[11:50:26] <hnowlan>	 If a change is made to conftool-data a puppet-merge will update conftool data as well, right?
[11:50:56] <vgutierrez>	 yep, be sure to run it with sudo -i :)
[11:51:06] <volans>	 hnowlan: yes, but there are other trickities
[11:51:11] <volans>	 like the default weight
[11:51:17] <volans>	 that needs to be set
[11:52:41] <hnowlan>	 Is that in conftool-data or is that something that happens manually? For now I don't necessarily care about the weight as long the hosts are depooled to begin with
[11:53:29] <volans>	 yes the hosts are depooled to begin with but when you'll pool them they must have a positive weight
[11:53:35] <volans>	 the default is zero
[11:53:48] <hnowlan>	 cool
[11:53:54] <volans>	 for context this is because of some changes in the last few months on the conftool side, before there was a default per cluster
[11:54:04] <volans>	 but that part has been ditched for various reasons
[11:54:22] <volans>	 for some specific hosts there is a quick script that takes care of this part
[11:54:41] <volans>	 but is not yet generic IIRC, cc _joe_ that has done it
[11:55:51] <_joe_>	 it exists, it just needs people to include it in their puppet classes
[11:56:22] <_joe_>	 conftool::scripts::initialize
[11:56:39] <_joe_>	 only current user is profile::cache::base
[12:09:08] <XioNoX>	 how can I check if a specific package is on our buster-wikimedia repo?
[12:10:50] <moritzm>	 you can e.g. run "reprepro ls puppet" on install1002.wikimedia.org
[12:12:09] <moritzm>	 but you need sudo -i (as it grabs some setting from the home of the root user)
[12:13:44] <XioNoX>	 ok, thanks!
[13:31:54] <cdanis>	 XioNoX: there is also https://tools.wmflabs.org/apt-browser/
[13:32:47] <XioNoX>	 cdanis: no objection that I add it to the doc?
[13:32:48] <XioNoX>	 :)
[13:33:08] <cdanis>	 it's linked to from the [[Apt]] page on wikitech
[13:33:59] <XioNoX>	 ah yeah! I was only looking at the reprepo page
[13:34:38] <cdanis>	 seems worth linking to from the reprepro page as well
[13:35:21] <XioNoX>	 thx
[13:40:59] <cdanis>	 akosiaris: mark: are you both around?
[13:41:41] <cdanis>	 I wanted to talk about T245058 and T245060
[13:41:42] <stashbot>	 T245058: Create an automated alert for 'too many nodes depooled from a service' - https://phabricator.wikimedia.org/T245058
[13:41:42] <stashbot>	 T245060: Pybal should reject a confctl configuration that indicates only one cp-text is pooled - https://phabricator.wikimedia.org/T245060
[13:55:46] <akosiaris>	 cdanis: I am around
[13:56:33] <cdanis>	 ehlos
[13:56:51] <cdanis>	 just replied on the task(s)
[13:57:01] <akosiaris>	 2.5.0 :)
[13:57:09] <akosiaris>	 yeah just saw it
[13:57:40] <cdanis>	 as an aside I think we need some better nouns here -- 'pooled' is getting very overloaded
[13:59:45] <cdanis>	 (since there's "configuration indicates should be pooled" vs "pybal believes healthy and asks LVS to include in actual-pool")
[14:00:20] <akosiaris>	 ok, I think I am understanding now what you want to see as an alert. pybal /alerts alerts on the "operational" side of it, you want an alert based on the "configuration" side of it
[14:00:25] <akosiaris>	 corrrect?
