[00:19:11] <jinxer-wm>	 RESOLVED: [2x] PfwCoreBGPDown: Fundraising Firewall core BGP session down between pfw1-codfw and (null) (10.195.0.248) - group VPN - https://wikitech.wikimedia.org/wiki/Network_monitoring#BGP_status  - https://alerts.wikimedia.org/?q=alertname%3DPfwCoreBGPDown
[03:10:25] <jinxer-wm>	 FIRING: SystemdUnitFailed: netbox_ganeti_eqiad_sync.service on netbox1003:9100 - https://wikitech.wikimedia.org/wiki/Monitoring/check_systemd_state - https://grafana.wikimedia.org/d/g-AaZRFWk/systemd-status - https://alerts.wikimedia.org/?q=alertname%3DSystemdUnitFailed
[03:11:41] <jinxer-wm>	 FIRING: NetboxAccounting: Netbox - Accounting job failed - https://wikitech.wikimedia.org/wiki/Netbox#Report_Alert - https://netbox.wikimedia.org/core/jobs/ - https://alerts.wikimedia.org/?q=alertname%3DNetboxAccounting
[03:32:55] <jinxer-wm>	 FIRING: [6x] SystemdUnitFailed: netbox_ganeti_eqiad_sync.service on netbox1003:9100 - https://wikitech.wikimedia.org/wiki/Monitoring/check_systemd_state - https://grafana.wikimedia.org/d/g-AaZRFWk/systemd-status - https://alerts.wikimedia.org/?q=alertname%3DSystemdUnitFailed
[03:34:59] <jinxer-wm>	 FIRING: [6x] SystemdUnitFailed: netbox_ganeti_eqiad_sync.service on netbox1003:9100 - https://wikitech.wikimedia.org/wiki/Monitoring/check_systemd_state - https://grafana.wikimedia.org/d/g-AaZRFWk/systemd-status - https://alerts.wikimedia.org/?q=alertname%3DSystemdUnitFailed
[03:35:14] <jinxer-wm>	 FIRING: [6x] SystemdUnitFailed: netbox_ganeti_eqiad_sync.service on netbox1003:9100 - https://wikitech.wikimedia.org/wiki/Monitoring/check_systemd_state - https://grafana.wikimedia.org/d/g-AaZRFWk/systemd-status - https://alerts.wikimedia.org/?q=alertname%3DSystemdUnitFailed
[03:35:34] <jinxer-wm>	 FIRING: [6x] SystemdUnitFailed: netbox_ganeti_eqiad_sync.service on netbox1003:9100 - https://wikitech.wikimedia.org/wiki/Monitoring/check_systemd_state - https://grafana.wikimedia.org/d/g-AaZRFWk/systemd-status - https://alerts.wikimedia.org/?q=alertname%3DSystemdUnitFailed
[03:40:25] <jinxer-wm>	 RESOLVED: [6x] SystemdUnitFailed: netbox_ganeti_eqiad_sync.service on netbox1003:9100 - https://wikitech.wikimedia.org/wiki/Monitoring/check_systemd_state - https://grafana.wikimedia.org/d/g-AaZRFWk/systemd-status - https://alerts.wikimedia.org/?q=alertname%3DSystemdUnitFailed
[03:54:34] <jinxer-wm>	 FIRING: DiskSpace: Disk space serpens:9100:/ 6.576% free - https://wikitech.wikimedia.org/wiki/Monitoring/Disk_space - https://grafana.wikimedia.org/d/000000377/host-overview?orgId=1&viewPanel=12&var-server=serpens - https://alerts.wikimedia.org/?q=alertname%3DDiskSpace
[04:11:41] <jinxer-wm>	 RESOLVED: NetboxAccounting: Netbox - Accounting job failed - https://wikitech.wikimedia.org/wiki/Netbox#Report_Alert - https://netbox.wikimedia.org/core/jobs/ - https://alerts.wikimedia.org/?q=alertname%3DNetboxAccounting
