[00:00:59] <icinga-wm>	 PROBLEM - Puppet freshness on virt1004 is CRITICAL: Last successful Puppet run was Sat 22 Feb 2014 02:36:40 PM UTC  
[00:02:19] <icinga-wm>	 PROBLEM - gitblit.wikimedia.org on antimony is CRITICAL: HTTP CRITICAL: HTTP/1.1 500 Server Error - 1703 bytes in 6.223 second response time  
[00:07:56] <mutante>	 !log restarting gitblit on antimony
[00:08:04] <morebots>	 Logged the message, Master
[00:09:19] <icinga-wm>	 RECOVERY - gitblit.wikimedia.org on antimony is OK: HTTP OK: HTTP/1.1 200 OK - 237850 bytes in 7.317 second response time  
[00:34:59] <icinga-wm>	 PROBLEM - Puppet freshness on labstore4 is CRITICAL: Last successful Puppet run was Tue 25 Feb 2014 06:33:37 PM UTC  
[00:38:26] <grrrit-wm>	 (03CR) 10TTO: [C: 04-1] "Flow is only enabled on a single page, and is causing no problems or interference with normal community activity on Meta, so I am inclined" [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/115412 (owner: 10Odder)
[00:44:04] <paravoid>	 hello
[00:57:40] <grrrit-wm>	 (03PS2) 10Ori.livneh: Set enable_geoiplookup on cp1066 for geo_cookie [operations/puppet] - 10https://gerrit.wikimedia.org/r/115525 
[00:59:07] <ori>	 bblack: I amended the patch to scope it to a single text varnish, picked at random. There's nothing relying on the GeoIP cookie being there at the moment and no consequence to setting it only on some responses, so it's an easy way to lower to stakes. Dunno why I hadn't thought of that earlier.
[01:29:02] <grrrit-wm>	 (03CR) 10TTO: "> Although I am extremely concerned about Terry's statement" [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/115412 (owner: 10Odder)
[01:37:09] <icinga-wm>	 RECOVERY - check_job_queue on terbium is OK: JOBQUEUE OK - all job queues below 200,000  
[01:48:52] <AaronSchulz>	 ori: https://gerrit.wikimedia.org/r/#/c/115553/ ;)
[01:51:09] <icinga-wm>	 PROBLEM - check_job_queue on terbium is CRITICAL: JOBQUEUE CRITICAL - the following wikis have more than 199,999 jobs: , Total (200677)  
[01:52:46] <logmsgbot>	 !log aaron synchronized php-1.23wmf15/includes/filebackend  '5a7a77cf3fd118bc70aa79993b85fc5e737d7526'
[01:52:57] <morebots>	 Logged the message, Master
[01:53:10] <icinga-wm>	 RECOVERY - check_job_queue on terbium is OK: JOBQUEUE OK - all job queues below 200,000  
[02:12:36] <logmsgbot>	 !log LocalisationUpdate completed (1.23wmf14) at 2014-02-26 02:12:36+00:00
[02:12:44] <morebots>	 Logged the message, Master
[02:13:39] <grrrit-wm>	 (03CR) 10Jeremyb: "(not actually reverted, revert abandoned)" [operations/apache-config] - 10https://gerrit.wikimedia.org/r/113877 (owner: 10Jeremyb)
[02:13:59] <icinga-wm>	 PROBLEM - Puppet freshness on virt1000 is CRITICAL: Last successful Puppet run was Fri 21 Feb 2014 04:42:42 PM UTC  
[02:15:29] <icinga-wm>	 RECOVERY - HTTP 5xx req/min on tungsten is OK: OK: reqstats.5xx [warn=250.000  
[02:41:01] <logmsgbot>	 !log LocalisationUpdate completed (1.23wmf15) at 2014-02-26 02:41:01+00:00
[02:41:09] <morebots>	 Logged the message, Master
[02:43:09] <icinga-wm>	 PROBLEM - check_job_queue on terbium is CRITICAL: JOBQUEUE CRITICAL - the following wikis have more than 199,999 jobs: , Total (205530)  
[02:54:19] <grrrit-wm>	 (03CR) 10Andrew Bogott: [C: 032] Add some labs management scripts. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115360 (owner: 10Andrew Bogott)
[03:00:51] <grrrit-wm>	 (03PS1) 10Andrew Bogott: Add standard headers to the virtscripts. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115563 
[03:01:59] <icinga-wm>	 PROBLEM - Puppet freshness on virt1004 is CRITICAL: Last successful Puppet run was Sat 22 Feb 2014 02:36:40 PM UTC  
[03:02:42] <grrrit-wm>	 (03PS2) 10Andrew Bogott: Add standard headers to the virtscripts. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115563 
[03:04:26] <grrrit-wm>	 (03CR) 10Andrew Bogott: [C: 032] Add standard headers to the virtscripts. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115563 (owner: 10Andrew Bogott)
[03:11:09] <icinga-wm>	 RECOVERY - Puppet freshness on virt1000 is OK: puppet ran at Wed Feb 26 03:11:05 UTC 2014  
[03:14:38] <logmsgbot>	 !log LocalisationUpdate ResourceLoader cache refresh completed at 2014-02-26 03:14:37+00:00
[03:14:46] <morebots>	 Logged the message, Master
[03:23:09] <icinga-wm>	 RECOVERY - check_job_queue on terbium is OK: JOBQUEUE OK - all job queues below 200,000  
[03:32:25] <grrrit-wm>	 (03PS1) 10Andrew Bogott: Puppetize the new_install key on palladium, add to iron. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115566 
[03:35:59] <icinga-wm>	 PROBLEM - Puppet freshness on labstore4 is CRITICAL: Last successful Puppet run was Tue 25 Feb 2014 06:33:37 PM UTC  
[03:57:09] <icinga-wm>	 PROBLEM - puppetmaster https on virt0 is CRITICAL: CRITICAL - Socket timeout after 10 seconds  
[03:59:59] <icinga-wm>	 RECOVERY - puppetmaster https on virt0 is OK: HTTP OK: Status line output matched 400 - 336 bytes in 3.980 second response time  
[04:08:30] <grrrit-wm>	 (03CR) 10Ori.livneh: [C: 032] "I have a bit of time now to watch this roll out, so I'll give it a shot." [operations/puppet] - 10https://gerrit.wikimedia.org/r/115525 (owner: 10Ori.livneh)
[04:14:13] <grrrit-wm>	 (03PS1) 10Ori.livneh: Revert "Set enable_geoiplookup on cp1066 for geo_cookie" [operations/puppet] - 10https://gerrit.wikimedia.org/r/115567 
[04:14:24] <grrrit-wm>	 (03CR) 10Ori.livneh: [C: 032 V: 032] Revert "Set enable_geoiplookup on cp1066 for geo_cookie" [operations/puppet] - 10https://gerrit.wikimedia.org/r/115567 (owner: 10Ori.livneh)
[04:17:24] <ori>	 !log enabling geo_cookie on cp1066 caused general protection fault, so reverted and restarted.
[04:17:33] <morebots>	 Logged the message, Master
[04:18:39] <icinga-wm>	 PROBLEM - Varnish traffic logger on cp1066 is CRITICAL: PROCS CRITICAL: 1 process with command name varnishncsa  
[04:20:39] <icinga-wm>	 RECOVERY - Varnish traffic logger on cp1066 is OK: PROCS OK: 2 processes with command name varnishncsa  
[04:42:58] <grrrit-wm>	 (03PS6) 10Andrew Bogott: Add a script that updates labs instances after migration. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115342 
[05:35:40] <AaronSchulz>	 springle: I'm curious what you think of https://bugzilla.wikimedia.org/show_bug.cgi?id=57176
[05:38:02] <springle>	 AaronSchulz: ah that one. reading...
[05:38:29] <AaronSchulz>	 I was also curious about those revision insert timeouts...saw those in the logs earlier
[05:38:52] <springle>	 did you see https://bugzilla.wikimedia.org/show_bug.cgi?id=61898 ?
[05:39:31] <AaronSchulz>	 yeah just read that
[05:47:06] <grrrit-wm>	 (03CR) 10Greg Grossmeier: "I wanna close this out, so I'll revoke my bike shed and just make it match the other previous values." [operations/puppet] - 10https://gerrit.wikimedia.org/r/114503 (owner: 10Greg Grossmeier)
[05:47:16] <grrrit-wm>	 (03PS2) 10Greg Grossmeier: Modify login credential hint [operations/puppet] - 10https://gerrit.wikimedia.org/r/114503 
[06:01:21] <grrrit-wm>	 (03CR) 10MZMcBride: "I thought we decided to use Bugzilla for discussion, not Gerrit. I've replied on bug 61729." [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/115412 (owner: 10Odder)
[06:02:59] <icinga-wm>	 PROBLEM - Puppet freshness on virt1004 is CRITICAL: Last successful Puppet run was Sat 22 Feb 2014 02:36:40 PM UTC  
[06:08:29] <springle>	 AaronSchulz: replied on 57176. tricky one. do you know if anyone ever tried an index on domain name only without leading protocol?
[06:08:39] <springle>	 reversed or not
[06:09:17] <AaronSchulz>	 not sure, I wasn't involved in the table design either
[06:11:42] <AaronSchulz>	 springle: I think B would probably work fine (at least for up to a pretty huge number of matching results)
[06:16:36] <springle>	 i'm not clear on how it would blend with the LIMIT. for the example in comment #1, wouldn't it mean running 1023 queries each time and doing some sort of app-side sorting/paging?
[06:21:07] <AaronSchulz>	 springle: if the user wants X rows per page, you'd go through shard 0 first, and give results of X rows, and give an ?continue parameter like 0|<next el_id>. Once you reach the end of that or get less that X rows, you move on to shard 1. The server code is only looking at one (or sometimes a few) shards at a time.
[06:21:50] <AaronSchulz>	 it would work just like the other APIs that page on a tuple instead of a single column
[06:22:30] <springle>	 so we really don't care about result order here
[06:22:41] <AaronSchulz>	 you wouldn't have to hit 1024 shards for the small case due to doing an EXPLAIN SELECT to estimate how many rows there are and doing it the current way if it's not super high
[06:23:19] <AaronSchulz>	 you just want some stable ordering even if it is totally meaningless (just like el_id and they OFFSET are anyway)
[06:23:41] <AaronSchulz>	 *and OFFSET
[06:25:10] <AaronSchulz>	 the actually queries hitting the DB (for the shard usage case) would be have WHERE index=X and an OFFSET with that
[06:25:24] <AaronSchulz>	 the filesort would be 1024 times smaller than it is now though
[06:26:07] <AaronSchulz>	 of course, with 30 million hits, it will take some time to traverse but at least the queries won't time out then
[06:26:54] <springle>	 there is no filesort presently, but yes i get the point
[06:26:58] <AaronSchulz>	 actually that probably would not filesort
[06:27:05] <AaronSchulz>	 gah, you just said that ;)
[06:27:19] * AaronSchulz  was thinking of ORDER BY el_id for a second

[06:27:44] <springle>	 i had to go back and check the bug ... .oO(did i mention filesort?) :)
[06:28:33] <springle>	 in any case, breaking the queries up is A Good Thing for the database. if it works for the api users too, then great
[06:29:09] <AaronSchulz>	 "the actually queries"
[06:29:13] * AaronSchulz  must be getting tired

[06:29:36] <AaronSchulz>	 springle: anyway, if that works for you I can ping anomie about it, since he seems to do more API stuff
[06:29:47] <springle>	 yeah get his input
[06:35:39] <AaronSchulz>	 also you might want to leave a comment there ;)
[06:36:23] * AaronSchulz  needs to look at  WebVideoTranscode::updateJobQueue later

[06:36:59] <icinga-wm>	 PROBLEM - Puppet freshness on labstore4 is CRITICAL: Last successful Puppet run was Tue 25 Feb 2014 06:33:37 PM UTC  
[06:44:41] <AaronSchulz>	 heh, looks like  MessageGroupStats::forItemInternal  tries to insert the same row from a bunch of servers at once
[06:52:14] <grrrit-wm>	 (03PS1) 10Matanya: remove sockpuppet, decom [operations/dns] - 10https://gerrit.wikimedia.org/r/115578 
[07:12:17] <grrrit-wm>	 (03CR) 10Matanya: [C: 031] Setting up kafkatee on analytics1003 to log mobile webrequest logs [operations/puppet] - 10https://gerrit.wikimedia.org/r/115411 (owner: 10Ottomata)
[07:16:51] <grrrit-wm>	 (03PS1) 10Matanya: removed pdf1, decom [operations/dns] - 10https://gerrit.wikimedia.org/r/115581 
[07:26:13] <grrrit-wm>	 (03PS1) 10Matanya: remove locke, decom [operations/dns] - 10https://gerrit.wikimedia.org/r/115583 
[07:26:46] <grrrit-wm>	 (03PS1) 10Andrew Bogott: Wipe out /etc/resolv.conf before migrating instances. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115584 
[07:28:23] <matanya>	 hi andrewbogott :)
[07:28:23] <grrrit-wm>	 (03PS2) 10Andrew Bogott: Wipe out /etc/resolv.conf before migrating instances. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115584 
[07:28:33] * andrewbogott  waves

[07:28:50] <andrewbogott>	 matanya, I was going to ask you to review something but 'git review' is hanging on my dev box :(
[07:29:16] <matanya>	 i'm here, ping me when you need
[07:29:49] <andrewbogott>	 Ah, ok, it didn't hang it's just VERY slow.  So maybe in a few more minutes...