[14:00:27] <cdanis>	 yes
[14:00:33] <akosiaris>	 s/rrr/rr/
[14:00:41] <akosiaris>	 cool, yeah, makes sense
[14:00:55] <cdanis>	 in general I see the preventative actions from that postmortem as being about avoiding obviously-bad configurations
[14:00:58] <akosiaris>	 there's a number of alerts I also want to create for conftool
[14:01:19] <akosiaris>	 e.g. having in an alert the "desired state" of discovery RRs
[14:02:05] <akosiaris>	 and issue a warning when we are diverging from that. So that we have another way of knowing a) that something has happened b) what the "desired state" of discovery RRs
[14:02:24] <akosiaris>	 I think both are related in that they are alerts that should be created on the conftool level of the infra
[14:02:34] <cdanis>	 sure
[14:02:58] <cdanis>	 (another thing I want to see is conftool itself at least printing a warning when you ask it to depool 'too much' capacity)
[14:03:42] <akosiaris>	 there is the question of defining what "too much" is ofc, but agreed
[14:03:59] <cdanis>	 dbctl has this functionality and it lets you define it per-database-section ;)
[14:04:05] <akosiaris>	 pybal has a ratio config variable, I don't think we have something similar in conftool, but I guess we can add it
[14:04:14] <cdanis>	 sadly we recently removed the service objects from conftool
[14:04:19] <cdanis>	 which would be a natural place to put it
[14:04:24] <akosiaris>	 yes ...
[14:04:53] <volans>	 cdanis: there is an additional problem with this, as depools happen on the single hosts too
[14:04:58] <volans>	 some as part of shutdown for example
[14:05:01] <cdanis>	 yes
[14:05:08] <cdanis>	 as happened exactly in this case
[14:05:19] <cdanis>	 i have written this in the incident doc :P
[14:06:42] <cdanis>	 (https://wikitech.wikimedia.org/wiki/Incident_documentation/20200211-caching-proxies)
[14:18:31] <mark>	 cdanis: here now for a bit
[14:18:49] <mark>	 so right now pybal does not reject any configurations, but it does have a feature to keep a minimum percentage of its servers pooled
[14:19:13] <cdanis>	 right
[14:19:15] <mark>	 so if you have say 4 servers, you can configure it to keep at least 2 of them pooled even though it thinks they're down
[14:19:30] <mark>	 because you know you need at least 2 otherwise you can't sustain the load, there's no point depooling more at that point
[14:19:35] <mark>	 (and that feature has saved us many times)
[14:19:40] <cdanis>	 yep
[14:19:47] <mark>	 so similarly, we could create a feature that rejects configurations with fewer than N hosts I suppose
[14:20:08] <mark>	 but i wouldn't want to hardcode that in for sure
[14:26:06] <cdanis>	 mark: yeah, by 'rejects configurations' i mean the keep-pooled feature, basically
[14:27:33] <cdanis>	 one thing I haven't checked is if the depool invocation on CP shutdown does pooled=inactive
[14:29:01] <bblack>	 it does pooled=no I believe
[14:29:15] <cdanis>	 ok that's good
[14:29:23] <bblack>	 when we set up all the etcd pooling for the cps, inactive didn't exist and/or we weren't sure about how to use it with pybal etc
[14:29:57] <vgutierrez>	 pooled=no
[14:30:02] <vgutierrez>	 I can confirm :)
[14:30:05] <bblack>	 cdanis: is there per-service metadata settable in etcd?
[14:30:13] <cdanis>	 there _used_ to be
[14:30:28] <bblack>	 could set a non-default threshold there and have confctl pull that to make a decision
[14:30:31] <cdanis>	 some months ago it was removed as part of a code cleanup, since all it really did was let you set a default weight for new node additions
[14:30:39] <cdanis>	 but I am thinking maybe we need to re-add it
[14:31:05] <bblack>	 on the other hand, we still have the human vs non-human thing
[14:31:12] <bblack>	 and I imagine non-human depools will be common
[14:31:33] <bblack>	 having confctl ignore the automated depool because of a threshold, with nobody at the keys to react, seems bad too
[14:32:07] <cdanis>	 yeah, that's why I think that 1) confctl should output a warning, but probably should still do what you tell it to  and 2) there should be some flavor of alert for such a state
[14:32:20] <bblack>	 yeah that sounds right to me
[14:32:52] <bblack>	 maybe for bonus points, if confctl could detect there's a real tty attached, it could do a warning + are you sure re-prompt
[14:33:17] <cdanis>	 yeah, that's fairly straightforward
[14:34:15] <bblack>	 but while we're on the subject, IIRC (but my memory may be hazy), pybal's depool limits had some quirks that probably aren't yet solved in the branch we're running.
