeed fail: https://puppet-compiler.wmflabs.org/output/1094490/5001/wikikube-ctrl2003.codfw.wmnet/index.html
[17:16:19] <jayme>	 downside is that we don't regularly run PCC for changes like adding N new nodes :/
[17:16:39] <jayme>	 but that's on us I suppose
[17:16:47] <cdanis>	 jayme: well, it will still make puppet fail on the master, ahaha
[17:16:56] <jayme>	 ah, yes. lol
[17:17:10] <jayme>	 but...we could also just alert based on # of nodes
[17:17:11] <cdanis>	 there is also *probably* a way to make CI check this
[17:18:29] <cdanis>	 jhathaway: do you know offhand of any easy ways to validate some hiera keys against Puppet types?
[17:18:33] <jayme>	 because adding them does no harm initially as they are cordoned when they join. uncordoning them is what we should not do then
[17:18:58] <cdanis>	 sure, that also seems good for now
[17:19:30] <jhathaway>	 cdanis: i.e. validatating them before compiling?
[17:19:50] <cdanis>	 yeah
[17:20:16] <jhathaway>	 unfortunately not, I cooked up some prototypes with json schema, but never finished the work
[17:20:21] <jhathaway>	 it is an unfortunate gap
[17:21:12] <cdanis>	 how hard is it to kludge up for one key and one type definition 😅
[17:21:31] <jhathaway>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/979469
[17:21:53] <cdanis>	 neat
[17:21:55] <cdanis>	 ty
[17:22:41] <jhathaway>	 longer discussion here about tradeoffs, https://phabricator.wikimedia.org/T352604
[17:23:39] <jhathaway>	 in conjunction with redhats yaml lsp it was pretty nifty
[17:28:59] <cdanis>	 jayme: I don't think it's necessarily true that it's the uncordon'ing that is the triggering step -- as soon as the nodes exist in the cluster, they'll be trying to run daemonsets, meaning they'll be trying to allocate pod IPs
[17:29:50] <cdanis>	 and then all you need is for another not-cordoned node to reboot or something
[17:58:15] <cdanis>	 okay, https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094489 updated (thanks jhathaway!) and now such a patch would fail CI: https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094490
[17:58:39] <cdanis>	 https://i.imgur.com/Ez1KPXP.png
[17:59:39] <jhathaway>	 nice!
[18:07:14] <kamila_>	  \o/
[20:04:45] <urandom>	 "WME is planning to do a full ingestion of commons metadata starting mid next week..."  <-- not fan of the timing there 😳
[20:06:19] <sukhe>	 yeah. thankfully it's just HEAD for the actual files
[20:06:49] <urandom>	 sukhe: what could go wrong?
[20:07:25] * sukhe asks Murphy
[20:54:06] <inflatador>	 Small patch to fix PCC messages if y'all have time to look https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094530
[20:55:41] <inflatador>	 oops, comment is in the wrong place. Fixing...
[20:58:47] <inflatador>	 nm, got a review
[21:45:21] <inflatador>	 is anyone available to help me w/the conftool alert https://alerts.wikimedia.org/?q=alertname%3DConfdResourceFailed&q=name%3D_srv_config-master_pybal_codfw_wdqs-internal-scholarly.toml ? Alert happened after merging this patch: https://gerrit.wikimedia.org/r/c/operations/puppet/+/1088383 . 
[21:49:10] <inflatador>	 from what I can tell, `/srv/config-master/pools.json` on config-master2001 looks correct, but I can still see `ERROR 100: Key not found (/conftool/v1/pools/eqiad/wdqs-internal-main` in `/var/log/confd.log`
[21:53:14] <sukhe>	 let's see
[21:54:48] <inflatador>	 sukhe ACK, thanks and sorry to burden you with this on a Friday afternoon ;(
[21:55:02] <sukhe>	 the key certainly doesn't exist yeah
[21:57:27] <sukhe>	 inflatador: when you merged this on puppetserver, did you notice something in the output?
[21:57:31] <inflatador>	 Damn. Is that because the LVS service is still in `service_setup` ? 