[07:30:03] <grrrit-wm>	 (03PS1) 10Andrew Bogott: Add a fact to pull the ec2id out of instance metadata. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115585 
[07:30:16] <andrewbogott>	 There it goes.  matanya, check my ruby?  ^
[07:31:00] <grrrit-wm>	 (03CR) 10Matanya: Wipe out /etc/resolv.conf before migrating instances. (032 comments) [operations/puppet] - 10https://gerrit.wikimedia.org/r/115584 (owner: 10Andrew Bogott)
[07:31:01] <grrrit-wm>	 (03CR) 10Andrew Bogott: [C: 032] Wipe out /etc/resolv.conf before migrating instances. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115584 (owner: 10Andrew Bogott)
[07:31:34] <andrewbogott>	 oops, I will take your advice in a subsequent patch :)
[07:32:39] <grrrit-wm>	 (03PS1) 10Andrew Bogott: rm -f resolv.conf. -rf was overkill. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115586 
[07:33:03] <grrrit-wm>	 (03CR) 10Matanya: [C: 031] Add a fact to pull the ec2id out of instance metadata. (031 comment) [operations/puppet] - 10https://gerrit.wikimedia.org/r/115585 (owner: 10Andrew Bogott)
[07:33:52] <andrewbogott>	 thanks!
[07:35:32] <andrewbogott>	 I will never get used to the implicit return thingy that ruby does
[07:35:58] <matanya>	 it actully makes sense
[07:36:13] <grrrit-wm>	 (03PS2) 10Andrew Bogott: Add a fact to pull the ec2id out of instance metadata. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115585 
[07:36:15] <andrewbogott>	 how so?
[07:36:28] <andrewbogott>	 I mean, in an assembly 'what was last in the register' sense it makes sense...
[07:36:28] <matanya>	 why declare something we know?
[07:37:14] <andrewbogott>	 I guess the fact that the behavior depends on the position of the line bothers me?
[07:37:38] <matanya>	 think of python indentation :)
[07:37:42] <andrewbogott>	 Also, what if my intent in a function is to return nothing in particular?  Then an arbitrary value can leak out, and a caller might come to depend on that.
[07:38:22] <andrewbogott>	 But, anyway, I won't argue that it's incorrect, only that it makes me uneasy :)
[07:38:31] <grrrit-wm>	 (03CR) 10Andrew Bogott: [C: 032] rm -f resolv.conf. -rf was overkill. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115586 (owner: 10Andrew Bogott)
[07:39:43] <matanya>	 logstash is a pain in the ...
[07:43:27] <grrrit-wm>	 (03PS3) 10Andrew Bogott: Add a fact to pull the ec2id out of instance metadata. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115585 
[07:44:39] <grrrit-wm>	 (03Abandoned) 10Andrew Bogott: Attempt to get ssh keys working, pre-puppet [operations/puppet] - 10https://gerrit.wikimedia.org/r/114408 (owner: 10Andrew Bogott)
[07:46:51] <grrrit-wm>	 (03CR) 10Andrew Bogott: [C: 032] Add a fact to pull the ec2id out of instance metadata. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115585 (owner: 10Andrew Bogott)
[07:47:59] <icinga-wm>	 RECOVERY - RAID on labstore1 is OK: OK: optimal, 2 logical, 24 physical  
[08:03:55] <matanya>	  /join #logstash
[08:04:01] <matanya>	 arrg
[08:27:59] <grrrit-wm>	 (03PS1) 10Andrew Bogott: Slight change to prod.sh [operations/puppet] - 10https://gerrit.wikimedia.org/r/115587 
[08:29:01] <grrrit-wm>	 (03CR) 10Andrew Bogott: [C: 032] Slight change to prod.sh [operations/puppet] - 10https://gerrit.wikimedia.org/r/115587 (owner: 10Andrew Bogott)
[09:03:59] <icinga-wm>	 PROBLEM - Puppet freshness on virt1004 is CRITICAL: Last successful Puppet run was Sat 22 Feb 2014 02:36:40 PM UTC  
[09:37:59] <icinga-wm>	 PROBLEM - Puppet freshness on labstore4 is CRITICAL: Last successful Puppet run was Tue 25 Feb 2014 06:33:37 PM UTC  
[09:49:03] <andrewbogott>	 matanya: a puppet question:  When a client changes from one master to another, what do I need to do to encourage it to accept the cert from the new master?
[09:49:05] <andrewbogott>	 Any idea?
[09:49:26] <andrewbogott>	 I know that if I erase /everything/ in /var/lib/puppet it helps, but I'd prefer to be more surgical :)
[09:49:42] <matanya>	 iirc, you need to tell him in his own config about the new master
[09:49:43] <andrewbogott>	 hashar, same question, in case you know...
[09:49:52] <andrewbogott>	 Ah, yes, I'm updating puppet.conf already.
[09:49:59] <andrewbogott>	 But there's a validation phase that's failing for me.
[09:50:07] <matanya>	 ok, that is a good start :)
[09:50:19] <andrewbogott>	 I think because client is comparing the old cert to the new master which of course doesn't work...
[09:50:21] <hashar>	 andrewbogott: can't remember sorry :-(
[09:50:29] <hashar>	 I think I restart the puppet services
[09:50:29] <andrewbogott>	 ok
[09:50:32] <hashar>	 on the client
[09:50:34] <andrewbogott>	 oh, on the client?
[09:50:40] <hashar>	 and it eventually end up catching the new cert
[09:50:56] <hashar>	 apergos and I attempted to write a class that would revert from puppetmaster::self back to the normal labs puppet
[09:50:59] <hashar>	 never went far though
[09:51:03] <andrewbogott>	 hm, nope, same
[09:51:27] <andrewbogott>	 "err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client"  <- sound familiar?
[09:51:33] <hashar>	 ohh
[09:51:44] <andrewbogott>	 I mean, it's smart that the client is rejecting the new master, could me mitm
[09:51:45] <hashar>	 never seen that
[09:51:48] <andrewbogott>	 *could be
[09:52:04] <hashar>	 is time in sync? aka ntp on both hosts
[09:52:14] <andrewbogott>	 yes
[09:52:21] <hashar>	 might want to try with --debug, it might show up the cert being used
[09:52:46] <andrewbogott>	 at least, to my eyeball they time looks the same
[09:52:47] <hashar>	 or you want to regenerate the cert for that host. I think puppet client gives you the command to run on the master
[09:53:34] <hashar>	 :-(
[09:53:59] <hashar>	 you might need a new cert on the client.
[09:54:30] <matanya>	 does the client have the correct cert at all?
[09:54:52] <hashar>	 the client cert is probably not know on the new puppet master
[09:55:02] <hashar>	 might need to sign it on puppet master
[09:55:16] <andrewbogott>	 No, it's the other way around I think.
[09:55:21] <andrewbogott>	 The client cert /is/ signed and ready.
[09:55:27] <andrewbogott>	 It's the client, rejecting the master.
[09:55:29] <andrewbogott>	 It checks both ways, right?
[09:55:34] <matanya>	 yes
[09:55:34] <hashar>	 no idea :-]
[09:55:50] <andrewbogott>	 matanya: so, probably the client does not have the correct cert.  I'm wondering how to get it the right one.
[09:56:06] <andrewbogott>	 Here's a debug run, not very useful:  https://dpaste.de/A7GA
[09:56:24] <matanya>	 the easiest way i think is to revoke the key on master a
[09:56:32] <matanya>	 and create a new one on master b
[09:57:16] <andrewbogott>	 ok, so I'd run revoke on the client?
[09:58:09] <matanya>	 yes, but also on the old master
[09:58:31] <andrewbogott>	 why would that matter?  The instance isn't even talking to the old master anymore, doesn't know about it.
[09:58:54] <andrewbogott>	 I should explain:  I'm trying to duplicate an existing instance w/a new puppet master.  So I don't want to break things for the original instance.
[09:59:04] <andrewbogott>	 I just want to make a copy, and make the copy work with the new master.
[09:59:04] <matanya>	 just for security reasons, not anything else
[09:59:08] <andrewbogott>	 Ah, sure.
[09:59:17] <akosiaris>	 andrewbogott: rm -rf /var/lib/puppet/ssl on instance and puppetd -t 
[09:59:24] <akosiaris>	 and puppetca -s -a on your puppetmaster
[09:59:28] <akosiaris>	 and you are done
[09:59:31] <matanya>	 i love you akosiaris 
[09:59:33] <andrewbogott>	 akosiaris: that will revoke the client cert as well, which I specifically do not want to do.
[09:59:48] <akosiaris>	 ?
[09:59:55] <akosiaris>	 revoke it where ?
[09:59:55] <andrewbogott>	 "andrewbogott: I know that if I erase /everything/ in /var/lib/puppet it helps, but I'd prefer to be more surgical :)"
[10:00:16] <akosiaris>	 well i was slightly more surgical. I added /ssl at the end :-)
[10:00:16] <andrewbogott>	 akosiaris: well… currently my clieng has a cert that is signed on the master.
[10:00:21] <andrewbogott>	 If I erase the cert on the client side...
[10:00:38] <andrewbogott>	 then the master will /definitely/ have a cert that doesn't match mine and I will have to revoke that one, etc. etc.
[10:00:45] <akosiaris>	 which master ?
[10:00:51] <akosiaris>	 old or new ?
[10:01:07] <akosiaris>	 old, who cares about it anyway, new won't have anything
[10:01:24] <akosiaris>	 until the first puppet run that is 
[10:01:29] <akosiaris>	 and you running puppetca -s -a
[10:02:10] <akosiaris>	 but anyway puppett clients can only have one master and only one ca 
[10:02:22] <andrewbogott>	 OK, let me begin at the beginning.
[10:02:44] <akosiaris>	 and since a master is also a ca you basically are well off if you make the client forget about the old CA and be done with it
[10:03:03] <andrewbogott>	 Yes, so, how do I do that?
[10:03:08] <andrewbogott>	 Without making the master forget about the client?
[10:03:21] <akosiaris>	 again which master? the old one ?
[10:03:24] <akosiaris>	 or the new one ?
[10:03:25] <andrewbogott>	 new one
[10:03:30] <andrewbogott>	 Here is what happens:
[10:03:32] <andrewbogott>	 a)  I move the instance
[10:03:53] <akosiaris>	 that is pmtpa => eqiad labs move ?
[10:03:53] <andrewbogott>	 b)  New instance talks to old puppet master, which prompts an update to puppet.conf, pointing at the new master
[10:03:58] <andrewbogott>	 yes
[10:04:09] <andrewbogott>	 c) client talks to new master, gets a cert, and the new master signs the cert
[10:04:11] <andrewbogott>	 All good, right?
[10:04:19] <akosiaris>	 yes
[10:04:19] <andrewbogott>	 Except, then d)  https://dpaste.de/A7GA
[10:04:31] <andrewbogott>	 Now, why does c work?  I don't know.
[10:04:31] <akosiaris>	 wait c is wrong
[10:04:40] <andrewbogott>	 yeah, it shouldn't work, right?
[10:04:45] <akosiaris>	 client will not be able to talk to new master
[10:04:53] <akosiaris>	 cause it will be a different CA 
[10:04:57] <andrewbogott>	 I'd think.