[14:34:48] <cdanis>	 I see
[14:35:01] <bblack>	 IIRC, pybal's depool thresholding is on the final runtime pool state (the result of both healthchecks and etcd)
[14:35:13] <cdanis>	 that sounds as it should be
[14:35:52] <bblack>	 but it doesn't keep a separate state table of desired pooling based on etcd and/or healthcheck, vs real pooling that was held back by threshold
[14:35:59] <bblack>	 or something like that
[14:36:40] <bblack>	 like I said, my memory is hazy, but I don't think it keeps enough state to deal with it very well
[14:36:43] <cdanis>	 sure
[14:37:05] <cdanis>	 and there's plenty of hard questions about what exactly to do when you're in such a state, even if you are tracking all of that
[14:37:08] <bblack>	 say you had 10 servers and a threshold of 5.  If healthchecks have knocked down 4 already, then etcd knocks down two more, etc...
[14:37:14] <bblack>	 and then which ones recover in which order.
[14:37:26] <bblack>	 I think pybal only has one item of state per server entry, in one place, IIRC
[14:38:04] <bblack>	 but I remember we've run into a past incident where pybal more or less lost track of what to sanely do, depending on the combination and timing of inputs there
[14:40:52] <cdanis>	 mmm. seeing as how I'd like to leave "rewrite Pybal" out of scope for this, maybe it's best just to work on the confctl and monitoring side of things
[14:51:35] <bblack>	 yes, probably best for now :)
[14:59:19] <XioNoX>	 someone can tell me why this always boots the VM from disk instead of from the network:
[14:59:27] <XioNoX>	 https://www.irccloud.com/pastebin/RT47RyrV/
[14:59:35] <XioNoX>	 I did it 3 times...
[15:01:56] <cdanis>	 weird I've never had that; my experience has been more 'you typoed the MAC address in DHCP, and now it silently won't boot and won't give you console either'
[15:04:01] <XioNoX>	 it's re-image so didn't change the mac
[15:04:07] <cdanis>	 yeah
[15:04:22] <XioNoX>	 who are the ganeti masters? :)
[15:05:24] <cdanis>	 akosiaris
[15:05:39] <cdanis>	 also I thought the reimage cookbook was modified to understand Ganeti at some point?? by chaomodus I thought
[15:06:32] <akosiaris>	 lol
[15:07:13] <XioNoX>	 opened https://phabricator.wikimedia.org/T245158
[15:07:19] <akosiaris>	 XioNoX: you are trying to reimage it?
[15:07:31] <XioNoX>	 akosiaris: following https://wikitech.wikimedia.org/wiki/Ganeti#Reinstall_%2F_Reimage_a_VM
[15:07:38] <XioNoX>	 it worked for 3 VMs but not that 4th one
[15:07:58] <akosiaris>	 hmm smell like DHCP issues. lemme verify
[15:08:54] <XioNoX>	 akosiaris: that's the DHCP change I did https://gerrit.wikimedia.org/r/c/operations/puppet/+/571962
[15:09:30] <akosiaris>	 wait.. where are the DHCP servers running now ?
[15:09:40] <volans>	 cdanis: nope
[15:09:43] <akosiaris>	 hmmm
[15:09:49] <XioNoX>	 akosiaris: installX
[15:10:26] <XioNoX>	 unrelated but someone broke https://my.juniper.net/
[15:10:30] <cdanis>	 lol volans literally just sent https://gerrit.wikimedia.org/r/c/operations/software/spicerack/+/571998 ? 👀
[15:11:31] <volans>	 that's noop though, it's just moving it from teh makevm cookbook to spicerack ;)
[15:24:10] <akosiaris>	     kvm_extra: -bios OVMF.fd
[15:24:16] <akosiaris>	 sigh, how did that make it in there?
[15:24:48] <XioNoX>	 hm, I remember someone asking me if they could use my VMs for testing something before they were prod
[15:24:58] <akosiaris>	 that someone is paravoid :P
[15:25:46] <XioNoX>	 akosiaris: can you check if rpki1001 is the same?
[15:25:49] <akosiaris>	 sure
[15:25:53] <XioNoX>	 thx!
