[09:07:42] <Krenair>	 vgutierrez, did you get stuff under /etc/acmecerts showing up as dirs that should not be?
[09:07:54] <vgutierrez>	 you're right :/
[09:25:29] <wikibugs>	 10Traffic, 10Operations, 10Patch-For-Review: Partial cache_upload traffic switchover to ATS and switchback to Varnish - https://phabricator.wikimedia.org/T213263 (10ema) We're currently using swift-rw (eqiad only)  as the origin server for upload cache misses. Thumb traffic can however be served active/activ...
[09:42:34] <ema>	 godog: shall ATS serve thumb traffic A/A? https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/498028/
[09:50:04] <wikibugs>	 10Traffic, 10Operations, 10Performance-Team, 10media-storage, 10Patch-For-Review: Automatically clean up unused thumbnails in Swift - https://phabricator.wikimedia.org/T211661 (10Gilles) 05Open→03Stalled
[09:50:10] <wikibugs>	 10Traffic, 10Operations, 10Performance-Team, 10Patch-For-Review: Normalize thumbnail request URLs in Varnish to avoid cachebusting - https://phabricator.wikimedia.org/T216339 (10Gilles) 05Open→03Stalled
[09:50:13] <wikibugs>	 10Traffic, 10Operations, 10Performance-Team, 10media-storage, 10Patch-For-Review: Automatically clean up unused thumbnails in Swift - https://phabricator.wikimedia.org/T211661 (10Gilles)
[10:24:11] <vgutierrez>	 damn... the expectedfail annotation in get_file_metadata() test masked the issue :(
[10:24:25] <godog>	 ema: yeah looks good!
[10:35:43] <wikibugs>	 10Acme-chief: acme-chief >0.13 generates wrong metadata for the endpoint used in file based deployment layout - https://phabricator.wikimedia.org/T218862 (10Vgutierrez) p:05Triage→03High
[11:20:38] <vgutierrez>	 Krenair: fixed in https://gerrit.wikimedia.org/r/c/operations/software/acme-chief/+/498046 and tested successfully with a puppet client for both scenarios (file, and directory)
[11:29:12] <Krenair>	 vgutierrez, approved
[11:29:19] <vgutierrez>	 thx
[11:29:21] <Krenair>	 vgutierrez, you know in puppet 5 this API is documented as being able to return application/json
[11:29:45] <vgutierrez>	 we're returning yaml right now
[11:30:03] <Krenair>	 yeah but it'd be easy to change to json
[11:30:08] <vgutierrez>	 indeed
[11:30:11] <Krenair>	 not sure how easy it'd be to change to pson
[12:05:45] <ema>	 godog: I now see slightly more connections to codfw than to eqiad on cp-ats-codfw, as expected
[13:39:57] <andrewbogott>	 vgutierrez or ema,  I'm looking at  the puppet diff for https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/496858/ and concerned about this diff:
[13:40:02] <andrewbogott>	 https://www.irccloud.com/pastebin/myaXO4m6/
[13:40:32] <andrewbogott>	 Does it matter that I'm adding a public IP endpoint on a host that otherwise only has private ones?  lvs1006 is itself on a public IP, so it /should/ work… but I don't like being the one big outlier there
[13:41:21] <vgutierrez>	 the lvs sits in all the VLANs, so it shouldn't be an issue AFAIK
[13:41:29] <andrewbogott>	 ok
[13:41:37] <andrewbogott>	 Ready for me to merge that, or do you have other concerns?
[13:43:22] <vgutierrez>	 maybe bblack can take a final look to the CR
[13:44:36] <andrewbogott>	 ok
[13:55:32] <bblack>	 yeah there's some issues with that CR, but I need to finish some coffee to nail it all down
[13:55:42] <andrewbogott>	 thanks!
[14:27:49] <bblack>	 andrewbogott: updated, but there's still one part I can't quite figure out, but could fix the rest
[14:35:18] <andrewbogott>	 bblack: updated.  It's the role::lvs::realserver::pools: bit that's unclear?