[04:29:34] <jinxer-wm>	 FIRING: DiskSpace: Disk space serpens:9100:/ 3.503% free - https://wikitech.wikimedia.org/wiki/Monitoring/Disk_space - https://grafana.wikimedia.org/d/000000377/host-overview?orgId=1&viewPanel=12&var-server=serpens - https://alerts.wikimedia.org/?q=alertname%3DDiskSpace
[05:23:46] <wikibugs>	 10netops, 06Infrastructure-Foundations, 06SRE: Row C traffic outage Nov 11 2025 - https://phabricator.wikimedia.org/T409800 (10cmooney) 03NEW p:05Triage→03High
[05:53:02] <wikibugs>	 10netops, 06Infrastructure-Foundations, 06SRE: Row C traffic outage Nov 11 2025 - https://phabricator.wikimedia.org/T409800#11361879 (10cmooney)
[05:58:32] <wikibugs>	 10netops, 06Infrastructure-Foundations, 06SRE: Row C traffic outage Nov 11 2025 - https://phabricator.wikimedia.org/T409800#11361886 (10cmooney)
[06:01:25] <jinxer-wm>	 FIRING: SystemdUnitFailed: prometheus-dpkg-success-textfile.service on serpens:9100 - https://wikitech.wikimedia.org/wiki/Monitoring/check_systemd_state - https://grafana.wikimedia.org/d/g-AaZRFWk/systemd-status - https://alerts.wikimedia.org/?q=alertname%3DSystemdUnitFailed
[07:01:34] <moritzm>	 we had a failed logrotation on serpens, I fixed it manually, should recover soon
[07:04:34] <jinxer-wm>	 RESOLVED: [2x] DiskSpace: Disk space serpens:9100:/ 0% free - https://wikitech.wikimedia.org/wiki/Monitoring/Disk_space - https://grafana.wikimedia.org/d/000000377/host-overview?orgId=1&viewPanel=12&var-server=serpens - https://alerts.wikimedia.org/?q=alertname%3DDiskSpace
[07:16:25] <jinxer-wm>	 RESOLVED: SystemdUnitFailed: prometheus-dpkg-success-textfile.service on serpens:9100 - https://wikitech.wikimedia.org/wiki/Monitoring/check_systemd_state - https://grafana.wikimedia.org/d/g-AaZRFWk/systemd-status - https://alerts.wikimedia.org/?q=alertname%3DSystemdUnitFailed
[15:30:08] <wikibugs>	 10netops, 06Infrastructure-Foundations, 10Observability-Alerting, 06SRE: Nokia OSPF alerts not working - https://phabricator.wikimedia.org/T408378#11363473 (10cmooney) 05Open→03Resolved a:03cmooney >>! In T408378#11351612, @colewhite wrote: > In today's case, the alert criteria wasn't met because...
[15:37:21] <sukhe>	 topranks: any concerns if I pick 10.3.0.2/32 in 10.3.0.0/24?
[15:37:30] <sukhe>	 full context https://phabricator.wikimedia.org/T409780
[15:37:41] <sukhe>	 or I can pick something after 10.3.0.9 as well, so .10
[15:38:06] <sukhe>	 this is for hcaptcha-proxy.anycast.wmnet
[15:39:46] <topranks>	 I mean no objection really, maybe .10 is better.....
[15:39:59] <topranks>	 but my main question would be why are we using anycast for something behind the LVS ?
[15:40:27] <sukhe>	 topranks: ok on .10!
[15:40:36] <sukhe>	 yeah that's a good question, I try to clarify that in the task
[15:40:50] <sukhe>	 let me know if it doesn't make sense and happy to discuss of course
[15:41:03] <taavi>	 do we still have backup static /31 or /30 routes for the recdns .1 endpoint?