[10:05:03] <andrewbogott>	 And yet I see a signed cert on the master.
[10:05:10] <andrewbogott>	 So maybe something else stupid is happening :(
[10:05:18] <akosiaris>	 ok . virt0 and virt1000 ?
[10:05:23] <akosiaris>	 may I login and see what is going on ?
[10:05:24] <scfc_de>	 andrewbogott: Have you looked at a more general setup like http://docs.puppetlabs.com/guides/scaling_multiple_masters.html ?
[10:05:44] <akosiaris>	 scfc_de: he wants to migrate, not scale
[10:05:45] <andrewbogott>	 masters are virt0 and virt1000
[10:05:51] <akosiaris>	 virt0 will be decomissioned
[10:05:55] <akosiaris>	 eventually that is
[10:05:56] <andrewbogott>	 the instance in question is testmigrate7.eqiad.wmflabs
[10:05:58] <andrewbogott>	 I will add you to the project
[10:06:39] <scfc_de>	 Apparently, the guy in http://stuckinadoloop.wordpress.com/2012/02/16/automated-migration-of-systems-to-a-new-puppet-master-server/ had the same problem.
[10:06:51] <scfc_de>	 akosiaris: migrate = scale, then downsize :-).
[10:07:22] <akosiaris>	 scfc_de: that approach might cost more that it is worth
[10:14:34] <matanya>	 i still think my approach will be easiest, though it doesn't fix the root cause
[10:23:49] <scfc_de>	 andrewbogott: If both puppet masters are accessible from the client, this is no blocker for you?
[10:25:19] <andrewbogott>	 scfc_de: I need to move them at some point though
[10:25:28] <andrewbogott>	 since the old puppet master will be shut down eventually
[10:26:05] <scfc_de>	 Yeah, but before you get stuck here, I'd rather pick problems easier to solve :-).
[10:28:36] <andrewbogott>	 scfc_de: right now puppet by default changes the master to match whatever domain an instance is in.
[10:28:45] <andrewbogott>	 That clearly doesn't work, but I'm trying to roll with it :)
[10:30:19] <grrrit-wm>	 (03PS7) 10Andrew Bogott: Add a script that updates labs instances after migration. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115342 
[10:42:21] <grrrit-wm>	 (03CR) 10Tim Landscheidt: "To me, this doesn't feel "puppety" :-). I would do something along the lines of (in role::labs::instance):" [operations/puppet] - 10https://gerrit.wikimedia.org/r/115342 (owner: 10Andrew Bogott)
[10:46:44] <andrewbogott>	 scfc_de: ok, but the whole point is that puppet doesn't work
[10:46:54] <andrewbogott>	 so… a puppet-based solution sounds nice but I don't think it helps
[10:47:24] <andrewbogott>	 Still… there may be some way to use virt0 as a more effective bootstrap.  I'll think about it a bit
[10:51:49] <scfc_de>	 andrewbogott: Why doesn't it work?  I. e., if you move an instance 1:1 from pmtpa to eqiad and then run Puppet?
[11:10:59] <andrewbogott>	 scfc_de: one question is… how do I remove the virt0 cert without just always removing every cert?
[11:21:15] <grrrit-wm>	 (03PS1) 10Andrew Bogott: Clear master certs if we change puppet.conf [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 
[11:21:27] <andrewbogott>	 akosiaris: what do you think?  ^
[11:26:33] <akosiaris>	 well, not in love definitely. If anything changes in the erb, all clients will have to refetch the CA and CRL 
[11:27:00] <andrewbogott>	 Want me to limit it to labs?
[11:27:15] <andrewbogott>	 It would be better to detect that just the master is changing...
[11:27:51] <scfc_de>	 Could we manage /var/lib/puppet/ssl/certs/ca.pem as a file resource in Labs?  To be able to change it in concert with $base::puppet::server?
[11:28:08] <akosiaris>	 well there is a security concern here 
[11:28:32] <akosiaris>	 if we have ca.pem refresh on an erb change
[11:28:48] <akosiaris>	 that may very well open the door for anyone to take over the entire fleet
[11:28:58] <andrewbogott>	 Isn't an erb change already a wide open door?
[11:29:22] <akosiaris>	 yes but you remove a layer of security there
[11:29:26] <andrewbogott>	 true
[11:30:02] <akosiaris>	 I would be surpised if mark showed up and voted a huge -2 on it
[11:30:09] <akosiaris>	 I would not*
[11:30:15] <mark>	 !
[11:30:19] <mark>	 where is it
[11:30:24] <akosiaris>	 ahahaha
[11:30:41] <mark>	 what is the issue, also?
[11:30:44] <andrewbogott>	 Well, I don't want to apply it universally.  I need some way to detect that a migration is happening...
[11:30:56] <andrewbogott>	 mark, clearing the puppet master cert after an instance moves to the new dc
[11:31:06] <mark>	 why is that necessary?
[11:31:09] <mark>	 different hostname?
[11:31:15] <andrewbogott>	 yes, different puppet master
[11:31:22] <akosiaris>	 both that and virt0 => virt1000 move
[11:31:30] <andrewbogott>	 ah, yes, both
[11:31:50] <mark>	 perhaps we should use an alias now
[11:31:56] <mark>	 that won't solve our current problem but will prevent the next
[11:32:46] <andrewbogott>	 Hm
[11:32:48] <akosiaris>	 like puppet.wmflabs ?
[11:32:53] <mark>	 yes
[11:33:14] <mark>	 assuming we will want to support instance migrations in the future also
[11:33:33] <andrewbogott>	 Actually that could solve our current problem as well...
[11:33:43] <andrewbogott>	 because for /working/ instances I can clear the certs with salt.
[11:33:48] <andrewbogott>	 It's only instances that are post-migration that are broken
[11:33:49] <mark>	 as for detecting a migration is happening
[11:33:56] <mark>	 would it be feasible to create some file in the filesystem before migration
[11:34:02] <mark>	 and remove it when puppet runs and fixes up the system?
[11:34:14] <andrewbogott>	 mark:  yes, that's easy.
[11:34:19] <andrewbogott>	 So, probably a good solution.
[11:34:24] <andrewbogott>	 But...
[11:34:25] <andrewbogott>	 ok, wait:
[11:34:26] <mark>	 in that case it would be reasonable to remove the cert
[11:34:31] <mark>	 if we can make sure it can't get abused
[11:34:36] <andrewbogott>	 the issue with the puppet master isn't the /name/ of the master, it's the cert.
[11:34:40] <mark>	 yes
[11:34:41] <andrewbogott>	 So using an alias doesn't help.
[11:34:49] <mark>	 well you could use the same cert everywhere then
[11:34:52] <andrewbogott>	 Unless we copy the cert when we change masters.
[11:35:01] <andrewbogott>	 Ah, yes, that would solve the problem w/out using an alias :)
[11:35:03] <mark>	 i don't see a huge reason why we couldn't do that
[11:35:07] <andrewbogott>	 But, I defer to akosiaris on that point
[11:35:13] <mark>	 right now that's not optimal as using the virt0 name is a bit weird ;)
[11:35:23] <akosiaris>	 the only problem will be the CRL i think
[11:35:59] <akosiaris>	 and of course we will need a procedure to say "No longer sign certs on virt0, from now on only on virt1000"
[11:36:15] <akosiaris>	 and then phase out virt0
[11:36:17] <mark>	 how does signing work in labs now anyway?
[11:36:20] <andrewbogott>	 ?  If they're the same then...
[11:36:35] <akosiaris>	 but I think that the issuer in the CA is virt0 in labs
[11:36:36] <mark>	 the CA needs to remain in sync
[11:36:51] <akosiaris>	 as in the issuer field in the cert
[11:36:57] <andrewbogott>	 Ah, then sharing doesn't solve anything, it just creates new different problems.
[11:38:15] <scfc_de>	 Does Puppet check the issuer or does it only test that the keys match?
[11:39:18] <akosiaris>	 it definitely checks the chain
[11:40:18] <akosiaris>	 Issuer: CN=Puppet CA: virt0.wikimedia.org
[11:40:57] <grrrit-wm>	 (03PS2) 10Andrew Bogott: Clear master certs if we change puppet.conf [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 
[11:41:03] <andrewbogott>	 like that better?
[11:41:15] <scfc_de>	 akosiaris: I know, but does it test that the hostnames match?
[11:41:25] <akosiaris>	 yes it does
[11:42:29] <andrewbogott>	 akosiaris, mark, is ^ ok?  Or should I also limit it to labs?  Or...
[11:42:39] * andrewbogott  doesn't know for sure that that will even solve the problem, but it might :/

[11:43:29] <mark>	 I think limiting it to labs for now wouldn't be a bad idea
[11:43:46] <mark>	 also, you may want to have a generic "migration-in-progess" file instead which you could use for other things
[11:43:48] <akosiaris>	 scfc_de: well to be clear, the hostname of the master. It will obviously not chase down the entire chain hostnames(that would make no sense)
[11:44:24] <andrewbogott>	 mark:  a generic file wouldn't be rm'd at such a good time though
[11:44:36] <andrewbogott>	 hence having a task-specific flag that gets removed in one go with the cert clearing
[11:44:53] <andrewbogott>	 Also otherwise I'm not sure how to make sure the file gets cleared /after/ it's used for the test :)
[11:44:58] <scfc_de>	 akosiaris: ACK.
[11:45:18] <scfc_de>	 BTW, with Labs and network people here, 208.80.152.234 (amaranth) times out from pmtpa-Labs (incidentally, the server itself is status 503 from the InterNet, but different story).  Is this some firewall on Labs or in the network?
[11:45:19] <akosiaris>	 I 'd say limited to labs for sure. As I already said, a single merge with a changed 10-main-conf.erb has the potential of sending the entire fleet to another puppetmaster
[11:46:08] <scfc_de>	 Are there disadvantages to managing /var/lib/puppet/ssl/certs/ca.pem as a file resource in Labs?
[11:46:28] <akosiaris>	 scfc_de: and doing what with it ?
[11:47:16] <scfc_de>	 Setting it to the cert of the puppet master selected by $base::puppet::server?
[11:48:49] <akosiaris>	 in general it is a security concern. That file is your anchor with the entire puppet infra
[11:49:31] <grrrit-wm>	 (03PS3) 10Andrew Bogott: Clear master certs if we change puppet.conf [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 
[11:50:18] <scfc_de>	 Yes, and AFAICS, at the moment, it's not managed at all, but depends on the initial Puppet connection, I think?
[11:50:58] <andrewbogott>	 mark, akosiaris, ^
[11:51:05] <akosiaris>	 yes, which is the way it was designed to be by the puppet people
[11:51:45] <mark>	 it's not supposed to be managed
[11:51:50] <mark>	 at least, not by Puppet :)
[11:53:00] <grrrit-wm>	 (03CR) 10Mark Bergsma: Clear master certs if we change puppet.conf (031 comment) [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 (owner: 10Andrew Bogott)
[11:53:45] <scfc_de>	 Then how are puppet masters supposed to be changed in Puppet if puppet.conf is managed, but ca.pem not?  On change to puppet.conf, check that ca.pem's "Issuer" matches "server", otherwise delete ca.pem?
[11:54:06] <mark>	 puppet masters are not supposed to be changed in Puppet I think
[11:54:08] <mark>	 doesn't mean we can't
[11:54:12] <mark>	 but it's a bit hairy
[11:55:21] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: Clear master certs if we change puppet.conf (031 comment) [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 (owner: 10Andrew Bogott)
[11:56:17] <grrrit-wm>	 (03PS4) 10Andrew Bogott: Clear master certs if we change puppet.conf [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 
[11:56:39] <andrewbogott>	 Ah, much tidier that way.
[11:56:46] <andrewbogott>	 Presuming that 'subscribe' works like that
[11:58:53] <scfc_de>	 As it's a bit hairy, I'm looking for a simple solution :-).
[11:58:59] <grrrit-wm>	 (03CR) 10Matanya: Clear master certs if we change puppet.conf (031 comment) [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 (owner: 10Andrew Bogott)
[11:59:02] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: Clear master certs if we change puppet.conf (031 comment) [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 (owner: 10Andrew Bogott)
[11:59:24] <matanya>	 arrg
[11:59:30] <matanya>	 conflict
[12:01:15] <grrrit-wm>	 (03PS5) 10Andrew Bogott: Clear master certs if we change puppet.conf [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 
[12:04:59] <icinga-wm>	 PROBLEM - Puppet freshness on virt1004 is CRITICAL: Last successful Puppet run was Sat 22 Feb 2014 02:36:40 PM UTC  
[12:05:51] <andrewbogott>	 matanya, akosiaris, better?
