[07:12:52] netops, Datasets-General-or-Unknown, Operations: dumps.wikimedia.org seems to have poor throughput towards some destinations - https://phabricator.wikimedia.org/T120425#4235481 (Aklapper) stalled>declined Unfortunately closing this report as no further information has been provided and as the...
[09:15:05] nice.. the PR on librdkafka has been merged :D
[09:15:16] yay!
[09:24:20] Traffic, netops, Operations: cp intermittent IPsec MTU issue - https://phabricator.wikimedia.org/T195365#4235789 (ayounsi) No more ICMP mentioning cp3039, which helps narrowing down the possible causes. Note that adding the static /32 does not bypass xfrm; traffic stays encrypted.
[09:33:21] vgutierrez: you rock, thanks!
[10:52:12] elukey: confluent-kafka-2.11 1.1.0-1 --> that's kafka version 1.1.0 using scala 2.11, right?
[10:52:53] or that's what I understand from https://docs.confluent.io/current/installation/available_packages.html#confluent-kafka-scala-version
[11:33:16] Traffic, Operations, Goal, Patch-For-Review, User-fgiunchedi: Add Prometheus client support for varnish/statsd metrics daemons - https://phabricator.wikimedia.org/T177199#4236103 (ema)
[11:33:19] Traffic, Operations, Goal, Patch-For-Review, User-fgiunchedi: Deprecate python varnish cachestats - https://phabricator.wikimedia.org/T184942#4236102 (ema) stalled>Open
[11:34:24] Traffic, Operations, Goal, Patch-For-Review, User-fgiunchedi: Deprecate python varnish cachestats - https://phabricator.wikimedia.org/T184942#3901180 (ema) varnishrls removed, thanks @Krinkle.
[12:41:56] Traffic, Operations, Goal: Begin execution of non-forward-secret ciphers deprecation - https://phabricator.wikimedia.org/T192555#4236298 (aborrero)
[12:46:46] vgutierrez: yes exactly, that is my understanding too
[13:24:52] Traffic, Operations, Goal: Begin execution of non-forward-secret ciphers deprecation - https://phabricator.wikimedia.org/T192555#4236420 (Vgutierrez)
[13:24:55] Traffic, Operations: Identify bots using AES128-SHA maintainers running on toolforge - https://phabricator.wikimedia.org/T194380#4236418 (Vgutierrez) Open>Resolved a: Vgutierrez
[13:29:32] Traffic, Operations: Identify bots using AES128-SHA maintainers running on toolforge - https://phabricator.wikimedia.org/T194380#4236437 (Vgutierrez)
[13:30:33] elukey: BTW, checking the kafka broker config I've observed that a plaintext port is configured (9092), could we get rid of that?
[13:33:15] vgutierrez: it is enabled on purpose, not all the clients are ready to be TLS-only and we might want to get rid of the plaintext port
[13:33:55] for example, the webrequests topics (containing sensitive data) will eventually need some auth even for consumption (now we require auth only to produce to them)
[13:34:23] hmmm then we should be banning cross-DC traffic on :9092
[13:34:59] not yet, we use a thing called mirror maker to "reply" topics from eqiad and codfw
[13:35:25] hmm but I guess that's currently using IPsec tunnels?
[13:35:56] nope, the topics that we mirror do not contain sensitive data
[13:36:04] ack
[13:37:01] but, I agree that having TLS would be way better, even from an auth perspective. So I 100% support the deployment of TLS but we'd need a bit of time to roll out all the changes without people trying to kill us because we break things :D
[13:37:34] let's chat in Prague about this if you want!
[13:37:40] sure :D
[13:38:02] elukey: what would happen if webrequest traffic were accidentally sent to 9092?
[13:39:29] vgutierrez: in theory whatever is trying to produce to those topics without a valid client certificate (at the moment only varnishkafka holds a valid one) will get an error
[13:39:46] we've set ACLs to allow only varnishkafka to produce to webrequest topics on Jumbo
[13:40:21] (the error comes because sending traffic to 9092 would end up with user ANONYMOUS, which kafka will not allow to produce events to webrequest topics)
[13:41:26] so a misconfigured varnishkafka sending plain text data to jumbo:9092 would fail, right?
[13:45:43] yes this is how it should work
[13:45:53] nice
[15:42:10] netops, Operations, Patch-For-Review: Detect IP address collisions - https://phabricator.wikimedia.org/T189522#4236820 (ayounsi) a: ayounsi