[08:25:55] <godog>	 urandom: no policy re: team=sre for probes, I'm assuming you are talking about service::catalog 'probes' section ? at any rate I just filed https://phabricator.wikimedia.org/T399807
[08:26:11] <godog>	 we haven't implemented the functionality though we totally should
[08:52:47] <dcaro>	 tappof: We got a new alert `DeadManSwitch` popping up, and I found a patch of yours attached to it, is there anything we have to do? (the task does not say much)
[09:01:32] <tappof>	 hi dcaro , it's a check for metamonitoring. Nothing special to do. I'll work on hiding it from alerts permanently.
[09:04:35] <dcaro>	 nice, 👍
[13:07:20] <urandom>	 godog: I was looking at prometheus::blackbox::check::tcp
[13:07:51] <godog>	 urandom: ah! that supports 'team' parameter iirc
[13:07:53] <urandom>	 godog: I don't know it's a problem per say.  I mean, data persistence is a subset of sre
[13:08:06] <urandom>	 yes, but it seems almost no one uses that
[13:08:29] <urandom>	 typically, uses rely on the default of `sre`
[13:08:58] <godog>	 got it, yeah I guess for most things it is fine, I'm thinking also of paging checks
[13:09:25] <godog>	 however I don't see downsides with other teams for specific things
[13:09:32] <urandom>	 yeah, that's what I was wondering.... I noticed this when I attempted to filter by team=data-persistence in the alerts dashboard
[13:10:10] <urandom>	 which might not be the (main) purpose of that categorization (paging, being the primary)
[13:10:45] <godog>	 heh yeah I was thinking the paging case too, for that I'd imagine team=sre makes sense in most cases
[13:11:00] <urandom>	 but probedown doesn't page, does it?
[13:11:55] <urandom>	 oh, maybe it can?
[13:12:25] <godog>	 it can and it does yes, for example most service::catalog probes page
[13:28:44] <urandom>	 interesting, this had me looking at other active `ProbeDown`s, and I found: https://alerts.wikimedia.org/?q=%40state%3Dactive&q=%40cluster%3Dwikimedia.org&q=alertname%3DProbeDown (a month old!)  The logs for that showing a tcp 'connection reset by peer': https://logstash.wikimedia.org/goto/03d362e5e973dcd85a52821f5af7b0b2
[13:29:11] <urandom>	 https://www.irccloud.com/pastebin/KjkbB1HY/
[13:29:43] <godog>	 sob
[13:30:04] <godog>	 as in the exclamation, not the expletive
[13:30:18] <urandom>	 what's up with that, keys/certs??
[13:31:09] <urandom>	 godog: it almost works interchangeably though, doesn't it?
[13:32:24] <godog>	 lol it really does
[13:33:02] <godog>	 but yeah no idea tbh what's up with that, I don't think it is certs
[13:33:36] <urandom>	 curl seems prone to red herrings
[13:34:12] <urandom>	 all I could think of was that it didn't like the CN or something, and that the error itself was misleading
[13:41:21] <godog>	 mmhh I would have expected to go a little further in tls in that case
[14:10:30] <urandom>	 godog: the reason it fails (at least using curl from the deployment server) is that you need to use SNI
[14:10:52] <urandom>	 https://www.irccloud.com/pastebin/D80cq4Wp/
[14:11:32] <urandom>	 godog: but what that also be the problem with the http probe?  surely this isn't he only probe that would require that?
[14:11:50] <urandom>	 s/but what/but would/
[14:13:39] <godog>	 hah! good find, and yes indeed not the only probe that would require that
[14:14:06] <godog>	 I think what's happening is that the probe is sending data-gateway-staging as SNI not data-gateway
[14:14:37] <godog>	 IOW there's a host: data-gateway.k8s-staging.discovery.wmnet parameter missing from service::catalog
[14:14:49] <godog>	 by defualt the name/sni is inferred from the service::catalog entry
[14:15:23] <akosiaris>	 yeah, I see the stanza is pretty simple
[14:15:23] <akosiaris>	 - labels:
[14:15:23] <akosiaris>	     address: 10.2.2.69
[14:15:23] <akosiaris>	     family: ip4
[14:15:23] <akosiaris>	     module: http_data-gateway-staging_ip4
[14:15:24] <akosiaris>	   targets:
[14:15:25] <akosiaris>	   - data-gateway-staging:30443@https://[10.2.2.69]:30443/healthz
[14:15:39] <akosiaris>	 and it's more or less the exact same for the data-gateway (minus the IP)
[14:15:47] <akosiaris>	 so what godog suggests checks out
[14:23:03] <urandom>	 ok —stupid question— where is this configured?
[14:25:03] <godog>	 not a stupid question! that's service::catalog in hieradata/common/service.yaml
[14:26:31] <urandom>	 does that generate the snippet a.kosiaris posted?
[14:29:24] <urandom>	 it must...
[14:29:52] <godog>	 yes that's correct, that yaml gets grinded by puppet into pieces and spat out as various configurations
[14:31:30] <urandom>	 got it; thanks!
[14:32:30] <godog>	 sure np!
[14:32:31] <godog>	 go akosiaris 
[14:32:37] <godog>	 yeah! go akosiaris!
[14:33:03] <akosiaris>	 :D
[14:37:58] <urandom>	 yes; thank you both!