[12:07:37] <grrrit-wm>	 (03CR) 10Matanya: Clear master certs if we change puppet.conf (031 comment) [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 (owner: 10Andrew Bogott)
[12:08:46] <grrrit-wm>	 (03PS6) 10Andrew Bogott: Clear master certs if we change puppet.conf [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 
[12:10:23] <grrrit-wm>	 (03CR) 10Matanya: [C: 031] Clear master certs if we change puppet.conf [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 (owner: 10Andrew Bogott)
[12:12:18] <grrrit-wm>	 (03CR) 10Tim Landscheidt: [C: 031] "Tested on Tools (removed ca.pem and crl.pem), and Puppet recovered on its own." [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 (owner: 10Andrew Bogott)
[12:12:59] <grrrit-wm>	 (03PS1) 10Hashar: contint: python-dev on labs slaves [operations/puppet] - 10https://gerrit.wikimedia.org/r/115605 
[12:13:08] <grrrit-wm>	 (03CR) 10Andrew Bogott: [C: 032] Clear master certs if we change puppet.conf [operations/puppet] - 10https://gerrit.wikimedia.org/r/115594 (owner: 10Andrew Bogott)
[12:15:05] * andrewbogott  starts a test & crosses fingers

[12:25:44] <andrewbogott>	 mark, akosiaris, matanya, scfc_de:  It goes!  A clean migration -- first puppet run requests a cert and exits, second puppet run (after an appropriate delay) works.
[12:25:57] <matanya>	 nice!
[12:26:21] <andrewbogott>	 Salt isn't working -- if anyone wants to look at that I'd welcome the help.  testmigrate10.eqiad.wmflabs and salt master virt1000
[12:27:06] <mark>	 :)
[12:27:45] <andrewbogott>	 oh, nm, salt is working now too, just took a minute.
[12:27:54] <andrewbogott>	 Lemme see if it works a second time...
[12:29:56] <grrrit-wm>	 (03PS1) 10Andrew Bogott: Updated dc-migrate a bit. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115606 
[12:33:07] <akosiaris>	 andrewbogott: good to know :-)
[12:38:59] <icinga-wm>	 PROBLEM - Puppet freshness on labstore4 is CRITICAL: Last successful Puppet run was Tue 25 Feb 2014 06:33:37 PM UTC  
[12:41:38] <andrewbogott>	 And a second test works as well.  Thanks, all, for helping me sort this out.
[12:45:59] <grrrit-wm>	 (03PS2) 10Andrew Bogott: Updated dc-migrate a bit. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115606 
[12:46:38] <andrewbogott>	 mark:  communications between virt hosts looks good now.  Thanks!  Now I just have to figure out how to set up host keys so they can do unattended rsyncs...
[12:49:29] <grrrit-wm>	 (03PS3) 10Andrew Bogott: Updated dc-migrate a bit. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115606 
[12:51:00] <grrrit-wm>	 (03CR) 10Andrew Bogott: [C: 032] Updated dc-migrate a bit. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115606 (owner: 10Andrew Bogott)
[13:02:17] <grrrit-wm>	 (03PS1) 10Tim Landscheidt: Tools: Set group for $sysdir according to $::site [operations/puppet] - 10https://gerrit.wikimedia.org/r/115609 
[13:29:57] <grrrit-wm>	 (03PS1) 10Tim Landscheidt: Tools: Restore local symlinks for jobutils [operations/puppet] - 10https://gerrit.wikimedia.org/r/115612 
[13:41:15] <grrrit-wm>	 (03CR) 10PiRSquared17: [C: 04-1] Remove Flow from Meta [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/115412 (owner: 10Odder)
[13:43:28] <grrrit-wm>	 (03PS1) 10Andrew Bogott: Add a line specifying the nova api rate limits. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115614 
[13:43:30] <grrrit-wm>	 (03PS1) 10Andrew Bogott: Turn rate limits WAY up for nova api. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115615 
[13:59:36] <grrrit-wm>	 (03PS1) 10Hashar: beta: lower memcached memory usage [operations/puppet] - 10https://gerrit.wikimedia.org/r/115617 
[14:02:31] <grrrit-wm>	 (03CR) 10coren: [C: 04-1] "It's been many months; those really should not be needed anymore, and will not be present in eqiad." [operations/puppet] - 10https://gerrit.wikimedia.org/r/115612 (owner: 10Tim Landscheidt)
[14:03:37] <grrrit-wm>	 (03PS1) 10Hashar: mediawiki: stop timidity after it got installed [operations/puppet] - 10https://gerrit.wikimedia.org/r/115618 
[14:15:37] <grrrit-wm>	 (03PS1) 10Alexandros Kosiaris: Create OSM labs db partitioning scheme and dhcp [operations/puppet] - 10https://gerrit.wikimedia.org/r/115622 
[14:20:03] <grrrit-wm>	 (03CR) 10Ottomata: "Uh, does that mean keys() doesn't work if there isn't at least two entries in the hash?" [operations/puppet] - 10https://gerrit.wikimedia.org/r/115524 (owner: 10BBlack)
[14:20:38] <grrrit-wm>	 (03PS1) 10Hashar: beta: memcached multiwrite to pmtpa and eqiad [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/115623 
[14:25:53] <grrrit-wm>	 (03PS1) 10Hashar: deployment::target does not work in labs, skip it [operations/puppet] - 10https://gerrit.wikimedia.org/r/115624 
[14:28:35] <grrrit-wm>	 (03PS1) 10Ottomata: Putting PTR records back for analytics100{3,4}.eqiad.wmnet [operations/dns] - 10https://gerrit.wikimedia.org/r/115625 
[14:33:15] <grrrit-wm>	 (03PS1) 10Ottomata: Pointing analytics100{3,4} macs back at their .eqiad.wmnet addresses [operations/puppet] - 10https://gerrit.wikimedia.org/r/115626 
[14:34:33] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: "If I understand the commit message correctly, you should also remove the analytics100[34].wikimedia.org forward and reverse records." [operations/dns] - 10https://gerrit.wikimedia.org/r/115625 (owner: 10Ottomata)
[14:37:02] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: [C: 032] Adding OSM role classes [operations/puppet] - 10https://gerrit.wikimedia.org/r/115409 (owner: 10Alexandros Kosiaris)
[14:37:08] <grrrit-wm>	 (03CR) 10Ottomata: "Yeah, I can do that. I left them because I noticed that the .eqiad.wmnet records were mostly left intact from when we changed before...bu" [operations/dns] - 10https://gerrit.wikimedia.org/r/115625 (owner: 10Ottomata)
[14:37:40] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: [C: 032] Create OSM labs db partitioning scheme and dhcp [operations/puppet] - 10https://gerrit.wikimedia.org/r/115622 (owner: 10Alexandros Kosiaris)
[14:37:59] <grrrit-wm>	 (03PS2) 10Ottomata: Putting PTR records back for analytics100{3,4}.eqiad.wmnet [operations/dns] - 10https://gerrit.wikimedia.org/r/115625 
[14:38:04] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: [C: 032] Introduce labsdb100[45].eqiad.wmnet [operations/puppet] - 10https://gerrit.wikimedia.org/r/115410 (owner: 10Alexandros Kosiaris)
[14:38:26] <grrrit-wm>	 (03PS2) 10Hashar: mediawiki: stop timidity only once it got installed [operations/puppet] - 10https://gerrit.wikimedia.org/r/115618 
[14:38:46] <grrrit-wm>	 (03CR) 10Hashar: "Apparently timidity no more install any daemon..." [operations/puppet] - 10https://gerrit.wikimedia.org/r/115618 (owner: 10Hashar)
[14:39:38] <grrrit-wm>	 (03Abandoned) 10Tim Landscheidt: Tools: Restore local symlinks for jobutils [operations/puppet] - 10https://gerrit.wikimedia.org/r/115612 (owner: 10Tim Landscheidt)
[14:40:09] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: [C: 032] Putting PTR records back for analytics100{3,4}.eqiad.wmnet [operations/dns] - 10https://gerrit.wikimedia.org/r/115625 (owner: 10Ottomata)
[14:50:06] <Reedy>	 error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://git.wikimedia.org/git/mediawiki/tools/release.git/info/refs
[14:51:15] <Reedy>	 Getting that trying to clone any repos from gerrit onto tin/bast1001
[14:51:26] <grrrit-wm>	 (03PS1) 10Ottomata: README.md updates [operations/puppet/kafka] - 10https://gerrit.wikimedia.org/r/115628 
[14:51:28] <grrrit-wm>	 (03PS1) 10Hashar: Configuration for beta cluster caches in eqiad [operations/puppet] - 10https://gerrit.wikimedia.org/r/115629 
[14:51:40] <grrrit-wm>	 (03CR) 10Ottomata: [C: 032 V: 032] README.md updates [operations/puppet/kafka] - 10https://gerrit.wikimedia.org/r/115628 (owner: 10Ottomata)
[14:56:20] <grrrit-wm>	 (03PS1) 10Andrew Bogott: Turn the labs::nfs::client class off for eqiad. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115631 
[14:57:44] <grrrit-wm>	 (03PS2) 10Ottomata: Pointing analytics100{3,4} macs back at their .eqiad.wmnet addresses [operations/puppet] - 10https://gerrit.wikimedia.org/r/115626 
[14:57:50] <grrrit-wm>	 (03CR) 10Ottomata: [C: 032 V: 032] Pointing analytics100{3,4} macs back at their .eqiad.wmnet addresses [operations/puppet] - 10https://gerrit.wikimedia.org/r/115626 (owner: 10Ottomata)
[14:59:02] <grrrit-wm>	 (03PS2) 10Andrew Bogott: Turn the labs::nfs::client class off for eqiad. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115631 
[15:01:20] <grrrit-wm>	 (03PS3) 10Andrew Bogott: Turn the labs::nfs::client class off for eqiad. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115631 
[15:01:58] <grrrit-wm>	 (03CR) 10jenkins-bot: [V: 04-1] Turn the labs::nfs::client class off for eqiad. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115631 (owner: 10Andrew Bogott)
[15:02:56] <grrrit-wm>	 (03PS4) 10Andrew Bogott: Turn the labs::nfs::client class off for eqiad. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115631 
[15:04:04] <grrrit-wm>	 (03CR) 10Andrew Bogott: [C: 04-2] "OK, pretty sure we don't need this now. Keeping it in gerrit for a few days just to be sure." [operations/puppet] - 10https://gerrit.wikimedia.org/r/115342 (owner: 10Andrew Bogott)
[15:05:59] <icinga-wm>	 PROBLEM - Puppet freshness on virt1004 is CRITICAL: Last successful Puppet run was Sat 22 Feb 2014 02:36:40 PM UTC  
[15:15:52] <grrrit-wm>	 (03CR) 10Andrew Bogott: [C: 032] Turn the labs::nfs::client class off for eqiad. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115631 (owner: 10Andrew Bogott)
[15:26:53] <ottomata>	 !log rebooting analytics1004
[15:27:00] <morebots>	 Logged the message, Master
[15:27:49] <icinga-wm>	 PROBLEM - Host analytics1004 is DOWN: PING CRITICAL - Packet loss = 100%  
[15:39:59] <icinga-wm>	 PROBLEM - Puppet freshness on labstore4 is CRITICAL: Last successful Puppet run was Tue 25 Feb 2014 06:33:37 PM UTC  
[15:45:02] <grrrit-wm>	 (03PS1) 10Jgreen: grant hashar,reedy access to caesium per RT 6861 [operations/puppet] - 10https://gerrit.wikimedia.org/r/115633 
[15:46:04] <grrrit-wm>	 (03CR) 10Reedy: [C: 04-1] grant hashar,reedy access to caesium per RT 6861 (031 comment) [operations/puppet] - 10https://gerrit.wikimedia.org/r/115633 (owner: 10Jgreen)
[15:46:29] <icinga-wm>	 PROBLEM - HTTP 5xx req/min on tungsten is CRITICAL: CRITICAL: reqstats.5xx [crit=500.000000  
[15:48:55] <grrrit-wm>	 (03CR) 10BBlack: [C: 031] remove sockpuppet from puppet [operations/puppet] - 10https://gerrit.wikimedia.org/r/115527 (owner: 10Dzahn)
[15:51:25] <grrrit-wm>	 (03PS2) 10Jgreen: grant hashar,reedy access to caesium per RT 6861 [operations/puppet] - 10https://gerrit.wikimedia.org/r/115633 
[15:54:41] <grrrit-wm>	 (03CR) 10Jgreen: [C: 032 V: 031] grant hashar,reedy access to caesium per RT 6861 [operations/puppet] - 10https://gerrit.wikimedia.org/r/115633 (owner: 10Jgreen)
[16:02:01] <bblack>	 ori: ping
[16:23:12] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: [C: 032] "And no reason to keep it around as anything. It is out of sync anyway with both salt and puppet for quite some time now." [operations/puppet] - 10https://gerrit.wikimedia.org/r/115527 (owner: 10Dzahn)
[16:39:23] <paravoid>	 !log disabling puppet on sodium
[16:39:25] <grrrit-wm>	 (03PS1) 10BBlack: Varnish should restart on initscript/defaults changes [operations/puppet] - 10https://gerrit.wikimedia.org/r/115637 
[16:39:31] <morebots>	 Logged the message, Master
[16:40:02] <paravoid>	 bblack: that's kinda scary isn't it
[16:40:12] <paravoid>	 you change one file and it restarts the whole cluster
[16:40:22] <paravoid>	 without depooling or anything
[16:40:27] <bblack>	 yeah, that's why I didn't +2 it :)
[16:40:30] <paravoid>	 even frontends :)
[16:40:47] <bblack>	 but the current situation sucks pretty bad
[16:41:35] <bblack>	 in the case of the geoip_cookie patches (which have other issues, but ...), flipping on geoip for a type of cache edits the initscript, pushes the VCL, then VCL reload fails everywhere because it hasn't been restarted with the new CC_COMMAND
[16:43:06] <bblack>	 I guess in the larger view, this again highlights the mmap problem.  If it weren't for that, restarts wouldn't be quite as scary.