[15:29:37] <akosiaris>	 XioNoX: yes it was
[15:29:40] <akosiaris>	 fixed there as well
[15:29:43] * akosiaris running a test now
[15:30:13] <XioNoX>	 cool
[15:30:36] <akosiaris>	 Loading debian-installer/amd64/linux... ok
[15:30:38] <akosiaris>	 that was it
[15:31:08] <paravoid>	 what's the issue with OVMF?
[15:31:11] <paravoid>	 it should work
[15:31:18] <akosiaris>	 paravoid: nope, VMs don't get reimaged
[15:31:31] <akosiaris>	 in fact, they don't do network boots
[15:31:51] <paravoid>	 yes they do, how do you think this was installed? :)
[15:32:03] <akosiaris>	 well, maybe once?
[15:32:16] <paravoid>	 it's possible that the boot order can't be persistently modified though, yes
[15:33:05] <akosiaris>	 I 've removed it btw, so that the reimage can proceed
[15:33:17] <paravoid>	 so you're reimaging it in BIOS mode now?
[15:33:27] <akosiaris>	 yup, same as all VMs
[15:33:27] <paravoid>	 ohnoes, <sad trombone>
[15:33:52] <akosiaris>	 haven't you filed a couple of bugs upstream in ganeti and OVMF about support for it?
[15:33:52] <paravoid>	 fwiw, nuking the bootloader && reboot would had done it
[15:34:09] <akosiaris>	 that's what I remember
[15:34:28] <paravoid>	 just ganeti, and yeah that's to do it in a better way
[15:35:18] <akosiaris>	 yeah it's the mess of having somewhere to store the boot order that is accessible by ganeti
[15:35:41] <akosiaris>	 with OVMF having a RO part and a RW part and ganeti still not being able to use the RW part
[15:41:01] <paravoid>	 yes, gory details @ https://github.com/ganeti/ganeti/issues/1374
[15:41:38] <paravoid>	 there are two distinct/separate problems
[15:42:17] <paravoid>	 one is -boot order=N vs. ,bootindex=N, which would fix the issue above
[15:42:37] <paravoid>	 the other one is persistent state for OVMF settings, incl. bootloader entries
[15:43:39] <paravoid>	 the latter shouldn't affect us, because we're configuring d-i to copy GRUB to bootx64.efi, so we don't need to use the "debian" menu entry
[15:43:57] <paravoid>	 cf. modules/install_server/files/autoinstall/virtual.cfg:8, "d-i grub-installer/force-efi-extra-removable boolean true"
[15:48:49] <XioNoX>	 akosiaris: I saw that you closed the task, am I good to go with those VMs?
[15:53:46] <akosiaris>	 XioNoX: yup. Both should be ok
[15:56:00] <akosiaris>	 paravoid: ah yes, we met https://github.com/ganeti/ganeti/issues/1374#issuecomment-557524579 again today
[15:56:12] <akosiaris>	 I audited the clusters btw, no order OVMF enabled VMs
[15:56:24] <XioNoX>	 akosiaris: thanks!
[15:56:39] <akosiaris>	 until ganeti at least goes with the -device,bootindex=N solution we probably want to avoid it?
[16:50:32] <volans>	 akosiaris: when do you think will be time to remove package_updates from facter? :-)
[17:01:38] <XioNoX>	 who's in charge of the webproxies?
[17:04:08] <XioNoX>	 is there a squid/webproxy dashboard somewhere?
[17:06:03] <bblack>	 I think they tend to get ignored a lot because they mostly "just work"
[17:06:13] <bblack>	 (webproxy)
[17:06:32] <bblack>	 it wouldn't be a bad idea to keep better tabs on them, esp to notice anomalous outbound stuff going on...
[17:06:40] <XioNoX>	 https://phabricator.wikimedia.org/T245121#5881546
[17:06:57] <XioNoX>	 I'm wondering if the eqiad one is not overloaded or miss-behaving
[17:07:12] <bblack>	 it's possible!