[21:58:08] <sukhe>	 have you merged other patches as well? other than this
[21:59:32] <inflatador>	 sukhe Y to both. Here is the output from puppet-merge https://phabricator.wikimedia.org/P71118
[21:59:52] <inflatador>	 we can back out of that patch
[22:00:22] <inflatador>	 the only reason I merged it is because our earlier patch to add roles was causing PCC failures (for everyone)
[22:00:25] <swfrench-wmf>	 so, is this not in eqiad?
[22:00:43] <sukhe>	 codfw
[22:01:02] <swfrench-wmf>	 right, so what I mean is that the conftool-data/node entries are only present in codfw?
[22:01:18] <sukhe>	 I see what you mean
[22:01:25] <swfrench-wmf>	 i.e., https://gerrit.wikimedia.org/r/c/operations/puppet/+/1088383
[22:01:28] <sukhe>	 so far, it seems it was only added to codfw
[22:01:32] <sukhe>	 inflatador: ^
[22:01:32] <inflatador>	 swfrench-wmf correct, although the codfw templates are failing as well
[22:01:45] <inflatador>	 https://grafana.wikimedia.org/goto/kCbxEpnHg?orgId=1
[22:02:39] <inflatador>	 I can remove the eqiad key if you think it would help...but since we were getting CODFW failures as well I didn't think it would help on its own
[22:05:01] <sukhe>	 ah
[22:05:13] <sukhe>	 so
[22:05:39] <sukhe>	 what's the name of the service?
[22:05:51] <sukhe>	 in conftool, you say:
[22:05:51] <sukhe>	 wdqs-internal-main: [eqiad, codfw]
[22:05:52] <sukhe>	 wdqs-internal-scholarly: [eqiad, codfw]
[22:06:04] <sukhe>	 in the node data though,
[22:06:11] <sukhe>	   wdqs-internal-main:
[22:06:11] <sukhe>	     wdqs2018.codfw.wmnet: [wdqs-main]
[22:06:11] <sukhe>	     wdqs2019.codfw.wmnet: [wdqs-main]
[22:06:11] <sukhe>	     wdqs2020.codfw.wmnet: [wdqs-main]
[22:06:11] <sukhe>	   wdqs-internal-scholarly:
[22:06:14] <sukhe>	     wdqs2026.codfw.wmnet: [wdqs-scholarly]
[22:06:16] <sukhe>	     wdqs2027.codfw.wmnet: [wdqs-scholarly]
[22:07:20] <inflatador>	 sukhe good catch, sounds like we need to fix the node data then, and also remove eqiad from conftool-data/discovery/services.yaml ?
[22:08:16] <sukhe>	 inflatador: I think so but to clarify what I mean further: 
[22:08:29] <sukhe>	 if the name of the services are wdqs-internal-main and wdqs-internal-scholarly
[22:08:44] <sukhe>	 then that goes in the service.yaml file, which is correct
[22:08:54] <sukhe>	 what doesn't seem to be correct though is the etcd data
[22:09:05] <sukhe>	 this then results in the incorrect key error you are seeing
[22:09:23] <sukhe>	 so unless I am mistaken, what the above should be for example
[22:09:24] <sukhe>	 +  wdqs-internal-scholarly:
[22:09:24] <sukhe>	 +    wdqs2026.codfw.wmnet: [wdqs-scholarly]
[22:09:24] <sukhe>	 +    wdqs2027.codfw.wmnet: [wdqs-scholarly]
[22:10:11] <sukhe>	 this I thing is not correct, unless you actually wanted wdqs-scholarly lhere
[22:10:14] <sukhe>	 *think
[22:10:28] <inflatador>	 ACK, I think I understand. Writing a patch now
[22:11:13] * inflatador wonders if running PCC against config-master would've caught this
[22:11:17] <sukhe>	 tricky, not sure
[22:11:28] <sukhe>	 the etcd key layout part is distinct from PCC 
[22:13:05] <swfrench-wmf>	 so, there are kind of two issues going on at the moment leading to the confd errors
[22:13:35] <swfrench-wmf>	 one is the mismatch between the lvs.conftool section of the service catalog entries vs. what's in conftool-data
[22:13:51] <swfrench-wmf>	 the second part is that no conftool-data objects exist at all for eqiad
[22:14:16] <inflatador>	 ACK. I **think** I address both in https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094536 , but LMK what you think
[22:15:06] <inflatador>	 and yeah, as sukhe suspected, PCC doesn't catch this type of error
[22:15:37] <sukhe>	 inflatador: try this, I think we should be OK, because now the service name matches
[22:15:43] <sukhe>	 unless swfrench-wmf disagrees
[22:15:52] <swfrench-wmf>	 so, just backing up a sec - what are you trying to achieve here? are these services supposed to exist only in codfw?