[14:35:29] <andrewbogott>	 I'll try to re-read that code too
[14:44:02] <wikibugs>	 10Acme-chief: acme-chief >0.13 generates wrong metadata for the endpoint used in file based deployment layout - https://phabricator.wikimedia.org/T218862 (10Vgutierrez) 05Open→03Resolved
[14:51:58] <andrewbogott>	 hm, the pool defined in role/common/scb.yaml implies that the way I had it before was right
[15:01:20] <bblack>	 andrewbogott: yeah I'm not sure either way tbh, it's hard to find an exactly identical example, but I'll look again after a couple meetings
[15:08:22] <andrewbogott>	 I confirmed (via reading code and testing with the compiler) that it's only used to look up the service IP, which is only defined for ldap-ro.  So I'm pretty sure it's right now.
[15:59:32] <bblack>	 ok
[16:00:20] <bblack>	 my other concern is just I have no idea about how we're restricting access to this, I kind of assume either router ACLs or ferm rules on the LDAP hosts, which I guess will still work through LVS.  But I assume even though we're allocating a public IP to this, that's mostly for wmcs reachability and not actually for truly public access
[16:01:05] <bblack>	 if it's router ACLs we might need to edit them to include this new LVS service IP too
[16:04:36] <andrewbogott>	 As far as I know there aren't router ACLs, just firewall rules.
[16:05:18] <andrewbogott>	 And yeah, I don't expect it to be a public service, although reliable read-only ldap could be useful for some prod services outside of cloud things.
[16:05:42] <andrewbogott>	 Do you think I should add ferm rules on the lvs servers themselves as well?  Or is it enough to have them on the ldap servers?
[16:59:46] <wikibugs>	 10Traffic, 10Horizon, 10Operations, 10Upstream, 10cloud-services-team (Kanban): Horizon Designate dashboard not allowing creation of NS records - https://phabricator.wikimedia.org/T204013 (10GTirloni)
[17:11:22] <bblack>	 andrewbogott: we don't have ferm on LVS at all, but if it's got ferm rules on the service hosts, those ferm rules should still work
[17:15:49] <andrewbogott>	 bblack: cool
[17:16:01] <andrewbogott>	 Are you around for a bit to help with aftershocks if I merge it now?
[17:20:09] <bblack>	 hopefully no aftershocks, but yes.  let me stare at it just a little more.
[17:20:14] <andrewbogott>	 'k
[17:21:17] <bblack>	 what's with the conftool-data/discovery/services.yaml stuff added?
[17:21:49] <andrewbogott>	 that was an attempt to resolve a puppet issue… it didn't help but seemed right anyway.  Am I misunderstanding what that's for?
[17:22:07] <bblack>	 that's for discovery-dns, but I don't think we're doing that for LDAP here, just LVS within a DC
[17:22:49] <andrewbogott>	 ok, I'll remove — we can worry about that later if I ever build a cluster in codfw
[17:23:17] <andrewbogott>	 done
[17:23:45] <bblack>	 the idea with discovery-dns is yeah, we'd have LVS services in both DCs, and a central ldap hostname that does a/a or a/p between the two.
[17:24:43] <andrewbogott>	 So if we ever had VMs in codfw it would save on custom images.  But, we can cross that when we come to it.
[17:24:50] <bblack>	 (probably a/a in this case, so that eqiad clients hit eqiad and codfw clients hit codfw, but it fails over if we disable one side)
[17:28:51] <bblack>	 running it through puppet compiler to see (PS10)
[17:29:26] <bblack>	 https://puppet-compiler.wmflabs.org/compiler1002/15266/
[17:31:18] <bblack>	 looks ok I think
[17:31:29] <bblack>	 we'll have to step through the pybal stuff manually for restarts
[17:31:52] <andrewbogott>	 yeah, the diff on the ldap server is pretty much unreadable but the lvs server side seems ok.
