[09:45:29] <wikibugs>	 10Traffic: Provide a TCP MSS clamping mechanism for real servers - https://phabricator.wikimedia.org/T350462 (10CodeReviewBot) vgutierrez merged https://gitlab.wikimedia.org/vgutierrez/tcp-mss-clamper/-/merge_requests/1  Provide basic functionality
[09:45:59] <vgutierrez>	 fabfur: ^^ at least CodeReviewBot updates the phab task
[09:58:05] <wikibugs>	 10Traffic, 10SRE: Enable IPIP encapsulation for ncredir - https://phabricator.wikimedia.org/T351069 (10Vgutierrez)
[09:58:51] <wikibugs>	 10Traffic, 10SRE: Enable IPIP encapsulation for ncredir - https://phabricator.wikimedia.org/T351069 (10Vgutierrez) p:05Triage→03Medium
[10:38:41] <wikibugs>	 10Traffic, 10MW-on-K8s, 10SRE, 10serviceops, and 2 others: Migrate mobileapps to k8s - https://phabricator.wikimedia.org/T350846 (10Joe) p:05Triage→03High
[11:02:45] <jinxer-wm>	 (VarnishHighThreadCount) firing: (8) Varnish's thread count on cp5017:0 is high - https://wikitech.wikimedia.org/wiki/Varnish  - https://alerts.wikimedia.org/?q=alertname%3DVarnishHighThreadCount
[11:03:42] <wikibugs>	 10Traffic, 10GitLab (Project Migration), 10Patch-For-Review: Migrate Traffic repositories from Gerrit to Gitlab - https://phabricator.wikimedia.org/T347623 (10hashar)
[11:07:45] <jinxer-wm>	 (VarnishHighThreadCount) firing: (11) Varnish's thread count on cp5017:0 is high - https://wikitech.wikimedia.org/wiki/Varnish  - https://alerts.wikimedia.org/?q=alertname%3DVarnishHighThreadCount
[11:12:45] <jinxer-wm>	 (VarnishHighThreadCount) firing: (12) Varnish's thread count on cp5017:0 is high - https://wikitech.wikimedia.org/wiki/Varnish  - https://alerts.wikimedia.org/?q=alertname%3DVarnishHighThreadCount
[11:16:19] <wikibugs>	 10Traffic, 10GitLab (Project Migration), 10Patch-For-Review: Migrate Traffic repositories from Gerrit to Gitlab - https://phabricator.wikimedia.org/T347623 (10hashar)
[11:17:45] <jinxer-wm>	 (VarnishHighThreadCount) firing: (14) Varnish's thread count on cp5017:0 is high - https://wikitech.wikimedia.org/wiki/Varnish  - https://alerts.wikimedia.org/?q=alertname%3DVarnishHighThreadCount
[11:22:45] <jinxer-wm>	 (VarnishHighThreadCount) firing: (14) Varnish's thread count on cp5017:0 is high - https://wikitech.wikimedia.org/wiki/Varnish  - https://alerts.wikimedia.org/?q=alertname%3DVarnishHighThreadCount
[11:27:46] <jinxer-wm>	 (VarnishHighThreadCount) firing: (11) Varnish's thread count on cp5017:0 is high - https://wikitech.wikimedia.org/wiki/Varnish  - https://alerts.wikimedia.org/?q=alertname%3DVarnishHighThreadCount
[11:32:45] <jinxer-wm>	 (VarnishHighThreadCount) firing: (10) Varnish's thread count on cp5017:0 is high - https://wikitech.wikimedia.org/wiki/Varnish  - https://alerts.wikimedia.org/?q=alertname%3DVarnishHighThreadCount
[11:37:45] <jinxer-wm>	 (VarnishHighThreadCount) resolved: (8) Varnish's thread count on cp5017:0 is high - https://wikitech.wikimedia.org/wiki/Varnish  - https://alerts.wikimedia.org/?q=alertname%3DVarnishHighThreadCount
[12:18:41] <wikibugs>	 10Traffic, 10MW-on-K8s, 10SRE, 10serviceops, and 2 others: Migrate mobileapps to k8s - https://phabricator.wikimedia.org/T350846 (10Joe) I decided we should move about 10% of the mobileapps traffic at a time; that means about 300 rps, which I think we should be able to serve moving over about 2-3 api serve...
[12:32:58] <wikibugs>	 10netops, 10Infrastructure-Foundations, 10SRE, 10ops-codfw: Connect two hosts in codfw row A/B for switch migration testing - https://phabricator.wikimedia.org/T345803 (10ops-monitoring-bot) Cookbook cookbooks.sre.hosts.reimage was started by cmooney@cumin1001 for host sretest2004.codfw.wmnet with OS bullseye
[12:42:44] <wikibugs>	 10netops, 10Infrastructure-Foundations, 10SRE, 10ops-codfw: Connect two hosts in codfw row A/B for switch migration testing - https://phabricator.wikimedia.org/T345803 (10ops-monitoring-bot) Cookbook cookbooks.sre.hosts.reimage started by cmooney@cumin1001 for host sretest2004.codfw.wmnet with OS bullseye...
