So either we need to get toolforge roots automatic access to cloudcuminxxxx hosts, or we need to split out a subset of cookbooks to run on cloud-vps (which I fear we just got done with un-splitting). cc'ing @fnegri who likely has already thought this through.

For those following along with extra energy, here are things I'd be interested in:

I worked on this a bit over the break. I'm pretty happy with the static site that httrack produces. It was generated like this:

We're now using the project-local recursor for integration-agent-docker-*. This won't really give us an answer but it will at least provide a big more diagnostic info.

This DB filled up and got stuck; I increased the size (and quota) to 85GB in order to provide room to maneuver and get things unstuck.

For science (and to be totally sure that this failure is upstream from the integration project), I have made a project-local dns recursor in the Integration project.

I don't know if that's what fixed it, but I enabled 'hard-disk failover' and bios booting and reimaged and it made it to the end.

I will have another go!

Done (for 'search')

Due to a sad but well-known upstream issue (https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/HENIUNVB475QPYFALDTSMTN67Q32J2X5/) this project probably cannot use object storage. We can definitely create you a new project for use as an object-storage container (or move you to a new project entirely if you prefer).

A cI job failed with a dns failure at 8:13

Thank you for pursuing this, @cmooney

I designated every drive a non-raid drive in the bios and now the install is completing. I can't make it stop installing though, it just keeps installing debian over and over despite repeated attempts at

This server seems to have a raid controller, which is different from all the other standard ceph OSD nodes. Not sure how that happened but I should be able to work around it -- will update on the task when I get somewhere.

In T382492#10415566, @RobH wrote:

@Andrew,

Two call outs! The original ordering task had a bad hostname range provided by you for racking "Hostnames: cloudvirt1068 - cloudvirt1066" but that makes no sense as it goes down by 2, and even a swap of the numbers isn't accurate. If we order 9 hosts and start with cloudvirt1068 as a new hostname, then its cloudvirt1068 to cloudvirt1074 for a total of 9 hosts.

In T374830#10415630, @Lucas_Werkmeister_WMDE wrote:

The last DNS failures I saw were indeed just over 24 hours ago (13:30 UTC yesterday), but slightly after that Puppet change was merged IIUC (but maybe before it rolled out everywhere?).

Using hashar's test

The two small drives should be mirrored (raid 1) and used for the OS, the larger drives left unformatted for Ceph to manage.

As passed labtestwikitech, so passed these clouddb hosts.

Created T382412 about relocating the cloudnet-dev servers.

@hashar do the containers in question map the system /etc/resolv.conf such that if I alter it the change will take effect immediately in the containers? Or do I need to alter the container config somehow?

Just setting

Updated docs look good. Thanks for polishing up this already-done task!

Can't promise that I'll finish this task but I'm currently working on making an httrack copy of wikitech

indeed, that same postgres crash is happening again

In T359820#10407316, @MoritzMuehlenhoff wrote:

In T359820#10407226, @Andrew wrote:

@SLyngshede-WMF one last little thing, can you please update the docs at https://office.wikimedia.org/wiki/Security/LDAP#Disabling_a_Non-Staff/Non-NDA_User_for_Production for what I presume is a new slightly different workflow? thank you!

The capability is part of Bitu, but initially was only enabled for these users: anticomposite, deltaquad, urbanecm, jjmc89 (stewards), bd808, Simon, myself and Taavi.

We should also add a few more people from Wikimedia Cloud Services, can you sort out with the team who to add?

this seems to be working now

@SLyngshede-WMF one last little thing, can you please update the docs at https://office.wikimedia.org/wiki/Security/LDAP#Disabling_a_Non-Staff/Non-NDA_User_for_Production for what I presume is a new slightly different workflow? thank you!

This is no longer happening, but is concerning! I'm mentally filing it in the same box as T374830 because it's one more reason I don't totally trust our network setup.

Hi @Jclark-ctr -- ideally I would consult with David about racking details but he's out until the first. Are these servers already gathering dust or do we have a while before they show up?

*now working correctly :D

This warning is no longer displayed, and having lots of facts doesn't seem to actually break anything.

@bd808 suspects that this is a conntrack table issue, which fits the pattern of the failure. A table overflow should show up in logs, though, and I can't turn up anything with greps e.g.

@Lucas_Werkmeister_WMDE I don't think it's necessary to post more examples, we're able to reproduce the issue albeit not with regularity. Most of the SREs are at an offsite and/or out sick this week so progress towards a fix will not be super fast unfortunately.

awesome

These hosts have a somewhat unusual vlan setup, so my guess is something is tripping on that -- paging @cmooney for manual cleanup.

In T376267#10394651, @taavi wrote:

I was just looking over @Sarai-WMF's shoulder and wikitech is for some reason not editable for her.

What exactly does this mean? Is there some permission error on the edit/"view source" pages?

Oh, I should add that there was a roadbump with running resize2fs because the volume was mounted both on the VM OS level and also within the docker container. Had to unmount and also kill the db container before resizing.

@Magnus sorry for the hangup, looks like Trove automation isn't great at this yet. I did a bit of hands-on repair and I think you're good to go now (at least, all the status flags say that thins are up and working.) Do things look good from your end?

I was just looking over @Sarai-WMF's shoulder and wikitech is for some reason not editable for her. I gave her the comfirmed user right and that didn't change anything.

Timing is flexible although I'd like to do a graceful shutdown and check after the fact. Can this wait until next week when I'm back from the offsite? If you'd like to do it sooner just please do a graceful on-console shutdown of the server and then ping me here when it's back up. Thanks!

Resizing may or may not be graceful but has worked for me recently

Not directly related but likely to suffer fallout from this one way or another: T381293

@taavi -- for future reference, regenerating the config file just consists of deleting replica.my.cnf on the nfs server and waiting for it to be dropped back in place by maintain-dbusers? Or were there more steps?

Hello again @Multichill -- this request is stalled pending your response.

It completed.

The primary/reported issue is failing dns lookups. I can reproduce that from a VM with e.g.

I've replaced a lot of these metrics, but maybe not all of them. @aborrero can you tell me how to reproduce the panel in the screenshot?

I've checked all the resolv.confs and they all look fine. I'm passing this task over to @ssingh to review what fnegri and dcaro determined about the low-level puppet resolv functions... I don't see obvious low-level ways to prevent this sort of thing happening in the future but it's worth digging deeper.

The set of 'slow' hypervisors includes cloudvirt1033 which is is currently drained and running only a canary. So that rules out noisy neighbor issues within a cloudvirt.

I was hoping the slow lookups would correspond to rack or row, but it seems not.

In T381419#10376812, @hashar wrote:

We have 18 integration-agent-docker instances each at 24G of Ram (432G). If we wanted to fit 4 builds of 12G in memory, that would be 48G more per host or a 864G increase for a total usage of 1296G. Maybe it is overkill, but maybe we can do that on a couple host and see whether it might be worth it.

I had some hope that work on T381373 would help with this but it doesn't seem to. I'm still seeing ping hesitations today:

This has been recurring for some time (e.g. T368211) so probably needs DC attention. @Jhancock.wm, it's OK to power down this system if necessary, with a small bit of notice to the wmcs team.

This is possibly related to https://phabricator.wikimedia.org/T381078 although the timing doesn't really line up