[16:43:09] <grrrit-wm>	 (03PS1) 10Jgreen: swap in tantalum for rhodium for pdf/trusty testing [operations/puppet] - 10https://gerrit.wikimedia.org/r/115638 
[16:43:17] <paravoid>	 no they'd be, for frontends
[16:43:28] <paravoid>	 you can alter cc_command without a restart
[16:43:32] <paravoid>	 varnishadm param.*
[16:43:43] <bblack>	 oh really?
[16:43:44] <paravoid>	 varnishadm param.show cc_command
[16:43:55] <paravoid>	 param.set cc_command ...
[16:43:56] <paravoid>	 etc.
[16:44:11] <bblack>	 hmm maybe the puppet stuff can be re-worked to invoke that (in addition to editing the initscript)
[16:45:26] <bblack>	 re: frontend restarts, perhaps all in a 30-minute window would be scary, yeah
[16:46:11] <paravoid>	 no, they are in general without a depool
[16:46:22] <paravoid>	 you're basically throw errors to a bunch of clients :)
[16:46:36] <bblack>	 yeah I know
[16:46:37] <bblack>	 https://graphite.wikimedia.org/render/?title=HTTP%205xx%20Responses%20-8hours&from=-8hours&width=1024&height=500&until=now&areaMode=none&hideLegend=false&lineWidth=2&lineMode=connected&target=color%28cactiStyle%28alias%28reqstats.5xx,%225xx%20resp/min%22%29%29,%22blue%22%29
[16:46:43] <paravoid>	 even more so for all of them in < 30 minutes (and we are generally trying to lower the 30' interval too)
[16:46:56] <bblack>	 but percentage-wise, one at time is bearable with delays
[16:47:59] <grrrit-wm>	 (03CR) 10BBlack: [C: 04-2] "Don't actually merge this!" [operations/puppet] - 10https://gerrit.wikimedia.org/r/115637 (owner: 10BBlack)
[16:48:01] <grrrit-wm>	 (03CR) 10Jgreen: [C: 032 V: 031] swap in tantalum for rhodium for pdf/trusty testing [operations/puppet] - 10https://gerrit.wikimedia.org/r/115638 (owner: 10Jgreen)
[16:48:05] <paravoid>	 welll, ideally we should depool from pybal, wait for most sessions to expire, restart, then pool again
[16:48:20] <bblack>	 x83
[16:48:27] <bblack>	 manually
[16:48:29] <paravoid>	 most things you can do without a restart
[16:48:42] <paravoid>	 via VCL or param.set
[16:48:46] <bblack>	 while waiting for settlement between, and watching for the impact of delayed backend restarts for failed SILO load
[16:49:01] <bblack>	 I'm talking about the still-ongoing 3.0.5 rollout
[16:49:08] <paravoid>	 oh
[16:49:20] <paravoid>	 I was still at cc_command :)
[16:49:49] <bblack>	 well, your comments about frontend restarts lead to "I've not been depooling while upgrading these 83 servers over a period of days to 3.0.5"
[16:50:05] <bblack>	 which is why we get little spikes on 5xx, but only when I'm not asleep :P
[16:50:10] <paravoid>	 heh, okay, I said "ideally" :)
[16:50:41] <paravoid>	 ideally we'd have a better mechanism for depooling servers automatically :)
[16:51:16] <bblack>	 ideally software would do its job without all this handholding.  if only one soul on this whole planet could write perfect software :P
[16:53:13] <bblack>	 anyways, I'm on server# 60/83 now, the process should be finished today
[16:53:33] <paravoid>	 cool
[16:54:59] <icinga-wm>	 PROBLEM - Host analytics1003 is DOWN: PING CRITICAL - Packet loss = 100%  
[16:59:27] <bblack>	 ideally, maybe we could build some puppet mechanism for queuing up delayed/randomized actions
[16:59:57] <bblack>	 e.g. on an event that requires varnish restart, it enqueues the restart command locally to happend at $random_time_over_48_hrs or whatever
[17:12:24] <Ryan_Lane>	 paravoid, bblack: could write a salt runner that iterates over the list of minions, where it depools the minion, does the action, waits for success, then repools the minion
[17:12:41] <Ryan_Lane>	 the goes to the next minion
[17:12:43] <Ryan_Lane>	 *then
[17:13:21] <Ryan_Lane>	 should be relatively easy to write a salt module that can pool/depool/enable/disable hosts in the pybal config
[17:13:45] <mark>	 ideally pybal would have some support for that
[17:13:55] <Ryan_Lane>	 that would be nice too :)
[17:14:17] <Ryan_Lane>	 I had wanted to add an API to pybal for a while
[17:14:22] <mark>	 yeah
[17:16:09] <grrrit-wm>	 (03PS1) 10coren: Labs: manage LVM volumes on instance [operations/puppet] - 10https://gerrit.wikimedia.org/r/115641 
[17:17:03] <paravoid>	 I, otoh, want to switch pybal to etcd :)
[17:18:52] <paravoid>	 or zookeeper, but etcd seems much much simpler from the cursory look I've given it
[17:25:05] <grrrit-wm>	 (03PS1) 10Cmjohnson: Adding mgmt ip's for row d pdus [operations/dns] - 10https://gerrit.wikimedia.org/r/115645 
[17:26:15] <grrrit-wm>	 (03CR) 10Cmjohnson: [C: 032] Adding mgmt ip's for row d pdus [operations/dns] - 10https://gerrit.wikimedia.org/r/115645 (owner: 10Cmjohnson)
[17:28:06] <grrrit-wm>	 (03PS2) 10coren: Labs: manage LVM volumes on instance [operations/puppet] - 10https://gerrit.wikimedia.org/r/115641 
[17:30:17] <grrrit-wm>	 (03CR) 10coren: [C: 032] "Noop for now." [operations/puppet] - 10https://gerrit.wikimedia.org/r/115641 (owner: 10coren)
[17:33:19] <grrrit-wm>	 (03CR) 10Gage: [C: 032] Setting up kafkatee on analytics1003 to log mobile webrequest logs [operations/puppet] - 10https://gerrit.wikimedia.org/r/115411 (owner: 10Ottomata)
[17:33:27] <ottomata>	 !log upgraded to librdkafka1 0.8.3 on cp3019, restarting varnishkafka
[17:33:31] <grrrit-wm>	 (03PS1) 10Andrew Bogott: Create new instance with duplicate puppet classes and vars. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115646 
[17:33:34] <morebots>	 Logged the message, Master
[17:38:01] <grrrit-wm>	 (03PS1) 10coren: Labs: fixes to the test role [operations/puppet] - 10https://gerrit.wikimedia.org/r/115647 
[17:40:50] <grrrit-wm>	 (03CR) 10coren: [C: 032] "Small fix." [operations/puppet] - 10https://gerrit.wikimedia.org/r/115647 (owner: 10coren)
[17:43:00] <grrrit-wm>	 (03PS1) 10Alexandros Kosiaris: Add labs-support1-c-eqiad to autoinstall subnets [operations/puppet] - 10https://gerrit.wikimedia.org/r/115648 
[17:50:54] <grrrit-wm>	 (03PS1) 10coren: Labs: Fix directory name in labs_lvm module [operations/puppet] - 10https://gerrit.wikimedia.org/r/115650 
[17:51:19] <grrrit-wm>	 (03PS2) 10Alexandros Kosiaris: Add labs-support1-c-eqiad to autoinstall subnets [operations/puppet] - 10https://gerrit.wikimedia.org/r/115648 
[17:52:00] <grrrit-wm>	 (03CR) 10coren: [C: 032] "<adam>There's your problem.</adam>" [operations/puppet] - 10https://gerrit.wikimedia.org/r/115650 (owner: 10coren)
[17:56:30] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: [C: 032] Add labs-support1-c-eqiad to autoinstall subnets [operations/puppet] - 10https://gerrit.wikimedia.org/r/115648 (owner: 10Alexandros Kosiaris)
[17:59:29] <icinga-wm>	 RECOVERY - HTTP 5xx req/min on tungsten is OK: OK: reqstats.5xx [warn=250.000  
[18:05:29] <icinga-wm>	 PROBLEM - HTTP 5xx req/min on tungsten is CRITICAL: CRITICAL: reqstats.5xx [crit=500.000000  
[18:06:59] <icinga-wm>	 PROBLEM - Puppet freshness on virt1004 is CRITICAL: Last successful Puppet run was Sat 22 Feb 2014 02:36:40 PM UTC  
[18:18:18] <grrrit-wm>	 (03PS1) 10coren: Fixes to the labs_lvm class [operations/puppet] - 10https://gerrit.wikimedia.org/r/115653 
[18:18:58] <grrrit-wm>	 (03PS2) 10coren: Fixes to the labs_lvm class [operations/puppet] - 10https://gerrit.wikimedia.org/r/115653 
[18:25:39] <grrrit-wm>	 (03CR) 10Dzahn: [C: 031] "+1 but we need to agree on removing mgmt as well or only after disk wiping has been confirmed" [operations/dns] - 10https://gerrit.wikimedia.org/r/115581 (owner: 10Matanya)
[18:26:18] <grrrit-wm>	 (03CR) 10Dzahn: [C: 031] "+1 but we need to agree on removing mgmt as well or only after disk wiping has been confirmed" [operations/dns] - 10https://gerrit.wikimedia.org/r/115578 (owner: 10Matanya)
[18:27:03] <matanya>	 mutante: personally dns should go last in my opinion
[18:27:56] <mutante>	 matanya: there's 2 kinds of DNS, regular and mgmt
[18:28:05] <matanya>	 yes
[18:28:07] <mutante>	 matanya: it's about if the 'mgmt' part should stay or not
[18:28:27] <mutante>	 because as RobH explained the other day
[18:28:35] <mutante>	 if we keep them then we can also do disk wiping from remote
[18:28:42] <mutante>	 and if we remove it we rely on DC tech
[18:28:46] <RobH>	 yea but the lifecycle supports what you are doin
[18:28:48] <RobH>	 not what i said
[18:28:59] <RobH>	 so im the only one who wants to keep
[18:29:02] <mutante>	 ok, but that was also a good point about the wiping
[18:29:09] <RobH>	 actually, hold on lemme check the tampa specific entyr
[18:29:15] <mutante>	 so..yea. that's why i made the comment on that change:)
[18:29:25] <mutante>	 so you guys can chime in 
[18:30:01] <RobH>	 so yea, i think its nice to leave it until its unracked, in fact i wanna make that policy
[18:30:03] <RobH>	 its just not yet
[18:30:06] <RobH>	 cmjohnson1: what do you think?