[15:41:55] <sukhe>	 no, we don't do static routes anymore and we even removed from them for the LVSes (in the process) https://phabricator.wikimedia.org/T300877
[15:42:20] <topranks>	 we have static routes in place for some ranges
[15:42:39] <topranks>	 https://phabricator.wikimedia.org/P85190
[15:42:47] <topranks>	 but I am very much in favour of removing them 
[15:43:10] <sukhe>	 yeah, we decided to keep the eqiad ones for now but we will remove them eventually
[15:43:27] <topranks>	 my fear for something like a HTTP proxy is Anycast is sometimes problematic with stateful things like TCP based conections 
[15:43:30] <topranks>	 fine for DNS, NTP etc 
[15:43:47] <taavi>	 at least 10.68.16.0/21 from that paste is not in use and has not been in years, so we could drop that right awway
[15:43:59] <topranks>	 using a load-balancer is often better, but at the cost of that extra layer in the stack 
[15:44:26] <sukhe>	 yeah, in this case though we haven't really done a service at the edge and behind the CDN. so that problem is there in that respect
[15:44:36] <topranks>	 taavi: ha indeed, even the next-hop is invalid it's not in the routing table at all 
[15:44:39] <topranks>	 I'll nuke it 
[15:44:47] <sukhe>	 for the anycast / TCP thing, do note that we already do it for durum and Wikidough though in that respect, but valid point
[15:45:41] <topranks>	 even so I expect the DoH/DoT services are gonna work deal better with broken state  than something like a hcapcha transaction 
[15:45:51] <sukhe>	 topranks: feel free to comment on the task though; we want to get more input before we get started
[15:46:25] <topranks>	 yeah I'll feed back, basically I think putting anycast behind the LB is an added complication we don't need 
[15:46:26] <sukhe>	 the hcatpcha sessions should/are in theory short-lived as well
[15:46:39] <topranks>	 but on the question (you're now sorry you asked), .10 seems like a good choice :) 
[15:46:46] <sukhe>	 ha!
[15:46:58] <sukhe>	 na it's all good, please comment and we can dicuss there
[15:47:33] <sukhe>	 a typical hcatpcha session should be under a second
[15:47:48] <sukhe>	 (well the HTTP session to that service that is)
[15:47:56] <sukhe>	 but let's discuss there, I will hold off on the work
[16:14:26] <topranks>	 sukhe: maybe it's better to ask this here cos we are possibly talking past each other on task 
[16:14:45] <topranks>	 are there two services at play?  A 'hcaptcha' service and a 'http proxy' service?
[16:14:54] <topranks>	 are both behind the CDN?
[16:15:13] <sukhe>	 topranks: yeah sorry, it's a bit confusing
[16:15:19] <sukhe>	 let's start here with some idea I guess https://wikitech.wikimedia.org/wiki/HCaptcha#/media/File:Hcaptcha_wmf_design.png
[16:16:13] <topranks>	 ok take a step back. the internet is huge these days it'll never fit in that litle box :P 
[16:16:40] <topranks>	 nah but I get the setup, I think maybe I was confused though about what was proposed for each 
[16:16:56] <sukhe>	 yeah so the domain itself, what the user looks up, is behind the CDN
[16:17:13] <sukhe>	 the actual proxy is also a low-traffic service but the problme is we don't have low-traffic in edges
[16:17:27] <topranks>	 ok....
[16:17:47] <topranks>	 so the proposal is to use anycast _instead_ of LVS for the proxy service at the POPs?
[16:17:55] <sukhe>	 rather I guess, hcaptcha.wm.org -> text-lb and then text-lb backend to the proxies
[16:18:35] <sukhe>	 topranks: yep, in theory because we can't make the VMs high-traffic[12] because then high-traffic1 (text-lb) looks up itself and that doesn't work
[16:18:49] <sukhe>	 and we need something to distribute traffic between these two VMs (per site, total 14)
[16:18:53] <sukhe>	 so thoughts on how to do that I guess?
[16:23:30] <topranks>	 yeah anycast is fine 
[16:23:36] <topranks>	 I got the wrong end of the stick 
[16:24:12] <topranks>	 anycast would not bring anything if the proxy was going behind the CDN, but that's not the case 
[16:34:05] <sukhe>	 topranks: thanks, responding to your comments on the task as well