[04:13:53] <marostegui>	 We are going to failover s4 master in 45 minutes
[09:10:28] <XioNoX>	 access request question: does the deployment group overlap with the restricted group?
[09:11:23] <mutante>	 XioNoX: no
[09:11:28] <XioNoX>	 ok!
[09:11:46] <mutante>	 XioNoX: i thin i already now which ticket you are on...
[09:11:53] <XioNoX>	 Cindy
[09:12:18] <mutante>	 ah, no that's different
[09:12:42] <mutante>	 hold on, i gave you the wrong answer then
[09:13:28] <XioNoX>	 If you are still relying on ldaplist and not using ldapsearch,
[09:13:28] <XioNoX>	 please comment on https://phabricator.wikimedia.org/T114063
[09:13:28] <XioNoX>	 before 30 August 2016. If nobody comments, ldaplist will be removed!
[09:13:41] <XioNoX>	 well
[09:14:02] <XioNoX>	 https://github.com/wikimedia/puppet/blob/production/modules/admin/README#L70 probably needs updating then
[09:14:04] <mutante>	 that was written by Yuvi who is not here anymore
[09:15:37] <mutante>	 XioNoX: fixing my comment. Yes, restricted is a full subset of deployment, having both is not needed
[09:15:44] <mutante>	 it's only deployment then
[09:15:48] <XioNoX>	 thx!
[09:17:00] <mutante>	 i think https://phabricator.wikimedia.org/T114063 is stalled as in "nobody is working on this"
[09:28:07] <XioNoX>	 mutante: not sure I understand what I should do next on that CR
[09:32:09] <mutante>	 XioNoX: add Tyler or greg-g and get them to review
[09:32:59] <XioNoX>	 done, thx!
[13:18:13] <hnowlan>	 If I get `Unable to run wmf-auto-reimage-host: Unable to find certificate fingerprint in` when running wmf-auto-reimage-host, did I do something wrong or is that a known/expected failure?
[13:18:46] <mutante>	 hnowlan: that seems unusual, like a typo in the host name or something
[13:18:57] <mutante>	 which host is it?
[13:19:21] <hnowlan>	 restbase2009
[13:19:29] <hnowlan>	 it was followed by `no certificate found and waitforcert is disabled` though which is clearly a puppet error
[13:19:43] <volans>	 hnowlan: I can have a look in 5
[13:19:44] <hnowlan>	 and the host definitely did reprovision
[13:20:50] <mutante>	 what i can confirm so far is there is a puppet cert for restbase2009.codfw.wmnet on the puppetmaster
[13:21:40] <hnowlan>	 yeah, it looks like things worked as expected
[13:21:47] <hnowlan>	 just a weird failure to see
[13:23:41] <hnowlan>	 I actually see the exact same error in the logs for the reimage you did for restbase2014 a few weeks back mutante
[13:24:25] <mutante>	 heh, ok :)
[13:24:47] <volans>	 let's carlify
[13:24:51] <mutante>	 yea, the log looks like things worked despite it
[13:25:09] <volans>	 1) it failes, so no, it didn't completed successfully, as the reimage doesn't stop at the first puppet run but does additional things after that
[13:25:13] <volans>	 *failed
[13:26:20] <mutante>	 the "_cumin.out" file actually show the fingerprint of the cert
[13:26:26] <mutante>	 that it talks about not finding in the .log
[13:26:48] <volans>	 2) the 'Exiting; no certificate found and waitforcert is disabled' is returned by the puppetmaster, not the script
[13:26:55] <volans>	 IIRC, double checking now
[13:27:31] <volans>	 sorry, wrote it wrong
[13:27:37] <mutante>	 ----- OUTPUT of 'puppet cert list...et' 2> /dev/null'  ....  "restbase2009.codfw.wmnet" (SHA256) 92:BD:E4:65:81:1E:B0:A0:35:90:19:DB:19:B4:D3:BB:5E:94:DC:D8:6D:2E:1D:DC:F7:6E:64:29:A5:65:4F:3E
[13:27:38] <stashbot>	 D3: test - ignore - https://phabricator.wikimedia.org/D3
[13:27:38] <stashbot>	 D8: Add basic .arclint that will handle pep8 and pylint checks - https://phabricator.wikimedia.org/D8
[13:27:40] <hnowlan>	 I would expect to see that error when running puppet agent with an unrecognised cert
[13:27:41] <mutante>	  Removing file Puppet::SSL::Certificate restbase2009.codfw.wmnet at '/var/lib/puppet/server/ssl/ca/signed/restbase2009.codfw.wmnet.pem
[13:28:00] <mutante>	 stashbot: krkr :)
[13:28:01] <stashbot>	 See https://wikitech.wikimedia.org/wiki/Tool:Stashbot for help.