[18:30:17] <RobH>	 leave mgmt dns as long as its in rack with power was my intent all along
[18:30:23] <RobH>	 but the lifecycle document didnt reflect it clearly
[18:30:27] <mutante>	 the good thing is being able to still do stuff from remote
[18:30:28] <RobH>	 didnt, still doesnt
[18:30:31] <mutante>	 the drawback is having 2 changes
[18:30:37] <RobH>	 if its in a rack with power, we should have mgmt
[18:30:41] <mutante>	 and having to do another clean up later
[18:30:48] <RobH>	 there isnt a good reason to me not to (having two dns changes isnt that big a deal imo)
[18:30:49] <cmjohnson1>	 robh: i agree
[18:30:51] <matanya>	 i think not, what do you?
[18:31:04] <RobH>	 so cmjohnson1 and i agree
[18:31:09] <RobH>	 im inclined to say its how it is ;]
[18:31:37] <mutante>	 "with power" means the rack itself has power, right
[18:31:42] <mutante>	 but the server is already shutdown -h
[18:32:02] <cmjohnson1>	 robh: can you put the idrac license for ms-be1005 in my home folder sometime today plz
[18:32:19] <cmjohnson1>	 mutante: yeah...the servers should be shutdown
[18:32:34] <RobH>	 mutante: correct
[18:32:37] <mutante>	 cmjohnson1: ok, yea, i do, last one was kaulen
[18:32:37] <RobH>	 i've updated lifecycle docs
[18:32:49] <mutante>	 RobH: ok, thanks, i'll leave them in 
[18:32:59] <mutante>	 matanya: that means your changes need to be amended i guess
[18:33:04] <matanya>	 ok
[18:33:58] <matanya>	 thanks RobH, mutante cmjohnson1 i'll amend
[18:34:34] <RobH>	 well, the lifecycle doc is now fully updated to reflect
[18:34:39] <RobH>	 it wasnt clear at all before
[18:34:43] <RobH>	 so i understand the confusion
[18:35:09] <mutante>	 the reasoning before was that wiping wasn't done via mgmt anyways
[18:35:16] <mutante>	 but this makes us more flexible.. yea
[18:35:36] <matanya>	 so for sockpuppet you want: 2»       1H»       IN PTR»       sockpuppet.mgmt.pmtpa.wmnet. back ?
[18:35:49] <matanya>	 or any other entry as well?
[18:36:06] <RobH>	 well, did it have asset tag mgmt?
[18:36:15] <RobH>	 all the mgmt entries should ideally just stay in place
[18:36:20] <mutante>	 matanya: forward and reverse for the mgmt entry
[18:36:21] <RobH>	 but yea, at minimum that
[18:36:32] <RobH>	 most systems have dual mgmt entries
[18:36:38] <RobH>	 one based off asset tag (static)
[18:36:44] <RobH>	 and one based off hostname
[18:36:45] <mutante>	 matanya: so wmnet has 2 IPs, one in the mgmt network and one that isnt
[18:37:00] <RobH>	 the dual entries point to same mgmt ip
[18:37:41] <RobH>	 that being said, we just made this change
[18:37:50] <RobH>	 so if some items dont reflect it, meh.
[18:37:57] <matanya>	 from the 4 changes i did, which 2 are need to leave in?
[18:38:06] <mutante>	 matanya: you can see the network if you scroll up to the beginning of one of those blocks, see line 243 of 'wmnet"
[18:38:17] <matanya>	 yeah, i'm there
[18:39:49] <mutante>	 so, yea, keep the IP in that network, nuke the other one
[18:40:59] <icinga-wm>	 PROBLEM - Puppet freshness on labstore4 is CRITICAL: Last successful Puppet run was Tue 25 Feb 2014 06:33:37 PM UTC  
[18:47:28] <cmjohnson1>	 !log es1006 swapping failed disk
[18:47:37] <morebots>	 Logged the message, Master
[18:48:12] <grrrit-wm>	 (03CR) 10Dzahn: [C: 031] Modify login credential hint [operations/puppet] - 10https://gerrit.wikimedia.org/r/114503 (owner: 10Greg Grossmeier)
[18:50:39] <paravoid>	 dr0ptp4kt: hello
[18:50:39] <dr0ptp4kt>	 paravoid: hello
[18:50:39] <dr0ptp4kt>	 so, we think we'll need to go with the outbound cookie approach for the time being, deferring on auto-redirect until the future.
[18:50:39] <paravoid>	 bblack: are you around by any chance?
[18:50:39] <paravoid>	 okay; how come?
[18:50:39] <bblack>	 paravoid: yes
[18:50:47] <paravoid>	 bblack: got a sec to chat about the zero/contributory features I was telling you about?
[18:50:52] <dr0ptp4kt>	 nervousness that it will break on phones.
[18:51:01] <paravoid>	 dr0ptp4kt: fair enough
[18:51:02] <bblack>	 yeah
[18:51:03] <grrrit-wm>	 (03CR) 10BryanDavis: [C: 031] Modify login credential hint [operations/puppet] - 10https://gerrit.wikimedia.org/r/114503 (owner: 10Greg Grossmeier)
[18:51:17] <bblack>	 I assume we're just going to set some odd cookie in vcl_deliver, right?
[18:52:43] <dr0ptp4kt>	 alright, so, quick question: (1) should we do it in varnish esi and have it take effect nearly instantaneously (that is, after the js is updated and it's reflected in resourceloader), or (2) should we do it from the origin, which would necessitate a cache flush between now and 30 days out for any carriers supporting https....we can't just put it in the origin, as it would have inconsistent effects across fresh versus stale pages
[18:53:01] <dr0ptp4kt>	 (that is, we can't put it in the origin without a cache flush afaik)
[18:53:04] <dr0ptp4kt>	 ^paravoid, bblack
[18:53:12] <paravoid>	 I assume you mean vcl rather than esi?
[18:53:14] <dr0ptp4kt>	 "quick question" :)
[18:53:19] <icinga-wm>	 PROBLEM - check_job_queue on terbium is CRITICAL: JOBQUEUE CRITICAL - the following wikis have more than 199,999 jobs: , Total (200233)  
[18:53:24] <dr0ptp4kt>	 yeah, sorry, vcl, not esi. brain wires entangled
[18:53:46] <dr0ptp4kt>	 not sure if there's a way to cache flush on a vary header
[18:54:03] <bblack>	 ok maybe my understanding is flawed, let me state what I think is happening and you can tell me where I'm off
[18:54:19] <icinga-wm>	 RECOVERY - check_job_queue on terbium is OK: JOBQUEUE OK - all job queues below 200,000  
[18:55:00] <bblack>	 1) You're adding some JS code that says "hey if CookieX is set, show the edit button" and 2) We're setting that cookie in vcl_deliver, iff it was a zero-rated access (X-CS would be set) and this carrier supports zero-over-https in the if/else logic
[18:55:10] <dr0ptp4kt>	 paravoid, bblack i just lost my connection, can you resend previous 2-3 messages?
[18:55:29] <dr0ptp4kt>	 bblack, correct
[18:56:05] <bblack>	 so you're saying you're worried about cache staleness on the updated javascript stuff?
[18:56:14] <dr0ptp4kt>	 bblack, exactly a non-HTTPOnly cookie so js can read it. as the contributory features generally require js, we use the js to override the display:hidden on all of the currently hidden elements
[18:57:05] <paravoid>	 I think he's saying that you can do the Set-Cookie in MediaWiki too, as the page is Varied on X-CS anyway
[18:57:07] <dr0ptp4kt>	 bblack, regarding cache staleness, i'm only concerned in the case that we didn't do the cookie from varnish. that is, if we did it from the origin, i believe we would still have objects in the cache that don't have that header, so they would be inaccurate and the js wouldn't run. does that make sense?
[18:57:13] <bblack>	 do we need the cookie when we're already https? I mean, at that point the js could just unhide itself because the connection is secure already, right?
[18:57:49] <dr0ptp4kt>	 good question - so we want to show the contrib features on cleartex http as well so that the user will discover them.
[18:58:03] <dr0ptp4kt>	 for the moment, we can't just do a redirect. too much concern it will bust on a nontrivial number of phones.
[18:58:15] <dr0ptp4kt>	 plus there's the overhead of the redirect.
[18:58:26] <bblack>	 right, but what I mean is, can't we set the cookie from http, only for http, and not continue to send it once they've switched to https by clicking an edit button?
[18:58:35] <dr0ptp4kt>	 we'll want to examine that, though, in time, as it's (i hope) inevitable we'll start funneling most everything to https by default in time
[18:58:41] <dr0ptp4kt>	 bblack, oh
[18:59:13] <dr0ptp4kt>	 yeah, i think that's fine. the js can look at scheme://...if https, show....if http, examine cookie
[18:59:19] <dr0ptp4kt>	 do i have that right?
[18:59:38] <bblack>	 I guess, I mostly asked because of your "non-HTTPOnly cookie so js can read it" comment
[19:00:33] <dr0ptp4kt>	 okay, i think we're on the same page. just wanted to indicate that the cookie shouldn't have the flag 'HTTPOnly' because that would bar js from reading the cookie at all.
[19:01:10] <bblack>	 oh, ok, I thought that meant "this cookie can't have some flag that prevents its use over HTTPS"
[19:01:13] <dr0ptp4kt>	 that said, do we care if we're sending the cookie on outbound https requests? is that a problem?
[19:01:21] <dr0ptp4kt>	 bblack, yeah, it's an unfortunate flag name :(
[19:01:35] <dr0ptp4kt>	 they should have named it httpprotocolonly or something like that
[19:01:35] <bblack>	 I don't think it's an issue either way
[19:01:50] <dr0ptp4kt>	 ok, cool...one less check in the vcl if-elseif subsections
[19:02:17] <paravoid>	 regarding your earlier question, I think that ultimately it'd be better if the origin does this as it encodes less logic into our VCL
[19:02:32] <paravoid>	 and I think you already do the carrier lookup early on in the zero extension, right?
[19:02:39] <paravoid>	 so computationally it wouldn't make a difference for you
[19:03:00] <paravoid>	 that being said, we could add it optionally (with a guard to check if it's already set) in VCL for 30 days
[19:03:03] <bblack>	 so, assuming we keep origin and the vcl logic in sync (which is already an assumption), we could do it both places
[19:03:09] <bblack>	 and then remove the VCL in 30 days
[19:03:09] <paravoid>	 so that you can deploy immediately
[19:03:22] <paravoid>	 hehe :)
[19:03:55] <bblack>	 yeah, so, I'll work on a gerrit patch for that later today and we can review/edit from that baseline and sort out the details
[19:03:56] <dr0ptp4kt>	 sweet, ok, i will proceed in that fashion. can't guarantee i won't be back to ask more questions, but i have my marching orders now
[19:04:02] <bblack>	 do you have a name/format for the cookie yet?
[19:04:17] <dr0ptp4kt>	 bblack, you're going to update the vcl? or you want me to update it?
[19:04:34] <bblack>	 I'll do it.  At least, I'll start the process
[19:04:49] <dr0ptp4kt>	 we can call the cookie anything. we should probably make it feature flag-ish. that is, let's call it ZeroOpts
[19:05:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:00:31 PM UTC  
[19:05:25] <bblack>	 yeah but then if we have multiple options, we'll have to parse them out to modify them in some future VCL update or something, right?
[19:05:31] <dr0ptp4kt>	 and let's have it be a colon separated thing. for now, it would only contain the value 'tls'
[19:06:14] <bblack>	 in general, what's the plan when another option hits this, which causes the same issues with a 30-day VCL change, etc?
[19:06:51] <paravoid>	 you can also check "age" from VCL
[19:07:01] <dr0ptp4kt>	 let's plan to avoid migrating more logic to varnish for this purpose. we'll work to make it an origin-only thing except for this one time.
[19:07:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:00:31 PM UTC  
[19:07:39] <dr0ptp4kt>	 paravoid, you saying varnish will observe the age on the cookie? it's pleasing when caches actually conform to the spec!