[17:31:58] <andrewbogott>	 Tell me more about stepping through the pybal stuff?
[17:32:25] <bblack>	 basically: (1) Merge the change (2) run puppet on the ldap replica hosts (3) run puppet on affected lvses (4) carefully step through manual pybal restarts on lvs1005 + lvs1002
[17:33:09] <bblack>	 pybal won't pick up the config change without a restart, so we restart the backup host 1005 first and see that it even works there correctly, and then restart 1002 (which will blip all LVS traffic over to lvs1005 briefly until its fully back)
[17:34:05] <bblack>	 I can take care of 3/4 once 1/2 is done
[17:34:14] <bblack>	 whenever you're ready :)
[17:34:20] <andrewbogott>	 ok.  So that sounds like 2 and 3 don't have to happen in a particular order, since it's a no-op until 3/4?
[17:35:04] <bblack>	 it's basically a no-op on the LVS side until 4, but it's easier to revert back out if we can see problems in 2 before we do 3
[17:35:13] <bblack>	 going to disable puppet on the affected lvses first
[17:35:30] <andrewbogott>	 And the affected lvs servers are just 1005 and 1002?
[17:35:33] <bblack>	 yeah
[17:35:51] <bblack>	 done
[17:36:03] <andrewbogott>	 ok, you beat me to it
[17:36:11] <bblack>	 so merge when ready, confirm the ldap replicas puppetize ok
[17:36:21] <andrewbogott>	 yep, have to rebase and then I'll merge
[17:40:15] <andrewbogott>	 the patch applied cleanly, with this:
[17:40:17] <andrewbogott>	 https://www.irccloud.com/pastebin/oAxxzpq5/
[17:40:28] <andrewbogott>	 Which looks right to me, I think
[17:41:08] <bblack>	 what was 10.2.2.17?
[17:41:38] <andrewbogott>	 I think that's from an earlier errnoeous version of this same patch
[17:41:41] <andrewbogott>	 *erroneous
[17:41:43] <bblack>	 it's weird that was in the diff
[17:41:47] <bblack>	 that's restbase's IP heh
[17:41:56] <bblack>	 ok
[17:42:16] <bblack>	 trying lvs1005
[17:44:36] <bblack>	 andrewbogott: can you pool them in confd?
[17:45:17] <bblack>	 Mar 21 17:44:52 lvs1005 pybal[10169]: [config-etcd] INFO: connected to etcd://conf1004.eqiad.wmnet:4001/conftool/v1/pools/eqiad/ldap-ro/ldap-ro/
[17:45:20] <bblack>	 Mar 21 17:44:52 lvs1005 pybal[10169]: [config-etcd] INFO: connected to etcd://conf1004.eqiad.wmnet:4001/conftool/v1/pools/eqiad/ldap-ro/ldap-ro-ssl/
[17:45:23] <bblack>	 Mar 21 17:44:52 lvs1005 pybal[10169]: [config-etcd] ERROR: failed: [Failure instance: Traceback (failure with no frames): <class 'twisted.web.error.Error'>: 404 Not Found
[17:45:33] <bblack>	 seeing this spam over and over, assuming it's from lack of having any backends pooled
[17:45:36] <andrewbogott>	 I don't immediately know how to pool a host but I can look it up
[17:45:54] <bblack>	 if you have root shells on the two ldap replica hosts, just type "pool"
[17:46:00] <andrewbogott>	 ok :)
[17:46:12] <andrewbogott>	 seems happy
[17:46:31] <bblack>	 still getting nothing from confd, hmmm
[17:46:46] <andrewbogott>	 ok, I got a timeout before, now I get "Can't contact LDAP server" instead
[17:46:49] <andrewbogott>	 so the IP is live at least
[17:47:26] <bblack>	 kinda
[17:47:37] <bblack>	 there's no backends pooled and I can't find it in confd
[17:47:47] <bblack>	 do you still have the output from the bottom of puppet-merge, when confd stuff happened?
