[08:54:53] <godog>	 akosiaris: re: kubetcd monitoring, I see the targets are down according to prometheus here https://grafana.wikimedia.org/d/NEJu05xZz/prometheus-targets?orgId=1&from=now-1h&to=now
[08:55:10] <godog>	 and indeed prometheus1003:~$ curl kubetcd1004:2379/metrics
[08:55:17] <godog>	 returns an empty body
[08:55:30] <akosiaris>	 https://
[08:55:38] <akosiaris>	 maybe I need to switch the scheme
[08:56:00] <godog>	 ah! no my mistake, the config has https
[08:56:13] <godog>	 but missing SAN, maybe it is that
[08:56:29] <akosiaris>	 ah it needs fqdn perhaps?
[08:56:47] <akosiaris>	 yeah the fqdn works fine as well
[08:57:23] <godog>	 indeed
[08:58:16] <akosiaris>	 subject: CN=_etcd-server-ssl._tcp.k8s3.eqiad.wmnet
[08:58:30] <akosiaris>	 I guess we can reissue them with the hostname as well as the fqdns as SANs
[08:58:43] <akosiaris>	 unless it's easy to use fqdns instead
[08:59:08] <godog>	 so yeah either the hostname in SAN or hostnames_only => false in the class_config
[08:59:31] <akosiaris>	 I 'll do latter.. seems faster
[08:59:34] <akosiaris>	 thanks for that pointer
[08:59:57] <godog>	 I think the former would be preferrable, the latter changes the 'instance' label to be a fqdn as a side effect, if you don't mind that then yeah it is faster
[09:02:00] <akosiaris>	 I actually prefer the instance to be fqdn in most cases
[09:02:15] <akosiaris>	 but I haven't really created anything yet, so for now it's a moot point
[09:02:49] <godog>	 indeed
[11:43:06] <hnowlan>	 heads-up, I'm gonna remove remaining changeprop components from scb in a few minutes https://gerrit.wikimedia.org/r/c/operations/puppet/+/603534
[13:04:43] <apergos>	 what impact should this have?
[13:26:01] <_joe_>	 none
[13:26:09] <_joe_>	 hnowlan: burn with fire
[13:29:25] <hnowlan>	 all gone
[13:55:13] <cmjohnson1>	 marostegui d1 and d2 pdu swap has been completed.
[13:55:23] <marostegui>	 cmjohnson1: \o/ thanks
[13:55:41] <cmjohnson1>	 Jeff_Green I am going to be starting fundrasing rack now, C1-eqiad
[14:11:47] <volans>	 how can I talk to about url-downloader? dns git blame suggests Alex but was from 2016 :)
[14:12:47] <kormat>	 we should fix git blame. hardcode the output to say "it's elukey. it's always elukey"
[14:15:40] <XioNoX>	 can volans call volans ?
[14:16:13] <volans>	 every time I try it's occupied
[14:16:41] <moritzm>	 volans: what do you need wrt url downloaders?