[19:07:44] <bblack>	 I don't see how that can happen tbh.  the first time you figure out how to move the stuff to origin-only, you'll have a varnish cache issue deploying that code :)
[19:07:59] <dr0ptp4kt>	 bblack, lol
[19:08:13] <dr0ptp4kt>	 bblack, i'm thinking future state with esi
[19:08:34] <dr0ptp4kt>	 although i guess at that point it probably wouldn't be an esi fragment for a header, but rather a <script> in the dom
[19:08:56] <dr0ptp4kt>	 bblack...better explanation, sorry:
[19:09:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:00:31 PM UTC  
[19:09:17] <bblack>	 the eventual existence of usable ESI is still only a probable future state of affairs, I wouldn't bet anything on it
[19:09:44] <dr0ptp4kt>	 we already have an api hit to interrogate the server for supported langs for a carrier, when the ua supports js. the thinking is to move more of the data into the cookie, thereby saving a hit to the api. we don't need that to be reflected immediately, whereas with https support we do. does that make sense?
[19:10:04] <dr0ptp4kt>	 the api hit from the ua to the server is unnecessary if we have a feature flag in the cookie. not bundling that with this change, obviously
[19:10:37] <bblack>	 wait, so in theory you could do this both with immediate effect and without VCL changes, by hitting the API?
[19:11:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:00:31 PM UTC  
[19:11:18] <bblack>	 oh, except the JS itself is cached, of course
[19:11:31] <bblack>	 but you're going to have that problem every time you add new JS code + matching API feature request, right?
[19:11:39] <dr0ptp4kt>	 we defer the api call unless it's absolutely necessary in the case of the user tapping on a link of the form of http://<lang>.[m|zero].wikipedia.org/wiki/Special:ZeroRatedMobileAccess?to=(.+)&from=(.+)
[19:12:09] <dr0ptp4kt>	 so as to keep api calls to a minimum. MaxSem noted it was excessive to do that despite the low bandwidth aspect of it (it adds garbage to logs, can slow page load slightly, etc.)
[19:12:49] <dr0ptp4kt>	 we'd be reverting to making a js hit on every session start if using the api solely...hence the cookie idea
[19:12:50] <paravoid>	 yup, that'd be very suboptimal from a page performance perspective
[19:12:54] <bblack>	 ok, well, anyways, all of this is just future-stuff.  I remain unconvinced you'll be able to set future flags origin-only without bugging us about something, though :)
[19:13:09] <dr0ptp4kt>	 pinkie swear
[19:13:12] <paravoid>	 haha
[19:13:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:00:31 PM UTC  
[19:13:28] <dr0ptp4kt>	 bblack we get paid to bug you, right?
[19:13:32] <dr0ptp4kt>	 ;)
[19:13:45] <bblack>	 and I get paid to hamper and deny your requests as best I can
[19:13:53] <dr0ptp4kt>	 you are good opsen
[19:14:02] <dr0ptp4kt>	 bblack, paravoid, we good to go, then?
[19:14:36] <bblack>	 yes, work on your origin thing, and I'll work on a VCL patch that we'll use for 30 days to set the same cookie
[19:14:51] <dr0ptp4kt>	 bblack, your doubts notwithstanding, so the set-cookie if it were in isolation would be something like this:
[19:15:09] <dr0ptp4kt>	 Set-Cookie: ZeroOpts=tls
[19:15:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:00:31 PM UTC  
[19:15:24] <dr0ptp4kt>	 obviously, if varnish inlines all cookies into one line, it will be buried in the beginning, middle, or end
[19:15:32] <bblack>	 yup
[19:15:44] <dr0ptp4kt>	 right on. hi-ho, hi-ho...
[19:16:04] <dr0ptp4kt>	 thanks gents
[19:16:14] <icinga-wm>	 PROBLEM - check_job_queue on terbium is CRITICAL: JOBQUEUE CRITICAL - the following wikis have more than 199,999 jobs: , Total (200836)  
[19:16:25] <bblack>	 and down the road, you're going to add Set-Cookie: ZeroOpts=tls:featurefoo to your origin-based cookie, and some new JS code that actually looks at :featurefoo in the cookie, and the JS will be cached, so we'll have the 30 day thing all over again :)
[19:16:47] <bblack>	 *and* we'll have to parse/edit the ZeroOpts cookie in VCL at that point instead of just setting it
[19:17:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:00:31 PM UTC  
[19:17:34] <bblack>	 but we'll cross that bridge when we get there, I guess
[19:18:44] <grrrit-wm>	 (03PS3) 10coren: Fixes to the labs_lvm class [operations/puppet] - 10https://gerrit.wikimedia.org/r/115653 
[19:19:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:00:31 PM UTC  
[19:19:14] <icinga-wm>	 PROBLEM - Puppet freshness on sodium is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 04:18:12 PM UTC  
[19:20:10] <bblack>	 dr0ptp4kt: one more thing:
[19:20:14] <bblack>	 if (!req.http.X-Forwarded-Proto && !req.http.X-Forwarded-By) { // Any new carriers are signed up as both m & zero for all languages, without proxy support set req.http.X-CS = req.http.X-CS2;
[19:20:18] <dr0ptp4kt>	 bblack, yeah
[19:20:23] <dr0ptp4kt>	 one sec
[19:20:51] <bblack>	 ^ the current "default" is non-https, is that still a valid assumption (for X-CS carriers without their own if/else clause), or should the new default going forward be https-allowed?
[19:21:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:00:31 PM UTC  
[19:22:14] <icinga-wm>	 RECOVERY - check_job_queue on terbium is OK: JOBQUEUE OK - all job queues below 200,000  
[19:22:47] <dr0ptp4kt>	 for now, we unfortunately gotta stick with that.
[19:23:02] <bblack>	 ok
[19:23:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:00:31 PM UTC  
[19:23:20] <dr0ptp4kt>	 thx, and sorry it's a headache having to get our additional changes merged in all the time.
[19:23:46] <grrrit-wm>	 (03CR) 10coren: [C: 032] "Incremental tweaks" [operations/puppet] - 10https://gerrit.wikimedia.org/r/115653 (owner: 10coren)
[19:24:06] <dr0ptp4kt>	 bblack, on that topic, i have one carrier that will need an update to support om. you want to do that as part of the patch, or have me submit a separate one? want to avoid rebase unnecessities
[19:24:17] <ottomata>	 any objectsions to me self merging this?
[19:24:17] <ottomata>	 https://gerrit.wikimedia.org/r/#/c/115411/
[19:24:30] <ottomata>	 oh gage gave me +2 now :)
[19:24:34] <ottomata>	 i guess that means go ahead :)
[19:24:59] <bblack>	 dr0ptp4kt: to support "om"?
[19:25:07] <dr0ptp4kt>	 proxy provider
[19:25:07] <bblack>	 operamini, ok
[19:25:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:00:31 PM UTC  
[19:25:14] <icinga-wm>	 PROBLEM - check_job_queue on terbium is CRITICAL: JOBQUEUE CRITICAL - the following wikis have more than 199,999 jobs: , Total (202178)  
[19:25:22] <bblack>	 either way, rebasing isn't an issue
[19:25:40] <bblack>	 better to keep changesets separate, just a question of who merges first
[19:26:02] <grrrit-wm>	 (03PS5) 10Ottomata: Setting up kafkatee on analytics1003 to log mobile webrequest logs [operations/puppet] - 10https://gerrit.wikimedia.org/r/115411 
[19:26:03] <dr0ptp4kt>	 bblack, cool, i'll submit something. thanks!
[19:26:14] <dr0ptp4kt>	 bblack, gotta restart irc client. dcc zombies coming after me
[19:27:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:00:31 PM UTC  
[19:28:02] <dr0ptp4kt>	 bblack, back in case i'm needed
[19:29:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:00:31 PM UTC  
[19:30:15] <icinga-wm>	 RECOVERY - Puppet freshness on mw6 is OK: puppet ran at Wed Feb 26 19:30:06 UTC 2014  
[19:32:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:30:06 PM UTC  
[19:32:39] <grrrit-wm>	 (03PS1) 10Dr0ptp4kt: Add proxy support for 401-01. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115666 
[19:33:32] <dr0ptp4kt>	 bblack ^ there you go
[19:34:14] <icinga-wm>	 PROBLEM - Puppet freshness on mw6 is CRITICAL: Last successful Puppet run was Wed 26 Feb 2014 07:30:06 PM UTC  
[19:34:48] <grrrit-wm>	 (03CR) 10BBlack: [C: 032 V: 032] Add proxy support for 401-01. [operations/puppet] - 10https://gerrit.wikimedia.org/r/115666 (owner: 10Dr0ptp4kt)
[19:35:05] <dr0ptp4kt>	 bblack thx
[19:41:12] <grrrit-wm>	 (03PS1) 10BBlack: Set ZeroOpts=tls cookie for HTTPS-enabled Zero clients [operations/puppet] - 10https://gerrit.wikimedia.org/r/115669 
[19:41:30] <grrrit-wm>	 (03CR) 10Dzahn: "see inline comments" (036 comments) [operations/puppet] - 10https://gerrit.wikimedia.org/r/115345 (owner: 10Jkrauska)
[19:41:41] <bblack>	 dr0ptp4kt / paravoid: so that's my general first-pass take on the idea, but I haven't looked in detail at how sane that is yet :)
[19:42:29] <grrrit-wm>	 (03PS6) 10Ottomata: Setting up kafkatee on analytics1003 to log mobile webrequest logs [operations/puppet] - 10https://gerrit.wikimedia.org/r/115411 
[19:42:35] <grrrit-wm>	 (03CR) 10Ottomata: [C: 032 V: 032] Setting up kafkatee on analytics1003 to log mobile webrequest logs [operations/puppet] - 10https://gerrit.wikimedia.org/r/115411 (owner: 10Ottomata)
[19:42:49] <bblack>	 I'm always a little confused by where and how I can use resp, beresp, req, etc
[19:45:50] <grrrit-wm>	 (03PS2) 10BBlack: Set ZeroOpts=tls cookie for HTTPS-enabled Zero clients [operations/puppet] - 10https://gerrit.wikimedia.org/r/115669 
[19:46:14] <grrrit-wm>	 (03CR) 10Dzahn: [C: 032] remove db9, decom [operations/dns] - 10https://gerrit.wikimedia.org/r/115241 (owner: 10Dzahn)
[19:46:40] <grrrit-wm>	 (03PS1) 10coren: labs_lvm class tweaks [operations/puppet] - 10https://gerrit.wikimedia.org/r/115671 
[19:47:10] <mutante>	 !log DNS update - remove db9, already shutdown, (left mgmt)
[19:47:16] <dr0ptp4kt>	 bblack, the logic makes sense to me. i don't know one way or the other if multiple vcl_deliver subroutines are allowed, though. should the vcl_deliver logic be moved into mobile-frontend.inc.vcl.erb?
[19:47:17] <morebots>	 Logged the message, Master
[19:47:26] <dr0ptp4kt>	 ^^ paravoid, too
[19:47:43] <bblack>	 dr0ptp4kt: in general, multiple subs are ok in VCL, they get appended to each other in the final VCL for compilation
[19:47:49] <grrrit-wm>	 (03PS2) 10coren: labs_lvm class tweaks [operations/puppet] - 10https://gerrit.wikimedia.org/r/115671 
[19:48:53] <dr0ptp4kt>	 bblack, cool, good to know!
[19:49:07] <bblack>	 it's kind of crappy either way: a single vcl_whatever for the whole host makes it easier to figure out what's going on globally, but keeping related code close-by in the same file is nice, too
[19:49:28] <dr0ptp4kt>	 yeah, include sludge
[19:49:31] <mutante>	 springle-away: let's kill more DNS entries of db* in pmtpa?
[19:49:53] <mutante>	 as in, db9 is dead, cool, how about db10,db35,db38..