[17:08:02] <XioNoX>	 there must be a squid prometheus exporter somewhere :)
[17:09:14] <XioNoX>	 https://github.com/boynux/squid-exporter not feature full but last update 4 days ago
[17:09:33] <XioNoX>	 godog :)
[17:13:19] <XioNoX>	 opened https://phabricator.wikimedia.org/T245176
[17:29:30] <godog>	 hah!
[17:29:36] <godog>	 can we trash squid for ats? :P
[17:31:38] <godog>	 only half kidding really AIUI ats can act as a forward proxy too
[17:42:09] <_joe_>	 XioNoX: have you looked at the logs from the eqiad webproxy?
[17:42:34] <XioNoX>	 _joe_: not yet
[17:42:55] <_joe_>	 what's the URL?
[17:43:38] <volans>	 XioNoX: around?
[17:43:51] <XioNoX>	 volans: yep?
[17:43:57] <volans>	 seems that the whole mgmt network is down
[17:44:04] <XioNoX>	 _joe_: https://rrdp.ripe.net/notification.xml
[17:44:12] <XioNoX>	 volans: that's not good
[17:44:25] <volans>	 not sure if related to some pdu work or something but seemed too many
[17:44:47] <XioNoX>	 volans: pinged dcops?
[17:44:53] <volans>	 already did
[17:45:09] <XioNoX>	 cool, so A6 only?
[17:45:17] <XioNoX>	 either a switch dead or a cable bumped
[17:45:28] <volans>	 no
[17:45:31] <volans>	 333 hosts
[17:45:36] <volans>	 so clearly not a single rack
[17:49:24] <_joe_>	 XioNoX: the proxy works perfectly to that url
[17:49:31] <_joe_>	 I just ran curl from boron
[17:52:47] <XioNoX>	 _joe_: it looks intermitent though
[17:53:38] <bblack>	 yeah things are flappy, this is really odd
[17:53:57] <volans>	 icinga flaps between 300 and ~390 down mgmt
[17:54:09] <volans>	 any volounteer for IC?
[17:54:13] <bblack>	 afaics there's no production impact
[17:55:14] <volans>	 agree
[17:55:40] <XioNoX>	 and it's only eqiad, right?
[17:55:41] <volans>	 now ~484 unreachable (not down)
[17:55:48] <volans>	 yes AFAICT
[17:56:01] <XioNoX>	 random though, did someone looped the mgmt network?
[17:56:11] <XioNoX>	 could be a broadcast storm
[17:56:14] <XioNoX>	 cmjohnson1: ^
[17:56:22] <volans>	 it's a possibility
[17:56:35] <XioNoX>	 yeah https://librenms.wikimedia.org/graphs/lazy_w=652/to=1581616500/device=22/type=device_bits/from=1581530100/legend=no/
[17:56:56] <volans>	 ok we're saturating it
[17:57:01] <bblack>	 there's some odd syslog entries on librenms too
[17:57:02] <volans>	 we need to undo whatever was changed
[17:57:28] <bblack>	 mr1-eqiad: %-: /usr/sbin/sshd[80684]: exited, status 255
[17:57:34] <bblack>	 I guess that's normal on session termination
[17:57:43] <godog>	 cmjohnson1: ^ likely related to the mw row D racking
[17:58:01] <XioNoX>	 tring to fidn which port
[17:58:03] <cmjohnson1>	 I am not racking anything....everything that is being done was already connected
[17:58:10] <cmjohnson1>	 just fixing idrac settings
[17:58:35] <godog>	 ah my bad, misunderstood what was going on
[17:58:46] <volans>	 I'm trying to downtime eqiad mgmt
[17:59:08] <godog>	 I'll stop ircecho, it is just spam at this point
[17:59:24] <volans>	 godog: wait
[17:59:27] <volans>	 I'm downtiming them
[17:59:37] <godog>	 ok
[18:00:00] <XioNoX>	 looks like D3 https://librenms.wikimedia.org/device/device=22/tab=port/port=3002/
[18:00:00] <stashbot>	 D3: test - ignore - https://phabricator.wikimedia.org/D3
[18:00:10] <XioNoX>	 cmjohnson1: ^
[18:00:26] <volans>	 downtimed all for 1h
[18:00:49] <godog>	 thanks volans
[18:01:15] <XioNoX>	 !log msw1-eqiad# set interfaces ge-0/0/34 disable
[18:01:22] <stashbot>	 XioNoX: Not expecting to hear !log here
[18:01:23] <bblack>	 librenms syslog/eventlog is a PITA when tryingf to skip past the recent spam
[18:01:23] <XioNoX>	 and commit confirmed 5
[18:01:51] <XioNoX>	 let me know if things improve, only D3 should be unreachable for now
[18:01:54] <volans>	 for reference I've used the downtime from the 'mgmt' hostgroup, is a bit wider that I would like but fitted the purpose:
[18:01:57] <volans>	 https://icinga.wikimedia.org/cgi-bin/icinga/extinfo.cgi?type=5&hostgroup=mgmt
[18:02:16] <volans>	 if you need to extend ^^^ click on downtime services and then the checkbox for 'hosts too'
[18:02:22] <XioNoX>	 could be a loop, could be an buggy IDRAC
[18:02:43] <volans>	 a single one?