[17:49:31] <bblack>	 because the live confd data doesn't seem to know about the ldap-ro cluster at all
[17:49:32] <andrewbogott>	 here's the whole output:
[17:49:34] <andrewbogott>	 https://www.irccloud.com/pastebin/LokYvGok/
[17:49:51] <bblack>	 not the agent run, the puppet-merge on the puppetmaster
[17:50:07] <andrewbogott>	 oh, ok
[17:50:09] <bblack>	 after it syncs up the actual puppet stuff, at the bottom of the output it deals with creating new confd keys, etc
[17:50:30] <andrewbogott>	 I don't think I have that anymore
[17:50:39] <andrewbogott>	 I'll log in and force a manual confd sync
[17:50:43] <andrewbogott>	 I think I know how to do that...
[17:51:17] <andrewbogott>	 that did quite a bit!  Must've missed it before
[17:51:33] <bblack>	 ok
[17:51:54] <bblack>	 "pool" didn't return any error before? in any case try again now
[17:52:31] <andrewbogott>	 it has more to say this time
[17:52:38] <andrewbogott>	 https://www.irccloud.com/pastebin/IePBN5cT/
[17:52:40] <andrewbogott>	 seems promising
[17:52:51] <bblack>	 ah there we go
[17:52:56] <andrewbogott>	 yep, the service works now
[17:53:18] <bblack>	 ok, doing lvs1002
[17:55:51] <bblack>	 andrewbogott: try connecting to the new service IP?
[17:56:06] <bblack>	 (with an ldap client I guess)
[17:56:31] <andrewbogott>	 ldapvi (my ldap-editing tool of choice) seems happy with both ldap: and ldaps:
[17:56:41] <andrewbogott>	 I'm going to hack a VM to use that endpoint and see if I can still log in :)
[17:57:11] <bblack>	 ok, let me know if something goes wrong, otherwise I assume we're done with this LVS part
[17:57:17] <andrewbogott>	 seems like!
[17:57:37] <andrewbogott>	 thanks!  We may wind up adding a third ldap backend but I'm hoping two is enough.
[17:58:08] <bblack>	 ok
[18:02:09] <andrewbogott>	 pointing a client VM to the new endpoint seems to work just fine
[20:33:57] <XioNoX>	 this equinix/telia circuit saga is driving me crazy
[20:33:58] <XioNoX>	 :)
[20:34:41] <XioNoX>	 Definitely a downside of paying for the X-connect ourself
[20:53:02] <wikibugs>	 10netops, 10Cloud-Services, 10Operations, 10cloud-services-team (Kanban): Allocate public v4 IPs for Neutron setup in eqiad - https://phabricator.wikimedia.org/T193496 (10GTirloni)
[22:10:48] <XioNoX>	 FYI, ping offload is 100% up and running in codfw: https://grafana.wikimedia.org/d/000000513/ping-offload
[23:07:42] <bblack>	 nice :)
[23:15:47] * jynus is disappointed the new service is not call pingoid
[23:15:53] <jynus>	 *called
[23:16:20] <Reedy>	 Is it written in node?
[23:24:25] <XioNoX>	 any idea what's up with jenkins on https://gerrit.wikimedia.org/r/c/operations/puppet/+/498264 ?
[23:40:13] <bblack>	 XioNoX: 
[23:40:14] <bblack>	 23:21:41 Class 'icinga::monitor::traffic' is already defined at /srv/workspace/puppet/modules/icinga/manifests/monitor/traffic.pp:4; cannot redefine at /srv/workspace/puppet/modules/icinga/manifests/monitor/traffic.pp:10
[23:40:31] <bblack>	 it took me several minutes of staring to find that in the middle of the log, but it's there heh
[23:40:41] <XioNoX>	 bblack: thx, I also asked on another channel
[23:40:51] <XioNoX>	 I missed that line and saw the TOX errors lower down
[23:43:09] <XioNoX>	 all green now