[13:28:25] <volans>	 nice job stashbot :-P
[13:28:40] <mutante>	 it removed the existing cert.. and then a little bit later it says it can't find it
[13:28:42] <hnowlan>	 mutante: I ran `puppet cert -s restbase2009.codfw.wmnet` fwiw
[13:29:10] <volans>	 mutante: ofc, it removes the cert at the starts, that's exepcted
[13:29:49] <mutante>	 sure, but not that it is surprised about not findin gone afterwards?
[13:29:56] <mutante>	 one
[13:30:08] <volans>	 that's the client
[13:33:43] <volans>	 hnowlan: the usual workflow is this
[13:33:58] <volans>	 after d-i the host gets rebooted into the new OS
[13:34:27] <volans>	 if we detect systemd as init system, we run 'puppet agent --test --color=false' so that the puppet clients generate a CSR and sends it to the master
[13:34:39] <volans>	 we get the outpiut of this run and extract the fingerprint of the cert
[13:35:08] <volans>	 and then we go to the puppetmaster and sign it
[13:35:23] <volans>	 verifying that the fingerprint matches first
[13:35:32] <hnowlan>	 volans: d-i?
[13:35:36] <volans>	 debian-installer
[13:35:49] <hnowlan>	 oh right
[13:36:02] <volans>	 in this case the output of the first puppet run didn't show the fingerprint, like it was already run, that was the case before systemd with init and the old puppet package
[13:36:23] <volans>	 so either something has changed here or for some reason the puppet client was already run once
[13:37:18] <volans>	 and to make it totally clear: the reimage failed, the host is not installed
[13:37:33] <volans>	 has a new OS: yes, has puppet running: no
[13:38:06] <volans>	 unless something manual was done after that
[13:38:13] <hnowlan>	 I have done manual stuff after that
[13:38:38] <volans>	 it's better to understand the failure and let the automation do all the steps
[13:38:49] <hnowlan>	 running `puppet agent --test` and then signing on the puppetmaster, which I would expect to do for a host where the cert has changed between installs.
[13:39:00] <hnowlan>	 So was the source of the failure the fact that there was a preexisting certificate on the master?
[13:39:21] <volans>	 no, that cert has been revoked on the master at the start
[13:39:26] <volans>	 it's all taken care by the reimage script
[13:39:38] <volans>	 that performs many additional steps
[13:39:41] <volans>	 before adn after
[13:39:46] <volans>	 the reimage
[13:40:18] <volans>	 May 29 13:09:48 puppetmaster1001 puppet-master[25310]: restbase2009.codfw.wmnet has a waiting certificate request
[13:40:53] <volans>	 that's before the reimage detected the host was up:
[13:40:57] <volans>	 2020-05-29 13:10:25 [INFO] (hnowlan) wmf-auto-reimage::print_line: Uptime checked
[13:41:14] <volans>	 so that means that the puppet agent was already run once at that point
[13:41:17] <volans>	 which OS are you installing?
[13:42:21] <volans>	 stretch I see
[13:42:43] <volans>	 May 29 13:09:45 restbase2009 systemd[1]: Started Puppet agent.
[13:42:55] <hnowlan>	 Yep, just wanted to fully reimage it as it was before
[13:45:32] <volans>	 jbond42: by any chance do you know if anything has changed recently in the deb package for puppet for stretch?