[18:02:58] <bblack>	 it's a single rack disabled at present
[18:03:10] <volans>	 XioNoX: looks much better now from icinga POV
[18:03:22] <apergos>	 was 418 now is 273...
[18:03:44] <XioNoX>	 making my commit permamant
[18:03:57] <volans>	 182 and going down
[18:03:58] <XioNoX>	 the D3 switch is unmanaged so I can't do anything more from there
[18:04:17] <XioNoX>	 cmjohnson1: can you check cabling of D3 mgmt?
[18:04:34] <volans>	 down to 80
[18:04:37] <XioNoX>	 of course I have a bus ride in 45min :)
[18:04:37] <cmjohnson1>	 there are 3 mw servers in there that were updated...checking them now
[18:04:55] <bblack>	 (side note maybe for later, but don't we even have spanning-tree or some other kind of loop protection?)
[18:05:00] <bblack>	 (for mgmt)
[18:05:32] <paravoid>	 not really no, it's mostly unmanaged switches
[18:06:01] <bblack>	 even if the per-rack switches are unmanaged, should spanning-tree on the ms1 itself catch anyone looping one dumb switch to another?
[18:06:09] <bblack>	 *msw1
[18:06:26] <apergos>	 14 now
[18:06:35] <XioNoX>	 bblack: we can add some flood protection yes, but not spanning tree
[18:06:54] <paravoid>	 XioNoX: how did you figure out it was D3?
[18:06:54] <stashbot>	 D3: test - ignore - https://phabricator.wikimedia.org/D3
[18:06:57] <volans>	 we're moving from host down to ssh failing socket timeout
[18:07:10] <volans>	 XioNoX: how many should we expect down with D.3 disabled?
[18:07:28] <paravoid>	 volans: the servers in rack D.3, check netbox
[18:07:38] <volans>	 we've much more failing SSH
[18:07:45] <XioNoX>	 paravoid: looked are all the msw1-eqiad switch ports in librenms and flagged the one which had only inbound flood, istead of outbound for all the others
[18:07:53] <cmjohnson1>	 all 3 of the hosts I worked on are booting into their idrac/bios
[18:08:00] <bblack>	 30-40 or so
[18:08:06] <bblack>	 (servers in D3 in netbox)
[18:08:14] <bblack>	 it says devices: 40
[18:08:31] <volans>	 we've ~150 failing SSH
[18:08:42] <XioNoX>	 volans: ssh is very slow to recover
[18:08:44] <bblack>	 but some might be planned or decom or whatever
[18:08:50] <volans>	 could be true
[18:09:07] <XioNoX>	 not for later, have !log in that channel too
[18:09:11] <XioNoX>	 note*
[18:09:23] <volans>	 host down are down to 7
[18:09:28] <bblack>	 29 devices in D3 are "Active"
[18:10:27] <volans>	 https://netbox.wikimedia.org/dcim/devices/?q=&site=eqiad&rack_id=37&status=1 for reference
[18:11:22] <volans>	 the remaining failing oneas are in D6
[18:11:22] <stashbot>	 D6: Interactive deployment shell aka iscap - https://phabricator.wikimedia.org/D6
[18:11:27] <cmjohnson1>	 the network settings on the 3 servers all look normal
[18:11:40] <volans>	 failing as HOST DOWN I meant
[18:11:58] <volans>	 but are not the whole rack
[18:12:24] <cmjohnson1>	 d6 is another rack where servers were being worked on, not sure if it's related but all of these host had to have their ipmi enabled
[18:12:26] <bblack>	 ok
[18:12:29] <cmjohnson1>	 that was the only network change
[18:12:51] <bblack>	 no cable changes today?