[22:17:18] <sukhe>	 if we look at the service definition, then no
[22:17:31] <inflatador>	 swfrench-wmf we are deploying a net-new service, which does only exist in CODFW. I merged a patch this morning which was supposed to just add the new service's puppet role
[22:17:52] <sukhe>	 inflatador: also, if these two patches had just been merged by themselves, then we probably won't be seeing this error now. but since the service definition bit was also merged, this is where the error came from
[22:18:05] <inflatador>	 But it activated some config that caused all PCC runs to fail (not just ours)
[22:18:09] <sukhe>	 and hence that's why you see pybal complaining 
[22:18:18] <sukhe>	 well, not pybal itself to be clear but the confd pybal error
[22:18:40] <sukhe>	 inflatador: if you mean: Could not find service wdqs-internal-main in service::catalog"
[22:19:13] <inflatador>	 sukhe confirmed
[22:19:23] <sukhe>	 yeah it's quite the mess tbh
[22:19:48] <inflatador>	 yeah, sorry...I did not intend to do anything but merge some role-related stuff today
[22:20:21] <inflatador>	 OK, merging the new patch now, let's see if it helps
[22:20:28] <swfrench-wmf>	 alright, I revise my statement from before - there seem to be two things wrong:
[22:20:28] <swfrench-wmf>	 1. the service-catalog entries contain listing for eqiad when they should not (this replaces "there are no conftool-data entries now")
[22:20:28] <swfrench-wmf>	 2. the service-catalog entries have lvs.conftool sections that do not match conftool-data/node
[22:21:05] <sukhe>	 the puppet failures you were getting
[22:21:09] <sukhe>	 are related to this bit:
[22:21:09] <sukhe>	 profile::lvs::realserver::pools:
[22:21:09] <sukhe>	   wdqs-internal-main:
[22:21:09] <sukhe>	     services:
[22:21:09] <sukhe>	       - wdqs-blazegraph
[22:21:12] <sukhe>	       - nginx
[22:21:26] <sukhe>	 this happens later in the process and hence the problem
[22:21:52] <inflatador>	 ryankemper ^^ I think this was the stuff we were talking about commenting out yesterday?
[22:22:44] <inflatador>	 OK, I merged the latest patch and I'm dumping the pools on config-master now
[22:23:30] <swfrench-wmf>	 so, you are going to find that that patch does not fix the confd issues
[22:23:43] <swfrench-wmf>	 in order to do that, see above
[22:24:19] <inflatador>	 swfrench-wmf ACK, will get to work on that now
[22:25:45] <sukhe>	 so now at least, you still need to do what swfrench says but at least in codfw:
[22:26:08] <ryankemper>	 inflatador: oof yes
[22:26:08] <sukhe>	 sukhe@cumin2002:~$ etcdctl -C https://conf1007.eqiad.wmnet:4001 ls /conftool/v1/pools/codfw/wdqs-internal-main/
[22:26:11] <sukhe>	 /conftool/v1/pools/codfw/wdqs-internal-main/wdqs-main
[22:26:13] <sukhe>	 /conftool/v1/pools/codfw/wdqs-internal-main/wdqs-internal-main
[22:26:31] <sukhe>	 folks don't get me wrong please but please follow the order as it is in the future, it will save you a lot of pain :)
[22:26:36] <ryankemper>	 my bad on that one didn’t think the hiera would have effect without a profile included to use it
[22:27:33] <ryankemper>	 FWIW i would vote to just roll back rather than forward here and do it properly come monday
[22:27:53] <sukhe>	 yes
[22:28:01] <sukhe>	 but you will have to ensure that the roll back is also clean in this case
[22:28:28] <sukhe>	 and to be honest, I am a bit split on what is fully wrong but yeah, that's where the order bit comes in
[22:28:46] <inflatador>	 sukhe yeah, it was bad judgment on my part. I saw that profile stuff causing problems on Thursday and fixed it, but we had a regression yesterday that was not immediately apparent
[22:29:15] <sukhe>	 inflatador: so now at least what swfrench-wmf is saying and swfrench-wmf correct me if I am wrong
[22:29:17] <sukhe>	 +wdqs-internal-main: [eqiad, codfw]