[13:45:37] <volans>	 5.5.10-2~deb9u2
[13:46:02] <volans>	 it seems that systemd started puppet-agent after the reboot after the debian-installer
[13:46:24] <volans>	 that logic has already changed once in the past, hence asking
[13:46:39] <moritzm>	 I have a hunch, let me check
[13:47:40] <volans>	 hnowlan: most reimages nowadays are done with buster, hence you might have hit some corner case
[13:48:34] <moritzm>	 indeed, this is a side effect of one of the change which moved Puppet 5 / Facter 3 into "main", making a patch to fix this
[13:48:35] <hnowlan>	 One thing I'm curious about is the empty message in the error `Unable to find certificate fingerprint in:`. Looks like there was no output from `puppet_generate_certs`
[13:49:06] <volans>	 hnowlan: that's: 'Unable to find certificate fingerprint in:\n{msg}'
[13:49:25] <volans>	 so being "Exiting; no certificate found and waitforcert is disabled" the message
[13:49:37] <hnowlan>	 ohh, misunderstood that newline
[13:49:43] <hnowlan>	 the leading one
[13:49:46] <volans>	 because the puppet agent shows the newly generated cert and it's fingerprint only at the first one
[13:49:49] <volans>	 *run
[13:49:58] <volans>	 at subsequent runs it shows just that message
[13:50:15] <volans>	 that is misleading, I know :)
[13:50:27] <volans>	 moritzm: you rock, thanks!
[13:52:01] <moritzm>	 https://gerrit.wikimedia.org/r/599867 should fix it
[13:53:54] <volans>	 great! thanks a lot.
[13:54:02] <hnowlan>	 thanks moritzm!
[13:54:12] <volans>	 hnowlan: would you be ok to retry the reimage once merged it not too much trouble?
[13:54:21] <hnowlan>	 absolutely, no bother
[13:54:44] <volans>	 sorry for the trouble. I'm also curious, why re-imaging into the same OS? :D
[13:56:23] <hnowlan>	 Just a dead disk replacement, cassandra running in JBOD so it's simpler to reimage as si
[13:56:35] <volans>	 got it :)
[13:56:53] <moritzm>	 hnowlan: merged  the patch and ran puppet on preseed servers
[13:57:25] <moritzm>	 there goes my secret plan to silently break stretch installs and force people into moving to buster :-)
[13:57:37] <hnowlan>	 haha, sorry :D
[13:58:06] <hnowlan>	 We're talking about upgrading I promise
[13:58:13] <volans>	 lol
[14:00:37] <bblack>	 future chaos engineering ideas: have a scheduled task that reimages one random server in the fleet every 6 hours during monday-thurs working hours.  let service owners blacklist critical servers that can't be part of that scheme.
[14:00:47] <bblack>	 use blacklist to guide future efforts to reduce it :)
[14:01:12] <cdanis>	 bblack: +1
[14:01:29] <volans>	 we're discussed/proposed this multiple times in the past few years :)
[14:01:34] <mutante>	 we can start with bastions, they need to be upgraded to buster and worst case some people need to use another one, heh
[14:02:07] <volans>	 bblack: clearly the blocker for this is the service owners catalog :-P
[14:02:40] <bblack>	 well, creating the mechanism and announcing a start date a few months out might get people thinking about the ones they care about
[14:02:43] <cdanis>	 well kormat just mostly-fixed one other blocker
[14:02:48] <cdanis>	 (keeping /srv around across reimages)
[14:03:13] <bblack>	 that's cheating a little, but I guess it reduces the blacklist considerably for the first go-round
[14:03:51] <cdanis>	 I don't think it's cheating
[14:04:20] <bblack>	 it's not cheating if it's an optimization and the contents of /srv would be reproduced on reimage anyways, just slower
[14:04:31] <cdanis>	 yeah, I agree
[14:05:10] <_joe_>	 it is cheating if what you want to test is that your host is expendable
[14:05:14] <_joe_>	 databases clearly aren't
[14:05:17] <bblack>	 right
[14:05:24] <_joe_>	 not completely expendable at least
[14:05:27] <bblack>	 but they can be, hypothetically, in some future architecture
[14:05:49] <_joe_>	 bblack: let me rephrase "not expendable without cost/time/more resources"
[14:06:08] <_joe_>	 so in general you don't want to force yourself to reimport all the db data from another host, if possible
[14:06:33] <volans>	 or re-shuffle all shards for ES
[14:26:56] <hnowlan>	 moritzm: patch worked, thank you!
[14:44:57] <moritzm>	 great :-)
[14:50:54] <cdanis>	 elukey: XioNoX: have a minute for a last glance at https://gerrit.wikimedia.org/r/c/operations/puppet/+/598841 ?
[14:51:13] <cdanis>	 we do seem to have fixed the issue -- https://phabricator.wikimedia.org/T253128#6177207
[14:52:14] <XioNoX>	 cdanis: lgtm
[14:52:33] <cdanis>	 ty, will disable puppet on netflow* and roll out carefully
[14:58:27] <elukey>	 lgtm!