[18:13:01] <bblack>	 (for this I mean, in row D)
[18:13:02] <cmjohnson1>	 no cable changes
[18:13:08] <bblack>	 hmmmm
[18:13:17] <XioNoX>	 maybe the switch is faulty
[18:13:22] <bblack>	 maybe one of the impi's grabbed a critical in-use IP of something else?
[18:13:46] <XioNoX>	 bblack: nah that would just be an IP conflict and only impact those 2 hosts
[18:13:47] <volans>	 so SSH ones we check every hour, so it's ormal they are not recovering
[18:13:54] <XioNoX>	 but we would not see that spike of traffic
[18:14:09] <bblack>	 XioNoX: no I mean like, could it have duplicated a mr/msw -level IP adress somewhere and just broke monitoring of mgmt
[18:14:25] <XioNoX>	 bblack: doesn't explain the traffic spike
[18:14:29] <bblack>	 yeah :/
[18:14:42] <cmjohnson1>	 XioNoX many of them were hitting the installer
[18:14:59] <XioNoX>	 cmjohnson1: but installed on their primary link, not mgmt
[18:15:04] <XioNoX>	 installer*
[18:15:14] <cmjohnson1>	 true
[18:15:26] <volans>	 I picked a random SSH failed and forced a recheck, it's now green, they will recover within 1h (check interval)
[18:15:33] <bblack>	 ok
[18:15:49] <volans>	 we still have 7 failing in D6
[18:15:53] <volans>	 https://icinga.wikimedia.org/cgi-bin/icinga/status.cgi?host=all&style=hostdetail&hoststatustypes=4&hostprops=1
[18:16:47] <godog>	 gotta go
[18:16:59] <volans>	 and I think are the *only* ones active in D.6
[18:17:02] <volans>	 that explains why only those
[18:17:11] <volans>	 the other are not checked
[18:17:20] <volans>	 so kinda ssume D.6 mgmt is also down
[18:18:03] <XioNoX>	 # run show interfaces descriptions | match d6
[18:18:03] <XioNoX>	 ge-0/0/28       up    up   Core: msw-d6-eqiad {#3493} [1Gbps Cu]
[18:18:10] <XioNoX>	 the switch port to d6 is good
[18:18:26] <cmjohnson1>	 d6 link to msw1 is dark
[18:18:48] <XioNoX>	 ?
[18:18:55] <bblack>	 yeah so msw1 port traffic graphs, D3 was the only one with a bidirectional spike, the rest were out-only spikes, I'm assuming that's how X found it earlier.
[18:18:55] <stashbot>	 D3: test - ignore - https://phabricator.wikimedia.org/D3
[18:19:10] <XioNoX>	 bblack: yep
[18:19:13] <cmjohnson1>	 the link light XioNoX
[18:19:21] <XioNoX>	 uh
[18:19:30] <XioNoX>	 cmjohnson1: ge-0/0/28 is D6?