[22:29:20] <sukhe>	 +wdqs-internal-scholarly: [eqiad, codfw]
[22:29:23] <sukhe>	 add this to discovery/services.yaml
[22:29:34] <sukhe>	 including the relevant entries in conftool-data/node/eqiad.yaml
[22:29:42] <sukhe>	 or simply revert the patch and see if everything clears up and start on Monday
[22:29:46] <sukhe>	 that is probably the best idea IMO
[22:31:11] <swfrench-wmf>	 sukhe: I think it's the opposite, in that the service will only exist in codfw, so they do not need to add conftool-data/node/eqiad.yaml entries. but yeah, +1 to just reverting the service::catalog patch and trying again next week with a fixed version
[22:31:18] <inflatador>	 OK, https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094539 is up and that should fix the conftool alerts 
[22:31:40] <swfrench-wmf>	 inflatador: thanks! looking
[22:31:48] <inflatador>	 otherwise I think we will have to revert 3 patch
[22:32:03] <sukhe>	 the service catalog specifies eqiad though
[22:32:18] <sukhe>	 ok, so I see above that it should only exist in codfw, ok, so yeah that needs to be fixed as well
[22:33:11] <inflatador>	 sukhe understood, fixing that now
[22:33:40] <swfrench-wmf>	 inflatador: https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094539 seems like a good thing to do, yeah. I don't _think_ it'll fix the confd alerts on configmaster, though.
[22:34:47] <inflatador>	 swfrench-wmf just pushed an update that also removes references to eqiad from hieradata/common/service.yaml as sukhe suggested. Let me know if this is OK. Otherwise I'll start the rollback process
[22:36:10] <inflatador>	 sukhe I will defer to you 100% on this, if you are more comfortable with us rolling back I am happy to do so
[22:36:28] <sukhe>	 inflatador: hard to say honestly, it's a bit messy and yeah, I am not convinced this will fix all errors
[22:36:32] <swfrench-wmf>	 inflatador: one more thing you'll need to fix if you're going to get it all. lvs.conftool.service is wrong
[22:37:02] <swfrench-wmf>	 you need to make them match what you changed in https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094536
[22:37:18] <swfrench-wmf>	 (i.e., it looks like cluster == service in confiool-data/node)
[22:38:01] <inflatador>	 ACK, fixing
[22:38:02] <sukhe>	 inflatador: I would very much vote for a rollback of all patches at this point and given the time
[22:38:27] <sukhe>	 and then on Monday, follow the order exactly as in https://wikitech.wikimedia.org/wiki/LVS#Add_a_new_load_balanced_service
[22:38:30] <sukhe>	 including merging any patch
[22:38:35] <sukhe>	 you can prepare the patches but don't merge this
[22:40:10] <sukhe>	 simply rollback in the order you merged them and ensure that the alerts clear yup
[22:40:13] <sukhe>	 *up
[22:40:53] <sukhe>	 sorry I have to go and prepare dinner now. but just revert at this stage and things should clear up.
[22:41:07] <inflatador>	 ^^ following rollback as recommended by sukhe . Sorry to bother everyone on Friday afternoon
[22:41:17] <sukhe>	 and in case the confd alerts don't, defer to swfrench-wmf if he is around but IMO don't delete any key in etcd at all, obviously. let it be there
[22:41:21] <sukhe>	 good luck guys
[22:41:32] <swfrench-wmf>	 have a good evening, sukhe
[22:41:49] <swfrench-wmf>	 +1 to rolling back to the last known good state :)
[22:47:04] <swfrench-wmf>	 inflatador: ping me when you have your stack of reverts if you'd like review on them
[22:48:36] <inflatador>	 swfrench-wmf I'm gonna go ahead and roll back, I will definitely need your help confirming that things look good from etcd when I'm finished
[22:49:34] <swfrench-wmf>	 sound good, I'll be around. thanks for going the rollback route, even if it's a bit of a hassle given the number of layers!