[12:43:27] <wikibugs>	 10netops, 10Infrastructure-Foundations, 10SRE, 10ops-codfw: Connect two hosts in codfw row A/B for switch migration testing - https://phabricator.wikimedia.org/T345803 (10ops-monitoring-bot) Cookbook cookbooks.sre.hosts.reimage was started by cmooney@cumin1001 for host sretest2003.codfw.wmnet with OS bullseye
[13:31:40] <wikibugs>	 10netops, 10Infrastructure-Foundations, 10sre-alert-triage: Alert in need of triage: BGP status (instance cr2-eqdfw) - https://phabricator.wikimedia.org/T351083 (10LSobanski)
[13:32:31] <wikibugs>	 10Traffic, 10sre-alert-triage: Alert in need of triage: PuppetConstantChange (instance pybal-test2003:9100) - https://phabricator.wikimedia.org/T351084 (10LSobanski)
[13:53:56] <wikibugs>	 10netops, 10Infrastructure-Foundations, 10SRE, 10ops-codfw: Connect two hosts in codfw row A/B for switch migration testing - https://phabricator.wikimedia.org/T345803 (10ops-monitoring-bot) Cookbook cookbooks.sre.hosts.reimage started by cmooney@cumin1001 for host sretest2003.codfw.wmnet with OS bullseye...
[14:26:16] <hnowlan>	 hello! I'd like to restore traffic flows to the editor-analytics services, developers have since patched the issues that caused us to roll back. Given that this was successfully in place before I don't think we need a slow rollout. https://gerrit.wikimedia.org/r/c/operations/puppet/+/973758 
[14:26:54] <fabfur>	 hi hnowlan I can check it
[14:27:54] <hnowlan>	 thanks! 
[14:29:49] <fabfur>	 hnowlan: that was already tested, correct?
[14:30:52] <hnowlan>	 yes, the service was responding correctly for (most) requests after 
[14:31:00] <fabfur>	 ok
[14:31:05] <hnowlan>	 just some logic errors in the service made us roll back
[14:31:07] <fabfur>	 than I think should be ok
[14:31:30] <hnowlan>	 great, thank you! 
[14:31:39] <fabfur>	 yw!
[15:17:29] <wikibugs>	 10Traffic, 10DC-Ops, 10SRE, 10ops-eqiad: Q1:Install cp11[00-15] and rotate into production - https://phabricator.wikimedia.org/T349244 (10Fabfur)
[15:19:42] <wikibugs>	 10Traffic, 10DC-Ops, 10SRE, 10ops-eqiad: Q1:Install cp11[00-15] and rotate into production - https://phabricator.wikimedia.org/T349244 (10Fabfur)
[15:20:34] <wikibugs>	 10Traffic, 10Patch-For-Review: Upgrade Traffic hosts to bookworm - https://phabricator.wikimedia.org/T342154 (10ssingh)
[15:20:47] <wikibugs>	 10Traffic, 10Patch-For-Review: Upgrade Traffic hosts to bookworm - https://phabricator.wikimedia.org/T342154 (10ssingh)
[15:55:50] <wikibugs>	 10Traffic, 10Infrastructure-Foundations, 10Puppet-Core, 10SRE, and 3 others: Deprecate `base::service_unit` in puppet - https://phabricator.wikimedia.org/T194724 (10MoritzMuehlenhoff)
[16:15:34] <wikibugs>	 10Traffic, 10Infrastructure-Foundations, 10Puppet-Infrastructure, 10SRE, and 2 others: find solution for acmechief in puppet7 - https://phabricator.wikimedia.org/T349915 (10jbond) 05In progress→03Resolved a:03jbond This is in place now use hiera key during migration
[16:48:56] <wikibugs>	 10Traffic, 10Patch-For-Review: Alert in need of triage: PuppetConstantChange (instance pybal-test2003:9100) - https://phabricator.wikimedia.org/T351084 (10BCornwall) 05Open→03Resolved a:03BCornwall
[17:17:42] <wikibugs>	 10Traffic, 10GitLab (Project Migration), 10Patch-For-Review: Migrate Traffic repositories from Gerrit to Gitlab - https://phabricator.wikimedia.org/T347623 (10BCornwall) >>! In T347623#9322202, @LSobanski wrote: > @BCornwall For operations/software/varnish, looks like it should just be archived and not migra...