[14:17:08] <marostegui>	 XioNoX: he'd find a nit for sure
[14:17:21] <XioNoX>	 hahaha
[14:17:59] <volans>	 moritzm: so, we have url-downloader.eqiad.wikimedia.org (and similar for codfw) that are A records with the same IP of urldownloader[12]002
[14:18:08] <volans>	 and then we have url-downloader        1H  IN CNAME      url-downloader.eqiad
[14:18:34] <volans>	 I was wondering if 1) we need all those 3 records or just one it's enough and 2) if they could all be CNAMEs
[14:21:13] <moritzm>	 depends on what is being used in the deployments, I guess url-downloader might have been a thing from the time before codfw was setup
[14:21:31] <moritzm>	 I think in Puppet we mostly configure the site specific CNAMEs
[14:22:04] <moritzm>	 not sure about images
[14:23:11] <moritzm>	 I'm not why those a A records
[14:23:36] <moritzm>	 and I don't see a reason why a CNAME wouldn't work
[14:24:40] <volans>	 I miss the context for what they are used, but from the name I couldn't think of a use case where a cname wouldn't work
[14:24:56] <volans>	 I can send a patch to convert them
[14:25:06] <volans>	 if there is someone willing to merge it :D
[14:28:25] <moritzm>	 we can simply give it a shot on eqiad first, it receives some minor level of requests as well
[14:29:37] <volans>	 ack, btw they are all 1H TTL, if the idea was to do failovers is not great
[14:33:06] <moritzm>	 I think that's simply because noone ever bothered to change away from the 1H default, the url downloaders are practically maintenance free apart from the odd OS upgrades
[14:35:53] <volans>	 ack
[14:36:38] <volans>	 moritzm: there is one trick move to cnames, it will be v6 too
[14:36:47] <volans>	 and maybe by default v6
[14:36:58] <volans>	 in case the listener is not configured for it
[14:37:19] <volans>	 the hosts have v6 defined in DNS fwiw
[14:39:35] <moritzm>	 just checked, squid also listens on v6
[14:40:21] <volans>	 great
[14:40:53] <volans>	 patch sent
[14:42:50] <XioNoX>	 and maybe check ip6tables too
[14:44:02] <moritzm>	 volans: +1d, I can merge this on Monday and keep an eye on it
[14:44:39] <volans>	 moritzm: sounds perfect, thanks a lot
[14:46:09] <volans>	 XioNoX: at first look ip6tables looks very similar to the v4 one
[14:46:36] <XioNoX>	 great
[14:49:42] <elukey>	 kormat: meta question - who's this elukey person that you people keep mentioning today?
[14:50:12] <elukey>	 :D
[14:51:06] <kormat>	 elukey: if you don't know, i'd keep it that way. :)
[16:20:03] <marostegui>	 wikibugs down?
[16:20:31] <marostegui>	 Going to give it a restart
[16:27:58] <hauskatze>	 marostegui: I can restart it if you want or don't have access
[16:28:20] <marostegui>	 hauskatze: thanks - done already :)
[16:28:37] <hauskatze>	 Looks it's working though
[16:28:42] <hauskatze>	 On some channels at least
[16:29:26] <marostegui>	 hauskatze: yeah, I restarted 8 minutes ago :)
[17:04:56] <andrewbogott>	 volans: interested in hearing about weird sre.hosts.decommission behavior?  (or if not you, someone?)
[17:05:39] <volans>	 andrewbogott: sure, shoot
[17:06:06] <andrewbogott>	 ugh, hard to backscroll in 'screen'
[17:06:08] <andrewbogott>	 https://www.irccloud.com/pastebin/4mcsuyr4/
[17:06:31] <andrewbogott>	 This could easily be user error, I'm not sure I've used this before
[17:07:37] <volans>	 that spacing makes it super hard to read
[17:08:01] <volans>	 what CLI did you run?
[17:08:15] <andrewbogott>	 sudo cookbook -d  sre.hosts.decommission --force FORCE cloudvirt100[1-9].eqiad.wmnet  -t  T263151
[17:08:15] <stashbot>	 T263151: decommission cloudvirt100[1-9].eqiad.wmnet - https://phabricator.wikimedia.org/T263151
[17:09:31] <volans>	 what's --force FORCE ?!?!?
[17:09:45] <andrewbogott>	 without it it will only do up to six hosts at once
[17:09:51] <volans>	 ah damn, that's supposed to be an action store_true
[17:09:54] <volans>	 I'll add it
[17:09:55] <andrewbogott>	 I can try doing six without it
[17:09:55] <rzl>	 it does the decommission with a hammer
[17:10:00] <volans>	 but unrelated
[17:10:35] <volans>	 so you run it in dry-run
[17:11:09] <volans>	 in dry-run we force the netbox-ro token to be selected
[17:11:14] <volans>	 because you know, dry-run
[17:11:38] <andrewbogott>	 Maybe it does a dry run by default?  I definitely didn't specify dry-run on the cli
[17:11:45] <volans>	 yes -d
[17:11:48] <andrewbogott>	 oh!