[18:19:31] <stashbot>	 D6: Interactive deployment shell aka iscap - https://phabricator.wikimedia.org/D6
[18:19:41] <XioNoX>	 it might be misslabeled
[18:20:04] <bblack>	 oh you already said that too, I just missed it :)
[18:20:17] <XioNoX>	 I'd bet it's labelled msw-d3-eqiad while it actually goes to D6
[18:20:24] <XioNoX>	 and I shut down D6 and not D3
[18:20:34] <bblack>	 either way, it was the misbehaving port
[18:20:38] <XioNoX>	 yeah
[18:20:44] <volans>	 TODO: blacklist in stashbot links to differential, at least here
[18:21:01] <volans>	 or at least to single digit differential
[18:21:19] <bblack>	 so we should be looking for a cause in D6's dumb switch, or one of the hosts attached to it
[18:21:22] <bblack>	 not in D3
[18:21:54] <XioNoX>	 to whatever is connected to msw1-eqiad:ge-0/0/34
[18:22:02] <XioNoX>	 cmjohnson1: if you can trace this port/cable ^
[18:23:10] <cmjohnson1>	 d6
[18:23:16] <cmjohnson1>	 XioNoX
[18:23:20] <XioNoX>	 ok
[18:23:50] <XioNoX>	 TODO audit msw1-eqiad ports/cables
[18:24:02] <cmjohnson1>	 XioNoX figured out the cause
[18:24:04] <XioNoX>	 cmjohnson1: so can you check if there is any loop on d6 mgmt switch?
[18:24:06] <cmjohnson1>	 loop
[18:24:07] <XioNoX>	 ahhh!
[18:24:09] <XioNoX>	 eh
[18:24:26] <XioNoX>	 cmjohnson1: let me know when I can re-enabled the port
[18:24:28] <cmjohnson1>	 operator error
[18:24:29] <cmjohnson1>	 go ahead
[18:24:59] <XioNoX>	 !log ROLLBACK: msw1-eqiad# set interfaces ge-0/0/34 disable
[18:24:59] <stashbot>	 XioNoX: Not expecting to hear !log here
[18:25:04] <bblack>	 yeah unfortunately nothing on the msw1 could reasonably detect a loop within one dumb subswitch
[18:25:54] <bblack>	 we could put some kind of flood limit in place though, down a port if it spikes traffic in over a generous threshold?
[18:25:56] <XioNoX>	   Input rate     : 0 bps (0 pps)
[18:25:57] <XioNoX>	   Output rate    : 4416 bps (3 pps)
[18:26:03] <XioNoX>	 so the port is good now
[18:26:31] <XioNoX>	 bblack: yeah juniper has some features for that, especially for BUM traffic spikes
[18:27:39] * volans forcing a re-check for the 7 remained
[18:27:50] <XioNoX>	 thx
[18:28:05] <volans>	 recovering
[18:28:09] <XioNoX>	 great
[18:28:31] <paravoid>	 so what happened?
[18:29:05] <XioNoX>	 paravoid: looped msw-d6
[18:29:23] <paravoid>	 yes, how?
[18:29:50] <XioNoX>	 paravoid: plugged both side of a cable on the switch?
[18:30:14] <XioNoX>	 (just guessing)
[18:30:57] <cmjohnson1>	 paravoid yes, a cable was not removed from the switch and mistaken for one being used by a mw server....turns out it was already plugged in
[18:31:02] <volans>	 forcing some recheck on icinga to clear it up
[18:31:11] <paravoid>	 ah
[18:31:39] <paravoid>	 but I thought there were no cable changes today?
[18:31:43] <XioNoX>	 I guess we don't need an IC anymore :)
[18:33:38] <XioNoX>	 alright going to catch a bus soon, will be working from there
[18:33:48] <volans>	 all cleared on icinga
[18:33:51] <volans>	 I've forced all the SSH checks
[18:33:55] <volans>	 and they recovered
[18:34:07] <cmjohnson1>	 I removed and re-inserted a green cable during the process it slipped out of my fingers and I must've grabbed the one that wasn't removed...I didn't really classify that as a cable change. It was until we moved to d6 from d3 did it occur to me
[18:34:09] <XioNoX>	 thanks!
[19:03:59] <XioNoX>	 bblack: if you're curious - https://www.juniper.net/documentation/en_US/junos/topics/concept/rate-limiting-storm-control-understanding.html
[19:04:18] <XioNoX>	 should prevent futur similar events
[19:10:41] <XioNoX>	 opened https://phabricator.wikimedia.org/T245192
[20:48:30] <akosiaris>	 volans: JDI ?
[20:49:51] <volans>	 nothing is using it anymore right?
[21:03:46] <_joe_>	 volans: we'll know soon enough :D
[22:09:15] <volans>	 akosiaris: https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/572101 for you :)