[17:42:58] <wikibugs>	 10Traffic, 10MW-on-K8s, 10SRE, 10serviceops, 10Release-Engineering-Team (Seen): Serve production traffic via Kubernetes - https://phabricator.wikimedia.org/T290536 (10Krinkle)
[18:17:07] <wikibugs>	 10Acme-chief, 10Traffic, 10SRE: acme-chief should support debian bookworm - https://phabricator.wikimedia.org/T344330 (10BCornwall) 05In progress→03Resolved
[18:17:12] <wikibugs>	 10Traffic, 10Patch-For-Review: Upgrade Traffic hosts to bookworm - https://phabricator.wikimedia.org/T342154 (10BCornwall)
[20:49:54] <wikibugs>	 10Traffic: Move analytics log from Varnish to HAProxy - https://phabricator.wikimedia.org/T351117 (10Fabfur)
[21:14:16] <brett>	 sukhe: Do you have any experience with rolling out the unified cp stuff? Trying to get traffic-cache-bookworm up and running in horizon
[21:15:29] <brett>	 Currently diffing prod and cloud hieradata but it's quite tedious
[21:23:29] <sukhe>	 brett: yeah we should have similar commits in the history
[21:23:32] <sukhe>	 I remember doing it once
[21:24:09] <brett>	 realized I misnamed the instance so I'm starting over again with better names :)
[21:24:41] <sukhe>	 traffic-cache should work fine though? that's the prefix?
[21:24:53] <sukhe>	 basically: These puppet settings will affect all VMs in the traffic project whose names begin with 'traffic-cache'. 
[21:24:58] <brett>	 yeah but we need a separate text and upload, yeah?
[21:25:11] <sukhe>	 we usually have had just one and that's fine
[21:25:16] <brett>	 oh
[21:25:28] <sukhe>	 traffic-cache-bullseye is cache::text for example
[21:25:30] <brett>	 How does that work though? hieradata keys like 'cache::cluster: upload'
[21:25:58] <brett>	 it's all just merged/shoved together?
[21:26:17] <sukhe>	 brett: just the cache::text role
[21:26:26] <brett>	 ohhhh upload is ignored
[21:26:28] <sukhe>	 so basically specify the role under "Puppet classes"
[21:26:29] <brett>	 gotcha
[21:26:44] <brett>	 okay, I'll kill the upload instance
[21:26:48] <sukhe>	 the traffic-cache-bullseye config should work verbatim
[21:27:11] <sukhe>	 16:23:29 < sukhe> brett: yeah we should have similar commits in the history
[21:27:18] <sukhe>	 I misread unifying above :)
[21:27:26] <sukhe>	 but yeah just cache::text is fine for horizon
[21:27:55] <brett>	 sorry, I had just assumed that a horizon instance hadn't been launched since the unified cp work!
[21:29:22] <sukhe>	 the unified cp part at least in prod is that text and upload have the same hardware config underneath them now
[21:29:38] <sukhe>	 so there is on difference in the per-cluster hieradata we applied
[21:29:51] <sukhe>	 at least, for eqiad, since it's the first where text and upload both have two disks!
[21:30:07] <sukhe>	 esams will follow next, so we will unify the configs there
[21:30:21] <brett>	 ohhh my bad, I misunderstood
[21:30:55] <sukhe>	 all good, my mind was thinking about unifying the configs, which is what we do once we finish reimages
[21:31:15] <brett>	 dangit, so should I relaunch with the more generic traffic-cache-bookworm? :(
[21:32:36] <brett>	 I'll do that. Well, good practice
[21:33:08] <sukhe>	 yeah I think that's the desired name. not sure if we can rename 
[21:33:45] <brett>	 I don't think that'd be easy, too many things to change. I'll just relaunch :)
[21:34:41] <sukhe>	 :P
[21:50:24] <brett>	 nd
[22:10:21] <brett>	 Okay, now how do I use the cache instance? :P
[22:17:08] <brett>	 Hm, haproxy is refusing to start with '/etc/update-ocsp.d/*.conf': No such file or directory
[22:17:36] <brett>	 Looks like the bullseye one fails to restart for the same reason
[22:18:20] <bblack>	 do we have a fake key in the private repo?
[22:18:28] <bblack>	 (well, the fakely-private repo)
[22:19:06] <bblack>	 hmmm, appears we do
[22:19:32] <bblack>	 in any case, though, I'm not sure how the OCSP stuff would've ever worked there.  There must have been a way to disable/fake that also
[22:20:07] <bblack>	 modules/profile/manifests/cache/haproxy.pp:    Boolean $do_ocsp = lookup('profile::cache::haproxy::do_ocsp'),
[22:20:10] <bblack>	 ?
[22:20:19] <bblack>	 hieradata/cloud/eqiad1/traffic/hosts/traffic-cache-atstext-buster.yaml:profile::cache::haproxy::do_ocsp: true
[22:20:22] <bblack>	 hieradata/common/profile/cache/haproxy.yaml:profile::cache::haproxy::do_ocsp: true
[22:20:31] <bblack>	 ^ seems like this flag might have existed just for this case?
[22:21:17] <bblack>	 I donno
[22:21:40] <bblack>	 but basically: you're dealing with fake TLS certs that don't even have the correct format
[22:21:47] <bblack>	 not sure how that's meant to work in a VM
[22:23:30] * brett bangs his head on the table
[22:24:13] <brett>	 ugh, sorry for not doing this on -private, I *just* realized
[22:24:15] <brett>	 glad it wasn't -sre or something
[22:24:30] <brett>	 I really need to alter my input bar on weechat to put the current chan