[17:11:49] <andrewbogott>	 ok
[17:12:06] <andrewbogott>	 want me to try again without?
[17:12:08] <volans>	 I can make it faile in a better way, it's very hard to make this one work with dry-run
[17:12:15] <volans>	 sure go head should work fine
[17:12:20] <volans>	 last famous words™
[17:13:14] <andrewbogott>	 seems happy so far
[17:13:38] <andrewbogott>	 probably no need to actually fix anything here
[17:13:45] <volans>	 the argument for sure
[17:13:56] <andrewbogott>	 I guess you could make the recipe say 'nope, I can't do a dry run' if asked
[17:16:36] <volans>	 I think I can make it work, let me try
[17:19:28] <volans>	 patch sent
[17:24:28] <andrewbogott>	 hm, now it's proposing to remove
[17:24:41] <andrewbogott>	 db1131                                   1H IN AAAA 2620:0:861:103:10:64:32:6
[17:24:52] <andrewbogott>	 from dns along with the cloudvirt bits
[17:25:23] <volans>	 andrewbogott: yeah expected, go ahead
[17:25:31] <andrewbogott>	 ok.  Just a race with other dns changes?
[17:25:46] <volans>	 I forgot to run the dns cookbook after fixing a weird situation in netbox
[17:25:52] <volans>	 that host got moved row today
[17:25:56] <andrewbogott>	 ok
[17:27:08] <volans>	 andrewbogott: you're the lucky one finding weird stuff
[17:27:15] <volans>	 I'm failing to see in the task what failed for cloudvirt1005.eqiad.wmnet (FAIL)
[17:27:32] <volans>	 was the stdout more clear?
[17:27:36] <andrewbogott>	 https://www.irccloud.com/pastebin/uvA6Epaj/
[17:28:02] <volans>	 yeah tht's the same of the task
[17:28:07] <volans>	 I meant specific to 1005
[17:28:23] <volans>	 see https://phabricator.wikimedia.org/T263151#6471727
[17:28:41] <volans>	 failed actions are in bold, let me look at the logs
[17:31:59] <volans>	 andrewbogott: got it, Failed downtime host on Icinga (likely already removed)
[17:32:14] <andrewbogott>	 as long as it did everything else that doesn't worry me :)
[17:32:15] <volans>	 it shouldn't consider it a failure of the whole thing
[17:32:49] <andrewbogott>	 ok for me to move ahead with purging puppet/dns?
[17:33:18] <volans>	 yeah  Idon't see any blocker
[17:34:12] <volans>	 included fix/improvement in the existing cr
[17:34:17] <andrewbogott>	 'k
[17:34:33] <andrewbogott>	 thank you!  This is all pretty great even with confusing output :)
[17:35:54] <volans>	 :)
[18:11:08] <mutante>	 trying to build the Etherpad package on deneb. running into "Unmet build dependencies: nodejs (>= 10) npm (>= 5.8) libpq-dev". I know there would be "apt-get build-dep etherpad-lite" but also that since we use pbuilder/pdebuild we should be able to avoid cluttering the build host like that and it should "just work". It doesn't though for me.
[18:13:34] <elukey>	 this is on kafka main nodes:
[18:13:34] <elukey>	 Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, changeprop-admin is not a valid group name
[18:15:22] <mutante>	 looks like from https://gerrit.wikimedia.org/r/c/operations/puppet/+/603534
[18:16:16] <mutante>	 elukey: i'll fix that
[18:18:09] <elukey>	 mutante: thanks!
[18:23:18] <mutante>	 aww. there is a second error hidden behind that. cpjobqueue-admin is not a valid group name
[18:35:13] <mutante>	 elukey: i ran puppet on kafka-main via cumin (6 hosts) and should all be recovered. leaving comments on that ticket to make sure it's also desired that these shell users can't get on kafka hosts anymore, only roots now