[23:02:24] <inflatador>	 swfrench-wmf OK, I **believe** we should be back to good data with the merging of https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094550 , but I'm still seeing confd errors on config-master2001 . Let me know if I missed something, I'm still checking Puppet as well
[23:02:47] <swfrench-wmf>	 inflatador: ack, looking
[23:03:39] <inflatador>	 swfrench-wmf hmm, I take that back. Will still need to remove the realserver stuff from the profiles, 1 sec
[23:04:29] <ryankemper>	 inflatador: I will be back in 20’ to help out w any final cleanup
[23:05:28] <swfrench-wmf>	 inflatafor: so, the confd errors on config-master hosts should be good now that puppet has run (I see no errors in the journal since 23:01)
[23:05:36] <swfrench-wmf>	 inflatador: heh, typing ^
[23:06:37] <swfrench-wmf>	 1001 probably just needs a puppet-agent run (2001 is fine now)
[23:07:46] <swfrench-wmf>	 aaaand 1001 is fine now post-puppet
[23:07:48] <inflatador>	 ACK, we have one more thing to revert, as the realserver profile stuff is breaking PCC for everyone
[23:07:56] <swfrench-wmf>	 yes plz :)
[23:11:22] <inflatador>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094554 does not want to rebase due to https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094468 , working on it
[23:13:27] <swfrench-wmf>	 inflatador: if it's a hassle to resolve the conflicts, I think it should be fine to just leave that as-is and roll forward your change to comment out the profile::lvs::realserver::pools that are causing PCC problems
[23:15:10] <inflatador>	 swfrench-wmf ACK, I think that's faster. Small change to that patch...
[23:18:55] <swfrench-wmf>	 as long as a roll-forward of the patch to comment out the realserver pools has a clean PCC run, then (if I understand the sequence of events and the rationale for the stub service catalog entry correctly) I think that puts us in a good state to pause
[23:19:42] <inflatador>	 I agree, running PCC against https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094539 now 
[23:21:19] <swfrench-wmf>	 just to confirm, that has a stale base, right? (i.e., the service catalog entries are already gone?)
[23:21:37] <swfrench-wmf>	 (ah, yeah, confirmed those are already gone at head - just got confused by the diff)
[23:22:09] <inflatador>	 Y, we rolled that back
[23:22:24] <inflatador>	 hmm, that shouldn't be in the patch then
[23:23:09] <inflatador>	 oh yeah, exactly what you said ;P
[23:23:29] <inflatador>	 rebased
[23:35:14] <swfrench-wmf>	 inflatador: so, I'm seeing a lot of puppet failures complaining about the removal of wdqs-internal-main from the service catalog - were these added to envoy?
[23:35:48] <inflatador>	 swfrench-wmf good catch, that patch needs to be reverted as well
[23:36:19] <swfrench-wmf>	 got it, yeah I see those are from If3a8709717ede52f282f2b9f9a7b3d35246dc8ff
[23:37:44] <swfrench-wmf>	 thanks!
[23:38:20] <inflatador>	 ACK, reverting back 
[23:39:47] <inflatador>	 OK, merged/puppet-merged https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094570
[23:40:57] <swfrench-wmf>	 awesome, and indeed PCC looks happy on https://gerrit.wikimedia.org/r/c/operations/puppet/+/1094539
[23:43:00] <inflatador>	 thanks for the +1, I just merged/puppet-merged
[23:43:03] <swfrench-wmf>	 aaand puppet-reported failed node count is going doing
[23:43:13] <swfrench-wmf>	 *down
[23:43:27] * swfrench-wmf cannot words terribly well today
[23:44:13] <inflatador>	 It **is** Friday. Thanks for hanging with me
[23:44:58] <inflatador>	 I think we are in a good state now, but LMK if I need to check anything else
[23:47:20] <swfrench-wmf>	 I mean, if puppet's happier (both live and PCC) and the alerts have cleared (seems like they have), then I think we're good as far as I can tell :)
[23:47:29] <swfrench-wmf>	 thanks for wrangling this back into a good state
[23:48:21] <inflatador>	 It's the least I could do. And next time I try to roll forward on a Friday...OK, no. There will NOT be a next time
[23:56:53] <inflatador>	 Thanks again all, have a wonderful weekend
[23:57:26] <swfrench-wmf>	 have a good weekend as well!