[14:38:05] <urandom>	 TIL
[16:11:33] <urandom>	 following up on the above, where does puppet need to be run for changes to service::catalog like this?  after merging https://gerrit.wikimedia.org/r/c/operations/puppet/+/1170361 the eqiad alerts have cleared, but codfw remain (and it's been about 1.5 hours)
[17:00:58] <mutante>	 given that it's on k8s-staging, it seems to me that should not page all of SRE, because it's staging
[17:01:59] <mutante>	 for that I would recommend using the team= and send email to the service owners or let it create phab tickets. actually I personally think automatic tickets are the best option
[17:02:19] <mutante>	 we do this in my team for everything, like every failed systemd unit
[18:02:37] <cwhite>	 urandom: the changes have been applied to both eqiad and codfw.  the difference appears to be that the prober in codfw attempts to probe 10.2.1.69, as opposed to eqiad probing 10.2.2.69
[18:03:15] <cwhite>	 is data-gateway available in the codfw k8s-staging cluster?
[18:03:16] <urandom>	 oh yeah, it does
[18:06:03] <urandom>	 cwhite: good question, I'm not sure
[18:07:00] <cwhite>	 I'm thinking maybe not? https://etherpad.wikimedia.org/p/vu2HtvX1j5JDJUDGrbtY
[18:08:46] <urandom>	 that's funny, so that connection reset by peer is NOT a red herring
[18:10:15] <urandom>	 so... I don't think it was for this service per say, but I remember something about not really using/deploying to codfw staging
[18:10:52] <urandom>	 so I wonder if the fix isn't to just remove that data-center from sites?
[18:11:24] <urandom>	 actually, this is probably where I should invoke swfrench-wmf, since they set this up!
[18:11:36] <swfrench-wmf>	 ruh roh
[18:12:19] <urandom>	 swfrench-wmf: so date-gateway-staging in hieradata/common/service.yaml uses sites: [eqiad, codfw]
[18:12:26] <urandom>	 but I think it's not deployed to codfw
[18:12:55] <urandom>	 and the result is failed http probes: https://logstash.wikimedia.org/goto/03d362e5e973dcd85a52821f5af7b0b2
[18:13:25] <urandom>	 so... should that be codfw?  or... is it good, but should be removed from `sites`?
[18:14:12] <urandom>	 good as-in, good/right the way it is, and wrong that it be listed as both
[18:14:38] <swfrench-wmf>	 thanks for the summary! getting up to speed and trying recall why we set it up this way :)
[18:15:32] <swfrench-wmf>	 in general, most services only deploy to staging in eqiad, so yeah - it would be surprising to data-gateway there in codfw
[18:15:58] <urandom>	 the cassandra staging cluster which it connects to is in codfw
[18:16:06] <urandom>	 in case it was a side-effect of that
[18:16:06] <swfrench-wmf>	 oh, wait ... I didn't create this service
[18:16:41] <swfrench-wmf>	 so, I was also surprised by the presence of a service-catalog service
[18:16:59] <swfrench-wmf>	 note that other "cassandra http gateway" shaped stuff doesn't have a service-catalog entry
[18:17:17] <swfrench-wmf>	 we just use CNAMEs to the relevant k8s ingress addresses
[18:17:27] <swfrench-wmf>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/1133848
[18:18:23] <urandom>	 oh
[18:18:43] <urandom>	 stuff happens so much
[18:18:54] <swfrench-wmf>	 i know, right? :)
[18:19:30] <urandom>	 ok, so then is it fair to say codfw was included there erroneously?
[18:19:33] <swfrench-wmf>	 so yeah, I _think_ the right way to go here is indeed to just drop codfw from the sites list
[18:19:39] <urandom>	 right right
[18:19:40] <swfrench-wmf>	 it seems so, yeah
[18:19:46] <swfrench-wmf>	 let's see what PCC says :)
[18:20:20] <urandom>	 which host does this need to be compiled for?
[18:23:13] <swfrench-wmf>	 prometheus2006 it seems?
[18:23:24] <swfrench-wmf>	 at least that's where the probes seem to be running / failing
[18:24:13] <urandom>	 oh, duh
[18:24:52] * urandom is about to find out what `auto` chooses
[18:26:13] <urandom>	 tl;dr nothing good
[18:27:14] * swfrench-wmf is trying to read through the mess of puppet code to see if this should work
[18:29:53] <swfrench-wmf>	 okay, this is what I was looking for: https://gerrit.wikimedia.org/g/operations/puppet/+/864a1fe7ea08b5fbced05ce7e2944c78543bddd5/modules/profile/manifests/prometheus/ops.pp#322
[18:32:06] <urandom>	 swfrench-wmf: https://puppet-compiler.wmflabs.org/output/1170400/4550/prometheus2006.codfw.wmnet/index.html
[18:32:58] <swfrench-wmf>	 cool, that looks like what I'd expect given the above
[18:33:50] <urandom>	 cool, thanks for the help!
[18:34:24] <urandom>	 even if I rattled your cage on the basis that you had first-hand knowledge that you didn't :)
[18:36:01] <swfrench-wmf>	 heh, always happy to help with a low-stakes puzzle regardless :)
[21:47:40] <jinxer-wm>	 FIRING: LogstashIndexingFailures: Logstash Elasticsearch indexing errors - https://wikitech.wikimedia.org/wiki/Logstash#Indexing_errors - https://grafana.wikimedia.org/d/000000561/logstash?viewPanel=40&var-datasource=codfw%20prometheus/ops - https://alerts.wikimedia.org/?q=alertname%3DLogstashIndexingFailures
[21:52:40] <jinxer-wm>	 RESOLVED: [2x] LogstashIndexingFailures: Logstash Elasticsearch indexing errors - https://wikitech.wikimedia.org/wiki/Logstash#Indexing_errors  - https://alerts.wikimedia.org/?q=alertname%3DLogstashIndexingFailures