[19:50:39] <grrrit-wm>	 (03CR) 10coren: [C: 032] labs_lvm class tweaks [operations/puppet] - 10https://gerrit.wikimedia.org/r/115671 (owner: 10coren)
[19:51:16] <grrrit-wm>	 (03PS1) 10Ottomata: Fixing kafaktee typo, adding kafak to typos [operations/puppet] - 10https://gerrit.wikimedia.org/r/115673 
[19:51:19] <grrrit-wm>	 (03CR) 10Dzahn: [C: 032] Modify login credential hint [operations/puppet] - 10https://gerrit.wikimedia.org/r/114503 (owner: 10Greg Grossmeier)
[19:51:38] <grrrit-wm>	 (03PS2) 10Ottomata: Fixing kafaktee typo, adding kafak to typos [operations/puppet] - 10https://gerrit.wikimedia.org/r/115673 
[19:51:44] <grrrit-wm>	 (03CR) 10Ottomata: [C: 032 V: 032] Fixing kafaktee typo, adding kafak to typos [operations/puppet] - 10https://gerrit.wikimedia.org/r/115673 (owner: 10Ottomata)
[19:53:30] <mutante>	 greg-g: being bold.. merged your auth login hint :p
[19:53:34] <grrrit-wm>	 (03PS3) 10BBlack: Set ZeroOpts=tls cookie for HTTPS-enabled Zero clients [operations/puppet] - 10https://gerrit.wikimedia.org/r/115669 
[19:53:54] <mutante>	 eh, "credential hint"
[19:54:06] <Coren>	 Gaaaaah!  Puppet!  Seriously?
[19:54:10] <Coren>	 "err: Could not retrieve catalog from remote server: Error 400 on SERVER: Cannot reassign variable name on node i-0000003c.eqiad.wmflabs"
[19:54:18] <Coren>	 No file, no line number.
[19:54:33] <mutante>	 hmm, usually it does give a file and line
[19:54:43] <mutante>	 just labs or ?
[19:54:49] <greg-g>	 mutante: thanks :)
[19:55:16] <Coren>	 "An error has occured."
[19:55:20] <mutante>	 :/
[19:55:36] <mutante>	 Coren: uncaught by jenkins?
[19:55:38] <bblack>	 "Error: author sucks at error messages"
[19:56:27] <mutante>	 oh, is this log on the master?
[19:56:31] <mutante>	 try syslog on that specific node
[19:56:42] <mutante>	 i think agent should give you line number and file 
[19:57:08] <mutante>	 or in output of puppetd -tv on the node
[19:59:41] <grrrit-wm>	 (03PS1) 10Ottomata: Fixing wrong variable reference in kafkatee.conf.erb [operations/puppet/kafkatee] - 10https://gerrit.wikimedia.org/r/115674 
[19:59:54] <grrrit-wm>	 (03CR) 10Ottomata: [C: 032 V: 032] Fixing wrong variable reference in kafkatee.conf.erb [operations/puppet/kafkatee] - 10https://gerrit.wikimedia.org/r/115674 (owner: 10Ottomata)
[20:00:34] <grrrit-wm>	 (03PS1) 10Ottomata: Updating kafkatee module with variable reference fix [operations/puppet] - 10https://gerrit.wikimedia.org/r/115675 
[20:00:39] <icinga-wm>	 RECOVERY - Puppet freshness on mw6 is OK: puppet ran at Wed Feb 26 20:00:36 UTC 2014  
[20:00:46] <grrrit-wm>	 (03CR) 10Ottomata: [C: 032 V: 032] Updating kafkatee module with variable reference fix [operations/puppet] - 10https://gerrit.wikimedia.org/r/115675 (owner: 10Ottomata)
[20:11:23] <Coren>	 mutante: No, that's running puppetd -tv on the node.
[20:16:22] <grrrit-wm>	 (03PS1) 10Ottomata: Setting up rsync job to copy kafkatee generated webrequest logs to stat1002 [operations/puppet] - 10https://gerrit.wikimedia.org/r/115677 
[20:17:07] <grrrit-wm>	 (03CR) 10jenkins-bot: [V: 04-1] Setting up rsync job to copy kafkatee generated webrequest logs to stat1002 [operations/puppet] - 10https://gerrit.wikimedia.org/r/115677 (owner: 10Ottomata)
[20:17:54] <grrrit-wm>	 (03PS2) 10Ottomata: Setting up rsync job to copy kafkatee generated webrequest logs to stat1002 [operations/puppet] - 10https://gerrit.wikimedia.org/r/115677 
[20:25:29] <icinga-wm>	 PROBLEM - HTTP 5xx req/min on tungsten is CRITICAL: CRITICAL: reqstats.5xx [crit=500.000000  
[20:26:41] <Coren>	 mutante: I have *no* idea what's breaking puppet on that instance.  At all.
[20:26:51] <Coren>	 err: Could not retrieve catalog from remote server: Error 400 on SERVER: Cannot reassign variable name on node i-0000003c.eqiad.wmflabs
[20:26:56] <Coren>	 is the /only/ error message.
[20:27:08] <mutante>	 Coren: just on that single instance?
[20:27:45] <Coren>	 Yeah, but that one includes role::labs::instancetest from manifests/role/labstest.pp, so clearly the error is there somewhere.
[20:28:22] * Coren  wonders if having a class parameter with a conflicting name to that of some meta parameters might be an issue?

[20:28:54] <Coren>	 The error message is about as clear as tar.
[20:29:20] <mutante>	 Coren: wow, so many labs roles
[20:29:37] <Coren>	 Lots of stuff in labs.  :-)
[20:31:04] <hashar>	 whenever we get tripleo, labs will take over production!
[20:31:58] <mutante>	 is $device some reserved word/variable name?
[20:33:49] <Coren>	 mutante: I don't know.  That's what I'm worried about; but I've never seen constructions to avoid those things before.
[20:34:08] <Coren>	 And I would have expected an error message at some point, I guess.
[20:34:37] <mutante>	 so it does not seem to be the same thing as duplicate resource name
[20:35:03] <tonythomas>	 Hi ! I wish to work on this project of implementing VERP functionality in mediawiki to handle email bounces https://bugzilla.wikimedia.org/show_bug.cgi?id=46640
[20:35:05] <mutante>	 or i would have said you need $name somewhere instead of a hard coded name
[20:35:21] <mutante>	 to be able to use it more than once... but this one.. yea. i also don't really see it so far
[20:35:38] <mutante>	 Coren: is it ::labs_lvm or really the role class itself/
[20:35:45] <tonythomas>	 It would be great if some one can help me with the sys-ops part as Faidon will be bit busy during the GSoC period 
[20:36:03] <grrrit-wm>	 (03PS1) 10coren: labs_lvm: change parameter names [operations/puppet] - 10https://gerrit.wikimedia.org/r/115682 
[20:36:13] <grrrit-wm>	 (03CR) 10jenkins-bot: [V: 04-1] labs_lvm: change parameter names [operations/puppet] - 10https://gerrit.wikimedia.org/r/115682 (owner: 10coren)
[20:36:33] <grrrit-wm>	 (03PS2) 10coren: labs_lvm: change parameter names [operations/puppet] - 10https://gerrit.wikimedia.org/r/115682 
[20:37:24] <Coren>	 mutante: ^^ that should eliminate the possibility of name clashes, at least
[20:37:42] <mutante>	 these should be the reserved words http://docs.puppetlabs.com/puppet/latest/reference/lang_reserved.html
[20:38:41] <Coren>	 Ah, hm.  So that shouldn't have been it.
[20:40:25] <grrrit-wm>	 (03CR) 10coren: [C: 032] "Harmless." [operations/puppet] - 10https://gerrit.wikimedia.org/r/115682 (owner: 10coren)
[20:40:31] <mutante>	 Coren: i think it might be volume.pp
[20:40:31] <mutante>	 it's a defined type
[20:40:31] <mutante>	 and $name = $title in it
[20:40:49] <mutante>	 but maybe it's missing a $name somewhere where stuff is hardcoded
[20:41:11] <Coren>	 err: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid parameter requires at /etc/puppet/modules/labs_lvm/manifests/init.pp:29 on node i-0000003c.eqiad.wmflabs
[20:41:12] <Coren>	 That's better.
[20:41:16] <mutante>	 aha
[20:41:16] <Coren>	 It gets the syntax better this time.
[20:41:16] <mutante>	 well, back to having files and line numbers as normal, good
[20:41:55] <Coren>	 Fun.  I managed to put 'requires' *everywhere*
[20:41:55] <Coren>	 :-)
[20:42:00] <mutante>	 eh,i was about to say, it's consistent
[20:42:03] <mutante>	 heh
[20:42:13] <grrrit-wm>	 (03PS1) 10coren: labs_vfs: requires -> require [operations/puppet] - 10https://gerrit.wikimedia.org/r/115683 
[20:42:13] <mutante>	 yea, that:)
[20:42:39] <Coren>	 Clearly, puppet's syntax is wrong and this should be 'requires'  :-)
[20:42:42] <grrrit-wm>	 (03CR) 10Dzahn: [C: 031] labs_vfs: requires -> require [operations/puppet] - 10https://gerrit.wikimedia.org/r/115683 (owner: 10coren)
[20:43:44] <mutante>	 so what was bad before? $device ?
[20:43:44] <grrrit-wm>	 (03CR) 10coren: [C: 032] "Syntax fix." [operations/puppet] - 10https://gerrit.wikimedia.org/r/115683 (owner: 10coren)
[20:44:17] <mutante>	 or "$name = $title,"
[20:44:29] <mutante>	 because $name is special
[20:44:40] <Coren>	 I'm guessing it was $name
[20:44:52] <mutante>	 yea, i think it's $name, yes
[20:45:05] <mutante>	 can't use that, it's always already set
[20:45:09] <Coren>	 I didn't take any chance and also changed 'device' and 'mountpoint' since those are both known.
[20:45:11] <mutante>	 to what you passed to the defined type
[20:45:23] <mutante>	 and the others would have been ok, yea
[20:45:36] <Coren>	 ... and, the class now works.
[20:45:48] <Coren>	 Thanks for your pair of eyes.  :-)
[20:46:24] <mutante>	 yw
[20:54:52] <grrrit-wm>	 (03CR) 10Ottomata: [C: 032 V: 032] Drive-by lint! [operations/puppet/wikimetrics] - 10https://gerrit.wikimedia.org/r/110188 (owner: 10Ori.livneh)
[20:56:54] <gwicke>	 manybubbles: ping
[20:57:52] * gwicke  is amused by the scrum of scrum notes talking up the dangers of deploying the parsoid PHP extension to 700ish mostly idle wikis

[21:03:06] <Krinkle>	 DId somethign got deployed today by ops with regards to integration.wikimedia.org?
[21:03:20] <Krinkle>	 It seems the /ci path http proxy to Jenkins is timing out
[21:03:24] <Krinkle>	 http://integration.wikimedia.org/ci/job/oojs-ui-npm/199/console
[21:03:27] <Krinkle>	 https://integration.wikimedia.org/ci/
[21:04:46] <mutante>	 Krinkle: https://gerrit.wikimedia.org/r/#/c/115388/ is the last one that seems at least remotely related
[21:05:00] <mutante>	 and that was just for a labs vhost and a rewrite rule
[21:06:06] <Krinkle>	 nginx/1.1.19; 504 Gateway Time-out
[21:06:10] <grrrit-wm>	 (03CR) 10PiRSquared17: "I agree with above, we should ask on Meta:Babel before removing." [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/115412 (owner: 10Odder)
[21:06:32] <mutante>	 besides that one.. hmm   in gerrit would be like:   project:operations/puppet status:merged owner:hashar
[21:06:47] * gwicke  is getting ready for a parsoid deploy

[21:07:00] <hashar>	 mutante: yeah that is me :-]
[21:07:30] <hashar>	 Krinkle: what is happening timo?
[21:07:41] <gwicke>	 mutante, I might need help if https://bugzilla.wikimedia.org/show_bug.cgi?id=61882 bites again
[21:07:49] <icinga-wm>	 PROBLEM - Puppet freshness on virt1004 is CRITICAL: Last successful Puppet run was Sat 22 Feb 2014 02:36:40 PM UTC  
[21:09:02] <mutante>	 hashar: ah:) that isnt' related is it?
[21:09:14] <mutante>	 hashar:  https://integration.wikimedia.org/ci/
[21:09:19] <mutante>	 should that do more?
[21:09:32] <hashar>	 yeah the Jenkins landing page is super slow
[21:09:38] <hashar>	 always have been :/
[21:09:39] <icinga-wm>	 RECOVERY - RAID on es1006 is OK: OK: optimal, 1 logical, 2 physical  
[21:14:18] <Krinkle>	 hashar: not just landing page, I'm unable to open any page at the moment
[21:20:13] <Krinkle>	 hashar: I'm working on fixing the chmod for logs/ in qunit jobs, but I can't do anything it seems. I can't load up any job page or build page to see whether my patch works, or do anything else for that matter.