[15:09:18] <XioNoX>	 https://www.youtube.com/watch?v=XkfpopJFAdk
[15:09:44] <XioNoX>	 "how to repair network at scale" from google, is the first talk
[15:12:57] <cdanis>	 ty!
[15:36:48] <elukey>	 XioNoX: the network is never broken
[15:37:00] <elukey>	 :D
[15:37:12] <XioNoX>	 haha
[15:37:15] <XioNoX>	 I wish
[15:37:55] <XioNoX>	 but then they could not talk about their tooling to open vendor tickets automatically, all the way to the RMA
[15:45:24] <cdanis>	 ahaha
[15:46:24] <cdanis>	 "psychology of ipv6", sounds interesting
[15:49:32] <XioNoX>	 I had doubts, but it's fun
[15:51:35] <cdanis>	 "excuse factory" is good
[18:06:56] <rzl>	 apergos, marostegui: be advised in https://gerrit.wikimedia.org/r/593797 I've moved your cheese, if you need to re-enable that job you can find it under modules/profile/manifests/mediawiki/maintenance/ now
[18:16:10] <apergos>	 uh thanks though I don't know how I made the notify list :-)
[18:20:42] <rzl>	 apergos: via https://gerrit.wikimedia.org/r/596172 :) wasn't sure if you'd care about it long-term, but I figured too loud is better than too quiet
[18:23:40] <apergos>	 lol
[18:24:06] <apergos>	 nah it's fine, and the next time people need to tinker with the maintenance jobs I'm sure they'll find the new location
[18:24:15] <rzl>	 👍
[18:24:30] <apergos>	 (p.s. betting odds it won't be me)
[18:24:37] <rzl>	 haha acknowledged
[20:54:41] <andrewbogott>	 A friday afternoon puzzle:  I have two hosts that I recently rebuilt with Buster.  I have some amorphous/invisible connectivity issues and suspect that one of the services involved is choking on ipv6 origination IPs.  So… I'm trying to just disable v6 on both servers as an experiment.
[20:54:42] <andrewbogott>	 sysctl -w net.ipv6.conf.all.disable_ipv6=1
[20:54:48] <andrewbogott>	 On one of them, that does what I'd expect
[20:54:57] <andrewbogott>	 the other falls of the network entirely and can't be reached until a reboot
[20:55:04] <andrewbogott>	 So… what is different between those two?
[21:36:41] <andrewbogott>	 oops, I'm wrong, they both fail if I run that command
[21:42:27] <cdanis>	 do they actually fall off the network entirely, or is your ssh connection using ipv6 from the bastion?
[22:01:23] <andrewbogott>	 cdanis: probably the latter, although I can't subsequently ssh to them
[22:01:44] <andrewbogott>	 so now I'm on to a new issue, which is that it appears that ipv6 traffic is just filtered between my two hosts
[22:01:53] <andrewbogott>	 that would certainly account for connectivity issues
[22:02:45] <andrewbogott>	 ex:
[22:02:54] <andrewbogott>	 https://www.irccloud.com/pastebin/gVorHwpb/
[22:07:56] <bd808>	 andrewbogott: hmm.. that could be fallout from the ipv6 stuff that a.rturo was doing last quarter maybe? Is that IPv6 network non-standard?
[22:09:28] <cdanis>	 connection refused might indicate that the service is configured to listen on ipv4 but not ipv6, netstat -l should help
[22:09:35] * cdanis afk
[22:09:42] <andrewbogott>	 cdanis: yes, that's my current theory although I'm not sure it's complete
[22:12:09] <Krenair>	 it's not that I don't think
[22:12:20] <Krenair>	 I can telnet to that IPv6 address from my laptop
[22:13:44] <Krenair>	 andrewbogott, maybe traceroute?
[22:14:37] <andrewbogott>	 I think I have the immediate v4/v6 thing sorted
[22:14:48] <andrewbogott>	 not sure if that's going to help with my 'actual' issue but going to make a patch before I forget
[22:16:19] <andrewbogott>	 extremely simple change: https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/600017/1/modules/openstack/templates/rocky/designate/designate.conf.erb
[22:52:30] <bd808>	 andrewbogott: yeah, that should bind to all ipv6+ipv4 addrs
[22:53:10] <andrewbogott>	 yeah, too bad it didn't actually fix the bug :(